CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-5192 – Excessive Data Query Operations in a Large Data Table in pimcore/demo
https://notcve.org/view.php?id=CVE-2023-5192
Excessive Data Query Operations in a Large Data Table in GitHub repository pimcore/demo prior to 10.3.0. Operaciones excesivas de consulta de datos en una tabla de datos grande en el repositorio de GitHub pimcore/demo antes de 10.3.0. • https://github.com/pimcore/demo/commit/a2a7ff3b565882aefb759804aac4a51afb458f1f https://huntr.dev/bounties/65c954f2-79c3-4672-8846-a3035e7a1db7 • CWE-1049: Excessive Data Query Operations in a Large Data Table •
CVSS: 7.7EPSS: 0%CPEs: 3EXPL: 0CVE-2023-25575 – Secured properties in API Platform Core may be accessible within collections
https://notcve.org/view.php?id=CVE-2023-25575
API Platform Core is the server component of API Platform: hypermedia and GraphQL APIs. Resource properties secured with the `security` option of the `ApiPlatform\Metadata\ApiProperty` attribute can be disclosed to unauthorized users. The problem affects most serialization formats, including raw JSON, which is enabled by default when installing API Platform. Custom serialization formats may also be impacted. Only collection endpoints are affected by the issue, item endpoints are not. • https://github.com/api-platform/core/commit/5723d68369722feefeb11e42528d9580db5dd0fb https://github.com/api-platform/core/security/advisories/GHSA-vr2x-7687-h6qv • CWE-842: Placement of User into Incorrect Group CWE-863: Incorrect Authorization •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 1CVE-2022-29777
https://notcve.org/view.php?id=CVE-2022-29777
Onlyoffice Document Server v6.0.0 and below and Core 6.1.0.26 and below were discovered to contain a heap overflow via the component DesktopEditor/fontengine/fontconverter/FontFileBase.h. Se ha detectado que Onlyoffice Document Server versiones v6.0.0 y anteriores y Core versiones 6.1.0.26 y anteriores, contienen un desbordamiento de pila por medio del componente DesktopEditor/fontengine/fontconverter/FontFileBase.h • https://github.com/ONLYOFFICE/DocumentServer/blob/master/CHANGELOG.md#601 https://github.com/ONLYOFFICE/core/commit/b17d5e860f30e8be2caeb0022b63be4c76660178 https://github.com/moehw/poc_exploits/tree/master/CVE-2022-29777 • CWE-787: Out-of-bounds Write •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 1CVE-2022-29776
https://notcve.org/view.php?id=CVE-2022-29776
Onlyoffice Document Server v6.0.0 and below and Core 6.1.0.26 and below were discovered to contain a stack overflow via the component DesktopEditor/common/File.cpp. Se ha detectado que Onlyoffice Document Server versiones v6.0.0 y anteriores y Core versiones 6.1.0.26 y anteriores, contenían un desbordamiento de pila por medio del componente DesktopEditor/common/File.cpp • https://github.com/ONLYOFFICE/DocumentServer/blob/master/CHANGELOG.md#601 https://github.com/ONLYOFFICE/core/commit/88cf60a3ed4a2b40d71a1c2ced72fa3902a30967 https://github.com/moehw/poc_exploits/tree/master/CVE-2022-29776 • CWE-787: Out-of-bounds Write •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-15235 – Sensitive data exposure in RACTF
https://notcve.org/view.php?id=CVE-2020-15235
In RACTF before commit f3dc89b, unauthenticated users are able to get the value of sensitive config keys that would normally be hidden to everyone except admins. All versions after commit f3dc89b9f6ab1544a289b3efc06699b13d63e0bd(3/10/20) are patched. En RACTF versiones anteriores al commit f3dc89b, los usuarios no autenticados pueden ser capaces de obtener el valor de las claves de configuración confidenciales que normalmente estarían ocultas para todos excepto para los administradores. Todas las versiones posteriores a la confirmación f3dc89b9f6ab1544a289b3efc06699b13d63e0bd (10/3/20) están parcheadas • https://github.com/ractf/core/commit/f3dc89b9f6ab1544a289b3efc06699b13d63e0bd https://github.com/ractf/core/security/advisories/GHSA-ph67-c355-52vm • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •