CVE 清單 – 發現高風險與在野利用漏洞

聚合 NVD、CVE 及多源情資,深度解析 RCE 等高危風險。系統整合 CVSS 與 EPSS 模型,動態追蹤 Exploit 資源與 PoC 公開狀態,研判可利用性。結合官方修補與修復方案,優化漏洞管理優先級,縮短回應週期,保障資產安全。

指派機構(CNA / 來源):[email protected] 移除此篩選

顯示 6180395 筆結果
CVE 描述 最高 CVSS EPSS % 公開時間 更新時間
CVE-2023-0357 Helpy version 2.8.0 allows an unauthenticated remote attacker to exploit an XSS stored in the application. This is possible because the application does not correctly validate the attachments sent by customers in the ticket. 6.1 0.69% 2023-04-04 2026-06-17
CVE-2023-0480 VitalPBX version 3.2.3-8 allows an unauthenticated external attacker to obtain the instance administrator's account. This is possible because the application is vulnerable to CSRF. 8.8 0.35% 2023-04-04 2026-06-17
CVE-2023-0486 VitalPBX version 3.2.3-8 allows an unauthenticated external attacker to obtain the instance's administrator account via a malicious link. This is possible because the application is vulnerable to XSS. 6.1 0.36% 2023-04-04 2026-06-17
CVE-2023-0738 OrangeScrum version 2.0.11 allows an external attacker to obtain arbitrary user accounts from the application. This is possible because the application returns malicious user input in the response with the content-type set to text/html. 6.1 0.49% 2023-04-04 2026-06-17
CVE-2023-0835 markdown-pdf version 11.0.0 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate the Markdown content entered by the user. 8.2 0.60% 2023-04-04 2026-06-17
CVE-2023-0670 Ulearn version a5a7ca20de859051ea0470542844980a66dfc05d allows an attacker with administrator permissions to obtain remote code execution on the server through the image upload functionality. This occurs because the application does not validate that the uploaded image is actually an image. 7.2 1.02% 2023-04-05 2026-06-17
CVE-2023-0842 xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the __proto__ property to be edited. 5.3 1.39% 2023-04-05 2026-06-17
CVE-2023-0944 Bhima version 1.27.0 allows an authenticated attacker with regular user permissions to update arbitrary user session data such as username, email and password. This is possible because the application is vulnerable to IDOR, it does not correctly validate user permissions with respect to certain actions that can be performed by the user. 4.3 0.48% 2023-04-05 2026-06-17
CVE-2023-0959 Bhima version 1.27.0 allows a remote attacker to update the privileges of any account registered in the application via a malicious link sent to an administrator. This is possible because the application is vulnerable to CSRF. 6.5 0.75% 2023-04-05 2026-06-17
CVE-2023-0967 Bhima version 1.27.0 allows an attacker authenticated with normal user permissions to view sensitive data of other application users and data that should only be viewed by the administrator. This is possible because the application is vulnerable to IDOR, it does not properly validate user permissions with respect to certain actions the user can perform. 6.5 0.67% 2023-04-05 2026-06-17
CVE-2023-1031 MonicaHQ version 4.0.0 allows an authenticated remote attacker to execute malicious code in the application via CSTI in the `settings` endpoint and first_name parameter. 8.8 1.42% 2023-05-08 2026-06-17
CVE-2023-1094 MonicaHQ version 4.0.0 allows an authenticated remote attacker to execute malicious code in the application via CSTI in the `people:id/food` endpoint and food parameter. 8.8 1.17% 2023-05-08 2026-06-17
CVE-2023-30787 MonicaHQ version 4.0.0 allows an authenticated remote attacker to execute malicious code in the application via CSTI in the `people:id/introductions` endpoint and first_met_additional_info parameter. 5.4 0.64% 2023-05-08 2026-06-17
CVE-2023-30788 MonicaHQ version 4.0.0 allows an authenticated remote attacker to execute malicious code in the application via CSTI in the `people/add` endpoint and nickName, description, lastName, middleName and firstName parameter. 5.4 0.64% 2023-05-08 2026-06-17
CVE-2023-30789 MonicaHQ version 4.0.0 allows an authenticated remote attacker to execute malicious code in the application via CSTI in the `people:id/work` endpoint and job and company parameter. 5.4 0.67% 2023-05-08 2026-06-17
CVE-2023-30790 MonicaHQ version 4.0.0 allows an authenticated remote attacker to execute malicious code in the application via CSTI in the `people:id/relationships` endpoint and first_name and last_name parameter. 5.4 0.64% 2023-05-08 2026-06-17
CVE-2023-2533 KEV A Cross-Site Request Forgery (CSRF) vulnerability has been identified in PaperCut NG/MF, which, under specific conditions, could potentially enable an attacker to alter security settings or execute arbitrary code. This could be exploited if the target is an admin with a current login session. Exploiting this would typically involve the possibility of deceiving an admin into clicking a specially crafted malicious link, potentially leading to unauthorized changes. 8.4 29.25% 2023-06-20 2026-06-17
CVE-2023-1783 OrangeScrum version 2.0.11 allows an external attacker to remotely obtain AWS instance credentials. This is possible because the application does not properly validate the HTML content to be converted to PDF. 6.5 0.58% 2023-06-23 2026-06-17
CVE-2023-1721 Yoga Class Registration System version 1.0 allows an administrator to execute commands on the server. This is possible because the application does not correctly validate the thumbnails of the classes uploaded by the administrators. 9.1 0.99% 2023-06-23 2026-06-17
CVE-2023-1724 Faveo Helpdesk Enterprise version 6.0.1 allows an attacker with agent permissions to perform privilege escalation on the application. This occurs because the application is vulnerable to stored XSS. 7.3 0.47% 2023-06-23 2026-06-17
cvelogic Threat Intelligence