CVE List - High-Risk, Confirmed-Exploited Vulnerabilities

This list aggregates NVD, CVE and several other threat feeds so that high-risk events such as RCE can be tracked in depth. It combines CVSS with EPSS and tracks ease of exploitation from the presence of Exploit references and PoCs. Together with the context of vendor fixes and mitigations, it supports prioritization, helping protect critical assets while keeping the response cycle short.

Assigner (CNA/issuer): [email protected]

| CVE | Description | CVSS (max) | EPSS (%) | Published | Updated |
|---|---|---|---|---|---|
| CVE-2022-43983 | Browsershot version 3.57.2 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate that the HTML content passed to the Browsershot::html method does not contain URLs that use the file:// protocol. | 8.2 | 0.64% | 2022-11-25 | 2026-06-17 |
| CVE-2022-43984 | Browsershot version 3.57.3 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate that the JS content imported from an external source passed to the Browsershot::html method does not contain URLs that use the file:// protocol. | 8.2 | 0.61% | 2022-11-25 | 2026-06-17 |
| CVE-2022-45475 | Tiny File Manager version 2.4.8 allows an unauthenticated remote attacker to access the application's internal files. This is possible because the application is vulnerable to broken access control. | 6.5 | 0.85% | 2022-11-25 | 2026-06-17 |
| CVE-2022-45476 | Tiny File Manager version 2.4.8 executes the code of files uploaded by users of the application, instead of just returning them for download. This is possible because the application is vulnerable to insecure file upload. | 9.8 | 0.95% | 2022-11-25 | 2026-06-17 |
| CVE-2022-4235 | RushBet version 2022.23.1-b490616d allows a remote attacker to steal customer accounts via use of a malicious application. This is possible because the application exposes an activity and does not properly validate the data it receives. | 5.4 | 0.57% | 2023-01-18 | 2026-06-17 |
| CVE-2023-0164 | OrangeScrum version 2.0.11 allows an authenticated external attacker to execute arbitrary commands on the server. This is possible because the application injects an attacker-controlled parameter into a system function. | 8.8 | 1.38% | 2023-01-18 | 2026-06-17 |
| CVE-2023-0265 | Uvdesk version 1.1.1 allows an authenticated remote attacker to execute commands on the server. This is possible because the application does not properly validate profile pictures uploaded by customers. | 8.8 | 1.60% | 2023-04-04 | 2026-06-17 |
| CVE-2023-0325 | Uvdesk version 1.1.1 allows an unauthenticated remote attacker to exploit a stored XSS in the application. This is possible because the application does not correctly validate the message sent by the clients in the ticket. | 6.1 | 0.69% | 2023-04-04 | 2026-06-17 |
| CVE-2023-0357 | Helpy version 2.8.0 allows an unauthenticated remote attacker to exploit a stored XSS in the application. This is possible because the application does not correctly validate the attachments sent by customers in the ticket. | 6.1 | 0.69% | 2023-04-04 | 2026-06-17 |
| CVE-2023-0454 | OrangeScrum version 2.0.11 allows an authenticated external attacker to delete arbitrary local files from the server. This is possible because the application uses an unsanitized attacker-controlled parameter to construct an internal path. | 8.1 | 0.99% | 2023-01-31 | 2026-06-17 |
| CVE-2023-0480 | VitalPBX version 3.2.3-8 allows an unauthenticated external attacker to obtain the instance administrator's account. This is possible because the application is vulnerable to CSRF. | 8.8 | 0.35% | 2023-04-04 | 2026-06-17 |
| CVE-2023-0486 | VitalPBX version 3.2.3-8 allows an unauthenticated external attacker to obtain the instance's administrator account via a malicious link. This is possible because the application is vulnerable to XSS. | 6.1 | 0.36% | 2023-04-04 | 2026-06-17 |
| CVE-2023-0624 | OrangeScrum version 2.0.11 allows an external attacker to obtain arbitrary user accounts from the application. This is possible because the application returns malicious user input in the response with the content-type set to text/html. | 6.1 | 0.49% | 2023-02-09 | 2026-06-17 |
| CVE-2023-0670 | Ulearn version a5a7ca20de859051ea0470542844980a66dfc05d allows an attacker with administrator permissions to obtain remote code execution on the server through the image upload functionality. This occurs because the application does not validate that the uploaded image is actually an image. | 7.2 | 1.02% | 2023-04-05 | 2026-06-17 |
| CVE-2023-0738 | OrangeScrum version 2.0.11 allows an external attacker to obtain arbitrary user accounts from the application. This is possible because the application returns malicious user input in the response with the content-type set to text/html. | 6.1 | 0.49% | 2023-04-04 | 2026-06-17 |
| CVE-2023-0835 | markdown-pdf version 11.0.0 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate the Markdown content entered by the user. | 8.2 | 0.60% | 2023-04-04 | 2026-06-17 |
| CVE-2023-0842 | xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the __proto__ property to be edited. | 5.3 | 1.39% | 2023-04-05 | 2026-06-17 |
| CVE-2023-0944 | Bhima version 1.27.0 allows an authenticated attacker with regular user permissions to update arbitrary user session data such as username, email and password. This is possible because the application is vulnerable to IDOR: it does not correctly validate user permissions with respect to certain actions that can be performed by the user. | 4.3 | 0.48% | 2023-04-05 | 2026-06-17 |
| CVE-2023-0959 | Bhima version 1.27.0 allows a remote attacker to update the privileges of any account registered in the application via a malicious link sent to an administrator. This is possible because the application is vulnerable to CSRF. | 6.5 | 0.75% | 2023-04-05 | 2026-06-17 |
| CVE-2023-0967 | Bhima version 1.27.0 allows an attacker authenticated with normal user permissions to view sensitive data of other application users and data that should only be viewed by the administrator. This is possible because the application is vulnerable to IDOR: it does not properly validate user permissions with respect to certain actions the user can perform. | 6.5 | 0.67% | 2023-04-05 | 2026-06-17 |
cvelogic Threat Intelligence