Weekly Vulnerabilities Reports > December 18 to 24, 2023
Overview
536 new vulnerabilities reported during this period, including 135 critical vulnerabilities and 204 high severity vulnerabilities. This weekly summary report vulnerabilities in 495 products from 327 vendors including Totolink, Ivanti, Debian, Mozilla, and IBM. Vulnerabilities are notably categorized as "Out-of-bounds Write", "Cross-site Scripting", "SQL Injection", "Cross-Site Request Forgery (CSRF)", and "OS Command Injection".
- 492 reported vulnerabilities are remotely exploitables.
- 80 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 333 reported vulnerabilities are exploitable by an anonymous user.
- Totolink has the most reported vulnerabilities, with 23 reported vulnerabilities.
- Totolink has the most reported critical vulnerabilities, with 23 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
135 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2023-12-24 | CVE-2023-7102 | Barracuda | Unspecified vulnerability in Barracuda products Use of a Third Party library produced a vulnerability in Barracuda Networks Inc. | 9.8 |
2023-12-24 | CVE-2023-51714 | QT | Integer Overflow or Wraparound vulnerability in QT An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. | 9.8 |
2023-12-24 | CVE-2023-51763 | Activeadmin | Improper Neutralization of Formula Elements in a CSV File vulnerability in Activeadmin Active Admin csv_builder.rb in ActiveAdmin (aka Active Admin) before 3.2.0 allows CSV injection. | 9.8 |
2023-12-23 | CVE-2023-6971 | Backupbliss | Inclusion of Functionality from Untrusted Control Sphere vulnerability in Backupbliss Backup Migration The Backup Migration plugin for WordPress is vulnerable to Remote File Inclusion in versions 1.0.8 to 1.3.9 via the 'content-dir' HTTP header. | 9.8 |
2023-12-23 | CVE-2023-6972 | Backupbliss | Path Traversal vulnerability in Backupbliss Backup Migration The Backup Migration plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.9 via the 'content-backups' and 'content-name', 'content-manifest', or 'content-bmitmp' and 'content-identy' HTTP headers. | 9.8 |
2023-12-22 | CVE-2023-50147 | Totolink | OS Command Injection vulnerability in Totolink A3700R Firmware 9.1.2U.5822B20200513 There is an arbitrary command execution vulnerability in the setDiagnosisCfg function of the cstecgi .cgi of the TOTOlink A3700R router device in its firmware version V9.1.2u.5822_B20200513. | 9.8 |
2023-12-22 | CVE-2023-50708 | Yiiframework | Unspecified vulnerability in Yiiframework Yii2-Authclient yii2-authclient is an extension that adds OpenID, OAuth, OAuth2 and OpenId Connect consumers for the Yii framework 2.0. | 9.8 |
2023-12-22 | CVE-2023-51011 | Totolink | Unspecified vulnerability in Totolink Ex1800T Firmware 9.1.0Cu.2112B20220316 TOTOlink EX1800T v9.1.0cu.2112_B20220316 is vulnerable to unauthorized arbitrary command execution in the lanPriDns parameter’ of the setLanConfig interface of the cstecgi .cgi | 9.8 |
2023-12-22 | CVE-2023-51012 | Totolink | Unspecified vulnerability in Totolink Ex1800T Firmware 9.1.0Cu.2112B20220316 TOTOlink EX1800T v9.1.0cu.2112_B20220316 is vulnerable to unauthorized arbitrary command execution in the lanGateway parameter’ of the setLanConfig interface of the cstecgi .cgi. | 9.8 |
2023-12-22 | CVE-2023-51013 | Totolink | Unspecified vulnerability in Totolink Ex1800T Firmware 9.1.0Cu.2112B20220316 TOTOlink EX1800T v9.1.0cu.2112_B20220316 is vulnerable to unauthorized arbitrary command execution in the lanNetmask parameter’ of the setLanConfig interface of the cstecgi .cgi. | 9.8 |
2023-12-22 | CVE-2023-51014 | Totolink | Unspecified vulnerability in Totolink Ex1800T Firmware 9.1.0Cu.2112B20220316 TOTOLINK EX1800T V9.1.0cu.2112_B20220316 is vulnerable to unauthorized arbitrary command execution in the lanSecDns parameter’ of the setLanConfig interface of the cstecgi .cgi | 9.8 |
2023-12-22 | CVE-2023-51015 | Totolink | Unspecified vulnerability in Totolink Ex1800T Firmware 9.1.0Cu.2112B20220316 TOTOLINX EX1800T v9.1.0cu.2112_B20220316 is vulnerable to arbitrary command execution in the ‘enable parameter’ of the setDmzCfg interface of the cstecgi .cgi | 9.8 |
2023-12-22 | CVE-2023-51016 | Totolink | Command Injection vulnerability in Totolink Ex1800T Firmware 9.1.0Cu.2112B20220316 TOTOlink EX1800T v9.1.0cu.2112_B20220316 is vulnerable to unauthorized arbitrary command execution in the setRebootScheCfg interface of the cstecgi .cgi. | 9.8 |
2023-12-22 | CVE-2023-51017 | Totolink | Unspecified vulnerability in Totolink Ex1800T Firmware 9.1.0Cu.2112B20220316 TOTOlink EX1800T v9.1.0cu.2112_B20220316 is vulnerable to unauthorized arbitrary command execution in the lanIp parameter’ of the setLanConfig interface of the cstecgi .cgi. | 9.8 |
2023-12-22 | CVE-2023-51018 | Totolink | Unspecified vulnerability in Totolink Ex1800T Firmware 9.1.0Cu.2112B20220316 TOTOlink EX1800T v9.1.0cu.2112_B20220316 is vulnerable to unauthorized arbitrary command execution in the ‘opmode’ parameter of the setWiFiApConfig interface of the cstecgi .cgi. | 9.8 |
2023-12-22 | CVE-2023-51019 | Totolink | Unspecified vulnerability in Totolink Ex1800T Firmware 9.1.0Cu.2112B20220316 TOTOlink EX1800T v9.1.0cu.2112_B20220316 is vulnerable to unauthorized arbitrary command execution in the ‘key5g’ parameter of the setWiFiExtenderConfig interface of the cstecgi .cgi. | 9.8 |
2023-12-22 | CVE-2023-51020 | Totolink | Unspecified vulnerability in Totolink Ex1800T Firmware 9.1.0Cu.2112B20220316 TOTOlink EX1800T v9.1.0cu.2112_B20220316 is vulnerable to unauthorized arbitrary command execution in the ‘langType’ parameter of the setLanguageCfg interface of the cstecgi .cgi. | 9.8 |
2023-12-22 | CVE-2023-51021 | Totolink | Unspecified vulnerability in Totolink Ex1800T Firmware 9.1.0Cu.2112B20220316 TOTOlink EX1800T v9.1.0cu.2112_B20220316 is vulnerable to unauthorized arbitrary command execution in the ‘merge’ parameter of the setRptWizardCfg interface of the cstecgi .cgi. | 9.8 |
2023-12-22 | CVE-2023-51022 | Totolink | Unspecified vulnerability in Totolink Ex1800T Firmware 9.1.0Cu.2112B20220316 TOTOlink EX1800T v9.1.0cu.2112_B20220316 is vulnerable to unauthorized arbitrary command execution in the ‘langFlag’ parameter of the setLanguageCfg interface of the cstecgi .cgi. | 9.8 |
2023-12-22 | CVE-2023-51033 | Totolink | OS Command Injection vulnerability in Totolink Ex1200L Firmware 9.3.5U.6146B20201023 TOTOlink EX1200L V9.3.5u.6146_B20201023 is vulnerable to arbitrary command execution via the cstecgi.cgi setOpModeCfg interface. | 9.8 |
2023-12-22 | CVE-2023-51034 | Totolink | Unrestricted Upload of File with Dangerous Type vulnerability in Totolink Ex1200L Firmware 9.3.5U.6146B20201023 TOTOlink EX1200L V9.3.5u.6146_B20201023 is vulnerable to arbitrary command execution via the cstecgi.cgi UploadFirmwareFile interface. | 9.8 |
2023-12-22 | CVE-2023-51035 | Totolink | OS Command Injection vulnerability in Totolink Ex1200L Firmware 9.3.5U.6146B20201023 TOTOLINK EX1200L V9.3.5u.6146_B20201023 is vulnerable to arbitrary command execution on the cstecgi.cgi NTPSyncWithHost interface. | 9.8 |
2023-12-22 | CVE-2023-51023 | Totolink | Unspecified vulnerability in Totolink Ex1800T Firmware 9.1.0Cu.2112B20220316 TOTOlink EX1800T v9.1.0cu.2112_B20220316 is vulnerable to arbitrary command execution in the ‘host_time’ parameter of the NTPSyncWithHost interface of the cstecgi .cgi. | 9.8 |
2023-12-22 | CVE-2023-51024 | Totolink | Unspecified vulnerability in Totolink Ex1800T Firmware 9.1.0Cu.2112B20220316 TOTOlink EX1800T v9.1.0cu.2112_B20220316 is vulnerable to unauthorized arbitrary command execution in the ‘tz’ parameter of the setNtpCfg interface of the cstecgi .cgi. | 9.8 |
2023-12-22 | CVE-2023-51025 | Totolink | Unspecified vulnerability in Totolink Ex1800T Firmware 9.1.0Cu.2112B20220316 TOTOlink EX1800T V9.1.0cu.2112_B20220316 is vulnerable to an unauthorized arbitrary command execution in the ‘admuser’ parameter of the setPasswordCfg interface of the cstecgi .cgi. | 9.8 |
2023-12-22 | CVE-2023-51026 | Totolink | Unspecified vulnerability in Totolink Ex1800T Firmware 9.1.0Cu.2112B20220316 TOTOlink EX1800T V9.1.0cu.2112_B20220316 is vulnerable to unauthorized arbitrary command execution in the ‘hour’ parameter of the setRebootScheCfg interface of the cstecgi .cgi. | 9.8 |
2023-12-22 | CVE-2023-51027 | Totolink | Unspecified vulnerability in Totolink Ex1800T Firmware 9.1.0Cu.2112B20220316 TOTOlink EX1800T V9.1.0cu.2112_B20220316 is vulnerable to unauthorized arbitrary command execution in the ‘apcliAuthMode’ parameter of the setWiFiExtenderConfig interface of the cstecgi .cgi. | 9.8 |
2023-12-22 | CVE-2023-51028 | Totolink | OS Command Injection vulnerability in Totolink Ex1800T Firmware 9.1.0Cu.2112B20220316 TOTOLINK EX1800T 9.1.0cu.2112_B20220316 is vulnerable to unauthorized arbitrary command execution in the apcliChannel parameter of the setWiFiExtenderConfig interface of the cstecgi.cgi. | 9.8 |
2023-12-22 | CVE-2023-49792 | Nextcloud | Unspecified vulnerability in Nextcloud Server Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. | 9.8 |
2023-12-22 | CVE-2023-42017 | IBM | Unspecified vulnerability in IBM Planning Analytics 2.0 IBM Planning Analytics Local 2.0 could allow a remote attacker to upload arbitrary files, caused by the improper validation of file extensions. | 9.8 |
2023-12-22 | CVE-2023-7058 | Oretnom23 | Unspecified vulnerability in Oretnom23 Simple Student Attendance System 1.0 A vulnerability was found in SourceCodester Simple Student Attendance System 1.0. | 9.8 |
2023-12-22 | CVE-2022-47532 | Filerun | SQL Injection vulnerability in Filerun 20220519 FileRun 20220519 allows SQL Injection via the "dir" parameter in a /?module=users§ion=cpanel&page=list request. | 9.8 |
2023-12-22 | CVE-2023-51707 | Arraynetworks | Command Injection vulnerability in Arraynetworks Arrayos AG MotionPro in Array ArrayOS AG before 9.4.0.505 on AG and vxAG allows remote command execution via crafted packets. | 9.8 |
2023-12-21 | CVE-2023-7039 | Byzoro | Unspecified vulnerability in Byzoro Smart S210 Firmware 20231121 A vulnerability classified as critical has been found in Byzoro S210 up to 20231210. | 9.8 |
2023-12-21 | CVE-2023-51048 | S CMS | SQL Injection vulnerability in S-Cms 5.0 S-CMS v5.0 was discovered to contain a SQL injection vulnerability via the A_newsauth parameter at /admin/ajax.php. | 9.8 |
2023-12-21 | CVE-2023-51049 | S CMS | SQL Injection vulnerability in S-Cms 5.0 S-CMS v5.0 was discovered to contain a SQL injection vulnerability via the A_bbsauth parameter at /admin/ajax.php. | 9.8 |
2023-12-21 | CVE-2023-51050 | S CMS | SQL Injection vulnerability in S-Cms 5.0 S-CMS v5.0 was discovered to contain a SQL injection vulnerability via the A_productauth parameter at /admin/ajax.php. | 9.8 |
2023-12-21 | CVE-2023-51051 | S CMS | SQL Injection vulnerability in S-Cms 5.0 S-CMS v5.0 was discovered to contain a SQL injection vulnerability via the A_textauth parameter at /admin/ajax.php. | 9.8 |
2023-12-21 | CVE-2023-51052 | S CMS | SQL Injection vulnerability in S-Cms 5.0 S-CMS v5.0 was discovered to contain a SQL injection vulnerability via the A_formauth parameter at /admin/ajax.php. | 9.8 |
2023-12-21 | CVE-2022-45377 | Codedropz | Unspecified vulnerability in Codedropz Drag and Drop multiple File Upload for Woocommerce Unrestricted Upload of File with Dangerous Type vulnerability in Glen Don L. | 9.8 |
2023-12-21 | CVE-2023-32242 | Xtemos | Unspecified vulnerability in Xtemos Woodmart 1.0.36 Deserialization of Untrusted Data vulnerability in xtemos WoodMart - Multipurpose WooCommerce Theme.This issue affects WoodMart - Multipurpose WooCommerce Theme: from n/a through 1.0.36. | 9.8 |
2023-12-21 | CVE-2023-49778 | Dmry | Unspecified vulnerability in Dmry Sayfa Sayac 2.6 Deserialization of Untrusted Data vulnerability in Hakan Demiray Sayfa Sayac.This issue affects Sayfa Sayac: from n/a through 2.6. | 9.8 |
2023-12-21 | CVE-2023-49826 | Pencidesign | Unspecified vulnerability in Pencidesign Soledad Deserialization of Untrusted Data vulnerability in PenciDesign Soledad – Multipurpose, Newspaper, Blog & WooCommerce WordPress Theme.This issue affects Soledad – Multipurpose, Newspaper, Blog & WooCommerce WordPress Theme: from n/a through 8.4.1. | 9.8 |
2023-12-21 | CVE-2023-51656 | Apache | Unspecified vulnerability in Apache Iotdb Deserialization of Untrusted Data vulnerability in Apache IoTDB.This issue affects Apache IoTDB: from 0.13.0 through 0.13.4. Users are recommended to upgrade to version 1.2.2, which fixes the issue. | 9.8 |
2023-12-21 | CVE-2023-50477 | NOS | Unspecified vulnerability in NOS Client 0.6.6 An issue was discovered in nos client version 0.6.6, allows remote attackers to escalate privileges via getRPCEndpoint.js. | 9.8 |
2023-12-21 | CVE-2023-51655 | Jetbrains | Insufficient Verification of Data Authenticity vulnerability in Jetbrains Intellij Idea In JetBrains IntelliJ IDEA before 2023.3.2 code execution was possible in Untrusted Project mode via a malicious plugin repository specified in the project configuration | 9.8 |
2023-12-21 | CVE-2023-7022 | Tongda2000 | Unspecified vulnerability in Tongda2000 Office Anywhere 2017 11.9 A vulnerability was found in Tongda OA 2017 up to 11.9. | 9.8 |
2023-12-21 | CVE-2023-7023 | Tongda2000 | Unspecified vulnerability in Tongda2000 Office Anywhere 2017 11.9 A vulnerability was found in Tongda OA 2017 up to 11.9. | 9.8 |
2023-12-21 | CVE-2023-29485 | Heimdalsecurity | Missing Authentication for Critical Function vulnerability in Heimdalsecurity Thor An issue was discovered in Heimdal Thor agent versions 3.4.2 and before on Windows and 2.6.9 and before on macOS, allows attackers to bypass network filtering, execute arbitrary code, and obtain sensitive information via DarkLayer Guard threat prevention module. | 9.8 |
2023-12-21 | CVE-2023-29486 | Heimdalsecurity | Unspecified vulnerability in Heimdalsecurity Thor An issue was discovered in Heimdal Thor agent versions 3.4.2 and before 3.7.0 on Windows, allows attackers to bypass USB access restrictions, execute arbitrary code, and obtain sensitive information via Next-Gen Antivirus component. | 9.8 |
2023-12-21 | CVE-2023-7020 | Tongda2000 | Unspecified vulnerability in Tongda2000 Office Anywhere 2017 11.9 A vulnerability was found in Tongda OA 2017 up to 11.9 and classified as critical. | 9.8 |
2023-12-21 | CVE-2023-7021 | Tongda2000 | Unspecified vulnerability in Tongda2000 Office Anywhere 2017 11.9 A vulnerability was found in Tongda OA 2017 up to 11.9. | 9.8 |
2023-12-21 | CVE-2023-49032 | LTB Project | Unspecified vulnerability in Ltb-Project Self Service Password An issue in LTB Self Service Password before v.1.5.4 allows a remote attacker to execute arbitrary code and obtain sensitive information via hijack of the SMS verification code function to arbitrary phone. | 9.8 |
2023-12-20 | CVE-2023-50983 | Tenda | Command Injection vulnerability in Tenda I29 Firmware 1.0.0.2/1.0.0.5 Tenda i29 v1.0 V1.0.0.5 was discovered to contain a command injection vulnerability via the sysScheduleRebootSet function. | 9.8 |
2023-12-20 | CVE-2023-50984 | Tenda | Out-of-bounds Write vulnerability in Tenda I29 Firmware 1.0.0.2/1.0.0.5 Tenda i29 v1.0 V1.0.0.5 was discovered to contain a buffer overflow via the ip parameter in the spdtstConfigAndStart function. | 9.8 |
2023-12-20 | CVE-2023-50985 | Tenda | Out-of-bounds Write vulnerability in Tenda I29 Firmware 1.0.0.2/1.0.0.5 Tenda i29 v1.0 V1.0.0.5 was discovered to contain a buffer overflow via the lanGw parameter in the lanCfgSet function. | 9.8 |
2023-12-20 | CVE-2023-50986 | Tenda | Out-of-bounds Write vulnerability in Tenda I29 Firmware 1.0.0.2/1.0.0.5 Tenda i29 v1.0 V1.0.0.5 was discovered to contain a buffer overflow via the time parameter in the sysLogin function. | 9.8 |
2023-12-20 | CVE-2023-50987 | Tenda | Out-of-bounds Write vulnerability in Tenda I29 Firmware 1.0.0.2/1.0.0.5 Tenda i29 v1.0 V1.0.0.5 was discovered to contain a buffer overflow via the time parameter in the sysTimeInfoSet function. | 9.8 |
2023-12-20 | CVE-2023-50988 | Tenda | Out-of-bounds Write vulnerability in Tenda I29 Firmware 1.0.0.2/1.0.0.5 Tenda i29 v1.0 V1.0.0.5 was discovered to contain a buffer overflow via the bandwidth parameter in the wifiRadioSetIndoor function. | 9.8 |
2023-12-20 | CVE-2023-50989 | Tenda | Command Injection vulnerability in Tenda I29 Firmware 1.0.0.2/1.0.0.5 Tenda i29 v1.0 V1.0.0.5 was discovered to contain a command injection vulnerability via the pingSet function. | 9.8 |
2023-12-20 | CVE-2023-50990 | Tenda | Out-of-bounds Write vulnerability in Tenda I29 Firmware 1.0.0.2/1.0.0.5 Tenda i29 v1.0 V1.0.0.5 was discovered to contain a buffer overflow via the rebootTime parameter in the sysScheduleRebootSet function. | 9.8 |
2023-12-20 | CVE-2023-50992 | Tenda | Out-of-bounds Write vulnerability in Tenda I29 Firmware 1.0.0.2/1.0.0.5 Tenda i29 v1.0 V1.0.0.5 was discovered to contain a stack overflow via the ip parameter in the setPing function. | 9.8 |
2023-12-20 | CVE-2023-50993 | Ruijie | OS Command Injection vulnerability in Ruijie Rg-Ws6008 Firmware and Rg-Ws6108 Firmware Ruijie WS6008 v1.x v2.x AC_RGOS11.9(6)W3B2_G2C6-01_10221911 and WS6108 v1.x AC_RGOS11.9(6)W3B2_G2C6-01_10221911 was discovered to contain a command injection vulnerability via the function downFiles. | 9.8 |
2023-12-20 | CVE-2023-25970 | Zendrop | Unspecified vulnerability in Zendrop 1.0.0 Unrestricted Upload of File with Dangerous Type vulnerability in Zendrop Zendrop – Global Dropshipping.This issue affects Zendrop – Global Dropshipping: from n/a through 1.0.0. | 9.8 |
2023-12-20 | CVE-2023-29384 | Hmplugin | Unspecified vulnerability in Hmplugin Jobwp Unrestricted Upload of File with Dangerous Type vulnerability in HM Plugin WordPress Job Board and Recruitment Plugin – JobWP.This issue affects WordPress Job Board and Recruitment Plugin – JobWP: from n/a through 2.0. | 9.8 |
2023-12-20 | CVE-2023-45603 | Plugin Planet | Unspecified vulnerability in Plugin-Planet User Submitted Posts Unrestricted Upload of File with Dangerous Type vulnerability in Jeff Starr User Submitted Posts – Enable Users to Submit Posts from the Front End.This issue affects User Submitted Posts – Enable Users to Submit Posts from the Front End: from n/a through 20230902. | 9.8 |
2023-12-20 | CVE-2023-47990 | Cuppacms | SQL Injection vulnerability in Cuppacms 1.0 SQL Injection vulnerability in components/table_manager/html/edit_admin_table.php in CuppaCMS V1.0 allows attackers to run arbitrary SQL commands via the table parameter. | 9.8 |
2023-12-20 | CVE-2023-29432 | Favethemes | Unspecified vulnerability in Favethemes Houzez 1.3.4 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Favethemes Houzez - Real Estate WordPress Theme.This issue affects Houzez - Real Estate WordPress Theme: from n/a before 2.8.3. | 9.8 |
2023-12-20 | CVE-2023-49752 | Spoonthemes | Unspecified vulnerability in Spoonthemes Adifier Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Spoon themes Adifier - Classified Ads WordPress Theme.This issue affects Adifier - Classified Ads WordPress Theme: from n/a before 3.1.4. | 9.8 |
2023-12-20 | CVE-2023-47118 | Clickhouse | Out-of-bounds Write vulnerability in Clickhouse and Clickhouse Cloud ClickHouse® is an open-source column-oriented database management system that allows generating analytical data reports in real-time. | 9.8 |
2023-12-20 | CVE-2023-35915 | Automattic | Unspecified vulnerability in Automattic Woopayments Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Automattic WooPayments – Fully Integrated Solution Built and Supported by Woo.This issue affects WooPayments – Fully Integrated Solution Built and Supported by Woo: from n/a through 5.9.0. | 9.8 |
2023-12-20 | CVE-2023-49772 | Phpbits | Unspecified vulnerability in PHPbits Genesis Simple Love 2.0 Deserialization of Untrusted Data vulnerability in Phpbits Creative Studio Genesis Simple Love.This issue affects Genesis Simple Love: from n/a through 2.0. | 9.8 |
2023-12-20 | CVE-2023-49773 | Bcorp Shortcodes Project | Deserialization of Untrusted Data vulnerability in Bcorp Shortcodes Project Bcorp Shortcodes 0.23 Deserialization of Untrusted Data vulnerability in Tim Brattberg BCorp Shortcodes.This issue affects BCorp Shortcodes: from n/a through 0.23. | 9.8 |
2023-12-20 | CVE-2023-49776 | Dmry | Unspecified vulnerability in Dmry Sayfa Sayac 2.6 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Hakan Demiray Sayfa Sayac.This issue affects Sayfa Sayac: from n/a through 2.6. | 9.8 |
2023-12-20 | CVE-2023-5011 | Kashipara | Unspecified vulnerability in Kashipara Student Information System 1.0 Student Information System v1.0 is vulnerable to multiple Authenticated SQL Injection vulnerabilities. | 9.8 |
2023-12-20 | CVE-2023-28782 | Gravityforms | Unspecified vulnerability in Gravityforms Gravity Forms 2.7.3 Deserialization of Untrusted Data vulnerability in Rocketgenius Inc. | 9.8 |
2023-12-20 | CVE-2023-35895 | IBM | Injection vulnerability in IBM Informix Jdbc 4.10/4.50 IBM Informix JDBC Driver 4.10 and 4.50 is susceptible to remote code execution attack via JNDI injection when passing an unchecked argument to a certain API. | 9.8 |
2023-12-20 | CVE-2023-40010 | Pluginus | Unspecified vulnerability in Pluginus Husky - products Filter Professional for Woocommerce Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in realmag777 HUSKY – Products Filter for WooCommerce Professional.This issue affects HUSKY – Products Filter for WooCommerce Professional: from n/a through 1.3.4.2. | 9.8 |
2023-12-20 | CVE-2023-40555 | Uxthemes | Unspecified vulnerability in Uxthemes Flatsome Deserialization of Untrusted Data vulnerability in UX-themes Flatsome | Multi-Purpose Responsive WooCommerce Theme.This issue affects Flatsome | Multi-Purpose Responsive WooCommerce Theme: from n/a through 3.17.5. | 9.8 |
2023-12-20 | CVE-2023-47507 | Averta | Unspecified vulnerability in Averta Master Slider PRO 3.6.5 Deserialization of Untrusted Data vulnerability in Master Slider Master Slider Pro.This issue affects Master Slider Pro: from n/a through 3.6.5. | 9.8 |
2023-12-20 | CVE-2023-6768 | MR Corner | Unspecified vulnerability in Mr-Corner Amazing Little Poll 1.3/1.4 Authentication bypass vulnerability in Amazing Little Poll affecting versions 1.3 and 1.4. | 9.8 |
2023-12-20 | CVE-2023-6912 | M Files | Improper Restriction of Excessive Authentication Attempts vulnerability in M-Files Server Lack of protection against brute force attacks in M-Files Server before 23.12.13205.0 allows an attacker unlimited authentication attempts, potentially compromising targeted M-Files user accounts by guessing passwords. | 9.8 |
2023-12-20 | CVE-2023-50044 | Cesanta | Classic Buffer Overflow vulnerability in Cesanta MJS 2.22.0 Cesanta MJS 2.20.0 has a getprop_builtin_foreign out-of-bounds read if a Built-in API name occurs in a substring of an input string. | 9.8 |
2023-12-20 | CVE-2023-50628 | Libming | Classic Buffer Overflow vulnerability in Libming 0.4.8 Buffer Overflow vulnerability in libming version 0.4.8, allows attackers to execute arbitrary code and obtain sensitive information via parser.c component. | 9.8 |
2023-12-20 | CVE-2023-6974 | Lfprojects | Unspecified vulnerability in Lfprojects Mlflow A malicious user could use this issue to access internal HTTP(s) servers and in the worst case (ie: aws instance) it could be abuse to get a remote code execution on the victim machine. | 9.8 |
2023-12-20 | CVE-2023-6975 | Lfprojects | Unspecified vulnerability in Lfprojects Mlflow A malicious user could use this issue to get command execution on the vulnerable machine and get access to data & models information. | 9.8 |
2023-12-20 | CVE-2023-45887 | Nintendo | Unspecified vulnerability in Nintendo DS Wireless Communication 11/3 DS Wireless Communication (DWC) with DWC_VERSION_3 and DWC_VERSION_11 allows remote attackers to execute arbitrary code on a game-playing client's machine via a modified GPCM message. | 9.8 |
2023-12-19 | CVE-2023-6928 | Eurotel | Improper Restriction of Excessive Authentication Attempts vulnerability in Eurotel Etl3100 Firmware 01C01/01X37 EuroTel ETL3100 versions v01c01 and v01x37 does not limit the number of attempts to guess administrative credentials in remote password attacks to gain full control of the system. | 9.8 |
2023-12-19 | CVE-2023-6929 | Eurotel | Authorization Bypass Through User-Controlled Key vulnerability in Eurotel Etl3100 Firmware 01C01/01X37 EuroTel ETL3100 versions v01c01 and v01x37 are vulnerable to insecure direct object references that occur when the application provides direct access to objects based on user-supplied input. | 9.8 |
2023-12-19 | CVE-2023-6930 | Eurotel | Unspecified vulnerability in Eurotel Etl3100 Firmware 01C01/01X37 EuroTel ETL3100 versions v01c01 and v01x37 suffer from an unauthenticated configuration and log download vulnerability. | 9.8 |
2023-12-19 | CVE-2023-47267 | Thegreenbow | Improper Privilege Management vulnerability in Thegreenbow products An issue discovered in TheGreenBow Windows Enterprise Certified VPN Client 6.52, Windows Standard VPN Client 6.87, and Windows Enterprise VPN Client 6.87 allows attackers to gain escalated privileges via crafted changes to memory mapped file. | 9.8 |
2023-12-19 | CVE-2023-49004 | Dlink | Code Injection vulnerability in Dlink Dir-850L Firmware Fw223Wwb01 An issue in D-Link DIR-850L v.B1_FW223WWb01 allows a remote attacker to execute arbitrary code via a crafted script to the en parameter. | 9.8 |
2023-12-19 | CVE-2023-48738 | Portotheme | Unspecified vulnerability in Portotheme Functionality Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Porto Theme Porto Theme - Functionality.This issue affects Porto Theme - Functionality: from n/a before 2.12.1. | 9.8 |
2023-12-19 | CVE-2023-49750 | Spoonthemes | Unspecified vulnerability in Spoonthemes Couponis Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Spoonthemes Couponis - Affiliate & Submitting Coupons WordPress Theme.This issue affects Couponis - Affiliate & Submitting Coupons WordPress Theme: from n/a before 2.2. | 9.8 |
2023-12-19 | CVE-2023-34027 | Rajarora795 | Unspecified vulnerability in Rajarora795 Recently Viewed products 1.0.0 Deserialization of Untrusted Data vulnerability in Rajnish Arora Recently Viewed Products.This issue affects Recently Viewed Products: from n/a through 1.0.0. | 9.8 |
2023-12-19 | CVE-2023-37390 | Themesflat | Unspecified vulnerability in Themesflat Addons for Elementor 2.0.0 Deserialization of Untrusted Data vulnerability in Themesflat Themesflat Addons For Elementor.This issue affects Themesflat Addons For Elementor: from n/a through 2.0.0. | 9.8 |
2023-12-19 | CVE-2023-41727 | Ivanti | Out-of-bounds Write vulnerability in Ivanti Avalanche An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution. | 9.8 |
2023-12-19 | CVE-2023-46216 | Ivanti | Out-of-bounds Write vulnerability in Ivanti Avalanche An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution. | 9.8 |
2023-12-19 | CVE-2023-46217 | Ivanti | Out-of-bounds Write vulnerability in Ivanti Avalanche An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution. | 9.8 |
2023-12-19 | CVE-2023-46220 | Ivanti | Out-of-bounds Write vulnerability in Ivanti Avalanche An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution. | 9.8 |
2023-12-19 | CVE-2023-46221 | Ivanti | Out-of-bounds Write vulnerability in Ivanti Avalanche An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution. | 9.8 |
2023-12-19 | CVE-2023-46222 | Ivanti | Out-of-bounds Write vulnerability in Ivanti Avalanche An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution. | 9.8 |
2023-12-19 | CVE-2023-46223 | Ivanti | Out-of-bounds Write vulnerability in Ivanti Avalanche An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution. | 9.8 |
2023-12-19 | CVE-2023-46224 | Ivanti | Out-of-bounds Write vulnerability in Ivanti Avalanche An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution. | 9.8 |
2023-12-19 | CVE-2023-46225 | Ivanti | Out-of-bounds Write vulnerability in Ivanti Avalanche An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution. | 9.8 |
2023-12-19 | CVE-2023-46257 | Ivanti | Out-of-bounds Write vulnerability in Ivanti Avalanche An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution. | 9.8 |
2023-12-19 | CVE-2023-46258 | Ivanti | Out-of-bounds Write vulnerability in Ivanti Avalanche An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution. | 9.8 |
2023-12-19 | CVE-2023-46259 | Ivanti | Out-of-bounds Write vulnerability in Ivanti Avalanche An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution. | 9.8 |
2023-12-19 | CVE-2023-46260 | Ivanti | Out-of-bounds Write vulnerability in Ivanti Avalanche An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution. | 9.8 |
2023-12-19 | CVE-2023-46261 | Ivanti | Out-of-bounds Write vulnerability in Ivanti Avalanche An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS) or code execution. | 9.8 |
2023-12-19 | CVE-2023-46263 | Ivanti | Unrestricted Upload of File with Dangerous Type vulnerability in Ivanti Avalanche An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.4.1 and below that could allow an attacker to achieve a remote code execution. | 9.8 |
2023-12-19 | CVE-2023-46264 | Ivanti | Unrestricted Upload of File with Dangerous Type vulnerability in Ivanti Avalanche An unrestricted upload of file with dangerous type vulnerability exists in Avalanche versions 6.4.1 and below that could allow an attacker to achieve a remove code execution. | 9.8 |
2023-12-19 | CVE-2023-46265 | Ivanti | XXE vulnerability in Ivanti Avalanche An unauthenticated could abuse a XXE vulnerability in the Smart Device Server to leak data or perform a Server-Side Request Forgery (SSRF). | 9.8 |
2023-12-19 | CVE-2023-50272 | HPE | Unspecified vulnerability in HPE products A potential security vulnerability has been identified in HPE Integrated Lights-Out 5 (iLO 5) and Integrated Lights-Out 6 (iLO 6). | 9.8 |
2023-12-19 | CVE-2023-43870 | Paxton Access | Use of Hard-coded Credentials vulnerability in Paxton-Access Net2 6.02/6.07 When installing the Net2 software a root certificate is installed into the trusted store. | 9.8 |
2023-12-19 | CVE-2019-25158 | Pedroetb | Unspecified vulnerability in Pedroetb Tts-Api A vulnerability has been found in pedroetb tts-api up to 2.1.4 and classified as critical. | 9.8 |
2023-12-19 | CVE-2023-47754 | Cleverplugins | Unspecified vulnerability in Cleverplugins Delete Duplicate Posts Missing Authorization vulnerability in Clever plugins Delete Duplicate Posts allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Delete Duplicate Posts: from n/a through 4.8.9. | 9.8 |
2023-12-19 | CVE-2023-49819 | Wpsc Plugin | Unspecified vulnerability in Wpsc-Plugin Structured Content Deserialization of Untrusted Data vulnerability in Gordon Böhme, Antonio Leutsch Structured Content (JSON-LD) #wpsc.This issue affects Structured Content (JSON-LD) #wpsc: from n/a through 1.5.3. | 9.8 |
2023-12-18 | CVE-2023-6272 | Thememylogin | Improper Restriction of Excessive Authentication Attempts vulnerability in Thememylogin 2FA The Theme My Login 2FA WordPress plugin before 1.2 does not rate limit 2FA validation attempts, which may allow an attacker to brute-force all possibilities, which shouldn't be too long, as the 2FA codes are 6 digits. | 9.8 |
2023-12-18 | CVE-2023-32728 | Zabbix | Code Injection vulnerability in Zabbix Zabbix-Agent2 The Zabbix Agent 2 item key smart.disk.get does not sanitize its parameters before passing them to a shell command resulting possible vulnerability for remote code execution. | 9.8 |
2023-12-18 | CVE-2023-6483 | Aditaas | Improper Authentication vulnerability in Aditaas Allied Digital Integrated Tool-As-A-Service 5.1 The vulnerability exists in ADiTaaS (Allied Digital Integrated Tool-as-a-Service) version 5.1 due to an improper authentication vulnerability in the ADiTaaS backend API. | 9.8 |
2023-12-18 | CVE-2023-6906 | Totolink | Classic Buffer Overflow vulnerability in Totolink A7100Ru Firmware 7.4Cu.2313B20191024 A vulnerability, which was classified as critical, was found in Totolink A7100RU 7.4cu.2313_B20191024. | 9.8 |
2023-12-18 | CVE-2023-50976 | Redpanda | Missing Authorization vulnerability in Redpanda Redpanda before 23.1.21 and 23.2.x before 23.2.18 has missing authorization checks in the Transactions API. | 9.8 |
2023-12-18 | CVE-2023-6905 | Nxfilter | Unspecified vulnerability in Nxfilter 4.3.2.5 A vulnerability, which was classified as problematic, has been found in Jahastech NxFilter 4.3.2.5. | 9.8 |
2023-12-22 | CVE-2023-50731 | Mindsdb | Path Traversal vulnerability in Mindsdb MindsDB is a SQL Server for artificial intelligence. | 9.1 |
2023-12-21 | CVE-2023-50475 | Bcoin | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Bcoin 2.2.0 An issue was discovered in bcoin-org bcoin version 2.2.0, allows remote attackers to obtain sensitive information via weak hashing algorithms in the component \vendor\faye-websocket.js. | 9.1 |
2023-12-21 | CVE-2023-29487 | Heimdalsecurity | Unspecified vulnerability in Heimdalsecurity Thor An issue was discovered in Heimdal Thor agent versions 3.4.2 and before on Windows and 2.6.9 and before on macOS, allows attackers to cause a denial of service (DoS) via the Threat To Process Correlation threat prevention module. | 9.1 |
2023-12-20 | CVE-2023-49161 | Guelbetech | Unspecified vulnerability in Guelbetech Bravo Translate 1.2 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Guelben Bravo Translate.This issue affects Bravo Translate: from n/a through 1.2. | 9.1 |
2023-12-20 | CVE-2023-49166 | Magiclogix | Unspecified vulnerability in Magiclogix Msync Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Magic Logix MSync.This issue affects MSync: from n/a through 1.0.0. | 9.1 |
2023-12-20 | CVE-2023-47702 | IBM | Unspecified vulnerability in IBM Security Guardium KEY Lifecycle Manager 4.2.0 IBM Security Guardium Key Lifecycle Manager 4.3 could allow a remote attacker to traverse directories on the system. | 9.1 |
2023-12-20 | CVE-2023-27172 | Xpand IT | Improper Restriction of Excessive Authentication Attempts vulnerability in Xpand-It Write-Back Manager 2.3.1 Xpand IT Write-back Manager v2.3.1 uses weak secret keys to sign JWT tokens. | 9.1 |
2023-12-19 | CVE-2021-22962 | Ivanti | Unspecified vulnerability in Ivanti Avalanche An attacker can send a specially crafted request which could lead to leakage of sensitive data or potentially a resource-based DoS attack. | 9.1 |
2023-12-19 | CVE-2023-46266 | Ivanti | Unspecified vulnerability in Ivanti Avalanche An attacker can send a specially crafted request which could lead to leakage of sensitive data or potentially a resource-based DoS attack. | 9.1 |
2023-12-18 | CVE-2023-6907 | Codelyfe | Unspecified vulnerability in Codelyfe Stupid Simple CMS A vulnerability has been found in codelyfe Stupid Simple CMS up to 1.2.4 and classified as critical. | 9.1 |
2023-12-22 | CVE-2023-50928 | Amazon | Unspecified vulnerability in Amazon Awslabs Sandbox Accounts for Events "Sandbox Accounts for Events" provides multiple, temporary AWS accounts to a number of authenticated users simultaneously via a browser-based GUI. | 9.0 |
204 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2023-12-24 | CVE-2023-7091 | Iteachyou | Unspecified vulnerability in Iteachyou Dreamer CMS 4.1.3 A vulnerability was found in Dreamer CMS 4.1.3. | 8.8 |
2023-12-23 | CVE-2023-7090 | Sudo Project | Improper Privilege Management vulnerability in Sudo Project Sudo A flaw was found in sudo in the handling of ipa_hostname, where ipa_hostname from /etc/sssd/sssd.conf was not propagated in sudo. | 8.8 |
2023-12-23 | CVE-2023-5961 | Moxa | Cross-Site Request Forgery (CSRF) vulnerability in Moxa products A Cross-Site Request Forgery (CSRF) vulnerability has been identified in ioLogik E1200 Series firmware versions v3.3 and prior. | 8.8 |
2023-12-22 | CVE-2023-51387 | Apache | Unspecified vulnerability in Apache Hertzbeat Hertzbeat is an open source, real-time monitoring system. | 8.8 |
2023-12-22 | CVE-2023-50714 | Yiiframework | Improper Authentication vulnerability in Yiiframework Yii2-Authclient yii2-authclient is an extension that adds OpenID, OAuth, OAuth2 and OpenId Connect consumers for the Yii framework 2.0. | 8.8 |
2023-12-22 | CVE-2023-49085 | Cacti | Unspecified vulnerability in Cacti Cacti provides an operational monitoring and fault management framework. | 8.8 |
2023-12-22 | CVE-2023-51448 | Cacti | Unspecified vulnerability in Cacti 1.2.25 Cacti provides an operational monitoring and fault management framework. | 8.8 |
2023-12-22 | CVE-2023-7053 | Phpgurukul | Unspecified vulnerability in PHPgurukul Online Notes Sharing System 1.0 A vulnerability was found in PHPGurukul Online Notes Sharing System 1.0. | 8.8 |
2023-12-21 | CVE-2023-49084 | Cacti | Unspecified vulnerability in Cacti 1.2.25 Cacti is a robust performance and fault management framework and a frontend to RRDTool - a Time Series Database (TSDB). | 8.8 |
2023-12-21 | CVE-2023-7024 | Google Debian Fedoraproject | Out-of-bounds Write vulnerability in multiple products Heap buffer overflow in WebRTC in Google Chrome prior to 120.0.6099.129 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2023-12-21 | CVE-2023-46647 | Github | Improper Privilege Management vulnerability in Github Enterprise Server Improper privilege management in all versions of GitHub Enterprise Server allows users with authorized access to the management console with an editor role to escalate their privileges by making requests to the endpoint used for bootstrapping the instance. This vulnerability affected GitHub Enterprise Server version 3.8.0 and above and was fixed in version 3.8.12, 3.9.6, 3.10.3, and 3.11.0. | 8.8 |
2023-12-21 | CVE-2023-45120 | Projectworlds | Unspecified vulnerability in Projectworlds Online Examination System 1.0 Online Examination System v1.0 is vulnerable to multiple Authenticated SQL Injection vulnerabilities. The 'qid' parameter of the /update.php?q=quiz&step=2 resource does not validate the characters received and they are sent unfiltered to the database. | 8.8 |
2023-12-21 | CVE-2023-45121 | Projectworlds | Unspecified vulnerability in Projectworlds Online Examination System 1.0 Online Examination System v1.0 is vulnerable to multiple Authenticated SQL Injection vulnerabilities. The 'desc' parameter of the /update.php?q=addquiz resource does not validate the characters received and they are sent unfiltered to the database. | 8.8 |
2023-12-21 | CVE-2023-7037 | Automad | Unspecified vulnerability in Automad A vulnerability was found in automad up to 1.10.9. | 8.8 |
2023-12-21 | CVE-2023-45115 | Projectworlds | Unspecified vulnerability in Projectworlds Online Examination System 1.0 Online Examination System v1.0 is vulnerable to multiple Authenticated SQL Injection vulnerabilities. The 'ch' parameter of the /update.php?q=addqns resource does not validate the characters received and they are sent unfiltered to the database. | 8.8 |
2023-12-21 | CVE-2023-45116 | Projectworlds | Unspecified vulnerability in Projectworlds Online Examination System 1.0 Online Examination System v1.0 is vulnerable to multiple Authenticated SQL Injection vulnerabilities. The 'demail' parameter of the /update.php resource does not validate the characters received and they are sent unfiltered to the database. | 8.8 |
2023-12-21 | CVE-2023-45117 | Projectworlds | SQL Injection vulnerability in Projectworlds Online Examination System 1.0 Online Examination System v1.0 is vulnerable to multiple Authenticated SQL Injection vulnerabilities. The 'eid' parameter of the /update.php?q=rmquiz resource does not validate the characters received and they are sent unfiltered to the database. | 8.8 |
2023-12-21 | CVE-2023-45118 | Projectworlds | Unspecified vulnerability in Projectworlds Online Examination System 1.0 Online Examination System v1.0 is vulnerable to multiple Authenticated SQL Injection vulnerabilities. The 'fdid' parameter of the /update.php resource does not validate the characters received and they are sent unfiltered to the database. | 8.8 |
2023-12-21 | CVE-2023-45119 | Projectworlds | Unspecified vulnerability in Projectworlds Online Examination System 1.0 Online Examination System v1.0 is vulnerable to multiple Authenticated SQL Injection vulnerabilities. The 'n' parameter of the /update.php?q=quiz resource does not validate the characters received and they are sent unfiltered to the database. | 8.8 |
2023-12-21 | CVE-2023-22674 | Halgatewood | Unspecified vulnerability in Halgatewood Dashicons + Custom Post Types 1.0.2 Missing Authorization, Cross-Site Request Forgery (CSRF) vulnerability in Hal Gatewood Dashicons + Custom Post Types.This issue affects Dashicons + Custom Post Types: from n/a through 1.0.2. | 8.8 |
2023-12-20 | CVE-2023-23970 | Woorockets | Unrestricted Upload of File with Dangerous Type vulnerability in Woorockets Corsa Unrestricted Upload of File with Dangerous Type vulnerability in WooRockets Corsa.This issue affects Corsa: from n/a through 1.5. | 8.8 |
2023-12-20 | CVE-2023-31215 | Amadercode | Unspecified vulnerability in Amadercode Dropshipping & Affiliation With Amazon 2.1.2 Unrestricted Upload of File with Dangerous Type vulnerability in AmaderCode Lab Dropshipping & Affiliation with Amazon.This issue affects Dropshipping & Affiliation with Amazon: from n/a through 2.1.2. | 8.8 |
2023-12-20 | CVE-2023-33318 | Woocommerce | Unspecified vulnerability in Woocommerce Automatewoo Unrestricted Upload of File with Dangerous Type vulnerability in WooCommerce AutomateWoo.This issue affects AutomateWoo: from n/a through 4.9.40. | 8.8 |
2023-12-20 | CVE-2023-34007 | Wpchill | Unspecified vulnerability in Wpchill Download Monitor Unrestricted Upload of File with Dangerous Type vulnerability in WPChill Download Monitor.This issue affects Download Monitor: from n/a through 4.8.3. | 8.8 |
2023-12-20 | CVE-2023-34385 | Akshaymenariya | Unspecified vulnerability in Akshaymenariya Export Import Menus Unrestricted Upload of File with Dangerous Type vulnerability in Akshay Menariya Export Import Menus.This issue affects Export Import Menus: from n/a through 1.8.0. | 8.8 |
2023-12-20 | CVE-2023-46149 | Themify | Unspecified vulnerability in Themify Ultra Unrestricted Upload of File with Dangerous Type vulnerability in Themify Themify Ultra.This issue affects Themify Ultra: from n/a through 7.3.5. | 8.8 |
2023-12-20 | CVE-2023-47784 | Themepunch | Unspecified vulnerability in Themepunch Slider Revolution Unrestricted Upload of File with Dangerous Type vulnerability in ThemePunch OHG Slider Revolution.This issue affects Slider Revolution: from n/a through 6.6.15. | 8.8 |
2023-12-20 | CVE-2023-28788 | Pagevisitcounter | SQL Injection vulnerability in Pagevisitcounter Advanced Page Visit Counter Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Page Visit Counter Advanced Page Visit Counter – Most Wanted Analytics Plugin for WordPress.This issue affects Advanced Page Visit Counter – Most Wanted Analytics Plugin for WordPress: from n/a through 6.4.2. | 8.8 |
2023-12-20 | CVE-2023-29096 | Bestwebsoft | Unspecified vulnerability in Bestwebsoft Contact Form to DB Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in BestWebSoft Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress.This issue affects Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress: from n/a through 1.7.0. | 8.8 |
2023-12-20 | CVE-2023-46147 | Themify | Unspecified vulnerability in Themify Ultra Deserialization of Untrusted Data vulnerability in Themify Themify Ultra.This issue affects Themify Ultra: from n/a through 7.3.5. | 8.8 |
2023-12-20 | CVE-2023-6976 | Lfprojects | Unspecified vulnerability in Lfprojects Mlflow This vulnerability is capable of writing arbitrary files into arbitrary locations on the remote filesystem in the context of the server process. | 8.8 |
2023-12-20 | CVE-2023-47706 | IBM | Unspecified vulnerability in IBM Security Guardium KEY Lifecycle Manager 4.2.0 IBM Security Guardium Key Lifecycle Manager 4.3 could allow an authenticated user to upload files of a dangerous file type. | 8.8 |
2023-12-20 | CVE-2023-6689 | Efacec | Cross-Site Request Forgery (CSRF) vulnerability in Efacec BCU 500 Firmware 4.07 A successful CSRF attack could force the user to perform state changing requests on the application. | 8.8 |
2023-12-19 | CVE-2023-49164 | Oceanwp | Cross-Site Request Forgery (CSRF) vulnerability in Oceanwp Ocean Extra Cross-Site Request Forgery (CSRF) vulnerability in OceanWP Ocean Extra.This issue affects Ocean Extra: from n/a through 2.2.2. | 8.8 |
2023-12-19 | CVE-2023-50835 | Praveengoswami | Unspecified vulnerability in Praveengoswami Advanced Category Template 0.1 Cross-Site Request Forgery (CSRF) vulnerability in Praveen Goswami Advanced Category Template.This issue affects Advanced Category Template: from n/a through 0.1. | 8.8 |
2023-12-19 | CVE-2023-50466 | Weintek | OS Command Injection vulnerability in Weintek Cmt2078X Firmware 2.1.3 An authenticated command injection vulnerability in Weintek cMT2078X easyweb Web Version v2.1.3, OS v20220215 allows attackers to execute arbitrary code or access sensitive information via injecting a crafted payload into the HMI Name parameter. | 8.8 |
2023-12-19 | CVE-2023-34382 | Wedevs | Unspecified vulnerability in Wedevs Dokan Deserialization of Untrusted Data vulnerability in weDevs Dokan – Best WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy.This issue affects Dokan – Best WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy: from n/a through 3.7.19. | 8.8 |
2023-12-19 | CVE-2023-43826 | Apache | Unspecified vulnerability in Apache Guacamole Apache Guacamole 1.5.3 and older do not consistently ensure that values received from a VNC server will not result in integer overflow. | 8.8 |
2023-12-19 | CVE-2023-6856 | Mozilla Debian | Out-of-bounds Write vulnerability in multiple products The WebGL `DrawElementsInstanced` method was susceptible to a heap buffer overflow when used on systems with the Mesa VM driver. | 8.8 |
2023-12-19 | CVE-2023-6858 | Mozilla Debian | Out-of-bounds Write vulnerability in multiple products Firefox was susceptible to a heap buffer overflow in `nsTextFragment` due to insufficient OOM handling. | 8.8 |
2023-12-19 | CVE-2023-6859 | Mozilla Debian | Use After Free vulnerability in multiple products A use-after-free condition affected TLS socket creation when under memory pressure. | 8.8 |
2023-12-19 | CVE-2023-6861 | Mozilla Debian | Out-of-bounds Write vulnerability in multiple products The `nsWindow::PickerOpen(void)` method was susceptible to a heap buffer overflow when running in headless mode. | 8.8 |
2023-12-19 | CVE-2023-6862 | Mozilla Debian | Use After Free vulnerability in multiple products A use-after-free was identified in the `nsDNSService::Init`. | 8.8 |
2023-12-19 | CVE-2023-6863 | Mozilla Debian | The `ShutdownObserver()` was susceptible to potentially undefined behavior due to its reliance on a dynamic type that lacked a virtual destructor. | 8.8 |
2023-12-19 | CVE-2023-6864 | Mozilla Debian | Out-of-bounds Write vulnerability in multiple products Memory safety bugs present in Firefox 120, Firefox ESR 115.5, and Thunderbird 115.5. | 8.8 |
2023-12-19 | CVE-2023-6866 | Mozilla | Improper Handling of Exceptional Conditions vulnerability in Mozilla Firefox TypedArrays can be fallible and lacked proper exception handling. | 8.8 |
2023-12-19 | CVE-2023-6873 | Mozilla Debian | Out-of-bounds Write vulnerability in multiple products Memory safety bugs present in Firefox 120. | 8.8 |
2023-12-19 | CVE-2023-6730 | Huggingface | Unspecified vulnerability in Huggingface Transformers Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36. | 8.8 |
2023-12-19 | CVE-2023-49736 | Apache | Unspecified vulnerability in Apache Superset A where_in JINJA macro allows users to specify a quote, which combined with a carefully crafted statement would allow for SQL injection in Apache Superset.This issue affects Apache Superset: before 2.1.2, from 3.0.0 before 3.0.2. Users are recommended to upgrade to version 3.0.2, which fixes the issue. | 8.8 |
2023-12-19 | CVE-2023-6940 | Lfprojects | Unspecified vulnerability in Lfprojects Mlflow with only one user interaction(download a malicious config), attackers can gain full command execution on the victim system. | 8.8 |
2023-12-19 | CVE-2023-46212 | Wpvnteam | Missing Authorization vulnerability in Wpvnteam WP Extra Missing Authorization, Cross-Site Request Forgery (CSRF) vulnerability in TienCOP WP EXtra allows Accessing Functionality Not Properly Constrained by ACLs, Cross Site Request Forgery.This issue affects WP EXtra: from n/a through 6.2. | 8.8 |
2023-12-19 | CVE-2023-48751 | Xnau | Unspecified vulnerability in Xnau Participants Database Missing Authorization, Cross-Site Request Forgery (CSRF) vulnerability in Roland Barker, xnau webdesign Participants Database allows Accessing Functionality Not Properly Constrained by ACLs, Cross Site Request Forgery.This issue affects Participants Database: from n/a through 2.5.5. | 8.8 |
2023-12-18 | CVE-2023-34168 | Esiteq | Unspecified vulnerability in Esiteq WP Report Post 2.1.2 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Alex Raven WP Report Post allows SQL Injection.This issue affects WP Report Post: from n/a through 2.1.2. | 8.8 |
2023-12-18 | CVE-2023-47506 | Masterslider | Unspecified vulnerability in Masterslider Master Slider Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Master slider Master Slider Pro allows SQL Injection.This issue affects Master Slider Pro: from n/a through 3.6.5. | 8.8 |
2023-12-18 | CVE-2023-49153 | Codeastrology | Unspecified vulnerability in Codeastrology ADD to Cart Text Changer and Customize Button, ADD Custom Icon Cross-Site Request Forgery (CSRF) vulnerability in Saiful Islam Add to Cart Text Changer and Customize Button, Add Custom Icon.This issue affects Add to Cart Text Changer and Customize Button, Add Custom Icon: from n/a through 2.0. | 8.8 |
2023-12-18 | CVE-2023-49155 | WOW Company | Unspecified vulnerability in Wow-Company Button Generator Cross-Site Request Forgery (CSRF) vulnerability in Wow-Company Button Generator – easily Button Builder.This issue affects Button Generator – easily Button Builder: from n/a through 2.3.8. | 8.8 |
2023-12-18 | CVE-2023-49163 | Mtrv | Unspecified vulnerability in Mtrv Teachpress Cross-Site Request Forgery (CSRF) vulnerability in Michael Winkler teachPress.This issue affects teachPress: from n/a through 9.0.5. | 8.8 |
2023-12-18 | CVE-2023-49759 | Gvectors | Unspecified vulnerability in Gvectors Woodiscuz - Woocommerce Comments Cross-Site Request Forgery (CSRF) vulnerability in gVectors Team WooDiscuz – WooCommerce Comments.This issue affects WooDiscuz – WooCommerce Comments: from n/a through 2.3.0. | 8.8 |
2023-12-18 | CVE-2023-49760 | Giannopouloskostas | Cross-Site Request Forgery (CSRF) vulnerability in Giannopouloskostas Wpsoononlinepage Cross-Site Request Forgery (CSRF) vulnerability in Giannopoulos Kostas WPsoonOnlinePage.This issue affects WPsoonOnlinePage: from n/a through 1.9. | 8.8 |
2023-12-18 | CVE-2023-49761 | Gravitymaster | Unspecified vulnerability in Gravitymaster Product Enquiry for Woocommerce 3.0 Cross-Site Request Forgery (CSRF) vulnerability in Gravity Master Product Enquiry for WooCommerce.This issue affects Product Enquiry for WooCommerce: from n/a through 3.0. | 8.8 |
2023-12-18 | CVE-2023-49763 | Creatomatic | Unspecified vulnerability in Creatomatic Csprite 1.1 Cross-Site Request Forgery (CSRF) vulnerability in Creatomatic Ltd CSprite.This issue affects CSprite: from n/a through 1.1. | 8.8 |
2023-12-18 | CVE-2023-49821 | Livechat | Unspecified vulnerability in Livechat Cross-Site Request Forgery (CSRF) vulnerability in LiveChat LiveChat – WP live chat plugin for WordPress.This issue affects LiveChat – WP live chat plugin for WordPress: from n/a through 4.5.15. | 8.8 |
2023-12-18 | CVE-2023-24590 | Gallagher | Use of Externally-Controlled Format String vulnerability in Gallagher Controller 6000 Firmware A format string issue in the Controller 6000's optional diagnostic web interface can be used to write/read from memory, and in some instances crash the Controller 6000 leading to a Denial of Service. This issue affects: Gallagher Controller 6000 8.60 prior to vCR8.60.231116a (distributed in 8.60.2550 (MR7)), all versions of 8.50 and prior. | 8.8 |
2023-12-18 | CVE-2023-48768 | Codeastrology | Unspecified vulnerability in Codeastrology Quantity Plus Minus Button for Woocommerce Cross-Site Request Forgery (CSRF) vulnerability in CodeAstrology Team Quantity Plus Minus Button for WooCommerce by CodeAstrology.This issue affects Quantity Plus Minus Button for WooCommerce by CodeAstrology: from n/a through 1.1.9. | 8.8 |
2023-12-18 | CVE-2023-48769 | Bluecoral | Unspecified vulnerability in Bluecoral Chat Bubble Cross-Site Request Forgery (CSRF) vulnerability in Blue Coral Chat Bubble – Floating Chat with Contact Chat Icons, Messages, Telegram, Email, SMS, Call me back.This issue affects Chat Bubble – Floating Chat with Contact Chat Icons, Messages, Telegram, Email, SMS, Call me back: from n/a through 2.3. | 8.8 |
2023-12-18 | CVE-2023-48772 | Arulprasadj | Unspecified vulnerability in Arulprasadj Prevent Landscape Rotation Cross-Site Request Forgery (CSRF) vulnerability in Arul Prasad J Prevent Landscape Rotation.This issue affects Prevent Landscape Rotation: from n/a through 2.0. | 8.8 |
2023-12-18 | CVE-2023-48773 | Wpdoctor | Unspecified vulnerability in Wpdoctor Woocommerce Login Redirect 2.2.4 Cross-Site Request Forgery (CSRF) vulnerability in WP Doctor WooCommerce Login Redirect.This issue affects WooCommerce Login Redirect: from n/a through 2.2.4. | 8.8 |
2023-12-18 | CVE-2023-48778 | Villatheme | Unspecified vulnerability in Villatheme Product Size Chart for Woocommerce Cross-Site Request Forgery (CSRF) vulnerability in VillaTheme Product Size Chart For WooCommerce.This issue affects Product Size Chart For WooCommerce: from n/a through 1.1.5. | 8.8 |
2023-12-18 | CVE-2023-48781 | Marketingrapel | Unspecified vulnerability in Marketingrapel Mkrapel Regiones Y Ciudades DE Chile Para WC Cross-Site Request Forgery (CSRF) vulnerability in Marketing Rapel MkRapel Regiones y Ciudades de Chile para WC.This issue affects MkRapel Regiones y Ciudades de Chile para WC: from n/a through 4.3.0. | 8.8 |
2023-12-18 | CVE-2023-49148 | Affiliatebooster | Unspecified vulnerability in Affiliatebooster Affiliate Booster Cross-Site Request Forgery (CSRF) vulnerability in Kulwant Nagi Affiliate Booster – Pros & Cons, Notice, and CTA Blocks for Affiliates.This issue affects Affiliate Booster – Pros & Cons, Notice, and CTA Blocks for Affiliates: from n/a through 3.0.5. | 8.8 |
2023-12-18 | CVE-2023-4311 | Maurice | Unrestricted Upload of File with Dangerous Type vulnerability in Maurice Vrm360 1.2.1 The Vrm 360 3D Model Viewer WordPress plugin through 1.2.1 is vulnerable to arbitrary file upload due to insufficient checks in a plugin shortcode. | 8.8 |
2023-12-18 | CVE-2023-5882 | Soflyy | Cross-Site Request Forgery (CSRF) vulnerability in Soflyy products The Export any WordPress data to XML/CSV WordPress plugin before 1.4.0, WP All Export Pro WordPress plugin before 1.8.6 does not check nonce tokens early enough in the request lifecycle, allowing attackers to make logged in users perform unwanted actions leading to remote code execution. | 8.8 |
2023-12-18 | CVE-2023-5886 | Soflyy | Cross-Site Request Forgery (CSRF) vulnerability in Soflyy products The Export any WordPress data to XML/CSV WordPress plugin before 1.4.0, WP All Export Pro WordPress plugin before 1.8.6 does not check nonce tokens early enough in the request lifecycle, allowing attackers with the ability to upload files to make logged in users perform unwanted actions leading to PHAR deserialization, which may lead to remote code execution. | 8.8 |
2023-12-18 | CVE-2023-46617 | Wpfoxly | Unspecified vulnerability in Wpfoxly Adfoxly 1.8.5 Cross-Site Request Forgery (CSRF) vulnerability in AdFoxly AdFoxly – Ad Manager, AdSense Ads & Ads.Txt.This issue affects AdFoxly – Ad Manager, AdSense Ads & Ads.Txt: from n/a through 1.8.5. | 8.8 |
2023-12-18 | CVE-2023-48762 | Crocoblock | Unspecified vulnerability in Crocoblock Jetelements for Elementor Cross-Site Request Forgery (CSRF) vulnerability in Crocoblock JetElements For Elementor.This issue affects JetElements For Elementor: from n/a through 2.6.13. | 8.8 |
2023-12-18 | CVE-2023-48766 | Svgator | Cross-Site Request Forgery (CSRF) vulnerability in Svgator Cross-Site Request Forgery (CSRF) vulnerability in SVGator SVGator – Add Animated SVG Easily.This issue affects SVGator – Add Animated SVG Easily: from n/a through 1.2.4. | 8.8 |
2023-12-18 | CVE-2023-33214 | Taggbox | Unspecified vulnerability in Taggbox 2.9 Cross-Site Request Forgery (CSRF) vulnerability in Tagbox Tagbox – UGC Galleries, Social Media Widgets, User Reviews & Analytics.This issue affects Tagbox – UGC Galleries, Social Media Widgets, User Reviews & Analytics: from n/a through 3.1. | 8.8 |
2023-12-18 | CVE-2023-47787 | Automattic | Unspecified vulnerability in Automattic Woocommerce Bookings 1.15.78 Cross-Site Request Forgery (CSRF) vulnerability in WooCommerce WooCommerce Bookings.This issue affects WooCommerce Bookings: from n/a through 2.0.3. | 8.8 |
2023-12-18 | CVE-2023-47789 | Automattic | Unspecified vulnerability in Automattic Canada Post Shipping Method Cross-Site Request Forgery (CSRF) vulnerability in WooCommerce Canada Post Shipping Method.This issue affects Canada Post Shipping Method: from n/a through 2.8.3. | 8.8 |
2023-12-18 | CVE-2023-47806 | Saintsystems | Cross-Site Request Forgery (CSRF) vulnerability in Saintsystems Disable User Login Cross-Site Request Forgery (CSRF) vulnerability in Saint Systems Disable User Login.This issue affects Disable User Login: from n/a through 1.3.7. | 8.8 |
2023-12-18 | CVE-2023-48755 | Teachpress Project | Unspecified vulnerability in Teachpress Project Teachpress Cross-Site Request Forgery (CSRF) vulnerability in Michael Winkler teachPress.This issue affects teachPress: from n/a through 9.0.4. | 8.8 |
2023-12-18 | CVE-2023-49840 | Palscode | Unspecified vulnerability in Palscode Multi Currency for Woocommerce Cross-Site Request Forgery (CSRF) vulnerability in Palscode Multi Currency For WooCommerce.This issue affects Multi Currency For WooCommerce: from n/a through 1.5.5. | 8.8 |
2023-12-18 | CVE-2023-49843 | Quanticedge | Unspecified vulnerability in Quanticedge First Order Discount Woocommerce Cross-Site Request Forgery (CSRF) vulnerability in QuanticEdge First Order Discount Woocommerce.This issue affects First Order Discount Woocommerce: from n/a through 1.21. | 8.8 |
2023-12-18 | CVE-2023-49844 | Reviewsignal | Unspecified vulnerability in Reviewsignal Wpperformancetester Cross-Site Request Forgery (CSRF) vulnerability in Kevin Ohashi WPPerformanceTester.This issue affects WPPerformanceTester: from n/a through 2.0.0. | 8.8 |
2023-12-18 | CVE-2023-49853 | Paytr | Unspecified vulnerability in Paytr Taksit Tablosu - Woocommerce Cross-Site Request Forgery (CSRF) vulnerability in PayTR Ödeme ve Elektronik Para Kurulusu A.S. | 8.8 |
2023-12-18 | CVE-2023-49854 | Madebytribe | Cross-Site Request Forgery (CSRF) vulnerability in Madebytribe Caddy Cross-Site Request Forgery (CSRF) vulnerability in Tribe Interactive Caddy – Smart Side Cart for WooCommerce.This issue affects Caddy – Smart Side Cart for WooCommerce: from n/a through 1.9.7. | 8.8 |
2023-12-18 | CVE-2023-49855 | Binarycarpenter | Unspecified vulnerability in Binarycarpenter Menu BAR Cart Icon for Woocommerce Cross-Site Request Forgery (CSRF) vulnerability in BinaryCarpenter Menu Bar Cart Icon For WooCommerce By Binary Carpenter.This issue affects Menu Bar Cart Icon For WooCommerce By Binary Carpenter: from n/a through 1.49.3. | 8.8 |
2023-12-18 | CVE-2023-50372 | Wpgogo | Unspecified vulnerability in Wpgogo Custom Post Type Page Template Cross-Site Request Forgery (CSRF) vulnerability in Hiroaki Miyashita Custom Post Type Page Template.This issue affects Custom Post Type Page Template: from n/a through 1.1. | 8.8 |
2023-12-18 | CVE-2023-32725 | Zabbix | Reliance on Cookies without Validation and Integrity Checking vulnerability in Zabbix Frontend and Zabbix Server The website configured in the URL widget will receive a session cookie when testing or executing scheduled reports. | 8.8 |
2023-12-22 | CVE-2023-51661 | Wasmer | Unspecified vulnerability in Wasmer Wasmer is a WebAssembly runtime that enables containers to run anywhere: from Desktop to the Cloud, Edge and even the browser. | 8.6 |
2023-12-22 | CVE-2023-51708 | Bentley | Improper Authentication vulnerability in Bentley products Bentley eB System Management Console applications within Assetwise Integrity Information Server allow an unauthenticated user to view configuration options via a crafted request, leading to information disclosure. | 8.6 |
2023-12-21 | CVE-2023-51442 | Navidrome | Unspecified vulnerability in Navidrome Navidrome is an open source web-based music collection server and streamer. | 8.6 |
2023-12-21 | CVE-2023-5594 | Eset | Improper Certificate Validation vulnerability in Eset products Improper validation of the server’s certificate chain in secure traffic scanning feature considered intermediate certificate signed using the MD5 or SHA1 algorithm as trusted. | 8.6 |
2023-12-18 | CVE-2023-41314 | Apache | Unspecified vulnerability in Apache Doris The api /api/snapshot and /api/get_log_file would allow unauthenticated access. It could allow a DoS attack or get arbitrary files from FE node. Please upgrade to 2.0.3 to fix these issues. | 8.2 |
2023-12-21 | CVE-2023-2585 | Redhat | Unspecified vulnerability in Redhat products Keycloak's device authorization grant does not correctly validate the device code and client ID. | 8.1 |
2023-12-20 | CVE-2023-26525 | Wedevs | Unspecified vulnerability in Wedevs Dokan Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in weDevs Dokan – Best WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy.This issue affects Dokan – Best WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy: from n/a through 3.7.12. | 8.1 |
2023-12-20 | CVE-2023-30495 | Themefic | Unspecified vulnerability in Themefic Ultimate Addons for Contact Form 7 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themefic Ultimate Addons for Contact Form 7.This issue affects Ultimate Addons for Contact Form 7: from n/a through 3.1.23. | 8.1 |
2023-12-20 | CVE-2023-30750 | Cminds | Unspecified vulnerability in Cminds CM Popup 1.5.10/1.5.8/1.5.9 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CreativeMindsSolutions CM Popup Plugin for WordPress.This issue affects CM Popup Plugin for WordPress: from n/a through 1.5.10. | 8.1 |
2023-12-20 | CVE-2023-31092 | Foxskav | Unspecified vulnerability in Foxskav Easy BET Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Foxskav Easy Bet.This issue affects Easy Bet: from n/a through 1.0.2. | 8.1 |
2023-12-20 | CVE-2023-33209 | Crawlspider | Unspecified vulnerability in Crawlspider SEO Change Monitor Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CrawlSpider SEO Change Monitor – Track Website Changes.This issue affects SEO Change Monitor – Track Website Changes: from n/a through 1.2. | 8.1 |
2023-12-20 | CVE-2023-33330 | Woocommerce | Unspecified vulnerability in Woocommerce Automatewoo Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WooCommerce AutomateWoo.This issue affects AutomateWoo: from n/a through 4.9.50. | 8.1 |
2023-12-20 | CVE-2023-49825 | Pencidesign | Unspecified vulnerability in Pencidesign Soledad Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in PenciDesign Soledad – Multipurpose, Newspaper, Blog & WooCommerce WordPress Theme.This issue affects Soledad – Multipurpose, Newspaper, Blog & WooCommerce WordPress Theme: from n/a through 8.4.1. | 8.1 |
2023-12-20 | CVE-2023-35876 | Automattic | Unspecified vulnerability in Automattic Woocommerce Square Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce WooCommerce Square.This issue affects WooCommerce Square: from n/a through 3.8.1. | 8.1 |
2023-12-20 | CVE-2023-36520 | Zackgrossbart | Authorization Bypass Through User-Controlled Key vulnerability in Zackgrossbart Editorial Calendar Authorization Bypass Through User-Controlled Key vulnerability in MarketingFire Editorial Calendar.This issue affects Editorial Calendar: from n/a through 3.7.12. | 8.1 |
2023-12-19 | CVE-2023-6913 | Imoulife | Unspecified vulnerability in Imoulife Imou Life 6.7.0 A session hijacking vulnerability has been detected in the Imou Life application affecting version 6.7.0. | 8.1 |
2023-12-18 | CVE-2023-23570 | Gallagher | Unspecified vulnerability in Gallagher Command Centre Client-Side enforcement of Server-Side security for the Command Centre server could be bypassed and lead to invalid configuration with undefined behavior. | 8.1 |
2023-12-18 | CVE-2023-32726 | Zabbix | Improper Check for Unusual or Exceptional Conditions vulnerability in Zabbix Zabbix-Agent The vulnerability is caused by improper check for check if RDLENGTH does not overflow the buffer in response from DNS server. | 8.1 |
2023-12-24 | CVE-2023-7101 | Jmcnamara Debian Fedoraproject | Code Injection vulnerability in multiple products Spreadsheet::ParseExcel version 0.65 is a Perl module used for parsing Excel files. | 7.8 |
2023-12-22 | CVE-2023-50254 | Deepin | Path Traversal vulnerability in Deepin Reader Deepin Linux's default document reader `deepin-reader` software suffers from a serious vulnerability in versions prior to 6.0.7 due to a design flaw that leads to remote command execution via crafted docx document. | 7.8 |
2023-12-22 | CVE-2023-48670 | Dell | Untrusted Search Path vulnerability in Dell Supportassist for Home PCS 3.14.2.45116 Dell SupportAssist for Home PCs version 3.14.1 and prior versions contain a privilege escalation vulnerability in the installer. | 7.8 |
2023-12-22 | CVE-2023-43116 | Buildkite | Link Following vulnerability in Buildkite Elastic CI Stack A symbolic link following vulnerability in Buildkite Elastic CI for AWS versions prior to 6.7.1 and 5.22.5 allows the buildkite-agent user to change ownership of arbitrary directories via the PIPELINE_PATH variable in the fix-buildkite-agent-builds-permissions script. | 7.8 |
2023-12-21 | CVE-2023-7025 | Kylinos | Unspecified vulnerability in Kylinos Hedron-Domain-Hook A vulnerability was found in KylinSoft hedron-domain-hook up to 3.8.0.12-0k0.5. | 7.8 |
2023-12-20 | CVE-2023-7018 | Huggingface | Unspecified vulnerability in Huggingface Transformers Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36. | 7.8 |
2023-12-19 | CVE-2023-49147 | Pdf24 | Unspecified vulnerability in Pdf24 Creator An issue was discovered in PDF24 Creator 11.14.0. | 7.8 |
2023-12-19 | CVE-2023-6314 | Panasonic | Out-of-bounds Write vulnerability in Panasonic Fpwin PRO 7.5.0.1/7.5.1.1/7.7.0.0 Stack-based buffer overflow in FPWin Pro version 7.7.0.0 and all previous versions may allow attackers to execute arbitrary code via a specially crafted project file. | 7.8 |
2023-12-19 | CVE-2023-6315 | Panasonic | Out-of-bounds Read vulnerability in Panasonic Fpwin PRO 7.5.0.1/7.5.1.1/7.7.0.0 Out-of-bouds read vulnerability in FPWin Pro version 7.7.0.0 and all previous versions may allow attackers to execute arbitrary code via a specially crafted project file. | 7.8 |
2023-12-18 | CVE-2023-6691 | Cambiumnetworks | Code Injection vulnerability in Cambiumnetworks Epmp Force 300-25 Firmware 4.7.0.1 Cambium ePMP Force 300-25 version 4.7.0.1 is vulnerable to a code injection vulnerability that could allow an attacker to perform remote code execution and gain root privileges. | 7.8 |
2023-12-18 | CVE-2023-6817 | Linux | Use After Free vulnerability in Linux Kernel A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The function nft_pipapo_walk did not skip inactive elements during set walk which could lead double deactivations of PIPAPO (Pile Packet Policies) elements, leading to use-after-free. We recommend upgrading past commit 317eb9685095678f2c9f5a8189de698c5354316a. | 7.8 |
2023-12-18 | CVE-2023-47038 | Perl | Out-of-bounds Write vulnerability in Perl 5.34.0 A vulnerability was found in perl 5.30.0 through 5.38.0. | 7.8 |
2023-12-23 | CVE-2016-15036 | Deis | Unspecified vulnerability in Deis Workflow Manager ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in Deis Workflow Manager up to 2.3.2. | 7.5 |
2023-12-22 | CVE-2023-50730 | Typelevel | Unspecified vulnerability in Typelevel Grackle Grackle is a GraphQL server written in functional Scala, built on the Typelevel stack. | 7.5 |
2023-12-22 | CVE-2023-51449 | Gradio Project | Unspecified vulnerability in Gradio Project Gradio Gradio is an open-source Python package that allows you to quickly build a demo or web application for your machine learning model, API, or any arbitary Python function. | 7.5 |
2023-12-22 | CVE-2023-51650 | Apache | Unspecified vulnerability in Apache Hertzbeat Hertzbeat is an open source, real-time monitoring system. | 7.5 |
2023-12-22 | CVE-2023-51662 | Snowflake | Unspecified vulnerability in Snowflake Connector The Snowflake .NET driver provides an interface to the Microsoft .NET open source software framework for developing applications. | 7.5 |
2023-12-22 | CVE-2023-48704 | Clickhouse | Out-of-bounds Write vulnerability in Clickhouse and Clickhouse Cloud ClickHouse is an open-source column-oriented database management system that allows generating analytical data reports in real-time. | 7.5 |
2023-12-22 | CVE-2022-39337 | Apache | Unspecified vulnerability in Apache Hertzbeat Hertzbeat is an open source, real-time monitoring system with custom-monitoring, high performance cluster, prometheus-like and agentless. | 7.5 |
2023-12-22 | CVE-2023-49391 | Free5Gc | Unspecified vulnerability in Free5Gc 3.3.0 An issue was discovered in free5GC version 3.3.0, allows remote attackers to execute arbitrary code and cause a denial of service (DoS) on AMF component via crafted NGAP message. | 7.5 |
2023-12-22 | CVE-2023-49356 | Glensawyer | Out-of-bounds Write vulnerability in Glensawyer Mp3Gain 1.6.2 A stack buffer overflow vulnerability in MP3Gain v1.6.2 allows an attacker to cause a denial of service via the WriteMP3GainAPETag function at apetag.c:592. | 7.5 |
2023-12-22 | CVE-2023-24609 | Matrixssl Rambus | Integer Overflow or Wraparound vulnerability in multiple products Matrix SSL 4.x through 4.6.0 and Rambus TLS Toolkit have a length-subtraction integer overflow for Client Hello Pre-Shared Key extension parsing in the TLS 1.3 server. | 7.5 |
2023-12-22 | CVE-2023-51713 | Proftpd | Out-of-bounds Read vulnerability in Proftpd make_ftp_cmd in main.c in ProFTPD before 1.3.8a has a one-byte out-of-bounds read, and daemon crash, because of mishandling of quote/backslash semantics. | 7.5 |
2023-12-21 | CVE-2023-48298 | Clickhouse | Unspecified vulnerability in Clickhouse and Clickhouse Cloud ClickHouse® is an open-source column-oriented database management system that allows generating analytical data reports in real-time. | 7.5 |
2023-12-21 | CVE-2023-41097 | Silabs | Information Exposure Through Discrepancy vulnerability in Silabs Gecko Software Development KIT An Observable Timing Discrepancy, Covert Timing Channel vulnerability in Silabs GSDK on ARM potentially allows Padding Oracle Crypto Attack on CBC PKCS7.This issue affects GSDK: through 4.4.0. | 7.5 |
2023-12-21 | CVE-2023-46648 | Github | Insufficient Entropy vulnerability in Github Enterprise Server An insufficient entropy vulnerability was identified in GitHub Enterprise Server (GHES) that allowed an attacker to brute force a user invitation to the GHES Management Console. | 7.5 |
2023-12-21 | CVE-2023-6847 | Github | Improper Authentication vulnerability in Github Enterprise Server An improper authentication vulnerability was identified in GitHub Enterprise Server that allowed a bypass of Private Mode by using a specially crafted API request. | 7.5 |
2023-12-21 | CVE-2023-32747 | Automattic | Unspecified vulnerability in Automattic Woocommerce Bookings 1.15.78 Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce WooCommerce Bookings.This issue affects WooCommerce Bookings: from n/a through 1.15.78. | 7.5 |
2023-12-21 | CVE-2023-28421 | Winwar | Unspecified vulnerability in Winwar WP Email Capture Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Winwar Media WordPress Email Marketing Plugin – WP Email Capture.This issue affects WordPress Email Marketing Plugin – WP Email Capture: from n/a through 3.10. | 7.5 |
2023-12-21 | CVE-2023-2487 | Smackcoders | Unspecified vulnerability in Smackcoders Export ALL Posts, Products, Orders, Refunds & Users Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Smackcoders Export All Posts, Products, Orders, Refunds & Users.This issue affects Export All Posts, Products, Orders, Refunds & Users: from n/a through 2.4.1. | 7.5 |
2023-12-21 | CVE-2023-48288 | Hmplugin | Unspecified vulnerability in Hmplugin Jobwp Exposure of Sensitive Information to an Unauthorized Actor vulnerability in HM Plugin WordPress Job Board and Recruitment Plugin – JobWP.This issue affects WordPress Job Board and Recruitment Plugin – JobWP: from n/a through 2.1. | 7.5 |
2023-12-21 | CVE-2023-49162 | Bigcommerce | Information Exposure vulnerability in Bigcommerce Exposure of Sensitive Information to an Unauthorized Actor vulnerability in BigCommerce BigCommerce For WordPress.This issue affects BigCommerce For WordPress: from n/a through 5.0.6. | 7.5 |
2023-12-21 | CVE-2023-49762 | Appmysite | Unspecified vulnerability in Appmysite Exposure of Sensitive Information to an Unauthorized Actor vulnerability in AppMySite AppMySite – Create an app with the Best Mobile App Builder.This issue affects AppMySite – Create an app with the Best Mobile App Builder: from n/a through 3.11.0. | 7.5 |
2023-12-21 | CVE-2023-50481 | Blinksocks | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Blinksocks 3.3.8 An issue was discovered in blinksocks version 3.3.8, allows remote attackers to obtain sensitive information via weak encryption algorithms in the component /presets/ssr-auth-chain.js. | 7.5 |
2023-12-21 | CVE-2023-45703 | Hcltechsw | Unspecified vulnerability in Hcltechsw HCL Launch HCL Launch may mishandle input validation of an uploaded archive file leading to a denial of service due to resource exhaustion. | 7.5 |
2023-12-21 | CVE-2023-46131 | Grails | Unspecified vulnerability in Grails Grails is a framework used to build web applications with the Groovy programming language. | 7.5 |
2023-12-21 | CVE-2023-51390 | Aiven | Cleartext Transmission of Sensitive Information vulnerability in Aiven Journalpump journalpump is a daemon that takes log messages from journald and pumps them to a given output. | 7.5 |
2023-12-20 | CVE-2022-47597 | Code Atlantic | Unspecified vulnerability in Code-Atlantic Popup Maker Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Popup Maker Popup Maker – Popup for opt-ins, lead gen, & more.This issue affects Popup Maker – Popup for opt-ins, lead gen, & more: from n/a through 1.17.1. | 7.5 |
2023-12-20 | CVE-2023-35914 | Automattic | Unspecified vulnerability in Automattic Woocommerce Subscriptions Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce Woo Subscriptions.This issue affects Woo Subscriptions: from n/a through 5.1.2. | 7.5 |
2023-12-20 | CVE-2023-35916 | Automattic | Unspecified vulnerability in Automattic Woopayments Authorization Bypass Through User-Controlled Key vulnerability in Automattic WooPayments – Fully Integrated Solution Built and Supported by Woo.This issue affects WooPayments – Fully Integrated Solution Built and Supported by Woo: from n/a through 5.9.0. | 7.5 |
2023-12-20 | CVE-2023-32590 | Subscribe TO Category Project | SQL Injection vulnerability in Subscribe to Category Project Subscribe to Category Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Daniel Söderström / Sidney van de Stouwe Subscribe to Category.This issue affects Subscribe to Category: from n/a through 2.7.4. | 7.5 |
2023-12-20 | CVE-2023-37871 | Automattic | Unspecified vulnerability in Automattic Woocommerce Gocardless Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce GoCardless.This issue affects GoCardless: from n/a through 2.5.6. | 7.5 |
2023-12-20 | CVE-2023-50249 | Sentry | Unspecified vulnerability in Sentry Astro Sentry-Javascript is official Sentry SDKs for JavaScript. | 7.5 |
2023-12-20 | CVE-2023-6562 | Kakadusoftware | Unrestricted Upload of File with Dangerous Type vulnerability in Kakadusoftware Kakadu SDK JPX Fragment List (flst) box vulnerability in Kakadu 7.9 allows an attacker to exfiltrate local and remote files reachable by a server if the server allows the attacker to upload a specially-crafted the image that is displayed back to the attacker. | 7.5 |
2023-12-20 | CVE-2023-37544 | Apache | Unspecified vulnerability in Apache Pulsar Improper Authentication vulnerability in Apache Pulsar WebSocket Proxy allows an attacker to connect to the /pingpong endpoint without authentication. This issue affects Apache Pulsar WebSocket Proxy: from 2.8.0 through 2.8.*, from 2.9.0 through 2.9.*, from 2.10.0 through 2.10.4, from 2.11.0 through 2.11.1, 3.0.0. The known risks include a denial of service due to the WebSocket Proxy accepting any connections, and excessive data transfer due to misuse of the WebSocket ping/pong feature. 2.10 Pulsar WebSocket Proxy users should upgrade to at least 2.10.5. 2.11 Pulsar WebSocket Proxy users should upgrade to at least 2.11.2. 3.0 Pulsar WebSocket Proxy users should upgrade to at least 3.0.1. 3.1 Pulsar WebSocket Proxy users are unaffected. Any users running the Pulsar WebSocket Proxy for 2.8, 2.9, and earlier should upgrade to one of the above patched versions. | 7.5 |
2023-12-20 | CVE-2023-6977 | Lfprojects | Unspecified vulnerability in Lfprojects Mlflow This vulnerability enables malicious users to read sensitive files on the server. | 7.5 |
2023-12-20 | CVE-2023-47704 | IBM | Unspecified vulnerability in IBM Security Guardium KEY Lifecycle Manager 4.2.0 IBM Security Guardium Key Lifecycle Manager 4.3 contains plain text hard-coded credentials or other secrets in source code repository. | 7.5 |
2023-12-20 | CVE-2023-50707 | Efacec | Resource Exhaustion vulnerability in Efacec BCU 500 Firmware 4.07 Through the exploitation of active user sessions, an attacker could send custom requests to cause a denial-of-service condition on the device. | 7.5 |
2023-12-19 | CVE-2023-49812 | Wppa | Unspecified vulnerability in Wppa WP Photo Album Plus Authorization Bypass Through User-Controlled Key vulnerability in J.N. | 7.5 |
2023-12-19 | CVE-2023-44983 | Aruba | Unspecified vulnerability in Aruba Hispeed Cache Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Aruba.It Aruba HiSpeed Cache.This issue affects Aruba HiSpeed Cache: from n/a through 2.0.6. | 7.5 |
2023-12-19 | CVE-2023-44991 | Meowapps | Unspecified vulnerability in Meowapps Media File Renamer - Auto & Manual Rename Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Jordy Meow Media File Renamer: Rename Files (Manual, Auto & AI).This issue affects Media File Renamer: Rename Files (Manual, Auto & AI): from n/a through 5.6.9. | 7.5 |
2023-12-19 | CVE-2023-46262 | Ivanti | Server-Side Request Forgery (SSRF) vulnerability in Ivanti Avalanche An unauthenticated attacked could send a specifically crafted web request causing a Server-Side Request Forgery (SSRF) in Ivanti Avalanche Remote Control server. | 7.5 |
2023-12-19 | CVE-2023-46803 | Ivanti | Out-of-bounds Write vulnerability in Ivanti Avalanche An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS). | 7.5 |
2023-12-19 | CVE-2023-46804 | Ivanti | Out-of-bounds Write vulnerability in Ivanti Avalanche An attacker sending specially crafted data packets to the Mobile Device Server can cause memory corruption which could result to a Denial of Service (DoS). | 7.5 |
2023-12-19 | CVE-2023-1514 | Hitachienergy | Improper Certificate Validation vulnerability in Hitachienergy Rtu500 Scripting Interface 1.0.1.30/1.0.2/1.1.1 A vulnerability exists in the component RTU500 Scripting interface. | 7.5 |
2023-12-19 | CVE-2023-6280 | 52North | Unspecified vulnerability in 52North WPS An XXE (XML External Entity) vulnerability has been detected in 52North WPS affecting versions prior to 4.0.0-beta.11. | 7.5 |
2023-12-19 | CVE-2023-6711 | Hitachienergy | Classic Buffer Overflow vulnerability in Hitachienergy Rtu500 Firmware Vulnerability exists in SCI IEC 60870-5-104 and HCI IEC 60870-5-104 that affects the RTU500 series product versions listed below. | 7.5 |
2023-12-19 | CVE-2023-44982 | Meowapps | Unspecified vulnerability in Meowapps Perfect Images Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Jordy Meow Perfect Images (Manage Image Sizes, Thumbnails, Replace, Retina).This issue affects Perfect Images (Manage Image Sizes, Thumbnails, Replace, Retina): from n/a through 6.4.5. | 7.5 |
2023-12-18 | CVE-2023-5949 | Wpmudev | Missing Authorization vulnerability in Wpmudev Smartcrawl The SmartCrawl WordPress plugin before 3.8.3 does not prevent unauthorised users from accessing password-protected posts' content. | 7.5 |
2023-12-18 | CVE-2023-6203 | Stellarwp | Unspecified vulnerability in Stellarwp the Events Calendar The Events Calendar WordPress plugin before 6.2.8.1 discloses the content of password protected posts to unauthenticated users via a crafted request | 7.5 |
2023-12-18 | CVE-2023-46177 | IBM | Unspecified vulnerability in IBM MQ Appliance 9.3.0.0 IBM MQ Appliance 9.3 LTS and 9.3 CD could allow a remote attacker to traverse directories on the system. | 7.5 |
2023-12-18 | CVE-2023-3430 | Openimageio | Out-of-bounds Write vulnerability in Openimageio 2.4.11 A vulnerability was found in OpenImageIO, where a heap buffer overflow exists in the src/gif.imageio/gifinput.cpp file. | 7.5 |
2023-12-18 | CVE-2023-4320 | Redhat | Insufficient Session Expiration vulnerability in Redhat Satellite An arithmetic overflow flaw was found in Satellite when creating a new personal access token. | 7.5 |
2023-12-18 | CVE-2023-32230 | Bosch | Unspecified vulnerability in Bosch products An improper handling of a malformed API request to an API server in Bosch BT software products can allow an unauthenticated attacker to cause a Denial of Service (DoS) situation. | 7.5 |
2023-12-18 | CVE-2023-50980 | Cryptopp | Unspecified vulnerability in Cryptopp Crypto++ gf2n.cpp in Crypto++ (aka cryptopp) through 8.9.0 allows attackers to cause a denial of service (application crash) via DER public-key data for an F(2^m) curve, if the degree of each term in the polynomial is not strictly decreasing. | 7.5 |
2023-12-18 | CVE-2023-50981 | Cryptopp | Infinite Loop vulnerability in Cryptopp Crypto++ ModularSquareRoot in Crypto++ (aka cryptopp) through 8.9.0 allows attackers to cause a denial of service (infinite loop) via crafted DER public-key data associated with squared odd numbers, such as the square of 268995137513890432434389773128616504853. | 7.5 |
2023-12-18 | CVE-2023-6909 | Lfprojects | Unspecified vulnerability in Lfprojects Mlflow Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2. | 7.5 |
2023-12-23 | CVE-2023-7002 | Backupbliss | OS Command Injection vulnerability in Backupbliss Backup Migration The Backup Migration plugin for WordPress is vulnerable to OS Command Injection in all versions up to, and including, 1.3.9 via the 'url' parameter. | 7.2 |
2023-12-20 | CVE-2023-28170 | Themely | Unrestricted Upload of File with Dangerous Type vulnerability in Themely Theme Demo Import 1.1.1 Unrestricted Upload of File with Dangerous Type vulnerability in Themely Theme Demo Import.This issue affects Theme Demo Import: from n/a through 1.1.1. | 7.2 |
2023-12-20 | CVE-2023-29102 | Olivethemes | Unspecified vulnerability in Olivethemes Olive ONE Click Demo Import 1.1.1 Unrestricted Upload of File with Dangerous Type vulnerability in Olive Themes Olive One Click Demo Import.This issue affects Olive One Click Demo Import: from n/a through 1.1.1. | 7.2 |
2023-12-20 | CVE-2023-40204 | Premio | Unspecified vulnerability in Premio Folders Unrestricted Upload of File with Dangerous Type vulnerability in Premio Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager.This issue affects Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager: from n/a through 2.9.2. | 7.2 |
2023-12-20 | CVE-2023-49814 | Symbiostock | Unspecified vulnerability in Symbiostock 6.0.0 Unrestricted Upload of File with Dangerous Type vulnerability in Symbiostock symbiostock.This issue affects Symbiostock: from n/a through 6.0.0. | 7.2 |
2023-12-20 | CVE-2022-47599 | Bitapps | Unspecified vulnerability in Bitapps File Manager Deserialization of Untrusted Data vulnerability in File Manager by Bit Form Team File Manager – 100% Free & Open Source File Manager Plugin for WordPress | Bit File Manager.This issue affects File Manager – 100% Free & Open Source File Manager Plugin for WordPress | Bit File Manager: from n/a through 5.2.7. | 7.2 |
2023-12-20 | CVE-2023-28491 | Tribulant | Unspecified vulnerability in Tribulant Slideshow Gallery Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Tribulant Slideshow Gallery LITE.This issue affects Slideshow Gallery LITE: from n/a through 1.7.6. | 7.2 |
2023-12-20 | CVE-2023-32128 | Adastracrypto | Unspecified vulnerability in Adastracrypto Cryptocurrency Payment & Donation BOX Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Adastra Crypto Cryptocurrency Payment & Donation Box – Accept Payments in any Cryptocurrency on your WP Site for Free.This issue affects Cryptocurrency Payment & Donation Box – Accept Payments in any Cryptocurrency on your WP Site for Free: from n/a through 2.2.7. | 7.2 |
2023-12-20 | CVE-2023-47852 | Linkwhisper | Unspecified vulnerability in Linkwhisper Link Whisper Free Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Link Whisper Link Whisper Free.This issue affects Link Whisper Free: from n/a through 0.6.5. | 7.2 |
2023-12-19 | CVE-2023-38126 | Softing | Path Traversal vulnerability in Softing Edgeaggregator 3.4.0 Softing edgeAggregator Restore Configuration Directory Traversal Remote Code Execution Vulnerability. | 7.2 |
2023-12-19 | CVE-2023-48327 | Wcvendors | Unspecified vulnerability in Wcvendors Woocommerce Multi-Vendor, Woocommerce Marketplace, Product Vendors 2.4.7 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WC Vendors WC Vendors – WooCommerce Multi-Vendor, WooCommerce Marketplace, Product Vendors.This issue affects WC Vendors – WooCommerce Multi-Vendor, WooCommerce Marketplace, Product Vendors: from n/a through 2.4.7. | 7.2 |
2023-12-19 | CVE-2023-48741 | Quantumcloud | Unspecified vulnerability in Quantumcloud AI Chatbot Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in QuantumCloud AI ChatBot.This issue affects AI ChatBot: from n/a through 4.7.8. | 7.2 |
2023-12-19 | CVE-2023-48764 | Guardgiant | Unspecified vulnerability in Guardgiant 2.2.5 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in GuardGiant Brute Force Protection WordPress Brute Force Protection – Stop Brute Force Attacks.This issue affects WordPress Brute Force Protection – Stop Brute Force Attacks: from n/a through 2.2.5. | 7.2 |
2023-12-19 | CVE-2023-49764 | Sigmaplugin | Unspecified vulnerability in Sigmaplugin Advanced Database Cleaner Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Younes JFR. | 7.2 |
2023-12-19 | CVE-2023-46154 | E2Pdf | Unspecified vulnerability in E2Pdf Deserialization of Untrusted Data vulnerability in E2Pdf.Com E2Pdf – Export To Pdf Tool for WordPress.This issue affects E2Pdf – Export To Pdf Tool for WordPress: from n/a through 1.20.18. | 7.2 |
2023-12-18 | CVE-2023-33331 | WOO | Unspecified vulnerability in WOO Product Vendors Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WooCommerce Product Vendors allows SQL Injection.This issue affects Product Vendors: from n/a through 2.1.76. | 7.2 |
2023-12-18 | CVE-2023-47530 | Wpvibes | Unspecified vulnerability in Wpvibes Redirect 404 Error Page to Homepage or Custom Page With Logs Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPVibes Redirect 404 Error Page to Homepage or Custom Page with Logs allows SQL Injection.This issue affects Redirect 404 Error Page to Homepage or Custom Page with Logs: from n/a through 1.8.7. | 7.2 |
2023-12-18 | CVE-2023-4724 | Soflyy | Unspecified vulnerability in Soflyy products The Export any WordPress data to XML/CSV WordPress plugin before 1.4.0, WP All Export Pro WordPress plugin before 1.8.6 does not validate and sanitise the `wp_query` parameter which allows an attacker to run arbitrary command on the remote server | 7.2 |
2023-12-18 | CVE-2023-6222 | Quttera | Path Traversal vulnerability in Quttera web Malware Scanner IThe Quttera Web Malware Scanner WordPress plugin before 3.4.2.1 does not validate user input used in a path, which could allow users with an admin role to perform path traversal attacks | 7.2 |
2023-12-18 | CVE-2023-6295 | Siteorigin | Unspecified vulnerability in Siteorigin Widgets Bundle The SiteOrigin Widgets Bundle WordPress plugin before 1.51.0 does not validate user input before using it to generate paths passed to include function/s, allowing users with the administrator role to perform LFI attacks in the context of Multisite WordPress sites. | 7.2 |
2023-12-18 | CVE-2023-39509 | Bosch | Command Injection vulnerability in Bosch Cpp13 Firmware and Cpp14 Firmware A command injection vulnerability exists in Bosch IP cameras that allows an authenticated user with administrative rights to run arbitrary commands on the OS of the camera. | 7.2 |
2023-12-18 | CVE-2023-32727 | Zabbix | Improper Input Validation vulnerability in Zabbix Server 6.0.22/6.4.7/7.0.0 An attacker who has the privilege to configure Zabbix items can use function icmpping() with additional malicious command inside it to execute arbitrary code on the current Zabbix server. | 7.2 |
2023-12-18 | CVE-2023-46686 | Gallagher | Unspecified vulnerability in Gallagher Command Centre 9.00/9.00.1507 A reliance on untrusted inputs in a security decision could be exploited by a privileged user to configure the Gallagher Command Centre Diagnostics Service to use less secure communication protocols. | 7.1 |
2023-12-24 | CVE-2023-51767 | Openbsd Fedoraproject Redhat | OpenSSH through 9.6, when common types of DRAM are used, might allow row hammer attacks (for authentication bypass) because the integer value of authenticated in mm_answer_authpassword does not resist flips of a single bit. | 7.0 |
2023-12-22 | CVE-2023-42465 | Sudo Project | Unspecified vulnerability in Sudo Project Sudo Sudo before 1.9.15 might allow row hammer attacks (for authentication bypass or privilege escalation) because application logic sometimes is based on not equaling an error value (instead of equaling a success value), and because the values do not resist flips of a single bit. | 7.0 |
2023-12-22 | CVE-2023-43741 | Buildkite | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Buildkite Elastic CI Stack A time-of-check-time-of-use race condition vulnerability in Buildkite Elastic CI for AWS versions prior to 6.7.1 and 5.22.5 allows the buildkite-agent user to bypass a symbolic link check for the PIPELINE_PATH variable in the fix-buildkite-agent-builds-permissions script. | 7.0 |
2023-12-21 | CVE-2023-46649 | Github | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Github Enterprise Server A race condition in GitHub Enterprise Server was identified that could allow an attacker administrator access. | 7.0 |
2023-12-21 | CVE-2023-6546 | Linux Fedoraproject Redhat | Race Condition vulnerability in multiple products A race condition was found in the GSM 0710 tty multiplexor in the Linux kernel. | 7.0 |
2023-12-19 | CVE-2023-6931 | Linux Debian | Out-of-bounds Write vulnerability in multiple products A heap out-of-bounds write vulnerability in the Linux kernel's Performance Events system component can be exploited to achieve local privilege escalation. A perf_event's read_size can overflow, leading to an heap out-of-bounds increment or write in perf_read_group(). We recommend upgrading past commit 382c27f4ed28f803b1f1473ac2d8db0afc795a1b. | 7.0 |
2023-12-19 | CVE-2023-6932 | Linux | Use After Free vulnerability in Linux Kernel A use-after-free vulnerability in the Linux kernel's ipv4: igmp component can be exploited to achieve local privilege escalation. A race condition can be exploited to cause a timer be mistakenly registered on a RCU read locked object which is freed by another thread. We recommend upgrading past commit e2b706c691905fe78468c361aaabc719d0a496f1. | 7.0 |
192 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2023-12-22 | CVE-2023-43088 | Dell | Unspecified vulnerability in Dell Precision 7865 Tower Firmware Dell Client BIOS contains a pre-boot direct memory access (DMA) vulnerability. | 6.8 |
2023-12-20 | CVE-2023-3742 | Unspecified vulnerability in Google Chrome Insufficient policy enforcement in ADB in Google Chrome on ChromeOS prior to 114.0.5735.90 allowed a local attacker to bypass device policy restrictions via physical access to the device. | 6.8 | |
2023-12-20 | CVE-2023-0011 | U Blox | OS Command Injection vulnerability in U-Blox products A flaw in the input validation in TOBY-L2 allows a user to execute arbitrary operating system commands using specifically crafted AT commands. | 6.8 |
2023-12-19 | CVE-2023-49706 | Linotp | Race Condition vulnerability in Linotp and Virtual Appliance Defective request context handling in Self Service in LinOTP 3.x before 3.2.5 allows remote unauthenticated attackers to escalate privileges, thereby allowing them to act as and with the permissions of another user. | 6.8 |
2023-12-18 | CVE-2023-6355 | Gallagher | Incorrect Authorization vulnerability in Gallagher Controller 7000 Firmware Incorrect selection of fuse values in the Controller 7000 platform allows an attacker to bypass some protection mechanisms to enable local debug. | 6.8 |
2023-12-22 | CVE-2023-39251 | Dell | Unspecified vulnerability in Dell products Dell BIOS contains an Improper Input Validation vulnerability. | 6.7 |
2023-12-23 | CVE-2023-49594 | Michaelkelly | Unspecified vulnerability in Michaelkelly Duouniversalkeycloakauthenticator An information disclosure vulnerability exists in the challenge functionality of instipod DuoUniversalKeycloakAuthenticator 1.0.7 plugin. | 6.5 |
2023-12-23 | CVE-2023-5962 | Moxa | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Moxa products A weak cryptographic algorithm vulnerability has been identified in ioLogik E1200 Series firmware versions v3.3 and prior. | 6.5 |
2023-12-22 | CVE-2023-48308 | Nextcloud | Improper Cross-boundary Removal of Sensitive Data vulnerability in Nextcloud Calendar Nextcloud/Cloud is a calendar app for Nextcloud. | 6.5 |
2023-12-21 | CVE-2023-6802 | Github | Information Exposure Through Log Files vulnerability in Github Enterprise Server An insertion of sensitive information into the log file in the audit log in GitHub Enterprise Server was identified that could allow an attacker to gain access to the management console. | 6.5 |
2023-12-21 | CVE-2023-7040 | Codelyfe | Unspecified vulnerability in Codelyfe Stupid Simple CMS A vulnerability classified as problematic was found in codelyfe Stupid Simple CMS up to 1.2.4. | 6.5 |
2023-12-21 | CVE-2023-32799 | Woocommerce | Authorization Bypass Through User-Controlled Key vulnerability in Woocommerce Shipping multiple Addresses Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce Shipping Multiple Addresses.This issue affects Shipping Multiple Addresses: from n/a through 3.8.3. | 6.5 |
2023-12-21 | CVE-2023-47191 | Kainelabs | Unspecified vulnerability in Kainelabs Youzify Authorization Bypass Through User-Controlled Key vulnerability in KaineLabs Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress.This issue affects Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress: from n/a through 1.2.2. | 6.5 |
2023-12-21 | CVE-2023-49765 | Blazzdev | Unspecified vulnerability in Blazzdev Rate MY Post Authorization Bypass Through User-Controlled Key vulnerability in Blaz K. | 6.5 |
2023-12-21 | CVE-2023-7038 | Automad | Unspecified vulnerability in Automad A vulnerability was found in automad up to 1.10.9. | 6.5 |
2023-12-21 | CVE-2023-49920 | Apache | Unspecified vulnerability in Apache Airflow Apache Airflow, version 2.7.0 through 2.7.3, has a vulnerability that allows an attacker to trigger a DAG in a GET request without CSRF validation. As a result, it was possible for a malicious website opened in the same browser - by the user who also had Airflow UI opened - to trigger the execution of DAGs without the user's consent. Users are advised to upgrade to version 2.8.0 or later which is not affected | 6.5 |
2023-12-21 | CVE-2023-50783 | Apache | Unspecified vulnerability in Apache Airflow Apache Airflow, versions before 2.8.0, is affected by a vulnerability that allows an authenticated user without the variable edit permission, to update a variable. This flaw compromises the integrity of variable management, potentially leading to unauthorized data modification. Users are recommended to upgrade to 2.8.0, which fixes this issue | 6.5 |
2023-12-21 | CVE-2023-7026 | Lightxun | Unspecified vulnerability in Lightxun Iptv Gateway 20231208 A vulnerability was found in Lightxun IPTV Gateway up to 20231208. | 6.5 |
2023-12-21 | CVE-2023-47093 | Stormshield | Unspecified vulnerability in Stormshield Network Security An issue was discovered in Stormshield Network Security (SNS) 4.0.0 through 4.3.21, 4.4.0 through 4.6.8, and 4.7.0. | 6.5 |
2023-12-20 | CVE-2023-31231 | Unlimited Elements | Unspecified vulnerability in Unlimited-Elements Unlimited Elements for Elementor Unrestricted Upload of File with Dangerous Type vulnerability in Unlimited Elements Unlimited Elements For Elementor (Free Widgets, Addons, Templates).This issue affects Unlimited Elements For Elementor (Free Widgets, Addons, Templates): from n/a through 1.5.65. | 6.5 |
2023-12-20 | CVE-2023-30872 | Bannersky | Unspecified vulnerability in Bannersky BSK Forms Blacklist Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in BannerSky BSK Forms Blacklist.This issue affects BSK Forms Blacklist: from n/a through 3.6.2. | 6.5 |
2023-12-20 | CVE-2023-41796 | Sunshinephotocart | Unspecified vulnerability in Sunshinephotocart Sunshine Photo Cart Authorization Bypass Through User-Controlled Key vulnerability in WP Sunshine Sunshine Photo Cart: Free Client Galleries for Photographers.This issue affects Sunshine Photo Cart: Free Client Galleries for Photographers: from n/a before 3.0.0. | 6.5 |
2023-12-20 | CVE-2023-46311 | Gvectors | Unspecified vulnerability in Gvectors Wpdiscuz Authorization Bypass Through User-Controlled Key vulnerability in gVectors Team Comments – wpDiscuz.This issue affects Comments – wpDiscuz: from n/a through 7.6.3. | 6.5 |
2023-12-20 | CVE-2023-6910 | M Files | Unspecified vulnerability in M-Files Server A vulnerable API method in M-Files Server before 23.12.13195.0 allows for uncontrolled resource consumption. | 6.5 |
2023-12-20 | CVE-2023-47161 | IBM | Unspecified vulnerability in IBM Urbancode Deploy IBM UrbanCode Deploy (UCD) 7.1 through 7.1.2.14, 7.2 through 7.2.3.7, and 7.3 through 7.3.2.2 may mishandle input validation of an uploaded archive file leading to a denial of service due to resource exhaustion. | 6.5 |
2023-12-19 | CVE-2022-43450 | XWP | Unspecified vulnerability in XWP Stream Authorization Bypass Through User-Controlled Key vulnerability in XWP Stream.This issue affects Stream: from n/a through 3.9.2. | 6.5 |
2023-12-19 | CVE-2023-47146 | IBM | Unspecified vulnerability in IBM Qradar Security Information and Event Manager 7.5.0 IBM Qradar SIEM 7.5 could allow a privileged user to obtain sensitive domain information due to data being misidentified. | 6.5 |
2023-12-19 | CVE-2023-25715 | Gamipress | Unspecified vulnerability in Gamipress Missing Authorization vulnerability in GamiPress GamiPress – The #1 gamification plugin to reward points, achievements, badges & ranks in WordPress.This issue affects GamiPress – The #1 gamification plugin to reward points, achievements, badges & ranks in WordPress: from n/a through 2.5.6. | 6.5 |
2023-12-19 | CVE-2023-6860 | Mozilla Debian | The `VideoBridge` allowed any content process to use textures produced by remote decoders. | 6.5 |
2023-12-19 | CVE-2023-6865 | Mozilla Debian | `EncryptingOutputStream` was susceptible to exposing uninitialized data. | 6.5 |
2023-12-19 | CVE-2023-6869 | Mozilla | Unspecified vulnerability in Mozilla Firefox A `<dialog>` element could have been manipulated to paint content outside of a sandboxed iframe. | 6.5 |
2023-12-19 | CVE-2023-6872 | Mozilla | Unspecified vulnerability in Mozilla Firefox Browser tab titles were being leaked by GNOME to system logs. | 6.5 |
2023-12-19 | CVE-2023-46104 | Apache | Unspecified vulnerability in Apache Superset Uncontrolled resource consumption can be triggered by authenticated attacker that uploads a malicious ZIP to import database, dashboards or datasets. This vulnerability exists in Apache Superset versions up to and including 2.1.2 and versions 3.0.0, 3.0.1. | 6.5 |
2023-12-19 | CVE-2023-49006 | Phpsysinfo | Cross-Site Request Forgery (CSRF) vulnerability in PHPsysinfo 3.4.3 Cross Site Request Forgery (CSRF) vulnerability in Phpsysinfo version 3.4.3 allows a remote attacker to obtain sensitive information via a crafted page in the XML.php file. | 6.5 |
2023-12-19 | CVE-2023-49734 | Apache | Unspecified vulnerability in Apache Superset An authenticated Gamma user has the ability to create a dashboard and add charts to it, this user would automatically become one of the owners of the charts allowing him to incorrectly have write permissions to these charts.This issue affects Apache Superset: before 2.1.2, from 3.0.0 before 3.0.2. Users are recommended to upgrade to version 3.0.2 or 2.1.3, which fixes the issue. | 6.5 |
2023-12-18 | CVE-2023-47558 | Lindeni | Unspecified vulnerability in Lindeni WHO HIT the Page - HIT Counter Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mahlamusa Who Hit The Page – Hit Counter allows SQL Injection.This issue affects Who Hit The Page – Hit Counter: from n/a through 1.4.14.3. | 6.5 |
2023-12-18 | CVE-2023-6077 | Wpfrank | Unspecified vulnerability in Wpfrank Slider Factory PRO The Slider WordPress plugin before 3.5.12 does not ensure that posts to be accessed via an AJAX action are slides and can be viewed by the user making the request, allowing any authenticated users, such as subscriber to access the content arbitrary post such as private, draft and password protected | 6.5 |
2023-12-18 | CVE-2023-51385 | Openbsd Debian | OS Command Injection vulnerability in multiple products In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. | 6.5 |
2023-12-18 | CVE-2022-40312 | Givewp | Unspecified vulnerability in Givewp Server-Side Request Forgery (SSRF) vulnerability in GiveWP GiveWP – Donation Plugin and Fundraising Platform.This issue affects GiveWP – Donation Plugin and Fundraising Platform: from n/a through 2.25.1. | 6.5 |
2023-12-18 | CVE-2023-3628 | Redhat Infinispan | A flaw was found in Infinispan's REST. | 6.5 |
2023-12-18 | CVE-2023-3629 | Redhat Infinispan | A flaw was found in Infinispan's REST, Cache retrieval endpoints do not properly evaluate the necessary admin permissions for the operation. | 6.5 |
2023-12-18 | CVE-2023-5236 | Redhat Infinispan | A flaw was found in Infinispan, which does not detect circular object references when unmarshalling. | 6.5 |
2023-12-21 | CVE-2023-50732 | Xwiki | Incorrect Authorization vulnerability in Xwiki XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. | 6.3 |
2023-12-18 | CVE-2023-5115 | Redhat Debian | Path Traversal vulnerability in multiple products An absolute path traversal attack exists in the Ansible automation platform. | 6.3 |
2023-12-23 | CVE-2014-125108 | W3 | Unspecified vulnerability in W3 Spell Checker A vulnerability was found in w3c online-spellchecker-py up to 20140130. | 6.1 |
2023-12-22 | CVE-2023-50727 | Resque | Unspecified vulnerability in Resque Resque is a Redis-backed Ruby library for creating background jobs, placing them on multiple queues, and processing them later. | 6.1 |
2023-12-22 | CVE-2023-50725 | Resque | Unspecified vulnerability in Resque Resque is a Redis-backed Ruby library for creating background jobs, placing them on multiple queues, and processing them later. | 6.1 |
2023-12-22 | CVE-2023-50250 | Cacti | Unspecified vulnerability in Cacti 1.2.25 Cacti is an open source operational monitoring and fault management framework. | 6.1 |
2023-12-22 | CVE-2023-7076 | MY AAC | Unspecified vulnerability in My-Aac Myaac A vulnerability was found in slawkens MyAAC up to 0.8.13. | 6.1 |
2023-12-22 | CVE-2023-7075 | Code Projects | Unspecified vulnerability in Code-Projects Point of Sales and Inventory Management System 1.0 A vulnerability was found in code-projects Point of Sales and Inventory Management System 1.0 and classified as problematic. | 6.1 |
2023-12-22 | CVE-2023-7057 | Carmelogarcia | Unspecified vulnerability in Carmelogarcia Faculty Management System 1.0 A vulnerability, which was classified as problematic, has been found in code-projects Faculty Management System 1.0. | 6.1 |
2023-12-22 | CVE-2023-51704 | Mediawiki | Cross-site Scripting vulnerability in Mediawiki An issue was discovered in MediaWiki before 1.35.14, 1.36.x through 1.39.x before 1.39.6, and 1.40.x before 1.40.2. | 6.1 |
2023-12-21 | CVE-2023-37520 | Hcltech | Cross-site Scripting vulnerability in Hcltech Bigfix Platform Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability identified in BigFix Server version 9.5.12.68, allowing for potential data exfiltration. | 6.1 |
2023-12-21 | CVE-2023-37519 | Hcltech | Cross-site Scripting vulnerability in Hcltech Bigfix Platform Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability. | 6.1 |
2023-12-21 | CVE-2023-50724 | Resque | Unspecified vulnerability in Resque Resque (pronounced like "rescue") is a Redis-backed library for creating background jobs, placing those jobs on multiple queues, and processing them later. | 6.1 |
2023-12-21 | CVE-2023-5989 | Uyumsoft | Unspecified vulnerability in Uyumsoft Lioxerp .146 An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Uyumsoft Information System and Technologies' LioXERP allows an authenticated user to execute Stored XSS. This issue affects LioXERP: before v.146. | 6.1 |
2023-12-20 | CVE-2023-50704 | Efacec | Open Redirect vulnerability in Efacec UC 500E Firmware 10.1.0 An attacker could construct a URL within the application that causes a redirection to an arbitrary external domain and could be leveraged to facilitate phishing attacks against application users. | 6.1 |
2023-12-19 | CVE-2023-46624 | Parcelpro | Unspecified vulnerability in Parcelpro Parcel PRO URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Parcel Pro.This issue affects Parcel Pro: from n/a through 1.6.11. | 6.1 |
2023-12-19 | CVE-2023-35883 | Magazine3 | Unspecified vulnerability in Magazine3 Core web Vitals & Pagespeed Booster 1.0.12 URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Magazine3 Core Web Vitals & PageSpeed Booster.This issue affects Core Web Vitals & PageSpeed Booster: from n/a through 1.0.12. | 6.1 |
2023-12-19 | CVE-2023-37982 | Crmperks | Open Redirect vulnerability in Crmperks Integration for Salesforce and Contact Form 7, Wpforms, Elementor, Ninja Forms 1.3.3 URL Redirection to Untrusted Site ('Open Redirect') vulnerability in CRM Perks Integration for Salesforce and Contact Form 7, WPForms, Elementor, Ninja Forms.This issue affects Integration for Salesforce and Contact Form 7, WPForms, Elementor, Ninja Forms: from n/a through 1.3.3. | 6.1 |
2023-12-19 | CVE-2023-38478 | Crmperks | Unspecified vulnerability in Crmperks Integration for Woocommerce and Quickbooks 1.2.3 URL Redirection to Untrusted Site ('Open Redirect') vulnerability in CRM Perks Integration for WooCommerce and QuickBooks.This issue affects Integration for WooCommerce and QuickBooks: from n/a through 1.2.3. | 6.1 |
2023-12-19 | CVE-2023-38481 | Crmperks | Open Redirect vulnerability in Crmperks Integration for Woocommerce and Zoho Crm, Books, Invoice, Inventory, Bigin URL Redirection to Untrusted Site ('Open Redirect') vulnerability in CRM Perks Integration for WooCommerce and Zoho CRM, Books, Invoice, Inventory, Bigin.This issue affects Integration for WooCommerce and Zoho CRM, Books, Invoice, Inventory, Bigin: from n/a before 1.3.7. | 6.1 |
2023-12-19 | CVE-2023-40602 | Doofinder | Unspecified vulnerability in Doofinder URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Doofinder Doofinder WP & WooCommerce Search.This issue affects Doofinder WP & WooCommerce Search: from n/a through 1.5.49. | 6.1 |
2023-12-19 | CVE-2023-41648 | Swapnilpatil | Unspecified vulnerability in Swapnilpatil Login and Logout Redirect URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Swapnil V. | 6.1 |
2023-12-19 | CVE-2023-45105 | Servit | Unspecified vulnerability in Servit Affiliate-Toolkit URL Redirection to Untrusted Site ('Open Redirect') vulnerability in SERVIT Software Solutions affiliate-toolkit – WordPress Affiliate Plugin.This issue affects affiliate-toolkit – WordPress Affiliate Plugin: from n/a through 3.3.9. | 6.1 |
2023-12-19 | CVE-2023-6867 | Mozilla Debian | Improper Restriction of Rendered UI Layers or Frames vulnerability in multiple products The timing of a button click causing a popup to disappear was approximately the same length as the anti-clickjacking delay on permission prompts. | 6.1 |
2023-12-19 | CVE-2023-49489 | Kodcloud | Cross-site Scripting vulnerability in Kodcloud Kodexplorer 4.51 Reflective Cross Site Scripting (XSS) vulnerability in KodExplorer version 4.51, allows attackers to obtain sensitive information and escalate privileges via the APP_HOST parameter at config/i18n/en/main.php. | 6.1 |
2023-12-19 | CVE-2023-50376 | Simple Membership Plugin | Unspecified vulnerability in Simple-Membership-Plugin Simple Membership Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in smp7, wp.Insider Simple Membership allows Reflected XSS.This issue affects Simple Membership: from n/a through 4.3.8. | 6.1 |
2023-12-18 | CVE-2023-6927 | Redhat | Open Redirect vulnerability in Redhat Keycloak and Single Sign-On A flaw was found in Keycloak. | 6.1 |
2023-12-18 | CVE-2023-5348 | Multivendorx | Cross-site Scripting vulnerability in Multivendorx Product Catalog Mode for Woocommerce The Product Catalog Mode For WooCommerce WordPress plugin before 5.0.3 does not properly authorize settings updates or escape settings values, leading to stored XSS by unauthenticated users. | 6.1 |
2023-12-23 | CVE-2023-7008 | Systemd Project | Unspecified vulnerability in Systemd Project Systemd 25 A vulnerability was found in systemd-resolved. | 5.9 |
2023-12-20 | CVE-2023-50703 | Efacec | Cleartext Transmission of Sensitive Information vulnerability in Efacec UC 500E Firmware 10.1.0 An attacker with network access could perform a man-in-the-middle (MitM) attack and capture sensitive information to gain unauthorized access to the application. | 5.9 |
2023-12-18 | CVE-2023-48795 | Openbsd Putty Filezilla Project Microsoft Panic Roumenpetrov Winscp Bitvise Lancom Systems Vandyke Libssh NET SSH Ssh2 Project Proftpd Freebsd Crates Tera Term Project Oryx Embedded Crushftp Netsarang Paramiko Redhat Golang Russh Project Sftpgo Project Erlang Matez Libssh2 Asyncssh Project Dropbear SSH Project Jadaptive SSH Thorntech Netgate Connectbot Apache Tinyssh Trilead 9Bis Gentoo Fedoraproject Debian Apple | Improper Validation of Integrity Check Value vulnerability in multiple products The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. | 5.9 |
2023-12-18 | CVE-2023-35867 | Bosch | Unspecified vulnerability in Bosch products An improper handling of a malformed API answer packets to API clients in Bosch BT software products can allow an unauthenticated attacker to cause a Denial of Service (DoS) situation. | 5.9 |
2023-12-18 | CVE-2023-50979 | Cryptopp | Information Exposure Through Discrepancy vulnerability in Cryptopp Crypto++ Crypto++ (aka cryptopp) through 8.9.0 has a Marvin side channel during decryption with PKCS#1 v1.5 padding. | 5.9 |
2023-12-18 | CVE-2023-6908 | Dfirkuiper | Unspecified vulnerability in Dfirkuiper Kuiper 2.3.4 A vulnerability, which was classified as problematic, was found in DFIRKuiper Kuiper 2.3.4. | 5.9 |
2023-12-21 | CVE-2023-6746 | Github | Information Exposure Through Log Files vulnerability in Github Enterprise Server An insertion of sensitive information into log file vulnerability was identified in the log files for a GitHub Enterprise Server back-end service that could permit an `adversary in the middle attack` when combined with other phishing techniques. | 5.7 |
2023-12-19 | CVE-2023-42940 | Apple | Unspecified vulnerability in Apple Macos A session rendering issue was addressed with improved session tracking. | 5.7 |
2023-12-22 | CVE-2023-45165 | IBM | Unspecified vulnerability in IBM AIX 7.2/7.3 IBM AIX 7.2 and 7.3 could allow a non-privileged local user to exploit a vulnerability in the AIX SMB client to cause a denial of service. | 5.5 |
2023-12-21 | CVE-2023-6804 | Github | Improper Privilege Management vulnerability in Github Enterprise Server Improper privilege management allowed arbitrary workflows to be committed and run using an improperly scoped PAT. | 5.5 |
2023-12-21 | CVE-2023-7042 | Linux | NULL Pointer Dereference vulnerability in Linux Kernel A null pointer dereference vulnerability was found in ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev() in drivers/net/wireless/ath/ath10k/wmi-tlv.c in the Linux kernel. | 5.5 |
2023-12-21 | CVE-2023-4255 | Tats Fedoraproject | Out-of-bounds Write vulnerability in multiple products An out-of-bounds write issue has been discovered in the backspace handling of the checkType() function in etc.c within the W3M application. | 5.5 |
2023-12-21 | CVE-2023-4256 | Broadcom Fedoraproject | Double Free vulnerability in multiple products Within tcpreplay's tcprewrite, a double free vulnerability has been identified in the tcpedit_dlt_cleanup() function within plugins/dlt_plugins.c. | 5.5 |
2023-12-20 | CVE-2023-42012 | IBM | Unspecified vulnerability in IBM Urbancode Deploy An IBM UrbanCode Deploy Agent 7.2 through 7.2.3.7, and 7.3 through 7.3.2.2 installed as a Windows service in a non-standard location could be subject to a denial of service attack by local accounts. | 5.5 |
2023-12-19 | CVE-2023-45172 | IBM | Unspecified vulnerability in IBM AIX and Vios IBM AIX 7.2, 7.3, and VIOS 3.1 could allow a non-privileged local user to exploit a vulnerability in AIX windows to cause a denial of service. | 5.5 |
2023-12-18 | CVE-2023-51384 | Openbsd Debian | In ssh-agent in OpenSSH before 9.6, certain destination constraints can be incompletely applied. | 5.5 |
2023-12-23 | CVE-2020-36769 | Porternovelli | Cross-site Scripting vulnerability in Porternovelli Widget Settings Importer/Exporter The Widget Settings Importer/Exporter Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the wp_ajax_import_widget_dataparameter AJAX action in versions up to, and including, 1.5.3 due to insufficient input sanitization and output escaping. | 5.4 |
2023-12-23 | CVE-2023-6744 | Elegantthemes | Cross-site Scripting vulnerability in Elegantthemes Divi The Divi theme for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'et_pb_text' shortcode in all versions up to, and including, 4.23.1 due to insufficient input sanitization and output escaping on user supplied custom field data. | 5.4 |
2023-12-22 | CVE-2023-50924 | Engelsystem | Unspecified vulnerability in Engelsystem Englesystem is a shift planning system for chaos events. | 5.4 |
2023-12-22 | CVE-2023-50712 | Dfir Iris | Unspecified vulnerability in Dfir-Iris Iris Iris is a web collaborative platform aiming to help incident responders sharing technical details during investigations. | 5.4 |
2023-12-22 | CVE-2023-49791 | Nextcloud | Unspecified vulnerability in Nextcloud Server Nextcloud Server provides data storage for Nextcloud, an open source cloud platform. | 5.4 |
2023-12-22 | CVE-2023-45957 | Thirtybees | Cross-site Scripting vulnerability in Thirtybees Thirty Bees 1.4.0 A stored cross-site scripting (XSS) vulnerability in the component admin/AdminRequestSqlController.php of thirty bees before 1.5.0 allows attackers to execute arbitrary web script or HTML via $e->getMessage() error mishandling. | 5.4 |
2023-12-22 | CVE-2023-7059 | Remyandrade | Unspecified vulnerability in Remyandrade School Visitor LOG E-Book 1.0 A vulnerability was found in SourceCodester School Visitor Log e-Book 1.0. | 5.4 |
2023-12-22 | CVE-2023-7055 | Phpgurukul | Incorrect Permission Assignment for Critical Resource vulnerability in PHPgurukul Online Notes Sharing System 1.0 A vulnerability classified as problematic has been found in PHPGurukul Online Notes Sharing System 1.0. | 5.4 |
2023-12-22 | CVE-2023-7056 | Carmelogarcia | Unspecified vulnerability in Carmelogarcia Faculty Management System 1.0 A vulnerability classified as problematic was found in code-projects Faculty Management System 1.0. | 5.4 |
2023-12-22 | CVE-2023-7054 | Phpgurukul | Cross-site Scripting vulnerability in PHPgurukul Online Notes Sharing System 1.0 A vulnerability was found in PHPGurukul Online Notes Sharing System 1.0. | 5.4 |
2023-12-22 | CVE-2023-49086 | Cacti | Unspecified vulnerability in Cacti 1.2.25 Cacti is a robust performance and fault management framework and a frontend to RRDTool - a Time Series Database (TSDB). | 5.4 |
2023-12-21 | CVE-2023-7050 | Phpgurukul | Cross-site Scripting vulnerability in PHPgurukul Online Notes Sharing System 1.0 A vulnerability has been found in PHPGurukul Online Notes Sharing System 1.0 and classified as problematic. | 5.4 |
2023-12-21 | CVE-2023-7041 | Codelyfe | Unspecified vulnerability in Codelyfe Stupid Simple CMS A vulnerability, which was classified as critical, has been found in codelyfe Stupid Simple CMS up to 1.2.4. | 5.4 |
2023-12-21 | CVE-2023-50834 | Augustinfotech | Unspecified vulnerability in Augustinfotech Woocommerce Menu Extension Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in August Infotech WooCommerce Menu Extension allows Stored XSS.This issue affects WooCommerce Menu Extension: from n/a through 1.6.2. | 5.4 |
2023-12-21 | CVE-2023-50831 | Villatheme | Unspecified vulnerability in Villatheme Curcy Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VillaTheme CURCY – Multi Currency for WooCommerce allows Stored XSS.This issue affects CURCY – Multi Currency for WooCommerce: from n/a through 2.2.0. | 5.4 |
2023-12-21 | CVE-2023-50833 | Extendthemes | Unspecified vulnerability in Extendthemes Colibri Page Builder 1.0.227/1.0.229/1.0.239 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ExtendThemes Colibri Page Builder allows Stored XSS.This issue affects Colibri Page Builder: from n/a through 1.0.239. | 5.4 |
2023-12-21 | CVE-2023-7036 | Automad | Cross-site Scripting vulnerability in Automad A vulnerability was found in automad up to 1.10.9. | 5.4 |
2023-12-21 | CVE-2023-47525 | Awplife | Unspecified vulnerability in Awplife Event Monster Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in A WP Life Event Monster – Event Management, Tickets Booking, Upcoming Event allows Stored XSS.This issue affects Event Monster – Event Management, Tickets Booking, Upcoming Event: from n/a through 1.3.2. | 5.4 |
2023-12-21 | CVE-2023-47527 | Sajjadhsagor | Unspecified vulnerability in Sajjadhsagor WP Edit Username Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sajjad Hossain Sagor WP Edit Username allows Stored XSS.This issue affects WP Edit Username: from n/a through 1.0.5. | 5.4 |
2023-12-21 | CVE-2023-48114 | Smartertools | Cross-site Scripting vulnerability in Smartertools Smartermail SmarterTools SmarterMail 8495 through 8664 before 8747 allows stored XSS by using image/svg+xml and an uploaded SVG document. | 5.4 |
2023-12-21 | CVE-2023-48115 | Smartertools | Cross-site Scripting vulnerability in Smartertools Smartermail SmarterTools SmarterMail 8495 through 8664 before 8747 allows stored DOM XSS because an XSS protection mechanism is skipped when messageHTML and messagePlainText are set in the same request. | 5.4 |
2023-12-21 | CVE-2023-48116 | Smartertools | Cross-site Scripting vulnerability in Smartertools Smartermail SmarterTools SmarterMail 8495 through 8664 before 8747 allows stored XSS via a crafted description of a Calendar appointment. | 5.4 |
2023-12-21 | CVE-2023-50377 | AB WP | Unspecified vulnerability in Ab-Wp Simple Counter 1.0/1.0.1/1.0.2 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AB-WP Simple Counter allows Stored XSS.This issue affects Simple Counter: from n/a through 1.0.2. | 5.4 |
2023-12-21 | CVE-2023-50822 | Currencywiki | Unspecified vulnerability in Currencywiki Currency Converter Widget - Exchange Rates 3.0.2 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Currency.Wiki Currency Converter Widget – Exchange Rates allows Stored XSS.This issue affects Currency Converter Widget – Exchange Rates: from n/a through 3.0.2. | 5.4 |
2023-12-21 | CVE-2023-50823 | Wipeoutmedia | Unspecified vulnerability in Wipeoutmedia CSS & Javascript Toolbox Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Wipeout Media CSS & JavaScript Toolbox allows Stored XSS.This issue affects CSS & JavaScript Toolbox: from n/a through 11.7. | 5.4 |
2023-12-21 | CVE-2023-50824 | Elearningfreak | Unspecified vulnerability in Elearningfreak Insert or Embed Articulate Content Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brian Batt Insert or Embed Articulate Content into WordPress allows Stored XSS.This issue affects Insert or Embed Articulate Content into WordPress: from n/a through 4.3000000021. | 5.4 |
2023-12-21 | CVE-2023-50825 | Jacksonwhelan | Unspecified vulnerability in Jacksonwhelan Iframe Shortcode 2.0 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Terrier Tenacity iframe Shortcode allows Stored XSS.This issue affects iframe Shortcode: from n/a through 2.0. | 5.4 |
2023-12-21 | CVE-2023-7035 | Automad | Unspecified vulnerability in Automad A vulnerability was found in automad up to 1.10.9 and classified as problematic. | 5.4 |
2023-12-21 | CVE-2023-50473 | Billahmed | Cross-site Scripting vulnerability in Billahmed Qbit Matui 1.16.4 Cross-Site Scripting (XSS) vulnerability in bill-ahmed qbit-matUI version 1.16.4, allows remote attackers to obtain sensitive information via fixed session identifiers (SID) in index.js file. | 5.4 |
2023-12-21 | CVE-2023-47265 | Apache | Unspecified vulnerability in Apache Airflow Apache Airflow, versions 2.6.0 through 2.7.3 has a stored XSS vulnerability that allows a DAG author to add an unbounded and not-sanitized javascript in the parameter description field of the DAG. This Javascript can be executed on the client side of any of the user who looks at the tasks in the browser sandbox. | 5.4 |
2023-12-21 | CVE-2023-45700 | Hcltechsw | Cross-site Scripting vulnerability in Hcltechsw HCL Launch HCL Launch is vulnerable to HTML injection. | 5.4 |
2023-12-20 | CVE-2023-50639 | Iscute | Cross-site Scripting vulnerability in Iscute Cute Http File Server 1.0/2.0 Cross Site Scripting (XSS) vulnerability in CuteHttpFileServer v.1.0 and v.2.0 allows attackers to obtain sensitive information via the file upload function in the home page. | 5.4 |
2023-12-20 | CVE-2023-49270 | Kashipara | Unspecified vulnerability in Kashipara Hotel Management 1.0 Hotel Management v1.0 is vulnerable to multiple authenticated Reflected Cross-Site Scripting vulnerabilities. | 5.4 |
2023-12-20 | CVE-2023-49271 | Kashipara | Unspecified vulnerability in Kashipara Hotel Management 1.0 Hotel Management v1.0 is vulnerable to multiple authenticated Reflected Cross-Site Scripting vulnerabilities. | 5.4 |
2023-12-20 | CVE-2023-49272 | Kashipara | Unspecified vulnerability in Kashipara Hotel Management 1.0 Hotel Management v1.0 is vulnerable to multiple authenticated Reflected Cross-Site Scripting vulnerabilities. | 5.4 |
2023-12-20 | CVE-2023-49269 | Gvnpatidar | Unspecified vulnerability in Gvnpatidar Hotel Management System 1.0 Hotel Management v1.0 is vulnerable to multiple authenticated Reflected Cross-Site Scripting vulnerabilities. | 5.4 |
2023-12-20 | CVE-2023-38513 | Meowapps | Unspecified vulnerability in Meowapps Photo Engine Authorization Bypass Through User-Controlled Key vulnerability in Jordy Meow Photo Engine (Media Organizer & Lightroom).This issue affects Photo Engine (Media Organizer & Lightroom): from n/a through 6.2.5. | 5.4 |
2023-12-20 | CVE-2023-51459 | Adobe | Unspecified vulnerability in Adobe Experience Manager Adobe Experience Manager versions 6.5.18 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. | 5.4 |
2023-12-20 | CVE-2023-47707 | IBM | Unspecified vulnerability in IBM Security Guardium KEY Lifecycle Manager 4.2.0 IBM Security Guardium Key Lifecycle Manager 4.3 is vulnerable to cross-site scripting. | 5.4 |
2023-12-19 | CVE-2023-5432 | Gopiplus | Cross-site Scripting vulnerability in Gopiplus Jquery News Ticker The Jquery news ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'jquery-news-ticker' shortcode in versions up to, and including, 3.1 due to insufficient input sanitization and output escaping on user supplied attributes. | 5.4 |
2023-12-19 | CVE-2023-5413 | Gopiplus | Cross-site Scripting vulnerability in Gopiplus Image Horizontal Reel Scroll Slideshow The Image horizontal reel scroll slideshow plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'ihrss-gallery' shortcode in versions up to, and including, 13.3 due to insufficient input sanitization and output escaping on user supplied attributes. | 5.4 |
2023-12-19 | CVE-2023-6488 | Getshortcodes | Cross-site Scripting vulnerability in Getshortcodes Shortcodes Ultimate The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'su_button', 'su_members', and 'su_tabs' shortcodes in all versions up to, and including, 7.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. | 5.4 |
2023-12-18 | CVE-2023-6778 | Clear | Unspecified vulnerability in Clear Clearml Server Cross-site Scripting (XSS) - Stored in GitHub repository allegroai/clearml-server prior to 1.13.0. | 5.4 |
2023-12-24 | CVE-2023-51765 | Sendmail Freebsd Redhat | Insufficient Verification of Data Authenticity vulnerability in multiple products sendmail through 8.17.2 allows SMTP smuggling in certain configurations. | 5.3 |
2023-12-24 | CVE-2023-51766 | Exim Fedoraproject Debian | Insufficient Verification of Data Authenticity vulnerability in multiple products Exim before 4.97.1 allows SMTP smuggling in certain PIPELINING/CHUNKING configurations. | 5.3 |
2023-12-24 | CVE-2023-51764 | Postfix Fedoraproject Redhat | Insufficient Verification of Data Authenticity vulnerability in multiple products Postfix through 3.8.5 allows SMTP smuggling unless configured with smtpd_data_restrictions=reject_unauth_pipelining and smtpd_discard_ehlo_keywords=chunking (or certain other options that exist in recent versions). | 5.3 |
2023-12-22 | CVE-2023-50258 | Pymedusa | Unspecified vulnerability in Pymedusa Medusa Medusa is an automatic video library manager for TV shows. | 5.3 |
2023-12-22 | CVE-2023-50259 | Pymedusa | Unspecified vulnerability in Pymedusa Medusa Medusa is an automatic video library manager for TV shows. | 5.3 |
2023-12-21 | CVE-2023-27319 | Netapp | Information Exposure Through an Error Message vulnerability in Netapp Ontap Mediator ONTAP Mediator versions prior to 1.7 are susceptible to a vulnerability that can allow an unauthenticated attacker to enumerate URLs via REST API. | 5.3 |
2023-12-21 | CVE-2023-46646 | Github | Authorization Bypass Through User-Controlled Key vulnerability in Github Enterprise Server Improper access control in all versions of GitHub Enterprise Server allows unauthorized users to view private repository names via the "Get a check run" API endpoint. | 5.3 |
2023-12-21 | CVE-2023-41166 | Stormshield | Unspecified vulnerability in Stormshield Network Security An issue was discovered in Stormshield Network Security (SNS) 3.7.0 through 3.7.39, 3.11.0 through 3.11.27, 4.3.0 through 4.3.22, 4.6.0 through 4.6.9, and 4.7.0 through 4.7.1. | 5.3 |
2023-12-20 | CVE-2023-47703 | IBM | Information Exposure Through an Error Message vulnerability in IBM Security Guardium KEY Lifecycle Manager 4.2.0 IBM Security Guardium Key Lifecycle Manager 4.3 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. | 5.3 |
2023-12-20 | CVE-2023-42013 | IBM | Unspecified vulnerability in IBM Urbancode Deploy IBM UrbanCode Deploy (UCD) 7.1 through 7.1.2.14, 7.2 through 7.2.3.7, and 7.3 through 7.3.2.2 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. | 5.3 |
2023-12-20 | CVE-2023-50705 | Efacec | Incorrect Authorization vulnerability in Efacec UC 500E Firmware 10.1.0 An attacker could create malicious requests to obtain sensitive information about the web server. | 5.3 |
2023-12-19 | CVE-2023-6857 | Mozilla Debian | Race Condition vulnerability in multiple products When resolving a symlink, a race may occur where the buffer passed to `readlink` may actually be smaller than necessary. | 5.3 |
2023-12-19 | CVE-2014-125107 | Corveda | Unspecified vulnerability in Corveda PHPsandbox 1.3.4 A vulnerability was found in Corveda PHPSandbox 1.3.4 and classified as critical. | 5.3 |
2023-12-19 | CVE-2023-6918 | Libssh Redhat Fedoraproject | Unchecked Return Value vulnerability in multiple products A flaw was found in the libssh implements abstract layer for message digest (MD) operations implemented by different supported crypto backends. | 5.3 |
2023-12-18 | CVE-2023-47741 | IBM | Insufficiently Protected Credentials vulnerability in IBM DB2 Mirror for I and I IBM i 7.3, 7.4, 7.5, IBM i Db2 Mirror for i 7.4 and 7.5 web browser clients may leave clear-text passwords in browser memory that can be viewed using common browser tools before the memory is garbage collected. | 5.3 |
2023-12-18 | CVE-2023-6065 | Quttera | Unspecified vulnerability in Quttera web Malware Scanner The Quttera Web Malware Scanner WordPress plugin before 3.4.2.1 doesn't restrict access to detailed scan logs, which allows a malicious actor to discover local paths and portions of the site's code | 5.3 |
2023-12-18 | CVE-2022-41677 | Bosch | Unspecified vulnerability in Bosch products An information disclosure vulnerability was discovered in Bosch IP camera devices allowing an unauthenticated attacker to retrieve information (like capabilities) about the device itself and network settings of the device, disclosing possibly internal network settings if the device is connected to the internet. | 5.3 |
2023-12-18 | CVE-2023-28053 | Dell | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Dell EMC Networker Dell NetWorker Virtual Edition versions 19.8 and below contain the use of deprecated cryptographic algorithms in the SSH component. | 5.3 |
2023-12-21 | CVE-2023-46645 | Github | Path Traversal vulnerability in Github Enterprise Server A path traversal vulnerability was identified in GitHub Enterprise Server that allowed arbitrary file reading when building a GitHub Pages site. | 4.9 |
2023-12-21 | CVE-2023-51379 | Github | Incorrect Authorization vulnerability in Github Enterprise Server An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed issue comments to be updated with an improperly scoped token. | 4.9 |
2023-12-20 | CVE-2023-32743 | Woocommerce | Unspecified vulnerability in Woocommerce Automatewoo Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WooCommerce AutomateWoo.This issue affects AutomateWoo: from n/a through 5.7.1. | 4.9 |
2023-12-20 | CVE-2023-38519 | Mainwp | Unspecified vulnerability in Mainwp Dashboard Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in MainWP MainWP Dashboard – WordPress Manager for Multiple Websites Maintenance.This issue affects MainWP Dashboard – WordPress Manager for Multiple Websites Maintenance: from n/a through 4.4.3.3. | 4.9 |
2023-12-20 | CVE-2023-47236 | Ipages Flipbook Project | Unspecified vulnerability in Ipages Flipbook Project Ipages Flipbook Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Avirtum iPages Flipbook For WordPress.This issue affects iPages Flipbook For WordPress: from n/a through 1.4.8. | 4.9 |
2023-12-18 | CVE-2023-40691 | IBM | Unspecified vulnerability in IBM Cloud PAK for Business Automation IBM Cloud Pak for Business Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, and 22.0.2 may reveal sensitive information contained in application configuration to developer and administrator users. | 4.9 |
2023-12-22 | CVE-2023-49088 | Cacti | Cross-site Scripting vulnerability in Cacti Cacti is an open source operational monitoring and fault management framework. | 4.8 |
2023-12-21 | CVE-2023-50829 | Quick Plugins | Unspecified vulnerability in Quick-Plugins Loan Repayment Calculator and Application Form Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Aerin Loan Repayment Calculator and Application Form allows Stored XSS.This issue affects Loan Repayment Calculator and Application Form: from n/a through 2.9.3. | 4.8 |
2023-12-21 | CVE-2023-50830 | Seosthemes | Unspecified vulnerability in Seosthemes Seos Contact Form 1.6.0/1.8.0 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Seosbg Seos Contact Form allows Stored XSS.This issue affects Seos Contact Form: from n/a through 1.8.0. | 4.8 |
2023-12-21 | CVE-2023-50832 | Mondula | Unspecified vulnerability in Mondula Multi Step Form Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mondula GmbH Multi Step Form allows Stored XSS.This issue affects Multi Step Form: from n/a through 1.7.13. | 4.8 |
2023-12-21 | CVE-2023-50826 | Freshlightlab | Unspecified vulnerability in Freshlightlab Menu Image, Icons Made Easy Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Freshlight Lab Menu Image, Icons made easy allows Stored XSS.This issue affects Menu Image, Icons made easy: from n/a through 3.10. | 4.8 |
2023-12-21 | CVE-2023-50827 | Accredible | Unspecified vulnerability in Accredible Certificates & Open Badges Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Accredible Accredible Certificates & Open Badges allows Stored XSS.This issue affects Accredible Certificates & Open Badges: from n/a through 1.4.8. | 4.8 |
2023-12-21 | CVE-2023-50828 | Davidvongries | Cross-site Scripting vulnerability in Davidvongries Ultimate Dashboard Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in David Vongries Ultimate Dashboard – Custom WordPress Dashboard allows Stored XSS.This issue affects Ultimate Dashboard – Custom WordPress Dashboard: from n/a through 3.7.11. | 4.8 |
2023-12-21 | CVE-2023-28025 | Hcltech | Cross-site Scripting vulnerability in Hcltech Bigfix Modern Client Management 2.0/2.1 Due to this vulnerability, the Master operator could potentially incorporate an SVG tag into HTML, leading to an alert pop-up displaying a cookie. | 4.8 |
2023-12-19 | CVE-2023-6945 | Mayurik | Unspecified vulnerability in Mayurik Online Student Management System 1.0 A vulnerability has been found in SourceCodester Online Student Management System 1.0 and classified as problematic. | 4.8 |
2023-12-18 | CVE-2023-5005 | Codesmade | Cross-site Scripting vulnerability in Codesmade Autocomplete Location Field Contact Form 7 2.0 The Autocomplete Location field Contact Form 7 WordPress plugin before 3.0, autocomplete-location-field-contact-form-7-pro WordPress plugin before 2.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | 4.8 |
2023-12-18 | CVE-2023-6911 | Wso2 | Cross-site Scripting vulnerability in Wso2 products Multiple WSO2 products have been identified as vulnerable due to improper output encoding, a Stored Cross Site Scripting (XSS) attack can be carried out by an attacker injecting a malicious payload into the Registry feature of the Management Console. | 4.8 |
2023-12-20 | CVE-2023-6769 | MR Corner | Unspecified vulnerability in Mr-Corner Amazing Little Poll 1.3/1.4 Stored XSS vulnerability in Amazing Little Poll, affecting versions 1.3 and 1.4. | 4.6 |
2023-12-18 | CVE-2023-41967 | Gallagher | Improper Cross-boundary Removal of Sensitive Data vulnerability in Gallagher Controller 6000 Firmware Sensitive information uncleared after debug/power state transition in the Controller 6000 could be abused by an attacker with knowledge of the Controller's default diagnostic password and physical access to the Controller to view its configuration through the diagnostic web pages. | 4.6 |
2023-12-21 | CVE-2023-7047 | Devolutions | Unspecified vulnerability in Devolutions Remote Desktop Manager Inadequate validation of permissions when employing remote tools and macros via the context menu within Devolutions Remote Desktop Manager versions 2023.3.31 and earlier permits a user to initiate a connection without proper execution rights via the remote tools feature. | 4.4 |
2023-12-24 | CVE-2023-7092 | Uniwayinfo | Unspecified vulnerability in Uniwayinfo Uw-302Vp Firmware 2.0 A vulnerability was found in Uniway UW-302VP 2.0. | 4.3 |
2023-12-22 | CVE-2023-51451 | Sentry | Server-Side Request Forgery (SSRF) vulnerability in Sentry Symbolicator 0.3.3/23.11.2 Symbolicator is a service used in Sentry. | 4.3 |
2023-12-22 | CVE-2023-49790 | Nextcloud | Unspecified vulnerability in Nextcloud The Nextcloud iOS Files app allows users of iOS to interact with Nextcloud, a self-hosted productivity platform. | 4.3 |
2023-12-22 | CVE-2023-51649 | Networktocode | Unspecified vulnerability in Networktocode Nautobot Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. | 4.3 |
2023-12-22 | CVE-2023-7052 | Phpgurukul | Unspecified vulnerability in PHPgurukul Online Notes Sharing System 1.0 A vulnerability was found in PHPGurukul Online Notes Sharing System 1.0. | 4.3 |
2023-12-21 | CVE-2023-7051 | Phpgurukul | Unspecified vulnerability in PHPgurukul Online Notes Sharing System 1.0 A vulnerability was found in PHPGurukul Online Notes Sharing System 1.0 and classified as problematic. | 4.3 |
2023-12-21 | CVE-2023-51380 | Github | Incorrect Authorization vulnerability in Github Enterprise Server An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed issue comments to be read with an improperly scoped token. This vulnerability affected all versions of GitHub Enterprise Server since 3.7 and was fixed in version 3.7.19, 3.8.12, 3.9.7, 3.10.4, and 3.11.1. | 4.3 |
2023-12-21 | CVE-2023-48291 | Apache | Unspecified vulnerability in Apache Airflow Apache Airflow, in versions prior to 2.8.0, contains a security vulnerability that allows an authenticated user with limited access to some DAGs, to craft a request that could give the user write access to various DAG resources for DAGs that the user had no access to, thus, enabling the user to clear DAGs they shouldn't. This is a missing fix for CVE-2023-42792 in Apache Airflow 2.7.2 Users of Apache Airflow are strongly advised to upgrade to version 2.8.0 or newer to mitigate the risk associated with this vulnerability. | 4.3 |
2023-12-20 | CVE-2023-6784 | Progress | Unspecified vulnerability in Progress Sitefinity A malicious user could potentially use the Sitefinity system for the distribution of phishing emails. | 4.3 |
2023-12-20 | CVE-2023-47705 | IBM | Unspecified vulnerability in IBM Security Guardium KEY Lifecycle Manager 4.2.0 IBM Security Guardium Key Lifecycle Manager 4.3 could allow an authenticated user to manipulate username data due to improper input validation. | 4.3 |
2023-12-20 | CVE-2023-50706 | Efacec | Unspecified vulnerability in Efacec UC 500E Firmware 10.1.0 A user without administrator permissions with access to the UC500 windows system could perform a memory dump of the running processes and extract clear credentials or valid session tokens. | 4.3 |
2023-12-19 | CVE-2023-50761 | Mozilla Debian | The signature of a digitally signed S/MIME email message may optionally specify the signature creation date and time. | 4.3 |
2023-12-19 | CVE-2023-50762 | Mozilla Debian | When processing a PGP/MIME payload that contains digitally signed text, the first paragraph of the text was never shown to the user. | 4.3 |
2023-12-19 | CVE-2023-6135 | Mozilla | Information Exposure Through Discrepancy vulnerability in Mozilla Firefox Multiple NSS NIST curves were susceptible to a side-channel attack known as "Minerva". | 4.3 |
2023-12-19 | CVE-2023-6868 | Mozilla | Unspecified vulnerability in Mozilla Firefox In some instances, the user-agent would allow push requests which lacked a valid VAPID even though the push manager subscription defined one. | 4.3 |
2023-12-19 | CVE-2023-6870 | Mozilla | Unspecified vulnerability in Mozilla Firefox Applications which spawn a Toast notification in a background thread may have obscured fullscreen notifications displayed by Firefox. | 4.3 |
2023-12-19 | CVE-2023-6871 | Mozilla | Unspecified vulnerability in Mozilla Firefox Under certain conditions, Firefox did not display a warning when a user attempted to navigate to a new protocol handler. | 4.3 |
2023-12-19 | CVE-2019-25157 | Ethex | Unspecified vulnerability in Ethex Contracts A vulnerability was found in Ethex Contracts. | 4.3 |
2023-12-19 | CVE-2023-42015 | IBM | Cross-site Scripting vulnerability in IBM Urbancode Deploy IBM UrbanCode Deploy (UCD) 7.1 through 7.1.2.14, 7.2 through 7.2.3.7, and 7.3 through 7.3.2.2 is vulnerable to HTML injection. | 4.3 |
2023-12-18 | CVE-2023-22439 | Gallagher | Improper Input Validation vulnerability in Gallagher Command Centre and Controller 6000 Firmware Improper input validation of a large HTTP request in the Controller 6000 and Controller 7000 optional diagnostic web interface (Port 80) can be used to perform a Denial of Service of the diagnostic web interface. This issue affects: Gallagher Controller 6000 and 7000 8.90 prior to vCR8.90.231204a (distributed in 8.90.1620 (MR2)), 8.80 prior to vCR8.80.231204a (distributed in 8.80.1369 (MR3)), 8.70 prior to vCR8.70.231204a (distributed in 8.70.2375 (MR5)), 8.60 prior to vCR8.60.231116a (distributed in 8.60.2550 (MR7)), all versions of 8.50 and prior. | 4.3 |
2023-12-18 | CVE-2023-23576 | Gallagher | Unspecified vulnerability in Gallagher Command Centre Incorrect behavior order in the Command Centre Server could allow privileged users to gain physical access to the site for longer than intended after a network outage when competencies are used in the access decision. | 4.3 |
2023-12-18 | CVE-2023-23584 | Gallagher | Information Exposure Through Discrepancy vulnerability in Gallagher Command Centre An observable response discrepancy in the Gallagher Command Centre RESTAPI allows an insufficiently-privileged user to infer the presence of items that would not otherwise be viewable. | 4.3 |
2023-12-18 | CVE-2023-6289 | Swteplugins | Unspecified vulnerability in Swteplugins Swift Performance The Swift Performance Lite WordPress plugin before 2.3.6.15 does not prevent users from exporting the plugin's settings, which may include sensitive information such as Cloudflare API tokens. | 4.3 |
2023-12-18 | CVE-2023-5056 | Redhat | Missing Authorization vulnerability in Redhat Service Interconnect 1.0 A flaw was found in the Skupper operator, which may permit a certain configuration to create a service account that would allow an authenticated attacker in the adjacent cluster to view deployments in all namespaces in the cluster. | 4.1 |
2023-12-21 | CVE-2023-6803 | Github | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Github Enterprise Server A race condition in GitHub Enterprise Server allows an outside collaborator to be added while a repository is being transferred. | 4.0 |
5 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2023-12-19 | CVE-2022-45809 | Quicoto | Unspecified vulnerability in Quicoto Thumbs Rating 5.0.0 Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Ricard Torres Thumbs Rating.This issue affects Thumbs Rating: from n/a through 5.0.0. | 3.7 |
2023-12-22 | CVE-2023-51386 | Amazon | Unspecified vulnerability in Amazon Awslabs Sandbox Accounts for Events Sandbox Accounts for Events provides multiple, temporary AWS accounts to a number of authenticated users simultaneously via a browser-based GUI. | 3.3 |
2023-12-22 | CVE-2023-51651 | Amazon | Unspecified vulnerability in Amazon AWS Software Development KIT AWS SDK for PHP is the Amazon Web Services software development kit for PHP. | 3.3 |
2023-12-18 | CVE-2023-5384 | Redhat Infinispan | Cleartext Storage of Sensitive Information vulnerability in multiple products A flaw was found in Infinispan. | 2.7 |
2023-12-21 | CVE-2023-6690 | Github | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Github Enterprise Server A race condition in GitHub Enterprise Server allowed an existing admin to maintain permissions on transferred repositories by making a GraphQL mutation to alter repository permissions during the transfer. This vulnerability affected GitHub Enterprise Server version 3.8.0 and above and was fixed in version 3.8.12, 3.9.7, 3.10.4, and 3.11.1. | 2.0 |