CVSS: 5.7EPSS: 0%CPEs: 6EXPL: 0CVE-2023-1178
https://notcve.org/view.php?id=CVE-2023-1178
An issue has been discovered in GitLab CE/EE affecting all versions from 8.6 before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. File integrity may be compromised when source code or installation packages are pulled from a tag or from a release containing a ref to another commit. • https://gitlab.com/gitlab-org/cves/-/blob/master/2023/CVE-2023-1178.json https://gitlab.com/gitlab-org/gitlab/-/issues/381815 https://hackerone.com/reports/1778009 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-26782
https://notcve.org/view.php?id=CVE-2023-26782
An issue discovered in mccms 2.6.1 allows remote attackers to cause a denial of service via Backend management interface ->System Configuration->Cache Configuration->Cache security characters. • https://github.com/chshcms/mccms/issues/2 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 2CVE-2023-30626 – Jellyfin vulnerable to directory traversal and file write causing arbitrary code execution
https://notcve.org/view.php?id=CVE-2023-30626
When combined with a cross-site scripting vulnerability (CVE-2023-30627), this can result in file write and arbitrary code execution. • https://github.com/jellyfin/jellyfin-web/security/advisories/GHSA-89hp-h43h-r5pq https://github.com/jellyfin/jellyfin/blob/22d880662283980dec994cd7d35fe269613bfce3/Jellyfin.Api/Controllers/ClientLogController.cs#L44 https://github.com/jellyfin/jellyfin/commit/82ad2633fdfb1c37a158057c7935f83e1129eda7 https://github.com/jellyfin/jellyfin/pull/5918 https://github.com/jellyfin/jellyfin/releases/tag/v10.8.10 https://github.com/jellyfin/jellyfin/security/advisories/GHSA-9p5f-5x8v-x65m • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-26060
https://notcve.org/view.php?id=CVE-2023-26060
An issue was discovered in Nokia NetAct before 22 FP2211. On the Working Set Manager page, users can create a Working Set with a name that has a client-side template injection payload. Input validation is missing during creation of the working set. For an external attacker, it is very difficult to exploit this, because a few dynamically created parameters such as Jsession-id, a CSRF token, and an Nxsrf token would be needed. The attack can realistically only be performed by an internal user. • https://nokia.com https://www.ptsecurity.com/ww-en/analytics/threatscape/pt-2022-04 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 1CVE-2023-2259 – Improper Neutralization of Special Elements Used in a Template Engine in alfio-event/alf.io
https://notcve.org/view.php?id=CVE-2023-2259
Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository alfio-event/alf.io prior to 2.0-M4-2304. • https://github.com/alfio-event/alf.io/commit/94e2923a317452e337393789c9f3192dfc1ddac2 https://huntr.dev/bounties/e753bce0-ce82-463b-b344-2f67b39b60ff • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine •