CVEs from 2023
| Metric | Value |
|---|---|
| Total | 6,202 |
| Critical | 238 |
| High | 1,495 |
| Medium | 1,397 |
| Low | 30 |
| % Critical | 3.8% |
| % with KEV | 2.6% |
| % with exploit | 3.4% |
Top products
- office 29
- office_long_term_servicing_channel 15
- 365_apps 14
- ftmg-esr50sxx 8
- ftmg-esn40sxx 8
- ftmg-esd25axx 8
- ftmg-esr40sxx 8
- ftmg-esd15axx 8
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-49397 | unknown | — | — | | | | 3y ago | Cross-Site Request Forgery in JFinalCMS via /admin/category/updateStatus |
| CVE-2023-49373 | unknown | — | — | | | | 3y ago | Cross-Site Request Forgery in JFinalCMS |
| CVE-2023-49378 | unknown | — | — | | | | 3y ago | Cross-Site Request Forgery in JFinalCMS via /admin/form/save |
| CVE-2023-49375 | unknown | — | — | | | | 3y ago | Cross-Site Request Forgery in JFinalCMS via /admin/friend_link/update |
| CVE-2023-49380 | unknown | — | — | | | | 3y ago | Cross-Site Request Forgery in JFinalCMS via /admin/friend_link/delete |
| CVE-2023-49372 | unknown | — | — | | | | 3y ago | Cross-Site Request Forgery in JFinalCMS |
| CVE-2023-49379 | unknown | — | — | | | | 3y ago | Cross-Site Request Forgery in JFinalCMS via the component /admin/friend_link/save |
| CVE-2023-49376 | unknown | — | — | | | | 3y ago | Cross-Site Request Forgery in JFinalCMS |
| CVE-2023-49377 | unknown | — | — | | | | 3y ago | Cross-Site Request Forgery in JFinalCMS via /admin/tag/update |
| CVE-2023-49374 | unknown | — | — | | | | 3y ago | Cross-Site Request Forgery in JFinalCMS via /admin/slide/update |
| CVE-2023-41835 | unknown | — | — | | | | 3y ago | Apache Struts Improper Control of Dynamically-Managed Code Resources vulnerability |
| CVE-2023-49093 | unknown | — | — | | | | 3y ago | HtmlUnit vulnerable to Remote Code Execution (RCE) via XSLT |
| CVE-2023-48910 | unknown | — | — | | | | 3y ago | Microcks contains a Server-Side Request Forgery (SSRF) via the components /jobs and /artifact/download |
| CVE-2023-48967 | unknown | — | — | | | | 3y ago | Solon is vulnerable to Deserialization of Untrusted Data |
| CVE-2023-6481 | unknown | — | — | | | | 3y ago | Logback is vulnerable to an attacker mounting a Denial-of-Service attack by sending poisoned data |
| CVE-2023-48887 | unknown | — | — | | | | 3y ago | Jupiter allows attackers to execute arbitrary commands via sending a crafted RPC request |
| CVE-2023-49371 | unknown | — | — | | | | 3y ago | RuoYi vulnerable to SQL injection |
| CVE-2023-49735 | unknown | — | — | | | | 3y ago | Apache Tiles: Unvalidated input may lead to path traversal and XXE |
| CVE-2023-4218 | unknown | — | — | | | | 3y ago | Eclipse IDE XXE in eclipse.platform |
| CVE-2023-49733 | unknown | — | — | | | | 3y ago | Apache Cocoon Improper Restriction of XML External Entity Reference vulnerability |
| CVE-2023-49620 | unknown | — | — | | | | 3y ago | Apache DolphinScheduler Missing Authorization vulnerability |
| CVE-2023-49652 | unknown | — | — | | | | 3y ago | Jenkins Google Compute Engine Plugin has incorrect permission checks |
| CVE-2023-49674 | unknown | — | — | | | | 3y ago | Jenkins NeuVector Vulnerability Scanner Plugin missing permission check |
| CVE-2023-49673 | unknown | — | — | | | | 3y ago | Jenkins NeuVector Vulnerability Scanner Plugin Cross-Site Request Forgery vulnerability |
| CVE-2023-49653 | unknown | — | — | | | | 3y ago | Jenkins Jira Plugin vulnerable to exposure of system-scoped credentials |
| CVE-2023-49654 | unknown | — | — | | | | 3y ago | Jenkins MATLAB Plugin missing permission checks |
| CVE-2023-49655 | unknown | — | — | | | | 3y ago | Jenkins MATLAB Plugin cross-site request forgery vulnerability |
| CVE-2023-49656 | unknown | — | — | | | | 3y ago | Jenkins MATLAB Plugin XML External Entity vulnerability |
| CVE-2023-6378 | unknown | — | — | | | | 3y ago | logback serialization vulnerability |
| CVE-2023-48848 | unknown | — | — | | | | 3y ago | ureport arbitrary file read vulnerability |
| CVE-2023-34055 | unknown | — | — | | | | 3y ago | Spring Boot Actuator denial of service vulnerability |
| CVE-2023-34054 | unknown | — | — | | | | 3y ago | Reactor Netty HTTP Server denial of service vulnerability |
| CVE-2023-34053 | unknown | — | — | | | | 3y ago | Spring Framework vulnerable to denial of service |
| CVE-2023-49145 | unknown | — | — | | | | 3y ago | Improper Neutralization of Input in Advanced User Interface for Jolt |
| CVE-2023-49081 | unknown | — | — | | | | 3y ago | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation made it possible for an attacker to modify the HTTP request (e.g. to insert a new header) or create… |
| CVE-2023-49082 | unknown | — | — | | | | 3y ago | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation makes it possible for an attacker to modify the HTTP request (e.g. insert a new header) or even cre… |
| CVE-2023-49068 | unknown | — | — | | | | 3y ago | Apache DolphinScheduler Exposure of Sensitive Information to an Unauthorized Actor vulnerability |
| CVE-2023-48796 | unknown | — | — | | | | 3y ago | Apache DolphinScheduler sensitive information disclosure |
| CVE-2023-33202 | unknown | — | — | | | | 3y ago | Bouncy Castle Denial of Service (DoS) |
| CVE-2023-43123 | unknown | — | — | | | | 3y ago | Apache Storm Local Information Disclosure Vulnerability in Storm-core on Unix-like systems due to temporary files |
| CVE-2023-47467 | unknown | — | — | | | | 3y ago | Directory Traversal in jeecg-boot |
| CVE-2023-46673 | unknown | — | — | | | | 3y ago | Elasticsearch Improper Handling of Exceptional Conditions |
| CVE-2023-48293 | unknown | — | — | | | | 3y ago | Cross-Site Request Forgery with QueryOnXWiki allows arbitrary database queries |
| CVE-2023-48241 | unknown | — | — | | | | 3y ago | Whole content of all documents of all wikis exposed to anybody with view right on Solr suggest service |
| CVE-2023-48240 | unknown | — | — | | | | 3y ago | Cookies are sent to external images in rendered diff (and server-side request forgery) |
| CVE-2023-40815 | unknown | — | — | | | | 3y ago | Cross-site Scripting in OpenCRX |
| CVE-2023-40813 | unknown | — | — | | | | 3y ago | Cross-site Scripting in OpenCRX |
| CVE-2023-40814 | unknown | — | — | | | | 3y ago | Cross-site Scripting in OpenCRX |
| CVE-2023-40817 | unknown | — | — | | | | 3y ago | Cross-site Scripting in OpenCRX |
| CVE-2023-40816 | unknown | — | — | | | | 3y ago | Cross-site Scripting in OpenCRX |
| CVE-2023-40809 | unknown | — | — | | | | 3y ago | Cross-site Scripting in OpenCRX |
| CVE-2023-40810 | unknown | — | — | | | | 3y ago | Cross-site Scripting in OpenCRX |
| CVE-2023-40812 | unknown | — | — | | | | 3y ago | Cross-site Scripting in OpenCRX |
| CVE-2023-47797 | unknown | — | — | | | | 3y ago | Liferay Portal XSS with `p_l_back_url_title` on edit content page |
| CVE-2023-40314 | unknown | — | — | | | | 3y ago | OpenNMS Cross-site Scripting vulnerability |
| CVE-2023-48222 | unknown | — | — | | | | 3y ago | Authenticated Rundeck users can view or delete jobs they do not have authorization for |
| CVE-2023-47112 | unknown | — | — | | | | 3y ago | Authenticated users can view job names and groups they do not have authorization to view |
| CVE-2023-6038 | unknown | — | — | | | | 3y ago | H2O local file inclusion vulnerability |
| CVE-2023-26031 | unknown | — | — | | | | 3y ago | Apache Hadoop allows local user to gain root privileges |
| CVE-2023-48088 | unknown | — | — | | | | 3y ago | xxl-job-admin vulnerable to Cross-Site Scripting |
| CVE-2023-5245 | unknown | — | — | | | | 3y ago | Zip slip in mleap |
| CVE-2023-48087 | unknown | — | — | | | | 3y ago | xxl-job-admin vulnerable to Insecure Permissions |
| CVE-2023-5720 | unknown | — | — | | | | 3y ago | Quarkus does not properly sanitize artifacts created from its use of the Gradle plugin, allowing certain build system information to remain |
| CVE-2023-48089 | unknown | — | — | | | | 3y ago | xxl-job-admin vulnerable to Remote Code Execution |
| CVE-2023-34062 | unknown | — | — | | | | 3y ago | In Reactor Netty HTTP Server a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack |
| CVE-2023-5072 | unknown | — | — | | | | 3y ago | Java: DoS Vulnerability in JSON-JAVA |
| CVE-2023-47627 | unknown | — | — | | | | 3y ago | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. The HTTP parser in AIOHTTP has numerous problems with header parsing, which could lead to request smuggling. This parse… |
| CVE-2023-47641 | unknown | — | — | | | | 3y ago | aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Affected versions of aiohttp have a security vulnerability regarding the inconsistent interpretation of the http protoc… |
| CVE-2023-46735 | unknown | — | — | | | | 3y ago | Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in version 6.0.0 and prior to version 6.3.8, the error message in `WebhookController` return… |
| CVE-2023-46734 | unknown | — | — | | | | 3y ago | Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 2.0.0, 5.0.0, and 6.0.0 and prior to versions 4.4.51, 5.4.31, and 6.3.8, some Tw… |
| CVE-2023-46733 | unknown | — | — | | | | 3y ago | Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 5.4.21 and 6.2.7 and prior to versions 5.4.31 and 6.3.8, `SessionStrategyListene… |
| CVE-2023-46446 | unknown | — | — | | | | 3y ago | An issue in AsyncSSH before 2.14.1 allows attackers to control the remote end of an SSH client session via packet injection/removal and shell emulation, aka a "Rogue Session Attack." |
| CVE-2023-46445 | unknown | — | — | | | | 3y ago | An issue in AsyncSSH before 2.14.1 allows attackers to control the extension info message (RFC 8308) via a man-in-the-middle attack, aka a "Rogue Extension Negotiation." |
| CVE-2023-46732 | unknown | — | — | | | | 3y ago | XWiki Platform vulnerable to reflected cross-site scripting through revision parameter in content menu |
| CVE-2023-46731 | unknown | — | — | | | | 3y ago | XWiki Platform vulnerable to remote code execution through the section parameter in Administration as guest |
| CVE-2023-39913 | unknown | — | — | | | | 3y ago | Apache UIMA Java SDK Deserialization of Untrusted Data, Improper Input Validation vulnerability |
| CVE-2023-4061 | unknown | — | — | | | | 3y ago | wildfly-core Exposure of Sensitive Information to an Unauthorized Actor vulnerability |
| CVE-2023-46244 | unknown | — | — | | | | 3y ago | XWiki Platform privilege escalation from script right to programming right through title displayer |
| CVE-2023-46243 | unknown | — | — | | | | 3y ago | XWiki Platform vulnerable to privilege escalation and remote code execution via the edit action |
| CVE-2023-46242 | unknown | — | — | | | | 3y ago | XWiki Platform vulnerable to remote code execution via the edit action because it lacks a CSRF token |
| CVE-2023-5763 | unknown | — | — | | | | 3y ago | Eclipse GlassFish remote code execution issue |
| CVE-2023-4043 | unknown | — | — | | | | 3y ago | Eclipse Parsson Denial of Service vulnerability |
| CVE-2023-31579 | unknown | — | — | | | | 3y ago | Dromara Lamp-Cloud Use of Hard-coded Cryptographic Key |
| CVE-2023-46129 | unknown | — | — | | | | 3y ago | NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. The cryptographic key handling library, nkeys, recent… |
| CVE-2023-46502 | unknown | — | — | | | | 3y ago | OpenCRX allows a remote attacker to execute arbitrary code via a crafted request |
| CVE-2023-31418 | unknown | — | — | | | | 3y ago | Elasticsearch vulnerable to Uncontrolled Resource Consumption |
| CVE-2023-31417 | unknown | — | — | | | | 3y ago | Elasticsearch allows insertion of sensitive information into log files when using deprecated URIs |
| CVE-2023-31419 | unknown | — | — | | | | 3y ago | Elasticsearch vulnerable to stack overflow in the search API |
| CVE-2023-45137 | unknown | — | — | | | | 3y ago | XWiki Platform vulnerable to XSS with edit right in the create document form for existing pages |
| CVE-2023-45136 | unknown | — | — | | | | 3y ago | XWiki Platform web templates vulnerable to reflected XSS in the create document form if name validation is enabled |
| CVE-2023-45135 | unknown | — | — | | | | 3y ago | XWiki users can be tricked into executing scripts because the create page action doesn't display the page's title |
| CVE-2023-45134 | unknown | — | — | | | | 3y ago | XWiki Platform XSS vulnerability from account in the create page form via template provider |
| CVE-2023-37913 | unknown | — | — | | | | 3y ago | org.xwiki.platform:xwiki-platform-office-importer vulnerable to arbitrary server-side file writing from account through office converter |
| CVE-2023-37912 | unknown | — | — | | | | 3y ago | XWiki Rendering's footnote macro vulnerable to privilege escalation via the footnote macro |
| CVE-2023-37911 | unknown | — | — | | | | 3y ago | org.xwiki.platform:xwiki-platform-oldcore may leak data through deleted and re-created documents |
| CVE-2023-37910 | unknown | — | — | | | | 3y ago | org.xwiki.platform:xwiki-platform-attachment-api vulnerable to Missing Authorization on Attachment Move |
| CVE-2023-37909 | unknown | — | — | | | | 3y ago | Privilege escalation (PR)/remote code execution from account through Menu.UIExtensionSheet |
| CVE-2023-37908 | unknown | — | — | | | | 3y ago | org.xwiki.rendering:xwiki-rendering-xml Improper Neutralization of Invalid Characters in Identifiers in Web Pages vulnerability |
| CVE-2023-5752 | unknown | — | — | | | | 3y ago | When installing a package from a Mercurial VCS URL (i.e. "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to th… |
| CVE-2023-46650 | unknown | — | — | | | | 3y ago | Stored XSS vulnerability in Jenkins GitHub Plugin |