| CVE-ID | Description | CVSS-Score V2 | CVSS-Score V3 |
| --- | --- | --- | --- |
| CVE-2023-28435 | Dataease is an open source data visualization and analysis tool. The permissions for the file upload interface are not checked, so users who are not logged in can upload directly to the background. The file type also goes ... | None | None |
| CVE-2023-28434 | Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `Pos... | None | None |
| CVE-2023-28433 | Minio is a Multi-Cloud Object Storage framework. All users on Windows prior to version RELEASE.2023-03-20T20-16-18Z are impacted. MinIO fails to filter the `\` character, which allows for arbitrary object placement acros... | None | None |
| CVE-2023-28432 | Minio is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including `MINIO_SEC... | None | None |
| CVE-2023-28431 | Frontier is an Ethereum compatibility layer for Substrate. Frontier's `modexp` precompile uses the `num-bigint` crate under the hood. In the implementation prior to pull request 1017, the cases for the modulus being even and mod... | None | None |
| CVE-2023-28430 | OneSignal is an email, SMS, push notification, and in-app message service for mobile apps. The Zapier.yml workflow is triggered on issues (types: [closed]) (i.e., when an Issue is closed). The workflow starts with full wr... | None | None |
| CVE-2023-28429 | Pimcore is an open source data and experience management platform. Versions prior to 10.5.19 have an unsecured tooltip field in the DataObject class definition. This vulnerability has the potential to steal a user's cookie a... | None | 6.1 |
| CVE-2023-28428 | PDFio is a C library for reading and writing PDF files. In versions 1.1.0 and prior, a denial of service vulnerability exists in the pdfio parser. Crafted PDF files can cause the program to run at 100% utilization and ne... | None | 3.3 |
| CVE-2023-28425 | Redis is an in-memory database that persists on disk. Starting in version 7.0.8 and prior to version 7.0.10, authenticated users can use the MSETNX command to trigger a runtime assertion and termination of the Redis serv... | None | 5.5 |
| CVE-2023-28424 | Soko is the code that powers packages.gentoo.org. Prior to version 1.0.2, the two package search handlers, `Search` and `SearchFeed`, implemented in `pkg/app/handler/packages/search.go`, are affected by a SQL injection v... | None | 9.8 |
| CVE-2023-28422 | Auth. (admin+) Stored Cross-site Scripting (XSS) vulnerability in MagePeople Team Event Manager and Tickets Selling Plugin for WooCommerce versions <= 3.8.6. | None | 4.8 |
| CVE-2023-28371 | In Stellarium through 1.2, attackers can write to files that are typically unintended, such as ones with absolute pathnames or `..` directory traversal. | None | 9.8 |
| CVE-2023-28343 | OS command injection affects Altenergy Power Control Software C1.2.5 via shell metacharacters in the index.php/management/set_timezone timezone parameter, because of set_timezone in models/management_model.php. | None | 9.8 |
| CVE-2023-28339 | OpenDoas through 6.8.2, when TIOCSTI is available, allows privilege escalation because of sharing a terminal with the original session. NOTE: TIOCSTI is unavailable in OpenBSD 6.0 and later, and can be made unavailable i... | None | 8.8 |
| CVE-2023-28338 | Any request sent to a Netgear Nighthawk Wifi6 Router (RAX30)'s web service containing a "Content-Type" of "multipartboundary=" will result in the request body being written to "/tmp/mulipartFile" on the device itself. A ... | None | 7.5 |
| CVE-2023-28337 | When uploading a firmware image to a Netgear Nighthawk Wifi6 Router (RAX30), a hidden "forceFWUpdate" parameter may be provided to force the upgrade to complete and bypass certain validation checks. End users can use thi... | None | 8.8 |
| CVE-2023-28336 | Insufficient filtering of grade report history made it possible for teachers to access the names of users they could not otherwise access. | None | None |
| CVE-2023-28335 | The link to reset all templates of a database activity did not include the necessary token to prevent a CSRF risk. | None | None |
| CVE-2023-28334 | Authenticated users were able to enumerate other users' names via the learning plans page. | None | None |
| CVE-2023-28333 | The Mustache pix helper contained a potential Mustache injection risk if combined with user input (note: this did not appear to be implemented/exploitable anywhere in the core Moodle LMS). | None | None |