LiveActive security incident?Get immediate response
CVE archive

June 2023

Browse CVE records published in June 2023, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 2369 matching CVEs · Page 1 of 48.

Unknown · CVSS Not scored

CVE-2023-31868: Sage X3 version 12.14.0.50-0 is vulnerable to Cross Site Scripting (XSS).

Sage X3 version 12.14.0.50-0 is vulnerable to Cross Site Scripting (XSS). Some parts of the Web application are dynamically built using user's inputs. Yet, those inputs are not verified nor filtered by the application, so they mathed the expected format. Therefore, when HTML/JavaScript code is injected into those fields, this code will be saved by the application and executed by the web browser of the user viewing the web page. Several injection points have been identified on the application. The major one requires the user to be authenticated with a common account, he can then target an Administrator. All others endpoints need the malicious user to be authenticated as an Administrator. Therefore, the impact is diminished.

Published Jun 22, 2023 · Updated Jul 5, 2026

Medium · CVSS 5.5

CVE-2023-29725: The BT21 x BTS Wallpaper app 12 for Android allows unauthorized applications to actively request permission...

The BT21 x BTS Wallpaper app 12 for Android allows unauthorized applications to actively request permission to insert data into the database that records information about a user's personal preferences and will be loaded into memory to be read and used when the application is opened. By injecting data, the attacker can force the application to load malicious image URLs and display them in the UI. As the amount of data increases, it will eventually cause the application to trigger an OOM error and crash, resulting in a persistent denial of service attack.

Published Jun 2, 2023 · Updated Jul 5, 2026

High · CVSS 7.8

CVE-2023-29724: The BT21 x BTS Wallpaper app 12 for Android allows unauthorized apps to actively request permission to modi...

The BT21 x BTS Wallpaper app 12 for Android allows unauthorized apps to actively request permission to modify data in the database that records information about a user's personal preferences and will be loaded into memory to be read and used when the app is opened. An attacker could tamper with this data to cause an escalation of privilege attack.

Published Jun 2, 2023 · Updated Jul 5, 2026

High · CVSS 8.7

CVE-2023-54365: Traefik - Denial of Service via HTTP/2 Request Handling

Traefik before 2.10.5 and 3.0.0-beta4 is affected by a denial-of-service vulnerability in HTTP/2 request handling inherited from the Go standard library's HTTP/2 implementation (CVE-2023-44487 / CVE-2023-39325, the 'Rapid Reset' technique). A remote attacker can rapidly create and cancel HTTP/2 streams to exhaust server resources and cause service unavailability.

Published Jun 23, 2026 · Updated Jun 30, 2026

High · CVSS 7.7

CVE-2023-37524: HCL Traveler for Microsoft Outlook (HTMO) is susceptible to vulnerabilities due to .NET Framework 4.5 being out of service

HCL Traveler for Microsoft Outlook (HTMO) is susceptible to vulnerabilities due to .NET Framework 4.5 being out of service.  Since .NET Framework 4.5 has reached end-of-life and no longer receives security updates, it may expose the application to publicly known security weaknesses through vulnerable third-party components.

Published Jun 27, 2026 · Updated Jun 29, 2026

High · CVSS 7.5

CVE-2023-4727: Ca: token authentication bypass vulnerability

A flaw was found in dogtag-pki and pki-core. The token authentication scheme can be bypassed with a LDAP injection. By passing the query string parameter sessionID=*, an attacker can authenticate with an existing session saved in the LDAP directory server, which may lead to escalation of privilege.

Published Jun 11, 2024 · Updated Jun 26, 2026

High · CVSS 8.7

CVE-2023-54357: Joomla com_booking 2.4.9 Information Disclosure via Account Enumeration

Joomla com_booking component 2.4.9 contains an information disclosure vulnerability that allows unauthenticated attackers to enumerate user accounts by exploiting the getUserData function in the customer controller. Attackers can send GET requests to index.php with option=com_booking, controller=customer, task=getUserData, and an id parameter to retrieve user names, usernames, and email addresses through brute force enumeration.

Published Jun 19, 2026 · Updated Jun 23, 2026

High · CVSS 8.5

CVE-2023-54353: Chromacam 4.0.3.0 Unquoted Service Path Privilege Escalation

Chromacam 4.0.3.0 contains an unquoted service path vulnerability in the PsyFrameGrabberService that allows local attackers to execute arbitrary code by placing malicious executables in unquoted path directories. Attackers with write access to C:\ or subdirectories like C:\Program Files (x86)\Personify\ can place a malicious Program.exe or PsyFrameGrabberService.exe file that executes with LocalSystem privileges when the service starts automatically at boot.

Published Jun 19, 2026 · Updated Jun 23, 2026

High · CVSS 8.1

CVE-2023-45796: XSS vulnerability in Pilz PASvisu and PMI v8xx

A stored cross-site scripting vulnerability in the Runtime component of Pilz PASvisu before 1.14.1 and PMI v8xx up to and including 2.0.33992 allows a low-privileged remote unauthenticated attacker to manipulate process data with potential impact on integrity and/or availability.

Published Jun 22, 2026 · Updated Jun 22, 2026

High · CVSS 8.2

CVE-2023-29146: The utility functions used by Malwarebytes EDR 1.0.11 on Linux for calculating a cryptographic hash of data...

The utility functions used by Malwarebytes EDR 1.0.11 on Linux for calculating a cryptographic hash of data bytes truncate the hashed data if it exceeds 4GB. This leads to an integer wrap-around if the data is larger than the maximum unsigned integer value (32-bit). Attackers could create a colliding hash value for two different strings by attaching 4GB of data to a string that is less than 4GB in size.

Published Jun 9, 2026 · Updated Jun 9, 2026

High · CVSS 8.7

CVE-2023-54350: WordPress Augmented-Reality Plugin Remote Code Execution Unauthenticated

WordPress Augmented-Reality plugin contains a remote code execution vulnerability in the elFinder connector that allows unauthenticated attackers to upload and execute arbitrary PHP files. Attackers can send POST requests to the connector.minimal.php endpoint with mkfile and put commands to create malicious PHP files in the file_manager directory and execute them on the server.

Published Jun 8, 2026 · Updated Jun 9, 2026

Critical · CVSS 9.8

CVE-2023-54352: WordPress Seotheme Remote Code Execution Unauthenticated

WordPress Seotheme contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by uploading malicious files to the theme directory. Attackers can access the uploaded PHP shell at /wp-content/themes/seotheme/mar.php to execute system commands and upload additional files for persistent access.

Published Jun 8, 2026 · Updated Jun 8, 2026

High · CVSS 7.2

CVE-2023-54351: WordPress Sonaar Music Plugin 4.7 Stored XSS via Comments

WordPress Sonaar Music Plugin 4.7 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts through the comment functionality. Attackers can submit JavaScript payloads in the comment parameter to wp-comments-post.php which are stored and executed in the browsers of users viewing the affected playlist pages.

Published Jun 8, 2026 · Updated Jun 8, 2026