CVEs from 2023

Total: 6,211
- critical: 239
- high: 1,498
- medium: 1,404
- low: 30

% Critical: 3.8%
% with KEV: 2.6%
% with exploit: 3.4%
Top products
- office 29
- office_long_term_servicing_channel 15
- 365_apps 14
- ftmg-esr50sxx 8
- ftmg-esn40sxx 8
- ftmg-esd25axx 8
- ftmg-esr40sxx 8
- ftmg-esd15axx 8
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-32999 | unknown | — | — | | | | 3y ago | Jenkins AppSpider Plugin missing permission check |
| CVE-2023-33002 | unknown | — | — | | | | 3y ago | TestComplete support Plugin vulnerable to stored Cross-site Scripting |
| CVE-2023-32981 | unknown | — | — | | | | 3y ago | Jenkins Pipeline Utility Steps Plugin arbitrary file write vulnerability |
| CVE-2023-32989 | unknown | — | — | | | | 3y ago | Jenkins Azure VM Agents Plugin Cross-site Request Forgery vulnerability |
| CVE-2023-31890 | unknown | — | — | | | | 3y ago | glazedlists XML Deserialization vulnerability |
| CVE-2023-32068 | unknown | — | — | | | | 3y ago | org.xwiki.platform:xwiki-platform-oldcore Open Redirect vulnerability |
| CVE-2023-32081 | unknown | — | — | | | | 3y ago | Vert.x STOMP server processes client frames that did not initially send a connect frame |
| CVE-2023-32082 | unknown | — | — | | | | 3y ago | etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.26 and 3.5.9, the LeaseTimeToLive API allows access to key names (not value) associated to a lease wh… |
| CVE-2023-29032 | unknown | — | — | | | | 3y ago | Apache OpenMeetings Improper Authentication vulnerability |
| CVE-2023-29246 | unknown | — | — | | | | 3y ago | Apache OpenMeetings vulnerable to remote code execution via null-byte injection |
| CVE-2023-32070 | unknown | — | — | | | | 3y ago | Improper Neutralization of Script in Attributes in XWiki (X)HTML renderers |
| CVE-2023-32069 | unknown | — | — | | | | 3y ago | Privilege escalation (PR)/RCE from account through class sheet |
| CVE-2023-31141 | unknown | — | — | | | | 3y ago | OpenSearch issue with fine-grained access control during extremely rare race conditions |
| CVE-2023-31126 | unknown | — | — | | | | 3y ago | Improper Neutralization of Invalid Characters in Data Attribute Names in org.xwiki.commons:xwiki-commons-xml |
| CVE-2023-32071 | unknown | — | — | | | | 3y ago | XWiki Platform vulnerable to RXSS via editor parameter - importinline template |
| CVE-2023-30093 | unknown | — | — | | | | 3y ago | ONOS vulnerable to Cross-site Scripting |
| CVE-2023-30331 | unknown | — | — | | | | 3y ago | Server-side template injection in beetl |
| CVE-2023-30551 | unknown | — | — | | | | 3y ago | Rekor is an open source software supply chain transparency log. Rekor prior to version 1.1.1 may crash due to out of memory (OOM) conditions caused by reading archive metadata files into memory witho… |
| CVE-2023-25827 | unknown | — | — | | | | 3y ago | Cross Site Scripting in OpenTSDB |
| CVE-2023-32007 | unknown | — | — | | | | 3y ago | Apache Spark UI vulnerable to Command Injection |
| CVE-2023-29471 | unknown | — | — | | | | 3y ago | Lightbend Alpakka Kafka logs credentials on debug level |
| CVE-2023-30349 | unknown | — | — | | | | 3y ago | Remote code execution in JFinal CMS |
| CVE-2023-22665 | unknown | — | — | | | | 3y ago | Arbitrary javascript injection in Apache Jena |
| CVE-2023-29924 | unknown | — | — | | | | 3y ago | PowerJob vulnerable to incorrect access control |
| CVE-2023-1892 | unknown | — | — | | | | 3y ago | Cross-site Scripting (XSS) - Reflected in GitHub repository sidekiq/sidekiq prior to 7.0.8. |
| CVE-2023-29525 | unknown | — | — | | | | 3y ago | XWiki Platform vulnerable to privilege escalation from view right on XWiki.Notifications.Code.LegacyNotificationAdministration |
| CVE-2023-29527 | unknown | — | — | | | | 3y ago | XWiki Platform vulnerable to code injection from account through AWM view sheet |
| CVE-2023-29526 | unknown | — | — | | | | 3y ago | XWiki Platform's async and display macro allow displaying and interacting with any document in restricted mode |
| CVE-2023-29524 | unknown | — | — | | | | 3y ago | XWiki Platform vulnerable to code injection from account through XWiki.SchedulerJobSheet |
| CVE-2023-29523 | unknown | — | — | | | | 3y ago | XWiki Platform vulnerable to code injection in display method used in user profiles |
| CVE-2023-29522 | unknown | — | — | | | | 3y ago | XWiki Platform vulnerable to code injection from view right on XWiki.ClassSheet |
| CVE-2023-29521 | unknown | — | — | | | | 3y ago | XWiki Platform vulnerable to code injection from account/view through VFS Tree macro |
| CVE-2023-29520 | unknown | — | — | | | | 3y ago | XWiki Platform vulnerable to page render failure due to broken translations |
| CVE-2023-29519 | unknown | — | — | | | | 3y ago | org.xwiki.platform:xwiki-platform-attachment-ui vulnerable to Code Injection |
| CVE-2023-29518 | unknown | — | — | | | | 3y ago | XWiki Platform vulnerable to privilege escalation from view right using Invitation.InvitationCommon |
| CVE-2023-29517 | unknown | — | — | | | | 3y ago | Exposure of Sensitive Information to an Unauthorized Actor in org.xwiki.platform:xwiki-platform-office-viewer |
| CVE-2023-29516 | unknown | — | — | | | | 3y ago | XWiki Platform vulnerable to privilege escalation from view right on XWiki.AttachmentSelector |
| CVE-2023-29515 | unknown | — | — | | | | 3y ago | XWiki App Within Minutes app grants space admin rights that allows cross-site scripting |
| CVE-2023-29514 | unknown | — | — | | | | 3y ago | XWiki vulnerable to Code Injection in template provider administration |
| CVE-2023-29513 | unknown | — | — | | | | 3y ago | xwiki-platform-web-templates allows users to be created even when registration is disabled without validation via template macro |
| CVE-2023-29512 | unknown | — | — | | | | 3y ago | xwiki-platform-web-templates vulnerable to Eval Injection |
| CVE-2023-20873 | unknown | — | — | | | | 3y ago | Spring Boot Security Bypass with Wildcard Pattern Matching on Cloud Foundry |
| CVE-2023-29528 | unknown | — | — | | | | 3y ago | Cross-site Scripting in org.xwiki.commons:xwiki-commons-xml |
| CVE-2023-25601 | unknown | — | — | | | | 3y ago | Apache DolphinScheduler's python gateway suffered from improper authentication |
| CVE-2023-29926 | unknown | — | — | | | | 3y ago | PowerJob vulnerable to remote code execution |
| CVE-2023-29922 | unknown | — | — | | | | 3y ago | PowerJob vulnerable to Incorrect Access Control via the create user/save interface. |
| CVE-2023-20862 | unknown | — | — | | | | 3y ago | Spring Security logout not clearing security context |
| CVE-2023-29510 | unknown | — | — | | | | 3y ago | Code injection via unescaped translations in xwiki-platform |
| CVE-2023-29197 | unknown | — | — | | | | 3y ago | guzzlehttp/psr7 is a PSR-7 HTTP message library implementation in PHP. Affected versions are subject to improper header parsing. An attacker could sneak in a newline (\n) into both the header names a… |
| CVE-2023-26048 | unknown | — | — | | | | 3y ago | OutOfMemoryError for large multipart without filename in Eclipse Jetty |
| CVE-2023-29923 | unknown | — | — | | | | 3y ago | PowerJob vulnerable to Insecure Permissions |
| CVE-2023-29921 | unknown | — | — | | | | 3y ago | PowerJob Incorrect Access Control vulnerability |
| CVE-2023-26049 | unknown | — | — | | | | 3y ago | Eclipse Jetty's cookie parsing of quoted values can exfiltrate values from other cookies |
| CVE-2023-24831 | unknown | — | — | | | | 3y ago | Apache IoTDB Grafana Connector vulnerable to Improper Authentication |
| CVE-2023-22946 | unknown | — | — | | | | 3y ago | Apache Spark vulnerable to Improper Privilege Management |
| CVE-2023-30535 | unknown | — | — | | | | 3y ago | Snowflake JDBC vulnerable to command injection via SSO URL authentication |
| CVE-2023-20863 | unknown | — | — | | | | 3y ago | Spring Framework vulnerable to denial of service |
| CVE-2023-20866 | unknown | — | — | | | | 3y ago | Spring Session session ID can be logged to the standard output stream |
| CVE-2023-29207 | unknown | — | — | | | | 3y ago | Improper Neutralization of Script-Related HTML Tags (XSS) in the LiveTable Macro |
| CVE-2023-29203 | unknown | — | — | | | | 3y ago | Unauthenticated user can have information about hidden users on subwikis through uorgsuggest.vm |
| CVE-2023-29206 | unknown | — | — | | | | 3y ago | org.xwiki.platform:xwiki-platform-skin-skinx vulnerable to basic Cross-site Scripting by exploiting JSX or SSX plugins |
| CVE-2023-29205 | unknown | — | — | | | | 3y ago | org.xwiki.platform:xwiki-platform-rendering-xwiki vulnerable to stored cross-site scripting via HTML and raw macro |
| CVE-2023-29204 | unknown | — | — | | | | 3y ago | org.xwiki.platform:xwiki-platform-oldcore Open Redirect vulnerability |
| CVE-2023-29202 | unknown | — | — | | | | 3y ago | org.xwiki.platform:xwiki-platform-rendering-macro-rss Cross-site Scripting vulnerability |
| CVE-2023-29201 | unknown | — | — | | | | 3y ago | org.xwiki.commons:xwiki-commons-xml Cross-site Scripting vulnerability |
| CVE-2023-29511 | unknown | — | — | | | | 3y ago | xwiki-platform-administration-ui vulnerable to privilege escalation |
| CVE-2023-30537 | unknown | — | — | | | | 3y ago | org.xwiki.platform:xwiki-platform-flamingo-theme-ui vulnerable to privilege escalation |
| CVE-2023-29509 | unknown | — | — | | | | 3y ago | org.xwiki.platform:xwiki-platform-flamingo-theme-ui Eval Injection vulnerability |
| CVE-2023-29508 | unknown | — | — | | | | 3y ago | org.xwiki.platform:xwiki-platform-livedata-macro vulnerable to Basic Cross-site Scripting |
| CVE-2023-29507 | unknown | — | — | | | | 3y ago | org.xwiki.platform:xwiki-platform-oldcore makes Incorrect Use of Privileged APIs with DocumentAuthors |
| CVE-2023-29506 | unknown | — | — | | | | 3y ago | org.xwiki.platform:xwiki-platform-security-authentication-default XSS with authenticate endpoints |
| CVE-2023-29214 | unknown | — | — | | | | 3y ago | org.xwiki.platform:xwiki-platform-panels-ui Eval Injection vulnerability |
| CVE-2023-29213 | unknown | — | — | | | | 3y ago | org.xwiki.platform:xwiki-platform-logging-ui Eval Injection vulnerability |
| CVE-2023-29212 | unknown | — | — | | | | 3y ago | xwiki.platform:xwiki-platform-panels-ui Eval Injection vulnerability |
| CVE-2023-29211 | unknown | — | — | | | | 3y ago | org.xwiki.platform:xwiki-platform-wiki-ui-mainwiki Eval Injection vulnerability |
| CVE-2023-29210 | unknown | — | — | | | | 3y ago | org.xwiki.platform:xwiki-platform-notifications-ui Eval Injection vulnerability |
| CVE-2023-29209 | unknown | — | — | | | | 3y ago | org.xwiki.platform:xwiki-platform-legacy-notification-activitymacro Eval Injection vulnerability |
| CVE-2023-29208 | unknown | — | — | | | | 3y ago | org.xwiki.platform:xwiki-platform-oldcore vulnerable to data leak through deleted documents |
| CVE-2023-30518 | unknown | — | — | | | | 3y ago | Jenkins Thycotic Secret Server Plugin missing permissions check |
| CVE-2023-30514 | unknown | — | — | | | | 3y ago | Jenkins Azure Key Vault Plugin does not properly mask credentials |
| CVE-2023-30515 | unknown | — | — | | | | 3y ago | Jenkins Thycotic DevOps Secrets Vault Plugin does not properly mask credentials |
| CVE-2023-30513 | unknown | — | — | | | | 3y ago | Jenkins Kubernetes Plugin does not properly mask credentials |
| CVE-2023-30517 | unknown | — | — | | | | 3y ago | Jenkins NeuVector Vulnerability Scanner Plugin disables SSL/TLS certificate and hostname validation |
| CVE-2023-30519 | unknown | — | — | | | | 3y ago | Jenkins Quay.io trigger Plugin webhook endpoint can be accessed without authentication |
| CVE-2023-30516 | unknown | — | — | | | | 3y ago | Jenkins Image Tag Parameter Plugin improperly introduces option to opt out of SSL/TLS certificate validation |
| CVE-2023-30524 | unknown | — | — | | | | 3y ago | Jenkins Report Portal Plugin configuration form does not mask tokens |
| CVE-2023-30525 | unknown | — | — | | | | 3y ago | Jenkins Report Portal Plugin Cross-Site Request Forgery vulnerability |
| CVE-2023-30526 | unknown | — | — | | | | 3y ago | Jenkins Report Portal Plugin missing permissions check |
| CVE-2023-30530 | unknown | — | — | | | | 3y ago | Jenkins Consul KV Builder Plugin stores HashiCorp Consul ACL Token unencrypted |
| CVE-2023-30528 | unknown | — | — | | | | 3y ago | Jenkins WSO2 Oauth Plugin does not mask the WSO2 Oauth client secret on the global configuration form |
| CVE-2023-30520 | unknown | — | — | | | | 3y ago | Jenkins Quay.io trigger Plugin Cross-site Scripting vulnerability |
| CVE-2023-30523 | unknown | — | — | | | | 3y ago | Jenkins Report Portal Plugin allows users with Item/Extended Read permission to view tokens on Jenkins controller |
| CVE-2023-30529 | unknown | — | — | | | | 3y ago | Jenkins Lucene-Search Plugin vulnerable to Cross-Site Request Forgery |
| CVE-2023-30527 | unknown | — | — | | | | 3y ago | Jenkins WSO2 Oauth Plugin stores WSO2 Oauth client secret unencrypted in global config.xml file on Jenkins controller |
| CVE-2023-30521 | unknown | — | — | | | | 3y ago | Jenkins Assembla merge request builder Plugin missing authentication to access endpoint |
| CVE-2023-30531 | unknown | — | — | | | | 3y ago | Jenkins Consul KV Builder Plugin stores HashiCorp Consul ACL Token unencrypted |
| CVE-2023-30532 | unknown | — | — | | | | 3y ago | Lack of authentication mechanism in Jenkins TurboScript Plugin webhook |
| CVE-2023-29216 | unknown | — | — | | | | 3y ago | Apache Linkis DatasourceManager module has deserialization vulnerability |
| CVE-2023-29215 | unknown | — | — | | | | 3y ago | Apache Linkis JDBC EngineConn has deserialization vulnerability |
| CVE-2023-26120 | unknown | — | — | | | | 3y ago | XXL-JOB vulnerable to Cross-site Scripting |