CVEs Today
Latest Information on Common Vulnerabilities and Exposures (CVEs)
Last updated: May 19, 2024. 13:20:29 UTC
ID | Description | Modified | References |
---|---|---|---|
CVE-2023-30019 | imgproxy <=3.14.0 is vulnerable to Server-Side Request Forgery (SSRF) due to a lack of sanitization of the imageURL parameter. | May 16, 2023. 19:33:00 | [breakandpray.com][github.com] |
CVE-2022-46720 | An integer overflow was addressed with improved input validation. This issue is fixed in iOS 16.2 and iPadOS 16.2, macOS Ventura 13.1. An app may be able to break out of its sandbox | May 16, 2023. 19:32:00 | [support.apple.com][support.apple.com] |
CVE-2023-31144 | Craft CMS is a content management system. Starting in version 3.0.0 and prior to versions 3.8.4 and 4.4.4, a malformed title in the feed widget can deliver a cross-site scripting payload. This issue is fixed in version 3.8.4 and 4.4.4. | May 16, 2023. 19:22:00 | [github.com][github.com] |
CVE-2023-23541 | A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in iOS 15.7.4 and iPadOS 15.7.4, iOS 16.4 and iPadOS 16.4. An app may be able to access information about a user’s contacts | May 16, 2023. 19:18:00 | [support.apple.com][support.apple.com] |
CVE-2022-45846 | Cross-Site Request Forgery (CSRF) vulnerability in Nickys Image Map Pro for WordPress - Interactive SVG Image Map Builder plugin < 5.6.9 versions. | May 16, 2023. 19:17:00 | [patchstack.com] |
CVE-2023-31474 | An issue was discovered on GL.iNet devices before 3.216. Through the software installation feature, it is possible to inject arbitrary parameters in a request to cause opkg to obtain a list of files in a specific directory, by using the regex feature in a package name. | May 16, 2023. 19:17:00 | [github.com][www.gl-inet.com] |
CVE-2023-32999 | A missing permission check in Jenkins AppSpider Plugin 1.0.15 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL and send an HTTP POST request with a JSON payload consisting of attacker-specified credentials. | May 16, 2023. 19:15:00 | [www.jenkins.io] |
CVE-2023-2195 | A cross-site request forgery (CSRF) vulnerability in Jenkins Code Dx Plugin 3.1.0 and earlier allows attackers to connect to an attacker-specified URL. | May 16, 2023. 19:15:00 | [www.jenkins.io] |
CVE-2023-2631 | A missing permission check in Jenkins Code Dx Plugin 3.1.0 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL. | May 16, 2023. 19:15:00 | [www.jenkins.io] |
CVE-2022-47441 | Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Charitable Donations & Fundraising Team Donation Forms by Charitable plugin <= 1.7.0.10 versions. | May 16, 2023. 19:07:00 | [patchstack.com] |
CVE-2022-47587 | Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Cornel Raiu WP Search Analytics plugin <= 1.4.5 versions. | May 16, 2023. 19:06:00 | [patchstack.com] |
CVE-2022-47606 | Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Tim Stephenson WP-CORS plugin <= 0.2.1 versions. | May 16, 2023. 19:06:00 | [patchstack.com] |
CVE-2021-26356 | A TOCTOU in ASP bootloader may allow an attacker to tamper with the SPI ROM following data read to memory potentially resulting in S3 data corruption and information disclosure. | May 16, 2023. 19:01:00 | [www.amd.com][www.amd.com] |
CVE-2023-32071 | XWiki Platform is a generic wiki platform. Starting in versions 2.2-milestone-1 and prior to versions 14.4.8, 14.10.4, and 15.0-rc-1, it's possible to execute javascript with the right of any user by leading him to a special URL on the wiki targeting a page which contains an attachment. This has been patched in XWiki 15.0-rc-1, 14.10.4, and 14.4.8. The easiest possible workaround is to edit file `<xwiki app>/templates/importinline.vm` and apply the modification described in commit 28905f7f518cc6f21ea61fe37e9e1ed97ef36f01. | May 16, 2023. 17:41:00 | [github.com][github.com] |
CVE-2023-32069 | XWiki Platform is a generic wiki platform. Starting in version 3.3-milestone-2 and prior to versions 14.10.4 and 15.0-rc-1, it's possible for a user to execute anything with the right of the author of the XWiki.ClassSheet document. This has been patched in XWiki 15.0-rc-1 and 14.10.4. There are no known workarounds. | May 16, 2023. 17:34:00 | [github.com][github.com] |
CVE-2020-23362 | Insecure Permissions vulnerability found in Shop_CMS YerShop all versions allows a remote attacker to escalate privileges via the cover_id parameter. | May 16, 2023. 17:17:00 | [github.com] |
CVE-2023-32991 | A cross-site request forgery (CSRF) vulnerability in Jenkins SAML Single Sign On(SSO) Plugin 2.0.2 and earlier allows attackers to send an HTTP request to an attacker-specified URL and parse the response as XML, or parse a local file on the Jenkins controller as XML. | May 16, 2023. 17:15:00 | [www.jenkins.io] |
CVE-2023-32992 | Missing permission checks in Jenkins SAML Single Sign On(SSO) Plugin 2.0.2 and earlier allow attackers with Overall/Read permission to send an HTTP request to an attacker-specified URL and parse the response as XML, or parse a local file on the Jenkins controller as XML. | May 16, 2023. 17:15:00 | [www.jenkins.io] |
CVE-2023-32993 | Jenkins SAML Single Sign On(SSO) Plugin 2.0.2 and earlier does not perform hostname validation when connecting to miniOrange or the configured IdP to retrieve SAML metadata, which could be abused using a man-in-the-middle attack to intercept these connections. | May 16, 2023. 17:15:00 | [www.jenkins.io] |
CVE-2023-32995 | A cross-site request forgery (CSRF) vulnerability in Jenkins SAML Single Sign On(SSO) Plugin 2.0.0 and earlier allows attackers to send an HTTP POST request with JSON body containing attacker-specified content, to miniOrange's API for sending emails. | May 16, 2023. 17:15:00 | [www.jenkins.io] |