CVEs from 2023
Total: 6,208
Critical: 239
High: 1,497
Medium: 1,400
Low: 30
% Critical: 3.8%
% with KEV: 2.6%
% with exploit: 3.4%
The four severity counts sum to 3,166; the remaining 3,042 entries have no severity assigned (listed as "unknown" in the table below).
Top products
- office 29
- office_long_term_servicing_channel 15
- 365_apps 14
- ftmg-esr50sxx 8
- ftmg-esn40sxx 8
- ftmg-esd25axx 8
- ftmg-esr40sxx 8
- ftmg-esd15axx 8
| CVE | Severity | CVSS | Risk | Published | Description |
|---|---|---|---|---|---|
| CVE-2023-37910 | unknown | — | — | 3y ago | org.xwiki.platform:xwiki-platform-attachment-api vulnerable to Missing Authorization on Attachment Move |
| CVE-2023-37909 | unknown | — | — | 3y ago | Privilege escalation (PR)/remote code execution from account through Menu.UIExtensionSheet |
| CVE-2023-37908 | unknown | — | — | 3y ago | org.xwiki.rendering:xwiki-rendering-xml Improper Neutralization of Invalid Characters in Identifiers in Web Pages vulnerability |
| CVE-2023-5752 | unknown | — | — | 3y ago | When installing a package from a Mercurial VCS URL (ie "pip install hg+...") with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to th… |
| CVE-2023-46653 | unknown | — | — | 3y ago | Jenkins lambdatest-automation Plugin may expose Credentials access token |
| CVE-2023-46655 | unknown | — | — | 3y ago | Jenkins CloudBees CD Plugin vulnerable to arbitrary file read |
| CVE-2023-46651 | unknown | — | — | 3y ago | Jenkins Warnings Plugin exposes system-scoped credentials |
| CVE-2023-46660 | unknown | — | — | 3y ago | Non-constant time webhook token hash comparison in Jenkins Zanata Plugin |
| CVE-2023-46654 | unknown | — | — | 3y ago | Jenkins CloudBees CD Plugin vulnerable to arbitrary file deletion |
| CVE-2023-46656 | unknown | — | — | 3y ago | Jenkins Multibranch Scan Webhook Trigger Plugin uses non-constant time webhook token comparison |
| CVE-2023-46657 | unknown | — | — | 3y ago | Jenkins Gogs Plugin uses non-constant time webhook token comparison |
| CVE-2023-46652 | unknown | — | — | 3y ago | Jenkins lambdatest-automation Plugin missing permission check |
| CVE-2023-46650 | unknown | — | — | 3y ago | Stored XSS vulnerability in Jenkins GitHub Plugin |
| CVE-2023-46658 | unknown | — | — | 3y ago | Jenkins MSTeams Webhook Trigger Plugin uses non-constant time webhook token comparison |
| CVE-2023-46659 | unknown | — | — | 3y ago | Jenkins Edgewall Trac Plugin vulnerable to Stored XSS |
| CVE-2023-43961 | unknown | — | — | 3y ago | SaToken authentication bypass vulnerability |
| CVE-2023-44794 | unknown | — | — | 3y ago | SaToken privilege escalation vulnerability |
| CVE-2023-31581 | unknown | — | — | 3y ago | Sureness uses hardcoded key |
| CVE-2023-31582 | unknown | — | — | 3y ago | jose4j uses weak cryptographic algorithm |
| CVE-2023-31580 | unknown | — | — | 3y ago | light-oauth2 missing public key verification |
| CVE-2023-43795 | unknown | — | — | 3y ago | WPS Server Side Request Forgery vulnerability |
| CVE-2023-41339 | unknown | — | — | 3y ago | Unsecured WMS dynamic styling sld=<url> parameter affords blind unauthenticated SSRF |
| CVE-2023-46122 | unknown | — | — | 3y ago | sbt vulnerable to arbitrary file write via archive extraction (Zip Slip) |
| CVE-2023-46120 | unknown | — | — | 3y ago | RabbitMQ Java client's Lack of Message Size Limitation leads to Remote DoS Attack |
| CVE-2023-45805 | unknown | — | — | 3y ago | pdm is a Python package and dependency manager supporting the latest PEP standards. It's possible to craft a malicious `pdm.lock` file that could allow e.g. an insider or a malicious open source proj… |
| CVE-2023-44483 | unknown | — | — | 3y ago | Apache Santuario - XML Security for Java is vulnerable to private key disclosure |
| CVE-2023-45279 | unknown | — | — | 3y ago | Yamcs Cross-site Scripting vulnerability |
| CVE-2023-45280 | unknown | — | — | 3y ago | Yamcs Cross-site Scripting vulnerability |
| CVE-2023-44690 | unknown | — | — | 3y ago | Inadequate encryption strength in mycli 1.27.0 allows attackers to view sensitive information via /mycli/config.py |
| CVE-2023-45277 | unknown | — | — | 3y ago | Yamcs Path Traversal vulnerability |
| CVE-2023-45278 | unknown | — | — | 3y ago | Yamcs API Directory Traversal vulnerability |
| CVE-2023-47090 | unknown | — | — | 3y ago | NATS nats-server before 2.9.23 and 2.10.x before 2.10.2 has an authentication bypass. An implicit $G user in an authorization block can sometimes be used for unauthenticated access, even when the int… |
| CVE-2023-46227 | unknown | — | — | 3y ago | Apache InLong Deserialization of Untrusted Data Vulnerability |
| CVE-2023-25753 | unknown | — | — | 3y ago | Apache Shenyu Server Side Request Forgery vulnerability |
| CVE-2023-22102 | unknown | — | — | 3y ago | MySQL Connectors takeover vulnerability |
| CVE-2023-42627 | unknown | — | — | 3y ago | Liferay Portal and Liferay DXP Vulnerable to XSS in the Commerce Module |
| CVE-2023-45807 | unknown | — | — | 3y ago | OpenSearch Issue with tenant read-only permissions |
| CVE-2023-45669 | unknown | — | — | 3y ago | WebAuthn4J Spring Security Improper signature counter value handling |
| CVE-2023-45144 | unknown | — | — | 3y ago | XWiki Identity Oauth Privilege escalation (PR)/remote code execution from login screen through unescaped URL parameter |
| CVE-2023-44311 | unknown | — | — | 3y ago | Liferay Portal and Liferay DXP Vulnerable to XSS via the OAuth2ProviderApplicationRedirect Class |
| CVE-2023-42628 | unknown | — | — | 3y ago | Liferay Portal and Liferay DXP Vulnerable to XSS in the Wiki Widget |
| CVE-2023-44310 | unknown | — | — | 3y ago | Liferay Portal and Liferay DXP Vulnerable to XSS via the Page Tree Menu |
| CVE-2023-44309 | unknown | — | — | 3y ago | Liferay Portal and Liferay DXP Vulnerable to XSS in the Fragment Components |
| CVE-2023-42629 | unknown | — | — | 3y ago | Liferay Portal and Liferay DXP Vulnerable to Stored XSS in the Manage Vocabulary Page |
| CVE-2023-42497 | unknown | — | — | 3y ago | Liferay Portal and Liferay DXP Vulnerable to Reflected XSS via the Export for Translation Page |
| CVE-2023-45138 | unknown | — | — | 3y ago | XWiki Change Request Application UI XSS and remote code execution through change request title |
| CVE-2023-43666 | unknown | — | — | 3y ago | Insufficient Verification of Data Authenticity in Apache InLong |
| CVE-2023-43668 | unknown | — | — | 3y ago | Authorization Bypass in Apache InLong |
| CVE-2023-43667 | unknown | — | — | 3y ago | SQL Injection in Apache InLong |
| CVE-2023-44981 | unknown | — | — | 3y ago | Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper |
| CVE-2023-36478 | unknown | — | — | 3y ago | HTTP/2 HPACK integer overflow and buffer allocation |
| CVE-2023-36566 | unknown | — | — | 3y ago | Microsoft Common Data Model SDK Denial of Service Vulnerability |
| CVE-2023-25822 | unknown | — | — | 3y ago | Denial of service vulnerability on creating a Launch with too many recursively nested elements in reportportal |
| CVE-2023-43643 | unknown | — | — | 3y ago | mXSS in AntiSamy |
| CVE-2023-45303 | unknown | — | — | 3y ago | ThingsBoard Server-Side Template Injection |
| CVE-2023-36820 | unknown | — | — | 3y ago | io.micronaut.security:micronaut-security-oauth2 has invalid IdTokenClaimsValidator logic on aud |
| CVE-2023-4586 | unknown | — | — | 3y ago | Withdrawn Advisory: Netty-handler does not validate host names by default |
| CVE-2023-1584 | unknown | — | — | 3y ago | Quarkus OIDC can leak both ID and access tokens |
| CVE-2023-44270 | unknown | — | — | 3y ago | An issue was discovered in PostCSS before 8.4.31. The vulnerability affects linters using PostCSS to parse external untrusted CSS. An attacker can prepare CSS in such a way that it will contain part… |
| CVE-2023-39410 | unknown | — | — | 3y ago | Apache Avro Java SDK vulnerable to Improper Input Validation |
| CVE-2023-3223 | unknown | — | — | 3y ago | Undertow vulnerable to denial of service |
| CVE-2023-43642 | unknown | — | — | 3y ago | snappy-java's missing upper bound check on chunk length can lead to Denial of Service (DoS) impact |
| CVE-2023-40989 | unknown | — | — | 3y ago | SQL injection in jeecgboot |
| CVE-2023-43498 | unknown | — | — | 3y ago | Jenkins temporary uploaded file created with insecure permissions |
| CVE-2023-43497 | unknown | — | — | 3y ago | Jenkins temporary uploaded file created with insecure permissions |
| CVE-2023-43501 | unknown | — | — | 3y ago | Jenkins Build Failure Analyzer Plugin missing permission check |
| CVE-2023-43502 | unknown | — | — | 3y ago | Jenkins Build Failure Analyzer Plugin Cross-Site Request Forgery vulnerability |
| CVE-2023-43496 | unknown | — | — | 3y ago | Jenkins temporary plugin file created with insecure permissions |
| CVE-2023-43495 | unknown | — | — | 3y ago | Jenkins Cross-site Scripting vulnerability |
| CVE-2023-43500 | unknown | — | — | 3y ago | Jenkins Build Failure Analyzer Plugin Cross-Site Request Forgery vulnerability |
| CVE-2023-43494 | unknown | — | — | 3y ago | Jenkins does not exclude sensitive build variables from search |
| CVE-2023-4853 | unknown | — | — | 3y ago | Quarkus HTTP vulnerable to incorrect evaluation of permissions |
| CVE-2023-34047 | unknown | — | — | 3y ago | Spring for GraphQL may be exposed to GraphQL context with values from a different session |
| CVE-2023-4759 | unknown | — | — | 3y ago | Arbitrary File Overwrite in Eclipse JGit |
| CVE-2023-41900 | unknown | — | — | 3y ago | Jetty's OpenId Revoked authentication allows one request |
| CVE-2023-40167 | unknown | — | — | 3y ago | Jetty accepts "+" prefixed value in Content-Length |
| CVE-2023-36479 | unknown | — | — | 3y ago | Jetty vulnerable to errant command quoting in CGI Servlet |
| CVE-2023-1108 | unknown | — | — | 3y ago | Undertow denial of service vulnerability |
| CVE-2023-42503 | unknown | — | — | 3y ago | Apache Commons Compress denial of service vulnerability |
| CVE-2023-26141 | unknown | — | — | 3y ago | Versions of the package sidekiq before 7.1.3 are vulnerable to Denial of Service (DoS) due to insufficient checks in the dashboard-charts.js file. An attacker can exploit this vulnerability by manipu… |
| CVE-2023-4918 | unknown | — | — | 3y ago | Keycloak vulnerable to Plaintext Storage of User Password |
| CVE-2023-41887 | unknown | — | — | 3y ago | OpenRefine Remote Code execution in project import with mysql jdbc url attack |
| CVE-2023-41886 | unknown | — | — | 3y ago | OpenRefine vulnerable to arbitrary file read in project import with mysql jdbc url attack |
| CVE-2023-42278 | unknown | — | — | 3y ago | hutool Buffer Overflow vulnerability |
| CVE-2023-42277 | unknown | — | — | 3y ago | hutool Buffer Overflow vulnerability |
| CVE-2023-42276 | unknown | — | — | 3y ago | hutool Buffer Overflow vulnerability |
| CVE-2023-42268 | unknown | — | — | 3y ago | Jeecg boot SQL Injection vulnerability |
| CVE-2023-41578 | unknown | — | — | 3y ago | Jeecg boot arbitrary file read vulnerability |
| CVE-2023-41329 | unknown | — | — | 3y ago | Domain restrictions bypass via DNS Rebinding in WireMock and WireMock Studio webhooks, proxy and recorder modes |
| CVE-2023-41327 | unknown | — | — | 3y ago | WireMock Controlled Server Side Request Forgery vulnerability through URL |
| CVE-2023-41933 | unknown | — | — | 3y ago | Job Configuration History Plugin's path traversal allows exploiting XXE vulnerability |
| CVE-2023-41941 | unknown | — | — | 3y ago | Missing permission check in Jenkins AWS CodeCommit Trigger Plugin allows enumerating credentials IDs |
| CVE-2023-41932 | unknown | — | — | 3y ago | Path traversal allows exploiting XXE vulnerability in Jenkins Job Configuration History Plugin |
| CVE-2023-41935 | unknown | — | — | 3y ago | Non-constant time nonce comparison in Jenkins Microsoft Entra ID (previously Azure AD) Plugin |
| CVE-2023-41939 | unknown | — | — | 3y ago | Disabled permissions can be granted by Jenkins SSH2 Easy Plugin |
| CVE-2023-41937 | unknown | — | — | 3y ago | SSRF vulnerability in Jenkins Bitbucket Push and Pull Request Plugin allows capturing credentials |
| CVE-2023-41940 | unknown | — | — | 3y ago | Stored XSS vulnerability in Jenkins TAP Plugin |
| CVE-2023-41944 | unknown | — | — | 3y ago | HTML injection vulnerability in Jenkins AWS CodeCommit Trigger Plugin |
| CVE-2023-41938 | unknown | — | — | 3y ago | CSRF vulnerability in Jenkins Ivy Plugin |
| CVE-2023-41930 | unknown | — | — | 3y ago | Path traversal in Jenkins Job Configuration History Plugin |
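Several entries in the table (CVE-2023-46660, CVE-2023-46656, CVE-2023-46657, CVE-2023-46658 and the nonce variant CVE-2023-41935) are the same bug class: a webhook token or nonce compared with an ordinary early-exit string comparison. The following is an added example, not code from Jenkins or from any of those plugins, showing why that leaks the secret and what the fix looks like. It replaces wall-clock timing with a deterministic count of bytes examined, and the token, its hex alphabet and the 0x00 padding are constructed for the demo.

```python
"""Early-exit vs constant-time token comparison (added example, not plugin code)."""
import hmac

HEX_ALPHABET = b"0123456789abcdef"  # constructed: tokens in this demo are lowercase hex


def early_exit_equal(secret: bytes, guess: bytes) -> tuple[bool, int]:
    """Vulnerable pattern: stop at the first mismatching byte, as String.equals and
    memcmp-style code do. Returns (match, bytes_examined); bytes_examined stands in
    for elapsed time, which is what a remote attacker actually measures."""
    if len(secret) != len(guess):
        return False, 0
    examined = 0
    for a, b in zip(secret, guess):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def constant_time_equal(secret: bytes, guess: bytes) -> tuple[bool, int]:
    """Hardened pattern: touch every byte and fold mismatches with OR, so neither the
    iteration count nor any branch depends on where the first mismatch is. Token
    length is fixed and public here, so the length check leaks nothing useful."""
    if len(secret) != len(guess):
        return False, 0
    diff = 0
    for a, b in zip(secret, guess):
        diff |= a ^ b
    return diff == 0, len(secret)


def recover_token(oracle, length: int, alphabet: bytes = HEX_ALPHABET) -> bytes:
    """Attacker side: grow the known prefix one byte at a time, keeping the candidate
    whose comparison cost the most. 0x00 padding never matches a hex byte, so against
    early_exit_equal a wrong candidate at position i costs i+1 steps and the right one
    i+2. Total work is length * len(alphabet) requests instead of len(alphabet)**length.
    Against constant_time_equal every candidate costs the same and the walk fails."""
    known = b""
    for pos in range(length):
        best_byte, best_cost = alphabet[0], -1
        for c in alphabet:
            guess = known + bytes([c]) + b"\x00" * (length - pos - 1)
            matched, cost = oracle(guess)
            if matched:
                return guess
            if cost > best_cost:
                best_byte, best_cost = c, cost
        known += bytes([best_byte])
    return known


def check_webhook_token(expected: str, presented: str) -> bool:
    """What a webhook handler should call: the standard library's constant-time compare."""
    return hmac.compare_digest(expected.encode(), presented.encode())


if __name__ == "__main__":
    secret = b"a3f9c1"  # constructed demo token, not a real credential
    print(recover_token(lambda g: early_exit_equal(secret, g), len(secret)))     # b'a3f9c1'
    print(recover_token(lambda g: constant_time_equal(secret, g), len(secret)))  # b'000000'
```

On a real network the per-byte difference is nanoseconds and has to be averaged over many requests, but the search cost stays linear in the token length, which is why the advisories treat it as a credential-recovery issue rather than a theoretical one. The Java equivalent of `hmac.compare_digest` for the plugins above is `java.security.MessageDigest.isEqual(byte[], byte[])`; the same rule applies to nonces, HMAC tags and API keys.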