vulns

---

Vulnerability Notes

• CVE-2016-15030 | Arno0x TwoFactorAuth login/login.php from redirect
• CVE-2016-5346 | Google Pixel/Pixel SL Qualcomm Avtimer Driver information disclosure (BID-97371 / ID 1038201)
• CVE-2015-10097 | grinnellplans-php up to 3.0 read.php interface_disp_page/interface_disp_page sql injection
• CVE-2023-1616 | XiaoBingBy TeaCMS up to 2.0.2 Article Title cross site scripting (I6L9Z2)
• CVE-2023-1518 | CP Plus KVMS Pro up to 2.01.0.T.190521 insufficiently protected credentials (icsa-23-082-02)
• CVE-2023-1516 | RoboDK up to 5.5.3 permission assignment (icsa-23-082-01)
• CVE-2023-28712 | ProPump and Controls Osprey Pump Controller 1.01 command injection (icsa-23-082-06)
• CVE-2023-28718 | ProPump and Controls Osprey Pump Controller 1.01 HTTP Request cross-site request forgery (icsa-23-082-06)
• CVE-2023-28398 | ProPump and Controls Osprey Pump Controller 1.01 authentication bypass (icsa-23-082-06)
• CVE-2023-28648 | ProPump and Controls Osprey Pump Controller 1.01 GET Parameter cross site scripting (icsa-23-082-06)
• CVE-2023-27394 | ProPump and Controls Osprey Pump Controller 1.01 GET Parameter DataLogView.php os command injection (icsa-23-082-06)
• CVE-2023-27886 | ProPump and Controls Osprey Pump Controller 1.01 POST Parameter index.php os command injection (icsa-23-082-06)
• CVE-2023-28654 | ProPump and Controls Osprey Pump Controller 1.01 Web Management Interface hard-coded password (icsa-23-082-06)
• CVE-2023-28375 | ProPump and Controls Osprey Pump Controller 1.01 get request method with sensitive query strings (icsa-23-082-06)
• CVE-2023-28395 | ProPump and Controls Osprey Pump Controller 1.01 Token Generation entropy (icsa-23-082-06)
• CVE-2022-41354 | argocd API information disclosure
• CVE-2020-24857 | IXPManager 5.6.0 Looking Glass cross site scripting
• CVE-2023-28335 | Moodle Template Reset cross-site request forgery
• CVE-2023-28332 | Moodle Algebra Filter cross site scripting
• CVE-2023-28331 | Moodle Database Auto-linking cross site scripting
• CVE-2023-25655 | baserCMS up to 4.7.4 unrestricted upload (GHSA-mfvg-qwcw-qvc8)
• CVE-2023-24295 | SoftMaker FlexiPDF 3.0.3.0 stack-based overflow
• CVE-2023-28611 | OMICRON StationGuard/StationScout access control
• CVE-2023-28336 | Moodle Grade Report History information disclosure
• CVE-2023-28334 | Moodle Learning Plans Page information disclosure
• CVE-2023-28330 | Moodle Backup information disclosure
• CVE-2023-28329 | Moodle profile sql injection
• CVE-2023-1402 | Moodle Course Participation Report information disclosure
• CVE-2023-27034 | jmsblog 2.5.5 on PrestaShop sql injection
• CVE-2022-36413 | Zoho ManageEngine ADSelfService Plus up to 6203 IDM Application password recovery
• CVE-2023-28443 | Directus up to 9.23.2 log file (GHSA-8vg2-wf3q-mwv7)
• CVE-2022-3146 | tripleo-ansible permission assignment
• CVE-2022-3101 | tripleo-ansible permission assignment
• CVE-2020-19786 | CSKaza CSZ CMS up to 1.2.2 PHP unrestricted upload (ID 20)
• CVE-2023-28333 | Mustache Pix Helper implemented/exploitable injection
• CVE-2023-28441 | smartCARS 3 up to 0.5.8 Failed Login log file (GHSA-fp42-c8g2-5jc7)
• CVE-2023-20861 | VMware Spring Framework up to 5.2.22/5.3.25/6.0.6 SpEL Expression denial of service
• CVE-2023-20859 | VMware Spring Vault up to 2.3.2/3.0.1 log file
• CVE-2023-1513 | Linux Kernel on 32-bit KVM arch/x86/kvm/x86.c kvm_vcpu_ioctl_x86_get_debugregs initialization
• CVE-2023-25654 | baserCMS up to 4.7.4 Management System unrestricted upload (GHSA-h4cc-fxpp-pgw9)
• CVE-2023-28442 | GeoNode prior 2.18.7/2.19.6/2.20.6 Geoserver REST API Endpoint status information disclosure (GHSA-87mh-vw7c-5v6w)
• CVE-2023-28818 | Veritas NetBackup IT Analytics up to 11.1.x Application Upgrade data authenticity
• CVE-2023-28686 | Dino up to 0.2.2/0.3.1/0.4.1 Message access control
• CVE-2023-1544 | QEMU Paravirtual RDMA Device out-of-bounds
• CVE-2023-1289 | ImageMagick SVG File /tmp memory corruption (GHSA-j96m-mjp6-99xr)
• CVE-2023-28445 | Deno 1.32.0 Asynchronous Operation read/write out-of-bounds write (GHSA-c25x-cm9x-qqgx)
• CVE-2023-24787 | ChurchCRM 4.5.3 EventAttendance.php Event sql injection
• CVE-2023-24788 | NotrinosERP 0.7 customer_delivery.php OrderNumber sql injection
• CVE-2023-1249 | Linux Kernel Core Dump Subsystem fill_files_note use after free (390031c94211)
• CVE-2023-28436 | Tailscale up to 1.38.1 on FreeBSD SSH privileges management (GHSA-vfgq-g5x8-g595)
• CVE-2023-26361 | Adobe ColdFusion 2021 Update 5/up to 2018 Update 15 path traversal (apsb23-25)
• CVE-2023-26360 | Adobe ColdFusion 2021 Update 5/up to 2018 Update 15 access control (apsb23-25)
• CVE-2023-26359 | Adobe ColdFusion 2021 Update 5/up to 2018 Update 15 deserialization (apsb23-25)
• CVE-2023-1605 | radare2 up to 5.8.5 resource consumption
• CVE-2023-28652 | SAUTER EY-AS525F001 Image unrestricted upload (icsa-23-082-03)
• CVE-2023-27927 | SAUTER EY-AS525F001 SMTP cleartext transmission (icsa-23-082-03)
• CVE-2023-22300 | SAUTER EY-AS525F001 cross site scripting (icsa-23-082-03)
• CVE-2023-28655 | SAUTER EY-AS525F001 cross site scripting (icsa-23-082-03)
• CVE-2023-28650 | SAUTER EY-AS525F001 cross site scripting (icsa-23-082-03)
• CVE-2023-1613 | Rebuild up to 3.2.3 /feeds/post/publish cross site scripting (ID 596)
• CVE-2023-1612 | Rebuild up to 3.2.3 /files/list-file sql injection
• CVE-2023-1610 | Rebuild up to 3.2.3 /project/tasks/list sql injection (ID 597)
• VDB-223741 | Amazon AWS Control Tower Log permission
• VDB-223740 | Amazon AWS Service Catalog CloudTrail access control
• CVE-2023-1609 | Zhong Bang CRMEB Java up to 1.3.4 save cross site scripting (ID 12)
• CVE-2023-1608 | Zhong Bang CRMEB Java up to 1.3.4 list getAdminList cateId sql injection (ID 11)
• CVE-2023-1607 | novel-plus 3.6.2 /common/sysFile/list sort sql injection
• CVE-2023-1606 | novel-plus 3.6.2 DictController.java orderby sql injection
• CVE-2023-25456 | Klaviyo Plugin up to 3.0.7 on WordPress cross site scripting
• CVE-2023-27094 | OpenGoofy Hippo4j 1.4.3 Tenant Management Module Privilege Escalation (ID 1059)
• CVE-2023-23707 | Awsm Innovations Embed Any Document Plugin up to 2.7.1 on WordPress File Upload cross site scripting
• CVE-2022-28496 | TOTOLink Outdoor CPE CP900 6.3c.566_B2017102 Request setPasswordCfg adminuser/adminpass command injection
• CVE-2023-26008 | Ajay D'Souza Top 10 Plugin up to 3.2.4 on WordPress cross site scripting
• CVE-2022-47145 | Blockonomics WordPress Bitcoin Payments Plugin up to 3.5.7 on WordPress cross site scripting
• CVE-2023-1140 | Delta Electronics InfraSuite Device Master prior 1.0.5 missing authentication (icsa-23-080-02)
• CVE-2023-1135 | Delta Electronics InfraSuite Device Master prior 1.0.5 permission assignment (icsa-23-080-02)
• CVE-2023-1141 | Delta Electronics InfraSuite Device Master prior 1.0.5 command injection (icsa-23-080-02)
• CVE-2023-1136 | Delta Electronics InfraSuite Device Master prior 1.0.5 Token improper authentication (icsa-23-080-02)
• CVE-2023-1142 | Delta Electronics InfraSuite Device Master prior 1.0.5 URL path traversal (icsa-23-080-02)
• CVE-2023-1134 | Delta Electronics InfraSuite Device Master prior 1.0.5 path traversal (icsa-23-080-02)
• CVE-2023-1143 | Delta Electronics InfraSuite Device Master prior 1.0.5 Lua Script routine (icsa-23-080-02)
• CVE-2023-1137 | Delta Electronics InfraSuite Device Master prior 1.0.5 access control (icsa-23-080-02)
• CVE-2023-1144 | Delta Electronics InfraSuite Device Master prior 1.0.5 Device-Gateway Service access control (icsa-23-080-02)
• CVE-2023-1138 | Delta Electronics InfraSuite Device Master prior 1.0.5 Gateway Configuration File access control (icsa-23-080-02)
• CVE-2023-1145 | Delta Electronics InfraSuite Device Master prior 1.0.5 Device-DataCollect Service deserialization (icsa-23-080-02)
• CVE-2023-1139 | Delta Electronics InfraSuite Device Master prior 1.0.5 Device-gateway Service deserialization (icsa-23-080-02)
• CVE-2023-1133 | Delta Electronics InfraSuite Device Master prior 1.0.5 Device-status Service deserialization (icsa-23-080-02)
• VDB-223716 | Amazon AWS CodeBuild/AWS ECR IAM Policy insecure inherited permissions
• CVE-2023-28620 | Cyberus Key Plugin up to 1.0 on WordPress Setting cyberkey_settings uid cross site scripting
• CVE-2023-23863 | TreePress Easy Family Trees & Ancestor Profiles Plugin up to 2.0.22 on WordPress post_title cross site scripting
• CVE-2023-0546 | FluentForms Plugin up to 4.3.24 on WordPress cross site scripting
• CVE-2023-23897 | Simple Mobile URL Redirect Plugin up to 1.7.2 on WordPress cross-site request forgery
• CVE-2022-47439 | Open Graphite Plugin up to 1.6.0 on WordPress topic cross site scripting
• CVE-2023-23883 | WP Content Filter Plugin up to 3.0.1 on WordPress cross site scripting
• CVE-2023-28536 | Branded Social Images Plugin up to 1.1.0 on WordPress Setting authorization
• CVE-2023-23664 | ConvertBox Auto Embed Plugin up to 1.0.19 on WordPress Shortcode cross site scripting
• CVE-2023-27618 | Store Locator Plugin up to 1.4.9 on WordPress category_name/description/description_2 cross site scripting
• CVE-2023-23884 | Kanban Boards Plugin up to 2.5.20 on WordPress cross site scripting
• CVE-2023-20113 | Cisco SD-WAN vManage Software cross-site request forgery (cisco-sa-vman-csrf-76RDbLEh)