<?xml version='1.0' encoding='UTF-8'?>
<?xml-stylesheet href="/static/style.xsl" type="text/xsl"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title>Most recent sightings.</title>
    <link>https://db.gcve.eu</link>
    <description>Contains only the 10 most recent sightings.</description>
    <docs>http://www.rssboard.org/rss-specification</docs>
    <generator>python-feedgen</generator>
    <language>en</language>
    <lastBuildDate>Tue, 26 May 2026 19:54:42 +0000</lastBuildDate>
    <item>
      <title>bc634365-a93c-4811-8088-547502518005</title>
      <link>https://db.gcve.eu/sighting/bc634365-a93c-4811-8088-547502518005/export</link>
      <description>{"uuid": "bc634365-a93c-4811-8088-547502518005", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-30552", "type": "seen", "source": "https://t.me/cibsecurity/62436", "content": "\u203c CVE-2023-30552 \u203c\n\nArchery is an open source SQL audit platform. The Archery project contains multiple SQL injection vulnerabilities that may allow an attacker to query the connected databases. Affected versions are subject to SQL injection in the `sql/instance.py` endpoint's `describe` method. In several cases, user input coming from the `tb_name` parameter value, the `db_name` parameter value or the `schema_name` value in the `sql/instance.py` `describe` endpoint is passed to the `describe_table` methods in given SQL engine implementations, which concatenate user input unsafely into a SQL query and afterwards pass it to the `query` method of each database engine for execution. Please take into account that in some cases all three parameter values are concatenated, in others only one or two of them. 
The affected methods are: `describe_table` in `sql/engines/clickhouse.py` which concatenates input which is passed to execution on the database in the `query` method in `sql/engines/clickhouse.py`, `describe_table` in `sql/engines/mssql.py` which concatenates input which is passed to execution on the database in the `query` methods in `sql/engines/mssql.py`, `describe_table` in `sql/engines/mysql.py` which concatenates input which is passed to execution on the database in the `query` method in `sql/engines/mysql.py`, `describe_table` in `sql/engines/oracle.py` which concatenates input which is passed to execution on the database in the `query` methods in `sql/engines/oracle.py`, `describe_table` in `sql/engines/pgsql.py` which concatenates input which is passed to execution on the database in the `query` methods in `sql/engines/pgsql.py`, `describe_table` in `sql/engines/phoenix.py` which concatenates input which is passed to execution on the database in the `query` method in `sql/engines/phoenix.py`. Each of these issues may be mitigated by escaping user input or by using prepared statements when executing SQL queries. This issue is also indexed as `GHSL-2022-101`.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-04-19T07:43:22.000000Z"}</description>
      <content:encoded>{"uuid": "bc634365-a93c-4811-8088-547502518005", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-30552", "type": "seen", "source": "https://t.me/cibsecurity/62436", "content": "\u203c CVE-2023-30552 \u203c\n\nArchery is an open source SQL audit platform. The Archery project contains multiple SQL injection vulnerabilities that may allow an attacker to query the connected databases. Affected versions are subject to SQL injection in the `sql/instance.py` endpoint's `describe` method. In several cases, user input coming from the `tb_name` parameter value, the `db_name` parameter value or the `schema_name` value in the `sql/instance.py` `describe` endpoint is passed to the `describe_table` methods in given SQL engine implementations, which concatenate user input unsafely into a SQL query and afterwards pass it to the `query` method of each database engine for execution. Please take into account that in some cases all three parameter values are concatenated, in others only one or two of them. 
The affected methods are: `describe_table` in `sql/engines/clickhouse.py` which concatenates input which is passed to execution on the database in the `query` method in `sql/engines/clickhouse.py`, `describe_table` in `sql/engines/mssql.py` which concatenates input which is passed to execution on the database in the `query` methods in `sql/engines/mssql.py`, `describe_table` in `sql/engines/mysql.py` which concatenates input which is passed to execution on the database in the `query` method in `sql/engines/mysql.py`, `describe_table` in `sql/engines/oracle.py` which concatenates input which is passed to execution on the database in the `query` methods in `sql/engines/oracle.py`, `describe_table` in `sql/engines/pgsql.py` which concatenates input which is passed to execution on the database in the `query` methods in `sql/engines/pgsql.py`, `describe_table` in `sql/engines/phoenix.py` which concatenates input which is passed to execution on the database in the `query` method in `sql/engines/phoenix.py`. Each of these issues may be mitigated by escaping user input or by using prepared statements when executing SQL queries. This issue is also indexed as `GHSL-2022-101`.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-04-19T07:43:22.000000Z"}</content:encoded>
      <guid isPermaLink="false">https://db.gcve.eu/sighting/bc634365-a93c-4811-8088-547502518005/export</guid>
      <pubDate>Wed, 19 Apr 2023 07:43:22 +0000</pubDate>
    </item>
    <item>
      <title>1352fc76-2407-48ff-b6dd-23cfb9df82df</title>
      <link>https://db.gcve.eu/sighting/1352fc76-2407-48ff-b6dd-23cfb9df82df/export</link>
      <description>{"uuid": "1352fc76-2407-48ff-b6dd-23cfb9df82df", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-30554", "type": "seen", "source": "https://t.me/cibsecurity/62440", "content": "\u203c CVE-2023-30554 \u203c\n\nArchery is an open source SQL audit platform. The Archery project contains multiple SQL injection vulnerabilities, that may allow an attacker to query the connected databases. Affected versions are subject to SQL injection in the `sql_api/api_workflow.py` endpoint `ExecuteCheck` which passes unfiltered input to the `explain_check` method in `sql/engines/oracle.py`. User input coming from the `db_name` parameter value in the `api_workflow.py` `ExecuteCheck` endpoint is passed through the `oracle.py` `execute_check` method and to the `explain_check` method for execution. Each of these issues may be mitigated by escaping user input or by using prepared statements when executing SQL queries. This issue is also indexed as `GHSL-2022-103`.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-04-19T07:43:28.000000Z"}</description>
      <content:encoded>{"uuid": "1352fc76-2407-48ff-b6dd-23cfb9df82df", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-30554", "type": "seen", "source": "https://t.me/cibsecurity/62440", "content": "\u203c CVE-2023-30554 \u203c\n\nArchery is an open source SQL audit platform. The Archery project contains multiple SQL injection vulnerabilities, that may allow an attacker to query the connected databases. Affected versions are subject to SQL injection in the `sql_api/api_workflow.py` endpoint `ExecuteCheck` which passes unfiltered input to the `explain_check` method in `sql/engines/oracle.py`. User input coming from the `db_name` parameter value in the `api_workflow.py` `ExecuteCheck` endpoint is passed through the `oracle.py` `execute_check` method and to the `explain_check` method for execution. Each of these issues may be mitigated by escaping user input or by using prepared statements when executing SQL queries. This issue is also indexed as `GHSL-2022-103`.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-04-19T07:43:28.000000Z"}</content:encoded>
      <guid isPermaLink="false">https://db.gcve.eu/sighting/1352fc76-2407-48ff-b6dd-23cfb9df82df/export</guid>
      <pubDate>Wed, 19 Apr 2023 07:43:28 +0000</pubDate>
    </item>
    <item>
      <title>addd2926-0a1f-4720-b964-90f70f57b5aa</title>
      <link>https://db.gcve.eu/sighting/addd2926-0a1f-4720-b964-90f70f57b5aa/export</link>
      <description>{"uuid": "addd2926-0a1f-4720-b964-90f70f57b5aa", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-30558", "type": "seen", "source": "https://t.me/cibsecurity/62441", "content": "\u203c CVE-2023-30558 \u203c\n\nArchery is an open source SQL audit platform. The Archery project contains multiple SQL injection vulnerabilities that may allow an attacker to query the connected databases. User input coming from the `db_name` in the `sql/data_dictionary.py` `table_list` endpoint is passed to the methods that follow in given SQL engine implementations, which concatenate user input unsafely into a SQL query and afterwards pass it to the `query` method of each database engine for execution. The affected methods are `get_group_tables_by_db` in `sql/engines/mssql.py` which passes unsafe user input to `sql/engines/mssql.py`, and `get_group_tables_by_db` in `sql/engines/oracle.py` which concatenates input which is passed to execution on the database in the `sql/engines/oracle.py` `query` method. Each of these issues may be mitigated by escaping user input or by using prepared statements when executing SQL queries. This issue is also indexed as `GHSL-2022-105`.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-04-19T07:43:29.000000Z"}</description>
      <content:encoded>{"uuid": "addd2926-0a1f-4720-b964-90f70f57b5aa", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-30558", "type": "seen", "source": "https://t.me/cibsecurity/62441", "content": "\u203c CVE-2023-30558 \u203c\n\nArchery is an open source SQL audit platform. The Archery project contains multiple SQL injection vulnerabilities that may allow an attacker to query the connected databases. User input coming from the `db_name` in the `sql/data_dictionary.py` `table_list` endpoint is passed to the methods that follow in given SQL engine implementations, which concatenate user input unsafely into a SQL query and afterwards pass it to the `query` method of each database engine for execution. The affected methods are `get_group_tables_by_db` in `sql/engines/mssql.py` which passes unsafe user input to `sql/engines/mssql.py`, and `get_group_tables_by_db` in `sql/engines/oracle.py` which concatenates input which is passed to execution on the database in the `sql/engines/oracle.py` `query` method. Each of these issues may be mitigated by escaping user input or by using prepared statements when executing SQL queries. This issue is also indexed as `GHSL-2022-105`.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-04-19T07:43:29.000000Z"}</content:encoded>
      <guid isPermaLink="false">https://db.gcve.eu/sighting/addd2926-0a1f-4720-b964-90f70f57b5aa/export</guid>
      <pubDate>Wed, 19 Apr 2023 07:43:29 +0000</pubDate>
    </item>
    <item>
      <title>734a89b0-db65-4f6f-acda-f1ad2da3ec76</title>
      <link>https://db.gcve.eu/sighting/734a89b0-db65-4f6f-acda-f1ad2da3ec76/export</link>
      <description>{"uuid": "734a89b0-db65-4f6f-acda-f1ad2da3ec76", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-30555", "type": "seen", "source": "https://t.me/cibsecurity/62448", "content": "\u203c CVE-2023-30555 \u203c\n\nArchery is an open source SQL audit platform. The Archery project contains multiple SQL injection vulnerabilities that may allow an attacker to query the connected databases. Affected versions are subject to SQL injection in the `explain` method in `sql_optimize.py`. User input coming from the `db_name` parameter value in the `explain` endpoint is passed to the following `query` methods of each database engine for execution: `query` in `sql/engines/mssql.py`, and `query` in `sql/engines/oracle.py`. Each of these issues may be mitigated by escaping user input or by using prepared statements when executing SQL queries. This issue is also indexed as `GHSL-2022-108`.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-04-19T07:43:39.000000Z"}</description>
      <content:encoded>{"uuid": "734a89b0-db65-4f6f-acda-f1ad2da3ec76", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-30555", "type": "seen", "source": "https://t.me/cibsecurity/62448", "content": "\u203c CVE-2023-30555 \u203c\n\nArchery is an open source SQL audit platform. The Archery project contains multiple SQL injection vulnerabilities that may allow an attacker to query the connected databases. Affected versions are subject to SQL injection in the `explain` method in `sql_optimize.py`. User input coming from the `db_name` parameter value in the `explain` endpoint is passed to the following `query` methods of each database engine for execution: `query` in `sql/engines/mssql.py`, and `query` in `sql/engines/oracle.py`. Each of these issues may be mitigated by escaping user input or by using prepared statements when executing SQL queries. This issue is also indexed as `GHSL-2022-108`.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-04-19T07:43:39.000000Z"}</content:encoded>
      <guid isPermaLink="false">https://db.gcve.eu/sighting/734a89b0-db65-4f6f-acda-f1ad2da3ec76/export</guid>
      <pubDate>Wed, 19 Apr 2023 07:43:39 +0000</pubDate>
    </item>
    <item>
      <title>19ae639c-b4de-471a-9611-8cf5d093f741</title>
      <link>https://db.gcve.eu/sighting/19ae639c-b4de-471a-9611-8cf5d093f741/export</link>
      <description>{"uuid": "19ae639c-b4de-471a-9611-8cf5d093f741", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-30550", "type": "seen", "source": "https://t.me/cibsecurity/63310", "content": "\u203c CVE-2023-30550 \u203c\n\nMeterSphere is an open source continuous testing platform, covering functions such as test tracking, interface testing, UI testing, and performance testing. This IDOR vulnerability allows the administrator of a project to modify other projects under the workspace. An attacker can obtain some operating permissions. The issue has been fixed in version 2.9.0.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-05-04T22:37:13.000000Z"}</description>
      <content:encoded>{"uuid": "19ae639c-b4de-471a-9611-8cf5d093f741", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-30550", "type": "seen", "source": "https://t.me/cibsecurity/63310", "content": "\u203c CVE-2023-30550 \u203c\n\nMeterSphere is an open source continuous testing platform, covering functions such as test tracking, interface testing, UI testing, and performance testing. This IDOR vulnerability allows the administrator of a project to modify other projects under the workspace. An attacker can obtain some operating permissions. The issue has been fixed in version 2.9.0.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-05-04T22:37:13.000000Z"}</content:encoded>
      <guid isPermaLink="false">https://db.gcve.eu/sighting/19ae639c-b4de-471a-9611-8cf5d093f741/export</guid>
      <pubDate>Thu, 04 May 2023 22:37:13 +0000</pubDate>
    </item>
    <item>
      <title>67c762b8-de90-4a13-a5b4-089942055cdf</title>
      <link>https://db.gcve.eu/sighting/67c762b8-de90-4a13-a5b4-089942055cdf/export</link>
      <description>{"uuid": "67c762b8-de90-4a13-a5b4-089942055cdf", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-30551", "type": "seen", "source": "https://t.me/cibsecurity/63452", "content": "\u203c CVE-2023-30551 \u203c\n\nRekor is an open source software supply chain transparency log. Rekor prior to version 1.1.1 may crash due to out of memory (OOM) conditions caused by reading archive metadata files into memory without checking their sizes first. Verification of a JAR file submitted to Rekor can cause an out of memory crash if files within the META-INF directory of the JAR are sufficiently large. Parsing of an APK file submitted to Rekor can cause an out of memory crash if the .SIGN or .PKGINFO files within the APK are sufficiently large. The OOM crash has been patched in Rekor version 1.1.1. There are no known workarounds.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-05-08T20:37:48.000000Z"}</description>
      <content:encoded>{"uuid": "67c762b8-de90-4a13-a5b4-089942055cdf", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-30551", "type": "seen", "source": "https://t.me/cibsecurity/63452", "content": "\u203c CVE-2023-30551 \u203c\n\nRekor is an open source software supply chain transparency log. Rekor prior to version 1.1.1 may crash due to out of memory (OOM) conditions caused by reading archive metadata files into memory without checking their sizes first. Verification of a JAR file submitted to Rekor can cause an out of memory crash if files within the META-INF directory of the JAR are sufficiently large. Parsing of an APK file submitted to Rekor can cause an out of memory crash if the .SIGN or .PKGINFO files within the APK are sufficiently large. The OOM crash has been patched in Rekor version 1.1.1. There are no known workarounds.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-05-08T20:37:48.000000Z"}</content:encoded>
      <guid isPermaLink="false">https://db.gcve.eu/sighting/67c762b8-de90-4a13-a5b4-089942055cdf/export</guid>
      <pubDate>Mon, 08 May 2023 20:37:48 +0000</pubDate>
    </item>
    <item>
      <title>ee922999-d194-475a-9084-9a681e642b83</title>
      <link>https://db.gcve.eu/sighting/ee922999-d194-475a-9084-9a681e642b83/export</link>
      <description>{"uuid": "ee922999-d194-475a-9084-9a681e642b83", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-3055", "type": "seen", "source": "https://t.me/cibsecurity/64957", "content": "\u203c CVE-2023-3055 \u203c\n\nThe Page Builder by AZEXO plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.27.133. This is due to missing or incorrect nonce validation on the 'azh_save' function. This makes it possible for unauthenticated attackers to update the post content and inject malicious JavaScript via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-06-03T07:26:36.000000Z"}</description>
      <content:encoded>{"uuid": "ee922999-d194-475a-9084-9a681e642b83", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-3055", "type": "seen", "source": "https://t.me/cibsecurity/64957", "content": "\u203c CVE-2023-3055 \u203c\n\nThe Page Builder by AZEXO plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.27.133. This is due to missing or incorrect nonce validation on the 'azh_save' function. This makes it possible for unauthenticated attackers to update the post content and inject malicious JavaScript via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-06-03T07:26:36.000000Z"}</content:encoded>
      <guid isPermaLink="false">https://db.gcve.eu/sighting/ee922999-d194-475a-9084-9a681e642b83/export</guid>
      <pubDate>Sat, 03 Jun 2023 07:26:36 +0000</pubDate>
    </item>
    <item>
      <title>66aec33b-f079-4ee9-9340-496dc2f371a6</title>
      <link>https://db.gcve.eu/sighting/66aec33b-f079-4ee9-9340-496dc2f371a6/export</link>
      <description>{"uuid": "66aec33b-f079-4ee9-9340-496dc2f371a6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-30559", "type": "seen", "source": "https://t.me/cibsecurity/66689", "content": "\u203c CVE-2023-30559 \u203c\n\nThe configuration from the PCU can be modified without authentication using physical connection to the PCU.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-07-13T22:11:42.000000Z"}</description>
      <content:encoded>{"uuid": "66aec33b-f079-4ee9-9340-496dc2f371a6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-30559", "type": "seen", "source": "https://t.me/cibsecurity/66689", "content": "\u203c CVE-2023-30559 \u203c\n\nThe configuration from the PCU can be modified without authentication using physical connection to the PCU.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-07-13T22:11:42.000000Z"}</content:encoded>
      <guid isPermaLink="false">https://db.gcve.eu/sighting/66aec33b-f079-4ee9-9340-496dc2f371a6/export</guid>
      <pubDate>Thu, 13 Jul 2023 22:11:42 +0000</pubDate>
    </item>
    <item>
      <title>0f03dbf2-206d-4ec5-bb1c-95cbc05d2800</title>
      <link>https://db.gcve.eu/sighting/0f03dbf2-206d-4ec5-bb1c-95cbc05d2800/export</link>
      <description>{"uuid": "0f03dbf2-206d-4ec5-bb1c-95cbc05d2800", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-30553", "type": "seen", "source": "https://t.me/cibsecurity/62439", "content": "\u203c CVE-2023-30553 \u203c\n\nArchery is an open source SQL audit platform. The Archery project contains multiple SQL injection vulnerabilities that may allow an attacker to query the connected databases. Affected versions are subject to multiple SQL injections in the `sql_api/api_workflow.py` endpoint `ExecuteCheck`. User input coming from the `db_name` parameter value and the `full_sql` parameter value in the `api_workflow.py` `ExecuteCheck` endpoint is passed to the methods that follow in given SQL engine implementations, which concatenate user input unsafely into a SQL query and afterwards pass it to the `query` method of each database engine for execution. The affected methods are `execute_check` in `sql/engines/clickhouse.py` which concatenates input which is passed to execution on the database in the `sql/engines/clickhouse.py` `query` method, `execute_check` in `sql/engines/goinception.py` which concatenates input which is passed to execution on the database in the `sql/engines/goinception.py` `query` method, `execute_check` in `sql/engines/oracle.py` which passes unsafe user input into the `object_name_check` method in `sql/engines/oracle.py` which in turn is passed to execution on the database in the `sql/engines/oracle.py` `query` method. Each of these issues may be mitigated by escaping user input or by using prepared statements when executing SQL queries. This issue is also indexed as `GHSL-2022-102`.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2024-05-15T14:56:19.000000Z"}</description>
      <content:encoded>{"uuid": "0f03dbf2-206d-4ec5-bb1c-95cbc05d2800", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-30553", "type": "seen", "source": "https://t.me/cibsecurity/62439", "content": "\u203c CVE-2023-30553 \u203c\n\nArchery is an open source SQL audit platform. The Archery project contains multiple SQL injection vulnerabilities that may allow an attacker to query the connected databases. Affected versions are subject to multiple SQL injections in the `sql_api/api_workflow.py` endpoint `ExecuteCheck`. User input coming from the `db_name` parameter value and the `full_sql` parameter value in the `api_workflow.py` `ExecuteCheck` endpoint is passed to the methods that follow in given SQL engine implementations, which concatenate user input unsafely into a SQL query and afterwards pass it to the `query` method of each database engine for execution. The affected methods are `execute_check` in `sql/engines/clickhouse.py` which concatenates input which is passed to execution on the database in the `sql/engines/clickhouse.py` `query` method, `execute_check` in `sql/engines/goinception.py` which concatenates input which is passed to execution on the database in the `sql/engines/goinception.py` `query` method, `execute_check` in `sql/engines/oracle.py` which passes unsafe user input into the `object_name_check` method in `sql/engines/oracle.py` which in turn is passed to execution on the database in the `sql/engines/oracle.py` `query` method. Each of these issues may be mitigated by escaping user input or by using prepared statements when executing SQL queries. This issue is also indexed as `GHSL-2022-102`.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2024-05-15T14:56:19.000000Z"}</content:encoded>
      <guid isPermaLink="false">https://db.gcve.eu/sighting/0f03dbf2-206d-4ec5-bb1c-95cbc05d2800/export</guid>
      <pubDate>Wed, 15 May 2024 14:56:19 +0000</pubDate>
    </item>
  </channel>
</rss>
