Weekly Vulnerabilities Report: December 25 to 31, 2023

Overview

447 new vulnerabilities were reported during this period, including 95 critical and 191 high-severity vulnerabilities. This weekly summary reports vulnerabilities in 327 products from 257 vendors, including Hihonor, Code Projects, Weseek, Tenda, and Sesami. The most common vulnerability categories this week are "SQL Injection", "Cross-site Scripting", "Out-of-bounds Write", "Unrestricted Upload of File with Dangerous Type", and "Code Injection".

  • 381 reported vulnerabilities are remotely exploitable.
  • 1 reported vulnerability has a public exploit available.
  • 228 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
  • 244 reported vulnerabilities are exploitable by an anonymous user.
  • Hihonor has the most reported vulnerabilities, with 30.
  • Tenda has the most reported critical vulnerabilities, with 12.

[Summary dashboard: total vulnerabilities; critical, high, medium and low risk vulnerabilities; remotely exploitable; locally exploitable; exploit available; exploitable anonymously; affecting web application]

Vulnerability Details

The following table lists the reported vulnerabilities for the period covered by this report:


95 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2023-12-31 CVE-2023-51423 Saleswonder SQL Injection vulnerability in Saleswonder Webinarignition

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Saleswonder Team Webinar Plugin: Create live/evergreen/automated/instant webinars, stream & Zoom Meetings | WebinarIgnition. This issue affects Webinar Plugin: Create live/evergreen/automated/instant webinars, stream & Zoom Meetings | WebinarIgnition: from n/a through 3.05.0.

9.8
2023-12-31 CVE-2023-51469 Mestresdowp SQL Injection vulnerability in Mestresdowp Checkout Mestres WP

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mestres do WP Checkout Mestres WP. This issue affects Checkout Mestres WP: from n/a through 7.1.9.6.

9.8
2023-12-31 CVE-2023-52181 Presslabs Deserialization of Untrusted Data vulnerability in Presslabs Theme PER User 1.0/1.0.1

Deserialization of Untrusted Data vulnerability in Presslabs Theme per user. This issue affects Theme per user: from n/a through 1.0.1.

9.8
2023-12-30 CVE-2023-52262 Outdoorbits Unspecified vulnerability in Outdoorbits Little Backup BOX

outdoorbits little-backup-box (aka Little Backup Box) before f39f91c allows remote attackers to execute arbitrary code because the PHP extract function is used for untrusted input.

9.8
2023-12-30 CVE-2023-50589 Embras SQL Injection vulnerability in Embras Geosiap ERP 2.2.167.02

Grupo Embras GEOSIAP ERP v2.2.167.02 was discovered to contain a SQL injection vulnerability via the codLogin parameter on the login page.

9.8
2023-12-30 CVE-2023-50651 Totolink OS Command Injection vulnerability in Totolink X6000R Firmware 9.4.0Cu.852B20230719

TOTOLINK X6000R v9.4.0cu.852_B20230719 was discovered to contain a remote command execution (RCE) vulnerability via the component /cgi-bin/cstecgi.cgi.

9.8
2023-12-30 CVE-2023-50578 Mingsoft SQL Injection vulnerability in Mingsoft Mcms 5.2.9

Mingsoft MCMS v5.2.9 was discovered to contain a SQL injection vulnerability via the categoryType parameter at /content/list.do.

9.8
2023-12-30 CVE-2023-51133 Totolink Out-of-bounds Write vulnerability in Totolink X2000R Firmware 1.0.0B20230221.0948.Web

TOTOLINK X2000R Gh v1.0.0-B20230221.0948.web was discovered to contain a stack overflow via the function formRoute.

9.8
2023-12-30 CVE-2023-51135 Totolink Out-of-bounds Write vulnerability in Totolink X2000R Firmware 1.0.0B20230221.0948.Web

TOTOLINK X2000R Gh v1.0.0-B20230221.0948.web was discovered to contain a stack overflow via the function formPasswordSetup.

9.8
2023-12-30 CVE-2023-51136 Totolink Out-of-bounds Write vulnerability in Totolink X2000R Firmware 1.0.0B20230221.0948.Web

TOTOLINK X2000R Gh v1.0.0-B20230221.0948.web was discovered to contain a stack overflow via the function formRebootSchedule.

9.8
2023-12-30 CVE-2023-7175 Campcodes SQL Injection vulnerability in Campcodes Online College Library System 1.0

A vulnerability was found in Campcodes Online College Library System 1.0.

9.8
2023-12-30 CVE-2023-52252 Unifiedremote XXE vulnerability in Unifiedremote Unified Remote 3.13.0

Unified Remote 3.13.0 allows remote attackers to execute arbitrary Lua code because of a wildcarded Access-Control-Allow-Origin for the Remote upload endpoint.

9.8
2023-12-30 CVE-2023-41544 Jeecg Code Injection vulnerability in Jeecg Boot

SSTI injection vulnerability in jeecg-boot version 3.5.3, allows remote attackers to execute arbitrary code via crafted HTTP request to the /jmreport/loadTableData component.

9.8
2023-12-30 CVE-2023-41542 Jeecg SQL Injection vulnerability in Jeecg Boot

SQL injection vulnerability in jeecg-boot version 3.5.3, allows remote attackers to escalate privileges and obtain sensitive information via the jmreport/qurestSql component.

9.8
2023-12-30 CVE-2023-41543 Jeecg SQL Injection vulnerability in Jeecg Boot

SQL injection vulnerability in jeecg-boot v3.5.3, allows remote attackers to escalate privileges and obtain sensitive information via the component /sys/replicate/check.

9.8
2023-12-29 CVE-2023-50035 Small CRM Project SQL Injection vulnerability in Small CRM Project Small CRM 3.0

PHPGurukul Small CRM 3.0 is vulnerable to SQL Injection on the Users login panel because of "password" parameter is directly used in the SQL query without any sanitization and the SQL Injection payload being executed.

9.8
2023-12-29 CVE-2023-4541 Ween SQL Injection vulnerability in Ween Management Panel

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ween Software Admin Panel allows SQL Injection. This issue affects Admin Panel: through 20231229. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

9.8
2023-12-29 CVE-2023-4674 Yaztekteknoloji SQL Injection vulnerability in Yaztekteknoloji E-Commerce

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Yaztek Software Technologies and Computer Systems E-Commerce Software allows SQL Injection. This issue affects E-Commerce Software: through 20231229. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

9.8
2023-12-29 CVE-2023-4675 Gmbilisim SQL Injection vulnerability in Gmbilisim Multi-Disciplinary Design Optimization

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in GM Information Technologies MDO allows SQL Injection. This issue affects MDO: through 20231229. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

9.8
2023-12-29 CVE-2023-51411 Dynamiapps Unrestricted Upload of File with Dangerous Type vulnerability in Dynamiapps Frontend Admin

Unrestricted Upload of File with Dangerous Type vulnerability in Shabti Kaplan Frontend Admin by DynamiApps. This issue affects Frontend Admin by DynamiApps: from n/a through 3.18.3.

9.8
2023-12-29 CVE-2023-51412 Piotnet Unrestricted Upload of File with Dangerous Type vulnerability in Piotnet Forms

Unrestricted Upload of File with Dangerous Type vulnerability in Piotnet Piotnet Forms. This issue affects Piotnet Forms: from n/a through 1.0.25.

9.8
2023-12-29 CVE-2023-51419 Bertha Unrestricted Upload of File with Dangerous Type vulnerability in Bertha AI

Unrestricted Upload of File with Dangerous Type vulnerability in Bertha.Ai BERTHA AI.

9.8
2023-12-29 CVE-2023-51468 Boiteasite Unrestricted Upload of File with Dangerous Type vulnerability in Boiteasite Download Rencontre - Dating Site

Unrestricted Upload of File with Dangerous Type vulnerability in Jacques Malgrange Rencontre – Dating Site. This issue affects Rencontre – Dating Site: from n/a through 3.10.1.

9.8
2023-12-29 CVE-2023-51473 Pixelemu Unrestricted Upload of File with Dangerous Type vulnerability in Pixelemu Terraclassifieds

Unrestricted Upload of File with Dangerous Type vulnerability in Pixelemu TerraClassifieds – Simple Classifieds Plugin. This issue affects TerraClassifieds – Simple Classifieds Plugin: from n/a through 2.0.3.

9.8
2023-12-29 CVE-2023-51475 Wpmlmsoftware Unrestricted Upload of File with Dangerous Type vulnerability in Wpmlmsoftware WP MLM Unilevel

Unrestricted Upload of File with Dangerous Type vulnerability in IOSS WP MLM SOFTWARE PLUGIN. This issue affects WP MLM SOFTWARE PLUGIN: from n/a through 4.0.

9.8
2023-12-29 CVE-2023-51414 Donweb Deserialization of Untrusted Data vulnerability in Donweb Envialosimple:Email Marketing Y Newsletters

Deserialization of Untrusted Data vulnerability in EnvialoSimple EnvíaloSimple: Email Marketing y Newsletters. This issue affects EnvíaloSimple: Email Marketing y Newsletters: from n/a through 2.1.

9.8
2023-12-29 CVE-2023-51505 Pluginus Deserialization of Untrusted Data vulnerability in Pluginus Woot

Deserialization of Untrusted Data vulnerability in realmag777 Active Products Tables for WooCommerce.

9.8
2023-12-29 CVE-2023-25054 Carrcommunications Code Injection vulnerability in Carrcommunications Rsvpmaker

Improper Control of Generation of Code ('Code Injection') vulnerability in David F.

9.8
2023-12-29 CVE-2023-7161 Netentsec SQL Injection vulnerability in Netentsec Application Security Gateway Firmware 6.3.1

A vulnerability classified as critical has been found in Netentsec NS-ASG Application Security Gateway 6.3.1.

9.8
2023-12-29 CVE-2023-23634 Documize SQL Injection vulnerability in Documize 5.4.2

SQL Injection vulnerability in Documize version 5.4.2, allows remote attackers to execute arbitrary code via the user parameter of the /api/dashboard/activity endpoint.

9.8
2023-12-29 CVE-2023-7158 Micropython Out-of-bounds Write vulnerability in Micropython 1.21.0

A vulnerability was found in MicroPython up to 1.21.0.

9.8
2023-12-29 CVE-2023-7159 Masterlab Unrestricted Upload of File with Dangerous Type vulnerability in Masterlab

A vulnerability was found in gopeak MasterLab up to 3.3.10.

9.8
2023-12-29 CVE-2023-7156 Campcodes SQL Injection vulnerability in Campcodes Online College Library System 1.0

A vulnerability has been found in Campcodes Online College Library System 1.0 and classified as critical.

9.8
2023-12-29 CVE-2023-7157 Mayurik SQL Injection vulnerability in Mayurik Free and Open Source Inventory Management System 1.0

A vulnerability was found in SourceCodester Free and Open Source Inventory Management System 1.0 and classified as critical.

9.8
2023-12-29 CVE-2023-7152 Micropython Use After Free vulnerability in Micropython 1.21.0/1.22.0

A vulnerability, which was classified as critical, has been found in MicroPython 1.21.0/1.22.0-preview.

9.8
2023-12-29 CVE-2023-52173 Xnview Out-of-bounds Write vulnerability in Xnview Classic

XnView Classic before 2.51.3 on Windows has a Write Access Violation at xnview.exe+0x3ADBD0.

9.8
2023-12-29 CVE-2023-52174 Xnview Out-of-bounds Write vulnerability in Xnview Classic

XnView Classic before 2.51.3 on Windows has a Write Access Violation at xnview.exe+0x3125D6.

9.8
2023-12-29 CVE-2023-23424 Hihonor Unspecified vulnerability in Hihonor Nth-An00 Firmware

Some Honor products are affected by a file writing vulnerability; successful exploitation could cause code execution.

9.8
2023-12-29 CVE-2023-7147 Masterlab Unrestricted Upload of File with Dangerous Type vulnerability in Masterlab

A vulnerability, which was classified as critical, was found in gopeak MasterLab up to 3.3.10.

9.8
2023-12-29 CVE-2023-7145 Masterlab SQL Injection vulnerability in Masterlab

A vulnerability classified as critical was found in gopeak MasterLab up to 3.3.10.

9.8
2023-12-29 CVE-2023-7146 Masterlab SQL Injection vulnerability in Masterlab

A vulnerability, which was classified as critical, has been found in gopeak MasterLab up to 3.3.10.

9.8
2023-12-29 CVE-2023-7144 Masterlab SQL Injection vulnerability in Masterlab

A vulnerability classified as critical has been found in gopeak MasterLab up to 3.3.10.

9.8
2023-12-29 CVE-2023-50104 Zzcms Unrestricted Upload of File with Dangerous Type vulnerability in Zzcms 2023

ZZCMS 2023 has a file upload vulnerability in 3/E_bak5.1/upload/index.php, allowing attackers to exploit this loophole to gain server privileges and execute arbitrary code.

9.8
2023-12-29 CVE-2023-7141 Code Projects SQL Injection vulnerability in Code-Projects Client Details System 1.0

A vulnerability was found in code-projects Client Details System 1.0.

9.8
2023-12-29 CVE-2023-7142 Code Projects SQL Injection vulnerability in Code-Projects Client Details System 1.0

A vulnerability was found in code-projects Client Details System 1.0.

9.8
2023-12-28 CVE-2023-7139 Code Projects SQL Injection vulnerability in Code-Projects Client Details System 1.0

A vulnerability has been found in code-projects Client Details System 1.0 and classified as problematic.

9.8
2023-12-28 CVE-2023-7140 Code Projects SQL Injection vulnerability in Code-Projects Client Details System 1.0

A vulnerability was found in code-projects Client Details System 1.0 and classified as problematic.

9.8
2023-12-28 CVE-2023-50839 Wiselyhub SQL Injection vulnerability in Wiselyhub JS Help Desk

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in JS Help Desk JS Help Desk – Best Help Desk & Support Plugin. This issue affects JS Help Desk – Best Help Desk & Support Plugin: from n/a through 2.8.1.

9.8
2023-12-28 CVE-2023-7134 Oretnom23 Path Traversal vulnerability in Oretnom23 Medicine Tracker System 1.0

A vulnerability was found in SourceCodester Medicine Tracking System 1.0.

9.8
2023-12-28 CVE-2023-7131 Carmelogarcia SQL Injection vulnerability in Carmelogarcia Intern Membership Management System 2.0

A vulnerability was found in code-projects Intern Membership Management System 2.0 and classified as critical.

9.8
2023-12-28 CVE-2023-52082 Lycheeorg SQL Injection vulnerability in Lycheeorg Lychee

Lychee is a free photo-management tool.

9.8
2023-12-28 CVE-2023-7163 Dlink Unspecified vulnerability in Dlink D-View 8 2.0.2.89

A security issue exists in D-Link D-View 8 v2.0.2.89 and prior that could allow an attacker to manipulate the probe inventory of the D-View service.

9.8
2023-12-28 CVE-2023-7127 Code Projects SQL Injection vulnerability in Code-Projects Automated Voting System 1.0

A vulnerability classified as critical was found in code-projects Automated Voting System 1.0.

9.8
2023-12-28 CVE-2023-32513 Givewp Deserialization of Untrusted Data vulnerability in Givewp

Deserialization of Untrusted Data vulnerability in GiveWP GiveWP – Donation Plugin and Fundraising Platform. This issue affects GiveWP – Donation Plugin and Fundraising Platform: from n/a through 2.25.3.

9.8
2023-12-28 CVE-2023-4671 Talentyazilim SQL Injection vulnerability in Talentyazilim Ecop 32255

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Talent Software ECOP allows Command Line Execution through SQL Injection. This issue affects ECOP: before 32255.

9.8
2023-12-28 CVE-2023-7123 Oretnom SQL Injection vulnerability in Oretnom Medicine Tracker System 1.0

A vulnerability, which was classified as critical, has been found in SourceCodester Medicine Tracking System 1.0.

9.8
2023-12-27 CVE-2023-6879 Aomedia, Fedoraproject Out-of-bounds Write vulnerability in multiple products

Increasing the resolution of video frames, while performing a multi-threaded encode, can result in a heap overflow in av1_loop_restoration_dealloc().

9.8
2023-12-27 CVE-2023-49000 Artistscope Code Injection vulnerability in Artistscope Artisbrowser

An issue in ArtistScope ArtisBrowser v.34.1.5 and before allows an attacker to bypass intended access restrictions via interaction with the com.artis.browser.IntentReceiverActivity component.

9.8
2023-12-27 CVE-2023-49001 Indibrowser Code Injection vulnerability in Indibrowser Indi Browser 12.11.23

An issue in Indi Browser (aka kvbrowser) v.12.11.23 allows an attacker to bypass intended access restrictions via interaction with the com.example.gurry.kvbrowswer.webview component.

9.8
2023-12-27 CVE-2023-43481 TCL Code Injection vulnerability in TCL Browser TV web - Browsehere 6.65.022Dab24Cc6231221Gp

An issue in Shenzhen TCL Browser TV Web BrowseHere (aka com.tcl.browser) 6.65.022_dab24cc6_231221_gp allows a remote attacker to execute arbitrary JavaScript code via the com.tcl.browser.portal.browse.activity.BrowsePageActivity component.

9.8
2023-12-27 CVE-2023-43955 Fedirtsapana Code Injection vulnerability in Fedirtsapana TV BRO

The com.phlox.tvwebbrowser TV Bro application through 2.0.0 for Android mishandles external intents through WebView.

9.8
2023-12-27 CVE-2023-47883 Vladymix Code Injection vulnerability in Vladymix TV Browser

The com.altamirano.fabricio.tvbrowser TV browser application through 4.5.1 for Android is vulnerable to JavaScript code execution via an explicit intent due to an exposed MainActivity.

9.8
2023-12-27 CVE-2023-51084 Yavijava Out-of-bounds Write vulnerability in Yavijava 6.0.07.1

hyavijava v6.0.07.1 was discovered to contain a stack overflow via the ResultConverter.convert2Xml method.

9.8
2023-12-27 CVE-2023-52077 Nexryai Incorrect Authorization vulnerability in Nexryai Nexkey

Nexkey is a lightweight fork of Misskey v12 optimized for small to medium size servers.

9.8
2023-12-27 CVE-2023-51700 Jamieblomerus Deserialization of Untrusted Data vulnerability in Jamieblomerus Unofficial Mobile Bankid Integration

Unofficial Mobile BankID Integration for WordPress lets users employ Mobile BankID to authenticate themselves on your WordPress site.

9.8
2023-12-27 CVE-2023-51664 TJ Actions Command Injection vulnerability in Tj-Actions Changed-Files

tj-actions/changed-files is a Github action to retrieve all files and directories.

9.8
2023-12-27 CVE-2023-7116 Datax WEB Project OS Command Injection vulnerability in Datax-Web Project Datax-Web 2.1.2

A vulnerability, which was classified as critical, has been found in WeiYe-Jing datax-web 2.1.2.

9.8
2023-12-27 CVE-2023-6190 Ikcu Path Traversal vulnerability in Ikcu University Information Management System

Improper Input Validation vulnerability in Izmir Katip Çelebi University University Information Management System allows Absolute Path Traversal. This issue affects University Information Management System: before 30.11.2023.

9.8
2023-12-26 CVE-2023-5991 Motopress Path Traversal vulnerability in Motopress Hotel Booking Lite

The Hotel Booking Lite WordPress plugin before 4.8.5 does not validate file paths provided via user input, and also lacks proper CSRF and authorisation checks, allowing unauthenticated users to download and delete arbitrary files on the server.

9.8
2023-12-26 CVE-2023-51090 Tenda Out-of-bounds Write vulnerability in Tenda M3 Firmware 1.0.0.12(4856)

Tenda M3 V1.0.0.12(4856) was discovered to contain a stack overflow via the function formGetWeiXinConfig.

9.8
2023-12-26 CVE-2023-51091 Tenda Out-of-bounds Write vulnerability in Tenda M3 Firmware 1.0.0.12(4856)

Tenda M3 V1.0.0.12(4856) was discovered to contain a stack overflow via the function R7WebsSecurityHandler.

9.8
2023-12-26 CVE-2023-51092 Tenda Out-of-bounds Write vulnerability in Tenda M3 Firmware 1.0.0.12(4856)

Tenda M3 V1.0.0.12(4856) was discovered to contain a stack overflow via the function upgrade.

9.8
2023-12-26 CVE-2023-51093 Tenda Out-of-bounds Write vulnerability in Tenda M3 Firmware 1.0.0.12(4856)

Tenda M3 V1.0.0.12(4856) was discovered to contain a stack overflow via the function fromSetLocalVlanInfo.

9.8
2023-12-26 CVE-2023-51094 Tenda OS Command Injection vulnerability in Tenda M3 Firmware 1.0.0.12(4856)

Tenda M3 V1.0.0.12(4856) was discovered to contain a Command Execution vulnerability via the function TendaTelnet.

9.8
2023-12-26 CVE-2023-51097 Tenda Out-of-bounds Write vulnerability in Tenda W9 Firmware 1.0.0.7(4456)Cn

Tenda W9 V1.0.0.7(4456)_CN was discovered to contain a stack overflow via the function formSetAutoPing.

9.8
2023-12-26 CVE-2023-51098 Tenda OS Command Injection vulnerability in Tenda W9 Firmware 1.0.0.7(4456)Cn

Tenda W9 V1.0.0.7(4456)_CN was discovered to contain a command injection vulnerability via the function formSetDiagnoseInfo.

9.8
2023-12-26 CVE-2023-51099 Tenda OS Command Injection vulnerability in Tenda W9 Firmware 1.0.0.7(4456)Cn

Tenda W9 V1.0.0.7(4456)_CN was discovered to contain a command injection vulnerability via the function formexeCommand.

9.8
2023-12-26 CVE-2023-51100 Tenda OS Command Injection vulnerability in Tenda W9 Firmware 1.0.0.7(4456)Cn

Tenda W9 V1.0.0.7(4456)_CN was discovered to contain a command injection vulnerability via the function formGetDiagnoseInfo.

9.8
2023-12-26 CVE-2023-51101 Tenda Out-of-bounds Write vulnerability in Tenda W9 Firmware 1.0.0.7(4456)Cn

Tenda W9 V1.0.0.7(4456)_CN was discovered to contain a stack overflow via the function formSetUplinkInfo.

9.8
2023-12-26 CVE-2023-51102 Tenda Out-of-bounds Write vulnerability in Tenda W9 Firmware 1.0.0.7(4456)Cn

Tenda W9 V1.0.0.7(4456)_CN was discovered to contain a stack overflow via the function formWifiMacFilterSet.

9.8
2023-12-26 CVE-2023-51095 Tenda Out-of-bounds Write vulnerability in Tenda M3 Firmware 1.0.0.12(4856)

Tenda M3 V1.0.0.12(4856) was discovered to contain a stack overflow via the function formDelWlRfPolicy.

9.8
2023-12-26 CVE-2023-51467 Apache Server-Side Request Forgery (SSRF) vulnerability in Apache Ofbiz

The vulnerability permits attackers to circumvent authentication processes, enabling them to remotely execute arbitrary code.

9.8
2023-12-26 CVE-2023-7111 Fabianros SQL Injection vulnerability in Fabianros Library Management System 2.0

A vulnerability, which was classified as critical, was found in code-projects Library Management System 2.0.

9.8
2023-12-25 CVE-2022-34267 RWS Improper Authentication vulnerability in RWS Worldserver

An issue was discovered in RWS WorldServer before 11.7.3.

9.8
2023-12-25 CVE-2022-34268 RWS Deserialization of Untrusted Data vulnerability in RWS Worldserver

An issue was discovered in RWS WorldServer before 11.7.3.

9.8
2023-12-25 CVE-2023-31224 Jamf Improper Authentication vulnerability in Jamf

There is broken access control during authentication in Jamf Pro Server before 10.46.1.

9.8
2023-12-25 CVE-2023-49954 3CX SQL Injection vulnerability in 3CX

The CRM Integration in 3CX before 18.0.9.23 and 20 before 20.0.0.1494 allows SQL Injection via a first name, search string, or email address.

9.8
2023-12-25 CVE-2023-48654 Oneidentity Unspecified vulnerability in Oneidentity Password Manager

One Identity Password Manager before 5.13.1 allows Kiosk Escape.

9.8
2023-12-25 CVE-2023-51771 Starnight Classic Buffer Overflow vulnerability in Starnight Micro Http Server

In MicroHttpServer (aka Micro HTTP Server) through a8ab029, _ParseHeader in lib/server.c allows a one-byte recv buffer overflow via a long URI.

9.8
2023-12-25 CVE-2023-7099 Phpgurukul SQL Injection vulnerability in PHPgurukul Nipah Virus Testing Management System 1.0

A vulnerability, which was classified as critical, has been found in PHPGurukul Nipah Virus Testing Management System 1.0.

9.8
2023-12-25 CVE-2023-7100 Phpgurukul SQL Injection vulnerability in PHPgurukul Restaurant Table Booking System 1.0

A vulnerability, which was classified as critical, was found in PHPGurukul Restaurant Table Booking System 1.0.

9.8
2023-12-25 CVE-2023-7097 Fabianros SQL Injection vulnerability in Fabianros Water Billing System 1.0

A vulnerability classified as critical has been found in code-projects Water Billing System 1.0.

9.8
2023-12-25 CVE-2023-7095 Totolink Classic Buffer Overflow vulnerability in Totolink A7100Ru Firmware 7.4Cu.2313B20191024

A vulnerability, which was classified as critical, has been found in Totolink A7100RU 7.4cu.2313_B20191024.

9.8
2023-12-25 CVE-2023-7096 Carmelogarcia SQL Injection vulnerability in Carmelogarcia Faculty Management System 1.0

A vulnerability was found in code-projects Faculty Management System 1.0.

9.8
2023-12-29 CVE-2023-52139 Misskey Improper Authorization vulnerability in Misskey

Misskey is an open source, decentralized social media platform.

9.6

191 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2023-12-31 CVE-2023-52133 Whiletrue SQL Injection vulnerability in Whiletrue Most and Least Read Posts Widget

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WhileTrue Most And Least Read Posts Widget. This issue affects Most And Least Read Posts Widget: from n/a through 2.5.16.

8.8
2023-12-31 CVE-2023-7190 S CMS SQL Injection vulnerability in S-Cms 1.0/1.5/2.0

A vulnerability, which was classified as critical, has been found in S-CMS up to 2.0_build20220529-20231006.

8.8
2023-12-31 CVE-2023-7191 S CMS SQL Injection vulnerability in S-Cms 1.0/1.5/2.0

A vulnerability, which was classified as critical, was found in S-CMS up to 2.0_build20220529-20231006.

8.8
2023-12-31 CVE-2023-7189 S CMS SQL Injection vulnerability in S-Cms 1.0/1.5/2.0

A vulnerability classified as critical was found in S-CMS up to 2.0_build20220529-20231006.

8.8
2023-12-31 CVE-2023-7187 Totolink Stack-based Buffer Overflow vulnerability in Totolink N350Rt Firmware 9.3.5U.6139B20201216

A vulnerability was found in Totolink N350RT 9.3.5u.6139_B20201216.

8.8
2023-12-31 CVE-2023-7186 7 Card SQL Injection vulnerability in 7-Card Fakabao 1.0

A vulnerability was found in 7-card Fakabao up to 1.0_build20230805.

8.8
2023-12-31 CVE-2023-7185 7 Card SQL Injection vulnerability in 7-Card Fakabao 1.0

A vulnerability was found in 7-card Fakabao up to 1.0_build20230805.

8.8
2023-12-31 CVE-2023-49777 Yithemes Deserialization of Untrusted Data vulnerability in Yithemes Yith Woocommerce Product Add-Ons

Deserialization of Untrusted Data vulnerability in YITH YITH WooCommerce Product Add-Ons. This issue affects YITH WooCommerce Product Add-Ons: from n/a through 4.3.0.

8.8
2023-12-31 CVE-2023-7183 7 Card SQL Injection vulnerability in 7-Card Fakabao 1.0

A vulnerability has been found in 7-card Fakabao up to 1.0_build20230805 and classified as critical.

8.8
2023-12-31 CVE-2023-7184 7 Card SQL Injection vulnerability in 7-Card Fakabao 1.0

A vulnerability was found in 7-card Fakabao up to 1.0_build20230805 and classified as critical.

8.8
2023-12-31 CVE-2023-39157 Crocoblock Code Injection vulnerability in Crocoblock Jetelements

Improper Control of Generation of Code ('Code Injection') vulnerability in Crocoblock JetElements For Elementor. This issue affects JetElements For Elementor: from n/a through 2.6.10.

8.8
2023-12-31 CVE-2023-52182 ARI Soft Deserialization of Untrusted Data vulnerability in Ari-Soft ARI Stream Quiz

Deserialization of Untrusted Data vulnerability in ARI Soft ARI Stream Quiz – WordPress Quizzes Builder. This issue affects ARI Stream Quiz – WordPress Quizzes Builder: from n/a through 1.3.0.

8.8
2023-12-31 CVE-2023-7130 Carmelogarcia SQL Injection vulnerability in Carmelogarcia College Notes Gallery 2.0

A vulnerability has been found in code-projects College Notes Gallery 2.0 and classified as critical.

8.8
2023-12-30 CVE-2023-49299 Apache Improper Input Validation vulnerability in Apache Dolphinscheduler

Improper Input Validation vulnerability in Apache DolphinScheduler.

8.8
2023-12-30 CVE-2023-7179 Online College Library System Project SQL Injection vulnerability in Online College Library System Project Online College Library System 1.0

A vulnerability, which was classified as critical, was found in Campcodes Online College Library System 1.0.

8.8
2023-12-30 CVE-2023-7176 Online College Library System Project SQL Injection vulnerability in Online College Library System Project Online College Library System 1.0

A vulnerability classified as critical has been found in Campcodes Online College Library System 1.0.

8.8
2023-12-30 CVE-2023-7177 Online College Library System Project SQL Injection vulnerability in Online College Library System Project Online College Library System 1.0

A vulnerability classified as critical was found in Campcodes Online College Library System 1.0.

8.8
2023-12-30 CVE-2018-25096 Petrk94 Cross-Site Request Forgery (CSRF) vulnerability in Petrk94 Ownhealthrecord

A vulnerability was found in MdAlAmin-aol Own Health Record 0.1-alpha/0.2-alpha/0.3-alpha/0.3.1-alpha.

8.8
2023-12-29 CVE-2023-50070 Oretnom23 SQL Injection vulnerability in Oretnom23 Customer Support System 1.0

Sourcecodester Customer Support System 1.0 has multiple SQL injection vulnerabilities in /customer_support/ajax.php?action=save_ticket via department_id, customer_id, and subject.

8.8
2023-12-29 CVE-2023-50071 Customer Support System Project SQL Injection vulnerability in Customer Support System Project Customer Support System 1.0

Sourcecodester Customer Support System 1.0 has multiple SQL injection vulnerabilities in /customer_support/ajax.php?action=save_department via id or name.

8.8
2023-12-29 CVE-2023-52137 TJ Actions Command Injection vulnerability in Tj-Actions Verify-Changed-Files

The [`tj-actions/verify-changed-files`](https://github.com/tj-actions/verify-changed-files) action allows for command injection in changed filenames, allowing an attacker to execute arbitrary code and potentially leak secrets.

8.8
2023-12-29 CVE-2023-47804 Apache Argument Injection or Modification vulnerability in Apache Openoffice

Apache OpenOffice documents can contain links that call internal macros with arbitrary arguments.

8.8
2023-12-29 CVE-2023-51410 Wpvibes Unrestricted Upload of File with Dangerous Type vulnerability in Wpvibes WP Mail LOG

Unrestricted Upload of File with Dangerous Type vulnerability in WPVibes WP Mail Log. This issue affects WP Mail Log: from n/a through 1.1.2.

8.8
2023-12-29 CVE-2023-51417 Jorisvm Unrestricted Upload of File with Dangerous Type vulnerability in Jorisvm JVM Gutenberg Rich Text Icons

Unrestricted Upload of File with Dangerous Type vulnerability in Joris van Montfort JVM Gutenberg Rich Text Icons. This issue affects JVM Gutenberg Rich Text Icons: from n/a through 1.2.3.

8.8
2023-12-29 CVE-2023-51421 Soft8Soft Unrestricted Upload of File with Dangerous Type vulnerability in Soft8Soft Verge3D

Unrestricted Upload of File with Dangerous Type vulnerability in Soft8Soft LLC Verge3D Publishing and E-Commerce. This issue affects Verge3D Publishing and E-Commerce: from n/a through 4.5.2.

8.8
2023-12-29 CVE-2023-50878 Inspireui Cross-Site Request Forgery (CSRF) vulnerability in Inspireui Mstore API

Cross-Site Request Forgery (CSRF) vulnerability in InspireUI MStore API. This issue affects MStore API: from n/a through 4.10.1.

8.8
2023-12-29 CVE-2023-50902 Wpexperts Cross-Site Request Forgery (CSRF) vulnerability in Wpexperts NEW User Approve

Cross-Site Request Forgery (CSRF) vulnerability in WPExpertsio New User Approve. This issue affects New User Approve: from n/a through 2.5.1.

8.8
2023-12-29 CVE-2023-51354 Webba Booking Cross-Site Request Forgery (CSRF) vulnerability in Webba-Booking Webba Booking

Cross-Site Request Forgery (CSRF) vulnerability in WebbaPlugins Appointment & Event Booking Calendar Plugin – Webba Booking. This issue affects Appointment & Event Booking Calendar Plugin – Webba Booking: from n/a through 4.5.33.

8.8
2023-12-29 CVE-2023-51358 Brightplugins Cross-Site Request Forgery (CSRF) vulnerability in Brightplugins Block IPS for Gravity Forms

Cross-Site Request Forgery (CSRF) vulnerability in Bright Plugins Block IPs for Gravity Forms. This issue affects Block IPs for Gravity Forms: from n/a through 1.0.1.

8.8
2023-12-29 CVE-2023-51378 Eaglevisionit Cross-Site Request Forgery (CSRF) vulnerability in Eaglevisionit Rise Blocks

Cross-Site Request Forgery (CSRF) vulnerability in Rise Themes Rise Blocks – A Complete Gutenberg Page Builder. This issue affects Rise Blocks – A Complete Gutenberg Page Builder: from n/a through 3.1.

8.8
2023-12-29 CVE-2023-51422 Saleswonder Deserialization of Untrusted Data vulnerability in Saleswonder Webinarignition

Deserialization of Untrusted Data vulnerability in Saleswonder Team Webinar Plugin: Create live/evergreen/automated/instant webinars, stream & Zoom Meetings | WebinarIgnition. This issue affects Webinar Plugin: Create live/evergreen/automated/instant webinars, stream & Zoom Meetings | WebinarIgnition: from n/a through 3.05.0.

8.8
2023-12-29 CVE-2023-51470 Boiteasite Deserialization of Untrusted Data vulnerability in Boiteasite Rencontre

Deserialization of Untrusted Data vulnerability in Jacques Malgrange Rencontre – Dating Site. This issue affects Rencontre – Dating Site: from n/a through 3.11.1.

8.8
2023-12-29 CVE-2023-51545 Themehigh Deserialization of Untrusted Data vulnerability in Themehigh JOB Manager & Career

Cross-Site Request Forgery (CSRF), Deserialization of Untrusted Data vulnerability in ThemeHigh Job Manager & Career – Manage job board listings, and recruitments. This issue affects Job Manager & Career – Manage job board listings, and recruitments: from n/a through 1.4.4.

8.8
2023-12-29 CVE-2023-7114 Mattermost Path Traversal vulnerability in Mattermost

Mattermost version 2.10.0 and earlier fails to sanitize deeplink paths, which allows an attacker to perform CSRF attacks against the server.

8.8
2023-12-29 CVE-2023-44088 Pandorafms SQL Injection vulnerability in Pandorafms Pandora FMS

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Pandora FMS on all allows SQL Injection. Arbitrary SQL queries were allowed to be executed using any account with low privileges. This issue affects Pandora FMS: from 700 through 774.

8.8
2023-12-29 CVE-2023-51402 Brainstormforce Cross-Site Request Forgery (CSRF) vulnerability in Brainstormforce Ultimate Addons for Wpbakery Page Builder 3.19.14/3.19.15

Cross-Site Request Forgery (CSRF) vulnerability in Brain Storm Force Ultimate Addons for WPBakery Page Builder. This issue affects Ultimate Addons for WPBakery Page Builder: from n/a through 3.19.17.

8.8
2023-12-29 CVE-2023-49830 Brainstormforce Code Injection vulnerability in Brainstormforce Astra

Improper Control of Generation of Code ('Code Injection') vulnerability in Brainstorm Force Astra Pro. This issue affects Astra Pro: from n/a through 4.3.1.

8.8
2023-12-29 CVE-2023-51420 Soft8Soft Code Injection vulnerability in Soft8Soft Verge3D

Improper Control of Generation of Code ('Code Injection') vulnerability in Soft8Soft LLC Verge3D Publishing and E-Commerce. This issue affects Verge3D Publishing and E-Commerce: from n/a through 4.5.2.

8.8
2023-12-29 CVE-2023-22676 Andersthorborg Missing Authorization vulnerability in Andersthorborg Advanced Custom Fields:Image Crop Add-On

Missing Authorization vulnerability in Anders Thorborg. This issue affects Anders Thorborg: from n/a through 1.4.12.

8.8
2023-12-29 CVE-2023-22677 Binarystash Code Injection vulnerability in Binarystash WP Booklet

Improper Control of Generation of Code ('Code Injection') vulnerability in BinaryStash WP Booklet. This issue affects WP Booklet: from n/a through 2.1.8.

8.8
2023-12-29 CVE-2023-32095 Milandinic Code Injection vulnerability in Milandinic Rename Media Files 1.0.1

Improper Control of Generation of Code ('Code Injection') vulnerability in Milan Dinic Rename Media Files. This issue affects Rename Media Files: from n/a through 1.0.1.

8.8
2023-12-29 CVE-2023-46623 Wpvnteam Code Injection vulnerability in Wpvnteam WP Extra

Improper Control of Generation of Code ('Code Injection') vulnerability in TienCOP WP EXtra. This issue affects WP EXtra: from n/a through 6.2.

8.8
2023-12-29 CVE-2023-47840 Qodeinteractive Code Injection vulnerability in Qodeinteractive Qode Essential Addons

Improper Control of Generation of Code ('Code Injection') vulnerability in Qode Interactive Qode Essential Addons. This issue affects Qode Essential Addons: from n/a through 1.5.2.

8.8
2023-12-29 CVE-2023-7155 Mayurik SQL Injection vulnerability in Mayurik Free and Open Source Inventory Management System 1.0

A vulnerability, which was classified as critical, was found in SourceCodester Free and Open Source Inventory Management System 1.0.

8.8
2023-12-29 CVE-2023-7150 Campcodes Unrestricted Upload of File with Dangerous Type vulnerability in Campcodes Chic Beauty Salon 20230703

A vulnerability classified as critical was found in Campcodes Chic Beauty Salon 20230703.

8.8
2023-12-28 CVE-2023-7137 Code Projects SQL Injection vulnerability in Code-Projects Client Details System 1.0

A vulnerability, which was classified as critical, has been found in code-projects Client Details System 1.0.

8.8
2023-12-28 CVE-2023-7138 Code Projects SQL Injection vulnerability in Code-Projects Client Details System 1.0

A vulnerability, which was classified as critical, was found in code-projects Client Details System 1.0.

8.8
2023-12-28 CVE-2023-50840 Oplugins SQL Injection vulnerability in Oplugins Booking Manager

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpdevelop, oplugins Booking Manager. This issue affects Booking Manager: from n/a through 2.1.5.

8.8
2023-12-28 CVE-2023-50841 Reputeinfosystems SQL Injection vulnerability in Reputeinfosystems Bookingpress

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Repute Infosystems BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin. This issue affects BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin: from n/a through 1.0.72.

8.8
2023-12-28 CVE-2023-50842 MF GIG Calendar Project SQL Injection vulnerability in MF GIG Calendar Project MF GIG Calendar

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Matthew Fries MF Gig Calendar. This issue affects MF Gig Calendar: from n/a through 1.2.1.

8.8
2023-12-28 CVE-2023-7129 Code Projects SQL Injection vulnerability in Code-Projects Voting System 1.0

A vulnerability, which was classified as critical, was found in code-projects Voting System 1.0.

8.8
2023-12-28 CVE-2023-46987 Seacms Code Injection vulnerability in Seacms 12.9

SeaCMS v12.9 was discovered to contain a remote code execution (RCE) vulnerability via the component /augap/adminip.php.

8.8
2023-12-28 CVE-2023-7128 Code Projects SQL Injection vulnerability in Code-Projects Voting System 1.0

A vulnerability, which was classified as critical, has been found in code-projects Voting System 1.0.

8.8
2023-12-28 CVE-2023-7126 Code Projects SQL Injection vulnerability in Code-Projects Automated Voting System 1.0

A vulnerability classified as critical has been found in code-projects Automated Voting System 1.0.

8.8
2023-12-28 CVE-2023-36381 Gesundheit Bewegt Deserialization of Untrusted Data vulnerability in Gesundheit-Bewegt Zippy

Deserialization of Untrusted Data vulnerability in Gesundheit Bewegt GmbH Zippy. This issue affects Zippy: from n/a through 1.6.5.

8.8
2023-12-28 CVE-2023-50858 Billminozzi Cross-Site Request Forgery (CSRF) vulnerability in Billminozzi Anti Hacker 4.34

Cross-Site Request Forgery (CSRF) vulnerability in Bill Minozzi Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan. This issue affects Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan: from n/a through 4.34.

8.8
2023-12-28 CVE-2023-50873 Infolific Cross-Site Request Forgery (CSRF) vulnerability in Infolific ADD ANY Extension to Pages

Cross-Site Request Forgery (CSRF) vulnerability in Marios Alexandrou Add Any Extension to Pages. This issue affects Add Any Extension to Pages: from n/a through 1.4.

8.8
2023-12-28 CVE-2023-50038 Textpattern Unrestricted Upload of File with Dangerous Type vulnerability in Textpattern 4.8.8

There is an arbitrary file upload vulnerability in the background of textpattern cms v4.8.8, which leads to the loss of server permissions.

8.8
2023-12-28 CVE-2023-50692 Jizhicms Unrestricted Upload of File with Dangerous Type vulnerability in Jizhicms 2.5

File Upload vulnerability in JIZHICMS v.2.5, allows remote attacker to execute arbitrary code via a crafted file uploaded and downloaded to the download_url parameter in the app/admin/exts/ directory.

8.8
2023-12-28 CVE-2023-49230 Peplink Missing Authorization vulnerability in Peplink Balance TWO Firmware 8.1.0

An issue was discovered in Peplink Balance Two before 8.4.0.

8.8
2023-12-27 CVE-2023-40038 Arris Improper Authentication vulnerability in Arris Dg1670A Firmware and Dg860A Firmware

Arris DG860A and DG1670A devices have predictable default WPA2 PSKs that could lead to unauthorized remote access.

8.8
2023-12-26 CVE-2023-5645 Wpvibes SQL Injection vulnerability in Wpvibes WP Mail LOG

The WP Mail Log WordPress plugin before 1.1.3 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as Contributor.

8.8
2023-12-26 CVE-2023-5673 Wpvibes Unrestricted Upload of File with Dangerous Type vulnerability in Wpvibes WP Mail LOG

The WP Mail Log WordPress plugin before 1.1.3 does not properly validate file extensions uploading files to attach to emails, allowing attackers to upload PHP files, leading to remote code execution.

8.8
2023-12-26 CVE-2023-5674 Wpvibes SQL Injection vulnerability in Wpvibes WP Mail LOG

The WP Mail Log WordPress plugin before 1.1.3 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by users with a role as low as Contributor.

8.8
2023-12-26 CVE-2023-5931 Rtcamp Unrestricted Upload of File with Dangerous Type vulnerability in Rtcamp Rtmedia

The rtMedia for WordPress, BuddyPress and bbPress WordPress plugin before 4.6.16 does not validate files to be uploaded, which could allow attackers with a low-privilege account (e.g.

8.8
2023-12-26 CVE-2012-10017 Bestwebsoft Cross-Site Request Forgery (CSRF) vulnerability in Bestwebsoft Portfolio

A vulnerability was found in BestWebSoft Portfolio Plugin up to 2.04 on WordPress.

8.8
2023-12-25 CVE-2023-28872 NCP E Link Following vulnerability in Ncp-E Secure Enterprise Client 10.14/10.15/12.22

Support Assistant in NCP Secure Enterprise Client before 13.10 allows attackers to execute DLL files with SYSTEM privileges by creating a symbolic link from a %LOCALAPPDATA%\Temp\NcpSupport* location.

8.8
2023-12-25 CVE-2022-39818 Nokia OS Command Injection vulnerability in Nokia Network Functions Manager for Transport 19.9

In NOKIA NFM-T R19.9, an OS Command Injection vulnerability occurs in /cgi-bin/R19.9/log.pl of the VM Manager WebUI via the cmd HTTP GET parameter.

8.8
2023-12-25 CVE-2022-39822 Nokia SQL Injection vulnerability in Nokia Network Functions Manager for Transport 19.9

In NOKIA NFM-T R19.9, a SQL Injection vulnerability occurs in /cgi-bin/R19.9/easy1350.pl of the VM Manager WebUI via the id or host HTTP GET parameter.

8.8
2023-12-25 CVE-2023-51772 Oneidentity Insufficient Session Expiration vulnerability in Oneidentity Password Manager

One Identity Password Manager before 5.13.1 allows Kiosk Escape.

8.8
2023-12-31 CVE-2023-7193 Mtab Unspecified vulnerability in Mtab Bookmark

A vulnerability was found in MTab Bookmark up to 1.2.6 and classified as critical.

8.1
2023-12-31 CVE-2023-7188 Fahuo100 SQL Injection vulnerability in Fahuo100 1.1

A vulnerability classified as critical has been found in Shipping 100 Fahuo100 up to 1.1.

8.1
2023-12-31 CVE-2023-52180 Really Simple Plugins SQL Injection vulnerability in Really-Simple-Plugins Recipe Maker for Your Food Blog From ZIP Recipes

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Really Simple Plugins Recipe Maker For Your Food Blog from Zip Recipes. This issue affects Recipe Maker For Your Food Blog from Zip Recipes: from n/a through 8.1.0.

8.1
2023-12-29 CVE-2023-7078 Cloudflare Server-Side Request Forgery (SSRF) vulnerability in Cloudflare Miniflare

Sending specially crafted HTTP requests to Miniflare's server could result in arbitrary HTTP and WebSocket requests being sent from the server.

8.1
2023-12-29 CVE-2023-7148 Shifuml Code Injection vulnerability in Shifuml Shifu 0.12.0

A vulnerability has been found in ShifuML shifu 0.12.0 and classified as critical.

8.1
2023-12-26 CVE-2023-52086 Startutorial Unrestricted Upload of File with Dangerous Type vulnerability in Startutorial PHP Backend for Resumable.Js 0.1.4

resumable.php (aka PHP backend for resumable.js) 0.1.4 before 3c6dbf5 allows arbitrary file upload anywhere in the filesystem via ../ in multipart/form-data content to upload.php.

8.1
2023-12-26 CVE-2023-49949 Passwork Incorrect Authorization vulnerability in Passwork 4.6.13/5.0.9

Passwork before 6.2.0 allows remote authenticated users to bypass 2FA by sending all one million of the possible 6-digit codes.

8.1
2023-12-29 CVE-2023-7080 Cloudflare Unspecified vulnerability in Cloudflare Wrangler

The V8 inspector intentionally allows arbitrary code execution within the Workers sandbox for debugging.

8.0
2023-12-31 CVE-2023-52277 Royalapps Out-of-bounds Write vulnerability in Royalapps Royaltsx

Royal RoyalTSX before 6.0.2.1 allows attackers to cause a denial of service (Heap Memory Corruption and application crash) or possibly have unspecified other impact via a long hostname in an RTSZ file, if the victim clicks on Test Connection.

7.8
2023-12-30 CVE-2022-46487 Scontain Improper Initialization vulnerability in Scontain Scone

Improper initialization of x87 and SSE floating-point configuration registers in the __scone_entry component of SCONE before 5.8.0 for Intel SGX allows a local attacker to compromise the execution integrity of floating-point operations in an enclave or access sensitive information via side-channel analysis.

7.8
2023-12-29 CVE-2020-17163 Microsoft Unspecified vulnerability in Microsoft Python Extension

Visual Studio Code Python Extension Remote Code Execution Vulnerability

7.8
2023-12-29 CVE-2023-50571 Jeasy Unspecified vulnerability in Jeasy Easy Rules 4.1.0

easy-rules-mvel v4.1.0 was discovered to contain a remote code execution (RCE) vulnerability via the component MVELRule.

7.8
2023-12-29 CVE-2023-51434 Hihonor Classic Buffer Overflow vulnerability in Hihonor Magic UI

Some Honor products are affected by buffer overflow vulnerability, successful exploitation could cause code execution.

7.8
2023-12-28 CVE-2023-46989 Innovadeluxe SQL Injection vulnerability in Innovadeluxe Quick Order

SQL Injection vulnerability in the Innovadeluxe Quick Order module for PrestaShop before v.1.4.0, allows local attackers to execute arbitrary code via the getProducts() function in the productlist.php file.

7.8
2023-12-28 CVE-2023-50445 GL Inet OS Command Injection vulnerability in Gl-Inet products

Shell Injection vulnerability in GL.iNet A1300 v4.4.6, AX1800 v4.4.6, AXT1800 v4.4.6, MT3000 v4.4.6, MT2500 v4.4.6, MT6000 v4.5.0, MT1300 v4.3.7, MT300N-V2 v4.3.7, AR750S v4.3.7, AR750 v4.3.7, AR300M v4.3.7, and B1300 v4.3.7 allows local attackers to execute arbitrary code via the get_system_log and get_crash_log functions of the logread module, as well as the upgrade_online function of the upgrade module.

7.8
2023-12-27 CVE-2023-50255 Deepin Path Traversal: '/dir/../filename' vulnerability in Deepin Deepin-Compressor

Deepin-Compressor is the default archive manager of Deepin Linux OS.

7.8
2023-12-26 CVE-2023-5180 Opendesign Out-of-bounds Write vulnerability in Opendesign Drawings SDK

An issue was discovered in Open Design Alliance Drawings SDK before 2024.12.

7.8
2023-12-26 CVE-2023-46681 Buffalo Argument Injection or Modification vulnerability in Buffalo Vr-S1000 Firmware

Improper neutralization of argument delimiters in a command ('Argument Injection') vulnerability in VR-S1000 firmware Ver.

7.8
2023-12-25 CVE-2023-43064 IBM Uncontrolled Search Path Element vulnerability in IBM I

Facsimile Support for IBM i 7.2, 7.3, 7.4, and 7.5 could allow a local user to gain elevated privileges due to an unqualified library call.

7.8
2023-12-25 CVE-2023-7093 Kylinos OS Command Injection vulnerability in Kylinos Kylin-System-Updater

A vulnerability classified as critical has been found in KylinSoft kylin-system-updater up to 2.0.5.16-0k2.33.

7.8
2023-12-30 CVE-2023-6998 Coolkit Unspecified vulnerability in Coolkit Ewelink

Improper privilege management vulnerability in CoolKit Technology eWeLink on Android and iOS allows application lockscreen bypass. This issue affects eWeLink before 5.2.0.

7.7
2023-12-29 CVE-2023-4468 Poly Missing Authorization vulnerability in Poly Lens, Trio 8800 Firmware and Trio C60

A vulnerability was found in Poly Trio 8500, Trio 8800 and Trio C60.

7.6
2023-12-26 CVE-2023-5644 Wpvibes Incorrect Authorization vulnerability in Wpvibes WP Mail LOG

The WP Mail Log WordPress plugin before 1.1.3 does not correctly authorize its REST API endpoints, allowing users with the Contributor role to view and delete data that should only be accessible to Admin users.

7.6
2023-12-31 CVE-2023-51503 Automattic Authorization Bypass Through User-Controlled Key vulnerability in Automattic Woopayments

Authorization Bypass Through User-Controlled Key vulnerability in Automattic WooPayments – Fully Integrated Solution Built and Supported by Woo. This issue affects WooPayments – Fully Integrated Solution Built and Supported by Woo: from n/a through 6.9.2.

7.5
2023-12-31 CVE-2023-52185 Everestthemes Unspecified vulnerability in Everestthemes Everest Backup

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Everestthemes Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin. This issue affects Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin: from n/a through 2.1.9.

7.5
2023-12-31 CVE-2021-46901 Cetic Out-of-bounds Write vulnerability in Cetic Cetic-6Lbr 1.5.0

examples/6lbr/apps/6lbr-webserver/httpd.c in CETIC-6LBR (aka 6lbr) 1.5.0 has a strcat stack-based buffer overflow via a request for a long URL over a 6LoWPAN network.

7.5
2023-12-31 CVE-2023-52286 Tencent Unspecified vulnerability in Tencent Distributed SQL 1.8.5

Tencent tdsqlpcloud through 1.8.5 allows unauthenticated remote attackers to discover database credentials via an index.php/api/install/get_db_info request, a related issue to CVE-2023-42387.

7.5
2023-12-31 CVE-2021-46900 Sympa Use of a Broken or Risky Cryptographic Algorithm vulnerability in Sympa

Sympa before 6.2.62 relies on a cookie parameter for certain security objectives, but does not ensure that this parameter exists and has an unpredictable value.

7.5
2023-12-31 CVE-2023-52266 Hongliuliao Use After Free vulnerability in Hongliuliao Ehttp 1.0.6

ehttp 1.0.6 before 17405b9 has an epoll_socket.cpp read_func use-after-free.

7.5
2023-12-31 CVE-2023-52267 Hongliuliao Out-of-bounds Read vulnerability in Hongliuliao Ehttp 1.0.6

ehttp 1.0.6 before 17405b9 has a simple_log.cpp _log out-of-bounds-read during error logging for long strings.

7.5
2023-12-30 CVE-2023-50110 Testlink Unspecified vulnerability in Testlink

TestLink through 1.9.20 allows type juggling for authentication bypass because === is not used.

7.5
2023-12-29 CVE-2023-51527 Aipower Unspecified vulnerability in Aipower

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Senol Sahin AI Power: Complete AI Pack – Powered by GPT-4. This issue affects AI Power: Complete AI Pack – Powered by GPT-4: from n/a through 1.8.2.

7.5
2023-12-29 CVE-2023-51687 Implecode Unspecified vulnerability in Implecode Product Catalog Simple

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in impleCode Product Catalog Simple. This issue affects Product Catalog Simple: from n/a through 1.7.6.

7.5
2023-12-29 CVE-2023-51688 Implecode Unspecified vulnerability in Implecode Ecommerce Product Catalog

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in impleCode eCommerce Product Catalog Plugin for WordPress. This issue affects eCommerce Product Catalog Plugin for WordPress: from n/a through 3.3.26.

7.5
2023-12-29 CVE-2022-44589 Miniorange Unspecified vulnerability in Miniorange Google Authenticator

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in miniOrange miniOrange's Google Authenticator – WordPress Two Factor Authentication – 2FA, Two Factor, OTP SMS and Email | Passwordless login. This issue affects miniOrange's Google Authenticator – WordPress Two Factor Authentication – 2FA, Two Factor, OTP SMS and Email | Passwordless login: from n/a through 5.6.1.

7.5
2023-12-29 CVE-2023-4463 Poly Improper Resource Shutdown or Release vulnerability in Poly products

A vulnerability classified as problematic was found in Poly CCX 400, CCX 600, Trio 8800 and Trio C60.

7.5
2023-12-29 CVE-2023-31295 Sesami Improper Neutralization of Formula Elements in a CSV File vulnerability in Sesami Cash Point & Transport Optimizer 6.3.8.6.718

CSV Injection vulnerability in Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6 (#718), allows remote attackers to obtain sensitive information via the User Profile field.

7.5
2023-12-29 CVE-2023-31300 Sesami Cleartext Transmission of Sensitive Information vulnerability in Sesami Cash Point & Transport Optimizer 6.3.8.6.718

An issue was discovered in Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6 (#718), allows remote attackers to obtain sensitive information via transmission of unencrypted, cleartext credentials during Password Reset feature.

7.5
2023-12-29 CVE-2023-23427 Hihonor Improper Privilege Management vulnerability in Hihonor Magic OS

Some Honor products are affected by incorrect privilege assignment vulnerability, successful exploitation could cause device service exceptions.

7.5
2023-12-29 CVE-2023-23428 Hihonor Improper Privilege Management vulnerability in Hihonor Magic OS

Some Honor products are affected by incorrect privilege assignment vulnerability, successful exploitation could cause device service exceptions.

7.5
2023-12-29 CVE-2023-23429 Hihonor Improper Privilege Management vulnerability in Hihonor Magic OS

Some Honor products are affected by incorrect privilege assignment vulnerability, successful exploitation could cause device service exceptions.

7.5
2023-12-29 CVE-2023-23430 Hihonor Improper Privilege Management vulnerability in Hihonor Magichome

Some Honor products are affected by incorrect privilege assignment vulnerability, successful exploitation could cause device service exceptions.

7.5
2023-12-29 CVE-2023-31294 Sesami Improper Neutralization of Formula Elements in a CSV File vulnerability in Sesami Cash Point & Transport Optimizer 6.3.8.6.718

CSV Injection vulnerability in Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6 (#718), allows remote attackers to obtain sensitive information via the Delivery Name field.

7.5
2023-12-28 CVE-2023-52152 Cybergarage Out-of-bounds Read vulnerability in Cybergarage Mupnp for C

mupnp/net/uri.c in mUPnP for C through 3.0.2 has an out-of-bounds read and application crash because it lacks a certain host length recalculation.

7.5
2023-12-28 CVE-2022-36399 Boxystudio Unspecified vulnerability in Boxystudio Booked

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in BoxyStudio Booked - Appointment Booking for WordPress | Calendars. This issue affects Booked - Appointment Booking for WordPress | Calendars: from n/a before 2.4.4.

7.5
2023-12-28 CVE-2023-27447 Veronalabs Information Exposure vulnerability in Veronalabs WP SMS

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in VeronaLabs WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc. This issue affects WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc: from n/a through 6.0.4.

7.5
2023-12-28 CVE-2023-51006 Zhwnl Unspecified vulnerability in Zhwnl Chinese Perpetual Calendar 9.0.0

An issue in the openFile method of Chinese Perpetual Calendar v9.0.0 allows attackers to read any file via unspecified vectors.

7.5
2023-12-27 CVE-2023-49002 Xenomtechnologies Unspecified vulnerability in Xenomtechnologies Phone Dialer-Voice Call Dialer 1.2.5

An issue in Xenom Technologies (sinous) Phone Dialer-voice Call Dialer v.1.2.5 allows an attacker to bypass intended access restrictions via interaction with com.funprime.calldialer.ui.activities.OutgoingActivity.

7.5
2023-12-27 CVE-2023-51075 Hutool Infinite Loop vulnerability in Hutool 5.8.23

hutool-core v5.8.23 was discovered to contain an infinite loop in the StrSplitter.splitByRegex function.

7.5
2023-12-27 CVE-2023-51080 Hutool Out-of-bounds Write vulnerability in Hutool 5.8.23

The NumberUtil.toBigDecimal method in hutool-core v5.8.23 was discovered to contain a stack overflow.

7.5
2023-12-27 CVE-2023-52075 Revanced Improper Handling of Exceptional Conditions vulnerability in Revanced

ReVanced API proxies requests needed to feed the ReVanced Manager and website with data.

7.5
2023-12-27 CVE-2023-51665 Audiobookshelf Server-Side Request Forgery (SSRF) vulnerability in Audiobookshelf

Audiobookshelf is a self-hosted audiobook and podcast server.

7.5
2023-12-27 CVE-2023-51697 Audiobookshelf Server-Side Request Forgery (SSRF) vulnerability in Audiobookshelf

Audiobookshelf is a self-hosted audiobook and podcast server.

7.5
2023-12-27 CVE-2023-3171 Redhat Allocation of Resources Without Limits or Throttling vulnerability in Redhat Jboss Enterprise Application Platform 7.4

A flaw was found in EAP-7 during deserialization of certain classes, which permits instantiation of HashMap and HashTable with no checks on resources consumed.

7.5
2023-12-26 CVE-2023-52096 Steve Community SQL Injection vulnerability in Steve-Community Ocpp-Jaxb

SteVe Community ocpp-jaxb before 0.0.8 generates invalid timestamps such as ones with month 00 in certain situations (such as when an application receives a StartTransaction Open Charge Point Protocol message with a timestamp parameter of 1000000).

7.5
2023-12-26 CVE-2023-5203 Swit SQL Injection vulnerability in Swit WP Sessions Time Monitoring Full Automatic

The WP Sessions Time Monitoring Full Automatic WordPress plugin before 1.0.9 does not sanitize the request URL or query parameters before using them in an SQL query, allowing unauthenticated attackers to extract sensitive data from the database via blind time based SQL injection techniques, or in some cases an error/union based technique.

7.5
2023-12-26 CVE-2023-6114 Awesomemotive Files or Directories Accessible to External Parties vulnerability in Awesomemotive Duplicator

The Duplicator WordPress plugin before 1.5.7.1, Duplicator Pro WordPress plugin before 4.5.14.2 does not disallow listing the `backups-dup-lite/tmp` directory (or the `backups-dup-pro/tmp` directory in the Pro version), which temporarily stores files containing sensitive data.

7.5
2023-12-26 CVE-2023-6250 Bestwebsoft Cleartext Storage of Sensitive Information vulnerability in Bestwebsoft Like & Share

The BestWebSoft's Like & Share WordPress plugin before 2.74 discloses the content of password protected posts to unauthenticated users via a meta tag.

7.5
2023-12-26 CVE-2023-51103 Artifex Divide By Zero vulnerability in Artifex Mupdf 1.23.4

A floating point exception (divide-by-zero) vulnerability was discovered in mupdf 1.23.4 in function fz_new_pixmap_from_float_data() of pixmap.c.

7.5
2023-12-26 CVE-2023-51104 Artifex Divide By Zero vulnerability in Artifex Mupdf 1.23.4

A floating point exception (divide-by-zero) vulnerability was discovered in mupdf 1.23.4 in function pnm_binary_read_image() of load-pnm.c when span equals zero.

7.5
2023-12-26 CVE-2023-51105 Artifex Divide By Zero vulnerability in Artifex Mupdf 1.23.4

A floating point exception (divide-by-zero) vulnerability was discovered in mupdf 1.23.4 in function bmp_decompress_rle4() of load-bmp.c.

7.5
2023-12-26 CVE-2023-51106 Artifex Divide By Zero vulnerability in Artifex Mupdf 1.23.4

A floating point exception (divide-by-zero) vulnerability was discovered in mupdf 1.23.4 in function pnm_binary_read_image() of load-pnm.c when fz_colorspace_n returns zero.

7.5
2023-12-26 CVE-2023-51107 Artifex Divide By Zero vulnerability in Artifex Mupdf 1.23.4

A floating point exception (divide-by-zero) vulnerability was discovered in mupdf 1.23.4 in function compute_color() of jquant2.c.

7.5
2023-12-26 CVE-2023-50968 Apache Server-Side Request Forgery (SSRF) vulnerability in Apache Ofbiz

Arbitrary file properties reading vulnerability in Apache Software Foundation Apache OFBiz when user operates an uri call without authorizations. The same uri can be operated to realize a SSRF attack also without authorizations. Users are recommended to upgrade to version 18.12.11, which fixes this issue.

7.5
2023-12-26 CVE-2023-28616 Stormshield Cleartext Transmission of Sensitive Information vulnerability in Stormshield Network Security

An issue was discovered in Stormshield Network Security (SNS) before 4.3.17, 4.4.x through 4.6.x before 4.6.4, and 4.7.x before 4.7.1.

7.5
2023-12-25 CVE-2023-38321 Sierrawireless NULL Pointer Dereference vulnerability in Sierrawireless Aleos

OpenNDS, as used in Sierra Wireless ALEOS before 4.17.0.12 and other products, allows remote attackers to cause a denial of service (NULL pointer dereference, daemon crash, and Captive Portal outage) via a GET request to /opennds_auth/ that lacks a custom query string parameter and client-token.

7.5
2023-12-25 CVE-2023-37185 C Blosc2 Project NULL Pointer Dereference vulnerability in C-Blosc2 Project C-Blosc2

C-blosc2 before 2.9.3 was discovered to contain a NULL pointer dereference via the function zfp_prec_decompress at zfp/blosc2-zfp.c.

7.5
2023-12-25 CVE-2023-37186 C Blosc2 Project NULL Pointer Dereference vulnerability in C-Blosc2 Project C-Blosc2

C-blosc2 before 2.9.3 was discovered to contain a NULL pointer dereference in ndlz/ndlz8x8.c via a NULL pointer to memset.

7.5
2023-12-25 CVE-2023-37187 C Blosc2 Project NULL Pointer Dereference vulnerability in C-Blosc2 Project C-Blosc2

C-blosc2 before 2.9.3 was discovered to contain a NULL pointer dereference via the zfp/blosc2-zfp.c zfp_acc_decompress.

7.5
2023-12-25 CVE-2023-37188 C Blosc2 Project NULL Pointer Dereference vulnerability in C-Blosc2 Project C-Blosc2

C-blosc2 before 2.9.3 was discovered to contain a NULL pointer dereference via the function zfp_rate_decompress at zfp/blosc2-zfp.c.

7.5
2023-12-25 CVE-2023-47091 Stormshield Classic Buffer Overflow vulnerability in Stormshield Network Security

An issue was discovered in Stormshield Network Security (SNS) SNS 4.3.13 through 4.3.22 before 4.3.23, SNS 4.6.0 through 4.6.9 before 4.6.10, and SNS 4.7.0 through 4.7.1 before 4.7.2.

7.5
2023-12-25 CVE-2023-31289 Pexip Improper Input Validation vulnerability in Pexip Infinity

Pexip Infinity before 31.2 has Improper Input Validation for signalling, allowing remote attackers to trigger an abort.

7.5
2023-12-25 CVE-2023-31455 Pexip Improper Input Validation vulnerability in Pexip Infinity

Pexip Infinity before 31.2 has Improper Input Validation for RTCP, allowing remote attackers to trigger an abort.

7.5
2023-12-25 CVE-2023-49880 IBM Unspecified vulnerability in IBM Financial Transaction Manager 3.2.4

In the Message Entry and Repair (MER) facility of IBM Financial Transaction Manager for SWIFT Services 3.2.4 the sending address and the message type of FIN messages are assumed to be immutable.

7.5
2023-12-25 CVE-2023-7094 Netentsec Unspecified vulnerability in Netentsec Application Security Gateway 6.3

A vulnerability classified as problematic was found in Netentsec NS-ASG Application Security Gateway 6.3.

7.5
2023-12-29 CVE-2023-7104 Sqlite, Fedoraproject Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

A vulnerability was found in SQLite SQLite3 up to 3.43.0 and classified as critical.

7.3
2023-12-31 CVE-2023-51547 Wpmanageninja SQL Injection vulnerability in Wpmanageninja Fluent Support

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPManageNinja LLC Fluent Support – WordPress Helpdesk and Customer Support Ticket Plugin. This issue affects Fluent Support – WordPress Helpdesk and Customer Support Ticket Plugin: from n/a through 1.7.6.

7.2
2023-12-31 CVE-2023-52131 Wpzinc SQL Injection vulnerability in Wpzinc Page Generator

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Zinc Page Generator. This issue affects Page Generator: from n/a through 1.7.1.

7.2
2023-12-31 CVE-2023-52132 Wpadminify SQL Injection vulnerability in Wpadminify WP Adminify

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Jewel Theme WP Adminify. This issue affects WP Adminify: from n/a through 3.1.6.

7.2
2023-12-31 CVE-2023-52134 Geomywp SQL Injection vulnerability in Geomywp GEO MY Wordpress

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Eyal Fitoussi GEO my WordPress. This issue affects GEO my WordPress: from n/a through 4.0.2.

7.2
2023-12-30 CVE-2023-7181 Dedebiz Unrestricted Upload of File with Dangerous Type vulnerability in Dedebiz

A vulnerability was found in Muyun DedeBIZ up to 6.2.12 and classified as critical.

7.2
2023-12-30 CVE-2023-7178 Online College Library System Project SQL Injection vulnerability in Online College Library System Project Online College Library System 1.0

A vulnerability, which was classified as critical, has been found in Campcodes Online College Library System 1.0.

7.2
2023-12-30 CVE-2023-7172 Phpgurukul SQL Injection vulnerability in PHPgurukul Hospital Management System 1.0

A vulnerability, which was classified as critical, has been found in PHPGurukul Hospital Management System 1.0.

7.2
2023-12-29 CVE-2023-50837 Webfactoryltd SQL Injection vulnerability in Webfactoryltd WP Login Lockdown

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WebFactory Ltd Login Lockdown – Protect Login Form. This issue affects Login Lockdown – Protect Login Form: from n/a through 2.06.

7.2
2023-12-29 CVE-2023-52135 Westguardsolutions SQL Injection vulnerability in Westguardsolutions WS Form

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WS Form WS Form LITE – Drag & Drop Contact Form Builder for WordPress. This issue affects WS Form LITE – Drag & Drop Contact Form Builder for WordPress: from n/a through 1.9.170.

7.2
2023-12-29 CVE-2023-4464 Poly OS Command Injection vulnerability in Poly products

A vulnerability, which was classified as critical, has been found in Poly Trio 8300, Trio 8500, Trio 8800, Trio C60, CCX 350, CCX 400, CCX 500, CCX 505, CCX 600, CCX 700, EDGE E100, EDGE E220, EDGE E300, EDGE E320, EDGE E350, EDGE E400, EDGE E450, EDGE E500, EDGE E550, VVX 101, VVX 150, VVX 201, VVX 250, VVX 300, VVX 301, VVX 310, VVX 311, VVX 350, VVX 400, VVX 401, VVX 410, VVX 411, VVX 450, VVX 500, VVX 501, VVX 600 and VVX 601.

7.2
2023-12-29 CVE-2023-40606 Kanbanwp Code Injection vulnerability in Kanbanwp Kanban Boards for Wordpress

Improper Control of Generation of Code ('Code Injection') vulnerability in Kanban for WordPress Kanban Boards for WordPress. This issue affects Kanban Boards for WordPress: from n/a through 2.5.21.

7.2
2023-12-29 CVE-2023-45751 Posimyth Code Injection vulnerability in Posimyth Nexter Extension 2.0.3

Improper Control of Generation of Code ('Code Injection') vulnerability in POSIMYTH Nexter Extension. This issue affects Nexter Extension: from n/a through 2.0.3.

7.2
2023-12-28 CVE-2023-50838 Basixonline SQL Injection vulnerability in Basixonline Nex-Forms

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Basix NEX-Forms – Ultimate Form Builder – Contact forms and much more. This issue affects NEX-Forms – Ultimate Form Builder – Contact forms and much more: from n/a through 8.5.5.

7.2
2023-12-28 CVE-2023-50843 Mediaburst SQL Injection vulnerability in Mediaburst Clockwork SMS Notifications

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Clockwork Clockwork SMS Notifications. This issue affects Clockwork SMS Notifications: from n/a through 3.0.4.

7.2
2023-12-28 CVE-2023-50844 Jamesward SQL Injection vulnerability in Jamesward WP Mail Catcher

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in James Ward Mail logging – WP Mail Catcher. This issue affects Mail logging – WP Mail Catcher: from n/a through 2.1.3.

7.2
2023-12-28 CVE-2023-50845 Ayecode SQL Injection vulnerability in Ayecode Geodirectory

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AyeCode - WordPress Business Directory Plugins GeoDirectory – WordPress Business Directory Plugin, or Classified Directory. This issue affects GeoDirectory – WordPress Business Directory Plugin, or Classified Directory: from n/a through 2.3.28.

7.2
2023-12-28 CVE-2023-50846 Metagauss SQL Injection vulnerability in Metagauss Registrationmagic

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RegistrationMagic RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login. This issue affects RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login: from n/a through 5.2.4.5.

7.2
2023-12-28 CVE-2023-50847 Collne SQL Injection vulnerability in Collne Welcart E-Commerce

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Collne Inc.

7.2
2023-12-28 CVE-2023-50848 Ajexperience SQL Injection vulnerability in Ajexperience 404 Solution

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aaron J 404 Solution. This issue affects 404 Solution: from n/a through 2.34.0.

7.2
2023-12-28 CVE-2023-50849 E2Pdf SQL Injection vulnerability in E2Pdf

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in E2Pdf.Com E2Pdf – Export To Pdf Tool for WordPress. This issue affects E2Pdf – Export To Pdf Tool for WordPress: from n/a through 1.20.23.

7.2
2023-12-28 CVE-2023-50851 Nsqua SQL Injection vulnerability in Nsqua Simply Schedule Appointments

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in N Squared Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin. This issue affects Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin: from n/a before 1.6.6.1.

7.2
2023-12-28 CVE-2023-50852 Stylemixthemes SQL Injection vulnerability in Stylemixthemes Bookit

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in StylemixThemes Booking Calendar | Appointment Booking | BookIt. This issue affects Booking Calendar | Appointment Booking | BookIt: from n/a through 2.4.3.

7.2
2023-12-28 CVE-2023-50853 Advancedformintegration SQL Injection vulnerability in Advancedformintegration Advanced Form Integration

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Nasirahmed Advanced Form Integration – Connect WooCommerce and Contact Form 7 to Google Sheets and other platforms. This issue affects Advanced Form Integration – Connect WooCommerce and Contact Form 7 to Google Sheets and other platforms: from n/a through 1.75.0.

7.2
2023-12-28 CVE-2023-50854 Squirrly SQL Injection vulnerability in Squirrly SEO Plugin BY Squirrly SEO

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Squirrly Squirrly SEO - Advanced Pack. This issue affects Squirrly SEO - Advanced Pack: from n/a through 2.3.8.

7.2
2023-12-28 CVE-2023-50855 Samperrow SQL Injection vulnerability in Samperrow PRE Party Resource Hints

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Sam Perrow Pre* Party Resource Hints. This issue affects Pre* Party Resource Hints: from n/a through 1.8.18.

7.2
2023-12-28 CVE-2023-32795 Woocommerce Deserialization of Untrusted Data vulnerability in Woocommerce Product Addons

Deserialization of Untrusted Data vulnerability in WooCommerce Product Add-Ons. This issue affects Product Add-Ons: from n/a through 6.1.3.

7.2
2023-12-28 CVE-2023-50856 Funnelkit SQL Injection vulnerability in Funnelkit Funnel Builder

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in FunnelKit Funnel Builder for WordPress by FunnelKit – Customize WooCommerce Checkout Pages, Create Sales Funnels & Maximize Profits. This issue affects Funnel Builder for WordPress by FunnelKit – Customize WooCommerce Checkout Pages, Create Sales Funnels & Maximize Profits: from n/a through 2.14.3.

7.2
2023-12-28 CVE-2023-50857 Funnelkit SQL Injection vulnerability in Funnelkit Automations

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in FunnelKit Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit. This issue affects Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit: from n/a through 2.6.1.

7.2
2023-12-26 CVE-2023-5939 Rtcamp Unspecified vulnerability in Rtcamp Rtmedia

The rtMedia for WordPress, BuddyPress and bbPress WordPress plugin before 4.6.16 loads the contents of the import file in an unsafe manner, leading to remote code execution by privileged users.

7.2
2023-12-25 CVE-2023-36485 Ilias Unspecified vulnerability in Ilias

The workflow-engine of ILIAS before 7.23 and 8 before 8.3 allows remote authenticated users to run arbitrary system commands on the application server as the application user via a malicious BPMN2 workflow definition file.

7.2
2023-12-25 CVE-2023-36486 Ilias Unspecified vulnerability in Ilias

The workflow-engine of ILIAS before 7.23 and 8 before 8.3 allows remote authenticated users to run arbitrary system commands on the application server as the application user by uploading a workflow definition file with a malicious filename.

7.2
2023-12-25 CVE-2023-49226 Peplink Command Injection vulnerability in Peplink Balance TWO Firmware 8.1.0

An issue was discovered in Peplink Balance Two before 8.4.0.

7.2
2023-12-25 CVE-2023-49328 Wolterskluwer Injection vulnerability in Wolterskluwer B.Point 23.70.00

On a Wolters Kluwer B.POINT 23.70.00 server running Linux on premises, during the authentication phase, a validated system user can achieve remote code execution via Argument Injection in the server-to-server module.

7.2
2023-12-29 CVE-2023-23442 Hihonor Type Confusion vulnerability in Hihonor Magic OS

Some Honor products are affected by a type confusion vulnerability; successful exploitation could cause an information leak.

7.1
2023-12-29 CVE-2023-23443 Hihonor Type Confusion vulnerability in Hihonor Magic OS

Some Honor products are affected by a type confusion vulnerability; successful exploitation could cause an information leak.

7.1
2023-12-29 CVE-2023-51426 Hihonor Type Confusion vulnerability in Hihonor Magic OS

Some Honor products are affected by a type confusion vulnerability; successful exploitation could cause an information leak.

7.1
2023-12-29 CVE-2023-51427 Hihonor Type Confusion vulnerability in Hihonor Magic OS

Some Honor products are affected by a type confusion vulnerability; successful exploitation could cause an information leak.

7.1
2023-12-29 CVE-2023-51428 Hihonor Type Confusion vulnerability in Hihonor Magic OS

Some Honor products are affected by a type confusion vulnerability; successful exploitation could cause an information leak.

7.1
2023-12-29 CVE-2023-51435 Hihonor Improper Privilege Management vulnerability in Hihonor Magic UI

Some Honor products are affected by an incorrect privilege assignment vulnerability; successful exploitation could cause an information leak.

7.1
2023-12-29 CVE-2023-23431 Hihonor Improper Verification of Cryptographic Signature vulnerability in Hihonor Nth-An00 Firmware

Some Honor products are affected by a signature management vulnerability; successful exploitation could cause a forged system file to overwrite the correct system file.

7.1
2023-12-29 CVE-2023-23432 Hihonor Improper Verification of Cryptographic Signature vulnerability in Hihonor Nth-An00 Firmware

Some Honor products are affected by a signature management vulnerability; successful exploitation could cause a forged system file to overwrite the correct system file.

7.1
2023-12-29 CVE-2023-23433 Hihonor Improper Verification of Cryptographic Signature vulnerability in Hihonor Nth-An00 Firmware

Some Honor products are affected by a signature management vulnerability; successful exploitation could cause a forged system file to overwrite the correct system file.

7.1
2023-12-29 CVE-2023-23435 Hihonor Improper Verification of Cryptographic Signature vulnerability in Hihonor Magic OS

Some Honor products are affected by a signature management vulnerability; successful exploitation could cause a forged system file to overwrite the correct system file.

7.1
2023-12-29 CVE-2023-23436 Hihonor Improper Verification of Cryptographic Signature vulnerability in Hihonor Magic OS

Some Honor products are affected by a signature management vulnerability; successful exploitation could cause a forged system file to overwrite the correct system file.

7.1
2023-12-27 CVE-2023-47882 Kamivision Unspecified vulnerability in Kamivision YI IOT 4.1.920231127

The Kami Vision YI IoT com.yunyi.smartcamera application through 4.1.9_20231127 for Android allows a remote attacker to execute arbitrary JavaScript code via an implicit intent to the com.ants360.yicamera.activity.WebViewActivity component.

7.1

160 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2023-12-26 CVE-2023-45741 Buffalo OS Command Injection vulnerability in Buffalo Vr-S1000 Firmware

VR-S1000 firmware Ver.

6.8
2023-12-25 CVE-2023-49944 Beyondtrust Unspecified vulnerability in Beyondtrust Privilege Management for Windows

The Challenge Response feature of BeyondTrust Privilege Management for Windows (PMfW) before 2023-07-14 allows local administrators to bypass this feature by decrypting the shared key, or by locating the decrypted shared key in process memory.

6.7
2023-12-29 CVE-2023-4467 Poly Hidden Functionality vulnerability in Poly Trio 8800 Firmware 7.2.6.0019

A vulnerability was found in Poly Trio 8800 7.2.6.0019 and classified as critical.

6.6
2023-12-29 CVE-2023-51676 Wedevs Server-Side Request Forgery (SSRF) vulnerability in Wedevs Happy Addons for Elementor

Server-Side Request Forgery (SSRF) vulnerability in Leevio Happy Addons for Elementor. This issue affects Happy Addons for Elementor: from n/a through 3.9.1.1.

6.5
2023-12-29 CVE-2023-4465 Poly Unverified Password Change vulnerability in Poly products

A vulnerability, which was classified as problematic, was found in Poly Trio 8300, Trio 8500, Trio 8800, Trio C60, CCX 350, CCX 400, CCX 500, CCX 505, CCX 600, CCX 700, EDGE E100, EDGE E220, EDGE E300, EDGE E320, EDGE E350, EDGE E400, EDGE E450, EDGE E500, EDGE E550, VVX 101, VVX 150, VVX 201, VVX 250, VVX 300, VVX 301, VVX 310, VVX 311, VVX 350, VVX 400, VVX 401, VVX 410, VVX 411, VVX 450, VVX 500, VVX 501, VVX 600 and VVX 601.

6.5
2023-12-28 CVE-2023-50448 Activeadmin Improper Neutralization of Formula Elements in a CSV File vulnerability in Activeadmin

In ActiveAdmin (aka Active Admin) before 2.12.0, a concurrency issue allows a malicious actor to access potentially private data (that belongs to another user) by making CSV export requests at certain specific times.

6.5
2023-12-28 CVE-2023-52079 Kriszyp Uncontrolled Recursion vulnerability in Kriszyp Msgpackr

msgpackr is a fast MessagePack NodeJS/JavaScript implementation.

6.5
2023-12-28 CVE-2023-45701 Hcltechsw Information Exposure Through an Error Message vulnerability in Hcltechsw HCL Launch

HCL Launch could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser.

6.5
2023-12-28 CVE-2023-34829 TP Link Cleartext Transmission of Sensitive Information vulnerability in Tp-Link Tapo 2.11.44/2.8.14

Incorrect access control in TP-Link Tapo before v3.1.315 allows attackers to access user credentials in plaintext.

6.5
2023-12-26 CVE-2023-5672 Wpvibes Path Traversal vulnerability in Wpvibes WP Mail LOG

The WP Mail Log WordPress plugin before 1.1.3 does not properly validate file path parameters when attaching files to emails, leading to local file inclusion, and allowing an attacker to leak the contents of arbitrary files.

6.5
2023-12-26 CVE-2023-50294 Weseek Cleartext Storage of Sensitive Information vulnerability in Weseek Growi

The App Settings (/admin/app) page in GROWI versions prior to v6.0.6 stores sensitive information in cleartext form.

6.5
2023-12-26 CVE-2023-50332 Weseek Unspecified vulnerability in Weseek Growi

Improper authorization vulnerability exists in the User Management (/admin/users) page of GROWI versions prior to v6.0.6.

6.5
2023-12-26 CVE-2023-51363 Buffalo Unspecified vulnerability in Buffalo Vr-S1000 Firmware

VR-S1000 firmware Ver.

6.5
2023-12-25 CVE-2022-39820 Nokia Insufficiently Protected Credentials vulnerability in Nokia Network Functions Manager for Transport 19.9

In Network Element Manager in NOKIA NFM-T R19.9, an Unprotected Storage of Credentials vulnerability occurs under /root/RestUploadManager.xml.DRC and /DEPOT/KECustom_199/OTNE_DRC/RestUploadManager.xml.

6.5
2023-12-25 CVE-2022-41760 Nokia Path Traversal vulnerability in Nokia Network Functions Manager for Transport 19.9

An issue was discovered in NOKIA NFM-T R19.9.

6.5
2023-12-25 CVE-2022-41761 Nokia Path Traversal vulnerability in Nokia Network Functions Manager for Transport 19.9

An issue was discovered in NOKIA NFM-T R19.9.

6.5
2023-12-28 CVE-2023-49228 Peplink Use of Hard-coded Credentials vulnerability in Peplink Balance TWO Firmware 8.1.0

An issue was discovered in Peplink Balance Two before 8.4.0.

6.4
2023-12-27 CVE-2023-46919 Fedirtsapana Use of Hard-coded Credentials vulnerability in Fedirtsapana Simple Http Server and Simple Http Server Plus

Phlox com.phlox.simpleserver (aka Simple HTTP Server) 1.8 and com.phlox.simpleserver.plus (aka Simple HTTP Server PLUS) 1.8.1-plus have a hardcoded aKySWb2jjrr4dzkYXczKRt7K encryption key.

6.3
2023-12-31 CVE-2023-6093 Moxa Improper Restriction of Rendered UI Layers or Frames vulnerability in Moxa Oncell G3150A-Lte Firmware

A clickjacking vulnerability has been identified in OnCell G3150A-LTE Series firmware versions v1.3 and prior.

6.1
2023-12-30 CVE-2023-52264 Thirtybees Cross-site Scripting vulnerability in Thirtybees Bees Blog

The beesblog (aka Bees Blog) component before 1.6.2 for thirty bees allows Reflected XSS because controllers/front/post.php sharing_url is mishandled.

6.1
2023-12-30 CVE-2023-52263 Brave Open Redirect vulnerability in Brave Browser

Brave Browser before 1.59.40 does not properly restrict the schema for WebUI factory and redirect.

6.1
2023-12-30 CVE-2023-52257 Logobee Cross-site Scripting vulnerability in Logobee 0.2

LogoBee 0.2 allows updates.php?id= XSS.

6.1
2023-12-29 CVE-2023-52240 Kantega SSO Cross-site Scripting vulnerability in Kantega-Sso Kantega Saml SSO Oidc Kerberos Single Sign-On

The Kantega SAML SSO OIDC Kerberos Single Sign-on apps before 6.20.0 for Atlassian products allow XSS if SAML POST Binding is enabled.

6.1
2023-12-29 CVE-2023-50069 Wiremock Cross-site Scripting vulnerability in Wiremock 3.0.4

WireMock with GUI versions 3.2.0.0 through 3.0.4.0 are vulnerable to stored cross-site scripting (SXSS) through the recording feature.

6.1
2023-12-29 CVE-2023-7113 Mattermost Cross-site Scripting vulnerability in Mattermost Server

Mattermost version 8.1.6 and earlier fails to sanitize channel mention data in posts, which allows an attacker to inject markup in the web client.

6.1
2023-12-29 CVE-2023-41813 Pandorafms Cross-site Scripting vulnerability in Pandorafms Pandora FMS

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pandora FMS on all allows Cross-Site Scripting (XSS). Allows you to edit the Web Console user notification options. This issue affects Pandora FMS: from 700 through 774.

6.1
2023-12-29 CVE-2023-41814 Pandorafms Cross-site Scripting vulnerability in Pandorafms Pandora FMS

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pandora FMS on all allows Cross-Site Scripting (XSS).

6.1
2023-12-29 CVE-2023-41815 Pandorafms Cross-site Scripting vulnerability in Pandorafms Pandora FMS

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pandora FMS on all allows Cross-Site Scripting (XSS). Malicious code could be executed in the File Manager section. This issue affects Pandora FMS: from 700 through 774.

6.1
2023-12-29 CVE-2023-44089 Pandorafms Cross-site Scripting vulnerability in Pandorafms Pandora FMS

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pandora FMS on all allows Cross-Site Scripting (XSS). It was possible to execute malicious JS code on Visual Consoles. This issue affects Pandora FMS: from 700 through 774.

6.1
2023-12-29 CVE-2023-50892 Codex Themes Cross-site Scripting vulnerability in Codex-Themes Thegem

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodexThemes TheGem - Creative Multi-Purpose & WooCommerce WordPress Theme allows Reflected XSS. This issue affects TheGem - Creative Multi-Purpose & WooCommerce WordPress Theme: from n/a through 5.9.1.

6.1
2023-12-29 CVE-2023-50893 Upsolution Cross-site Scripting vulnerability in Upsolution Impreza

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in UpSolution Impreza – WordPress Website and WooCommerce Builder allows Reflected XSS. This issue affects Impreza – WordPress Website and WooCommerce Builder: from n/a through 8.17.4.

6.1
2023-12-29 CVE-2023-50901 Hasthemes Cross-site Scripting vulnerability in Hasthemes HT Mega - Absolute Addons for Elementor Page Builder

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HasThemes HT Mega – Absolute Addons For Elementor allows Reflected XSS. This issue affects HT Mega – Absolute Addons For Elementor: from n/a through 2.3.8.

6.1
2023-12-29 CVE-2023-51373 Nakunakifi Cross-site Scripting vulnerability in Nakunakifi Google Photos Gallery With Shortcodes

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ian Kennerley Google Photos Gallery with Shortcodes allows Reflected XSS. This issue affects Google Photos Gallery with Shortcodes: from n/a through 4.0.2.

6.1
2023-12-29 CVE-2023-28786 Solidwp Open Redirect vulnerability in Solidwp Solid Security

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in SolidWP Solid Security – Password, Two Factor Authentication, and Brute Force Protection. This issue affects Solid Security – Password, Two Factor Authentication, and Brute Force Protection: from n/a through 8.1.4.

6.1
2023-12-29 CVE-2023-31095 Crmperks Open Redirect vulnerability in Crmperks Database for Contact Form 7, Wpforms, Elementor Forms

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in CRM Perks Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms. This issue affects Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms: from n/a through 1.2.8.

6.1
2023-12-29 CVE-2023-31229 Wpdirectorykit Open Redirect vulnerability in Wpdirectorykit WP Directory KIT

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in WP Directory Kit. This issue affects WP Directory Kit: from n/a through 1.1.9.

6.1
2023-12-29 CVE-2023-31237 Zephyr Project Manager Project Open Redirect vulnerability in Zephyr Project Manager Project Zephyr Project Manager

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Dylan James Zephyr Project Manager. This issue affects Zephyr Project Manager: from n/a through 3.3.9.

6.1
2023-12-29 CVE-2023-32101 Pexlechris Open Redirect vulnerability in Pexlechris Library Viewer

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Pexle Chris Library Viewer. This issue affects Library Viewer: from n/a through 2.0.6.

6.1
2023-12-29 CVE-2023-32517 Ibericode Open Redirect vulnerability in Ibericode Mailchimp

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in PluginOps MailChimp Subscribe Form, Optin Builder, PopUp Builder, Form Builder. This issue affects MailChimp Subscribe Form, Optin Builder, PopUp Builder, Form Builder: from n/a through 4.0.9.3.

6.1
2023-12-29 CVE-2023-7160 Janobe Cross-site Scripting vulnerability in Janobe Engineers Online Portal 1.0

A vulnerability was found in SourceCodester Engineers Online Portal 1.0.

6.1
2023-12-29 CVE-2023-31302 Sesami Cross-site Scripting vulnerability in Sesami Cash Point & Transport Optimizer 6.3.8.6.718

Cross Site Scripting (XSS) vulnerability in Sesami Cash Point & Transport Optimizer (CPTO) 6.3.8.6 (#718), allows remote attackers to execute arbitrary code via the Teller field.

6.1
2023-12-29 CVE-2023-31299 Sesami Cross-site Scripting vulnerability in Sesami Cash Point & Transport Optimizer 6.3.8.6.718

Cross Site Scripting (XSS) vulnerability in Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6 (#718), allows remote attackers to execute arbitrary code via the Barcode field of a container.

6.1
2023-12-29 CVE-2023-7149 Code Projects Cross-site Scripting vulnerability in Code-Projects QR Code Generator 1.0

A vulnerability was found in code-projects QR Code Generator 1.0.

6.1
2023-12-29 CVE-2023-31301 Sesami Cross-site Scripting vulnerability in Sesami Cash Point & Transport Optimizer 6.3.8.6.718

Stored Cross Site Scripting (XSS) Vulnerability in Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6 (#718), allows remote attackers to execute arbitrary code and obtain sensitive information via the Username field of the login form and application log.

6.1
2023-12-28 CVE-2023-7133 Ruoyi Cross-site Scripting vulnerability in Ruoyi 4.7.8

A vulnerability was found in y_project RuoYi 4.7.8.

6.1
2023-12-28 CVE-2023-4672 Talentyazilim Cross-site Scripting vulnerability in Talentyazilim Ecop 32255

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Talent Software ECOP allows Reflected XSS. This issue affects ECOP: before 32255.

6.1
2023-12-28 CVE-2023-51501 Undsgn Cross-site Scripting vulnerability in Undsgn Uncode

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Undsgn Uncode - Creative & WooCommerce WordPress Theme allows Reflected XSS. This issue affects Uncode - Creative & WooCommerce WordPress Theme: from n/a through 2.8.6.

6.1
2023-12-28 CVE-2023-49469 Shaarli Project Cross-site Scripting vulnerability in Shaarli Project Shaarli 0.12.2

Reflected Cross Site Scripting (XSS) vulnerability in Shaarli v0.12.2, allows remote attackers to execute arbitrary code via search tag function.

6.1
2023-12-28 CVE-2023-7124 Fabianros Cross-site Scripting vulnerability in Fabianros E-Commerce Site 1.0

A vulnerability, which was classified as problematic, was found in code-projects E-Commerce Site 1.0.

6.1
2023-12-26 CVE-2023-48003 Aspnetzero Open Redirect vulnerability in Aspnetzero Asp.Net Zero

An open redirect through HTML injection in user messages in Asp.Net Zero before 12.3.0 allows remote attackers to redirect targeted victims to any URL via the '<meta http-equiv="refresh"' in the WebSocket messages.

6.1
2023-12-26 CVE-2023-49438 Flask Security TOO Project Open Redirect vulnerability in Flask-Security-Too Project Flask-Security-Too

An open redirect vulnerability in the python package Flask-Security-Too <=5.3.2 allows attackers to redirect unsuspecting users to malicious sites via a crafted URL by abusing the ?next parameter on the /login and /register routes.

6.1
2023-12-26 CVE-2023-6166 AYS PRO Cross-site Scripting vulnerability in Ays-Pro Quiz Maker

The Quiz Maker WordPress plugin before 6.4.9.5 does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting.

6.1
2023-12-26 CVE-2023-6268 Json Content Importer Cross-site Scripting vulnerability in Json-Content-Importer Json Content Importer

The JSON Content Importer WordPress plugin before 1.5.4 does not sanitise and escape the tab parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

6.1
2023-12-26 CVE-2015-10127 Bestwebsoft Cross-site Scripting vulnerability in Bestwebsoft Pluscaptcha

A vulnerability was found in PlusCaptcha Plugin up to 2.0.6 on WordPress and classified as problematic.

6.1
2023-12-26 CVE-2014-125109 Bestwebsoft Cross-site Scripting vulnerability in Bestwebsoft Portfolio

A vulnerability was found in BestWebSoft Portfolio Plugin up to 2.27.

6.1
2023-12-26 CVE-2023-50297 Alfasado Open Redirect vulnerability in Alfasado Powercms

Open redirect vulnerability in PowerCMS (6 Series, 5 Series, and 4 Series) allows a remote unauthenticated attacker to redirect users to arbitrary web sites via a specially crafted URL.

6.1
2023-12-25 CVE-2023-38826 Follettlearning Cross-site Scripting vulnerability in Follettlearning Solutions Destiny

A Cross Site Scripting (XSS) vulnerability exists in Follett Learning Solutions Destiny through 20.0_1U.

6.1
2023-12-25 CVE-2022-41762 Nokia Cross-site Scripting vulnerability in Nokia Network Functions Manager for Transport 19.9

An issue was discovered in NOKIA NFM-T R19.9.

6.1
2023-12-25 CVE-2022-43675 Nokia Cross-site Scripting vulnerability in Nokia Network Functions Manager for Transport 19.9

An issue was discovered in NOKIA NFM-T R19.9.

6.1
2023-12-25 CVE-2023-37225 Pexip Cross-site Scripting vulnerability in Pexip Infinity

Pexip Infinity before 32 allows Webapp1 XSS via preconfigured links.

6.1
2023-12-25 CVE-2021-38927 IBM Cross-site Scripting vulnerability in IBM Aspera Console 3.4.0/3.4.1/3.4.2

IBM Aspera Console 3.4.0 is vulnerable to cross-site scripting.

6.1
2023-12-29 CVE-2023-4462 Poly Use of Insufficiently Random Values vulnerability in Poly products

A vulnerability classified as problematic has been found in Poly Trio 8300, Trio 8500, Trio 8800, Trio C60, CCX 350, CCX 400, CCX 500, CCX 505, CCX 600, CCX 700, EDGE E100, EDGE E220, EDGE E300, EDGE E320, EDGE E350, EDGE E400, EDGE E450, EDGE E500, EDGE E550, VVX 101, VVX 150, VVX 201, VVX 250, VVX 300, VVX 301, VVX 310, VVX 311, VVX 350, VVX 400, VVX 401, VVX 410, VVX 411, VVX 450, VVX 500, VVX 501, VVX 600 and VVX 601.

5.9
2023-12-27 CVE-2023-51443 Freeswitch Improper Check or Handling of Exceptional Conditions vulnerability in Freeswitch

FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware.

5.9
2023-12-29 CVE-2023-7079 Cloudflare Improper Authentication vulnerability in Cloudflare Wrangler

Sending specially crafted HTTP requests and inspector messages to Wrangler's dev server could result in any file on the user's computer being accessible over the local network.

5.7
2023-12-31 CVE-2023-52284 Bytecodealliance Double Free vulnerability in Bytecodealliance Webassembly Micro Runtime 1.2.3

Bytecode Alliance wasm-micro-runtime (aka WebAssembly Micro Runtime or WAMR) before 1.3.0 can have a "double free or corruption" error for a valid WebAssembly module because push_pop_frame_ref_offset is mishandled.

5.5
2023-12-30 CVE-2022-46486 Scontain Release of Invalid Pointer or Reference vulnerability in Scontain Scone

A lack of pointer-validation logic in the __scone_dispatch component of SCONE before v5.8.0 for Intel SGX allows attackers to access sensitive information.

5.5
2023-12-30 CVE-2023-38021 Fortanix Unspecified vulnerability in Fortanix Confidential Computing Manager 3.29

An issue was discovered in Fortanix EnclaveOS Confidential Computing Manager (CCM) Platform before 3.32 for Intel SGX.

5.5
2023-12-30 CVE-2023-38022 Fortanix Unspecified vulnerability in Fortanix Confidential Computing Manager

An issue was discovered in Fortanix EnclaveOS Confidential Computing Manager (CCM) Platform before 3.29 for Intel SGX.

5.5
2023-12-30 CVE-2023-38023 Scontain Unspecified vulnerability in Scontain Scone

An issue was discovered in SCONE Confidential Computing Platform before 5.8.0 for Intel SGX.

5.5
2023-12-30 CVE-2023-50559 Openxiangshan Unspecified vulnerability in Openxiangshan Xiangshan 2.1

An issue was discovered in XiangShan v2.1, allows local attackers to obtain sensitive information via the L1D cache.

5.5
2023-12-29 CVE-2023-50570 Seancfoley Infinite Loop vulnerability in Seancfoley Ipaddress 5.1.0

An issue in the component IPAddressBitsDivision of IPAddress v5.1.0 leads to an infinite loop.

5.5
2023-12-29 CVE-2023-50572 Jline Out-of-bounds Write vulnerability in Jline 3.24.1

An issue in the component GroovyEngine.execute of jline-groovy v3.24.1 allows attackers to cause an OOM (OutofMemory) error.

5.5
2023-12-29 CVE-2023-23441 Hihonor Out-of-bounds Read vulnerability in Hihonor Magic UI

Some Honor products are affected by out of bounds read vulnerability, successful exploitation could cause information leak.

5.5
2023-12-29 CVE-2023-51429 Hihonor Improper Privilege Management vulnerability in Hihonor Magic OS

Some Honor products are affected by incorrect privilege assignment vulnerability, successful exploitation could cause information leak.

5.5
2023-12-29 CVE-2023-51430 Hihonor Improper Privilege Management vulnerability in Hihonor Magic UI

Some Honor products are affected by incorrect privilege assignment vulnerability, successful exploitation could cause information leak.

5.5
2023-12-29 CVE-2023-51431 Hihonor Unspecified vulnerability in Hihonor Phoneservice

Some Honor products are affected by incorrect privilege assignment vulnerability, successful exploitation could cause device service exceptions.

5.5
2023-12-29 CVE-2023-51432 Hihonor Out-of-bounds Read vulnerability in Hihonor Magic UI

Some Honor products are affected by out of bounds read vulnerability, successful exploitation could cause information leak.

5.5
2023-12-29 CVE-2023-51433 Hihonor Improper Privilege Management vulnerability in Hihonor Magic UI

Some Honor products are affected by incorrect privilege assignment vulnerability, successful exploitation could cause information leak.

5.5
2023-12-29 CVE-2023-6939 Hihonor Type Confusion vulnerability in Hihonor Magic UI

Some Honor products are affected by type confusion vulnerability, successful exploitation could cause denial of service.

5.5
2023-12-29 CVE-2023-23426 Hihonor Unspecified vulnerability in Hihonor Fri-An00 Firmware

Some Honor products are affected by file writing vulnerability, successful exploitation could cause information disclosure.

5.5
2023-12-29 CVE-2023-23437 Hihonor Unspecified vulnerability in Hihonor Vmall

Some Honor products are affected by information leak vulnerability, successful exploitation could cause the information leak.

5.5
2023-12-29 CVE-2023-23438 Hihonor Improper Privilege Management vulnerability in Hihonor Lge-An00 Firmware

Some Honor products are affected by incorrect privilege assignment vulnerability, successful exploitation could cause device service exceptions.

5.5
2023-12-29 CVE-2023-23439 Hihonor Unspecified vulnerability in Hihonor Lge-An00 Firmware

Some Honor products are affected by information leak vulnerability, successful exploitation could cause the information leak.

5.5
2023-12-29 CVE-2023-23440 Hihonor Unspecified vulnerability in Hihonor Lge-An00 Firmware

Some Honor products are affected by information leak vulnerability, successful exploitation could cause the information leak.

5.5
2023-12-29 CVE-2023-23434 Hihonor Unspecified vulnerability in Hihonor Honorboardapp

Some Honor products are affected by information leak vulnerability, successful exploitation could cause the information leak.

5.5
2023-12-29 CVE-2023-31292 Sesami Improper Authentication vulnerability in Sesami Cash Point & Transport Optimizer 6.3.8.6.718

An issue was discovered in Sesami Cash Point & Transport Optimizer (CPTO) 6.3.8.6 (#718), allows local attackers to obtain sensitive information and bypass authentication via "Back Button Refresh" attack.

5.5
2023-12-28 CVE-2023-45702 Hcltechsw Unspecified vulnerability in Hcltechsw HCL Launch

An HCL UrbanCode Deploy Agent installed as a Windows service in a non-standard location could be subject to a denial of service attack by local accounts.

5.5
2023-12-27 CVE-2023-4641 Shadow Maint, Redhat Improper Authentication vulnerability in multiple products

A flaw was found in shadow-utils.

5.5
2023-12-26 CVE-2023-51654 Brother Link Following vulnerability in Brother Iprint&Scan

Improper link resolution before file access ('Link Following') issue exists in iPrint&Scan Desktop for Windows versions 11.0.0 and earlier.

5.5
2023-12-30 CVE-2023-52265 Idurar Project Cross-site Scripting vulnerability in Idurar Project Idurar 1.0.0/2.0.0/2.0.1

IDURAR (aka idurar-erp-crm) through 2.0.1 allows stored XSS via a PATCH request with a crafted JSON email template in the /api/email/update data.

5.4
2023-12-30 CVE-2023-50550 Layui Cross-site Scripting vulnerability in Layui

layui up to v2.74 was discovered to contain a cross-site scripting (XSS) vulnerability via the data-content parameter.

5.4
2023-12-30 CVE-2023-7173 Phpgurukul Cross-site Scripting vulnerability in PHPgurukul Hospital Management System 1.0

A vulnerability, which was classified as problematic, was found in PHPGurukul Hospital Management System 1.0.

5.4
2023-12-29 CVE-2023-51517 Codepeople Open Redirect vulnerability in Codepeople Calculated Fields Form

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in CodePeople Calculated Fields Form. This issue affects Calculated Fields Form: from n/a through 1.2.28.

5.4
2023-12-29 CVE-2023-51675 Vasyltech Open Redirect vulnerability in Vasyltech Advanced Access Manager

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in AAM Advanced Access Manager – Restricted Content, Users & Roles, Enhanced Security and More. This issue affects Advanced Access Manager – Restricted Content, Users & Roles, Enhanced Security and More: from n/a through 6.9.18.

5.4
2023-12-29 CVE-2023-50879 Automattic Cross-site Scripting vulnerability in Automattic Wordpress.Com Editing Toolkit

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic WordPress.Com Editing Toolkit allows Stored XSS. This issue affects WordPress.Com Editing Toolkit: from n/a through 3.78784.

5.4
2023-12-29 CVE-2023-50880 Buddypress Cross-site Scripting vulnerability in Buddypress

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in The BuddyPress Community BuddyPress allows Stored XSS. This issue affects BuddyPress: from n/a through 11.3.1.

5.4
2023-12-29 CVE-2023-50881 Vasyltech Cross-site Scripting vulnerability in Vasyltech Advanced Access Manager

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AAM Advanced Access Manager – Restricted Content, Users & Roles, Enhanced Security and More allows Stored XSS. This issue affects Advanced Access Manager – Restricted Content, Users & Roles, Enhanced Security and More: from n/a through 6.9.15.

5.4
2023-12-29 CVE-2023-50889 Fastlinemedia Cross-site Scripting vulnerability in Fastlinemedia Beaver Builder

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in The Beaver Builder Team Beaver Builder – WordPress Page Builder allows Stored XSS. This issue affects Beaver Builder – WordPress Page Builder: from n/a through 2.7.2.

5.4
2023-12-29 CVE-2023-50891 Zohocorp Cross-site Scripting vulnerability in Zohocorp Zoho Forms

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zoho Forms Form plugin for WordPress – Zoho Forms allows Stored XSS. This issue affects Form plugin for WordPress – Zoho Forms: from n/a through 3.0.1.

5.4
2023-12-29 CVE-2023-51396 Brizy Cross-site Scripting vulnerability in Brizy Brizy-Page Builder

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brizy.Io Brizy – Page Builder allows Stored XSS. This issue affects Brizy – Page Builder: from n/a through 2.4.29.

5.4
2023-12-29 CVE-2023-51397 Brainstormforce Cross-site Scripting vulnerability in Brainstormforce WP Remote Site Search

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brainstorm Force WP Remote Site Search allows Stored XSS. This issue affects WP Remote Site Search: from n/a through 1.0.4.

5.4
2023-12-29 CVE-2023-51399 Wpfactory Cross-site Scripting vulnerability in Wpfactory Back Button Widget

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Back Button Widget allows Stored XSS. This issue affects Back Button Widget: from n/a through 1.6.3.

5.4
2023-12-29 CVE-2023-51541 Urosevic Cross-site Scripting vulnerability in Urosevic Stock Ticker

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Aleksandar Uroševic Stock Ticker allows Stored XSS. This issue affects Stock Ticker: from n/a through 3.23.4.

5.4
2023-12-29 CVE-2023-7166 Xxyopen Cross-site Scripting vulnerability in Xxyopen Novel-Plus

A vulnerability classified as problematic has been found in Novel-Plus up to 4.2.0.

5.4
2023-12-29 CVE-2023-52085 Wintercms Path Traversal vulnerability in Wintercms Winter

Winter is a free, open-source content management system.

5.4
2023-12-28 CVE-2023-52084 Wintercms Cross-site Scripting vulnerability in Wintercms Winter

Winter is a free, open-source content management system.

5.4
2023-12-28 CVE-2023-7135 Code Projects Cross-site Scripting vulnerability in Code-Projects Record Management System 1.0

A vulnerability classified as problematic has been found in code-projects Record Management System 1.0.

5.4
2023-12-28 CVE-2023-7136 Code Projects Cross-site Scripting vulnerability in Code-Projects Record Management System 1.0

A vulnerability classified as problematic was found in code-projects Record Management System 1.0.

5.4
2023-12-28 CVE-2023-7132 Carmelogarcia Cross-site Scripting vulnerability in Carmelogarcia Intern Membership Management System 2.0

A vulnerability was found in code-projects Intern Membership Management System 2.0.

5.4
2023-12-28 CVE-2023-50470 Seacms Cross-site Scripting vulnerability in Seacms 12.8

A cross-site scripting (XSS) vulnerability in the component admin_ Video.php of SeaCMS v12.8 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

5.4
2023-12-28 CVE-2023-50859 Themeum Cross-site Scripting vulnerability in Themeum WP Crowdfunding

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeum WP Crowdfunding allows Stored XSS. This issue affects WP Crowdfunding: from n/a through 2.1.6.

5.4
2023-12-28 CVE-2023-50860 TMS Outsource Cross-site Scripting vulnerability in Tms-Outsource Amelia

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in TMS Booking for Appointments and Events Calendar – Amelia allows Stored XSS. This issue affects Booking for Appointments and Events Calendar – Amelia: from n/a through 1.0.85.

5.4
2023-12-28 CVE-2023-50874 Connekthq Cross-site Scripting vulnerability in Connekthq Ajax Load More

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Darren Cooney WordPress Infinite Scroll – Ajax Load More allows Stored XSS. This issue affects WordPress Infinite Scroll – Ajax Load More: from n/a through 6.1.0.1.

5.4
2023-12-26 CVE-2023-42436 Weseek Cross-site Scripting vulnerability in Weseek Growi

Stored cross-site scripting vulnerability exists in the presentation feature of GROWI versions prior to v3.4.0.

5.4
2023-12-26 CVE-2023-45737 Weseek Cross-site Scripting vulnerability in Weseek Growi

Stored cross-site scripting vulnerability exists in the App Settings (/admin/app) page and the Markdown Settings (/admin/markdown) page of GROWI versions prior to v3.5.0.

5.4
2023-12-26 CVE-2023-45740 Weseek Cross-site Scripting vulnerability in Weseek Growi

Stored cross-site scripting vulnerability when processing profile images exists in GROWI versions prior to v4.1.3.

5.4
2023-12-26 CVE-2023-47215 Weseek Cross-site Scripting vulnerability in Weseek Growi

Stored cross-site scripting vulnerability which is exploiting a behavior of the XSS Filter exists in GROWI versions prior to v6.0.0.

5.4
2023-12-26 CVE-2023-49119 Weseek Cross-site Scripting vulnerability in Weseek Growi

Stored cross-site scripting vulnerability via the img tags exists in GROWI versions prior to v6.0.0.

5.4
2023-12-26 CVE-2023-49598 Weseek Cross-site Scripting vulnerability in Weseek Growi

Stored cross-site scripting vulnerability exists in the event handlers of the pre tags in GROWI versions prior to v6.0.0.

5.4
2023-12-26 CVE-2023-49779 Weseek Cross-site Scripting vulnerability in Weseek Growi

Stored cross-site scripting vulnerability exists in the anchor tag of GROWI versions prior to v6.0.0.

5.4
2023-12-26 CVE-2023-49807 Weseek Cross-site Scripting vulnerability in Weseek Growi

Stored cross-site scripting vulnerability when processing the MathJax exists in GROWI versions prior to v6.0.0.

5.4
2023-12-26 CVE-2023-50175 Weseek Cross-site Scripting vulnerability in Weseek Growi

Stored cross-site scripting vulnerability exists in the App Settings (/admin/app) page, the Markdown Settings (/admin/markdown) page, and the Customize (/admin/customize) page of GROWI versions prior to v6.0.0.

5.4
2023-12-26 CVE-2023-50339 Weseek Cross-site Scripting vulnerability in Weseek Growi

Stored cross-site scripting vulnerability exists in the User Management (/admin/users) page of GROWI versions prior to v6.1.11.

5.4
2023-12-26 CVE-2023-49117 Alfasado Cross-site Scripting vulnerability in Alfasado Powercms

PowerCMS (6 Series, 5 Series, and 4 Series) contains a stored cross-site scripting vulnerability.

5.4
2023-12-26 CVE-2023-27150 Opencrx Cross-site Scripting vulnerability in Opencrx 5.2.0

openCRX 5.2.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Name field after creation of a Tracker in Manage Activity.

5.4
2023-12-31 CVE-2023-6094 Moxa Cleartext Transmission of Sensitive Information vulnerability in Moxa Oncell G3150A-Lte Firmware

A vulnerability has been identified in OnCell G3150A-LTE Series firmware versions v1.3 and prior.

5.3
2023-12-29 CVE-2023-51663 Hail Authentication Bypass by Alternate Name vulnerability in Hail

Hail is an open-source, general-purpose, Python-based data analysis tool with additional data types and methods for working with genomic data.

5.3
2023-12-29 CVE-2023-31296 Sesami Improper Neutralization of Formula Elements in a CSV File vulnerability in Sesami Cash Point & Transport Optimizer 6.3.8.6.718

CSV Injection vulnerability in Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6 (#718), allows attackers to obtain sensitive information via the User Name field.

5.3
2023-12-28 CVE-2023-52081 Ewen LBH Injection vulnerability in Ewen-Lbh Firefox CSS 0.1.0/0.1.1/0.1.2

ffcss is a CLI interface to apply and configure Firefox CSS themes.

5.3
2023-12-28 CVE-2023-51010 QD Metro Unspecified vulnerability in Qd-Metro Qingdao Metro 4.2.2

An issue in the export component AdSdkH5Activity of com.sdjictec.qdmetro v4.2.2 allows attackers to open a crafted URL without any filtering or checking.

5.3
2023-12-27 CVE-2023-49003 Simplemobiletools Missing Authorization vulnerability in Simplemobiletools Simple Dialer 5.18.1

An issue in simplemobiletools Simple Dialer 5.18.1 allows an attacker to bypass intended access restrictions via interaction with com.simplemobiletools.dialer.activities.DialerActivity.

5.3
2023-12-27 CVE-2023-51074 Json Path Unspecified vulnerability in Json-Path Jayway Jsonpath 2.8.0

json-path v2.8.0 was discovered to contain a stack overflow via the Criteria.parse() method.

5.3
2023-12-27 CVE-2023-51079 Mvel Unspecified vulnerability in Mvel 2.5.0

A long execution time can occur in the ParseTools.subCompileExpression method in MVEL 2.5.0.Final because of many Java class lookups.

5.3
2023-12-26 CVE-2023-6155 AYS PRO Improper Authentication vulnerability in Ays-Pro Quiz Maker

The Quiz Maker WordPress plugin before 6.4.9.5 does not adequately authorize the `ays_quiz_author_user_search` AJAX action, allowing an unauthenticated attacker to perform a search for users of the system, ultimately leaking user email addresses.

5.3
2023-12-25 CVE-2023-40236 Pexip Use of Hard-coded Credentials vulnerability in Pexip Virtual Meeting Rooms

In Pexip VMR self-service portal before 3, the same SSH host key is used across different customers' installations, which allows authentication bypass.

5.3
2023-12-25 CVE-2023-7098 Easyimages2.0 Project Path Traversal: '../filedir' vulnerability in Easyimages2.0 Project Easyimages2.0 2.8.3

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability classified as problematic was found in icret EasyImages 2.8.3.

5.3
2023-12-29 CVE-2023-4466 Poly Protection Mechanism Failure vulnerability in Poly products

A vulnerability has been found in Poly CCX 400, CCX 600, Trio 8800 and Trio C60 and classified as problematic.

4.9
2023-12-25 CVE-2023-30451 Typo3 Path Traversal vulnerability in Typo3 11.5.24

In TYPO3 11.5.24, the filelist component allows attackers (who have access to the administrator panel) to read arbitrary files via directory traversal in the baseuri field, as demonstrated by POST /typo3/record/edit with ../../../ in data[sys_file_storage]*[data][sDEF][lDEF][basePath][vDEF].

4.9
2023-12-31 CVE-2023-52269 Mdaemon Cross-site Scripting vulnerability in Mdaemon Securitygateway 9.0.3

MDaemon SecurityGateway through 9.0.3 allows XSS via a crafted Message Content Filtering rule.

4.8
2023-12-29 CVE-2023-7171 Xxyopen Cross-site Scripting vulnerability in Xxyopen Novel-Plus

A vulnerability was found in Novel-Plus up to 4.2.0.

4.8
2023-12-29 CVE-2023-50896 Weformspro Cross-site Scripting vulnerability in Weformspro Weforms

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in weForms weForms – Easy Drag & Drop Contact Form Builder For WordPress allows Stored XSS. This issue affects weForms – Easy Drag & Drop Contact Form Builder For WordPress: from n/a through 1.6.17.

4.8
2023-12-29 CVE-2023-51361 Gingerplugins Cross-site Scripting vulnerability in Gingerplugins Sticky Chat Widget

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ginger Plugins Sticky Chat Widget: Click to chat, SMS, Email, Messages, Call Button, Live Chat and Live Support Button allows Stored XSS. This issue affects Sticky Chat Widget: Click to chat, SMS, Email, Messages, Call Button, Live Chat and Live Support Button: from n/a through 1.1.8.

4.8
2023-12-29 CVE-2023-51371 Bitapps Cross-site Scripting vulnerability in Bitapps BIT Assist

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bit Assist Chat Widget: WhatsApp Chat, Facebook Messenger Chat, Telegram Chat Bubble, Line Messenger, Live Chat Support Chat Button, WeChat, SMS, Call Button, Customer Support Button with floating Chat Widget allows Stored XSS. This issue affects Chat Widget: WhatsApp Chat, Facebook Messenger Chat, Telegram Chat Bubble, Line Messenger, Live Chat Support Chat Button, WeChat, SMS, Call Button, Customer Support Button with floating Chat Widget: from n/a through 1.1.9.

4.8
2023-12-29 CVE-2023-51372 Hasthemes Cross-site Scripting vulnerability in Hasthemes Hashbar

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HasThemes HashBar – WordPress Notification Bar allows Stored XSS. This issue affects HashBar – WordPress Notification Bar: from n/a through 1.4.1.

4.8
2023-12-29 CVE-2023-51374 Zerobounce Cross-site Scripting vulnerability in Zerobounce Email Verification & Validation

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ZeroBounce ZeroBounce Email Verification & Validation allows Stored XSS. This issue affects ZeroBounce Email Verification & Validation: from n/a through 1.0.11.

4.8
2023-12-29 CVE-2023-31298 Sesami Cross-site Scripting vulnerability in Sesami Cash Point & Transport Optimizer 6.3.8.6.718

Cross Site Scripting (XSS) vulnerability in Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6 (#718), allows remote attackers to execute arbitrary code and obtain sensitive information via the User ID field when creating a new system user.

4.8
2023-12-29 CVE-2023-7143 Code Projects Cross-site Scripting vulnerability in Code-Projects Client Details System 1.0

A vulnerability was found in code-projects Client Details System 1.0.

4.8
2023-12-28 CVE-2023-52083 Wintercms Cross-site Scripting vulnerability in Wintercms Winter

Winter is a free, open-source content management system.

4.8
2023-12-28 CVE-2023-50836 Ibericode Cross-site Scripting vulnerability in Ibericode Html Forms

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ibericode HTML Forms allows Stored XSS. This issue affects HTML Forms: from n/a through 1.3.28.

4.8
2023-12-26 CVE-2023-5980 Bannersky Cross-site Scripting vulnerability in Bannersky BSK Forms Blacklist

The BSK Forms Blacklist WordPress plugin before 3.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

4.8
2023-12-25 CVE-2023-31297 Sesami Cross-site Scripting vulnerability in Sesami Cash Point & Transport Optimizer 6.3.8.6.718

An issue was discovered in SESAMI planfocus CPTO (Cash Point & Transport Optimizer) 6.3.8.6 718.

4.8
2023-12-27 CVE-2023-46918 Fedirtsapana Use of Hard-coded Credentials vulnerability in Fedirtsapana Simple Http Server Plus 1.8.1Plus

Phlox com.phlox.simpleserver.plus (aka Simple HTTP Server PLUS) 1.8.1-plus has an Android manifest file that contains an entry with the android:allowBackup attribute set to true.

4.6
2023-12-26 CVE-2023-46711 Buffalo Use of Hard-coded Credentials vulnerability in Buffalo Vr-S1000 Firmware

VR-S1000 firmware Ver.

4.6
2023-12-30 CVE-2023-7180 Tongda2000 SQL Injection vulnerability in Tongda2000 Office Anywhere 2017 11.9

A vulnerability has been found in Tongda OA 2017 up to 11.9 and classified as critical.

4.3
2023-12-29 CVE-2023-31293 Sesami Unspecified vulnerability in Sesami Cash Point & Transport Optimizer 6.3.8.6.718

An issue was discovered in Sesami Cash Point & Transport Optimizer (CPTO) 6.3.8.6 (#718), allows remote attackers to obtain sensitive information and bypass profile restriction via improper access control in the Reader system user's web browser, allowing the journal to be displayed, despite the option being disabled.

4.3
2023-12-28 CVE-2023-50267 Metersphere Authorization Bypass Through User-Controlled Key vulnerability in Metersphere

MeterSphere is a one-stop open source continuous testing platform.

4.3
2023-12-28 CVE-2023-49229 Peplink Missing Authorization vulnerability in Peplink Balance TWO Firmware 8.1.0

An issue was discovered in Peplink Balance Two before 8.4.0.

4.3
2023-12-26 CVE-2023-46699 Weseek Cross-Site Request Forgery (CSRF) vulnerability in Weseek Growi

Cross-site request forgery (CSRF) vulnerability exists in the User settings (/me) page of GROWI versions prior to v6.0.0.

4.3
2023-12-25 CVE-2023-48652 Concretecms Cross-Site Request Forgery (CSRF) vulnerability in Concretecms Concrete CMS

Concrete CMS 9 before 9.2.3 is vulnerable to Cross Site Request Forgery (CSRF) via /ccm/system/dialogs/logs/delete_all/submit.

4.3
2023-12-25 CVE-2023-47247 Sysaid Unspecified vulnerability in Sysaid

In SysAid On-Premise before 23.3.34, there is an edge case in which an end user is able to delete a Knowledge Base article, aka bug 15102.

4.3

1 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2023-12-31 CVE-2023-52275 Tecno Mobile Missing Authorization vulnerability in Tecno-Mobile Camon X Firmware

Gallery3d on Tecno Camon X CA7 devices allows attackers to view hidden images by navigating to data/com.android.gallery3d/.privatealbum/.encryptfiles and guessing the correct image file extension.

2.1