Skip to main content
CVE-2023-38950 HIGH POC KEV THREAT Act Now

A path traversal vulnerability in the iclock API of ZKTeco BioTime v8.5.5 allows unauthenticated attackers to read arbitrary files via supplying a crafted payload. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Actively exploited in the wild (cisa kev) and public exploit code available.

Path Traversal Biotime
NVD VulDB
CVSS 3.1
7.5
EPSS
84.9%
Threat
7.0
CVE-2023-37679 CRITICAL POC THREAT Emergency

A remote command execution (RCE) vulnerability in NextGen Mirth Connect v4.3.0 allows attackers to execute arbitrary commands on the hosting server. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 97.1%.

Command Injection Mirth Connect
NVD VulDB
CVSS 3.1
9.8
EPSS
97.1%
Threat
6.4
CVE-2023-36255 HIGH POC THREAT Act Now

An issue in Eramba Limited Eramba Enterprise and Community edition v.3.19.1 allows a remote attacker to execute arbitrary code via the path parameter in the URL. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and EPSS exploitation probability 57.4%.

Code Injection RCE Eramba
NVD VulDB
CVSS 3.1
8.8
EPSS
57.4%
Threat
5.0
CVE-2023-36082 CRITICAL POC Act Now

An isssue in GatesAIr Flexiva FM Transmitter/Exiter Fax 150W allows a remote attacker to gain privileges via the LDAP and SMTP credentials. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Flexiva Fax 150W Firmware
NVD
CVSS 3.1
9.8
EPSS
1.0%
CVE-2023-38942 CRITICAL POC Act Now

Dango-Translator v4.5.5 was discovered to contain a remote command execution (RCE) vulnerability via the component app/config/cloud_config.json. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Command Injection Dango Translator
NVD GitHub
CVSS 3.1
9.8
EPSS
1.6%
CVE-2023-36213 CRITICAL POC Act Now

SQL injection vulnerability in MotoCMS v.3.4.3 allows a remote attacker to gain privileges via the keyword parameter of the search function. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Motocms
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
1.1%
CVE-2023-4121 CRITICAL POC Act Now

A vulnerability was found in Byzoro Smart S85F Management Platform up to 20230722. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Smart S85F
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
2.3%
CVE-2023-4120 CRITICAL POC THREAT Act Now

A vulnerability was found in Byzoro Smart S85F Management Platform up to 20230722 and classified as critical.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP Command Injection Smart S85F
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
81.1%
CVE-2023-36217 CRITICAL POC Act Now

Cross Site Scripting vulnerability in Xoops CMS v.2.5.10 allows a remote attacker to execute arbitrary code via the category name field of the image manager function. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE XSS Xoops
NVD GitHub Exploit-DB
CVSS 3.1
9.0
EPSS
1.4%
CVE-2023-36299 HIGH POC PATCH This Week

A File Upload vulnerability in typecho v.1.2.1 allows a remote attacker to execute arbitrary code via the upload and options-general parameters in index.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE File Upload PHP Typecho
NVD GitHub
CVSS 3.1
8.8
EPSS
1.4%
CVE-2023-36298 HIGH POC This Week

DedeCMS v5.7.109 has a File Upload vulnerability, leading to remote code execution (RCE). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload Dedecms
NVD GitHub
CVSS 3.1
8.8
EPSS
1.2%
CVE-2023-4126 HIGH POC PATCH This Week

Insufficient Session Expiration in GitHub repository answerdev/answer prior to v1.1.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Answer
NVD GitHub
CVSS 3.1
8.8
EPSS
0.5%
CVE-2023-4125 HIGH POC PATCH This Week

Weak Password Requirements in GitHub repository answerdev/answer prior to v1.1.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Brute Force Answer
NVD GitHub
CVSS 3.1
8.8
EPSS
0.7%
CVE-2023-36212 HIGH POC THREAT This Week

File Upload vulnerability in Total CMS v.1.7.4 allows a remote attacker to execute arbitrary code via a crafted PHP file to the edit page function. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload PHP Total Cms
NVD GitHub Exploit-DB
CVSS 3.1
8.8
EPSS
23.7%
CVE-2023-38952 HIGH POC This Week

Insecure access control in ZKTeco BioTime through 9.0.1 allows authenticated attackers to escalate their privileges due to the fact that session ids are not validated for the type of user accessing. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Path Traversal Biotime
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
2.4%
CVE-2023-39144 HIGH POC This Week

Element55 KnowMore appliances version 21 and older was discovered to store passwords in plaintext. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Knowmore
NVD GitHub
CVSS 3.1
7.5
EPSS
0.4%
CVE-2023-39121 HIGH POC This Week

emlog v2.1.9 was discovered to contain a SQL injection vulnerability via the component /admin/user.php. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Emlog
NVD GitHub
CVSS 3.1
7.2
EPSS
2.3%
CVE-2023-38948 HIGH POC This Week

An arbitrary file download vulnerability in the /c/PluginsController.php component of jizhi CMS 1.9.5 allows attackers to execute arbitrary code via downloading a crafted plugin. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal RCE Information Disclosure PHP Jizhicms
NVD
CVSS 3.1
7.2
EPSS
0.9%
CVE-2023-38947 HIGH POC This Week

An arbitrary file upload vulnerability in the /languages/install.php component of WBCE CMS v1.6.1 allows attackers to execute arbitrary code via a crafted PHP file. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE File Upload PHP Wbce Cms
NVD GitHub
CVSS 3.1
7.2
EPSS
0.5%
CVE-2023-4138 MEDIUM POC PATCH This Month

Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.8.0. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Rdiffweb
NVD GitHub
CVSS 3.1
6.5
EPSS
0.4%
CVE-2023-3932 MEDIUM POC This Month

An issue has been discovered in GitLab EE affecting all versions starting from 13.12 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Gitlab
NVD
CVSS 3.1
6.5
EPSS
0.9%
CVE-2023-4124 MEDIUM POC PATCH This Month

Missing Authorization in GitHub repository answerdev/answer prior to v1.1.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Authentication Bypass Answer
NVD GitHub
CVSS 3.1
6.5
EPSS
0.5%
CVE-2023-38951 CRITICAL Act Now

ZKTeco BioTime 8.5.5 through 9.x before 9.0.1 (20240617.19506) allows authenticated attackers to create or overwrite arbitrary files on the server via crafted requests to /base/sftpsetting/ endpoints. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal RCE Biotime
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
3.2%
CVE-2023-4136 MEDIUM POC PATCH This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CrafterCMS Engine on Windows, MacOS, Linux, x86, ARM, 64 bit allows Reflected XSS.0.0 through. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apple XSS Microsoft Craftercms
NVD
CVSS 3.1
6.1
EPSS
1.3%
CVE-2023-4119 MEDIUM POC This Month

A vulnerability has been found in Academy LMS 6.0 and classified as problematic. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Academy Lms
NVD VulDB Exploit-DB
CVSS 3.1
6.1
EPSS
2.0%
CVE-2023-4117 MEDIUM POC This Month

A vulnerability, which was classified as problematic, has been found in PHP Jabbers Rental Property Booking 2.0. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Rental Property Booking Calendar
NVD VulDB Exploit-DB
CVSS 3.1
6.1
EPSS
1.5%
CVE-2023-4116 MEDIUM POC This Month

A vulnerability classified as problematic was found in PHP Jabbers Taxi Booking 2.0. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Taxi Booking Script
NVD VulDB Exploit-DB
CVSS 3.1
6.1
EPSS
5.2%
CVE-2023-4115 MEDIUM POC This Month

A vulnerability classified as problematic has been found in PHP Jabbers Cleaning Business 1.0. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Cleaning Business Software
NVD VulDB Exploit-DB
CVSS 3.1
6.1
EPSS
5.2%
CVE-2023-4114 MEDIUM POC This Month

A vulnerability was found in PHP Jabbers Night Club Booking Software 1.0. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Night Club Booking Software
NVD VulDB Exploit-DB
CVSS 3.1
6.1
EPSS
5.1%
CVE-2023-4113 MEDIUM POC This Month

A vulnerability was found in PHP Jabbers Service Booking Script 1.0. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Service Booking Script
NVD VulDB Exploit-DB
CVSS 3.1
6.1
EPSS
5.2%
CVE-2023-4112 MEDIUM POC This Month

A vulnerability was found in PHP Jabbers Shuttle Booking Software 1.0. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Shuttle Booking Software
NVD VulDB Exploit-DB
CVSS 3.1
6.1
EPSS
5.2%
CVE-2023-4111 MEDIUM POC This Month

A vulnerability was found in PHP Jabbers Bus Reservation System 1.1 and classified as problematic. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Bus Reservation System
NVD VulDB
CVSS 3.1
6.1
EPSS
2.5%
CVE-2023-4110 MEDIUM POC This Month

A vulnerability has been found in PHP Jabbers Availability Booking Calendar 5.0 and classified as problematic. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Availability Booking Calendar
NVD VulDB
CVSS 3.1
6.1
EPSS
1.8%
CVE-2023-38954 CRITICAL Act Now

ZKTeco BioAccess IVS v3.3.1 was discovered to contain a SQL injection vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Bioaccess Ivs
NVD VulDB
CVSS 3.1
9.8
EPSS
0.5%
CVE-2023-4127 MEDIUM POC PATCH This Month

Race Condition within a Thread in GitHub repository answerdev/answer prior to v1.1.1. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Information Disclosure Answer
NVD GitHub
CVSS 3.1
5.9
EPSS
0.4%
CVE-2023-33666 CRITICAL PATCH Act Now

ai-dev aioptimizedcombinations before v0.1.3 was discovered to contain a SQL injection vulnerability via the component /includes/ajax.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

PHP SQLi Aioptimizedcombinations
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2023-4008 CRITICAL Act Now

An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.9 before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Gitlab
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2023-21409 CRITICAL Act Now

Due to insufficient file permissions, unprivileged users could gain access to unencrypted administrator credentials allowing the configuration of the application. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure License Plate Verifier
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2023-21408 CRITICAL Act Now

Due to insufficient file permissions, unprivileged users could gain access to unencrypted user credentials that are used in the integration interface towards 3rd party systems. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure License Plate Verifier
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2023-3346 CRITICAL Act Now

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in MITSUBSHI CNC Series allows a remote unauthenticated attacker to cause Denial of Service (DoS) condition and. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Denial Of Service C80 Firmware E70 Firmware +19
NVD
CVSS 3.1
9.8
EPSS
1.7%
CVE-2023-33371 CRITICAL Act Now

Control ID IDSecure 4.7.26.0 and prior uses a hardcoded cryptographic key in order to sign and verify JWT session tokens, allowing attackers to sign arbitrary session tokens and bypass authentication. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Control Id Idsecure
NVD
CVSS 3.1
9.8
EPSS
0.9%
CVE-2023-4145 MEDIUM POC PATCH This Month

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/customer-data-framework prior to 3.4.2. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Customer Management Framework
NVD GitHub
CVSS 3.1
5.4
EPSS
0.5%
CVE-2023-20214 CRITICAL Act Now

A vulnerability in the request authentication validation for the REST API of Cisco SD-WAN vManage software could allow an unauthenticated, remote attacker to gain read permissions or limited write. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Cisco Authentication Bypass Catalyst Sd Wan Manager Sd Wan Vmanage
NVD
CVSS 3.1
9.1
EPSS
1.0%
CVE-2023-37364 CRITICAL Act Now

In WS-Inc J WBEM Server 4.7.4 before 4.7.5, the CIM-XML protocol adapter does not disable entity resolution. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service XXE J Wbem
NVD
CVSS 3.1
9.1
EPSS
0.5%
CVE-2023-33369 CRITICAL Act Now

A path traversal vulnerability exists in Control ID IDSecure 4.7.26.0 and prior, allowing attackers to delete arbitrary files on IDSecure filesystem, causing a denial of service. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Denial Of Service Control Id Idsecure
NVD
CVSS 3.1
9.1
EPSS
0.7%
CVE-2023-37498 HIGH This Week

A user is capable of assigning him/herself to arbitrary groups by reusing a POST request issued by an administrator. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Unica
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2023-37497 HIGH This Week

The Unica application exposes an API which accepts arbitrary XML input. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE Unica
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2023-33366 HIGH This Week

A SQL injection vulnerability exists in Suprema BioStar 2 before 2.9.1, which allows authenticated users to inject arbitrary SQL directives into an SQL statement and execute arbitrary SQL commands. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Biostar 2
NVD
CVSS 3.1
8.8
EPSS
0.6%
CVE-2023-33364 HIGH This Week

An OS Command injection vulnerability exists in Suprema BioStar 2 before V2.9.1, which allows authenticated users to execute arbitrary OS commands on the BioStar 2 server. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection Biostar 2
NVD
CVSS 3.1
8.8
EPSS
1.5%
CVE-2023-3663 HIGH This Week

In CODESYS Development System versions from 3.5.11.20 and before 3.5.19.20 a missing integrity check might allow an unauthenticated remote attacker to manipulate the content of notifications received. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Development System
NVD
CVSS 3.1
8.8
EPSS
1.0%
Page 1 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy