(CVE-2023-1718) Bitrix24 Denial-of-Service (DoS) via Improper File Stream Access

Summary: Product: Bitrix24 · Vendor: Bitrix24 · Severity: High · Affected Versions: Bitrix24 22.0.300 (latest version as of writing) · Tested Versions: Bitrix24 22.0.300 (latest version as of writing) · CVE Identifier: CVE-2023-1718 · CVE Description: Improper file stream access in /desktop_app/file.ajax.php?action=uploadfile in Bitrix24 22.0.300 allows unauthenticated remote attackers to cause denial-of-service via a crafted “tmp_url”. · CWE Classification(s): CWE-835 Loop with Unreachable Exit Condition (‘Infinite Loop’) · CAPEC Classification(s): CAPEC-545 Pull Data from System Resources · CVSS3....

November 1, 2023 · 5 min · Lam Jun Rong & Li Jiantao (@CurseRed)

(CVE-2023-1719) Bitrix24 Insecure Global Variable Extraction

Summary: Product: Bitrix24 · Vendor: Bitrix24 · Severity: High · Affected Versions: Bitrix24 22.0.300 (latest version as of writing) · Tested Versions: Bitrix24 22.0.300 (latest version as of writing) · CVE Identifier: CVE-2023-1719 · CVE Description: Global variable extraction in bitrix/modules/main/tools.php in Bitrix24 22.0.300 allows unauthenticated remote attackers to (1) enumerate attachments on the server and (2) execute arbitrary JavaScript code in the victim’s browser, and possibly execute arbitrary PHP code on the server if the victim has administrator privilege, via overwriting uninitialised variables....

November 1, 2023 · 11 min · Lam Jun Rong & Li Jiantao (@CurseRed)

(CVE-2023-1720) Bitrix24 Stored Cross-Site Scripting (XSS) via File Upload

Summary: Product: Bitrix24 · Vendor: Bitrix24 · Severity: High · Affected Versions: Bitrix24 22.0.300 (latest version as of writing) · Tested Versions: Bitrix24 22.0.300 (latest version as of writing) · CVE Identifier: CVE-2023-1720 · CVE Description: Lack of mime type response header in Bitrix24 22.0.300 allows authenticated remote attackers to execute arbitrary JavaScript code in the victim’s browser, and possibly execute arbitrary PHP code on the server if the victim has administrator privilege, via uploading a crafted HTML file through /desktop_app/file....

November 1, 2023 · 5 min · Lam Jun Rong & Li Jiantao (@CurseRed)

(CVE-2023-4197) Dolibarr ERP CRM (<= 18.0.1) Improper Input Sanitization Authenticated RCE

Summary: Product: Dolibarr ERP CRM · Vendor: Dolibarr · Severity: High · Affected Versions: <= 18.0.1 · Tested Versions: 17.0.1, 18.0.1 · CVE Identifier: CVE-2023-4197 · CVE Description: Improper input validation in Dolibarr ERP CRM <= v18.0.1 fails to strip certain PHP code from user-supplied input when creating a Website, allowing an attacker to inject and evaluate arbitrary PHP code....

October 11, 2023 · 6 min · Poh Jia Hao (@Chocologicall)

(CVE-2023-4198) Dolibarr ERP CRM (<= 17.0.3) Improper Access Control

Summary: Product: Dolibarr ERP CRM · Vendor: Dolibarr · Severity: High · Affected Versions: <= 17.0.3 · Tested Versions: 17.0.1, 17.0.3 · CVE Identifier: CVE-2023-4198 · CVE Description: Improper Access Control in Dolibarr ERP CRM v17.0.3 allows unauthorized users to read a database table containing sensitive third-party customers’ information via the ajaxcompanies.php endpoint. · CWE Classification(s): CWE-862 Missing Authorization · CAPEC Classification(s): CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs · CVSS3....

October 11, 2023 · 4 min · Poh Jia Hao (@Chocologicall)

(CVE-2023-30591) NodeBB Pre-Authentication Denial-of-Service

Summary: Product: NodeBB · Vendor: NodeBB · Severity: High (unprivileged attackers are able to cause NodeBB to crash and exit permanently) · Affected Versions: < v2.8.11 (Commit 82f0efb) · Tested Versions: v2.8.9 (Commit fb100ac) · CVE Identifier: CVE-2023-30591 · CVE Description: Denial-of-service in NodeBB <= v2.8.10 allows unauthenticated attackers to trigger a crash, when invoking eventName.startsWith() or eventName.toString(), while processing Socket....

September 29, 2023 · 8 min · Ngo Wei Lin (@Creastery)

(CVE-2023-2315) Path Traversal in OpenCart versions 4.0.0.0 to 4.0.2.2

Summary: Product: OpenCart · Vendor: OpenCart · Severity: High (adversaries may exploit software vulnerabilities to empty any file on the server with write permissions) · Affected Versions: 4.0.0.0 - 4.0.2.2 · Tested Version(s): 4.0.2.2 · CVE Identifier: CVE-2023-2315 · CVE Description: Path traversal in Opencart versions 4.0.0.0 to 4.0.2.2 allows authenticated backend users to empty any existing file on the server with write permissions....

September 18, 2023 · 6 min · Poh Jia Hao (@Chocologicall)