CVE-2023-5004
Hospital management system version 378c157 allows authentication bypass.
This is possible because the application is vulnerable to SQL injection (SQLi).
Source: CVE-2023-5004
CVE-2023-44173
Online Movie Ticket Booking System v1.0 contains
an authenticated reflected cross-site scripting (XSS) vulnerability.
Source: CVE-2023-44173
CVE-2023-5185
Gym Management System Project v1.0 contains
an insecure file upload vulnerability in the ‘file’
parameter of the profile/i.php page, allowing an
authenticated attacker to obtain remote code execution
on the server hosting the application.
Source: CVE-2023-5185
CVE-2023-41911
Samsung Mobile Processor Exynos 2200 allows a GPU Double Free (issue 1 of 2).
Source: CVE-2023-41911
CVE-2023-43323
mooSocial 3.1.8 is vulnerable to external service interaction in the post function. When triggered, the server sends an HTTP and a DNS request to an external server. The affected parameters are messageText, data[wall_photo], data[userShareVideo] and data[userShareLink].
Source: CVE-2023-43323
CVE-2023-43226
An arbitrary file upload vulnerability in dede/baidunews.php in DedeCMS 5.7.111 and earlier allows attackers to execute arbitrary code via uploading a crafted PHP file.
Source: CVE-2023-43226
CVE-2023-5256
In certain scenarios, Drupal’s JSON:API module will output error backtraces. With some configurations, this may cause sensitive information to be cached and made available to anonymous users, leading to privilege escalation.
This vulnerability only affects sites with the JSON:API module enabled, and can be mitigated by uninstalling JSON:API.
The core REST and contributed GraphQL modules are not affected.
Source: CVE-2023-5256
CVE-2023-43664
PrestaShop is an Open Source e-commerce web application. In the PrestaShop Back office interface, an employee can list all modules without any access rights: the method `ajaxProcessGetPossibleHookingListForModule` doesn’t check access rights. This issue has been addressed in commit `15bd281c`, which is included in version 8.1.2. Users are advised to upgrade. There are no known workarounds for this issue.
Source: CVE-2023-43664
CVE-2023-43657
discourse-encrypt is a plugin that provides a secure communication channel through Discourse. Improper escaping of encrypted topic titles could lead to a cross site scripting (XSS) issue when a site has content security policy (CSP) headers disabled. Having CSP disabled is a non-default configuration, and having it disabled with discourse-encrypt installed will result in a warning in the Discourse admin dashboard. This has been fixed in commit `9c75810af9` which is included in the latest version of the discourse-encrypt plugin. Users are advised to upgrade. Users unable to upgrade should ensure that CSP headers are enabled and properly configured.
Source: CVE-2023-43657
CVE-2023-43663
PrestaShop is an Open Source e-commerce web application. In affected versions any module can be disabled or uninstalled from the back office, even with low user rights. This allows low privileged users to disable portions of a shop’s functionality. Commit `ce1f6708` addresses this issue and is included in version 8.1.2. Users are advised to upgrade. There are no known workarounds for this issue.
Source: CVE-2023-43663