CVEs from 2023
Total: 8,568
By severity: critical 222, high 1,548, medium 1,277, low 23 (the remaining 5,498 carry no severity band and appear as "unknown" in the table below)
% Critical: 2.6% (222 of 8,568)
% with KEV: 1.9% (listed in CISA's Known Exploited Vulnerabilities catalog)
% with exploit: 1.9%
Top vendors (number of 2023 CVEs)
- redhat 120
- microsoft 76
- f5 43
- cisco 26
- automattic 19
- cbot 12
- brainstormforce 11
- gvectors 10
Top products (NVD CPE product names, number of 2023 CVEs)
- office 29
- office_long_term_servicing_channel 15
- 365_apps 14
- openstack_platform 6
- codeready_linux_builder_for_ibm_z_systems_eus 6
- registrationmagic 6
- codeready_linux_builder_eus 6
- cbot_panel 6
| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2023-1728 | critical | 9.8 | 9.8 | 3y ago | Unrestricted Upload of File with Dangerous Type vulnerability in Fernus Informatics LMS allows OS Command Injection, Server Side Include (SSI) Injection. This issue affects LMS: before 23.04.03. | |
| CVE-2023-1765 | critical | 9.8 | 9.8 | 3y ago | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Akbim Computer Panon allows SQL Injection. This issue affects Panon: before 1.0.2. | |
| CVE-2023-1725 | critical | 9.8 | 9.8 | 3y ago | Server-Side Request Forgery (SSRF) vulnerability in Infoline Project Management System allows Server Side Request Forgery. This issue affects Project Management System: before 4.09.31.125. | |
| CVE-2023-28531 | critical | 9.8 | 9.8 | 3y ago | ssh-add in OpenSSH before 9.3 adds smartcard keys to ssh-agent without the intended per-hop destination constraints. The earliest affected version is 8.9. | |
| CVE-2023-33150 | critical | 9.6 | 9.6 | 3y ago | Microsoft Office Security Feature Bypass Vulnerability | |
| CVE-2023-43641 | critical | — | 9.5 | — | libcue provides an API for parsing and extracting data from CUE sheets. Versions 2.2.1 and prior are vulnerable to out-of-bounds array access. A user of the GNOME desktop environment can be exploited… | |
| CVE-2023-5388 | critical | — | 9.5 | 2y ago | Critical: firefox security update | |
| CVE-2023-46847 | critical | — | 9.5 | 3y ago | Critical: squid security update | |
| CVE-2023-46848 | critical | — | 9.5 | 3y ago | Critical: squid security update | |
| CVE-2023-46846 | critical | — | 9.5 | 3y ago | Critical: squid security update | |
| CVE-2023-45853 | critical | — | 9.5 | 3y ago | pyminizip affected by zlib's integer overflow/heap based buffer overflow vulnerability due to vulnerable dependency | |
| CVE-2023-3128 | critical | — | 9.5 | 3y ago | Critical: grafana security update | |
| CVE-2023-29404 | critical | — | 9.5 | 3y ago | Critical: go-toolset and golang security update | |
| CVE-2023-29403 | critical | — | 9.5 | 3y ago | Critical: go-toolset and golang security update | |
| CVE-2023-29405 | critical | — | 9.5 | 3y ago | Critical: go-toolset and golang security update | |
| CVE-2023-29402 | critical | — | 9.5 | 3y ago | Critical: go-toolset and golang security update | |
| CVE-2023-28787 | critical | 9.3 | 9.3 | 2y ago | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ExpressTech Quiz And Survey Master.This issue affects Quiz And Survey Master: from n/a through 8.… | |
| CVE-2023-24215 | critical | 9.1 | 9.1 | 10d ago | Incorrect access control in the /uci/get/ endpoint of NOVUS AirGate 4G firmware v1.1.16 allows unauthenticated attackers to obtain administrator credentials via a crafted POST request. | |
| CVE-2023-47842 | critical | 9.1 | 9.1 | 2y ago | Unrestricted Upload of File with Dangerous Type vulnerability in Zachary Segal CataBlog.This issue affects CataBlog: from n/a through 1.7.0. | |
| CVE-2023-29386 | critical | 9.1 | 9.1 | 2y ago | Unrestricted Upload of File with Dangerous Type vulnerability in Julien Crego Manager for Icomoon.This issue affects Manager for Icomoon: from n/a through 2.0. | |
| CVE-2023-49166 | critical | 9.1 | 9.1 | 3y ago | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Magic Logix MSync.This issue affects MSync: from n/a through 1.0.0. | |
| CVE-2023-49161 | critical | 9.1 | 9.1 | 3y ago | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Guelben Bravo Translate.This issue affects Bravo Translate: from n/a through 1.2. | |
| CVE-2023-43770 | unknown | — | 1.5 | 2y ago | Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3 allows XSS via text/plain e-mail messages with crafted links because of program/lib/Roundcube/rcube_string_replacer.php behavior. | |
| CVE-2023-5631 | unknown | — | 1.5 | 3y ago | Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavio… | |
| CVE-2023-0645 | unknown | — | — | — | An out of bounds read exists in libjxl. An attacker using a specifically crafted file could cause an out of bounds read in the exif handler. We recommend upgrading to version 0.8.1 or past commit ht… | |
| CVE-2023-48104 | unknown | — | — | — | Alinto SOGo before 5.9.1 is vulnerable to HTML Injection. | |
| CVE-2023-47272 | unknown | — | — | — | Roundcube 1.5.x before 1.5.6 and 1.6.x before 1.6.5 allows XSS via a Content-Type or Content-Disposition header (used for attachment preview or download). | |
| CVE-2023-35790 | unknown | — | — | — | An issue was discovered in dec_patch_dictionary.cc in libjxl before 0.8.2. An integer underflow in patch decoding can lead to a denial of service, such as an infinite loop. | |
| CVE-2023-52426 | unknown | — | — | — | libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time. | |
| CVE-2023-51698 | unknown | — | — | — | Atril is a simple multi-page document viewer. Atril is vulnerable to a critical Command Injection Vulnerability. This vulnerability gives the attacker immediate access to the target system when the t… | |
| CVE-2023-0482 | unknown | — | — | 1y ago | Insecure Temporary File in RESTEasy | |
| CVE-2023-49921 | unknown | — | — | 2y ago | Elasticsearch Insertion of Sensitive Information into Log File | |
| CVE-2023-47798 | unknown | — | — | 2y ago | Liferay Portal's account lockout does not invalidate existing user sessions | |
| CVE-2023-50720 | unknown | — | — | 3y ago | Solr search discloses email addresses of users | |
| CVE-2023-47321 | unknown | — | — | 3y ago | Broken access control in Silverpeas | |
| CVE-2023-50164 | unknown | — | — | 3y ago | Apache Struts vulnerable to path traversal | |
| CVE-2023-49280 | unknown | — | — | 3y ago | Data leak of password hash through change requests | |
| CVE-2023-46673 | unknown | — | — | 3y ago | Elasticsearch Improper Handling of Exceptional Conditions | |
| CVE-2023-4061 | unknown | — | — | 3y ago | wildfly-core Exposure of Sensitive Information to an Unauthorized Actor vulnerability | |
| CVE-2023-5763 | unknown | — | — | 3y ago | Eclipse Glassfish remote code execution issue | |
| CVE-2023-31418 | unknown | — | — | 3y ago | Elasticsearch vulnerable to Uncontrolled Resource Consumption | |
| CVE-2023-44270 | unknown | — | — | 3y ago | An issue was discovered in PostCSS before 8.4.31. The vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contains part… | |
| CVE-2023-43494 | unknown | — | — | 3y ago | Jenkins does not exclude sensitive build variables from search | |
| CVE-2023-37754 | unknown | — | — | 3y ago | Code injection in PowerJob | |
| CVE-2023-32261 | unknown | — | — | 3y ago | Missing permission check in Jenkins Dimensions Plugin allows enumerating credentials IDs | |
| CVE-2023-34150 | unknown | — | — | 3y ago | Apache Any23 vulnerable to excessive memory usage | |
| CVE-2023-33946 | unknown | — | — | 3y ago | Liferay portal unauthorized access to objects via OAuth 2 scope | |
| CVE-2023-32989 | unknown | — | — | 3y ago | Jenkins Azure VM Agents Plugin Cross-site Request Forgery vulnerability | |
| CVE-2023-32980 | unknown | — | — | 3y ago | Jenkins Email Extension Plugin Cross-Site Request Forgery vulnerability | |
| CVE-2023-32999 | unknown | — | — | 3y ago | Jenkins AppSpider Plugin missing permission check | |
| CVE-2023-30520 | unknown | — | — | 3y ago | Jenkins Quay.io trigger Plugin Cross-site Scripting vulnerability | |
| CVE-2023-26302 | unknown | — | — | 3y ago | Denial of service could be caused to the command line interface of markdown-it-py, before v2.2.0, if an attacker was allowed to use invalid UTF-8 characters as input. | |
| CVE-2023-26303 | unknown | — | — | 3y ago | Denial of service could be caused to markdown-it-py, before v2.2.0, if an attacker was allowed to force null assertions with specially crafted input. | |
| CVE-2023-24425 | unknown | — | — | 3y ago | Exposure of system-scoped Kubernetes credentials in Jenkins Kubernetes Credentials Provider Plugin | |
| CVE-2023-22899 | unknown | — | — | 3y ago | Zip4j Origin Validation Error |