Oracle-Security/CVEs

Releases0

Stars4

A repository of exploits that I have discovered. These are disclosed responsibly and vendors have been contacted. In any instance where it works against the live version, the vendor has not responded to my emails.

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2023-51067 ↗	Jan 13, 2024Saturday, 13 January 2024, 04:15	6.1 MEDIUM	—
An unauthenticated reflected cross-site scripting (XSS) vulnerability in QStar Archive Solutions Release RELEASE_3-0 Build 7 allows attackers to execute arbitrary javascript on a victim's browser via a crafted link.
CVE-2023-51071 ↗	Jan 13, 2024Saturday, 13 January 2024, 04:15	6.5 MEDIUM	—
An access control issue in QStar Archive Solutions Release RELEASE_3-0 Build 7 Patch 0 allows unauthenticated attackers to arbitrarily disable the SMB service on a victim's Qstar instance by executing a specific command in a link.
CVE-2023-51070 ↗	Jan 13, 2024Saturday, 13 January 2024, 04:15	7.5 HIGH	—
An access control issue in QStar Archive Solutions Release RELEASE_3-0 Build 7 Patch 0 allows unauthenticated attackers to arbitrarily adjust sensitive SMB settings on the QStar Server.
CVE-2023-51068 ↗	Jan 13, 2024Saturday, 13 January 2024, 04:15	5.4 MEDIUM	—
An authenticated reflected cross-site scripting (XSS) vulnerability in QStar Archive Solutions Release RELEASE_3-0 Build 7 allows attackers to execute arbitrary javascript on a victim's browser via a crafted link.
CVE-2023-51066 ↗	Jan 13, 2024Saturday, 13 January 2024, 04:15	8.8 HIGH	—
An authenticated remote code execution vulnerability in QStar Archive Solutions Release RELEASE_3-0 Build 7 Patch 0 allows attackers to arbitrarily execute commands.
CVE-2023-51062 ↗	Jan 13, 2024Saturday, 13 January 2024, 04:15	5.3 MEDIUM	—
An unauthenticated log file read in the component log-smblog-save of QStar Archive Solutions RELEASE_3-0 Build 7 Patch 0 allows attackers to disclose the SMB Log contents via executing a crafted command.
CVE-2023-51063 ↗	Jan 13, 2024Saturday, 13 January 2024, 04:15	8.8 HIGH	—
QStar Archive Solutions Release RELEASE_3-0 Build 7 Patch 0 was discovered to contain a DOM Based Reflected Cross Site Scripting (XSS) vulnerability within the component qnme-ajax?method=tree_level.
CVE-2023-51064 ↗	Jan 13, 2024Saturday, 13 January 2024, 04:15	6.1 MEDIUM	—
QStar Archive Solutions Release RELEASE_3-0 Build 7 Patch 0 was discovered to contain a DOM Based reflected XSS vulnerability within the component qnme-ajax?method=tree_table.
CVE-2023-51065 ↗	Jan 13, 2024Saturday, 13 January 2024, 04:15	7.5 HIGH	—
Incorrect access control in QStar Archive Solutions Release RELEASE_3-0 Build 7 Patch 0 allows unauthenticated attackers to obtain system backups and other sensitive information from the QStar Server.
CVE-2023-38827 ↗	Jan 9, 2024Tuesday, 9 January 2024, 22:15	6.1 MEDIUM	—
Cross Site Scripting vulnerability in Follet School Solutions Destiny v.20_0_1_AU4 and later allows a remote attacker to run arbitrary code via presentonesearchresultsform.do.
CVE-2023-45893 ↗	Jan 2, 2024Tuesday, 2 January 2024, 21:15	7.5 HIGH	—
An indirect Object Reference (IDOR) in the Order and Invoice pages in Floorsight Customer Portal Q3 2023 allows an unauthenticated remote attacker to view sensitive customer information.
CVE-2023-45892 ↗	Jan 2, 2024Tuesday, 2 January 2024, 21:15	7.5 HIGH	—
An issue discovered in the Order and Invoice pages in Floorsight Insights Q3 2023 allows an unauthenticated remote attacker to view sensitive customer information.
CVE-2023-38826 ↗	Dec 25, 2023Monday, 25 December 2023, 08:15	6.1 MEDIUM	—
A Cross Site Scripting (XSS) vulnerability exists in Follet Learning Solutions Destiny through 20.0_1U. via the handlewpesearchform.do. searchString.
CVE-2023-45894 ↗	Dec 14, 2023Thursday, 14 December 2023, 20:15	10 CRITICAL	—
The Remote Application Server in Parallels RAS before 19.2.23975 does not segment virtualized applications from the server, which allows a remote attacker to achieve remote code execution via standard kiosk breakout techniques.