Weekly Vulnerabilities Reports > October 16 to 22, 2023

Overview

667 new vulnerabilities reported during this period, including 88 critical vulnerabilities and 233 high severity vulnerabilities. This weekly summary report vulnerabilities in 574 products from 327 vendors including Oracle, IBM, Netapp, Dlink, and Nothings. Vulnerabilities are notably categorized as "Cross-site Scripting", "Cross-Site Request Forgery (CSRF)", "Out-of-bounds Write", "SQL Injection", and "Path Traversal".

  • 578 reported vulnerabilities are remotely exploitables.
  • 4 reported vulnerabilities have public exploit available.
  • 241 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 371 reported vulnerabilities are exploitable by an anonymous user.
  • Oracle has the most reported vulnerabilities, with 73 reported vulnerabilities.
  • Dlink has the most reported critical vulnerabilities, with 13 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

88 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2023-10-19 CVE-2022-42150 Tinylab Incorrect Default Permissions vulnerability in Tinylab Cloud LAB and Linux LAB

TinyLab linux-lab v1.1-rc1 and cloud-labv0.8-rc2, v1.1-rc1 are vulnerable to insecure permissions.

10.0
2023-10-18 CVE-2023-45146 XXL RPC Project Deserialization of Untrusted Data vulnerability in Xxl-Rpc Project Xxl-Rpc

XXL-RPC is a high performance, distributed RPC framework.

10.0
2023-10-16 CVE-2023-20198 Cisco Unspecified vulnerability in Cisco IOS XE

Cisco is providing an update for the ongoing investigation into observed exploitation of the web UI feature in Cisco IOS XE Software.

10.0
2023-10-22 CVE-2023-5693 Martmbithi SQL Injection vulnerability in Martmbithi Internet Banking System 1.0

A vulnerability was found in CodeAstro Internet Banking System 1.0 and classified as critical.

9.8
2023-10-22 CVE-2023-46300 Iterm2 Improper Encoding or Escaping of Output vulnerability in Iterm2

iTerm2 before 3.4.20 allow (potentially remote) code execution because of mishandling of certain escape sequences related to tmux integration.

9.8
2023-10-22 CVE-2023-46301 Iterm2 Improper Encoding or Escaping of Output vulnerability in Iterm2

iTerm2 before 3.4.20 allow (potentially remote) code execution because of mishandling of certain escape sequences related to upload.

9.8
2023-10-21 CVE-2023-5684 Byzoro OS Command Injection vulnerability in Byzoro Smart S85F Firmware 20231010

A vulnerability was found in Byzoro Smart S85F Management Platform up to 20231012.

9.8
2023-10-21 CVE-2023-5683 Byzoro OS Command Injection vulnerability in Byzoro Smart S85F Firmware 20231010

A vulnerability was found in Byzoro Smart S85F Management Platform up to 20231010 and classified as critical.

9.8
2023-10-21 CVE-2023-45666 Nothings Double Free vulnerability in Nothings STB Image.H 2.28

stb_image is a single file MIT licensed library for processing images.

9.8
2023-10-20 CVE-2023-5682 Tongda2000 SQL Injection vulnerability in Tongda2000 Tongda Office Anywhere 2017

A vulnerability has been found in Tongda OA 2017 and classified as critical.

9.8
2023-10-20 CVE-2023-37824 Sitolog SQL Injection vulnerability in Sitolog Application Connect 7.8.A

Sitolog sitologapplicationconnect v7.8.a and before was discovered to contain a SQL injection vulnerability via the component /activate_hook.php.

9.8
2023-10-20 CVE-2023-5533 Quantumcloud Missing Authorization vulnerability in Quantumcloud AI Chatbot

The AI ChatBot plugin for WordPress is vulnerable to unauthorized use of AJAX actions due to missing capability checks on the corresponding functions in versions up to, and including, 4.8.9 as well as 4.9.2.

9.8
2023-10-20 CVE-2020-36706 Simple Press Unrestricted Upload of File with Dangerous Type vulnerability in Simple-Press Simple:Press

The Simple:Press – WordPress Forum Plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ~/admin/resources/jscript/ajaxupload/sf-uploader.php file in versions up to, and including, 6.6.0.

9.8
2023-10-20 CVE-2023-39680 Sollace Deserialization of Untrusted Data vulnerability in Sollace Unicopia

Sollace Unicopia version 1.1.1 and before was discovered to deserialize untrusted data, allowing attackers to execute arbitrary code.

9.8
2023-10-20 CVE-2023-4402 Wpdeveloper Deserialization of Untrusted Data vulnerability in Wpdeveloper Essential Blocks and Essential Blocks PRO

The Essential Blocks plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 4.2.0 via deserialization of untrusted input in the get_products function.

9.8
2023-10-20 CVE-2023-4488 Hynotech Inclusion of Functionality from Untrusted Control Sphere vulnerability in Hynotech Dropbox Folder Share 1.9.7

The Dropbox Folder Share for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 1.9.7 via the editor-view.php file.

9.8
2023-10-20 CVE-2023-34051 Vmware Incorrect Authorization vulnerability in VMWare Aria Operations for Logs

VMware Aria Operations for Logs contains an authentication bypass vulnerability. An unauthenticated, malicious actor can inject files into the operating system of an impacted appliance which can result in remote code execution.

9.8
2023-10-19 CVE-2023-30131 Ixpdata Unspecified vulnerability in Ixpdata Easyinstall 6.6.148840

An issue discovered in IXP EasyInstall 6.6.14884.0 allows attackers to run arbitrary commands, gain escalated privilege, and cause other unspecified impacts via unauthenticated API calls.

9.8
2023-10-19 CVE-2023-38584 Weintek Out-of-bounds Write vulnerability in Weintek products

In Weintek's cMT3000 HMI Web CGI device, the cgi-bin command_wb.cgi contains a stack-based buffer overflow, which could allow an anonymous attacker to hijack control flow and bypass login authentication.

9.8
2023-10-19 CVE-2023-43492 Weintek Out-of-bounds Write vulnerability in Weintek products

In Weintek's cMT3000 HMI Web CGI device, the cgi-bin codesys.cgi contains a stack-based buffer overflow, which could allow an anonymous attacker to hijack control flow and bypass login authentication.

9.8
2023-10-19 CVE-2023-45376 Hipresta SQL Injection vulnerability in Hipresta Carousels Pack 1.5.0

In the module "Carousels Pack - Instagram, Products, Brands, Supplier" (hicarouselspack) for PrestaShop up to version 1.5.0 from HiPresta for PrestaShop, a guest can perform SQL injection via HiCpProductGetter::getViewedProduct().`

9.8
2023-10-19 CVE-2023-43986 Dmconcept SQL Injection vulnerability in Dmconcept Configurator 4.9.3

DM Concept configurator before v4.9.4 was discovered to contain a SQL injection vulnerability via the component ConfiguratorAttachment::getAttachmentByToken.

9.8
2023-10-19 CVE-2023-45381 Webshopworks SQL Injection vulnerability in Webshopworks Creativepopup

In the module "Creative Popup" (creativepopup) up to version 1.6.9 from WebshopWorks for PrestaShop, a guest can perform SQL injection via `cp_download_popup().`

9.8
2023-10-19 CVE-2022-47583 Mintty Project Injection vulnerability in Mintty Project Mintty

Terminal character injection in Mintty before 3.6.3 allows code execution via unescaped output to the terminal.

9.8
2023-10-19 CVE-2023-35182 Solarwinds Deserialization of Untrusted Data vulnerability in Solarwinds Access Rights Manager

The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability.

9.8
2023-10-19 CVE-2023-35184 Solarwinds Deserialization of Untrusted Data vulnerability in Solarwinds Access Rights Manager

The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability.

9.8
2023-10-19 CVE-2023-35187 Solarwinds Path Traversal vulnerability in Solarwinds Access Rights Manager

The SolarWinds Access Rights Manager was susceptible to a Directory Traversal Remote Code Vulnerability.

9.8
2023-10-19 CVE-2023-46042 GET Simple Unspecified vulnerability in Get-Simple Getsimplecms 3.4.0A

An issue in GetSimpleCMS v.3.4.0a allows a remote attacker to execute arbitrary code via a crafted payload to the phpinfo().

9.8
2023-10-19 CVE-2023-45379 Posthemes SQL Injection vulnerability in Posthemes Posrotatorimg 1.1

In the module "Rotator Img" (posrotatorimg) in versions at least up to 1.1 from PosThemes for PrestaShop, a guest can perform SQL injection.

9.8
2023-10-19 CVE-2023-45384 Knowband Unrestricted Upload of File with Dangerous Type vulnerability in Knowband Supercheckout 5.0.7

KnowBand supercheckout > 5.0.7 and < 6.0.7 is vulnerable to Unrestricted Upload of File with Dangerous Type.

9.8
2023-10-19 CVE-2023-37503 Hcltech Weak Password Requirements vulnerability in Hcltech HCL Compass

HCL Compass is vulnerable to insecure password requirements.

9.8
2023-10-18 CVE-2023-4601 NI Out-of-bounds Write vulnerability in NI System Configuration

A stack-based buffer overflow vulnerability exists in NI System Configuration that could result in information disclosure and/or arbitrary code execution.

9.8
2023-10-18 CVE-2023-45911 Wipotec Exposure of Resource to Wrong Sphere vulnerability in Wipotec Comscale 4.3.29.21344/4.4.12.723

An issue in WIPOTEC GmbH ComScale v4.3.29.21344 and v4.4.12.723 allows unauthenticated attackers to login as any user without a password.

9.8
2023-10-18 CVE-2023-5642 Advantech Unspecified vulnerability in Advantech R-Seenet 2.4.23

Advantech R-SeeNet v2.4.23 allows an unauthenticated remote attacker to read from and write to the snmpmon.ini file, which contains sensitive information.

9.8
2023-10-18 CVE-2023-46005 Mayurik SQL Injection vulnerability in Mayurik Best Courier Management System 1.0

Sourcecodester Best Courier Management System 1.0 is vulnerable to SQL Injection via the parameter id in /edit_branch.php.

9.8
2023-10-18 CVE-2023-46006 Mayurik SQL Injection vulnerability in Mayurik Best Courier Management System 1.0

Sourcecodester Best Courier Management System 1.0 is vulnerable to SQL Injection via the parameter id in /edit_user.php.

9.8
2023-10-18 CVE-2023-46007 Mayurik SQL Injection vulnerability in Mayurik Best Courier Management System 1.0

Sourcecodester Best Courier Management System 1.0 is vulnerable to SQL Injection via the parameter id in /edit_staff.php.

9.8
2023-10-18 CVE-2023-35084 Ivanti Deserialization of Untrusted Data vulnerability in Ivanti Endpoint Manager

Unsafe Deserialization of User Input could lead to Execution of Unauthorized Operations in Ivanti Endpoint Manager 2022 su3 and all previous versions, which could allow an attacker to execute commands remotely.

9.8
2023-10-18 CVE-2023-38545 Haxx
Fedoraproject
Netapp
Microsoft
Out-of-bounds Write vulnerability in multiple products

This flaw makes curl overflow a heap based buffer in the SOCKS5 proxy handshake. When curl is asked to pass along the host name to the SOCKS5 proxy to allow that to resolve the address instead of it getting done by curl itself, the maximum length that host name can be is 255 bytes. If the host name is detected to be longer, curl switches to local name resolving and instead passes on the resolved address only.

9.8
2023-10-18 CVE-2023-39332 Nodejs
Fedoraproject
Path Traversal vulnerability in multiple products

Various `node:fs` functions allow specifying paths as either strings or `Uint8Array` objects.

9.8
2023-10-17 CVE-2023-22069 Oracle Unspecified vulnerability in Oracle Weblogic Server 12.2.1.4.0/14.1.1.0.0

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core).

9.8
2023-10-17 CVE-2023-22072 Oracle Unspecified vulnerability in Oracle Weblogic Server 12.2.1.3.0

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core).

9.8
2023-10-17 CVE-2023-22089 Oracle Unspecified vulnerability in Oracle Weblogic Server 12.2.1.4.0/14.1.1.0.0

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core).

9.8
2023-10-17 CVE-2023-41630 Esst Code Injection vulnerability in Esst Monitoring

eSST Monitoring v2.147.1 was discovered to contain a remote code execution (RCE) vulnerability via the Gii code generator component.

9.8
2023-10-17 CVE-2023-45951 Lylme SQL Injection vulnerability in Lylme Spage 1.7.0

lylme_spage v1.7.0 was discovered to contain a SQL injection vulnerability via the $userip parameter at function.php.

9.8
2023-10-17 CVE-2023-45952 Lylme Unrestricted Upload of File with Dangerous Type vulnerability in Lylme Spage 1.7.0

An arbitrary file upload vulnerability in the component ajax_link.php of lylme_spage v1.7.0 allows attackers to execute arbitrary code via uploading a crafted file.

9.8
2023-10-17 CVE-2023-27132 Tsplus Insufficiently Protected Credentials vulnerability in Tsplus Remote Work

TSplus Remote Work 16.0.0.0 places a cleartext password on the "var pass" line of the HTML source code for the secure single sign-on web portal.

9.8
2023-10-17 CVE-2023-27133 Tsplus Incorrect Default Permissions vulnerability in Tsplus Remote Work

TSplus Remote Work 16.0.0.0 has weak permissions for .exe, .js, and .html files under the %PROGRAMFILES(X86)%\TSplus-RemoteWork\Clients\www folder.

9.8
2023-10-17 CVE-2023-44693 Dlink SQL Injection vulnerability in Dlink Dar-7000 Firmware V31R02B1413C

D-Link Online behavior audit gateway DAR-7000 V31R02B1413C is vulnerable to SQL Injection via /importexport.php.

9.8
2023-10-17 CVE-2023-44694 Dlink SQL Injection vulnerability in Dlink Dar-7000 Firmware V31R02B1413C

D-Link Online behavior audit gateway DAR-7000 V31R02B1413C is vulnerable to SQL Injection via /log/mailrecvview.php.

9.8
2023-10-17 CVE-2023-45386 Mypresta SQL Injection vulnerability in Mypresta Product Extra Tabs PRO

In the module extratabspro before version 2.2.8 from MyPresta.eu for PrestaShop, a guest can perform SQL injection via `extratabspro::searchcategory()`, `extratabspro::searchproduct()` and `extratabspro::searchmanufacturer().'

9.8
2023-10-17 CVE-2011-10004 Reciply Project Unrestricted Upload of File with Dangerous Type vulnerability in Reciply Project Reciply 1.1.7

A vulnerability was found in reciply Plugin up to 1.1.7 on WordPress.

9.8
2023-10-16 CVE-2023-40852 User Registration Login AND User Management System With Admin Panel Project SQL Injection vulnerability in User Registration & Login and User Management System With Admin Panel Project User Registration & Login and User Management System With Admin Panel 3.0

SQL Injection vulnerability in Phpgurukul User Registration & Login and User Management System With admin panel 3.0 allows attackers to obtain sensitive information via crafted string in the admin user name field on the admin log in page.

9.8
2023-10-16 CVE-2023-43119 Extremenetworks Incorrect Authorization vulnerability in Extremenetworks Exos 31.7.1/32.0

An Access Control issue discovered in Extreme Networks Switch Engine (EXOS) before 32.5.1.5, also fixed in 22.7, 31.7.2 allows attackers to gain escalated privileges using crafted telnet commands via Redis server.

9.8
2023-10-16 CVE-2023-4666 10Web Unspecified vulnerability in 10Web Form Maker

The Form Maker by 10Web WordPress plugin before 1.15.20 does not validate signatures when creating them on the server from user input, allowing unauthenticated users to create arbitrary files and lead to RCE

9.8
2023-10-16 CVE-2023-45984 Totolink Out-of-bounds Write vulnerability in Totolink A7000R Firmware and X5000R Firmware

TOTOLINK X5000R V9.1.0u.6118_B20201102 and TOTOLINK A7000R V9.1.0u.6115_B20201022 was discovered to contain a stack overflow via the lang parameter in the function setLanguageCfg.

9.8
2023-10-16 CVE-2023-3991 Freshtomato OS Command Injection vulnerability in Freshtomato 2023.3

An OS command injection vulnerability exists in the httpd iperfrun.cgi functionality of FreshTomato 2023.3.

9.8
2023-10-16 CVE-2023-43668 Apache Authorization Bypass Through User-Controlled Key vulnerability in Apache Inlong

Authorization Bypass Through User-Controlled Key vulnerability in Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.8.0,  some sensitive params checks will be bypassed, like "autoDeserizalize","allowLoadLocalInfile".... .   Users are advised to upgrade to Apache InLong's 1.9.0 or cherry-pick [1] to solve it. [1]  https://github.com/apache/inlong/pull/8604

9.8
2023-10-16 CVE-2023-45158 Web2Py OS Command Injection vulnerability in Web2Py

An OS command injection vulnerability exists in web2py 2.24.1 and earlier.

9.8
2023-10-16 CVE-2023-45576 Dlink Out-of-bounds Write vulnerability in Dlink products

Buffer Overflow vulnerability in D-Link device DI-7003GV2.D1 v.23.08.25D1 and before, DI-7100G+V2.D1 v.23.08.23D1 and before, DI-7100GV2.D1 v.23.08.23D1, DI-7200G+V2.D1 v.23.08.23D1 and before, DI-7200GV2.E1 v.23.08.23E1 and before, DI-7300G+V2.D1 v.23.08.23D1, and DI-7400G+V2.D1 v.23.08.23D1 and before allows a remote attacker to execute arbitrary code via the remove_ext_proto/remove_ext_port parameter of the upnp_ctrl.asp function.

9.8
2023-10-16 CVE-2023-45577 Dlink Out-of-bounds Write vulnerability in Dlink products

Stack Overflow vulnerability in D-Link device DI-7003GV2.D1 v.23.08.25D1 and before, DI-7100G+V2.D1 v.23.08.23D1 and before, DI-7100GV2.D1 v.23.08.23D1, DI-7200G+V2.D1 v.23.08.23D1 and before, DI-7200GV2.E1 v.23.08.23E1 and before, DI-7300G+V2.D1 v.23.08.23D1, and DI-7400G+V2.D1 v.23.08.23D1 and before allows a remote attacker to execute arbitrary code via the wanid parameter of the H5/speedlimit.data function.

9.8
2023-10-16 CVE-2023-45578 Dlink Out-of-bounds Write vulnerability in Dlink products

Buffer Overflow vulnerability in D-Link device DI-7003GV2.D1 v.23.08.25D1 and before, DI-7100G+V2.D1 v.23.08.23D1 and before, DI-7100GV2.D1 v.23.08.23D1, DI-7200G+V2.D1 v.23.08.23D1 and before, DI-7200GV2.E1 v.23.08.23E1 and before, DI-7300G+V2.D1 v.23.08.23D1, and DI-7400G+V2.D1 v.23.08.23D1 and before allows a remote attacker to execute arbitrary code via the pap_en/chap_en parameter of the pppoe_base.asp function.

9.8
2023-10-16 CVE-2023-45579 Dlink Out-of-bounds Write vulnerability in Dlink products

Buffer Overflow vulnerability in D-Link device DI-7003GV2.D1 v.23.08.25D1 and before, DI-7100G+V2.D1 v.23.08.23D1 and before, DI-7100GV2.D1 v.23.08.23D1, DI-7200G+V2.D1 v.23.08.23D1 and before, DI-7200GV2.E1 v.23.08.23E1 and before, DI-7300G+V2.D1 v.23.08.23D1, and DI-7400G+V2.D1 v.23.08.23D1 and before allows a remote attacker to execute arbitrary code via the ip/type parameter of the jingx.asp function.

9.8
2023-10-16 CVE-2023-45580 Dlink Out-of-bounds Write vulnerability in Dlink products

Buffer Overflow vulnerability in D-Link device DI-7003GV2.D1 v.23.08.25D1 and before, DI-7100G+V2.D1 v.23.08.23D1 and before, DI-7100GV2.D1 v.23.08.23D1, DI-7200G+V2.D1 v.23.08.23D1 and before, DI-7200GV2.E1 v.23.08.23E1 and before, DI-7300G+V2.D1 v.23.08.23D1, and DI-7400G+V2.D1 v.23.08.23D1 and before allows a remote attacker to execute arbitrary code via the wild/mx and other parameters of the ddns.asp function

9.8
2023-10-16 CVE-2023-36950 Totolink Out-of-bounds Write vulnerability in Totolink A7000R Firmware and X5000R Firmware

TOTOLINK X5000R V9.1.0u.6118_B20201102 and TOTOLINK A7000R V9.1.0u.6115_B20201022 was discovered to contain a stack overflow via the http_host parameter in the function loginAuth.

9.8
2023-10-16 CVE-2023-36953 Totolink Command Injection vulnerability in Totolink Cp300+ Firmware 5.2Cu.7594B20200910

TOTOLINK CP300+ V5.2cu.7594_B20200910 and before is vulnerable to command injection.

9.8
2023-10-16 CVE-2023-36954 Totolink Command Injection vulnerability in Totolink Cp300+ Firmware 5.2Cu.7594B20200910

TOTOLINK CP300+ V5.2cu.7594_B20200910 and before is vulnerable to command injection.

9.8
2023-10-16 CVE-2023-36955 Totolink Out-of-bounds Write vulnerability in Totolink Cp300+ Firmware 5.2Cu.7594/5.2Cu.7594B20200910

TOTOLINK CP300+ <=V5.2cu.7594_B20200910 was discovered to contain a stack overflow via the File parameter in the function UploadCustomModule.

9.8
2023-10-16 CVE-2023-44808 Dlink Out-of-bounds Write vulnerability in Dlink Dir-820L Firmware 1.05B03

D-Link DIR-820L 1.05B03 has a stack overflow vulnerability in the sub_4507CC function.

9.8
2023-10-16 CVE-2023-44809 Dlink Unspecified vulnerability in Dlink Dir-820L Firmware 1.05B03

D-Link device DIR-820L 1.05B03 is vulnerable to Insecure Permissions.

9.8
2023-10-16 CVE-2023-45572 Dlink Out-of-bounds Write vulnerability in Dlink products

Buffer Overflow vulnerability in D-Link device DI-7003GV2.D1 v.23.08.25D1 and before, DI-7100G+V2.D1 v.23.08.23D1 and before, DI-7100GV2.D1 v.23.08.23D1, DI-7200G+V2.D1 v.23.08.23D1 and before, DI-7200GV2.E1 v.23.08.23E1 and before, DI-7300G+V2.D1 v.23.08.23D1, and DI-7400G+V2.D1 v.23.08.23D1 and before allows a remote attacker to execute arbitrary code via the fn parameter of the tgfile.htm function.

9.8
2023-10-16 CVE-2023-45573 Dlink Out-of-bounds Write vulnerability in Dlink products

Buffer Overflow vulnerability in D-Link device DI-7003GV2.D1 v.23.08.25D1 and before, DI-7100G+V2.D1 v.23.08.23D1 and before, DI-7100GV2.D1 v.23.08.23D1, DI-7200G+V2.D1 v.23.08.23D1 and before, DI-7200GV2.E1 v.23.08.23E1 and before, DI-7300G+V2.D1 v.23.08.23D1, and DI-7400G+V2.D1 v.23.08.23D1 and before allows a remote attacker to execute arbitrary code via the n parameter of the mrclfile_del.asp function.

9.8
2023-10-16 CVE-2023-45574 Dlink Out-of-bounds Write vulnerability in Dlink products

Buffer Overflow vulnerability in D-Link device DI-7003GV2.D1 v.23.08.25D1 and before, DI-7100G+V2.D1 v.23.08.23D1 and before, DI-7100GV2.D1 v.23.08.23D1, DI-7200G+V2.D1 v.23.08.23D1 and before, DI-7200GV2.E1 v.23.08.23E1 and before, DI-7300G+V2.D1 v.23.08.23D1, and DI-7400G+V2.D1 v.23.08.23D1 and before allows a remote attacker to execute arbitrary code via the fn parameter of the file.data function.

9.8
2023-10-16 CVE-2023-45575 Dlink Out-of-bounds Write vulnerability in Dlink products

Stack Overflow vulnerability in D-Link device DI-7003GV2.D1 v.23.08.25D1 and before, DI-7100G+V2.D1 v.23.08.23D1 and before, DI-7100GV2.D1 v.23.08.23D1, DI-7200G+V2.D1 v.23.08.23D1 and before, DI-7200GV2.E1 v.23.08.23E1 and before, DI-7300G+V2.D1 v.23.08.23D1, and DI-7400G+V2.D1 v.23.08.23D1 and before allows a remote attacker to execute arbitrary code via the ip parameter of the ip_position.asp function.

9.8
2023-10-16 CVE-2023-36340 Totolink Out-of-bounds Write vulnerability in Totolink Nr1800X Firmware 9.1.0U.6279B20210910

TOTOLINK NR1800X V9.1.0u.6279_B20210910 was discovered to contain a stack overflow via the http_host parameter in the function loginAuth.

9.8
2023-10-16 CVE-2023-36947 Totolink Out-of-bounds Write vulnerability in Totolink A7000R Firmware and X5000R Firmware

TOTOLINK X5000R V9.1.0u.6118_B20201102 and TOTOLINK A7000R V9.1.0u.6115_B20201022 was discovered to contain a stack overflow via the File parameter in the function UploadCustomModule.

9.8
2023-10-16 CVE-2023-36952 Totolink Out-of-bounds Write vulnerability in Totolink Cp300+ Firmware 5.2Cu.7594B20200910

TOTOLINK CP300+ V5.2cu.7594_B20200910 was discovered to contain a stack overflow via the pingIp parameter in the function setDiagnosisCfg.

9.8
2023-10-16 CVE-2023-33836 IBM Use of Hard-coded Credentials vulnerability in IBM Security Verify Governance 10.0/10.0.1

IBM Security Verify Governance 10.0 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

9.8
2023-10-19 CVE-2023-41895 Home Assistant Cross-site Scripting vulnerability in Home-Assistant

Home assistant is an open source home automation.

9.6
2023-10-19 CVE-2023-41897 Home Assistant Improper Restriction of Rendered UI Layers or Frames vulnerability in Home-Assistant

Home assistant is an open source home automation.

9.6
2023-10-19 CVE-2023-45992 Commscope Cross-site Scripting vulnerability in Commscope Ruckus Cloudpath Enrollment System

A vulnerability in the web-based interface of the RUCKUS Cloudpath product on version 5.12 build 5538 or before to could allow a remote, unauthenticated attacker to execute persistent XSS and CSRF attacks against a user of the admin management interface.

9.6
2023-10-19 CVE-2022-37830 Webjet Cross-site Scripting vulnerability in Webjet CMS

Interway a.s WebJET CMS 8.6.896 is vulnerable to Cross Site Scripting (XSS).

9.6
2023-10-16 CVE-2023-45144 Xwiki Cross-site Scripting vulnerability in Xwiki Oauth Identity

com.xwiki.identity-oauth:identity-oauth-ui is a package to aid in building identity and service providers based on OAuth authorizations.

9.6
2023-10-20 CVE-2023-5576 Wpvivid Unspecified vulnerability in Wpvivid Migration, Backup, Staging

The Migration, Backup, Staging - WPvivid plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 0.9.91 via Google Drive API secrets stored in plaintext in the publicly visible plugin source.

9.3
2023-10-19 CVE-2023-45278 Spaceapplications Path Traversal vulnerability in Spaceapplications Yamcs 5.8.6

Directory Traversal vulnerability in the storage functionality of the API in Yamcs 5.8.6 allows attackers to delete arbitrary files via crafted HTTP DELETE request.

9.1
2023-10-16 CVE-2023-45685 Southrivertech Path Traversal vulnerability in Southrivertech Titan MFT Server and Titan Sftp Server

Insufficient path validation when extracting a zip archive in South River Technologies' Titan MFT and Titan SFTP servers on Windows and Linux allows an authenticated attacker to write a file to any location on the filesystem via path traversal

9.1
2023-10-16 CVE-2023-5422 Otrs Improper Certificate Validation vulnerability in Otrs

The functions to fetch e-mail via POP3 or IMAP as well as sending e-mail via SMTP use OpenSSL for static SSL or TLS based communication.

9.1
2023-10-19 CVE-2023-41896 Home Assistant Insufficient Verification of Data Authenticity vulnerability in Home-Assistant Home-Assistant-Js-Websocket

Home assistant is an open source home automation.

9.0

233 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2023-10-22 CVE-2023-46085 Wpmet Cross-Site Request Forgery (CSRF) vulnerability in Wpmet WP Ultimate Review

Cross-Site Request Forgery (CSRF) vulnerability in Wpmet Wp Ultimate Review plugin <= 2.2.4 versions.

8.8
2023-10-22 CVE-2023-46089 Userback Cross-Site Request Forgery (CSRF) vulnerability in Userback

Cross-Site Request Forgery (CSRF) vulnerability in Lee Le @ Userback Userback plugin <= 1.0.13 versions.

8.8
2023-10-22 CVE-2023-46095 Chetangole Cross-Site Request Forgery (CSRF) vulnerability in Chetangole Smooth Scroll Links 1.0.0/1.1.0

Cross-Site Request Forgery (CSRF) vulnerability in Chetan Gole Smooth Scroll Links [SSL] plugin <= 1.1.0 versions.

8.8
2023-10-21 CVE-2023-46078 Pluginever Cross-Site Request Forgery (CSRF) vulnerability in Pluginever WC Serial Numbers

Cross-Site Request Forgery (CSRF) vulnerability in PluginEver WC Serial Numbers plugin <= 1.6.3 versions.

8.8
2023-10-21 CVE-2023-46067 Qwerty23 Cross-Site Request Forgery (CSRF) vulnerability in Qwerty23 Rocket Font

Cross-Site Request Forgery (CSRF) vulnerability in Qwerty23 Rocket Font plugin <= 1.2.3 versions.

8.8
2023-10-21 CVE-2023-46055 Thingnario Unspecified vulnerability in Thingnario Photon 1.0

An issue in ThingNario Photon v.1.0 allows a remote attacker to execute arbitrary code and escalate privileges via a crafted script to the ping function to the "thingnario Logger Maintenance Webpage" endpoint.

8.8
2023-10-21 CVE-2023-38190 Superwebmailer SQL Injection vulnerability in Superwebmailer 9.00.0.01710

An issue was discovered in SuperWebMailer 9.00.0.01710.

8.8
2023-10-21 CVE-2023-38193 Superwebmailer Command Injection vulnerability in Superwebmailer 9.00.0.01710

An issue was discovered in SuperWebMailer 9.00.0.01710.

8.8
2023-10-21 CVE-2023-45664 Nothings Double Free vulnerability in Nothings STB Image.H 2.28

stb_image is a single file MIT licensed library for processing images.

8.8
2023-10-20 CVE-2023-46117 Six2Dez OS Command Injection vulnerability in Six2Dez Reconftw

reconFTW is a tool designed to perform automated recon on a target domain by running the best set of tools to perform scanning and finding out vulnerabilities.

8.8
2023-10-20 CVE-2023-23373 Qnap OS Command Injection vulnerability in Qnap Qusbcam2 2.0.0

An OS command injection vulnerability has been reported to affect QUSBCam2.

8.8
2023-10-20 CVE-2023-5686 Radare
Fedoraproject
Out-of-bounds Write vulnerability in multiple products

Heap-based Buffer Overflow in GitHub repository radareorg/radare2 prior to 5.9.0.

8.8
2023-10-20 CVE-2023-5687 Mosparo Cross-Site Request Forgery (CSRF) vulnerability in Mosparo

Cross-Site Request Forgery (CSRF) in GitHub repository mosparo/mosparo prior to 1.0.3.

8.8
2023-10-20 CVE-2023-5690 Modoboa Cross-Site Request Forgery (CSRF) vulnerability in Modoboa

Cross-Site Request Forgery (CSRF) in GitHub repository modoboa/modoboa prior to 2.2.2.

8.8
2023-10-20 CVE-2021-4334 Radykal Incorrect Authorization vulnerability in Radykal Fancy Product Designer

The Fancy Product Designer plugin for WordPress is vulnerable to unauthorized modification of site options due to a missing capability check on the fpd_update_options function in versions up to, and including, 4.6.9.

8.8
2023-10-20 CVE-2022-2441 Orangelab Cross-Site Request Forgery (CSRF) vulnerability in Orangelab Imagemagick Engine

The ImageMagick Engine plugin for WordPress is vulnerable to remote code execution via the 'cli_path' parameter in versions up to, and including 1.7.5.

8.8
2023-10-20 CVE-2022-3342 Automattic Deserialization of Untrusted Data vulnerability in Automattic Jetpack CRM

The Jetpack CRM plugin for WordPress is vulnerable to PHAR deserialization via the ‘zbscrmcsvimpf’ parameter in the 'zeroBSCRM_CSVImporterLitehtml_app' function in versions up to, and including, 5.3.1.

8.8
2023-10-20 CVE-2022-4290 CYR TO LAT Project SQL Injection vulnerability in CYR to LAT Project CYR to LAT

The Cyr to Lat plugin for WordPress is vulnerable to authenticated SQL Injection via the 'ctl_sanitize_title' function in versions up to, and including, 3.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.

8.8
2023-10-20 CVE-2023-4999 Gopiplus SQL Injection vulnerability in Gopiplus Horizontal Scrolling Announcement 9.2

The Horizontal scrolling announcement plugin for WordPress is vulnerable to SQL Injection via the plugin's [horizontal-scrolling] shortcode in versions up to, and including, 9.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.

8.8
2023-10-20 CVE-2023-5602 Ultimatelysocial Cross-Site Request Forgery (CSRF) vulnerability in Ultimatelysocial Social Media Share Buttons & Social Sharing Icons

The Social Media Share Buttons & Social Sharing Icons plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8.5.

8.8
2023-10-20 CVE-2020-36698 Cleantalk Missing Authorization vulnerability in Cleantalk Security & Malware Scan

The Security & Malware scan by CleanTalk plugin for WordPress is vulnerable to unauthorized user interaction in versions up to, and including, 2.50.

8.8
2023-10-20 CVE-2023-4920 Pluginus Cross-Site Request Forgery (CSRF) vulnerability in Pluginus Bear - Woocommerce Bulk Editor and products Manager Professional

The BEAR for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.3.3.

8.8
2023-10-19 CVE-2023-44385 Home Assistant Cross-Site Request Forgery (CSRF) vulnerability in Home-Assistant Home Assistant Companion

The Home Assistant Companion for iOS and macOS app up to version 2023.4 are vulnerable to Client-Side Request Forgery.

8.8
2023-10-19 CVE-2023-40145 Weintek OS Command Injection vulnerability in Weintek products

In Weintek's cMT3000 HMI Web CGI device, an anonymous attacker can execute arbitrary commands after login to the device.

8.8
2023-10-19 CVE-2023-41089 Dexma Improper Authentication vulnerability in Dexma Dexgate 20130114

The affected product is vulnerable to an improper authentication vulnerability, which may allow an attacker to impersonate a legitimate user as long as the device keeps the session active, since the attack takes advantage of the cookie header to generate "legitimate" requests.

8.8
2023-10-19 CVE-2023-42435 Dexma Cross-Site Request Forgery (CSRF) vulnerability in Dexma Dexgate 20130114

The affected product is vulnerable to a cross-site request forgery vulnerability, which may allow an attacker to perform actions with the permissions of a victim user.

8.8
2023-10-19 CVE-2023-35180 Solarwinds Deserialization of Untrusted Data vulnerability in Solarwinds Access Rights Manager

The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability.

8.8
2023-10-19 CVE-2023-35186 Solarwinds Deserialization of Untrusted Data vulnerability in Solarwinds Access Rights Manager

The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability.

8.8
2023-10-19 CVE-2022-25333 TI Unspecified vulnerability in TI Omap L138 Firmware

The Texas Instruments OMAP L138 (secure variants) trusted execution environment (TEE) performs an RSA check implemented in mask ROM when loading a module through the SK_LOAD routine.

8.8
2023-10-19 CVE-2022-25334 TI Out-of-bounds Write vulnerability in TI Omap L138 Firmware

The Texas Instruments OMAP L138 (secure variants) trusted execution environment (TEE) lacks a bounds check on the signature size field in the SK_LOAD module loading routine, present in mask ROM.

8.8
2023-10-19 CVE-2022-26941 Motorola Use of Externally-Controlled Format String vulnerability in Motorola Mtm5400 Firmware and Mtm5500 Firmware

A format string vulnerability exists in Motorola MTM5000 series firmware AT command handler for the AT+CTGL command.

8.8
2023-10-19 CVE-2022-26943 Motorola Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Motorola Mtm5400 Firmware and Mtm5500 Firmware

The Motorola MTM5000 series firmwares generate TETRA authentication challenges using a PRNG using a tick count register as its sole entropy source.

8.8
2023-10-19 CVE-2023-46229 Langchain Server-Side Request Forgery (SSRF) vulnerability in Langchain

LangChain before 0.0.317 allows SSRF via document_loaders/recursive_url_loader.py because crawling can proceed from an external server to an internal server.

8.8
2023-10-18 CVE-2023-37502 Hcltech Unrestricted Upload of File with Dangerous Type vulnerability in Hcltech HCL Compass

HCL Compass is vulnerable to lack of file upload security.

8.8
2023-10-18 CVE-2023-5626 SFU Cross-Site Request Forgery (CSRF) vulnerability in SFU Open Journal System

Cross-Site Request Forgery (CSRF) in GitHub repository pkp/ojs prior to 3.3.0-16.

8.8
2023-10-17 CVE-2023-41715 Sonicwall Improper Privilege Management vulnerability in Sonicwall Sonicos

SonicOS post-authentication Improper Privilege Management vulnerability in the SonicOS SSL VPN Tunnel allows users to elevate their privileges inside the tunnel.

8.8
2023-10-17 CVE-2023-22085 Oracle Unspecified vulnerability in Oracle Hospitality Opera 5 Property Services 5.6

Vulnerability in the Hospitality OPERA 5 Property Services product of Oracle Hospitality Applications (component: Opera).

8.8
2023-10-17 CVE-2023-22087 Oracle Unspecified vulnerability in Oracle Hospitality Opera 5 Property Services 5.6

Vulnerability in the Hospitality OPERA 5 Property Services product of Oracle Hospitality Applications (component: Opera).

8.8
2023-10-17 CVE-2023-41631 Esst Unrestricted Upload of File with Dangerous Type vulnerability in Esst Monitoring

eSST Monitoring v2.147.1 was discovered to contain a remote code execution (RCE) vulnerability via the file upload function.

8.8
2023-10-17 CVE-2023-43959 Yealink OS Command Injection vulnerability in Yealink Sip-T19P-E2 Firmware 53.84.0.15

An issue in YeaLinkSIP-T19P-E2 v.53.84.0.15 allows a remote privileged attacker to execute arbitrary code via a crafted request the ping function of the diagnostic component.

8.8
2023-10-17 CVE-2023-45901 Dreamer CMS Project Cross-Site Request Forgery (CSRF) vulnerability in Dreamer CMS Project Dreamer CMS 4.1.3

Dreamer CMS v4.1.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin\/category\/add.

8.8
2023-10-17 CVE-2023-45902 Dreamer CMS Project Cross-Site Request Forgery (CSRF) vulnerability in Dreamer CMS Project Dreamer CMS 4.1.3

Dreamer CMS v4.1.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/attachment/delete.

8.8
2023-10-17 CVE-2023-45903 Dreamer CMS Project Cross-Site Request Forgery (CSRF) vulnerability in Dreamer CMS Project Dreamer CMS 4.1.3

Dreamer CMS v4.1.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/label/delete.

8.8
2023-10-17 CVE-2023-45904 Dreamer CMS Project Cross-Site Request Forgery (CSRF) vulnerability in Dreamer CMS Project Dreamer CMS 4.1.3

Dreamer CMS v4.1.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /variable/update.

8.8
2023-10-17 CVE-2023-45905 Dreamer CMS Project Cross-Site Request Forgery (CSRF) vulnerability in Dreamer CMS Project Dreamer CMS 4.1.3

Dreamer CMS v4.1.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/variable/add.

8.8
2023-10-17 CVE-2023-45906 Dreamer CMS Project Cross-Site Request Forgery (CSRF) vulnerability in Dreamer CMS Project Dreamer CMS 4.1.3

Dreamer CMS v4.1.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/user/add.

8.8
2023-10-17 CVE-2023-45907 Dreamer CMS Project Cross-Site Request Forgery (CSRF) vulnerability in Dreamer CMS Project Dreamer CMS 4.1.3

Dreamer CMS v4.1.3 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/variable/delete.

8.8
2023-10-17 CVE-2023-34210 Easyuse SQL Injection vulnerability in Easyuse Mailhunter Ultimate 2020/2023

SQL Injection in create customer group function in EasyUse MailHunter Ultimate 2023 and earlier allow remote authenticated users to execute arbitrary SQL commands via the ctl00$ContentPlaceHolder1$txtCustSQL parameter.

8.8
2023-10-17 CVE-2023-45375 01Generator SQL Injection vulnerability in 01Generator Pireospay 1.7.9

In the module "PireosPay" (pireospay) before version 1.7.10 from 01generator.com for PrestaShop, a guest can perform SQL injection via `PireosPayValidationModuleFrontController::postProcess().`

8.8
2023-10-17 CVE-2023-34207 Easyuse Unrestricted Upload of File with Dangerous Type vulnerability in Easyuse Mailhunter Ultimate 2020/2023

Unrestricted upload of file with dangerous type vulnerability in create template function in EasyUse MailHunter Ultimate 2023 and earlier allows remote authenticated users to perform arbitrary system commands with ‘NT Authority\SYSTEM‘ privilege via a crafted ZIP archive.

8.8
2023-10-17 CVE-2022-22375 IBM Unrestricted Upload of File with Dangerous Type vulnerability in IBM Security Verify Privilege On-Premises

IBM Security Verify Privilege On-Premises 11.5 could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request.

8.8
2023-10-16 CVE-2023-45128 Gofiber Reliance on Untrusted Inputs in a Security Decision vulnerability in Gofiber Fiber

Fiber is an express inspired web framework written in Go.

8.8
2023-10-16 CVE-2023-45141 Gofiber Reliance on Cookies without Validation and Integrity Checking vulnerability in Gofiber Fiber

Fiber is an express inspired web framework written in Go.

8.8
2023-10-16 CVE-2023-43118 Extremenetworks Cross-Site Request Forgery (CSRF) vulnerability in Extremenetworks Exos 31.7.1/32.0

Cross Site Request Forgery (CSRF) vulnerability in Chalet application in Extreme Networks Switch Engine (EXOS) before 32.5.1.5, fixed in 31.7.2 and 32.5.1.5 allows attackers to run arbitrary code and cause other unspecified impacts via /jsonrpc API.

8.8
2023-10-16 CVE-2023-4643 Shortpixel Unspecified vulnerability in Shortpixel Enable Media Replace

The Enable Media Replace WordPress plugin before 4.1.3 unserializes user input via the Remove Background feature, which could allow Author+ users to perform PHP Object Injection when a suitable gadget is present on the blog

8.8
2023-10-16 CVE-2023-4776 Igexsolutions SQL Injection vulnerability in Igexsolutions Wpschoolpress

The School Management System WordPress plugin before 2.2.5 uses the WordPress esc_sql() function on a field not delimited by quotes and did not first prepare the query, leading to a SQL injection exploitable by relatively low-privilege users like Teachers.

8.8
2023-10-16 CVE-2023-43120 Extremenetworks Unspecified vulnerability in Extremenetworks Exos 31.0/32.0

An issue discovered in Extreme Networks Switch Engine (EXOS) before 32.5.1.5, before 22.7 and before 31.7.1 allows attackers to gain escalated privileges via crafted HTTP request.

8.8
2023-10-16 CVE-2023-45151 Nextcloud Cleartext Storage of Sensitive Information vulnerability in Nextcloud Server

Nextcloud server is an open source home cloud platform.

8.8
2023-10-16 CVE-2023-45687 Southrivertech Session Fixation vulnerability in Southrivertech Titan MFT Server and Titan Sftp Server

A session fixation vulnerability in South River Technologies' Titan MFT and Titan SFTP servers on Linux and Windows allows an attacker to bypass the server's authentication if they can trick an administrator into authorizating a session id of their choosing

8.8
2023-10-16 CVE-2023-46087 Mahlamusa Cross-Site Request Forgery (CSRF) vulnerability in Mahlamusa WHO HIT the Page HIT Counter

Cross-Site Request Forgery (CSRF) vulnerability in Mahlamusa Who Hit The Page – Hit Counter plugin <= 1.4.14.3 versions.

8.8
2023-10-16 CVE-2023-45748 Mailmunch Cross-Site Request Forgery (CSRF) vulnerability in Mailmunch Mailchimp Forms

Cross-Site Request Forgery (CSRF) vulnerability in MailMunch MailChimp Forms by MailMunch plugin <= 3.1.4 versions.

8.8
2023-10-16 CVE-2023-45749 Profosbox Cross-Site Request Forgery (CSRF) vulnerability in Profosbox AGP Font Awesome Collection 3.2.4

Cross-Site Request Forgery (CSRF) vulnerability in Alexey Golubnichenko AGP Font Awesome Collection plugin <= 3.2.4 versions.

8.8
2023-10-16 CVE-2023-45752 10Quality Cross-Site Request Forgery (CSRF) vulnerability in 10Quality Post Gallery 2.3.12

Cross-Site Request Forgery (CSRF) vulnerability in 10 Quality Post Gallery plugin <= 2.3.12 versions.

8.8
2023-10-16 CVE-2023-45753 Gillesdumas Cross-Site Request Forgery (CSRF) vulnerability in Gillesdumas Which Template File

Cross-Site Request Forgery (CSRF) vulnerability in Gilles Dumas which template file plugin <= 4.6.0 versions.

8.8
2023-10-16 CVE-2023-45763 Taggbox Cross-Site Request Forgery (CSRF) vulnerability in Taggbox

Cross-Site Request Forgery (CSRF) vulnerability in Taggbox plugin <= 2.9 versions.

8.8
2023-10-16 CVE-2023-45831 Pixelative Cross-Site Request Forgery (CSRF) vulnerability in Pixelative Google AMP

Cross-Site Request Forgery (CSRF) vulnerability in Pixelative, Mohsin Rafique AMP WP – Google AMP For WordPress plugin <= 1.5.15 versions.

8.8
2023-10-16 CVE-2023-45836 Xydac Cross-Site Request Forgery (CSRF) vulnerability in Xydac Ultimate Taxonomy Manager

Cross-Site Request Forgery (CSRF) vulnerability in XYDAC Ultimate Taxonomy Manager plugin <= 2.0 versions.

8.8
2023-10-16 CVE-2023-45639 Phpdeveloper Cross-Site Request Forgery (CSRF) vulnerability in PHPdeveloper Sort Searchresult BY Title

Cross-Site Request Forgery (CSRF) vulnerability in Codex-m Sort SearchResult By Title plugin <= 10.0 versions.

8.8
2023-10-16 CVE-2023-45641 CA RET Cross-Site Request Forgery (CSRF) vulnerability in Ca-Ret Country Access Limit

Cross-Site Request Forgery (CSRF) vulnerability in Caret Inc.

8.8
2023-10-16 CVE-2023-45642 Coresol Cross-Site Request Forgery (CSRF) vulnerability in Coresol Snap Pixel

Cross-Site Request Forgery (CSRF) vulnerability in Hassan Ali Snap Pixel plugin <= 1.5.7 versions.

8.8
2023-10-16 CVE-2023-45643 Anuragdeshmukh Cross-Site Request Forgery (CSRF) vulnerability in Anuragdeshmukh CPT Shortcode Generator 1.0

Cross-Site Request Forgery (CSRF) vulnerability in Anurag Deshmukh CPT Shortcode Generator plugin <= 1.0 versions.

8.8
2023-10-16 CVE-2023-45645 Info D 74 Cross-Site Request Forgery (CSRF) vulnerability in Info-D-74 Open Street MAP

Cross-Site Request Forgery (CSRF) vulnerability in InfoD74 WP Open Street Map plugin <= 1.25 versions.

8.8
2023-10-16 CVE-2023-45647 Mailmunch Cross-Site Request Forgery (CSRF) vulnerability in Mailmunch Constant Contact Forms

Cross-Site Request Forgery (CSRF) vulnerability in MailMunch Constant Contact Forms by MailMunch plugin <= 2.0.10 versions.

8.8
2023-10-16 CVE-2023-45273 Mattmckenny Cross-Site Request Forgery (CSRF) vulnerability in Mattmckenny Stout Google Calendar

Cross-Site Request Forgery (CSRF) vulnerability in Matt McKenny Stout Google Calendar plugin <= 1.2.3 versions.

8.8
2023-10-16 CVE-2023-45274 Sendpulse Cross-Site Request Forgery (CSRF) vulnerability in Sendpulse Free web Push

Cross-Site Request Forgery (CSRF) vulnerability in SendPulse SendPulse Free Web Push plugin <= 1.3.1 versions.

8.8
2023-10-16 CVE-2023-45605 Feed Statistics Project Cross-Site Request Forgery (CSRF) vulnerability in Feed Statistics Project Feed Statistics

Cross-Site Request Forgery (CSRF) vulnerability in Christopher Finke Feed Statistics plugin <= 4.1 versions.

8.8
2023-10-16 CVE-2023-45606 Getlasso Cross-Site Request Forgery (CSRF) vulnerability in Getlasso Simple Urls

Cross-Site Request Forgery (CSRF) vulnerability in Lasso Simple URLs plugin <= 120 versions.

8.8
2023-10-16 CVE-2023-45629 Wpdevart Cross-Site Request Forgery (CSRF) vulnerability in Wpdevart Gallery - Image and Video Gallery With Thumbnails

Cross-Site Request Forgery (CSRF) vulnerability in wpdevart Gallery – Image and Video Gallery with Thumbnails plugin <= 2.0.3 versions.

8.8
2023-10-16 CVE-2023-45638 Eupago Cross-Site Request Forgery (CSRF) vulnerability in Eupago Gateway Woocommerce

Cross-Site Request Forgery (CSRF) vulnerability in euPago Eupago Gateway For Woocommerce plugin <= 3.1.9 versions.

8.8
2023-10-16 CVE-2023-45650 FLA Shop Cross-Site Request Forgery (CSRF) vulnerability in Fla-Shop Html5 Maps

Cross-Site Request Forgery (CSRF) vulnerability in Fla-shop.Com HTML5 Maps plugin <= 1.7.1.4 versions.

8.8
2023-10-16 CVE-2023-45651 Marcomilesi Cross-Site Request Forgery (CSRF) vulnerability in Marcomilesi WP Attachments

Cross-Site Request Forgery (CSRF) vulnerability in Marco Milesi WP Attachments plugin <= 5.0.6 versions.

8.8
2023-10-16 CVE-2023-45653 Galaxyweblinks Cross-Site Request Forgery (CSRF) vulnerability in Galaxyweblinks Video Playlist for Youtube

Cross-Site Request Forgery (CSRF) vulnerability in Galaxy Weblinks Video Playlist For YouTube plugin <= 6.0 versions.

8.8
2023-10-16 CVE-2023-45654 Pixelgrade Cross-Site Request Forgery (CSRF) vulnerability in Pixelgrade Comments Rating

Cross-Site Request Forgery (CSRF) vulnerability in Pixelgrade Comments Ratings plugin <= 1.1.7 versions.

8.8
2023-10-16 CVE-2023-45655 Pixelgrade Cross-Site Request Forgery (CSRF) vulnerability in Pixelgrade Pixfields 0.7.0

Cross-Site Request Forgery (CSRF) vulnerability in PixelGrade PixFields plugin <= 0.7.0 versions.

8.8
2023-10-16 CVE-2023-45656 Kevinweber Cross-Site Request Forgery (CSRF) vulnerability in Kevinweber Lazy Load for Videos

Cross-Site Request Forgery (CSRF) vulnerability in Kevin Weber Lazy Load for Videos plugin <= 2.18.2 versions.

8.8
2023-10-16 CVE-2023-4827 Ninjateam Unspecified vulnerability in Ninjateam Filester

The File Manager Pro WordPress plugin before 1.8 does not properly check the CSRF nonce in the `fs_connector` AJAX action.

8.8
2023-10-19 CVE-2023-43345 Opensolution Cross-site Scripting vulnerability in Opensolution Quick CMS 6.7

Cross-site scripting (XSS) vulnerability in opensolution Quick CMS v.6.7 allows a local attacker to execute arbitrary code via a crafted script to the Content - Name parameter in the Pages Menu component.

8.6
2023-10-17 CVE-2023-22102 Oracle
Netapp
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J).
8.3
2023-10-19 CVE-2022-26942 Motorola Release of Invalid Pointer or Reference vulnerability in Motorola Mtm5400 Firmware and Mtm5500 Firmware

The Motorola MTM5000 series firmwares lack pointer validation on arguments passed to trusted execution environment (TEE) modules.

8.2
2023-10-19 CVE-2022-27813 Motorola Unspecified vulnerability in Motorola Mtm5400 Firmware and Mtm5500 Firmware

Motorola MTM5000 series firmwares lack properly configured memory protection of pages shared between the OMAP-L138 ARM and DSP cores.

8.2
2023-10-19 CVE-2023-34441 Bakerhughes Cleartext Transmission of Sensitive Information vulnerability in Bakerhughes Bentley Nevada 3500 System Firmware 5.0.5

Baker Hughes – Bently Nevada 3500 System TDI Firmware version 5.05 contains a cleartext transmission vulnerability which could allow an attacker to steal the authentication secret from communication traffic to the device and reuse it for arbitrary requests.

8.2
2023-10-17 CVE-2023-22098 Oracle Unspecified vulnerability in Oracle VM Virtualbox

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core).

8.2
2023-10-17 CVE-2023-22099 Oracle Unspecified vulnerability in Oracle VM Virtualbox

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core).

8.2
2023-10-21 CVE-2023-45662 Nothings Out-of-bounds Read vulnerability in Nothings STB Image.H 2.28

stb_image is a single file MIT licensed library for processing images.

8.1
2023-10-20 CVE-2020-36714 Brizy Incorrect Authorization vulnerability in Brizy Brizy-Page Builder

The Brizy plugin for WordPress is vulnerable to authorization bypass due to a incorrect capability check on the is_administrator() function in versions up to, and including, 1.0.125.

8.1
2023-10-20 CVE-2023-4386 Wpdeveloper Deserialization of Untrusted Data vulnerability in Wpdeveloper Essential Blocks

The Essential Blocks plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 4.2.0 via deserialization of untrusted input in the get_posts function.

8.1
2023-10-19 CVE-2023-27791 Ixpdata Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Ixpdata Easyinstall 6.6.148840

An issue found in IXP Data Easy Install 6.6.148840 allows a remote attacker to escalate privileges via insecure PRNG.

8.1
2023-10-19 CVE-2022-24401 Midnightblue Authorization Bypass Through User-Controlled Key vulnerability in Midnightblue Tetra:Burst

Adversary-induced keystream re-use on TETRA air-interface encrypted traffic using any TEA keystream generator.

8.1
2023-10-19 CVE-2023-5212 Quantumcloud Unspecified vulnerability in Quantumcloud AI Chatbot

The AI ChatBot plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 4.8.9 as well as version 4.9.2.

8.1
2023-10-19 CVE-2023-5241 Quantumcloud Unspecified vulnerability in Quantumcloud AI Chatbot

The AI ChatBot for WordPress is vulnerable to Directory Traversal in versions up to, and including, 4.8.9 as well as 4.9.2 via the qcld_openai_upload_pagetraining_file function.

8.1
2023-10-17 CVE-2023-22101 Oracle Unspecified vulnerability in Oracle Weblogic Server 12.2.1.4.0/14.1.1.0.0

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core).

8.1
2023-10-16 CVE-2023-21415 Axis Path Traversal vulnerability in Axis products

Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API overlay_del.cgi is vulnerable to path traversal attacks that allows for file deletion.

8.1
2023-10-17 CVE-2023-22094 Oracle Unspecified vulnerability in Oracle Mysql Installer 1.0.11.0/1.0.17.0/1.0.18.0

Vulnerability in the MySQL Installer product of Oracle MySQL (component: Installer: General).

7.9
2023-10-17 CVE-2023-22100 Oracle Unspecified vulnerability in Oracle VM Virtualbox

Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core).

7.9
2023-10-21 CVE-2023-45675 Nothings Out-of-bounds Write vulnerability in Nothings STB Vorbis.C 1.22

stb_vorbis is a single file MIT licensed library for processing ogg vorbis files.

7.8
2023-10-21 CVE-2023-45676 Nothings Out-of-bounds Write vulnerability in Nothings STB Vorbis.C 1.22

stb_vorbis is a single file MIT licensed library for processing ogg vorbis files.

7.8
2023-10-21 CVE-2023-45677 Nothings Out-of-bounds Write vulnerability in Nothings STB Vorbis.C 1.22

stb_vorbis is a single file MIT licensed library for processing ogg vorbis files.

7.8
2023-10-21 CVE-2023-45678 Nothings Out-of-bounds Write vulnerability in Nothings STB Vorbis.C 1.22

stb_vorbis is a single file MIT licensed library for processing ogg vorbis files.

7.8
2023-10-21 CVE-2023-45679 Nothings Double Free vulnerability in Nothings STB Vorbis.C 1.22

stb_vorbis is a single file MIT licensed library for processing ogg vorbis files.

7.8
2023-10-21 CVE-2023-45681 Nothings Integer Overflow or Wraparound vulnerability in Nothings STB Vorbis.C 1.22

stb_vorbis is a single file MIT licensed library for processing ogg vorbis files.

7.8
2023-10-20 CVE-2023-45805 Frostming Unspecified vulnerability in Frostming PDM

pdm is a Python package and dependency manager supporting the latest PEP standards.

7.8
2023-10-20 CVE-2023-3487 Silabs Integer Overflow or Wraparound vulnerability in Silabs Gecko Bootloader

An integer overflow in Silicon Labs Gecko Bootloader version 4.3.1 and earlier allows unbounded memory access when reading from or writing to storage slots.

7.8
2023-10-20 CVE-2023-34045 Vmware Unspecified vulnerability in VMWare Fusion 13.0.0/13.0.1/13.0.2

VMware Fusion(13.x prior to 13.5) contains a local privilege escalation vulnerability that occurs during installation for the first time (the user needs to drag or copy the application to a folder from the '.dmg' volume) or when installing an upgrade. A malicious actor with local non-administrative user privileges may exploit this vulnerability to escalate privileges to root on the system where Fusion is installed or being installed for the first time.

7.8
2023-10-20 CVE-2023-5523 M Files Inclusion of Functionality from Untrusted Control Sphere vulnerability in M-Files web Companion 23.8

Execution of downloaded content flaw in M-Files Web Companion before release version 23.10 and LTS Service Release Versions before 23.8 LTS SR1 allows Remote Code Execution 

7.8
2023-10-20 CVE-2023-40361 Secudos Incorrect Permission Assignment for Critical Resource vulnerability in Secudos Qiata 4.13

SECUDOS Qiata (DOMOS OS) 4.13 has Insecure Permissions for the previewRm.sh daily cronjob.

7.8
2023-10-20 CVE-2023-34052 Vmware Deserialization of Untrusted Data vulnerability in VMWare Aria Operations for Logs

VMware Aria Operations for Logs contains a deserialization vulnerability. A malicious actor with non-administrative access to the local system can trigger the deserialization of data which could result in authentication bypass.

7.8
2023-10-20 CVE-2023-46277 Edneville Unspecified vulnerability in Edneville Please

please (aka pleaser) through 0.5.4 allows privilege escalation through the TIOCSTI and/or TIOCLINUX ioctl.

7.8
2023-10-19 CVE-2023-41898 Home Assistant Code Injection vulnerability in Home-Assistant Home Assistant Companion

Home assistant is an open source home automation.

7.8
2023-10-19 CVE-2023-27792 Ixpdata Missing Authorization vulnerability in Ixpdata Easyinstall 6.6.148840

An issue found in IXP Data Easy Install v.6.6.14884.0 allows an attacker to escalate privileges via lack of permissions applied to sub directories.

7.8
2023-10-19 CVE-2023-27793 Ixpdata Unspecified vulnerability in Ixpdata Easyinstall 6.6.14884.0

An issue discovered in IXP Data Easy Install v.6.6.14884.0 allows local attackers to gain escalated privileges via weak encoding of sensitive information.

7.8
2023-10-19 CVE-2023-27795 Ixpdata Unspecified vulnerability in Ixpdata Easyinstall 6.6.148840

An issue found in IXP Data Easy Install v.6.6.14884.0 allows a local attacker to gain privileges via a static XOR key.

7.8
2023-10-19 CVE-2023-30132 Ixpdata Inadequate Encryption Strength vulnerability in Ixpdata Easyinstall 6.6.14907.0

An issue discovered in IXP Data EasyInstall 6.6.14907.0 allows attackers to gain escalated privileges via static Cryptographic Key.

7.8
2023-10-19 CVE-2023-34366 Justsystems Use After Free vulnerability in Justsystems products

A use-after-free vulnerability exists in the Figure stream parsing functionality of Ichitaro 2023 1.0.1.59372.

7.8
2023-10-19 CVE-2023-35986 Santesoft Out-of-bounds Write vulnerability in Santesoft Dicom Viewer PRO

Sante DICOM Viewer Pro lacks proper validation of user-supplied data when parsing DICOM files.

7.8
2023-10-19 CVE-2023-38127 Justsystems Integer Overflow or Wraparound vulnerability in Justsystems products

An integer overflow exists in the "HyperLinkFrame" stream parser of Ichitaro 2023 1.0.1.59372.

7.8
2023-10-19 CVE-2023-38128 Justsystems Out-of-bounds Write vulnerability in Justsystems products

An out-of-bounds write vulnerability exists in the "HyperLinkFrame" stream parser of Ichitaro 2023 1.0.1.59372.

7.8
2023-10-19 CVE-2023-39431 Santesoft Out-of-bounds Write vulnerability in Santesoft Dicom Viewer PRO

Sante DICOM Viewer Pro lacks proper validation of user-supplied data when parsing DICOM files.

7.8
2023-10-19 CVE-2023-5059 Santesoft Out-of-bounds Read vulnerability in Santesoft FFT Imaging

Santesoft Sante FFT Imaging lacks proper validation of user-supplied data when parsing DICOM files.

7.8
2023-10-19 CVE-2023-35126 Justsystems Out-of-bounds Write vulnerability in Justsystems products

An out-of-bounds write vulnerability exists within the parsers for both the "DocumentViewStyles" and "DocumentEditStyles" streams of Ichitaro 2023 1.0.1.59372 when processing types 0x0000-0x0009 of a style record with the type 0x2008.

7.8
2023-10-19 CVE-2023-35181 Solarwinds Incorrect Default Permissions vulnerability in Solarwinds Access Rights Manager

The SolarWinds Access Rights Manager was susceptible to Privilege Escalation Vulnerability.

7.8
2023-10-19 CVE-2023-35183 Solarwinds Incorrect Default Permissions vulnerability in Solarwinds Access Rights Manager

The SolarWinds Access Rights Manager was susceptible to Privilege Escalation Vulnerability.

7.8
2023-10-19 CVE-2023-43251 Xnview Improper Handling of Exceptional Conditions vulnerability in Xnview Nconvert 7.136

XNSoft Nconvert 7.136 has an Exception Handler Chain Corrupted via a crafted image file.

7.8
2023-10-19 CVE-2023-43252 Xnview Out-of-bounds Write vulnerability in Xnview Nconvert 7.136

XNSoft Nconvert 7.136 is vulnerable to Buffer Overflow via a crafted image file.

7.8
2023-10-19 CVE-2023-45883 Enghouse Unspecified vulnerability in Enghouse Qumu 2.0.0

A privilege escalation vulnerability exists within the Qumu Multicast Extension v2 before 2.0.63 for Windows.

7.8
2023-10-19 CVE-2023-46228 Zchunk Integer Overflow or Wraparound vulnerability in Zchunk

zchunk before 1.3.2 has multiple integer overflows via malformed zchunk files to lib/comp/comp.c, lib/comp/zstd/zstd.c, lib/dl/multipart.c, or lib/header.c.

7.8
2023-10-18 CVE-2023-43800 Arduino Insufficient Verification of Data Authenticity vulnerability in Arduino Create Agent

Arduino Create Agent is a package to help manage Arduino development.

7.8
2023-10-18 CVE-2023-43802 Arduino Path Traversal vulnerability in Arduino Create Agent

Arduino Create Agent is a package to help manage Arduino development.

7.8
2023-10-18 CVE-2023-26300 HP Unspecified vulnerability in HP products

A potential security vulnerability has been identified in the system BIOS for certain HP PC products which might allow escalation of privilege.

7.8
2023-10-18 CVE-2023-43250 Xnview Classic Buffer Overflow vulnerability in Xnview Nconvert 7.136

XNSoft Nconvert 7.136 is vulnerable to Buffer Overflow.

7.8
2023-10-18 CVE-2023-46009 Lcdf Incorrect Comparison vulnerability in Lcdf Gifsicle 1.94

gifsicle-1.94 was found to have a floating point exception (FPE) vulnerability via resize_stream at src/xform.c.

7.8
2023-10-17 CVE-2023-42506 Jtekt Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Jtekt Onsinview2 1.1.0/2.0.1

Improper restriction of operations within the bounds of a memory buffer issue exists in OnSinView2 versions 2.0.1 and earlier.

7.8
2023-10-17 CVE-2023-42507 Jtekt Out-of-bounds Write vulnerability in Jtekt Onsinview2 1.1.0/2.0.1

Stack-based buffer overflow vulnerability exists in OnSinView2 versions 2.0.1 and earlier.

7.8
2023-10-17 CVE-2023-45811 Relative Unspecified vulnerability in Relative Synchrony 2.0.1/2.4.3

Synchrony deobfuscator is a javascript cleaner & deobfuscator.

7.8
2023-10-17 CVE-2023-37537 Hcltech Unquoted Search Path or Element vulnerability in Hcltech Appscan Presence

An unquoted service path vulnerability in HCL AppScan Presence, deployed as a Windows service in HCL AppScan on Cloud (ASoC), may allow a local attacker to gain elevated privileges.

7.8
2023-10-17 CVE-2023-20598 AMD Unspecified vulnerability in AMD Radeon Software

An improper privilege management in the AMD Radeon™ Graphics driver may allow an authenticated attacker to craft an IOCTL request to gain I/O control over arbitrary hardware ports or physical addresses resulting in a potential arbitrary code execution.

7.8
2023-10-17 CVE-2023-44824 Oretnom23 Unrestricted Upload of File with Dangerous Type vulnerability in Oretnom23 Expense Management System 1.0

An issue in Expense Management System v.1.0 allows a local attacker to execute arbitrary code via a crafted file uploaded to the sign-up.php component.

7.8
2023-10-17 CVE-2023-39902 NXP Improper Preservation of Permissions vulnerability in NXP Uboot Secondary Program Loader

A software vulnerability has been identified in the U-Boot Secondary Program Loader (SPL) before 2023.07 on select NXP i.MX 8M family processors.

7.8
2023-10-16 CVE-2023-45898 Linux Use After Free vulnerability in Linux Kernel

The Linux kernel before 6.5.4 has an es1 use-after-free in fs/ext4/extents_status.c, related to ext4_es_insert_extent.

7.8
2023-10-16 CVE-2023-38280 IBM Improper Privilege Management vulnerability in IBM Hardware Management Console 10.1.1010.0/10.2.1030.0

IBM HMC (Hardware Management Console) 10.1.1010.0 and 10.2.1030.0 could allow a local user to escalate their privileges to root access on a restricted shell.

7.8
2023-10-16 CVE-2023-40377 IBM Unspecified vulnerability in IBM I 7.2/7.3/7.4

Backup, Recovery, and Media Services (BRMS) for IBM i 7.2, 7.3, and 7.4 contains a local privilege escalation vulnerability.

7.8
2023-10-22 CVE-2023-46317 NIC Unspecified vulnerability in NIC Knot Resolver

Knot Resolver before 5.7.0 performs many TCP reconnections upon receiving certain nonsensical responses from servers.

7.5
2023-10-22 CVE-2023-46315 Zanllp Unspecified vulnerability in Zanllp Stable Diffusion Webui Infinite Image Browsing

The zanllp sd-webui-infinite-image-browsing (aka Infinite Image Browsing) extension before 977815a for stable-diffusion-webui (aka Stable Diffusion web UI), if Gradio authentication is enabled without secret key configuration, allows remote attackers to read any local file via /file?path= in the URL, as demonstrated by reading /proc/self/environ to discover credentials.

7.5
2023-10-22 CVE-2023-46303 Calibre Ebook Server-Side Request Forgery (SSRF) vulnerability in Calibre-Ebook Calibre

link_to_local_path in ebooks/conversion/plugins/html_input.py in calibre before 6.19.0 can, by default, add resources outside of the document root.

7.5
2023-10-22 CVE-2023-46298 Vercel Unspecified vulnerability in Vercel Next.Js

Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that CDN.

7.5
2023-10-22 CVE-2023-38276 IBM Cleartext Transmission of Sensitive Information vulnerability in IBM Cognos Dashboards on Cloud PAK for Data 4.7.0

IBM Cognos Dashboards on Cloud Pak for Data 4.7.0 exposes sensitive information in environment variables which could aid in further attacks against the system.

7.5
2023-10-22 CVE-2023-38275 IBM Cleartext Transmission of Sensitive Information vulnerability in IBM Cognos Dashboards on Cloud PAK for Data 4.7.0

IBM Cognos Dashboards on Cloud Pak for Data 4.7.0 exposes sensitive information in container images which could lead to further attacks against the system.

7.5
2023-10-21 CVE-2023-5132 Soisy Missing Authorization vulnerability in Soisy Pagamento Rateale

The Soisy Pagamento Rateale plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the parseRemoteRequest function in versions up to, and including, 6.0.1.

7.5
2023-10-21 CVE-2023-45667 Nothings NULL Pointer Dereference vulnerability in Nothings STB Image.H 2.28

stb_image is a single file MIT licensed library for processing images. If `stbi__load_gif_main` in `stbi_load_gif_from_memory` fails it returns a null pointer and may keep the `z` variable uninitialized.

7.5
2023-10-20 CVE-2023-32786 Langchain Injection vulnerability in Langchain

In Langchain through 0.0.155, prompt injection allows an attacker to force the service to retrieve data from an arbitrary URL, essentially providing SSRF and potentially injecting content into downstream tasks.

7.5
2023-10-20 CVE-2023-4668 AD Inserter Project Missing Authorization vulnerability in AD Inserter Project AD Inserter

The Ad Inserter for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 2.7.30 via the ai-debug-processing-fe URL parameter.

7.5
2023-10-19 CVE-2023-44690 Dbcli Inadequate Encryption Strength vulnerability in Dbcli Mycli 1.27.0

Inadequate encryption strength in mycli 1.27.0 allows attackers to view sensitive information via /mycli/config.py

7.5
2023-10-19 CVE-2023-45823 Artifacthub Path Traversal vulnerability in Artifacthub HUB

Artifact Hub is a web-based application that enables finding, installing, and publishing packages and configurations for CNCF projects.

7.5
2023-10-19 CVE-2023-45277 Spaceapplications Path Traversal vulnerability in Spaceapplications Yamcs 5.8.6

Yamcs 5.8.6 is vulnerable to directory traversal (issue 1 of 2).

7.5
2023-10-19 CVE-2022-24402 Midnightblue Improper Restriction of Excessive Authentication Attempts vulnerability in Midnightblue Tetra:Burst

The TETRA TEA1 keystream generator implements a key register initialization function that compresses the 80-bit key to only 32 bits for usage during the keystream generation phase, which is insufficient to safeguard against exhaustive search attacks.

7.5
2023-10-19 CVE-2022-24404 Midnightblue Improper Validation of Integrity Check Value vulnerability in Midnightblue Tetra:Burst

Lack of cryptographic integrity check on TETRA air-interface encrypted traffic.

7.5
2023-10-19 CVE-2023-46227 Apache Deserialization of Untrusted Data vulnerability in Apache Inlong

Deserialization of Untrusted Data Vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.4.0 through 1.8.0, the attacker can use \t to bypass. Users are advised to upgrade to Apache InLong's 1.9.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/8814

7.5
2023-10-19 CVE-2023-5204 Quantumcloud Unspecified vulnerability in Quantumcloud AI Chatbot

The ChatBot plugin for WordPress is vulnerable to SQL Injection via the $strid parameter in versions up to, and including, 4.8.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.

7.5
2023-10-19 CVE-2023-34437 Bakerhughes Information Exposure vulnerability in Bakerhughes Bentley Nevada 3500 System Firmware 5.0.5

Baker Hughes – Bently Nevada 3500 System TDI Firmware version 5.05 contains a vulnerability in their password retrieval functionality which could allow an attacker to access passwords stored on the device.

7.5
2023-10-18 CVE-2023-45812 Apollographql Improper Check for Unusual or Exceptional Conditions vulnerability in Apollographql Apollo Helms-Charts Router and Apollo Router

The Apollo Router is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation.

7.5
2023-10-18 CVE-2023-45813 Validators Project
Torbot Project
Torbot is an open source tor network intelligence tool.
7.5
2023-10-18 CVE-2023-35656 Google Out-of-bounds Read vulnerability in Google Android

In multiple functions of protocolembmsadapter.cpp, there is a possible out of bounds read due to a missing bounds check.

7.5
2023-10-18 CVE-2023-35663 Google Out-of-bounds Read vulnerability in Google Android

In Init of protocolnetadapter.cpp, there is a possible out of bounds read due to a missing bounds check.

7.5
2023-10-18 CVE-2023-30911 HPE Unspecified vulnerability in HPE products

HPE Integrated Lights-Out 5, and Integrated Lights-Out 6 using iLOrest may cause denial of service.

7.5
2023-10-18 CVE-2023-45912 Wipotec Information Exposure vulnerability in Wipotec Comscale 4.3.29.21344/4.4.12.723

WIPOTEC GmbH ComScale v4.3.29.21344 and v4.4.12.723 fails to validate user sessions, allowing unauthenticated attackers to read files from the underlying operating system and obtain directory listings.

7.5
2023-10-18 CVE-2023-45383 Common Services Path Traversal vulnerability in Common-Services Sonice Etiquetage 2.5.9

In the module "SoNice etiquetage" (sonice_etiquetage) up to version 2.5.9 from Common-Services for PrestaShop, a guest can download personal information without restriction by performing a path traversal attack.

7.5
2023-10-18 CVE-2023-45727 Northgrid XXE vulnerability in Northgrid Proself

Proself Enterprise/Standard Edition Ver5.62 and earlier, Proself Gateway Edition Ver1.65 and earlier, and Proself Mail Sanitize Edition Ver1.08 and earlier allow a remote unauthenticated attacker to conduct XML External Entity (XXE) attacks.

7.5
2023-10-18 CVE-2023-5632 Eclipse Excessive Iteration vulnerability in Eclipse Mosquitto

In Eclipse Mosquito before and including 2.0.5, establishing a connection to the mosquitto server without sending data causes the EPOLLOUT event to be added, which results excessive CPU consumption.

7.5
2023-10-18 CVE-2023-42319 Ethereum Unspecified vulnerability in Ethereum GO Ethereum

Geth (aka go-ethereum) through 1.13.4, when --http --graphql is used, allows remote attackers to cause a denial of service (memory consumption and daemon hang) via a crafted GraphQL query.

7.5
2023-10-18 CVE-2023-38552 Nodejs
Fedoraproject
Insufficient Verification of Data Authenticity vulnerability in multiple products

When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation and return a forged checksum to the node's policy implementation, thus effectively disabling the integrity check. Impacts: This vulnerability affects all users using the experimental policy mechanism in all active release lines: 18.x and, 20.x. Please note that at the time this CVE was issued, the policy mechanism is an experimental feature of Node.js.

7.5
2023-10-18 CVE-2023-39331 Nodejs Path Traversal vulnerability in Nodejs Node.Js

A previously disclosed vulnerability (CVE-2023-30584) was patched insufficiently in commit 205f1e6.

7.5
2023-10-18 CVE-2023-5552 Sophos Insufficiently Protected Credentials vulnerability in Sophos Firewall 19.0.1

A password disclosure vulnerability in the Secure PDF eXchange (SPX) feature allows attackers with full email access to decrypt PDFs in Sophos Firewall version 19.5 MR3 (19.5.3) and older, if the password type is set to “Specified by sender”.

7.5
2023-10-17 CVE-2023-36321 Covesa Classic Buffer Overflow vulnerability in Covesa Dlt-Daemon

Connected Vehicle Systems Alliance (COVESA) up to v2.18.8 was discovered to contain a buffer overflow via the component /shared/dlt_common.c.

7.5
2023-10-17 CVE-2023-41713 Sonicwall Use of Hard-coded Credentials vulnerability in Sonicwall Sonicos

SonicOS Use of Hard-coded Password vulnerability in the 'dynHandleBuyToolbar' demo function.

7.5
2023-10-17 CVE-2023-45810 Openfga Resource Exhaustion vulnerability in Openfga

OpenFGA is a flexible authorization/permission engine built for developers and inspired by Google Zanzibar.

7.5
2023-10-17 CVE-2023-22019 Oracle Unspecified vulnerability in Oracle Http Server 12.2.1.4.0

Vulnerability in the Oracle HTTP Server product of Oracle Fusion Middleware (component: Web Listener).

7.5
2023-10-17 CVE-2023-22086 Oracle Unspecified vulnerability in Oracle Weblogic Server 12.2.1.4.0/14.1.1.0.0

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core).

7.5
2023-10-17 CVE-2023-22108 Oracle Unspecified vulnerability in Oracle Weblogic Server 12.2.1.4.0/14.1.1.0.0

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core).

7.5
2023-10-17 CVE-2023-41629 Esst Unspecified vulnerability in Esst Monitoring

A lack of input sanitizing in the file download feature of eSST Monitoring v2.147.1 allows attackers to execute a path traversal.

7.5
2023-10-17 CVE-2023-39456 Apache
Fedoraproject
Improper Input Validation vulnerability in multiple products

Improper Input Validation vulnerability in Apache Traffic Server with malformed HTTP/2 frames.This issue affects Apache Traffic Server: from 9.0.0 through 9.2.2. Users are recommended to upgrade to version 9.2.3, which fixes the issue.

7.5
2023-10-17 CVE-2023-41752 Apache
Fedoraproject
Information Exposure vulnerability in multiple products

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Traffic Server.This issue affects Apache Traffic Server: from 8.0.0 through 8.1.8, from 9.0.0 through 9.2.2. Users are recommended to upgrade to version 8.1.9 or 9.2.3, which fixes the issue.

7.5
2023-10-17 CVE-2022-22385 IBM Cleartext Transmission of Sensitive Information vulnerability in IBM Security Verify Privilege On-Premises

IBM Security Verify Privilege On-Premises 11.5 could disclose sensitive information to an attacked due to the transmission of data in clear text.

7.5
2023-10-17 CVE-2012-10016 Halulu Unspecified vulnerability in Halulu Simple-Download-Button-Shortcode 1.0

A vulnerability classified as problematic has been found in Halulu simple-download-button-shortcode Plugin 1.0 on WordPress.

7.5
2023-10-17 CVE-2023-40372 IBM Unspecified vulnerability in IBM DB2

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 is vulnerable to denial of service with a specially crafted SQL statement using External Tables.

7.5
2023-10-17 CVE-2023-40373 IBM Unspecified vulnerability in IBM DB2

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) is vulnerable to denial of service with a specially crafted query containing common table expressions.

7.5
2023-10-17 CVE-2023-4215 Advantech Unspecified vulnerability in Advantech Webaccess 9.1.3

Advantech WebAccess version 9.1.3 contains an exposure of sensitive information to an unauthorized actor vulnerability that could leak user credentials.

7.5
2023-10-16 CVE-2023-30991 IBM Unspecified vulnerability in IBM DB2

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.1 and 11.5 is vulnerable to denial of service with a specially crafted query.

7.5
2023-10-16 CVE-2023-40374 IBM Unspecified vulnerability in IBM DB2

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 is vulnerable to denial of service with a specially crafted query statement.

7.5
2023-10-16 CVE-2023-38728 IBM Unspecified vulnerability in IBM DB2

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.5, 11.1, and 11.5 is vulnerable to denial of service with a specially crafted XML query statement.

7.5
2023-10-16 CVE-2023-38740 IBM Unspecified vulnerability in IBM DB2

IBM Db2 for Linux, UNIX, and Windows (includes Db2 Connect Server) 11.5 is vulnerable to a denial of service with a specially crafted SQL statement.

7.5
2023-10-16 CVE-2023-44388 Discourse Resource Exhaustion vulnerability in Discourse

Discourse is an open source platform for community discussion.

7.5
2023-10-16 CVE-2023-45131 Discourse Unspecified vulnerability in Discourse 2.6.3/2.6.4/3.2.0

Discourse is an open source platform for community discussion.

7.5
2023-10-16 CVE-2023-30987 IBM Unspecified vulnerability in IBM DB2

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.5, 11.1, and 11.5 is vulnerable to denial of service with a specially crafted query on certain databases.

7.5
2023-10-16 CVE-2023-38720 IBM Unspecified vulnerability in IBM DB2

IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 and 11.5 is vulnerable to denial of service with a specially crafted ALTER TABLE statement.

7.5
2023-10-16 CVE-2023-42459 Eprosima Free of Memory not on the Heap vulnerability in Eprosima Fast DDS

Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group).

7.5
2023-10-16 CVE-2023-3154 Imagely Unspecified vulnerability in Imagely Nextgen Gallery

The WordPress Gallery Plugin WordPress plugin before 3.39 is vulnerable to PHAR Deserialization due to a lack of input parameter validation in the `gallery_edit` function, allowing an attacker to access arbitrary resources on the server.

7.5
2023-10-16 CVE-2023-43121 Extremenetworks Path Traversal vulnerability in Extremenetworks Exos 31.7.1/32.0

A Directory Traversal vulnerability discovered in Chalet application in Extreme Networks Switch Engine (EXOS) before 32.5.1.5, before 22.7, and before 31.7.2 allows attackers to read arbitrary files.

7.5
2023-10-16 CVE-2023-5003 Miniorange Unspecified vulnerability in Miniorange Active Directory Integration / Ldap Integration 3.5.8/3.7.3

The Active Directory Integration / LDAP Integration WordPress plugin before 4.1.10 stores sensitive LDAP logs in a buffer file when an administrator wants to export said logs.

7.5
2023-10-16 CVE-2023-5133 Solwininfotech Unspecified vulnerability in Solwininfotech User Activity LOG

This user-activity-log-pro WordPress plugin before 2.3.4 retrieves client IP addresses from potentially untrusted headers, allowing an attacker to manipulate its value.

7.5
2023-10-16 CVE-2023-40180 Silverstripe Resource Exhaustion vulnerability in Silverstripe Graphql

silverstripe-graphql is a package which serves Silverstripe data in GraphQL representations.

7.5
2023-10-16 CVE-2023-45985 Totolink Out-of-bounds Write vulnerability in Totolink A7000R Firmware and X5000R Firmware

TOTOLINK X5000R V9.1.0u.6118_B20201102 and TOTOLINK A7000R V9.1.0u.6115_B20201022 were discovered to contain a stack overflow in the function setParentalRules.

7.5
2023-10-16 CVE-2023-4457 Grafana Information Exposure Through an Error Message vulnerability in Grafana Google Sheets

Grafana is an open-source platform for monitoring and observability. The Google Sheets data source plugin for Grafana, versions 0.9.0 to 1.2.2 are vulnerable to an information disclosure vulnerability. The plugin did not properly sanitize error messages, making it potentially expose the Google Sheet API-key that is configured for the data source. This vulnerability was fixed in version 1.2.2.

7.5
2023-10-16 CVE-2023-43667 Apache SQL Injection vulnerability in Apache Inlong

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.8.0, the attacker can create misleading or false records, making it harder to audit and trace malicious activities. Users are advised to upgrade to Apache InLong's 1.8.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/8628

7.5
2023-10-20 CVE-2023-5524 M Files Unrestricted Upload of File with Dangerous Type vulnerability in M-Files web Companion 23.8

Insufficient blacklisting in M-Files Web Companion before release version 23.10 and LTS Service Release Versions before 23.8 LTS SR1 allows Remote Code Execution via specific file types

7.3
2023-10-20 CVE-2023-5681 Netentsec SQL Injection vulnerability in Netentsec Application Security Gateway 6.3

A vulnerability, which was classified as critical, was found in Netentsec NS-ASG Application Security Gateway 6.3.

7.2
2023-10-20 CVE-2023-5414 Icegram Path Traversal vulnerability in Icegram Express

The Icegram Express plugin for WordPress is vulnerable to Directory Traversal in versions up to, and including, 5.6.23 via the show_es_logs function.

7.2
2023-10-19 CVE-2023-41899 Home Assistant Server-Side Request Forgery (SSRF) vulnerability in Home-Assistant

Home assistant is an open source home automation.

7.2
2023-10-18 CVE-2023-46004 Mayurik Unrestricted Upload of File with Dangerous Type vulnerability in Mayurik Best Courier Management System 1.0

Sourcecodester Best Courier Management System 1.0 is vulnerable to Arbitrary file upload in the update_user function.

7.2
2023-10-17 CVE-2023-4399 Grafana Unspecified vulnerability in Grafana

Grafana is an open-source platform for monitoring and observability.

7.2
2023-10-16 CVE-2023-3155 Imagely Files or Directories Accessible to External Parties vulnerability in Imagely Nextgen Gallery

The WordPress Gallery Plugin WordPress plugin before 3.39 is vulnerable to Arbitrary File Read and Delete due to a lack of input parameter validation in the `gallery_edit` function, allowing an attacker to access arbitrary resources on the server.

7.2
2023-10-16 CVE-2023-4691 Booking WP Plugin Unspecified vulnerability in Booking-Wp-Plugin Bookly

The WordPress Online Booking and Scheduling Plugin WordPress plugin before 22.4 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin

7.2
2023-10-16 CVE-2023-4861 Ninjateam Unspecified vulnerability in Ninjateam Filester

The File Manager Pro WordPress plugin before 1.8.1 allows admin users to upload arbitrary files, even in environments where such a user should not be able to gain full control of the server, such as a multisite installation.

7.2
2023-10-16 CVE-2023-4971 Weavertheme Deserialization of Untrusted Data vulnerability in Weavertheme Weaver Xtreme Theme Support

The Weaver Xtreme Theme Support WordPress plugin before 6.3.1 unserialises the content of an imported file, which could lead to PHP object injections issues when a high privilege user import a malicious file and a suitable gadget chain is present on the blog.

7.2
2023-10-16 CVE-2023-45686 Southrivertech Path Traversal vulnerability in Southrivertech Titan MFP Server

Insufficient path validation when writing a file via WebDAV in South River Technologies' Titan MFT and Titan SFTP servers on Linux allows an authenticated attacker to write a file to any location on the filesystem via path traversal

7.2
2023-10-16 CVE-2023-3392 Edmonsoft Unspecified vulnerability in Edmonsoft Read More & Accordion

The Read More & Accordion WordPress plugin before 3.2.7 unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable gadget is present.

7.2
2023-10-16 CVE-2023-4822 Grafana Unspecified vulnerability in Grafana

Grafana is an open-source platform for monitoring and observability.

7.2
2023-10-16 CVE-2023-21413 Axis Command Injection vulnerability in Axis OS

GoSecure on behalf of Genetec Inc.

7.2
2023-10-16 CVE-2023-35018 IBM Unrestricted Upload of File with Dangerous Type vulnerability in IBM Security Verify Governance 10.0/10.0.1

IBM Security Verify Governance 10.0 could allow a privileged use to upload arbitrary files due to improper file validation.

7.2
2023-10-21 CVE-2023-45661 Nothings Out-of-bounds Read vulnerability in Nothings STB Image.H 2.28

stb_image is a single file MIT licensed library for processing images.

7.1
2023-10-21 CVE-2023-45682 Nothings Out-of-bounds Read vulnerability in Nothings STB Vorbis.C 1.22

stb_vorbis is a single file MIT licensed library for processing ogg vorbis files.

7.1
2023-10-18 CVE-2023-43801 Arduino Path Traversal vulnerability in Arduino Create Agent

Arduino Create Agent is a package to help manage Arduino development.

7.1
2023-10-18 CVE-2023-43803 Arduino Path Traversal vulnerability in Arduino Create Agent

Arduino Create Agent is a package to help manage Arduino development.

7.1
2023-10-17 CVE-2021-29913 IBM Improper Input Validation vulnerability in IBM Security Verify Privilege On-Premises

IBM Security Verify Privilege On-Premise 11.5 could allow an authenticated user to obtain sensitive information or perform unauthorized actions due to improper input validation.

7.1
2023-10-20 CVE-2023-34046 Vmware Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in VMWare Fusion 13.0.0/13.0.1/13.0.2

VMware Fusion(13.x prior to 13.5) contains a TOCTOU (Time-of-check Time-of-use) vulnerability that occurs during installation for the first time (the user needs to drag or copy the application to a folder from the '.dmg' volume) or when installing an upgrade. A malicious actor with local non-administrative user privileges may exploit this vulnerability to escalate privileges to root on the system where Fusion is installed or being installed for the first time.

7.0

333 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2023-10-19 CVE-2023-46033 Dlink Unspecified vulnerability in Dlink Dsl-2730U Firmware and Dsl-2750U Firmware

D-Link (Non-US) DSL-2750U N300 ADSL2+ and (Non-US) DSL-2730U N150 ADSL2+ are vulnerable to Incorrect Access Control.

6.8
2023-10-19 CVE-2023-35185 Solarwinds Path Traversal vulnerability in Solarwinds Access Rights Manager

The SolarWinds Access Rights Manager was susceptible to a Directory Traversal Remote Code Vulnerability using SYSTEM privileges.

6.8
2023-10-16 CVE-2023-21414 Axis Unspecified vulnerability in Axis OS

NCC Group has found a flaw during the annual internal penetration test ordered by Axis Communications.

6.8
2023-10-22 CVE-2023-46306 Netmodule OS Command Injection vulnerability in Netmodule Router Software

The web administration interface in NetModule Router Software (NRSW) 4.6 before 4.6.0.106 and 4.8 before 4.8.0.101 executes an OS command constructed with unsanitized user input: shell metacharacters in the /admin/gnssAutoAlign.php device_id parameter.

6.6
2023-10-17 CVE-2023-43776 Eaton Inadequate Encryption Strength vulnerability in Eaton products

Eaton easyE4 PLC offers a device password protection functionality to facilitate a secure connection and prevent unauthorized access.

6.6
2023-10-22 CVE-2021-46897 Wagtailcrx Path Traversal vulnerability in Wagtailcrx Codered Extensions

views.py in Wagtail CRX CodeRed Extensions (formerly CodeRed CMS or coderedcms) before 0.22.3 allows upward protected/..%2f..%2f path traversal when serving protected media.

6.5
2023-10-22 CVE-2023-38735 IBM Improper Authentication vulnerability in IBM Cognos Dashboards on Cloud PAK for Data 4.7.0

IBM Cognos Dashboards on Cloud Pak for Data 4.7.0 could allow a remote attacker to bypass security restrictions, caused by a reverse tabnabbing flaw.

6.5
2023-10-20 CVE-2023-44256 Fortinet Server-Side Request Forgery (SSRF) vulnerability in Fortinet Fortianalyzer and Fortimanager

A server-side request forgery vulnerability [CWE-918] in Fortinet FortiAnalyzer version 7.4.0, version 7.2.0 through 7.2.3 and before 7.0.8 and FortiManager version 7.4.0, version 7.2.0 through 7.2.3 and before 7.0.8 allows a remote attacker with low privileges to view sensitive data from internal servers or perform a local port scan via a crafted HTTP request.

6.5
2023-10-20 CVE-2023-44483 Apache Information Exposure Through Log Files vulnerability in Apache Santuario XML Security for Java

All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are recommended to upgrade to version 2.2.6, 2.3.4, or 3.0.3, which fixes this issue.

6.5
2023-10-20 CVE-2023-5070 Ultimatelysocial Information Exposure vulnerability in Ultimatelysocial Social Media Share Buttons & Social Sharing Icons

The Social Media Share Buttons & Social Sharing Icons plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 2.8.5 via the sfsi_save_export function.

6.5
2023-10-20 CVE-2023-4274 Wpvivid Path Traversal vulnerability in Wpvivid Migration, Backup, Staging

The Migration, Backup, Staging – WPvivid plugin for WordPress is vulnerable to Directory Traversal in versions up to, and including, 0.9.89.

6.5
2023-10-20 CVE-2023-4598 WP Slimstat SQL Injection vulnerability in Wp-Slimstat Slimstat Analytics

The Slimstat Analytics plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 5.0.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.

6.5
2023-10-19 CVE-2023-41088 Dexma Cleartext Transmission of Sensitive Information vulnerability in Dexma Dexgate 20130114

The affected product is vulnerable to a cleartext transmission of sensitive information vulnerability, which may allow an attacker with access to the network, where clients have access to the DexGate server, could capture traffic.

6.5
2023-10-19 CVE-2023-45820 Monospace Improper Handling of Exceptional Conditions vulnerability in Monospace Directus

Directus is a real-time API and App dashboard for managing SQL database content.

6.5
2023-10-19 CVE-2023-45826 Leantime SQL Injection vulnerability in Leantime

Leantime is an open source project management system.

6.5
2023-10-19 CVE-2023-5654 Facebook Unspecified vulnerability in Facebook React-Devtools

The React Developer Tools extension registers a message listener with window.addEventListener('message', <listener>) in a content script that is accessible to any webpage that is active in the browser.

6.5
2023-10-19 CVE-2023-31046 Papercut Path Traversal vulnerability in Papercut MF

A Path Traversal vulnerability exists in PaperCut NG before 22.1.1 and PaperCut MF before 22.1.1.

6.5
2023-10-19 CVE-2023-25753 Apache Server-Side Request Forgery (SSRF) vulnerability in Apache Shenyu 2.5.1

There exists an SSRF (Server-Side Request Forgery) vulnerability located at the /sandbox/proxyGateway endpoint.

6.5
2023-10-19 CVE-2023-5336 Ipanorama 360 Wordpress Virtual Tour Builder Project SQL Injection vulnerability in Ipanorama 360 Wordpress Virtual Tour Builder Project Ipanorama 360 Wordpress Virtual Tour Builder

The iPanorama 360 – WordPress Virtual Tour Builder plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 1.8.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.

6.5
2023-10-19 CVE-2023-37504 Hcltech Insufficient Session Expiration vulnerability in Hcltech HCL Compass

HCL Compass is vulnerable to failure to invalidate sessions.

6.5
2023-10-19 CVE-2023-36857 Bakerhughes Authentication Bypass by Capture-replay vulnerability in Bakerhughes Bentley Nevada 3500 System Firmware 5.0.5

Baker Hughes – Bently Nevada 3500 System TDI Firmware version 5.05 contains a replay vulnerability which could allow an attacker to replay older captured packets of traffic to the device to gain access.

6.5
2023-10-18 CVE-2023-20261 Cisco Unspecified vulnerability in Cisco Catalyst Sd-Wan Manager

A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager could allow an authenticated, remote attacker to retrieve arbitrary files from an affected system. This vulnerability is due to improper validation of parameters that are sent to the web UI.

6.5
2023-10-18 CVE-2023-35083 Ivanti Unspecified vulnerability in Ivanti Endpoint Manager

Allows an authenticated attacker with network access to read arbitrary files on Endpoint Manager recently discovered on 2022 SU3 and all previous versions potentially leading to the leakage of sensitive information.

6.5
2023-10-17 CVE-2023-39276 Sonicwall Out-of-bounds Write vulnerability in Sonicwall Sonicos

SonicOS post-authentication stack-based buffer overflow vulnerability in the getBookmarkList.json URL endpoint leads to a firewall crash.

6.5
2023-10-17 CVE-2023-39277 Sonicwall Out-of-bounds Write vulnerability in Sonicwall Sonicos

SonicOS post-authentication stack-based buffer overflow vulnerability in the sonicflow.csv and appflowsessions.csv URL endpoints leads to a firewall crash.

6.5
2023-10-17 CVE-2023-39278 Sonicwall Out-of-bounds Write vulnerability in Sonicwall Sonicos

SonicOS post-authentication user assertion failure leads to Stack-Based Buffer Overflow vulnerability via main.cgi leads to a firewall crash.

6.5
2023-10-17 CVE-2023-39279 Sonicwall Out-of-bounds Write vulnerability in Sonicwall Sonicos

SonicOS post-authentication Stack-Based Buffer Overflow vulnerability in the getPacketReplayData.json URL endpoint leads to a firewall crash.

6.5
2023-10-17 CVE-2023-39280 Sonicwall Out-of-bounds Write vulnerability in Sonicwall Sonicos

SonicOS p ost-authentication Stack-Based Buffer Overflow vulnerability in the ssoStats-s.xml, ssoStats-s.wri URL endpoints leads to a firewall crash.

6.5
2023-10-17 CVE-2023-41711 Sonicwall Out-of-bounds Write vulnerability in Sonicwall Sonicos

SonicOS post-authentication Stack-Based Buffer Overflow Vulnerability in the sonicwall.exp, prefs.exp URL endpoints lead to a firewall crash.

6.5
2023-10-17 CVE-2023-41712 Sonicwall Out-of-bounds Write vulnerability in Sonicwall Sonicos

SonicOS post-authentication Stack-Based Buffer Overflow Vulnerability in the SSL VPN plainprefs.exp URL endpoint leads to a firewall crash.

6.5
2023-10-17 CVE-2023-22059 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).
6.5
2023-10-17 CVE-2023-22079 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).
6.5
2023-10-17 CVE-2023-22090 Oracle Unspecified vulnerability in Oracle Peoplesoft Enterprise Cost Center Common Application Objects 9.2

Vulnerability in the PeopleSoft Enterprise CC Common Application Objects product of Oracle PeopleSoft (component: Events & Notifications).

6.5
2023-10-17 CVE-2023-22093 Oracle Unspecified vulnerability in Oracle E-Business Suite

Vulnerability in the Oracle iRecruitment product of Oracle E-Business Suite (component: Requisition and Vacancy).

6.5
2023-10-17 CVE-2023-22095 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).
6.5
2023-10-17 CVE-2023-22106 Oracle Unspecified vulnerability in Oracle Enterprise Command Center Framework 10.0/8.0/9.0

Vulnerability in the Oracle Enterprise Command Center Framework product of Oracle E-Business Suite (component: API).

6.5
2023-10-17 CVE-2023-22118 Oracle Unspecified vulnerability in Oracle Flexcube Universal Banking

Vulnerability in the Oracle FLEXCUBE Universal Banking product of Oracle Financial Services Applications (component: Infrastructure).

6.5
2023-10-17 CVE-2023-4896 Arubanetworks Unspecified vulnerability in Arubanetworks Airwave

A vulnerability exists which allows an authenticated attacker to access sensitive information on the AirWave Management Platform web-based management interface.

6.5
2023-10-17 CVE-2023-43777 Eaton Insufficiently Protected Credentials vulnerability in Eaton Easysoft

Eaton easySoft software is used to program easy controllers and displays for configuring, programming and defining parameters for all the intelligent relays.

6.5
2023-10-17 CVE-2023-45357 Archerirm Exposure of Resource to Wrong Sphere vulnerability in Archerirm Archer

Archer Platform 6.x before 6.13 P2 HF2 (6.13.0.2.2) contains a sensitive information disclosure vulnerability.

6.5
2023-10-17 CVE-2023-34208 Easyuse Path Traversal vulnerability in Easyuse Mailhunter Ultimate 2020/2023

Path Traversal in create template function in EasyUse MailHunter Ultimate 2023 and earlier allow remote authenticated users to extract files into arbitrary directories via a crafted ZIP archive.

6.5
2023-10-16 CVE-2023-45540 Jorani Injection vulnerability in Jorani Leave Management System 1.0.3

An issue in Jorani Leave Management System 1.0.3 allows a remote attacker to execute arbitrary HTML code via a crafted script to the comment field of the List of Leave requests page.

6.5
2023-10-16 CVE-2023-29484 Terminalfour Incorrect Authorization vulnerability in Terminalfour

In Terminalfour before 8.3.16, misconfigured LDAP users are able to login with an invalid password.

6.5
2023-10-16 CVE-2023-4800 Wpdo Unspecified vulnerability in Wpdo Dologin Security

The DoLogin Security WordPress plugin before 3.7.1 does not restrict the access of a widget that shows the IPs of failed logins to low privileged users.

6.5
2023-10-16 CVE-2023-45689 Southrivertech Path Traversal vulnerability in Southrivertech Titan MFT Server and Titan Sftp Server

Lack of sufficient path validation in South River Technologies' Titan MFT and Titan SFTP servers on Windows and Linux allows an authenticated attacker with administrative privileges to read any file on the filesystem via path traversal

6.5
2023-10-16 CVE-2023-5575 Devolutions Unspecified vulnerability in Devolutions Server

Improper access control in the permission inheritance in Devolutions Server 2022.3.13.0 and earlier allows an attacker that compromised a low privileged user to access entries via a specific combination of permissions in the entry and in its parent.

6.5
2023-10-16 CVE-2023-43666 Apache Insufficient Verification of Data Authenticity vulnerability in Apache Inlong

Insufficient Verification of Data Authenticity vulnerability in Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.8.0,  General user can view all user data like Admin account. Users are advised to upgrade to Apache InLong's 1.9.0 or cherry-pick [1] to solve it. [1]  https://github.com/apache/inlong/pull/8623

6.5
2023-10-16 CVE-2023-5591 Librenms SQL Injection vulnerability in Librenms

SQL Injection in GitHub repository librenms/librenms prior to 23.10.0.

6.5
2023-10-20 CVE-2021-4335 Radykal Unspecified vulnerability in Radykal Fancy Product Designer

The Fancy Product Designer plugin for WordPress is vulnerable to unauthorized access to data and modification of plugin settings due to a missing capability check on multiple AJAX functions in versions up to, and including, 4.6.9.

6.3
2023-10-19 CVE-2023-45821 Artifacthub Unspecified vulnerability in Artifacthub HUB

Artifact Hub is a web-based application that enables finding, installing, and publishing packages and configurations for CNCF projects.

6.3
2023-10-17 CVE-2023-22127 Oracle Unspecified vulnerability in Oracle Outside in Technology 8.5.6

Vulnerability in the Oracle Outside In Technology product of Oracle Fusion Middleware (component: Content Access SDK, Image Export SDK, PDF Export SDK, HTML Export SDK).

6.3
2023-10-16 CVE-2023-40791 Linux
Netapp
extract_user_to_sg in lib/scatterlist.c in the Linux kernel before 6.4.12 fails to unpin pages in a certain situation, as demonstrated by a WARNING for try_grab_page.
6.3
2023-10-22 CVE-2023-5694 Martmbithi Cross-site Scripting vulnerability in Martmbithi Internet Banking System 1.0

A vulnerability was found in CodeAstro Internet Banking System 1.0.

6.1
2023-10-22 CVE-2023-5695 Martmbithi Cross-site Scripting vulnerability in Martmbithi Internet Banking System 1.0

A vulnerability was found in CodeAstro Internet Banking System 1.0.

6.1
2023-10-22 CVE-2023-5696 Martmbithi Cross-site Scripting vulnerability in Martmbithi Internet Banking System 1.0

A vulnerability was found in CodeAstro Internet Banking System 1.0.

6.1
2023-10-22 CVE-2021-46898 Vonautomatisch Open Redirect vulnerability in Vonautomatisch Django Grappelli

views/switch.py in django-grappelli (aka Django Grappelli) before 2.15.2 attempts to prevent external redirection with startswith("/") but this does not consider a protocol-relative URL (e.g., //example.com) attack.

6.1
2023-10-21 CVE-2023-4635 Myeventon Cross-site Scripting vulnerability in Myeventon Eventon-Lite

The EventON plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in versions up to, and including, 2.2.2 due to insufficient input sanitization and output escaping.

6.1
2023-10-21 CVE-2023-38192 Superwebmailer Cross-site Scripting vulnerability in Superwebmailer 9.00.0.01710

An issue was discovered in SuperWebMailer 9.00.0.01710.

6.1
2023-10-21 CVE-2023-38194 Superwebmailer Cross-site Scripting vulnerability in Superwebmailer 9.00.0.01710

An issue was discovered in SuperWebMailer 9.00.0.01710.

6.1
2023-10-20 CVE-2023-38191 Superwebmailer Cross-site Scripting vulnerability in Superwebmailer 9.00.0.01710

An issue was discovered in SuperWebMailer 9.00.0.01710.

6.1
2023-10-20 CVE-2023-3933 Wiloke Unspecified vulnerability in Wiloke Your Journey 1.9.8

The Your Journey theme for WordPress is vulnerable to Reflected Cross-Site Scripting via prototype pollution in versions up to, and including, 1.9.8 due to insufficient input sanitization and output escaping.

6.1
2023-10-20 CVE-2023-3962 Myshopkit Unspecified vulnerability in Myshopkit Winters 1.4.3

The Winters theme for WordPress is vulnerable to Reflected Cross-Site Scripting via prototype pollution in versions up to, and including, 1.4.3 due to insufficient input sanitization and output escaping.

6.1
2023-10-20 CVE-2023-3965 Saleswizard Unspecified vulnerability in Saleswizard NSC 1.0

The nsc theme for WordPress is vulnerable to Reflected Cross-Site Scripting via prototype pollution in versions up to, and including, 1.0 due to insufficient input sanitization and output escaping.

6.1
2023-10-20 CVE-2023-46287 Nagvis Cross-site Scripting vulnerability in Nagvis

XSS exists in NagVis before 1.9.38 via the select function in share/server/core/functions/html.php.

6.1
2023-10-20 CVE-2022-4712 Cerber Cross-site Scripting vulnerability in Cerber WP Cerber Security, Anti-Spam & Malware Scan

The WP Cerber Security plugin for WordPress is vulnerable to stored cross-site scripting via the log parameter when logging in to the site in versions up to, and including, 9.1.

6.1
2023-10-19 CVE-2023-43341 EVO Cross-site Scripting vulnerability in EVO Evolution CMS 3.2.3

Cross-site scripting (XSS) vulnerability in evolution evo v.3.2.3 allows a local attacker to execute arbitrary code via a crafted payload injected uid parameter.

6.1
2023-10-19 CVE-2023-43875 Intelliants Cross-site Scripting vulnerability in Intelliants Subrion CMS 4.2.1

Multiple Cross-Site Scripting (XSS) vulnerabilities in installation of Subrion CMS v.4.2.1 allows a local attacker to execute arbitrary web scripts via a crafted payload injected into the dbhost, dbname, dbuser, adminusername and adminemail.

6.1
2023-10-19 CVE-2023-45818 Tiny Cross-site Scripting vulnerability in Tiny Tinymce

TinyMCE is an open source rich text editor.

6.1
2023-10-19 CVE-2023-45819 Tiny Cross-site Scripting vulnerability in Tiny Tinymce

TinyMCE is an open source rich text editor.

6.1
2023-10-19 CVE-2023-40153 Dexma Cross-site Scripting vulnerability in Dexma Dexgate 20130114

The affected product is vulnerable to a cross-site scripting vulnerability, which could allow an attacker to access the web application to introduce arbitrary Java Script by injecting an XSS payload into the 'hostname' parameter of the vulnerable software.

6.1
2023-10-19 CVE-2023-45281 Spaceapplications Cross-site Scripting vulnerability in Spaceapplications Yamcs 5.8.6

An issue in Yamcs 5.8.6 allows attackers to obtain the session cookie via upload of crafted HTML file.

6.1
2023-10-18 CVE-2023-45909 Zzzcms Open Redirect vulnerability in Zzzcms Zzzphp 2.2.0

zzzcms v2.2.0 was discovered to contain an open redirect vulnerability.

6.1
2023-10-18 CVE-2023-45958 Thirtybees Cross-site Scripting vulnerability in Thirtybees Thirty Bees 1.4.0

Thirty Bees Core v1.4.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the backup_pagination parameter at /controller/AdminController.php.

6.1
2023-10-18 CVE-2023-30781 Themeblvd Cross-site Scripting vulnerability in Themeblvd Tweeple

Unauth.

6.1
2023-10-18 CVE-2023-45602 Shopfiles Cross-site Scripting vulnerability in Shopfiles Ebook Store

Unauth.

6.1
2023-10-18 CVE-2023-45630 Wpdevart Cross-site Scripting vulnerability in Wpdevart Gallery

Unauth.

6.1
2023-10-18 CVE-2023-45632 WEB Dorado Cross-site Scripting vulnerability in Web-Dorado Spidervplayer 1.5.22

Unauth.

6.1
2023-10-18 CVE-2023-45065 Madfishdigital Cross-site Scripting vulnerability in Madfishdigital Bulk Noindex & Nofollow Toolkit

Unauth.

6.1
2023-10-18 CVE-2023-45070 10Web Cross-site Scripting vulnerability in 10Web Form Maker

Unauth.

6.1
2023-10-18 CVE-2023-45071 10Web Cross-site Scripting vulnerability in 10Web Form Maker

Unauth.

6.1
2023-10-18 CVE-2023-32087 Pega Cross-site Scripting vulnerability in Pega Platform

Pega Platform versions 8.1 to Infinity 23.1.0 are affected by an XSS issue with task creation

6.1
2023-10-18 CVE-2023-32088 Pega Cross-site Scripting vulnerability in Pega Platform

Pega Platform versions 8.1 to Infinity 23.1.0 are affected by an XSS issue with ad-hoc case creation

6.1
2023-10-18 CVE-2023-32089 Pega Cross-site Scripting vulnerability in Pega Platform

Pega Platform versions 8.1 to 8.8.2 are affected by an XSS issue with Pin description

6.1
2023-10-18 CVE-2023-45054 Awesometogi Cross-site Scripting vulnerability in Awesometogi Product-Category-Tree

Unauth.

6.1
2023-10-18 CVE-2023-45062 Virtuellwerk Cross-site Scripting vulnerability in Virtuellwerk Canvasio3D Light

Unauth.

6.1
2023-10-18 CVE-2023-45064 Extendwings Cross-site Scripting vulnerability in Extendwings Opcache Dashboard

Unauth.

6.1
2023-10-18 CVE-2023-25476 Ezoic Cross-site Scripting vulnerability in Ezoic Ampedsense

Unauth.

6.1
2023-10-18 CVE-2023-5538 Mrpeng Cross-site Scripting vulnerability in Mrpeng Mpoperationlogs 1.0.1

The MpOperationLogs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the IP Request Headers in versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping.

6.1
2023-10-17 CVE-2023-3042 Dotcms Cross-site Scripting vulnerability in Dotcms

In dotCMS, versions mentioned, a flaw in the NormalizationFilter does not strip double slashes (//) from URLs, potentially enabling bypasses for XSS and access controls.

6.1
2023-10-17 CVE-2023-22029 Oracle Unspecified vulnerability in Oracle Commerce Guided Search 11.3.2

Vulnerability in the Oracle Commerce Guided Search product of Oracle Commerce (component: Workbench).

6.1
2023-10-17 CVE-2023-22076 Oracle Unspecified vulnerability in Oracle E-Business Suite

Vulnerability in the Oracle Applications Framework product of Oracle E-Business Suite (component: Personalization).

6.1
2023-10-17 CVE-2023-22080 Oracle Unspecified vulnerability in Oracle Peoplesoft Enterprise Peopletools 8.59/8.60

Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: PIA Core Technology).

6.1
2023-10-17 CVE-2023-22107 Oracle Unspecified vulnerability in Oracle Enterprise Command Center Framework 10.0/8.0/9.0

Vulnerability in the Oracle Enterprise Command Center Framework product of Oracle E-Business Suite (component: UI Components).

6.1
2023-10-17 CVE-2023-45004 Wp3Sixty Cross-site Scripting vulnerability in Wp3Sixty WOO Custom Emails 2.2

Unauth.

6.1
2023-10-17 CVE-2023-45006 Byconsole Cross-site Scripting vulnerability in Byconsole Wooodt Lite

Unauth.

6.1
2023-10-17 CVE-2023-45007 Fotomoto Cross-site Scripting vulnerability in Fotomoto

Unauth.

6.1
2023-10-17 CVE-2023-45003 Arrowplugins Cross-site Scripting vulnerability in Arrowplugins Social Feed

Unauth.

6.1
2023-10-17 CVE-2023-44311 Liferay Cross-site Scripting vulnerability in Liferay Digital Experience Platform and Liferay Portal

Multiple reflected cross-site scripting (XSS) vulnerabilities in the Plugin for OAuth 2.0 module's OAuth2ProviderApplicationRedirect class in Liferay Portal 7.4.3.41 through 7.4.3.89, and Liferay DXP 7.4 update 41 through update 89 allow remote attackers to inject arbitrary web script or HTML via the (1) code, or (2) error parameter.

6.1
2023-10-17 CVE-2023-45005 Castos Cross-site Scripting vulnerability in Castos Seriously Simple Stats

Unauth.

6.1
2023-10-17 CVE-2023-42497 Liferay Cross-site Scripting vulnerability in Liferay Digital Experience Platform and Liferay Portal

Reflected cross-site scripting (XSS) vulnerability on the Export for Translation page in Liferay Portal 7.4.3.4 through 7.4.3.85, and Liferay DXP 7.4 before update 86 allows remote attackers to inject arbitrary web script or HTML via the `_com_liferay_translation_web_internal_portlet_TranslationPortlet_redirect` parameter.

6.1
2023-10-16 CVE-2023-43658 Discourse Cross-site Scripting vulnerability in Discourse Calendar 1.0.0/1.0.1

dicourse-calendar is a plugin for the Discourse messaging platform which adds the ability to create a dynamic calendar in the first post of a topic.

6.1
2023-10-16 CVE-2023-45542 Moosocial Cross-site Scripting vulnerability in Moosocial 3.1.8

Cross Site Scripting vulnerability in mooSocial 3.1.8 allows a remote attacker to obtain sensitive information via a crafted script to the q parameter in the Search function.

6.1
2023-10-16 CVE-2023-4290 Mpembed Unspecified vulnerability in Mpembed WP Matterport Shortcode

The WP Matterport Shortcode WordPress plugin before 2.1.7 does not escape the PHP_SELF server variable when outputting it in attributes, leading to Reflected Cross-Site Scripting issues which could be used against high privilege users such as admin

6.1
2023-10-16 CVE-2023-4687 Pagelayer Unspecified vulnerability in Pagelayer

The Page Builder: Pagelayer WordPress plugin before 1.7.7 doesn't prevent unauthenticated attackers from updating a post's header or footer code on scheduled posts.

6.1
2023-10-16 CVE-2023-4819 Tammersoft Unspecified vulnerability in Tammersoft Shared Files

The Shared Files WordPress plugin before 1.7.6 does not return the right Content-Type header for the specified uploaded file.

6.1
2023-10-16 CVE-2023-4950 Funnelforms Unspecified vulnerability in Funnelforms

The Interactive Contact Form and Multi Step Form Builder WordPress plugin before 3.4 does not sanitise and escape some parameters, which could allow unauthenticated users to perform Cross-Site Scripting attacks

6.1
2023-10-16 CVE-2023-45683 Saml Project Cross-site Scripting vulnerability in Saml Project Saml

github.com/crewjam/saml is a saml library for the go language.

6.1
2023-10-16 CVE-2023-45757 Apache Cross-site Scripting vulnerability in Apache Brpc

Security vulnerability in Apache bRPC <=1.6.0 on all platforms allows attackers to inject XSS code to the builtin rpcz page. An attacker that can send http request to bRPC server with rpcz enabled can inject arbitrary XSS code to the builtin rpcz page. Solution (choose one of three): 1.

6.1
2023-10-16 CVE-2023-4620 Wpbookingcalendar Unspecified vulnerability in Wpbookingcalendar Booking Calendar

The Booking Calendar WordPress plugin before 9.7.3.1 does not sanitize and escape some of its booking from data, allowing unauthenticated users to perform Stored Cross-Site Scripting attacks against administrators

6.1
2023-10-16 CVE-2022-48612 Classlink Cross-site Scripting vulnerability in Classlink Oneclick 10.7

A Universal Cross Site Scripting (UXSS) vulnerability in ClassLink OneClick Extension through 10.7 allows remote attackers to inject JavaScript into any webpage, because a regular expression (validating whether a URL is controlled by ClassLink) is not present in all applicable places.

6.1
2023-10-20 CVE-2023-34044 Vmware Out-of-bounds Read vulnerability in VMWare Fusion and Workstation

VMware Workstation( 17.x prior to 17.5) and Fusion(13.x prior to 13.5) contain an out-of-bounds read vulnerability that exists in the functionality for sharing host Bluetooth devices with the virtual machine. A malicious actor with local administrative privileges on a virtual machine may be able to read privileged information contained in hypervisor memory from a virtual machine.

6.0
2023-10-19 CVE-2022-24400 Midnightblue Authorization Bypass Through User-Controlled Key vulnerability in Midnightblue Tetra:Burst

A flaw in the TETRA authentication procecure allows a MITM adversary that can predict the MS challenge RAND2 to set session key DCK to zero.

5.9
2023-10-17 CVE-2023-22071 Oracle Unspecified vulnerability in Oracle Database Server

Vulnerability in the PL/SQL component of Oracle Database Server.

5.9
2023-10-17 CVE-2023-22119 Oracle Unspecified vulnerability in Oracle Flexcube Universal Banking

Vulnerability in the Oracle FLEXCUBE Universal Banking product of Oracle Financial Services Applications (component: Infrastructure).

5.9
2023-10-17 CVE-2023-22122 Oracle Unspecified vulnerability in Oracle Banking Trade Finance 14.5

Vulnerability in the Oracle Banking Trade Finance product of Oracle Financial Services Applications (component: Infrastructure).

5.9
2023-10-17 CVE-2023-22130 Oracle Unspecified vulnerability in Oracle SUN ZFS Storage Appliance KIT 8.8.60

Vulnerability in the Sun ZFS Storage Appliance product of Oracle Systems (component: Core).

5.9
2023-10-17 CVE-2022-3761 Openvpn Improper Certificate Validation vulnerability in Openvpn Connect

OpenVPN Connect versions before 3.4.0.4506 (macOS) and OpenVPN Connect before 3.4.0.3100 (Windows) allows man-in-the-middle attackers to intercept configuration profile download requests which contains the users credentials

5.9
2023-10-17 CVE-2022-22386 IBM Missing Encryption of Sensitive Data vulnerability in IBM Security Verify Privilege On-Premises

IBM Security Verify Privilege On-Premises 11.5 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security.

5.9
2023-10-21 CVE-2023-45663 Nothings Use of Uninitialized Resource vulnerability in Nothings STB Image.H 2.28

stb_image is a single file MIT licensed library for processing images.

5.5
2023-10-21 CVE-2023-45680 Nothings NULL Pointer Dereference vulnerability in Nothings STB Vorbis.C 1.22

stb_vorbis is a single file MIT licensed library for processing ogg vorbis files.

5.5
2023-10-20 CVE-2023-46115 Tauri Insufficiently Protected Credentials vulnerability in Tauri

Tauri is a framework for building binaries for all major desktop platforms.

5.5
2023-10-19 CVE-2023-45825 YDB Information Exposure Through Log Files vulnerability in YDB Ydb-Go-Sdk

ydb-go-sdk is a pure Go native and database/sql driver for the YDB platform.

5.5
2023-10-17 CVE-2023-22129 Oracle Unspecified vulnerability in Oracle Solaris 11

Vulnerability in the Oracle Solaris product of Oracle Systems (component: Kernel).

5.5
2023-10-17 CVE-2023-5339 Mattermost Information Exposure Through Log Files vulnerability in Mattermost Desktop

Mattermost Desktop fails to set an appropriate log level during initial run after fresh installation resulting in logging all keystrokes including password entry being logged. 

5.5
2023-10-16 CVE-2023-5421 Otrs Cross-site Scripting vulnerability in Otrs

An attacker who is logged into OTRS as an user with privileges to create and change customer user data may manipulate the CustomerID field to execute JavaScript code that runs immediatly after the data is saved.The issue onlyoccurs if the configuration for AdminCustomerUser::UseAutoComplete was changed before. This issue affects OTRS: from 7.0.X before 7.0.47, from 8.0.X before 8.0.37; ((OTRS)) Community Edition: from 6.0.X through 6.0.34.

5.5
2023-10-16 CVE-2023-5595 Gpac Unspecified vulnerability in Gpac

Denial of Service in GitHub repository gpac/gpac prior to 2.3.0-DEV.

5.5
2023-10-21 CVE-2023-5205 Anilankola Cross-site Scripting vulnerability in Anilankola ADD Custom Body Class 1.4.1

The Add Custom Body Class plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'add_custom_body_class' value in versions up to, and including, 1.4.1 due to insufficient input sanitization and output escaping.

5.4
2023-10-21 CVE-2023-46054 Wbce Cross-site Scripting vulnerability in Wbce CMS

Cross Site Scripting (XSS) vulnerability in WBCE CMS v.1.6.1 and before allows a remote attacker to escalate privileges via a crafted script to the website_footer parameter in the admin/settings/save.php component.

5.4
2023-10-21 CVE-2023-46003 I Doit Cross-site Scripting vulnerability in I-Doit

I-doit pro 25 and below is vulnerable to Cross Site Scripting (XSS) via index.php.

5.4
2023-10-20 CVE-2023-43346 Opensolution Cross-site Scripting vulnerability in Opensolution Quick CMS 6.7

Cross-site scripting (XSS) vulnerability in opensolution Quick CMS v.6.7 allows a local attacker to execute arbitrary code via a crafted script to the Backend - Dashboard parameter in the Languages Menu component.

5.4
2023-10-20 CVE-2023-43353 Cmsmadesimple Cross-site Scripting vulnerability in Cmsmadesimple CMS Made Simple 2.2.18

Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the extra parameter in the news menu component.

5.4
2023-10-20 CVE-2023-43354 Cmsmadesimple Cross-site Scripting vulnerability in Cmsmadesimple CMS Made Simple 2.2.18

Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Profiles parameter in the Extensions -MicroTiny WYSIWYG editor component.

5.4
2023-10-20 CVE-2023-43355 Cmsmadesimple Cross-site Scripting vulnerability in Cmsmadesimple CMS Made Simple 2.2.18

Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the password and password again parameters in the My Preferences - Add user component.

5.4
2023-10-20 CVE-2023-43356 Cmsmadesimple Cross-site Scripting vulnerability in Cmsmadesimple CMS Made Simple 2.2.18

Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Global Meatadata parameter in the Global Settings Menu component.

5.4
2023-10-20 CVE-2023-43357 Cmsmadesimple Cross-site Scripting vulnerability in Cmsmadesimple CMS Made Simple 2.2.18

Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Title parameter in the Manage Shortcuts component.

5.4
2023-10-20 CVE-2023-5688 Modoboa Cross-site Scripting vulnerability in Modoboa

Cross-site Scripting (XSS) - DOM in GitHub repository modoboa/modoboa prior to 2.2.2.

5.4
2023-10-20 CVE-2023-5689 Modoboa Cross-site Scripting vulnerability in Modoboa

Cross-site Scripting (XSS) - DOM in GitHub repository modoboa/modoboa prior to 2.2.2.

5.4
2023-10-20 CVE-2023-5618 Prismtechstudios Cross-site Scripting vulnerability in Prismtechstudios Modern Footnotes

The Modern Footnotes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode in versions up to, and including, 1.4.16 due to insufficient input sanitization and output escaping on user supplied attributes.

5.4
2023-10-20 CVE-2023-4961 Poptin Cross-site Scripting vulnerability in Poptin Popups

The Poptin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'poptin-form' shortcode in versions up to, and including, 1.3 due to insufficient input sanitization and output escaping on user supplied attributes.

5.4
2023-10-20 CVE-2023-5086 Maheshwaghmare Cross-site Scripting vulnerability in Maheshwaghmare Copy Anything to Clipboard

The Copy Anything to Clipboard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'copy' shortcode in versions up to, and including, 2.6.4 due to insufficient input sanitization and output escaping on user supplied attributes.

5.4
2023-10-20 CVE-2023-5109 Ironikus Cross-site Scripting vulnerability in Ironikus WP Mailto Links

The WP Mailto Links – Protect Email Addresses plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'wpml_mailto' shortcode in versions up to, and including, 3.1.3 due to insufficient input sanitization and output escaping on user supplied attributes.

5.4
2023-10-20 CVE-2023-5231 Pogidude Cross-site Scripting vulnerability in Pogidude Magic Action BOX 2.17.2

The Magic Action Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 2.17.2 due to insufficient input sanitization and output escaping on user supplied attributes.

5.4
2023-10-20 CVE-2023-5292 Acfextended Cross-site Scripting vulnerability in Acfextended Advanced Custom Fields Extended

The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'acfe_form' shortcode in versions up to, and including, 0.8.9.3 due to insufficient input sanitization and output escaping on user supplied attributes.

5.4
2023-10-20 CVE-2023-5337 Formforall Cross-site Scripting vulnerability in Formforall

The Contact form Form For All plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'formforall' shortcode in versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on user supplied attributes.

5.4
2023-10-20 CVE-2023-5534 Quantumcloud Cross-Site Request Forgery (CSRF) vulnerability in Quantumcloud AI Chatbot

The AI ChatBot plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.8.9 and 4.9.2.

5.4
2023-10-20 CVE-2023-5615 Ravanh Cross-site Scripting vulnerability in Ravanh Skype Legacy Buttons

The Skype Legacy Buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'skype-status' shortcode in all versions up to, and including, 3.1 due to insufficient input sanitization and output escaping on user supplied attributes.

5.4
2023-10-20 CVE-2023-2325 M Files Cross-site Scripting vulnerability in M-Files Classic web 23.2/23.6.12695.3/23.8

Stored XSS Vulnerability in M-Files Classic Web versions before 23.10 and LTS Service Release Versions before 23.2 LTS SR4 and 23.8 LTS SR1allows attacker to execute script on users browser via stored HTML document.

5.4
2023-10-20 CVE-2023-4482 Michaeluno Cross-site Scripting vulnerability in Michaeluno Auto Amazon Links

The Auto Amazon Links plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the style parameter in versions up to, and including, 5.3.1 due to insufficient input sanitization and output escaping.

5.4
2023-10-20 CVE-2023-4919 Iframe Project Cross-site Scripting vulnerability in Iframe Project Iframe

The iframe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `iframe` shortcode in versions up to, and including, 4.6 due to insufficient input sanitization and output escaping.

5.4
2023-10-20 CVE-2023-5050 Bozdoz Cross-site Scripting vulnerability in Bozdoz Leaflet MAP

The Leaflet Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 3.3.0 due to insufficient input sanitization and output escaping.

5.4
2023-10-20 CVE-2023-5071 Sitekit Project Cross-site Scripting vulnerability in Sitekit Project Sitekit

The Sitekit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'sitekit_iframe' shortcode in versions up to, and including, 1.4 due to insufficient input sanitization and output escaping.

5.4
2023-10-20 CVE-2023-5200 Flowpaper Cross-site Scripting vulnerability in Flowpaper

The flowpaper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'flipbook' shortcode in versions up to, and including, 2.0.3 due to insufficient input sanitization and output escaping on user supplied attributes.

5.4
2023-10-20 CVE-2023-5308 Secondlinethemes Cross-site Scripting vulnerability in Secondlinethemes Podcast Subscribe Buttons

The Podcast Subscribe Buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'podcast_subscribe' shortcode in versions up to, and including, 1.4.8 due to insufficient input sanitization and output escaping on user supplied attributes.

5.4
2023-10-20 CVE-2023-5613 Themepoints Cross-site Scripting vulnerability in Themepoints Super Testimonials

The Super Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'tpsscode' shortcode in all versions up to, and including, 2.9 due to insufficient input sanitization and output escaping on user supplied attributes.

5.4
2023-10-20 CVE-2023-5614 Plugin Planet Cross-site Scripting vulnerability in Plugin-Planet Theme Switcha

The Theme Switcha plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'theme_switcha_list' shortcode in all versions up to, and including, 3.3 due to insufficient input sanitization and output escaping on user supplied attributes.

5.4
2023-10-20 CVE-2023-5668 Firecask Cross-site Scripting vulnerability in Firecask Whatsapp Share Button 1.0.1

The WhatsApp Share Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'whatsapp' shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping on user supplied attributes.

5.4
2023-10-20 CVE-2023-45394 Small CRM Project Cross-site Scripting vulnerability in Small CRM Project Small CRM 3.0

Stored Cross-Site Scripting (XSS) vulnerability in the Company field in the "Request a Quote" Section of Small CRM v3.0 allows an attacker to store and execute malicious javascript code in the Admin panel which leads to Admin account takeover.

5.4
2023-10-20 CVE-2023-45471 QAD Cross-site Scripting vulnerability in QAD Search Server

The QAD Search Server is vulnerable to Stored Cross-Site Scripting (XSS) in versions up to, and including, 1.0.0.315 due to insufficient checks on indexes.

5.4
2023-10-20 CVE-2023-41893 Home Assistant Unspecified vulnerability in Home-Assistant

Home assistant is an open source home automation.

5.4
2023-10-19 CVE-2023-43342 Opensolution Cross-site Scripting vulnerability in Opensolution Quick CMS 6.7

Cross-site scripting (XSS) vulnerability in opensolution Quick CMS v.6.7 allows a local attacker to execute arbitrary code via a crafted script to the Languages Menu component.

5.4
2023-10-19 CVE-2023-43344 Opensolution Cross-site Scripting vulnerability in Opensolution Quick CMS 6.7

Cross-site scripting (XSS) vulnerability in opensolution Quick CMS v.6.7 allows a local attacker to execute arbitrary code via a crafted script to the SEO - Meta description parameter in the Pages Menu component.

5.4
2023-10-19 CVE-2023-43359 Cmsmadesimple Cross-site Scripting vulnerability in Cmsmadesimple CMS Made Simple 2.2.18

Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Page Specific Metadata and Smarty data parameters in the Content Manager Menu component.

5.4
2023-10-19 CVE-2023-45279 Spaceapplications Cross-site Scripting vulnerability in Spaceapplications Yamcs 5.8.6

Yamcs 5.8.6 allows XSS (issue 1 of 2).

5.4
2023-10-19 CVE-2023-45280 Spaceapplications Cross-site Scripting vulnerability in Spaceapplications Yamcs 5.8.6

Yamcs 5.8.6 allows XSS (issue 2 of 2).

5.4
2023-10-19 CVE-2023-45815 Archivebox Cross-site Scripting vulnerability in Archivebox

ArchiveBox is an open source self-hosted web archiving system.

5.4
2023-10-19 CVE-2023-5638 Booster Cross-site Scripting vulnerability in Booster for Woocommerce

The Booster for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'wcj_image' shortcode in versions up to, and including, 7.1.2 due to insufficient input sanitization and output escaping on user supplied attributes.

5.4
2023-10-19 CVE-2023-5639 Themepoints Cross-site Scripting vulnerability in Themepoints Team Showcase

The Team Showcase plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'tmfshortcode' shortcode in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping on user supplied attributes.

5.4
2023-10-18 CVE-2023-5631 Roundcube
Debian
Fedoraproject
Cross-site Scripting vulnerability in multiple products

Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior.

5.4
2023-10-18 CVE-2023-45607 Wordpress Popular Posts Project Cross-site Scripting vulnerability in Wordpress Popular Posts Project Wordpress Popular Posts

Auth.

5.4
2023-10-18 CVE-2023-45628 Qrokes Cross-site Scripting vulnerability in Qrokes QR Twitter Widget

Auth.

5.4
2023-10-18 CVE-2023-31217 User Location AND IP Project Cross-site Scripting vulnerability in User Location and IP Project User Location and IP

Auth.

5.4
2023-10-18 CVE-2023-45067 Freelancer Coder Cross-site Scripting vulnerability in Freelancer-Coder Wordpress Simple Html Sitemap 1.0/2.0/2.1

Auth.

5.4
2023-10-18 CVE-2023-45608 Nicolamodugno Cross-site Scripting vulnerability in Nicolamodugno Smart Cookie KIT

Auth.

5.4
2023-10-18 CVE-2023-45059 Gumroad Cross-site Scripting vulnerability in Gumroad

Auth.

5.4
2023-10-18 CVE-2023-45049 Getbutterfly Cross-site Scripting vulnerability in Getbutterfly Youtube Playlist Player

Auth.

5.4
2023-10-17 CVE-2023-22082 Oracle Unspecified vulnerability in Oracle Business Intelligence 6.4.0.0.0/7.0.0.0.0

Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics (component: Pod Admin).

5.4
2023-10-17 CVE-2023-22105 Oracle Unspecified vulnerability in Oracle BI Publisher 6.4.0.0.0/7.0.0.0.0

Vulnerability in the BI Publisher product of Oracle Analytics (component: Web Server).

5.4
2023-10-17 CVE-2023-22117 Oracle Unspecified vulnerability in Oracle Flexcube Universal Banking

Vulnerability in the Oracle FLEXCUBE Universal Banking product of Oracle Financial Services Applications (component: Infrastructure).

5.4
2023-10-17 CVE-2023-22121 Oracle Unspecified vulnerability in Oracle Banking Trade Finance 14.5

Vulnerability in the Oracle Banking Trade Finance product of Oracle Financial Services Applications (component: Infrastructure).

5.4
2023-10-17 CVE-2023-22123 Oracle Unspecified vulnerability in Oracle Banking Trade Finance 14.5

Vulnerability in the Oracle Banking Trade Finance product of Oracle Financial Services Applications (component: Infrastructure).

5.4
2023-10-17 CVE-2023-22124 Oracle Unspecified vulnerability in Oracle Banking Trade Finance 14.5

Vulnerability in the Oracle Banking Trade Finance product of Oracle Financial Services Applications (component: Infrastructure).

5.4
2023-10-17 CVE-2023-22125 Oracle Unspecified vulnerability in Oracle Banking Trade Finance 14.5

Vulnerability in the Oracle Banking Trade Finance product of Oracle Financial Services Applications (component: Infrastructure).

5.4
2023-10-17 CVE-2023-42627 Liferay Cross-site Scripting vulnerability in Liferay Digital Experience Platform and Liferay Portal

Multiple stored cross-site scripting (XSS) vulnerabilities in the Commerce module in Liferay Portal 7.3.5 through 7.4.3.91, and Liferay DXP 7.3 update 33 and earlier, and 7.4 before update 92 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a (1) Shipping Name, (2) Shipping Phone Number, (3) Shipping Address, (4) Shipping Address 2, (5) Shipping Address 3, (6) Shipping Zip, (7) Shipping City, (8) Shipping Region (9), Shipping Country, (10) Billing Name, (11) Billing Phone Number, (12) Billing Address, (13) Billing Address 2, (14) Billing Address 3, (15) Billing Zip, (16) Billing City, (17) Billing Region, (18) Billing Country, or (19) Region Code.

5.4
2023-10-17 CVE-2023-42628 Liferay Cross-site Scripting vulnerability in Liferay Digital Experience Platform 7.0/7.1/7.2

Stored cross-site scripting (XSS) vulnerability in the Wiki widget in Liferay Portal 7.1.0 through 7.4.3.87, and Liferay DXP 7.0 fix pack 83 through 102, 7.1 fix pack 28 and earlier, 7.2 fix pack 20 and earlier, 7.3 update 33 and earlier, and 7.4 before update 88 allows remote attackers to inject arbitrary web script or HTML into a parent wiki page via a crafted payload injected into a wiki page's ‘Content’ text field.

5.4
2023-10-17 CVE-2023-44310 Liferay Cross-site Scripting vulnerability in Liferay Digital Experience Platform and Liferay Portal

Stored cross-site scripting (XSS) vulnerability in Page Tree menu Liferay Portal 7.3.6 through 7.4.3.78, and Liferay DXP 7.3 fix pack 1 through update 23, and 7.4 before update 79 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into page's "Name" text field.

5.4
2023-10-17 CVE-2023-42629 Liferay Cross-site Scripting vulnerability in Liferay Digital Experience Platform and Liferay Portal

Stored cross-site scripting (XSS) vulnerability in the manage vocabulary page in Liferay Portal 7.4.2 through 7.4.3.87, and Liferay DXP 7.4 before update 88 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a Vocabulary's 'description' text field.

5.4
2023-10-17 CVE-2023-44309 Liferay Cross-site Scripting vulnerability in Liferay Digital Experience Platform and Liferay Portal

Multiple stored cross-site scripting (XSS) vulnerabilities in the fragment components in Liferay Portal 7.4.2 through 7.4.3.53, and Liferay DXP 7.4 before update 54 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into any non-HTML field of a linked source asset.

5.4
2023-10-17 CVE-2023-45358 Archerirm Cross-site Scripting vulnerability in Archerirm Archer

Archer Platform 6.x before 6.13 P2 HF2 (6.13.0.2.2) contains a stored cross-site scripting (XSS) vulnerability.

5.4
2023-10-16 CVE-2023-43659 Discourse Cross-site Scripting vulnerability in Discourse 2.6.3/2.6.4/3.2.0

Discourse is an open source platform for community discussion.

5.4
2023-10-16 CVE-2023-45807 Amazon Improper Preservation of Permissions vulnerability in Amazon Opensearch

OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana following the license change in early 2021.

5.4
2023-10-16 CVE-2023-40851 User Registration Login AND User Management System With Admin Panel Project Cross-site Scripting vulnerability in User Registration & Login and User Management System With Admin Panel Project User Registration & Login and User Management System With Admin Panel 3.0

Cross Site Scripting (XSS) vulnerability in Phpgurukul User Registration & Login and User Management System With admin panel 3.0 allows attackers to run arbitrary code via fname, lname, email, and contact fields of the user registration page.

5.4
2023-10-16 CVE-2023-3746 Automattic Unspecified vulnerability in Automattic Activitypub

The ActivityPub WordPress plugin before 1.0.0 does not sanitize and escape some data from post content, which could allow contributor and above role to perform Stored Cross-Site Scripting attacks

5.4
2023-10-16 CVE-2023-4289 Mpembed Unspecified vulnerability in Mpembed WP Matterport Shortcode

The WP Matterport Shortcode WordPress plugin before 2.1.8 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks

5.4
2023-10-16 CVE-2023-4646 Sayandatta Unspecified vulnerability in Sayandatta Simple Posts Ticker

The Simple Posts Ticker WordPress plugin before 1.1.6 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

5.4
2023-10-16 CVE-2023-4783 Hoosoft Unspecified vulnerability in Hoosoft Magee Shortcodes

The Magee Shortcodes WordPress plugin through 2.1.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

5.4
2023-10-16 CVE-2023-4795 Sazzadh Unspecified vulnerability in Sazzadh Testimonial Slider Shortcode

The Testimonial Slider Shortcode WordPress plugin before 1.1.9 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admin

5.4
2023-10-16 CVE-2023-4798 Wpexperts Unspecified vulnerability in Wpexperts User Avatar-Reloaded

The User Avatar WordPress plugin before 1.2.2 does not properly sanitize and escape certain of its shortcodes attributes, which could allow relatively low-privileged users like contributors to conduct Stored XSS attacks.

5.4
2023-10-16 CVE-2023-4805 Themeum Unspecified vulnerability in Themeum Tutor LMS

The Tutor LMS WordPress plugin before 2.3.0 does not sanitise and escape some of its settings, which could allow users such as subscriber to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

5.4
2023-10-16 CVE-2023-4811 Iptanus Unspecified vulnerability in Iptanus Wordpress File Upload

The WordPress File Upload WordPress plugin before 4.23.3 does not sanitise and escape some of its settings, which could allow high privilege users such as contributors to perform Stored Cross-Site Scripting attacks.

5.4
2023-10-16 CVE-2023-4820 Blubrry Unspecified vulnerability in Blubrry Powerpress

The PowerPress Podcasting plugin by Blubrry WordPress plugin before 11.0.12 does not sanitize and escape the media url field in posts, which could allow users with privileges as low as contributor to inject arbitrary web scripts that could target a site admin or superadmin.

5.4
2023-10-16 CVE-2023-4821 Codedropz Unspecified vulnerability in Codedropz Drag and Drop multiple File Uploader

The Drag and Drop Multiple File Upload for WooCommerce WordPress plugin before 1.1.1 does not filter all potentially dangerous file extensions.

5.4
2023-10-16 CVE-2023-5057 Automattic Unspecified vulnerability in Automattic Activitypub

The ActivityPub WordPress plugin before 1.0.0 does not escape user metadata before outputting them in mentions, which could allow users with a role of Contributor and above to perform Stored XSS attacks

5.4
2023-10-16 CVE-2023-5087 Pagelayer Unspecified vulnerability in Pagelayer

The Page Builder: Pagelayer WordPress plugin before 1.7.8 doesn't prevent attackers with author privileges and higher from inserting malicious JavaScript inside a post's header or footer code.

5.4
2023-10-16 CVE-2023-5167 Solwininfotech Unspecified vulnerability in Solwininfotech User Activity LOG

The User Activity Log Pro WordPress plugin before 2.3.4 does not properly escape recorded User-Agents in the user activity logs dashboard, which may allow visitors to conduct Stored Cross-Site Scripting attacks.

5.4
2023-10-16 CVE-2023-46066 Codedraft Cross-site Scripting vulnerability in Codedraft Mediabay - Wordpress Media Library Folders

Auth.

5.4
2023-10-16 CVE-2023-44984 Rewweb Cross-site Scripting vulnerability in Rewweb BBP Style Pack

Auth.

5.4
2023-10-16 CVE-2023-44985 Cytechmobile Cross-site Scripting vulnerability in Cytechmobile Buddymeet

Auth.

5.4
2023-10-21 CVE-2023-4939 Salesmanago Improper Authentication vulnerability in Salesmanago

The SALESmanago plugin for WordPress is vulnerable to Log Injection in versions up to, and including, 3.2.4.

5.3
2023-10-20 CVE-2022-4943 Miniorange Missing Authorization vulnerability in Miniorange Google Authenticator

The miniOrange's Google Authenticator plugin for WordPress is vulnerable to authorization bypass due to a missing capability check when changing plugin settings in versions up to, and including, 5.6.5.

5.3
2023-10-20 CVE-2023-3869 Gvectors Missing Authorization vulnerability in Gvectors Wpdiscuz

The wpDiscuz plugin for WordPress is vulnerable to unauthorized modification of data due to a missing authorization check on the voteOnComment function in versions up to, and including, 7.6.3.

5.3
2023-10-20 CVE-2023-3998 Gvectors Missing Authorization vulnerability in Gvectors Wpdiscuz

The wpDiscuz plugin for WordPress is vulnerable to unauthorized modification of data due to a missing authorization check on the userRate function in versions up to, and including, 7.6.3.

5.3
2023-10-20 CVE-2021-4353 Rightpress Missing Authorization vulnerability in Rightpress Woocommerce Dynamic Pricing & Discounts 2.4.1

The WooCommerce Dynamic Pricing and Discounts plugin for WordPress is vulnerable to unauthenticated settings export in versions up to, and including, 2.4.1.

5.3
2023-10-20 CVE-2023-39731 Line Unspecified vulnerability in Line Kaibutsunosato 13.6.1

The leakage of the client secret in Kaibutsunosato v13.6.1 allows attackers to obtain the channel access token and send crafted broadcast messages.

5.3
2023-10-20 CVE-2023-41894 Home Assistant Unspecified vulnerability in Home-Assistant

Home assistant is an open source home automation.

5.3
2023-10-19 CVE-2023-45822 Artifacthub Server-Side Request Forgery (SSRF) vulnerability in Artifacthub HUB

Artifact Hub is a web-based application that enables finding, installing, and publishing packages and configurations for CNCF projects.

5.3
2023-10-19 CVE-2023-30633 Insyde Unspecified vulnerability in Insyde Insydeh2O

An issue was discovered in TrEEConfigDriver in Insyde InsydeH2O with kernel 5.0 through 5.5.

5.3
2023-10-19 CVE-2023-42666 Dexma Unspecified vulnerability in Dexma Dexgate 20130114

The affected product is vulnerable to an exposure of sensitive information to an unauthorized actor vulnerability, which may allow an attacker to create malicious requests for obtaining the information of the version about the web server used.

5.3
2023-10-19 CVE-2023-5254 Quantumcloud Unspecified vulnerability in Quantumcloud AI Chatbot

The ChatBot plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.8.9 via the qcld_wb_chatbot_check_user function.

5.3
2023-10-19 CVE-2023-4645 Igorfuna Missing Authorization vulnerability in Igorfuna AD Inserter

The Ad Inserter for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 2.7.30 via the ai_ajax function.

5.3
2023-10-18 CVE-2023-45814 Littlebigfresh Missing Release of Resource after Effective Lifetime vulnerability in Littlebigfresh Bunkum

Bunkum is an open-source protocol-agnostic request server for custom game servers.

5.3
2023-10-17 CVE-2023-22067 Oracle
Netapp
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: CORBA).
5.3
2023-10-17 CVE-2023-22081 Oracle
Netapp
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE).
5.3
2023-10-17 CVE-2023-22126 Oracle Unspecified vulnerability in Oracle Webcenter Content 12.2.1.4.0

Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server).

5.3
2023-10-17 CVE-2022-43891 IBM Information Exposure Through an Error Message vulnerability in IBM Security Verify Privilege On-Premises

IBM Security Verify Privilege On-Premises 11.5 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser.

5.3
2023-10-17 CVE-2022-43892 IBM Improper Certificate Validation vulnerability in IBM Security Verify Privilege On-Premises

IBM Security Verify Privilege On-Premises 11.5 does not validate, or incorrectly validates, a certificate which could disclose sensitive information which could aid further attacks against the system.

5.3
2023-10-17 CVE-2021-38859 IBM Unspecified vulnerability in IBM Security Verify Privilege On-Premises

IBM Security Verify Privilege On-Premises 11.5 could allow a user to obtain version number information using a specially crafted HTTP request that could be used in further attacks against the system.

5.3
2023-10-17 CVE-2022-43889 IBM Unspecified vulnerability in IBM Security Verify Privilege On-Premises

IBM Security Verify Privilege On-Premises 11.5 could disclose sensitive information through an HTTP request that could aid an attacker in further attacks against the system.

5.3
2023-10-17 CVE-2022-22377 IBM Missing Encryption of Sensitive Data vulnerability in IBM Security Verify Privilege On-Premises

IBM Security Verify Privilege On-Premises 11.5 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security.

5.3
2023-10-16 CVE-2023-44391 Discourse Unspecified vulnerability in Discourse

Discourse is an open source platform for community discussion.

5.3
2023-10-16 CVE-2023-4933 Awsm Files or Directories Accessible to External Parties vulnerability in Awsm WP JOB Openings

The WP Job Openings WordPress plugin before 3.4.3 does not block listing the contents of the directories where it stores attachments to job applications, allowing unauthenticated visitors to list and download private attachments if the autoindex feature of the web server is enabled.

5.3
2023-10-16 CVE-2023-5089 Wpmudev Unspecified vulnerability in Wpmudev Defender Security

The Defender Security WordPress plugin before 4.1.0 does not prevent redirects to the login page via the auth_redirect WordPress function, allowing an unauthenticated visitor to access the login page, even when the hide login page functionality of the plugin is enabled.

5.3
2023-10-16 CVE-2023-5177 Maurice Unspecified vulnerability in Maurice Vrm360

The Vrm 360 3D Model Viewer WordPress plugin through 1.2.1 exposes the full path of a file when putting in a non-existent file in a parameter of the shortcode.

5.3
2023-10-16 CVE-2023-5561 Wordpress Unspecified vulnerability in Wordpress

WordPress does not properly restrict which user fields are searchable via the REST API, allowing unauthenticated attackers to discern the email addresses of users who have published public posts on an affected website via an Oracle style attack

5.3
2023-10-16 CVE-2023-45669 Webauthn4J Improper Authentication vulnerability in Webauthn4J Spring Security

WebAuthn4J Spring Security provides Web Authentication specification support for Spring applications.

5.3
2023-10-16 CVE-2023-38059 Otrs Unspecified vulnerability in Otrs

The loading of external images is not blocked, even if configured, if the attacker uses protocol-relative URL in the payload.

5.3
2023-10-19 CVE-2023-43340 EVO Cross-site Scripting vulnerability in EVO Evolution CMS 3.2.3

Cross-site scripting (XSS) vulnerability in evolution v.3.2.3 allows a local attacker to execute arbitrary code via a crafted payload injected into the cmsadmin, cmsadminemail, cmspassword and cmspasswordconfim parameters

5.2
2023-10-17 CVE-2023-22015 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).
4.9
2023-10-17 CVE-2023-22026 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).
4.9
2023-10-17 CVE-2023-22028 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).
4.9
2023-10-17 CVE-2023-22032 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).
4.9
2023-10-17 CVE-2023-22064 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).
4.9
2023-10-17 CVE-2023-22065 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).
4.9
2023-10-17 CVE-2023-22066 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).
4.9
2023-10-17 CVE-2023-22068 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).
4.9
2023-10-17 CVE-2023-22070 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).
4.9
2023-10-17 CVE-2023-22077 Oracle Unspecified vulnerability in Oracle Database Server

Vulnerability in the Oracle Database Recovery Manager component of Oracle Database Server.

4.9
2023-10-17 CVE-2023-22078 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).
4.9
2023-10-17 CVE-2023-22084 Oracle
Netapp
Fedoraproject
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).
4.9
2023-10-17 CVE-2023-22092 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).
4.9
2023-10-17 CVE-2023-22097 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).
4.9
2023-10-17 CVE-2023-22103 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).
4.9
2023-10-17 CVE-2023-22104 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).
4.9
2023-10-17 CVE-2023-22110 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).
4.9
2023-10-17 CVE-2023-22111 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: UDF).
4.9
2023-10-17 CVE-2023-22112 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).
4.9
2023-10-17 CVE-2023-22114 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).
4.9
2023-10-17 CVE-2023-22115 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML).
4.9
2023-10-17 CVE-2023-43794 Xgenecloud SQL Injection vulnerability in Xgenecloud Nocodb 0.109.2

Nocodb is an open source Airtable alternative.

4.9
2023-10-16 CVE-2023-3279 Imagely Unspecified vulnerability in Imagely Nextgen Gallery

The WordPress Gallery Plugin WordPress plugin before 3.39 does not validate some block attributes before using them to generate paths passed to include function/s, allowing Admin users to perform LFI attacks

4.9
2023-10-16 CVE-2023-45690 Southrivertech Incorrect Default Permissions vulnerability in Southrivertech Titan FTP Server and Titan MFT Server

Default file permissions on South River Technologies' Titan MFT and Titan SFTP servers on Linux allows a user that's authentication to the OS to read sensitive files on the filesystem

4.9
2023-10-20 CVE-2023-3996 Armemberplugin Cross-site Scripting vulnerability in Armemberplugin Armember

The ARMember Lite - Membership Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 4.0.14 due to insufficient input sanitization and output escaping.

4.8
2023-10-20 CVE-2023-4021 Webnus Cross-site Scripting vulnerability in Webnus Modern Events Calendar Lite

The Modern Events Calendar lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Google API key and Calendar ID in versions up to, but not including, 7.1.0 due to insufficient input sanitization and output escaping.

4.8
2023-10-20 CVE-2023-4648 Gowebsolutions Cross-site Scripting vulnerability in Gowebsolutions WP Customer Reviews

The WP Customer Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 3.6.6 due to insufficient input sanitization and output escaping.

4.8
2023-10-20 CVE-2023-5121 Wpvivid Cross-site Scripting vulnerability in Wpvivid Migration, Backup, Staging

The Migration, Backup, Staging – WPvivid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings (the backup path parameter) in versions up to, and including, 0.9.89 due to insufficient input sanitization and output escaping.

4.8
2023-10-20 CVE-2022-4954 Plugin Cross-site Scripting vulnerability in Plugin Waiting

The Waiting: One-click countdowns plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Countdown name in versions up to, and including, 0.6.2 due to insufficient input sanitization and output escaping.

4.8
2023-10-20 CVE-2023-4271 Deanoakley Cross-site Scripting vulnerability in Deanoakley Photospace Responsive Gallery

The Photospace Responsive plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘psres_button_size’ parameter in versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping.

4.8
2023-10-20 CVE-2023-4968 Wpeka Cross-site Scripting vulnerability in Wpeka Wplegalpages

The WPLegalPages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'wplegalpage' shortcode in versions up to, and including, 2.9.2 due to insufficient input sanitization and output escaping on user supplied attributes.

4.8
2023-10-20 CVE-2023-5120 Wpvivid Cross-site Scripting vulnerability in Wpvivid Migration, Backup, Staging

The Migration, Backup, Staging – WPvivid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the image file path parameter in versions up to, and including, 0.9.89 due to insufficient input sanitization and output escaping.

4.8
2023-10-18 CVE-2023-45604 GET Custom Field Values Project Cross-site Scripting vulnerability in GET Custom Field Values Project GET Custom Field Values

Auth.

4.8
2023-10-18 CVE-2023-45072 Order Auto Complete FOR Woocommerce Project Cross-site Scripting vulnerability in Order Auto Complete for Woocommerce Project Order Auto Complete for Woocommerce

Auth.

4.8
2023-10-18 CVE-2023-45073 Kochm Cross-site Scripting vulnerability in Kochm Mendeley Plugin

Auth.

4.8
2023-10-18 CVE-2023-45051 Gopiplus Cross-site Scripting vulnerability in Gopiplus Image Vertical Reel Scroll Slideshow

Auth.

4.8
2023-10-18 CVE-2023-45056 100Plugins Cross-site Scripting vulnerability in 100Plugins Open User MAP

Auth.

4.8
2023-10-18 CVE-2023-45057 Hitsteps Cross-site Scripting vulnerability in Hitsteps web Analytics

Auth.

4.8
2023-10-18 CVE-2023-45008 Wpjohnny Cross-site Scripting vulnerability in Wpjohnny Comment Reply Email

Auth.

4.8
2023-10-18 CVE-2023-5621 I13Websolution Cross-site Scripting vulnerability in I13Websolution Thumbnail Slider With Lightbox 1.0

The Thumbnail Slider With Lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Title field in versions up to, and including, 1.0 due to insufficient input sanitization and output escaping.

4.8
2023-10-17 CVE-2023-22091 Oracle Unspecified vulnerability in Oracle Graalvm for JDK 17.0.8/21

Vulnerability in the Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Compiler).

4.8
2023-10-17 CVE-2023-45010 Alexmacarthur Cross-site Scripting vulnerability in Alexmacarthur Complete Open Graph

Auth.

4.8
2023-10-17 CVE-2023-44990 Pluginus Cross-site Scripting vulnerability in Pluginus Wolf - Wordpress Posts Bulk Editor and products Manager Professional

Auth.

4.8
2023-10-17 CVE-2023-24385 Davidlingren Cross-site Scripting vulnerability in Davidlingren Media Library Assistant

Auth.

4.8
2023-10-16 CVE-2023-4388 Myeventon Unspecified vulnerability in Myeventon Eventon

The EventON WordPress plugin before 2.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

4.8
2023-10-16 CVE-2023-4725 Sayandatta Unspecified vulnerability in Sayandatta Simple Posts Ticker

The Simple Posts Ticker WordPress plugin before 1.1.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

4.8
2023-10-16 CVE-2023-4862 Ninjateam Unspecified vulnerability in Ninjateam Filester

The File Manager Pro WordPress plugin before 1.8.1 does not adequately validate and escape some inputs, leading to XSS by high-privilege users.

4.8
2023-10-16 CVE-2023-44987 Gettimely Cross-site Scripting vulnerability in Gettimely Timely Booking Button

Auth.

4.8
2023-10-16 CVE-2023-44229 Gopiplus Cross-site Scripting vulnerability in Gopiplus Tiny Carosel Horizontal Slider

Auth.

4.8
2023-10-16 CVE-2023-44986 Tychesoftwares Cross-site Scripting vulnerability in Tychesoftwares Abandoned Cart Lite for Woocommerce

Auth.

4.8
2023-10-17 CVE-2023-22109 Oracle Unspecified vulnerability in Oracle Business Intelligence 12.2.1.4.0/6.4.0.0.0/7.0.0.0.0

Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics (component: Analytics Web Dashboards).

4.6
2023-10-17 CVE-2022-43893 IBM Resource Exhaustion vulnerability in IBM Security Verify Privilege On-Premises

IBM Security Verify Privilege On-Premises 11.5 could allow a privileged user to cause by using a malicious payload.

4.4
2023-10-17 CVE-2023-38719 IBM Unspecified vulnerability in IBM DB2 11.5.8

IBM Db2 11.5 could allow a local user with special privileges to cause a denial of service during database deactivation on DPF.

4.4
2023-10-16 CVE-2023-35013 IBM Exposure of Resource to Wrong Sphere vulnerability in IBM Security Verify Governance 10.0/10.0.1

IBM Security Verify Governance 10.0, Identity Manager could allow a local privileged user to obtain sensitive information from source code.

4.4
2023-10-20 CVE-2020-36751 Jesseeproductions Cross-Site Request Forgery (CSRF) vulnerability in Jesseeproductions Coupon Creator

The Coupon Creator plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.1.

4.3
2023-10-20 CVE-2020-36753 Presscustomizr Cross-Site Request Forgery (CSRF) vulnerability in Presscustomizr Hueman

The Hueman theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.6.3.

4.3
2023-10-20 CVE-2020-36754 Strangerstudios Cross-Site Request Forgery (CSRF) vulnerability in Strangerstudios Paid Memberships PRO

The Paid Memberships Pro plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.4.2.

4.3
2023-10-20 CVE-2020-36755 Presscustomizr Cross-Site Request Forgery (CSRF) vulnerability in Presscustomizr Customizr

The Customizr theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.3.0.

4.3
2023-10-20 CVE-2020-36758 Themeisle Cross-Site Request Forgery (CSRF) vulnerability in Themeisle RSS Aggregator BY Feedzy

The RSS Aggregator by Feedzy plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.4.2.

4.3
2023-10-20 CVE-2020-36759 CM WP Cross-Site Request Forgery (CSRF) vulnerability in Cm-Wp Woody Code Snippets

The Woody code snippets plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.3.9.

4.3
2023-10-20 CVE-2021-4418 Wpfactory Cross-Site Request Forgery (CSRF) vulnerability in Wpfactory Custom Css, JS & PHP 2.0.7

The Custom CSS, JS & PHP plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.7.

4.3
2023-10-20 CVE-2022-3622 Adenion Missing Authorization vulnerability in Adenion Blog2Social

The Blog2Social plugin for WordPress is vulnerable to authorization bypass due to missing capability checks in versions up to, and including, 6.9.11.

4.3
2023-10-20 CVE-2023-4796 Booster Information Exposure vulnerability in Booster for Woocommerce

The Booster for WooCommerce for WordPress is vulnerable to Information Disclosure via the 'wcj_wp_option' shortcode in versions up to, and including, 7.1.0 due to insufficient controls on the information retrievable via the shortcode.

4.3
2023-10-20 CVE-2023-4923 Pluginus Cross-Site Request Forgery (CSRF) vulnerability in Pluginus Bear - Woocommerce Bulk Editor and products Manager Professional

The BEAR for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.3.3.

4.3
2023-10-20 CVE-2023-4924 Pluginus Cross-Site Request Forgery (CSRF) vulnerability in Pluginus Bear - Woocommerce Bulk Editor and products Manager Professional

The BEAR for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.1.3.3.

4.3
2023-10-20 CVE-2023-4926 Pluginus Cross-Site Request Forgery (CSRF) vulnerability in Pluginus Bear - Woocommerce Bulk Editor and products Manager Professional

The BEAR for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.3.3.

4.3
2023-10-20 CVE-2023-4941 Pluginus Missing Authorization vulnerability in Pluginus Bear - Woocommerce Bulk Editor and products Manager Professional

The BEAR for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.1.3.3.

4.3
2023-10-20 CVE-2023-4935 Pluginus Cross-Site Request Forgery (CSRF) vulnerability in Pluginus Bear - Woocommerce Bulk Editor and products Manager Professional

The BEAR for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.3.3.

4.3
2023-10-20 CVE-2023-4937 Pluginus Cross-Site Request Forgery (CSRF) vulnerability in Pluginus Bear - Woocommerce Bulk Editor and products Manager Professional

The BEAR for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.3.3.

4.3
2023-10-20 CVE-2023-4940 Pluginus Cross-Site Request Forgery (CSRF) vulnerability in Pluginus Bear - Woocommerce Bulk Editor and products Manager Professional

The BEAR for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.3.3.

4.3
2023-10-20 CVE-2023-4942 Pluginus Cross-Site Request Forgery (CSRF) vulnerability in Pluginus Bear - Woocommerce Bulk Editor and products Manager Professional

The BEAR for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.3.3.

4.3
2023-10-20 CVE-2023-4943 Pluginus Missing Authorization vulnerability in Pluginus Bear - Woocommerce Bulk Editor and products Manager Professional

The BEAR for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.1.3.3.

4.3
2023-10-20 CVE-2023-4947 Wpfactory Missing Authorization vulnerability in Wpfactory EAN for Woocommerce

The WooCommerce EAN Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the refresh_order_ean_data AJAX action in versions up to 6.1.0.

4.3
2023-10-20 CVE-2023-4975 Seedprod Cross-Site Request Forgery (CSRF) vulnerability in Seedprod Website Builder BY Seedprod

The Website Builder by SeedProd plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.15.13.1.

4.3
2023-10-19 CVE-2023-34050 Vmware Deserialization of Untrusted Data vulnerability in VMWare Spring Advanced Message Queuing Protocol

In spring AMQP versions 1.0.0 to 2.4.16 and 3.0.0 to 3.0.9 , allowed list patterns for deserializable class names were added to Spring AMQP, allowing users to lock down deserialization of data in messages from untrusted sources; however by default, when no allowed list was provided, all classes could be deserialized. Specifically, an application is vulnerable if * the SimpleMessageConverter or SerializerMessageConverter is used * the user does not configure allowed list patterns * untrusted message originators gain permissions to write messages to the RabbitMQ broker to send malicious content

4.3
2023-10-18 CVE-2023-4938 Pluginus Missing Authorization vulnerability in Pluginus Bear - Woocommerce Bulk Editor and products Manager Professional

The BEAR for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.1.3.3.

4.3
2023-10-18 CVE-2023-3254 Trustedindex Cross-Site Request Forgery (CSRF) vulnerability in Trustedindex Widgets for Google Reviews

The Widgets for Google Reviews plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 10.9.

4.3
2023-10-17 CVE-2023-22073 Oracle Unspecified vulnerability in Oracle Database Server

Vulnerability in the Oracle Notification Server component of Oracle Database Server.

4.3
2023-10-17 CVE-2023-22083 Oracle Unspecified vulnerability in Oracle Enterprise Session Border Controller 9.0

Vulnerability in the Oracle Enterprise Session Border Controller product of Oracle Communications (component: Web UI).

4.3
2023-10-17 CVE-2023-22088 Oracle Unspecified vulnerability in Oracle Communications Order and Service Management 7.4.0/7.4.1

Vulnerability in the Oracle Communications Order and Service Management product of Oracle Communications Applications (component: User Management).

4.3
2023-10-17 CVE-2023-22096 Oracle Unspecified vulnerability in Oracle Database Server

Vulnerability in the Java VM component of Oracle Database Server.

4.3
2023-10-17 CVE-2023-5522 Mattermost Unspecified vulnerability in Mattermost

Mattermost Mobile fails to limit the maximum number of Markdown elements in a post allowing an attacker to send a post with hundreds of emojis to a channel and freeze the mobile app of users when viewing that particular channel. 

4.3
2023-10-17 CVE-2023-34209 Easyuse Unspecified vulnerability in Easyuse Mailhunter Ultimate 2020/2023

Exposure of Sensitive System Information to an Unauthorized Control Sphere in create template function in EasyUse MailHunter Ultimate 2023 and earlier allow remote authenticated users to obtain the absolute path via unencrypted VIEWSTATE parameter.

4.3
2023-10-17 CVE-2021-20581 IBM Insufficient Session Expiration vulnerability in IBM Security Verify Privilege On-Premises

IBM Security Verify Privilege On-Premises 11.5 could allow a user to obtain sensitive information due to insufficient session expiration.

4.3
2023-10-17 CVE-2022-22380 IBM Improper Certificate Validation vulnerability in IBM Security Verify Privilege On-Premises

IBM Security Verify Privilege On-Premises 11.5 could allow an attacker to spoof a trusted entity due to improperly validating certificates.

4.3
2023-10-17 CVE-2022-22384 IBM Improper Input Validation vulnerability in IBM Security Verify Privilege On-Premises

IBM Security Verify Privilege On-Premises 11.5 could allow an attacker to modify messages returned from the server due to hazardous input validation.

4.3
2023-10-16 CVE-2023-44394 Mantisbt Exposure of Resource to Wrong Sphere vulnerability in Mantisbt

MantisBT is an open source bug tracker.

4.3
2023-10-16 CVE-2023-3706 Automattic Unspecified vulnerability in Automattic Activitypub

The ActivityPub WordPress plugin before 1.0.0 does not ensure that post titles to be displayed are public and belong to the plugin, allowing any authenticated user, such as subscriber to retrieve the title of arbitrary post (such as draft and private) via an IDOR vector

4.3
2023-10-16 CVE-2023-3707 Automattic Unspecified vulnerability in Automattic Activitypub

The ActivityPub WordPress plugin before 1.0.0 does not ensure that post contents to be displayed are public and belong to the plugin, allowing any authenticated user, such as subscriber to retrieve the content of arbitrary post (such as draft and private) via an IDOR vector.

4.3
2023-10-16 CVE-2023-45149 Nextcloud Improper Restriction of Excessive Authentication Attempts vulnerability in Nextcloud Talk

Nextcloud talk is a chat module for the Nextcloud server platform.

4.3
2023-10-16 CVE-2023-45150 Nextcloud Improper Validation of Integrity Check Value vulnerability in Nextcloud Calendar

Nextcloud calendar is a calendar app for the Nextcloud server platform.

4.3
2023-10-16 CVE-2023-45148 Nextcloud Improper Restriction of Excessive Authentication Attempts vulnerability in Nextcloud Server

Nextcloud is an open source home cloud server.

4.3
2023-10-16 CVE-2023-45660 Nextcloud Server-Side Request Forgery (SSRF) vulnerability in Nextcloud Mail

Nextcloud mail is an email app for the Nextcloud home server platform.

4.3
2023-10-16 CVE-2023-45688 Southrivertech Path Traversal vulnerability in Southrivertech Titan MFT Server and Titan Sftp Server

Lack of sufficient path validation in South River Technologies' Titan MFT and Titan SFTP servers on Linux allows an authenticated attacker to get the size of an arbitrary file on the filesystem using path traversal in the ftp "SIZE" command

4.3
2023-10-16 CVE-2023-4834 Helmholz
Mbconnectline
Improper Privilege Management vulnerability in multiple products

In Red Lion Europe mbCONNECT24 and mymbCONNECT24 and Helmholz myREX24 and myREX24.virtual up to and including 2.14.2 an improperly implemented access validation allows an authenticated, low privileged attacker to gain read access to limited, non-critical device information in his account he should not have access to.

4.3
2023-10-17 CVE-2023-45803 Python
Fedoraproject
Information Exposure vulnerability in multiple products

urllib3 is a user-friendly HTTP client library for Python.

4.2
2023-10-19 CVE-2022-25332 TI Information Exposure Through Discrepancy vulnerability in TI Omap L138 Firmware

The AES implementation in the Texas Instruments OMAP L138 (secure variants), present in mask ROM, suffers from a timing side channel which can be exploited by an adversary with non-secure supervisor privileges by managing cache contents and collecting timing information for different ciphertext inputs.

4.1

13 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2023-10-18 CVE-2023-38546 Haxx Unspecified vulnerability in Haxx Libcurl

This flaw allows an attacker to insert cookies at will into a running program using libcurl, if the specific series of conditions are met. libcurl performs transfers.

3.7
2023-10-17 CVE-2023-22025 Oracle
Netapp
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, product of Oracle Java SE (component: Hotspot).
3.7
2023-10-16 CVE-2023-43814 Discourse Unspecified vulnerability in Discourse

Discourse is an open source platform for community discussion.

3.7
2023-10-18 CVE-2023-45145 Redis
Fedoraproject
Debian
Exposure of Resource to Wrong Sphere vulnerability in multiple products

Redis is an in-memory database that persists on disk.

3.6
2023-10-17 CVE-2023-22128 Oracle Unspecified vulnerability in Oracle Solaris 10/11

Vulnerability in the Oracle Solaris product of Oracle Systems (component: Filesystem).

3.1
2023-10-16 CVE-2023-45147 Discourse Unspecified vulnerability in Discourse

Discourse is an open source community platform.

3.1
2023-10-17 CVE-2023-45659 Engelsystem Insufficient Session Expiration vulnerability in Engelsystem 2.0.0/3.0.0

Engelsystem is a shift planning system for chaos events.

2.8
2023-10-19 CVE-2023-45809 Torchbox Information Exposure Through Log Files vulnerability in Torchbox Wagtail

Wagtail is an open source content management system built on Django.

2.7
2023-10-17 CVE-2023-22113 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Encryption).
2.7
2023-10-17 CVE-2023-4089 Wago Externally Controlled Reference to a Resource in Another Sphere vulnerability in Wago products

On affected Wago products an remote attacker with administrative privileges can access files to which he has already access to through an undocumented local file inclusion.

2.7
2023-10-17 CVE-2023-22074 Oracle Unspecified vulnerability in Oracle Database Server

Vulnerability in the Oracle Database Sharding component of Oracle Database Server.

2.4
2023-10-17 CVE-2023-22075 Oracle Unspecified vulnerability in Oracle Database Server

Vulnerability in the Oracle Database Sharding component of Oracle Database Server.

2.4
2023-10-17 CVE-2023-45152 Engelsystem Server-Side Request Forgery (SSRF) vulnerability in Engelsystem 2.0.0/3.0.0

Engelsystem is a shift planning system for chaos events.

2.3