unSafe.sh - Unsafe
Live-Hack-CVE/CVE-2023-23936
Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect the `host` HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the `headers.host` string before passing it to undici. CVE project by @Sn0wAlice
Create: 2023-02-17 03:30:33 +0000 UTC Push: 2023-02-17 03:30:35 +0000 UTC
Live-Hack-CVE/CVE-2023-24807
Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the `Headers.set()` and `Headers.append()` methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values. CVE project by @Sn0wAlice
Create: 2023-02-17 03:30:29 +0000 UTC Push: 2023-02-17 03:30:31 +0000 UTC
Live-Hack-CVE/CVE-2023-24485
Vulnerabilities have been identified that, collectively, allow a standard Windows user to perform operations as SYSTEM on the computer running Citrix Workspace app. CVE project by @Sn0wAlice
Create: 2023-02-17 03:30:25 +0000 UTC Push: 2023-02-17 03:30:27 +0000 UTC
Live-Hack-CVE/CVE-2023-24484
A malicious user can cause log files to be written to a directory that they do not have permission to write to. CVE project by @Sn0wAlice
Create: 2023-02-17 03:30:21 +0000 UTC Push: 2023-02-17 03:30:24 +0000 UTC
Live-Hack-CVE/CVE-2023-23947
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. All Argo CD versions starting with 2.3.0-rc1 and prior to 2.3.17, 2.4.23, 2.5.11, and 2.6.2 are vulnerable to an improper authorization bug which allows users who have the ability to update at least one cluster secret to update any cluster secret. CVE project by @Sn0wAlice
Create: 2023-02-17 03:30:18 +0000 UTC Push: 2023-02-17 03:30:20 +0000 UTC
Live-Hack-CVE/CVE-2023-24690
ChurchCRM 4.5.3 and below was discovered to contain a stored cross-site scripting (XSS) vulnerability at /api/public/register/family. CVE project by @Sn0wAlice
Create: 2023-02-17 03:30:08 +0000 UTC Push: 2023-02-17 03:30:10 +0000 UTC
Live-Hack-CVE/CVE-2023-24236
TOTOlink A7100RU (V7.4cu.2313_B20191024) was discovered to contain a command injection vulnerability via the province parameter at setting/delStaticDhcpRules. CVE project by @Sn0wAlice
Create: 2023-02-17 01:16:44 +0000 UTC Push: 2023-02-17 01:16:47 +0000 UTC
Live-Hack-CVE/CVE-2023-22579
Due to improper parameter filtering in the Sequelize JS library, an attacker can perform injection. CVE project by @Sn0wAlice
Create: 2023-02-17 01:16:41 +0000 UTC Push: 2023-02-17 01:16:43 +0000 UTC
Live-Hack-CVE/CVE-2023-22578
Due to improper attribute filtering in the Sequelize JS library, an attacker can perform SQL injections. CVE project by @Sn0wAlice
Create: 2023-02-17 01:16:37 +0000 UTC Push: 2023-02-17 01:16:40 +0000 UTC
Live-Hack-CVE/CVE-2022-3843
In WAGO Unmanaged Switch (852-111/000-001) in firmware version 01, an undocumented configuration interface without authorization allows a remote attacker to read system information and configure a limited set of parameters. CVE project by @Sn0wAlice
Create: 2023-02-17 01:16:33 +0000 UTC Push: 2023-02-17 01:16:36 +0000 UTC
Live-Hack-CVE/CVE-2023-25173
containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and 1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary CVE project by @Sn0wAlice
Create: 2023-02-17 01:16:29 +0000 UTC Push: 2023-02-17 01:16:32 +0000 UTC
Live-Hack-CVE/CVE-2023-25153
containerd is an open source container runtime. Before versions 1.6.18 and 1.5.18, when importing an OCI image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with a large file where a limit was not applied could cause a denial of service. This bug has been fixed in contai CVE project by @Sn0wAlice
Create: 2023-02-17 01:16:26 +0000 UTC Push: 2023-02-17 01:16:28 +0000 UTC
Live-Hack-CVE/CVE-2023-24238
TOTOlink A7100RU (V7.4cu.2313_B20191024) was discovered to contain a command injection vulnerability via the city parameter at setting/delStaticDhcpRules. CVE project by @Sn0wAlice
Create: 2023-02-17 01:16:22 +0000 UTC Push: 2023-02-17 01:16:24 +0000 UTC
Live-Hack-CVE/CVE-2023-22580
Due to improper input filtering in the Sequelize JS library, malicious queries can lead to sensitive information disclosure. CVE project by @Sn0wAlice
Create: 2023-02-17 01:16:18 +0000 UTC Push: 2023-02-17 01:16:21 +0000 UTC
Live-Hack-CVE/CVE-2023-22735
Zulip is an open-source team collaboration tool. In versions of Zulip prior to commit `2f6c5a8` but after commit `04cf68b`, users could upload files with an arbitrary `Content-Type`, which would be served from the Zulip hostname with `Content-Disposition: inline` and no `Content-Security-Policy` header, allowing them to tri CVE project by @Sn0wAlice
Create: 2023-02-17 01:16:15 +0000 UTC Push: 2023-02-17 01:16:17 +0000 UTC
Live-Hack-CVE/CVE-2023-24814
TYPO3 is a free and open source Content Management Framework released under the GNU General Public License. In affected versions the TYPO3 core component `GeneralUtility::getIndpEnv()` uses the unfiltered server environment variable `PATH_INFO`, which allows attackers to inject malicious content. In combination with th CVE project by @Sn0wAlice
Create: 2023-02-17 01:16:10 +0000 UTC Push: 2023-02-17 01:16:12 +0000 UTC
Live-Hack-CVE/CVE-2023-23926
APOC (Awesome Procedures on Cypher) is an add-on library for Neo4j. An XML External Entity (XXE) vulnerability was found in the apoc.import.graphml procedure of the APOC core plugin prior to version 5.5.0 in the Neo4j graph database. XML External Entity (XXE) injection occurs when the XML parser allows external entities to be reso CVE project by @Sn0wAlice
Create: 2023-02-17 01:16:06 +0000 UTC Push: 2023-02-17 01:16:09 +0000 UTC
Live-Hack-CVE/CVE-2023-23558
In Eternal Terminal 6.2.1, TelemetryService uses fixed paths in /tmp. For example, a local attacker can create /tmp/.sentry-native-etserver with mode 0777 before the etserver process is started. The attacker can choose to read sensitive information from that file, or modify the information in that file. CVE project by @Sn0wAlice
Create: 2023-02-17 01:16:02 +0000 UTC Push: 2023-02-17 01:16:05 +0000 UTC
Live-Hack-CVE/CVE-2022-48308
It was discovered that sls-logging was not verifying hostnames in TLS certificates due to a misuse of the javax.net.ssl.SSLSocketFactory API. A malicious attacker in a privileged network position could abuse this to perform a man-in-the-middle attack. A successful man-in-the-middle attack would allow them to interc CVE project by @Sn0wAlice
Create: 2023-02-17 01:15:59 +0000 UTC Push: 2023-02-17 01:16:01 +0000 UTC
Live-Hack-CVE/CVE-2022-48307
It was discovered that Magritte-ftp was not verifying hostnames in TLS certificates due to a misuse of the javax.net.ssl.SSLSocketFactory API. A malicious attacker in a privileged network position could abuse this to perform a man-in-the-middle attack. A successful man-in-the-middle attack would allow them to inter CVE project by @Sn0wAlice
Create: 2023-02-17 01:15:55 +0000 UTC Push: 2023-02-17 01:15:57 +0000 UTC