CVSS: 8.1EPSS: 0%CPEs: 2EXPL: 0CVE-2023-21886 – Oracle VirtualBox Teleporter Improper Error Handling Authentication Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2023-21886
17 Jan 2023 — Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are Prior to 6.1.42 and prior to 7.0.6. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). • https://security.gentoo.org/glsa/202310-07 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 10.0EPSS: 0%CPEs: 10EXPL: 1CVE-2022-41903 – Integer overflow in `git archive`, `git log --format` leading to RCE in git
https://notcve.org/view.php?id=CVE-2022-41903
17 Jan 2023 — This integer overflow can result in arbitrary heap writes, which may result in arbitrary code execution. ... This integer overflow can result in arbitrary heap writes, which may allow arbitrary code execution. • https://github.com/sondermc/git-cveissues • CWE-190: Integer Overflow or Wraparound •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2023-22731 – Improper Control of Generation of Code in Twig rendered views in shopware
https://notcve.org/view.php?id=CVE-2023-22731
17 Jan 2023 — Shopware is an open source commerce platform based on Symfony Framework and Vue js. In a Twig environment **without the Sandbox extension**, it is possible to refer to PHP functions in twig filters like `map`, `filter`, `sort`. This allows a template to call any global PHP function and thus execute arbitrary code. The attacker must have access to a Twig environment in order to exploit this vulnerability. This problem has been fixed with 6.4.18.1 with an override of the specified filters until the integratio... • https://docs.shopware.com/en/shopware-6-en/security-updates/security-update-01-2023?category=security-updates • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.0EPSS: 0%CPEs: 3EXPL: 0CVE-2022-47318 – ruby-git: code injection vulnerability
https://notcve.org/view.php?id=CVE-2022-47318
17 Jan 2023 — A code injection flaw was found in the ruby-git package. • https://github.com/ruby-git/ruby-git • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0CVE-2022-46648 – ruby-git: code injection vulnerability
https://notcve.org/view.php?id=CVE-2022-46648
17 Jan 2023 — A flaw was found in the ruby-git package, which allows a remote authenticated attacker to execute arbitrary code on the system, caused by a code injection flaw. • https://github.com/ruby-git/ruby-git • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 0CVE-2023-22357
https://notcve.org/view.php?id=CVE-2023-22357
17 Jan 2023 — A remote unauthenticated attacker may read/write in arbitrary area of the device memory, which may lead to overwriting the firmware, causing a denial-of-service (DoS) condition, and/or arbitrary code execution. • https://jvn.jp/en/vu/JVNVU97575890/index.html •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2023-22366
https://notcve.org/view.php?id=CVE-2023-22366
17 Jan 2023 — Having a user to open a specially crafted project file may lead to information disclosure and/or arbitrary code execution. • https://jvn.jp/en/vu/JVNVU91744508/index.html • CWE-824: Access of Uninitialized Pointer •
CVSS: 10.0EPSS: 95%CPEs: 1EXPL: 11CVE-2023-0297 – Code Injection in pyload/pyload
https://notcve.org/view.php?id=CVE-2023-0297
14 Jan 2023 — Code Injection in GitHub repository pyload/pyload prior to 0.5.0b3.dev31. pyLoad versions prior to 0.5.0b3.dev31 are vulnerable to Python code injection due to the pyimport functionality exposed through the js2py library. • https://packetstorm.news/files/id/172914 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.1EPSS: 0%CPEs: 2EXPL: 1CVE-2023-22491 – gatsby-transformer-remark vulnerable to unsanitized JavaScript code injection
https://notcve.org/view.php?id=CVE-2023-22491
13 Jan 2023 — Gatsby is a free and open source framework based on React that helps developers build websites and apps. The gatsby-transformer-remark plugin prior to versions 5.25.1 and 6.3.2 passes input through to the `gray-matter` npm package, which is vulnerable to JavaScript injection in its default configuration, unless input is sanitized. The vulnerability is present in gatsby-transformer-remark when passing input in data mode (querying MarkdownRemark nodes via GraphQL). Injected JavaScript executes in the context ... • https://github.com/gatsbyjs/gatsby/security/advisories/GHSA-7ch4-rr99-cqcw • CWE-20: Improper Input Validation CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2023-21589 – Adobe InDesign Font Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2023-21589
13 Jan 2023 — Adobe InDesign version 18.0 (and earlier), 17.4 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. • https://helpx.adobe.com/security/products/indesign/apsb23-07.html • CWE-787: Out-of-bounds Write •