Weekly Vulnerabilities Reports > January 15 to 21, 2024

Overview

598 new vulnerabilities reported during this period, including 100 critical vulnerabilities and 219 high severity vulnerabilities. This weekly summary report vulnerabilities in 609 products from 294 vendors including Oracle, Skyworthdigital, Google, Huawei, and Netapp. Vulnerabilities are notably categorized as "Cross-site Scripting", "Out-of-bounds Write", "SQL Injection", "Cross-Site Request Forgery (CSRF)", and "Missing Authorization".

  • 477 reported vulnerabilities are remotely exploitables.
  • 1 reported vulnerabilities have public exploit available.
  • 195 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 337 reported vulnerabilities are exploitable by an anonymous user.
  • Oracle has the most reported vulnerabilities, with 43 reported vulnerabilities.
  • Totolink has the most reported critical vulnerabilities, with 13 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

100 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2024-01-18 CVE-2023-40051 Progress Unrestricted Upload of File with Dangerous Type vulnerability in Progress Openedge and Openedge Innovation

This issue affects Progress Application Server (PAS) for OpenEdge in versions 11.7 prior to 11.7.18, 12.2 prior to 12.2.13, and innovation releases prior to 12.8.0. An attacker can formulate a request for a WEB transport that allows unintended file uploads to a server directory path on the system running PASOE.

9.9
2024-01-21 CVE-2024-23730 Llamahub Unspecified vulnerability in Llamahub

The OpenAPI and ChatGPT plugin loaders in LlamaHub (aka llama-hub) before 0.0.67 allow attackers to execute arbitrary code because safe_load is not used for YAML.

9.8
2024-01-21 CVE-2024-23731 Embedchain Argument Injection or Modification vulnerability in Embedchain

The OpenAPI loader in Embedchain before 0.1.57 allows attackers to execute arbitrary code, related to the openapi.py yaml.load function argument.

9.8
2024-01-21 CVE-2024-0769 Dlink Path Traversal vulnerability in Dlink Dir-859 Firmware 1.06

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in D-Link DIR-859 1.06B01.

9.8
2024-01-20 CVE-2023-51906 Yonyou Unspecified vulnerability in Yonyou Yonbip 323.05

An issue in yonyou YonBIP v3_23.05 allows a remote attacker to execute arbitrary code via a crafted script to the ServiceDispatcherServlet uap.framework.rc.itf.IResourceManager component.

9.8
2024-01-20 CVE-2023-51924 Yonyou Unrestricted Upload of File with Dangerous Type vulnerability in Yonyou Yonbip 323.05

An arbitrary file upload vulnerability in the uap.framework.rc.itf.IResourceManager interface of YonBIP v3_23.05 allows attackers to execute arbitrary code via uploading a crafted file.

9.8
2024-01-20 CVE-2023-51925 Yonyou Unrestricted Upload of File with Dangerous Type vulnerability in Yonyou Yonbip 323.05

An arbitrary file upload vulnerability in the nccloud.web.arcp.taskmonitor.action.ArcpUploadAction.doAction() method of YonBIP v3_23.05 allows attackers to execute arbitrary code via uploading a crafted file.

9.8
2024-01-20 CVE-2021-31314 Ejinshan Unrestricted Upload of File with Dangerous Type vulnerability in Ejinshan Terminal Security System 8.0

File upload vulnerability in ejinshan v8+ terminal security system allows attackers to upload arbitrary files to arbitrary locations on the server.

9.8
2024-01-20 CVE-2023-51892 Weaver Unspecified vulnerability in Weaver E-Cology 10.0.2310.01

An issue in weaver e-cology v.10.0.2310.01 allows a remote attacker to execute arbitrary code via a crafted script to the FrameworkShellController component.

9.8
2024-01-20 CVE-2023-51927 Yonyou SQL Injection vulnerability in Yonyou Yonbip 323.05

YonBIP v3_23.05 was discovered to contain a SQL injection vulnerability via the com.yonyou.hrcloud.attend.web.AttendScriptController.runScript() method.

9.8
2024-01-20 CVE-2023-51928 Yonyou Unrestricted Upload of File with Dangerous Type vulnerability in Yonyou Yonbip 323.05

An arbitrary file upload vulnerability in the nccloud.web.arcp.taskmonitor.action.ArcpUploadAction.doAction() method of YonBIP v3_23.05 allows attackers to execute arbitrary code via uploading a crafted file.

9.8
2024-01-19 CVE-2024-0738 Garethhk Code Injection vulnerability in Garethhk Mldong 1.0

A vulnerability, which was classified as critical, has been found in ???? mldong 1.0.

9.8
2024-01-19 CVE-2024-0739 Leadshop Deserialization of Untrusted Data vulnerability in Leadshop

A vulnerability, which was classified as critical, was found in Hecheng Leadshop up to 1.4.20.

9.8
2024-01-19 CVE-2024-0733 Smsot SQL Injection vulnerability in Smsot 2.12

A vulnerability was found in Smsot up to 2.12.

9.8
2024-01-19 CVE-2024-0734 Smsot SQL Injection vulnerability in Smsot 2.12

A vulnerability was found in Smsot up to 2.12.

9.8
2024-01-19 CVE-2024-0735 Mayurik SQL Injection vulnerability in Mayurik Online Tours & Travels Management System 1.0

A vulnerability was found in SourceCodester Online Tours & Travels Management System 1.0.

9.8
2024-01-19 CVE-2024-23679 Enonic Session Fixation vulnerability in Enonic XP

Enonic XP versions less than 7.7.4 are vulnerable to a session fixation issue.

9.8
2024-01-19 CVE-2023-50693 Jester Project Unspecified vulnerability in Jester Project Jester

An issue in Jester v.0.6.0 and before allows a remote attacker to send a malicious crafted request.

9.8
2024-01-19 CVE-2023-50694 Dom96 Unspecified vulnerability in Dom96 Httpbeast

An issue in dom96 HTTPbeast v.0.4.1 and before allows a remote attacker to send a malicious crafted request due to insufficient parsing in the parser.nim component.

9.8
2024-01-19 CVE-2024-22211 Freerdp Integer Overflow or Wraparound vulnerability in Freerdp

FreeRDP is a set of free and open source remote desktop protocol library and clients.

9.8
2024-01-19 CVE-2024-0728 Foru CMS Project Externally Controlled Reference to a Resource in Another Sphere vulnerability in Foru CMS Project Foru CMS 20200623

A vulnerability classified as problematic was found in ForU CMS up to 2020-06-23.

9.8
2024-01-19 CVE-2024-0729 Foru CMS Project SQL Injection vulnerability in Foru CMS Project Foru CMS 20200623

A vulnerability, which was classified as critical, has been found in ForU CMS up to 2020-06-23.

9.8
2024-01-19 CVE-2024-0730 Projectworlds SQL Injection vulnerability in Projectworlds Online Time Table Generator 1.0

A vulnerability, which was classified as critical, was found in Project Worlds Online Time Table Generator 1.0.

9.8
2024-01-19 CVE-2022-40700 Millionclues
Deano
Unihost
Agence Press
Montonio
Frumph
Designmodo
Paulclark
Squidesma
Longwatchstudio
Arcstone
Wpopal
Server-Side Request Forgery (SSRF) vulnerability in multiple products

Server-Side Request Forgery (SSRF) vulnerability in Montonio Montonio for WooCommerce, Wpopal Wpopal Core Features, AMO for WP – Membership Management ArcStone wp-amo, Long Watch Studio WooVirtualWallet – A virtual wallet for WooCommerce, Long Watch Studio WooVIP – Membership plugin for WordPress and WooCommerce, Long Watch Studio WooSupply – Suppliers, Supply Orders and Stock Management, Squidesma Theme Minifier, Paul Clark Styles styles, Designmodo Inc.

9.8
2024-01-19 CVE-2024-0714 Sourcefabric OS Command Injection vulnerability in Sourcefabric Phoniebox

A vulnerability was found in MiczFlor RPi-Jukebox-RFID up to 2.5.0.

9.8
2024-01-19 CVE-2023-27168 Xpand IT Unrestricted Upload of File with Dangerous Type vulnerability in Xpand-It Write-Back Manager 2.3.1

An arbitrary file upload vulnerability in Xpand IT Write-back Manager v2.3.1 allows attackers to execute arbitrary code via a crafted jsp file.

9.8
2024-01-19 CVE-2023-43985 Sunnytoo SQL Injection vulnerability in Sunnytoo Stblogsearch

SunnyToo stblogsearch up to v1.0.0 was discovered to contain a SQL injection vulnerability via the StBlogSearchClass::prepareSearch component.

9.8
2024-01-19 CVE-2023-46351 Mypresta SQL Injection vulnerability in Mypresta Manufacturers (Brands) Images Block

In the module mib < 1.6.1 from MyPresta.eu for PrestaShop, a guest can perform SQL injection.

9.8
2024-01-19 CVE-2023-50028 Prestashopmodules SQL Injection vulnerability in Prestashopmodules Sliding Cart Block

In the module "Sliding cart block" (blockslidingcart) up to version 2.3.8 from PrestashopModules.eu for PrestaShop, a guest can perform SQL injection.

9.8
2024-01-19 CVE-2023-50030 Joommasters SQL Injection vulnerability in Joommasters Jmssetting

In the module "Jms Setting" (jmssetting) from Joommasters for PrestaShop, a guest can perform SQL injection in versions <= 1.1.0.

9.8
2024-01-19 CVE-2024-0712 Byzoro Improper Access Control vulnerability in Byzoro Smart S150 Firmware 31R02B15

A vulnerability was found in Byzoro Smart S150 Management Platform V31R02B15.

9.8
2024-01-19 CVE-2023-5716 Asus Unspecified vulnerability in Asus Armoury Crate

ASUS Armoury Crate has a vulnerability in arbitrary file write and allows remote attackers to access or modify arbitrary files by sending specific HTTP requests without permission.

9.8
2024-01-18 CVE-2024-22415 Jupyter Path Traversal vulnerability in Jupyter Language Server Protocol Integration

jupyter-lsp is a coding assistance tool for JupyterLab (code navigation + hover suggestions + linters + autocompletion + rename) using Language Server Protocol.

9.8
2024-01-18 CVE-2024-22212 Nextcloud Missing Authentication for Critical Function vulnerability in Nextcloud Global Site Selector

Nextcloud Global Site Selector is a tool which allows you to run multiple small Nextcloud instances and redirect users to the right server.

9.8
2024-01-18 CVE-2024-22419 Vyperlang Out-of-bounds Write vulnerability in Vyperlang Vyper

Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine.

9.8
2024-01-18 CVE-2023-5806 Mergentech SQL Injection vulnerability in Mergentech Quality Management System

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mergen Software Quality Management System allows SQL Injection.This issue affects Quality Management System: before v1.2.

9.8
2024-01-18 CVE-2023-6816 X ORG
Fedoraproject
Redhat
Debian
Out-of-bounds Write vulnerability in multiple products

A flaw was found in X.Org server.

9.8
2024-01-18 CVE-2024-0655 Xxyopen SQL Injection vulnerability in Xxyopen Novel-Plus 4.3.0

A vulnerability has been found in Novel-Plus 4.3.0-RC1 and classified as critical.

9.8
2024-01-17 CVE-2024-0648 Yunyou CMS Project Unrestricted Upload of File with Dangerous Type vulnerability in Yunyou CMS Project Yunyou CMS

A vulnerability has been found in Yunyou CMS up to 2.2.6 and classified as critical.

9.8
2024-01-17 CVE-2024-0649 Zhiyun Tech Server-Side Request Forgery (SSRF) vulnerability in Zhiyun-Tech Zhihuiyun

A vulnerability was found in ZhiHuiYun up to 4.4.13 and classified as critical.

9.8
2024-01-17 CVE-2023-44077 Studionetworksolutions Improper Verification of Cryptographic Signature vulnerability in Studionetworksolutions Sharebrowser

Studio Network Solutions ShareBrowser before 7.0 on macOS mishandles signature verification, aka PMP-2636.

9.8
2024-01-17 CVE-2022-41786 Wpjobportal Missing Authorization vulnerability in Wpjobportal WP JOB Portal

Missing Authorization vulnerability in WP Job Portal WP Job Portal – A Complete Job Board.This issue affects WP Job Portal – A Complete Job Board: from n/a through 2.0.1.

9.8
2024-01-17 CVE-2024-20272 Cisco Unspecified vulnerability in Cisco Unity Connection

A vulnerability in the web-based management interface of Cisco Unity Connection could allow an unauthenticated, remote attacker to upload arbitrary files to an affected system and execute commands on the underlying operating system.

9.8
2024-01-17 CVE-2022-36418 Dcgws Missing Authorization vulnerability in Dcgws Hreflang Tags Lite

Missing Authorization vulnerability in Vagary Digital HREFLANG Tags Lite.This issue affects HREFLANG Tags Lite: from n/a through 2.0.0.

9.8
2024-01-17 CVE-2024-0642 Cires21 Improper Access Control vulnerability in Cires21 Live Encoder 5.3

Inadequate access control in the C21 Live Encoder and Live Mosaic product, version 5.3.

9.8
2024-01-17 CVE-2024-0643 Cires21 Unrestricted Upload of File with Dangerous Type vulnerability in Cires21 Live Encoder 5.3

Unrestricted upload of dangerous file types in the C21 Live Encoder and Live Mosaic product, version 5.3.

9.8
2024-01-17 CVE-2021-4434 Warfareplugins Unspecified vulnerability in Warfareplugins Social Warfare

The Social Warfare plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 3.5.2 via the 'swp_url' parameter.

9.8
2024-01-16 CVE-2024-22406 Shopware SQL Injection vulnerability in Shopware

Shopware is an open headless commerce platform.

9.8
2024-01-16 CVE-2023-39691 Kodcloud Unspecified vulnerability in Kodcloud Kodbox

An issue discovered in kodbox through 1.43 allows attackers to arbitrarily add Administrator accounts via crafted GET request.

9.8
2024-01-16 CVE-2023-52042 Totolink Unspecified vulnerability in Totolink X6000R Firmware 9.4.0Cu.852B20230719

An issue discovered in sub_4117F8 function in TOTOLINK X6000R V9.4.0cu.852_B20230719 allows attackers to run arbitrary commands via the 'lang' parameter.

9.8
2024-01-16 CVE-2024-0603 Zhicms Deserialization of Untrusted Data vulnerability in Zhicms

A vulnerability classified as critical has been found in ZhiCms up to 4.0.

9.8
2024-01-16 CVE-2024-22916 Dlink Out-of-bounds Write vulnerability in Dlink Go-Rt-Ac750 Firmware 101B03

In D-LINK Go-RT-AC750 v101b03, the sprintf function in the sub_40E700 function within the cgibin is susceptible to stack overflow.

9.8
2024-01-16 CVE-2023-49351 Edimax Out-of-bounds Write vulnerability in Edimax Br-6478Ac Firmware 1.23

A stack-based buffer overflow vulnerability in /bin/webs binary in Edimax BR6478AC V2 firmware veraion v1.23 allows attackers to overwrite other values located on the stack due to an incorrect use of the strcpy() function.

9.8
2024-01-16 CVE-2023-52041 Totolink Unspecified vulnerability in Totolink X6000R Firmware 9.4.0Cu.852B20230719

An issue discovered in TOTOLINK X6000R V9.4.0cu.852_B20230719 allows attackers to run arbitrary code via the sub_410118 function of the shttpd program.

9.8
2024-01-16 CVE-2024-0200 Github Unsafe Reflection vulnerability in Github Enterprise Server

An unsafe reflection vulnerability was identified in GitHub Enterprise Server that could lead to reflection injection.

9.8
2024-01-16 CVE-2023-37523 Hcltechsw Unspecified vulnerability in Hcltechsw Bigfix Bare OSD Metal Server Webui

Missing or insecure tags in the HCL BigFix Bare OSD Metal Server WebUI version 311.19 or lower could allow an attacker to execute a malicious script on the user's browser.

9.8
2024-01-16 CVE-2024-0579 Totolink Command Injection vulnerability in Totolink X2000R Firmware 1.0.0B20221212.1452

A vulnerability classified as critical was found in Totolink X2000R 1.0.0-B20221212.1452.

9.8
2024-01-16 CVE-2022-1609 Weblizar Code Injection vulnerability in Weblizar School Management

The School Management WordPress plugin before 9.9.7 contains an obfuscated backdoor injected in it's license checking code that registers a REST API handler, allowing an unauthenticated attacker to execute arbitrary PHP code on the site.

9.8
2024-01-16 CVE-2023-0224 Givewp SQL Injection vulnerability in Givewp

The GiveWP WordPress plugin before 2.24.1 does not properly escape user input before it reaches SQL queries, which could let unauthenticated attackers perform SQL Injection attacks

9.8
2024-01-16 CVE-2023-37522 Hcltechsw Unspecified vulnerability in Hcltechsw Bigfix Bare OSD Metal Server Webui

HCL BigFix Bare OSD Metal Server WebUI version 311.19 or lower has missing or insecure tags that could allow an attacker to execute a malicious script on the user's browser.

9.8
2024-01-16 CVE-2023-3211 Dmparekh SQL Injection vulnerability in Dmparekh Wordpress Database Administrator

The WordPress Database Administrator WordPress plugin through 1.0.3 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.

9.8
2024-01-16 CVE-2024-0576 Totolink Stack-based Buffer Overflow vulnerability in Totolink Lr1200Gb Firmware 9.1.0U.6619B20230130

A vulnerability was found in Totolink LR1200GB 9.1.0u.6619_B20230130.

9.8
2024-01-16 CVE-2024-0577 Totolink Stack-based Buffer Overflow vulnerability in Totolink Lr1200Gb Firmware 9.1.0U.6619B20230130

A vulnerability was found in Totolink LR1200GB 9.1.0u.6619_B20230130.

9.8
2024-01-16 CVE-2024-0578 Totolink Stack-based Buffer Overflow vulnerability in Totolink Lr1200Gb Firmware 9.1.0U.6619B20230130

A vulnerability classified as critical has been found in Totolink LR1200GB 9.1.0u.6619_B20230130.

9.8
2024-01-16 CVE-2023-6395 RPM Software Management
Fedoraproject
The Mock software contains a vulnerability wherein an attacker could potentially exploit privilege escalation, enabling the execution of arbitrary code with root user privileges.
9.8
2024-01-16 CVE-2024-0573 Totolink Stack-based Buffer Overflow vulnerability in Totolink Lr1200Gb Firmware 9.1.0U.6619B20230130

A vulnerability has been found in Totolink LR1200GB 9.1.0u.6619_B20230130 and classified as critical.

9.8
2024-01-16 CVE-2024-0574 Totolink Stack-based Buffer Overflow vulnerability in Totolink Lr1200Gb Firmware 9.1.0U.6619B20230130

A vulnerability was found in Totolink LR1200GB 9.1.0u.6619_B20230130 and classified as critical.

9.8
2024-01-16 CVE-2024-0575 Totolink Stack-based Buffer Overflow vulnerability in Totolink Lr1200Gb Firmware 9.1.0U.6619B20230130

A vulnerability was found in Totolink LR1200GB 9.1.0u.6619_B20230130.

9.8
2024-01-16 CVE-2024-0571 Totolink Stack-based Buffer Overflow vulnerability in Totolink Lr1200Gb Firmware 9.1.0U.6619B20230130

A vulnerability, which was classified as critical, has been found in Totolink LR1200GB 9.1.0u.6619_B20230130.

9.8
2024-01-16 CVE-2024-0572 Totolink Stack-based Buffer Overflow vulnerability in Totolink Lr1200Gb Firmware 9.1.0U.6619B20230130

A vulnerability, which was classified as critical, was found in Totolink LR1200GB 9.1.0u.6619_B20230130.

9.8
2024-01-16 CVE-2023-52103 Huawei Classic Buffer Overflow vulnerability in Huawei Emui and Harmonyos

Buffer overflow vulnerability in the FLP module.

9.8
2024-01-16 CVE-2023-22527 Atlassian Injection vulnerability in Atlassian Confluence Data Center and Confluence Server

A template injection vulnerability on older versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected instance.

9.8
2024-01-15 CVE-2023-50729 Traccar Unrestricted Upload of File with Dangerous Type vulnerability in Traccar

Traccar is an open source GPS tracking system.

9.8
2024-01-15 CVE-2023-6049 Estatik Deserialization of Untrusted Data vulnerability in Estatik

The Estatik Real Estate Plugin WordPress plugin before 4.1.1 unserializes user input via some of its cookies, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget chain is present on the blog

9.8
2024-01-15 CVE-2023-6623 Wpdeveloper Path Traversal vulnerability in Wpdeveloper Essential Blocks

The Essential Blocks WordPress plugin before 4.4.3 does not prevent unauthenticated attackers from overwriting local variables when rendering templates over the REST API, which may lead to Local File Inclusion attacks.

9.8
2024-01-15 CVE-2023-46226 Apache Unspecified vulnerability in Apache Iotdb 1.0.0/1.1.0

Remote Code Execution vulnerability in Apache IoTDB.This issue affects Apache IoTDB: from 1.0.0 through 1.2.2. Users are recommended to upgrade to version 1.3.0, which fixes the issue.

9.8
2024-01-15 CVE-2020-36770 Gentoo Unspecified vulnerability in Gentoo Ebuild for Slurm

pkg_postinst in the Gentoo ebuild for Slurm through 22.05.3 unnecessarily calls chown to assign root's ownership on files in the live root filesystem.

9.8
2024-01-15 CVE-2024-0539 Tenda Out-of-bounds Write vulnerability in Tenda W9 Firmware 1.0.0.7(4456)

A vulnerability was found in Tenda W9 1.0.0.7(4456) and classified as critical.

9.8
2024-01-15 CVE-2024-0540 Tenda Out-of-bounds Write vulnerability in Tenda W9 Firmware 1.0.0.7(4456)

A vulnerability was found in Tenda W9 1.0.0.7(4456).

9.8
2024-01-15 CVE-2024-0541 Tenda Out-of-bounds Write vulnerability in Tenda W9 Firmware 1.0.0.7(4456)

A vulnerability was found in Tenda W9 1.0.0.7(4456).

9.8
2024-01-15 CVE-2024-0542 Tenda Out-of-bounds Write vulnerability in Tenda W9 Firmware 1.0.0.7(4456)

A vulnerability was found in Tenda W9 1.0.0.7(4456).

9.8
2024-01-15 CVE-2024-0536 Tenda Out-of-bounds Write vulnerability in Tenda W9 Firmware 1.0.0.7(4456)

A vulnerability, which was classified as critical, has been found in Tenda W9 1.0.0.7(4456).

9.8
2024-01-15 CVE-2024-0537 Tenda Out-of-bounds Write vulnerability in Tenda W9 Firmware 1.0.0.7(4456)

A vulnerability, which was classified as critical, was found in Tenda W9 1.0.0.7(4456).

9.8
2024-01-15 CVE-2024-0538 Tenda Out-of-bounds Write vulnerability in Tenda W9 Firmware 1.0.0.7(4456)

A vulnerability has been found in Tenda W9 1.0.0.7(4456) and classified as critical.

9.8
2024-01-15 CVE-2024-0552 Intumit Injection vulnerability in Intumit Smartrobot Firmware

Intumit inc.

9.8
2024-01-15 CVE-2024-0535 Tendacn Stack-based Buffer Overflow vulnerability in Tendacn PA6 Firmware 1.0.1.21

A vulnerability classified as critical was found in Tenda PA6 1.0.1.21.

9.8
2024-01-15 CVE-2024-0529 Cxbsoft SQL Injection vulnerability in Cxbsoft Post-Office 1.0

A vulnerability has been found in CXBSoft Post-Office up to 1.0 and classified as critical.

9.8
2024-01-15 CVE-2024-0530 Cxbsoft SQL Injection vulnerability in Cxbsoft Post-Office 1.0

A vulnerability was found in CXBSoft Post-Office up to 1.0 and classified as critical.

9.8
2024-01-15 CVE-2024-0527 Cxbsoft SQL Injection vulnerability in Cxbsoft Url-Shorting

A vulnerability, which was classified as critical, has been found in CXBSoft Url-shorting up to 1.3.1.

9.8
2024-01-15 CVE-2024-0528 Cxbsoft SQL Injection vulnerability in Cxbsoft Post-Office 1.0

A vulnerability, which was classified as critical, was found in CXBSoft Post-Office 1.0.

9.8
2024-01-15 CVE-2024-0524 Cxbsoft SQL Injection vulnerability in Cxbsoft Url-Shorting

A vulnerability was found in CXBSoft Url-shorting up to 1.3.1.

9.8
2024-01-15 CVE-2024-0525 Cxbsoft SQL Injection vulnerability in Cxbsoft Url-Shorting

A vulnerability classified as critical has been found in CXBSoft Url-shorting up to 1.3.1.

9.8
2024-01-15 CVE-2024-0526 Cxbsoft SQL Injection vulnerability in Cxbsoft Url-Shorting

A vulnerability classified as critical was found in CXBSoft Url-shorting up to 1.3.1.

9.8
2024-01-19 CVE-2024-23687 Openlibraryfoundation Use of Hard-coded Credentials vulnerability in Openlibraryfoundation Mod-Data-Export-Spring

Hard-coded credentials in FOLIO mod-data-export-spring versions before 1.5.4 and from 2.0.0 to 2.0.2 allows unauthenticated users to access critical APIs, modify user data, modify configurations including single-sign-on, and manipulate fees/fines.

9.1
2024-01-19 CVE-2023-51947 Actidata Missing Authentication for Critical Function vulnerability in Actidata Actinas SL 2U-8 RDX Firmware 3.2.03

Improper access control on nasSvr.php in actidata actiNAS SL 2U-8 RDX 3.2.03-SP1 allows remote attackers to read and modify different types of data without authentication.

9.1
2024-01-18 CVE-2024-22317 IBM Improper Restriction of Excessive Authentication Attempts vulnerability in IBM APP Connect Enterprise

IBM App Connect Enterprise 11.0.0.1 through 11.0.0.24 and 12.0.1.0 through 12.0.11.0 could allow a remote attacker to obtain sensitive information or cause a denial of service due to improper restriction of excessive authentication attempts.

9.1
2024-01-16 CVE-2024-0570 Totolink Missing Authorization vulnerability in Totolink N350Rt Firmware 9.3.5U.6265

A vulnerability classified as critical was found in Totolink N350RT 9.3.5u.6265.

9.1
2024-01-16 CVE-2024-0569 Totolink Missing Authorization vulnerability in Totolink T8 Firmware 4.1.5Cu.83320220905

A vulnerability classified as problematic has been found in Totolink T8 4.1.5cu.833_20220905.

9.1
2024-01-16 CVE-2023-52101 Huawei Unspecified vulnerability in Huawei Emui and Harmonyos

Component exposure vulnerability in the Wi-Fi module.

9.1
2024-01-16 CVE-2023-52106 Huawei Unspecified vulnerability in Huawei Harmonyos 4.0.0

The DownloadProviderMain module has a vulnerability in API permission verification.

9.1

219 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2024-01-21 CVE-2024-23726 Ubeeinteractive Use of Hard-coded Credentials vulnerability in Ubeeinteractive Ddw365 Firmware

Ubee DDW365 XCNDDW365 devices have predictable default WPA2 PSKs that could lead to unauthorized remote access.

8.8
2024-01-20 CVE-2023-47024 Ncratleos Cross-Site Request Forgery (CSRF) vulnerability in Ncratleos Terminal Handler 1.5.1

Cross-Site Request Forgery (CSRF) in NCR Terminal Handler v.1.5.1 leads to a one-click account takeover.

8.8
2024-01-19 CVE-2024-23689 Clickhouse Information Exposure Through an Error Message vulnerability in Clickhouse Java Libraries

Exposure of sensitive information in exceptions in ClichHouse's clickhouse-r2dbc, com.clickhouse:clickhouse-jdbc, and com.clickhouse:clickhouse-client versions less than 0.4.6 allows unauthorized users to gain access to client certificate passwords via client exception logs.

8.8
2024-01-19 CVE-2022-45845 Nextendweb Deserialization of Untrusted Data vulnerability in Nextendweb Smart Slider 3

Deserialization of Untrusted Data vulnerability in Nextend Smart Slider 3.This issue affects Smart Slider 3: from n/a through 3.5.1.9.

8.8
2024-01-19 CVE-2024-0713 Monitorr Unrestricted Upload of File with Dangerous Type vulnerability in Monitorr 1.7.6M

A vulnerability was found in Monitorr 1.7.6m.

8.8
2024-01-19 CVE-2023-47718 IBM Cross-Site Request Forgery (CSRF) vulnerability in IBM Maximo Application Suite and Maximo Asset Management

IBM Maximo Asset Management 7.6.1.3 and Manage Component 8.10 through 8.11 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.

8.8
2024-01-19 CVE-2023-40683 IBM Permissions, Privileges, and Access Controls vulnerability in IBM Openpages With Watson 9.0

IBM OpenPages with Watson 8.3 and 9.0 could allow remote attacker to bypass security restrictions, caused by insufficient authorization checks.

8.8
2024-01-18 CVE-2023-5130 Deltaww Classic Buffer Overflow vulnerability in Deltaww Wplsoft 2.42.11

A buffer overflow vulnerability exists in Delta Electronics WPLSoft.

8.8
2024-01-18 CVE-2023-5131 Deltaww Out-of-bounds Write vulnerability in Deltaww Ispsoft 3.02.11

A heap buffer-overflow exists in Delta Electronics ISPSoft.

8.8
2024-01-18 CVE-2023-51217 Tenhot OS Command Injection vulnerability in Tenhot Tws-200 Firmware 4.0201809201424

An issue discovered in TenghuTOS TWS-200 firmware version:V4.0-201809201424 allows a remote attacker to execute arbitrary code via crafted command on the ping page component.

8.8
2024-01-18 CVE-2024-22601 Flycms Project Cross-Site Request Forgery (CSRF) vulnerability in Flycms Project Flycms 1.0

FlyCms v1.0 contains a Cross-Site Request Forgery (CSRF) vulnerability via /system/score/scorerule_save

8.8
2024-01-18 CVE-2024-22603 Flycms Project Cross-Site Request Forgery (CSRF) vulnerability in Flycms Project Flycms 1.0

FlyCms v1.0 contains a Cross-Site Request Forgery (CSRF) vulnerability via /system/links/add_link

8.8
2024-01-18 CVE-2024-22817 Flycms Project Cross-Site Request Forgery (CSRF) vulnerability in Flycms Project Flycms 1.0

FlyCms v1.0 contains a Cross-Site Request Forgery (CSRF) vulnerability via /system/email/email_conf_updagte

8.8
2024-01-18 CVE-2024-22818 Flycms Project Cross-Site Request Forgery (CSRF) vulnerability in Flycms Project Flycms 1.0

FlyCms v1.0 contains a Cross-Site Request Forgery (CSRF) vulnerbility via /system/site/filterKeyword_save

8.8
2024-01-18 CVE-2024-22819 Flycms Project Cross-Site Request Forgery (CSRF) vulnerability in Flycms Project Flycms 1.0

FlyCms v1.0 contains a Cross-Site Request Forgery (CSRF) vulnerability via /system/email/email_templets_update.

8.8
2024-01-18 CVE-2024-22699 Flycms Project Cross-Site Request Forgery (CSRF) vulnerability in Flycms Project Flycms 1.0

FlyCms v1.0 contains a Cross-Site Request Forgery (CSRF) vulnerability via /system/admin/update_group_save.

8.8
2024-01-18 CVE-2024-22568 Flycms Project Cross-Site Request Forgery (CSRF) vulnerability in Flycms Project Flycms 1.0

FlyCms v1.0 contains a Cross-Site Request Forgery (CSRF) vulnerability via /system/score/del.

8.8
2024-01-18 CVE-2024-22591 Flycms Project Cross-Site Request Forgery (CSRF) vulnerability in Flycms Project Flycms 1.0

FlyCms v1.0 contains a Cross-Site Request Forgery (CSRF) vulnerability via /system/user/group_save.

8.8
2024-01-18 CVE-2024-22592 Flycms Project Cross-Site Request Forgery (CSRF) vulnerability in Flycms Project Flycms 1.0

FlyCms v1.0 contains a Cross-Site Request Forgery (CSRF) vulnerability via /system/user/group_update

8.8
2024-01-18 CVE-2024-22593 Flycms Project Cross-Site Request Forgery (CSRF) vulnerability in Flycms Project Flycms 1.0

FlyCms v1.0 contains a Cross-Site Request Forgery (CSRF) vulnerability via /system/admin/add_group_save

8.8
2024-01-18 CVE-2024-22416 Pyload NG Project Cross-Site Request Forgery (CSRF) vulnerability in Pyload-Ng Project Pyload-Ng

pyLoad is a free and open-source Download Manager written in pure Python.

8.8
2024-01-17 CVE-2023-6548 Citrix Code Injection vulnerability in Citrix products

Improper Control of Generation of Code ('Code Injection') in NetScaler ADC and NetScaler Gateway allows an attacker with access to NSIP, CLIP or SNIP with management interface to perform Authenticated (low privileged) remote code execution on Management Interface.

8.8
2024-01-17 CVE-2022-42884 Themeinprogress Missing Authorization vulnerability in Themeinprogress WIP Custom Login

Missing Authorization vulnerability in ThemeinProgress WIP Custom Login.This issue affects WIP Custom Login: from n/a through 1.2.7.

8.8
2024-01-17 CVE-2022-41790 Codepeople Missing Authorization vulnerability in Codepeople WP Time Slots Booking Form

Missing Authorization vulnerability in CodePeople WP Time Slots Booking Form.This issue affects WP Time Slots Booking Form: from n/a through 1.1.76.

8.8
2024-01-17 CVE-2024-22715 Codelyfe Cross-Site Request Forgery (CSRF) vulnerability in Codelyfe Stupid Simple CMS

Stupid Simple CMS <=1.2.4 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin-edit.php.

8.8
2024-01-17 CVE-2022-41990 Cardozatechnologies Cross-Site Request Forgery (CSRF) vulnerability in Cardozatechnologies Cardoza-3D-Tag-Cloud

Cross-Site Request Forgery (CSRF) vulnerability in Vinoj Cardoza 3D Tag Cloud allows Stored XSS.This issue affects 3D Tag Cloud: from n/a through 3.8.

8.8
2024-01-17 CVE-2023-23896 Mythemeshop Missing Authorization vulnerability in Mythemeshop URL Shortener

Missing Authorization vulnerability in MyThemeShop URL Shortener by MyThemeShop.This issue affects URL Shortener by MyThemeShop: from n/a through 1.0.17.

8.8
2024-01-17 CVE-2022-40203 Algolplus Missing Authorization vulnerability in Algolplus Advanced Dynamic Pricing for Woocommerce

Missing Authorization vulnerability in AlgolPlus Advanced Dynamic Pricing for WooCommerce.This issue affects Advanced Dynamic Pricing for WooCommerce: from n/a through 4.1.5.

8.8
2024-01-17 CVE-2023-5041 Tracktheclick SQL Injection vulnerability in Tracktheclick Track the Click

The Track The Click WordPress plugin before 0.3.12 does not properly sanitize query parameters to the stats REST endpoint before using them in a database query, allowing a logged in user with an author role or higher to perform time based blind SQLi attacks on the database.

8.8
2024-01-16 CVE-2024-22409 Datahub Project Incorrect Default Permissions vulnerability in Datahub Project Datahub

DataHub is an open-source metadata platform.

8.8
2024-01-16 CVE-2024-0517 Google
Fedoraproject
Out-of-bounds Write vulnerability in multiple products

Out of bounds write in V8 in Google Chrome prior to 120.0.6099.224 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2024-01-16 CVE-2024-0518 Google
Fedoraproject
Type Confusion vulnerability in multiple products

Type confusion in V8 in Google Chrome prior to 120.0.6099.224 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2024-01-16 CVE-2024-0519 Google Out-of-bounds Write vulnerability in Google Chrome

Out of bounds memory access in V8 in Google Chrome prior to 120.0.6099.224 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2024-01-16 CVE-2024-0507 Github Command Injection vulnerability in Github Enterprise Server

An attacker with access to a Management Console user account with the editor role could escalate privileges through a command injection vulnerability in the Management Console.

8.8
2024-01-16 CVE-2021-24566 Pluginus Unspecified vulnerability in Pluginus FOX - Currency Switcher Professional for Woocommerce

The WooCommerce Currency Switcher FOX WordPress plugin before 1.3.7 was vulnerable to LFI attacks via the "woocs" shortcode.

8.8
2024-01-16 CVE-2021-24869 Wpfastestcache SQL Injection vulnerability in Wpfastestcache WP Fastest Cache

The WP Fastest Cache WordPress plugin before 0.9.5 does not escape user input in the set_urls_with_terms method before using it in a SQL statement, leading to an SQL injection exploitable by low privilege users such as subscriber

8.8
2024-01-16 CVE-2023-45230 Tianocore Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Tianocore Edk2

EDK2's Network Package is susceptible to a buffer overflow vulnerability via a long server ID option in DHCPv6 client.

8.8
2024-01-16 CVE-2023-45234 Tianocore Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Tianocore Edk2

EDK2's Network Package is susceptible to a buffer overflow vulnerability when processing DNS Servers option from a DHCPv6 Advertise message.

8.8
2024-01-16 CVE-2023-45235 Tianocore Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Tianocore Edk2

EDK2's Network Package is susceptible to a buffer overflow vulnerability when handling Server ID option from a DHCPv6 proxy Advertise message.

8.8
2024-01-16 CVE-2023-4536 Koalaapps Unrestricted Upload of File with Dangerous Type vulnerability in Koalaapps MY Account Page Editor

The My Account Page Editor WordPress plugin before 1.3.2 does not validate the profile picture to be uploaded, allowing any authenticated users, such as subscriber to upload arbitrary files to the server, leading to RCE

8.8
2024-01-16 CVE-2023-6373 Artplacer SQL Injection vulnerability in Artplacer Widget

The ArtPlacer Widget WordPress plugin before 2.20.7 does not sanitize and escape the "id" parameter before submitting the query, leading to a SQLI exploitable by editors and above.

8.8
2024-01-16 CVE-2011-10005 Easyftp Server Project Classic Buffer Overflow vulnerability in Easyftp Server Project Easyftp Server 1.7.0.2

A vulnerability, which was classified as critical, was found in EasyFTP 1.7.0.2.

8.8
2024-01-16 CVE-2023-22526 Atlassian Code Injection vulnerability in Atlassian Confluence Data Center and Confluence Server

This High severity RCE (Remote Code Execution) vulnerability was introduced in version 7.19.0 of Confluence Data Center. This RCE (Remote Code Execution) vulnerability, with a CVSS Score of 7.2, allows an authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires no user interaction. Atlassian recommends that Confluence Data Center customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: Confluence Data Center and Server 7.19: Upgrade to a release 7.19.17, or any higher 7.19.x release Confluence Data Center and Server 8.5: Upgrade to a release 8.5.5 or any higher 8.5.x release Confluence Data Center and Server 8.7: Upgrade to a release 8.7.2 or any higher release See the release notes ([https://confluence.atlassian.com/doc/confluence-release-notes-327.html]).

8.8
2024-01-16 CVE-2024-21672 Atlassian Code Injection vulnerability in Atlassian Confluence Data Center and Confluence Server

This High severity Remote Code Execution (RCE) vulnerability was introduced in version 2.1.0 of Confluence Data Center and Server. Remote Code Execution (RCE) vulnerability, with a CVSS Score of 8.3 and a CVSS Vector of CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H allows an unauthenticated attacker to remotely expose assets in your environment susceptible to exploitation which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires user interaction. Atlassian recommends that Confluence Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: * Confluence Data Center and Server 7.19: Upgrade to a release 7.19.18, or any higher 7.19.x release * Confluence Data Center and Server 8.5: Upgrade to a release 8.5.5 or any higher 8.5.x release * Confluence Data Center and Server 8.7: Upgrade to a release 8.7.2 or any higher release See the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html ).

8.8
2024-01-16 CVE-2024-21673 Atlassian Code Injection vulnerability in Atlassian Confluence Data Center and Confluence Server

This High severity Remote Code Execution (RCE) vulnerability was introduced in versions 7.13.0 of Confluence Data Center and Server. Remote Code Execution (RCE) vulnerability, with a CVSS Score of 8.0 and a CVSS Vector of CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H allows an authenticated attacker to expose assets in your environment susceptible to exploitation which has high impact to confidentiality, high impact to integrity, high impact to availability, and does not require user interaction. Atlassian recommends that Confluence Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: * Confluence Data Center and Server 7.19: Upgrade to a release 7.19.18, or any higher 7.19.x release * Confluence Data Center and Server 8.5: Upgrade to a release 8.5.5 or any higher 8.5.x release * Confluence Data Center and Server 8.7: Upgrade to a release 8.7.2 or any higher release See the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html ).

8.8
2024-01-16 CVE-2023-43449 Hummerrisk Code Injection vulnerability in Hummerrisk

An issue in HummerRisk HummerRisk v.1.10 thru 1.4.1 allows an authenticated attacker to execute arbitrary code via a crafted request to the service/LicenseService component.

8.8
2024-01-16 CVE-2023-51059 Mokosmart Unspecified vulnerability in Mokosmart Mkgw1 Gateway Firmware

An issue in MOKO TECHNOLOGY LTD MOKOSmart MKGW1 BLE Gateway v.1.1.1 and before allows a remote attacker to escalate privileges via the session management component of the administrative web interface.

8.8
2024-01-16 CVE-2023-47460 Knovos SQL Injection vulnerability in Knovos Discovery 22.67.0

SQL injection vulnerability in Knovos Discovery v.22.67.0 allows a remote attacker to execute arbitrary code via the /DiscoveryProcess/Service/Admin.svc/getGridColumnStructure component.

8.8
2024-01-15 CVE-2023-6991 Surniaulula Server-Side Request Forgery (SSRF) vulnerability in Surniaulula JSM File GET Contents() Shortcode

The JSM file_get_contents() Shortcode WordPress plugin before 2.7.1 does not validate one of its shortcode's parameters before making a request to it, which could allow users with contributor role and above to perform SSRF attacks.

8.8
2024-01-19 CVE-2024-22424 Linuxfoundation Cross-Site Request Forgery (CSRF) vulnerability in Linuxfoundation Argo-Cd

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes.

8.3
2024-01-16 CVE-2024-20916 Oracle Unspecified vulnerability in Oracle Enterprise Manager 13.5.0.0

Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Event Management).

8.3
2024-01-16 CVE-2023-34063 Vmware Missing Authorization vulnerability in VMWare Aria Automation and Cloud Foundation

Aria Automation contains a Missing Access Control vulnerability. An authenticated malicious actor may exploit this vulnerability leading to unauthorized access to remote organizations and workflows.

8.3
2024-01-19 CVE-2024-23681 Ls1Intum Unspecified vulnerability in Ls1Intum Artemis Java Test Sandbox

Artemis Java Test Sandbox versions before 1.11.2 are vulnerable to a sandbox escape when an attacker loads untrusted libraries using System.load or System.loadLibrary.

8.2
2024-01-19 CVE-2024-23682 Ls1Intum Unspecified vulnerability in Ls1Intum Artemis Java Test Sandbox

Artemis Java Test Sandbox versions before 1.8.0 are vulnerable to a sandbox escape when an attacker includes class files in a package that Ares trusts.

8.2
2024-01-19 CVE-2024-23683 Ls1Intum Unspecified vulnerability in Ls1Intum Artemis Java Test Sandbox

Artemis Java Test Sandbox versions less than 1.7.6 are vulnerable to a sandbox escape when an attacker crafts a special subclass of InvocationTargetException.

8.2
2024-01-19 CVE-2023-50447 Python
Debian
Code Injection vulnerability in multiple products

Pillow through 10.1.0 allows PIL.ImageMath.eval Arbitrary Code Execution via the environment parameter, a different vulnerability than CVE-2022-22817 (which was about the expression parameter).

8.1
2024-01-19 CVE-2023-38738 IBM Storing Passwords in a Recoverable Format vulnerability in IBM Openpages With Watson 9.0

IBM OpenPages with Watson 8.3 and 9.0 could provide weaker than expected security in a OpenPages environment using Native authentication.

8.1
2024-01-16 CVE-2024-22408 Shopware Server-Side Request Forgery (SSRF) vulnerability in Shopware

Shopware is an open headless commerce platform.

8.1
2024-01-16 CVE-2024-21670 Hyperledger Use of a Broken or Risky Cryptographic Algorithm vulnerability in Hyperledger Ursa 0.1.0

Ursa is a cryptographic library for use with blockchains.

8.1
2024-01-16 CVE-2022-3899 3Dprint Project Cross-Site Request Forgery (CSRF) vulnerability in 3Dprint Project 3Dprint

The 3dprint WordPress plugin before 3.5.6.9 does not protect against CSRF attacks in the modified version of Tiny File Manager included with the plugin, allowing an attacker to craft a malicious request that will delete any number of files or directories on the target server by tricking a logged in admin into submitting a form.

8.1
2024-01-15 CVE-2023-5905 Demomentsomtres Missing Authorization vulnerability in Demomentsomtres Export Posts With Images

The DeMomentSomTres WordPress Export Posts With Images WordPress plugin through 20220825 does not check authorization of requests to export the blog data, allowing any logged in user, such as subscribers to export the contents of the blog, including restricted and unpublished posts, as well as passwords of protected posts.

8.1
2024-01-17 CVE-2024-20277 Cisco Unspecified vulnerability in Cisco Thousandeyes Enterprise Agent

A vulnerability in the web-based management interface of Cisco ThousandEyes Enterprise Agent, Virtual Appliance installation type, could allow an authenticated, remote attacker to perform a command injection and elevate privileges to root.

8.0
2024-01-16 CVE-2024-0555 Xantech Cross-Site Request Forgery (CSRF) vulnerability in Xantech Wic1200 Firmware 1.1

A Cross-Site Request Forgery (CSRF) vulnerability has been found on WIC1200, affecting version 1.1.

8.0
2024-01-20 CVE-2024-0521 Paddlepaddle Code Injection vulnerability in Paddlepaddle Paddle

Code Injection in paddlepaddle/paddle

7.8
2024-01-19 CVE-2023-28722 Intel Unspecified vulnerability in Intel products

Improper buffer restrictions for some Intel NUC BIOS firmware before version IN0048 may allow a privileged user to potentially enable escalation of privilege via local access.

7.8
2024-01-19 CVE-2023-28738 Intel Improper Input Validation vulnerability in Intel products

Improper input validation for some Intel NUC BIOS firmware before version JY0070 may allow a privileged user to potentially enable escalation of privilege via local access.

7.8
2024-01-19 CVE-2023-28743 Intel Improper Input Validation vulnerability in Intel products

Improper input validation for some Intel NUC BIOS firmware before version QN0073 may allow a privileged user to potentially enable escalation of privilege via local access.

7.8
2024-01-19 CVE-2023-29244 Intel Incorrect Default Permissions vulnerability in Intel NUC P14E Laptop Element 1.0.0.156/1.1.44/1.1.45

Incorrect default permissions in some Intel Integrated Sensor Hub (ISH) driver for Windows 10 for Intel NUC P14E Laptop Element software installers before version 5.4.1.4479 may allow an authenticated user to potentially enable escalation of privilege via local access.

7.8
2024-01-19 CVE-2023-29495 Intel Improper Input Validation vulnerability in Intel products

Improper input validation for some Intel NUC BIOS firmware before version IN0048 may allow a privileged user to potentially enable escalation of privilege via local access.

7.8
2024-01-19 CVE-2023-38541 Intel Incorrect Permission Assignment for Critical Resource vulnerability in Intel HID Event Filter Driver 2.2.1.372/2.2.2.1

Insecure inherited permissions in some Intel HID Event Filter drivers for Windows 10 for some Intel NUC laptop software installers before version 2.2.2.1 may allow an authenticated user to potentially enable escalation of privilege via local access.

7.8
2024-01-19 CVE-2023-38587 Intel Improper Input Validation vulnerability in Intel products

Improper input validation in some Intel NUC BIOS firmware may allow a privileged user to potentially enable escalation of privilege via local access.

7.8
2024-01-19 CVE-2023-42429 Intel Unspecified vulnerability in Intel products

Improper buffer restrictions in some Intel NUC BIOS firmware may allow a privileged user to potentially enable escalation of privilege via local access.

7.8
2024-01-19 CVE-2023-42766 Intel Improper Input Validation vulnerability in Intel products

Improper input validation in some Intel NUC 8 Compute Element BIOS firmware may allow a privileged user to potentially enable escalation of privilege via local access.

7.8
2024-01-19 CVE-2023-5080 Lenovo Unspecified vulnerability in Lenovo products

A privilege escalation vulnerability was reported in some Lenovo tablet products that could allow local applications access to device identifiers and system commands.

7.8
2024-01-19 CVE-2023-6043 Lenovo Improper Certificate Validation vulnerability in Lenovo Vantage

A privilege escalation vulnerability was reported in Lenovo Vantage that could allow a local attacker to bypass integrity checks and execute arbitrary code with elevated privileges.

7.8
2024-01-19 CVE-2024-22911 Swftools Out-of-bounds Write vulnerability in Swftools 0.9.2

A stack-buffer-underflow vulnerability was found in SWFTools v0.9.2, in the function parseExpression at src/swfc.c:2602.

7.8
2024-01-19 CVE-2024-22912 Swftools Classic Buffer Overflow vulnerability in Swftools 0.9.2

A global-buffer-overflow was found in SWFTools v0.9.2, in the function countline at swf5compiler.flex:327.

7.8
2024-01-19 CVE-2024-22913 Swftools Out-of-bounds Write vulnerability in Swftools 0.9.2

A heap-buffer-overflow was found in SWFTools v0.9.2, in the function swf5lex at lex.swf5.c:1321.

7.8
2024-01-19 CVE-2024-22915 Swftools Use After Free vulnerability in Swftools 0.9.2

A heap-use-after-free was found in SWFTools v0.9.2, in the function swf_DeleteTag at rfxswf.c:1193.

7.8
2024-01-19 CVE-2024-22919 Swftools Classic Buffer Overflow vulnerability in Swftools 0.9.2

swftools0.9.2 was discovered to contain a global-buffer-overflow vulnerability via the function parseExpression at swftools/src/swfc.c:2587.

7.8
2024-01-19 CVE-2024-22955 Swftools Out-of-bounds Write vulnerability in Swftools 0.9.2

swftools 0.9.2 was discovered to contain a stack-buffer-underflow vulnerability via the function parseExpression at swftools/src/swfc.c:2576.

7.8
2024-01-19 CVE-2024-22956 Swftools Use After Free vulnerability in Swftools 0.9.2

swftools 0.9.2 was discovered to contain a heap-use-after-free vulnerability via the function removeFromTo at swftools/src/swfc.c:838

7.8
2024-01-19 CVE-2024-22562 Swftools Out-of-bounds Write vulnerability in Swftools 0.9.2

swftools 0.9.2 was discovered to contain a Stack Buffer Underflow via the function dict_foreach_keyvalue at swftools/lib/q.c.

7.8
2024-01-19 CVE-2024-22920 Swftools Use After Free vulnerability in Swftools 0.9.2

swftools 0.9.2 was discovered to contain a heap-use-after-free via the function bufferWriteData in swftools/lib/action/compile.c.

7.8
2024-01-18 CVE-2023-43815 Deltaww Classic Buffer Overflow vulnerability in Deltaww Dopsoft 2.00.07

A buffer overflow vulnerability exists in Delta Electronics Delta Industrial Automation DOPSoft version 2 when parsing the wScreenDESCTextLen field of a DPS file.

7.8
2024-01-18 CVE-2023-43816 Deltaww Classic Buffer Overflow vulnerability in Deltaww Dopsoft 2.00.07

A buffer overflow vulnerability exists in Delta Electronics Delta Industrial Automation DOPSoft version 2 when parsing the wKPFStringLen field of a DPS file.

7.8
2024-01-18 CVE-2023-43817 Deltaww Classic Buffer Overflow vulnerability in Deltaww Dopsoft 2.00.07

A buffer overflow exists in Delta Electronics Delta Industrial Automation DOPSoft version 2 when parsing the wMailContentLen field of a DPS file.

7.8
2024-01-18 CVE-2023-43818 Deltaww Classic Buffer Overflow vulnerability in Deltaww Dopsoft 2.00.07

A buffer overflow exists in Delta Electronics Delta Industrial Automation DOPSoft.

7.8
2024-01-18 CVE-2023-43819 Deltaww Classic Buffer Overflow vulnerability in Deltaww Dopsoft 2.00.07

A stack based buffer overflow exists in Delta Electronics Delta Industrial Automation DOPSoft when parsing the InitialMacroLen field of a DPS file.

7.8
2024-01-18 CVE-2023-43820 Deltaww Classic Buffer Overflow vulnerability in Deltaww Dopsoft 2.00.07

A stack based buffer overflow exists in Delta Electronics Delta Industrial Automation DOPSoft when parsing the wLogTitlesPrevValueLen field of a DPS file.

7.8
2024-01-18 CVE-2023-43821 Deltaww Classic Buffer Overflow vulnerability in Deltaww Dopsoft 2.00.07

A stack based buffer overflow exists in Delta Electronics Delta Industrial Automation DOPSoft when parsing the wLogTitlesActionLen field of a DPS file.

7.8
2024-01-18 CVE-2023-43822 Deltaww Classic Buffer Overflow vulnerability in Deltaww Dopsoft 2.00.07

A stack based buffer overflow exists in Delta Electronics Delta Industrial Automation DOPSoft when parsing the wLogTitlesTimeLen field of a DPS file.

7.8
2024-01-18 CVE-2023-43823 Deltaww Classic Buffer Overflow vulnerability in Deltaww Dopsoft 2.00.07

A stack based buffer overflow exists in Delta Electronics Delta Industrial Automation DOPSoft when parsing the wTTitleLen field of a DPS file.

7.8
2024-01-18 CVE-2023-43824 Deltaww Classic Buffer Overflow vulnerability in Deltaww Dopsoft 2.00.07

A stack based buffer overflow exists in Delta Electronics Delta Industrial Automation DOPSoft when parsing the wTitleTextLen field of a DPS file.

7.8
2024-01-18 CVE-2024-0409 X ORG
Tigervnc
Redhat
Fedoraproject
Out-of-bounds Write vulnerability in multiple products

A flaw was found in the X.Org server.

7.8
2024-01-18 CVE-2021-33631 Huawei Integer Overflow or Wraparound vulnerability in Huawei Openeuler 4.19.90/5.10.060.18.0

Integer Overflow or Wraparound vulnerability in openEuler kernel on Linux (filesystem modules) allows Forced Integer Overflow.This issue affects openEuler kernel: from 4.19.90 before 4.19.90-2401.3, from 5.10.0-60.18.0 before 5.10.0-183.0.0.

7.8
2024-01-18 CVE-2024-0654 Iperov Deserialization of Untrusted Data vulnerability in Iperov Deepfacelab Df.Wf.288Res.384.92.72.22

A vulnerability, which was classified as problematic, was found in DeepFaceLab pretrained DF.wf.288res.384.92.72.22.

7.8
2024-01-17 CVE-2024-22410 Gluwa Untrusted Search Path vulnerability in Gluwa Creditcoin

Creditcoin is a network that enables cross-blockchain credit transactions.

7.8
2024-01-17 CVE-2024-0646 Linux
Redhat
Out-of-bounds Write vulnerability in multiple products

An out-of-bounds memory write flaw was found in the Linux kernel’s Transport Layer Security functionality in how a user calls a function splice with a ktls socket as the destination.

7.8
2024-01-17 CVE-2024-0645 Explorerplusplus Classic Buffer Overflow vulnerability in Explorerplusplus Explorer++ 1.3.5.531

Buffer overflow vulnerability in Explorer++ affecting version 1.3.5.531.

7.8
2024-01-16 CVE-2023-6334 Hypr Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Hypr Workforce Access

Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in HYPR Workforce Access on Windows allows Overflow Buffers.This issue affects Workforce Access: before 8.7.

7.8
2024-01-16 CVE-2023-6335 Hypr Link Following vulnerability in Hypr Workforce Access

Improper Link Resolution Before File Access ('Link Following') vulnerability in HYPR Workforce Access on Windows allows User-Controlled Filename.This issue affects Workforce Access: before 8.7.

7.8
2024-01-16 CVE-2023-6336 Hypr Link Following vulnerability in Hypr Workforce Access

Improper Link Resolution Before File Access ('Link Following') vulnerability in HYPR Workforce Access on MacOS allows User-Controlled Filename.This issue affects Workforce Access: before 8.7.

7.8
2024-01-16 CVE-2024-23347 Facebook Unspecified vulnerability in Facebook Meta Spark Studio

Prior to v176, when opening a new project Meta Spark Studio would execute scripts defined inside of a package.json file included as part of that project.

7.8
2024-01-16 CVE-2022-3604 Crmperks Improper Neutralization of Formula Elements in a CSV File vulnerability in Crmperks Database for Contact Form 7, Wpforms, Elementor Forms

The Contact Form Entries WordPress plugin before 1.3.0 does not validate data when its output in a CSV file, which could lead to CSV injection.

7.8
2024-01-16 CVE-2024-0582 Linux Use After Free vulnerability in Linux Kernel

A memory leak flaw was found in the Linux kernel’s io_uring functionality in how a user registers a buffer ring with IORING_REGISTER_PBUF_RING, mmap() it, and then frees it.

7.8
2024-01-16 CVE-2024-22428 Dell Incorrect Default Permissions vulnerability in Dell EMC Idrac Service Module

Dell iDRAC Service Module, versions 5.2.0.0 and prior, contain an Incorrect Default Permissions vulnerability. It may allow a local unprivileged user to escalate privileges and execute arbitrary code on the affected system.

7.8
2024-01-16 CVE-2023-51257 Jasper Project Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Jasper Project Jasper

An invalid memory write issue in Jasper-Software Jasper v.4.1.1 and before allows a local attacker to execute arbitrary code.

7.8
2024-01-15 CVE-2023-7206 Hornerautomation Out-of-bounds Write vulnerability in Hornerautomation Cscape

In Horner Automation Cscape versions 9.90 SP10 and prior, local attackers are able to exploit this vulnerability if a user opens a malicious CSP file, which would result in execution of arbitrary code on affected installations of Cscape.

7.8
2024-01-15 CVE-2024-0562 Linux
Redhat
Use After Free vulnerability in multiple products

A use-after-free flaw was found in the Linux Kernel.

7.8
2024-01-15 CVE-2024-0315 Fireeye PHP Remote File Inclusion vulnerability in Fireeye Central Management 9.1.1.956704

Remote file inclusion vulnerability in FireEye Central Management affecting version 9.1.1.956704.

7.8
2024-01-15 CVE-2023-42136 Paxtechnology Injection vulnerability in Paxtechnology Paydroid

PAX Android based POS devices with PayDroid_8.1.0_Sagittarius_V11.1.50_20230614 or earlier can allow the execution of arbitrary commands with system account privilege by shell injection starting with a specific word. The attacker must have shell access to the device in order to exploit this vulnerability.

7.8
2024-01-15 CVE-2023-42137 Paxtechnology Link Following vulnerability in Paxtechnology Paydroid

PAX Android based POS devices with PayDroid_8.1.0_Sagittarius_V11.1.50_20230614 or earlier can allow for command execution with high privileges by using malicious symlinks. The attacker must have shell access to the device in order to exploit this vulnerability.

7.8
2024-01-16 CVE-2024-20924 Oracle Unspecified vulnerability in Oracle Audit Vault and Database Firewall

Vulnerability in Oracle Audit Vault and Database Firewall (component: Firewall).

7.6
2024-01-15 CVE-2023-4818 Paxtechnology Injection vulnerability in Paxtechnology Paydroid 7.1.2Aquarius11.1.5020230614

PAX A920 device allows to downgrade bootloader due to a bug in its version check.

7.6
2024-01-21 CVE-2023-52353 ARM Session Fixation vulnerability in ARM Mbed TLS

An issue was discovered in Mbed TLS through 3.5.1.

7.5
2024-01-21 CVE-2024-23744 ARM Unspecified vulnerability in ARM Mbed TLS 3.5.0/3.5.1

An issue was discovered in Mbed TLS 3.5.1.

7.5
2024-01-21 CVE-2024-23732 Embedchain Unspecified vulnerability in Embedchain

The JSON loader in Embedchain before 0.1.57 allows a ReDoS (regular expression denial of service) via a long string to json.py.

7.5
2024-01-20 CVE-2023-51926 Yonyou Unspecified vulnerability in Yonyou Yonbip 323.05

YonBIP v3_23.05 was discovered to contain an arbitrary file read vulnerability via the nc.bs.framework.comn.serv.CommonServletDispatcher component.

7.5
2024-01-19 CVE-2024-0737 Xlightftpd Improper Resource Shutdown or Release vulnerability in Xlightftpd Xlight FTP Server 1.1

A vulnerability classified as problematic was found in Xlightftpd Xlight FTP Server 1.1.

7.5
2024-01-19 CVE-2024-0736 Easy File Sharing FTP Server Project Improper Resource Shutdown or Release vulnerability in Easy File Sharing FTP Server Project Easy File Sharing FTP Server 3.6

A vulnerability classified as problematic has been found in EFS Easy File Sharing FTP 3.6.

7.5
2024-01-19 CVE-2024-23684 Peteroupc Algorithmic Complexity vulnerability in Peteroupc Cbor

Inefficient algorithmic complexity in DecodeFromBytes function in com.upokecenter.cbor Java implementation of Concise Binary Object Representation (CBOR) versions 4.0.0 to 4.5.1 allows an attacker to cause a denial of service by passing a maliciously crafted input.

7.5
2024-01-19 CVE-2023-47035 Etherscan Unspecified vulnerability in Etherscan Reptilian Coin

RPTC 0x3b08c was discovered to not conduct status checks on the parameter tradingOpen.

7.5
2024-01-19 CVE-2024-0731 Pcman FTP Server Project Classic Buffer Overflow vulnerability in Pcman FTP Server Project Pcman FTP Server 2.0.7

A vulnerability has been found in PCMan FTP Server 2.0.7 and classified as problematic.

7.5
2024-01-19 CVE-2024-0732 Pcman FTP Server Project Classic Buffer Overflow vulnerability in Pcman FTP Server Project Pcman FTP Server 2.0.7

A vulnerability was found in PCMan FTP Server 2.0.7 and classified as problematic.

7.5
2024-01-19 CVE-2024-23331 Vitejs Improper Handling of Case Sensitivity vulnerability in Vitejs Vite

Vite is a frontend tooling framework for javascript.

7.5
2024-01-19 CVE-2024-0725 Prosshd Improper Resource Shutdown or Release vulnerability in Prosshd 1.220090726

A vulnerability was found in ProSSHD 1.2 on Windows.

7.5
2024-01-19 CVE-2023-47033 Multisigwallet Project Unspecified vulnerability in Multisigwallet Project Multisigwallet

MultiSigWallet 0xF0C99 was discovered to contain a reentrancy vulnerability via the function executeTransaction.

7.5
2024-01-19 CVE-2023-47034 Uniswapfrontrunbot Project Unspecified vulnerability in Uniswapfrontrunbot Project Uniswapfrontrunbot

A vulnerability in UniswapFrontRunBot 0xdB94c allows attackers to cause financial losses via unspecified vectors.

7.5
2024-01-19 CVE-2024-0723 Freesshd Improper Resource Shutdown or Release vulnerability in Freesshd 1.0.9

A vulnerability was found in freeSSHd 1.0.9 on Windows.

7.5
2024-01-19 CVE-2024-22563 Openvswitch Memory Leak vulnerability in Openvswitch 2.17.8

openvswitch 2.17.8 was discovered to contain a memory leak via the function xmalloc__ in openvswitch-2.17.8/lib/util.c.

7.5
2024-01-19 CVE-2023-51948 Actidata Unspecified vulnerability in Actidata Actinas SL 2U-8 RDX Firmware 3.2.03

A Site-wide directory listing vulnerability in /fm in actidata actiNAS SL 2U-8 RDX 3.2.03-SP1 allows remote attackers to list the files hosted by the web application.

7.5
2024-01-19 CVE-2024-0705 Webtoffee SQL Injection vulnerability in Webtoffee Stripe Payment Plugin for Woocommerce

The Stripe Payment Plugin for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including, 3.7.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.

7.5
2024-01-19 CVE-2024-22422 Mintplexlabs Improper Check for Unusual or Exceptional Conditions vulnerability in Mintplexlabs Anythingllm 0.0.1/0.1.0

AnythingLLM is an application that turns any document, resource, or piece of content into context that any LLM can use as references during chatting.

7.5
2024-01-18 CVE-2024-0693 Easy File Sharing FTP Server Project Improper Resource Shutdown or Release vulnerability in Easy File Sharing FTP Server Project Easy File Sharing FTP Server 2.0

A vulnerability classified as problematic was found in EFS Easy File Sharing FTP 2.0.

7.5
2024-01-18 CVE-2023-50614 Cdebyte Cleartext Transmission of Sensitive Information vulnerability in Cdebyte E880-Ir01 Firmware 1.1

An issue discovereed in EBYTE E880-IR01-V1.1 allows an attacker to obtain sensitive information via crafted POST request to /cgi-bin/luci.

7.5
2024-01-18 CVE-2023-34348 Aveva Improper Handling of Exceptional Conditions vulnerability in Aveva PI Server 2018/2023

AVEVA PI Server versions 2023 and 2018 SP3 P05 and prior contain a vulnerability that could allow an unauthenticated user to remotely crash the PI Message Subsystem of a PI Server, resulting in a denial-of-service condition.

7.5
2024-01-18 CVE-2023-40052 Progress Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Progress Openedge and Openedge Innovation

This issue affects Progress Application Server (PAS) for OpenEdge in versions 11.7 prior to 11.7.18, 12.2 prior to 12.2.13, and innovation releases prior to 12.8.0 .  An attacker who can produce a malformed web request may cause the crash of a PASOE agent potentially disrupting the thread activities of many web application clients.

7.5
2024-01-18 CVE-2024-0580 Idmsistemas Authorization Bypass Through User-Controlled Key vulnerability in Idmsistemas Sinergia 2.0

Omission of user-controlled key authorization in the IDMSistemas platform, affecting the QSige product.

7.5
2024-01-18 CVE-2021-4433 Karjasoft Improper Resource Shutdown or Release vulnerability in Karjasoft Sami Http Server 2.0

A vulnerability was found in Karjasoft Sami HTTP Server 2.0.

7.5
2024-01-17 CVE-2023-6549 Citrix Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Citrix products

Improper Restriction of Operations within the Bounds of a Memory Buffer in NetScaler ADC and NetScaler Gateway allows Unauthenticated Denial of Service and Out-Of-Bounds Memory Read

7.5
2024-01-17 CVE-2023-51740 Skyworthdigital Cleartext Transmission of Sensitive Information vulnerability in Skyworthdigital Cm5100 Firmware 4.1.1.24

This vulnerability exist in Skyworth Router CM5100, version 4.1.1.24, due to transmission of authentication credentials in plaintext over the network.

7.5
2024-01-17 CVE-2023-51741 Skyworthdigital Cleartext Transmission of Sensitive Information vulnerability in Skyworthdigital Cm5100 Firmware 4.1.1.24

This vulnerability exist in Skyworth Router CM5100, version 4.1.1.24, due to transmission of authentication credentials in plaintext over the network.

7.5
2024-01-17 CVE-2023-51742 Skyworthdigital Out-of-bounds Write vulnerability in Skyworthdigital Cm5100 Firmware 4.1.1.24

This vulnerability exist in Skyworth Router CM5100, version 4.1.1.24, due to insufficient validation of user supplied input for the Add Downstream Frequency parameter at its web interface.

7.5
2024-01-17 CVE-2023-51743 Skyworthdigital Out-of-bounds Write vulnerability in Skyworthdigital Cm5100 Firmware 4.1.1.24

This vulnerability exist in Skyworth Router CM5100, version 4.1.1.24, due to insufficient validation of user supplied input for the Set Upstream Channel ID (UCID) parameter at its web interface.

7.5
2024-01-17 CVE-2023-52285 Lrx0014 SQL Injection vulnerability in Lrx0014 Examsys 9150244

ExamSys 9150244 allows SQL Injection via the /Support/action/Pages.php s_score2 parameter.

7.5
2024-01-16 CVE-2024-20932 Oracle
Netapp
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security).
7.5
2024-01-16 CVE-2023-1405 Strategy11 Deserialization of Untrusted Data vulnerability in Strategy11 Formidable Forms

The Formidable Forms WordPress plugin before 6.2 unserializes user input, which could allow anonymous users to perform PHP Object Injection when a suitable gadget is present.

7.5
2024-01-16 CVE-2023-45232 Tianocore Infinite Loop vulnerability in Tianocore Edk2

EDK2's Network Package is susceptible to an infinite loop vulnerability when parsing unknown options in the Destination Options header of IPv6.

7.5
2024-01-16 CVE-2023-45233 Tianocore Infinite Loop vulnerability in Tianocore Edk2

EDK2's Network Package is susceptible to an infinite lop vulnerability when parsing a PadN option in the Destination Options header of IPv6.

7.5
2024-01-16 CVE-2023-45236 Tianocore Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Tianocore Edk2

EDK2's Network Package is susceptible to a predictable TCP Initial Sequence Number.

7.5
2024-01-16 CVE-2023-45237 Tianocore Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Tianocore Edk2

EDK2's Network Package is susceptible to a predictable TCP Initial Sequence Number.

7.5
2024-01-16 CVE-2023-4703 ALL IN ONE B2B FOR Woocommerce Project Unspecified vulnerability in ALL in ONE B2B for Woocommerce Project ALL in ONE B2B for Woocommerce 1.0.3

The All in One B2B for WooCommerce WordPress plugin through 1.0.3 does not properly validate parameters when updating user details, allowing an unauthenticated attacker to update the details of any user.

7.5
2024-01-16 CVE-2023-5922 Royal Elementor Addons Unspecified vulnerability in Royal-Elementor-Addons Royal Elementor Addons

The Royal Elementor Addons and Templates WordPress plugin before 1.3.81 does not ensure that users accessing posts via an AJAX action (and REST endpoint, currently disabled in the plugin) have the right to do so, allowing unauthenticated users to access arbitrary draft, private and password protected posts/pages content

7.5
2024-01-16 CVE-2021-4432 Pcman FTP Server Project Improper Resource Shutdown or Release vulnerability in Pcman FTP Server Project Pcman FTP Server 2.0.7

A vulnerability was found in PCMan FTP Server 2.0.7.

7.5
2024-01-16 CVE-2024-0567 GNU
Fedoraproject
Netapp
Debian
Improper Verification of Cryptographic Signature vulnerability in multiple products

A vulnerability was found in GnuTLS, where a cockpit (which uses gnuTLS) rejects a certificate chain with distributed trust.

7.5
2024-01-16 CVE-2024-0553 GNU
Fedoraproject
Redhat
Information Exposure Through Discrepancy vulnerability in multiple products

A vulnerability was found in GnuTLS.

7.5
2024-01-16 CVE-2023-52099 Huawei Unspecified vulnerability in Huawei Emui and Harmonyos

Vulnerability of foreground service restrictions being bypassed in the NMS module.

7.5
2024-01-16 CVE-2023-52100 Huawei Unspecified vulnerability in Huawei Harmonyos 4.0.0

The Celia Keyboard module has a vulnerability in access control.

7.5
2024-01-16 CVE-2023-52102 Huawei Unspecified vulnerability in Huawei Emui and Harmonyos

Vulnerability of parameters being not verified in the WMS module.

7.5
2024-01-16 CVE-2023-52104 Huawei Unspecified vulnerability in Huawei Emui and Harmonyos

Vulnerability of parameters being not verified in the WMS module.

7.5
2024-01-16 CVE-2023-52105 Huawei Improper Privilege Management vulnerability in Huawei Harmonyos 4.0.0

The nearby module has a privilege escalation vulnerability.

7.5
2024-01-16 CVE-2023-52098 Huawei Resource Exhaustion vulnerability in Huawei Emui and Harmonyos

Denial of Service (DoS) vulnerability in the DMS module.

7.5
2024-01-16 CVE-2023-52107 Huawei Incorrect Permission Assignment for Critical Resource vulnerability in Huawei Emui and Harmonyos

Vulnerability of permissions being not strictly verified in the WMS module.

7.5
2024-01-16 CVE-2023-52108 Huawei Unspecified vulnerability in Huawei Emui and Harmonyos

Vulnerability of process priorities being raised in the ActivityManagerService module.

7.5
2024-01-16 CVE-2023-52114 Huawei Unspecified vulnerability in Huawei Emui and Harmonyos

Data confidentiality vulnerability in the ScreenReader module.

7.5
2024-01-16 CVE-2023-52115 Huawei Use After Free vulnerability in Huawei Harmonyos 4.0.0

The iaware module has a Use-After-Free (UAF) vulnerability.

7.5
2024-01-16 CVE-2023-52116 Huawei Incorrect Permission Assignment for Critical Resource vulnerability in Huawei Emui and Harmonyos

Permission management vulnerability in the multi-screen interaction module.

7.5
2024-01-16 CVE-2023-44112 Huawei Out-of-bounds Read vulnerability in Huawei Emui and Harmonyos

Out-of-bounds access vulnerability in the device authentication module.

7.5
2024-01-16 CVE-2023-44117 Huawei Unspecified vulnerability in Huawei Emui and Harmonyos

Vulnerability of trust relationships being inaccurate in distributed scenarios.

7.5
2024-01-16 CVE-2023-4566 Huawei Unspecified vulnerability in Huawei Emui and Harmonyos

Vulnerability of trust relationships being inaccurate in distributed scenarios.

7.5
2024-01-16 CVE-2023-52109 Huawei Unspecified vulnerability in Huawei Emui and Harmonyos

Vulnerability of trust relationships being inaccurate in distributed scenarios.

7.5
2024-01-16 CVE-2023-52110 Huawei Out-of-bounds Write vulnerability in Huawei Harmonyos 4.0.0

The sensor module has an out-of-bounds access vulnerability.Successful exploitation of this vulnerability may affect availability.

7.5
2024-01-16 CVE-2023-52111 Huawei Incorrect Authorization vulnerability in Huawei Emui and Harmonyos

Authorization vulnerability in the BootLoader module.

7.5
2024-01-16 CVE-2023-52113 Huawei Unspecified vulnerability in Huawei Emui and Harmonyos

launchAnyWhere vulnerability in the ActivityManagerService module.

7.5
2024-01-16 CVE-2024-21674 Atlassian Code Injection vulnerability in Atlassian Confluence Data Center and Confluence Server

This High severity Remote Code Execution (RCE) vulnerability was introduced in version 7.13.0 of Confluence Data Center and Server. Remote Code Execution (RCE) vulnerability, with a CVSS Score of 8.6 and a CVSS Vector of CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N allows an unauthenticated attacker to expose assets in your environment susceptible to exploitation which has high impact to confidentiality, no impact to integrity, no impact to availability, and does not require user interaction. Atlassian recommends that Confluence Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: * Confluence Data Center and Server 7.19: Upgrade to a release 7.19.18, or any higher 7.19.x release * Confluence Data Center and Server 8.5: Upgrade to a release 8.5.5 or any higher 8.5.x release * Confluence Data Center and Server 8.7: Upgrade to a release 8.7.2 or any higher release See the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html ).

7.5
2024-01-16 CVE-2024-22362 Drupal Unspecified vulnerability in Drupal 9.3.6

Drupal contains a vulnerability with improper handling of structural elements.

7.5
2024-01-16 CVE-2023-51282 Mingsoft Code Injection vulnerability in Mingsoft Mcms 5.2.4

An issue in mingSoft MCMS v.5.2.4 allows a a remote attacker to obtain sensitive information via a crafted script to the password parameter.

7.5
2024-01-16 CVE-2023-49106 Hitachi Insufficiently Protected Credentials vulnerability in Hitachi Device Manager

Missing Password Field Masking vulnerability in Hitachi Device Manager on Windows, Linux (Device Manager Agent component).This issue affects Hitachi Device Manager: before 8.8.5-04.

7.5
2024-01-16 CVE-2023-49107 Hitachi Information Exposure Through an Error Message vulnerability in Hitachi Device Manager

Generation of Error Message Containing Sensitive Information vulnerability in Hitachi Device Manager on Windows, Linux (Device Manager Agent modules).This issue affects Hitachi Device Manager: before 8.8.5-04.

7.5
2024-01-16 CVE-2023-51810 Stackideas SQL Injection vulnerability in Stackideas Easydiscuss

SQL injection vulnerability in StackIdeas EasyDiscuss v.5.0.5 and fixed in v.5.0.10 allows a remote attacker to obtain sensitive information via a crafted request to the search parameter in the Users module.

7.5
2024-01-15 CVE-2023-6029 Spider Themes Missing Authorization vulnerability in Spider-Themes Eazydocs

The EazyDocs WordPress plugin before 2.3.6 does not have authorization and CSRF checks when handling documents and does not ensure that they are documents from the plugin, allowing unauthenticated users to delete arbitrary posts, as well as add and delete documents/sections.

7.5
2024-01-15 CVE-2024-0316 Fireeye Improper Cleanup on Thrown Exception vulnerability in Fireeye Endpoint Security 5.2.0.958244

Improper cleanup vulnerability in exceptions thrown in FireEye Endpoint Security, affecting version 5.2.0.958244.

7.5
2024-01-15 CVE-2023-5253 Nozominetworks Missing Authentication for Critical Function vulnerability in Nozominetworks CMC and Guardian

A missing authentication check in the WebSocket channel used for the Check Point IoT integration in Nozomi Networks Guardian and CMC, may allow an unauthenticated attacker to obtain assets data without authentication. Malicious unauthenticated users with knowledge on the underlying system may be able to extract asset information.

7.5
2024-01-15 CVE-2024-0547 Codecrafters Improper Resource Shutdown or Release vulnerability in Codecrafters Ability FTP Server 2.34

A vulnerability has been found in Ability FTP Server 2.34 and classified as problematic.

7.5
2024-01-15 CVE-2024-0548 Freefloat FTP Server Project Improper Resource Shutdown or Release vulnerability in Freefloat FTP Server Project Freefloat FTP Server 1.0

A vulnerability was found in FreeFloat FTP Server 1.0 and classified as problematic.

7.5
2024-01-15 CVE-2024-0543 Codeastro SQL Injection vulnerability in Codeastro Real Estate Management System

A vulnerability classified as critical has been found in CodeAstro Real Estate Management System up to 1.0.

7.5
2024-01-15 CVE-2024-0546 Easyftp Improper Resource Shutdown or Release vulnerability in Easyftp 1.7.0

A vulnerability, which was classified as problematic, has been found in EasyFTP 1.7.0.

7.5
2024-01-15 CVE-2023-48383 Netvision Path Traversal vulnerability in Netvision Airpass 2.9.0.200703

NetVision Information airPASS has a path traversal vulnerability within its parameter in a specific URL.

7.5
2024-01-16 CVE-2023-21901 Oracle Unspecified vulnerability in Oracle Financial Services Analytical Applications Infrastructure

Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure product of Oracle Financial Services Applications (component: Infrastructure).

7.4
2024-01-16 CVE-2024-20918 Oracle
Debian
Netapp
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot).
7.4
2024-01-16 CVE-2024-20952 Oracle
Netapp
Debian
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security).
7.4
2024-01-15 CVE-2024-0565 Linux
Netapp
Integer Underflow (Wrap or Wraparound) vulnerability in multiple products

An out-of-bounds memory read flaw was found in receive_encrypted_standard in fs/smb/client/smb2ops.c in the SMB Client sub-component in the Linux Kernel.

7.4
2024-01-19 CVE-2023-49329 Anomali OS Command Injection vulnerability in Anomali Match 4.3/4.5.0/4.6.0

Anomali Match before 4.6.2 allows OS Command Injection.

7.2
2024-01-19 CVE-2022-45083 Properfraction Deserialization of Untrusted Data vulnerability in Properfraction Profilepress

Deserialization of Untrusted Data vulnerability in ProfilePress Membership Team Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress.This issue affects Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress: from n/a through 4.3.2.

7.2
2024-01-18 CVE-2023-6184 Citrix Cross-site Scripting vulnerability in Citrix Virtual Apps and Desktops

Cross SiteScripting vulnerability in Citrix Session Recording allows attacker to perform Cross Site Scripting

7.2
2024-01-18 CVE-2024-0651 Phpgurukul SQL Injection vulnerability in PHPgurukul Company Visitor Management System 1.0

A vulnerability was found in PHPGurukul Company Visitor Management System 1.0.

7.2
2024-01-17 CVE-2023-20258 Cisco Unspecified vulnerability in Cisco Prime Infrastructure

A vulnerability in the web-based management interface of Cisco Prime Infrastructure could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system.

7.2
2024-01-17 CVE-2024-20287 Cisco Command Injection vulnerability in Cisco Wap371 Firmware

A vulnerability in the web-based management interface of the Cisco WAP371 Wireless-AC/N Dual Radio Access Point (AP) with Single Point Setup could allow an authenticated, remote attacker to perform command injection attacks against an affected device.

7.2
2024-01-16 CVE-2024-22625 Campcodes SQL Injection vulnerability in Campcodes Supplier Management System 1.0

Complete Supplier Management System v1.0 is vulnerable to SQL Injection via /Supply_Management_System/admin/edit_category.php?id=.

7.2
2024-01-16 CVE-2024-22626 Campcodes SQL Injection vulnerability in Campcodes Supplier Management System 1.0

Complete Supplier Management System v1.0 is vulnerable to SQL Injection via /Supply_Management_System/admin/edit_retailer.php?id=.

7.2
2024-01-16 CVE-2024-22627 Campcodes SQL Injection vulnerability in Campcodes Supplier Management System 1.0

Complete Supplier Management System v1.0 is vulnerable to SQL Injection via /Supply_Management_System/admin/edit_distributor.php?id=.

7.2
2024-01-16 CVE-2024-22628 Oretnom23 SQL Injection vulnerability in Oretnom23 Budget and Expense Tracker System 1.0

Budget and Expense Tracker System v1.0 is vulnerable to SQL Injection via /expense_budget/admin/?page=reports/budget&date_start=2023-12-28&date_end=

7.2
2024-01-16 CVE-2021-24151 Benjaminrojas SQL Injection vulnerability in Benjaminrojas WP Editor

The WP Editor WordPress plugin before 1.2.7 did not sanitise or validate its setting fields leading to an authenticated (admin+) blind SQL injection issue via an arbitrary parameter when making a request to save the settings.

7.2
2024-01-16 CVE-2022-1538 Themely Unrestricted Upload of File with Dangerous Type vulnerability in Themely Theme Demo Import

Theme Demo Import WordPress plugin before 1.1.1 does not validate the imported file, allowing high-privilege users such as admin to upload arbitrary files (such as PHP) even when FILE_MODS and FILE_EDIT are disallowed.

7.2
2024-01-16 CVE-2022-3764 Wpvibes SQL Injection vulnerability in Wpvibes Form Vibes

The plugin does not filter the "delete_entries" parameter from user requests, leading to an SQL Injection vulnerability.

7.2
2024-01-16 CVE-2023-2655 WEB Dorado SQL Injection vulnerability in Web-Dorado Contact Form Maker

The Contact Form by WD WordPress plugin through 1.13.23 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin

7.2
2024-01-16 CVE-2023-4797 Tribulant Command Injection vulnerability in Tribulant Newsletters

The Newsletters WordPress plugin before 4.9.3 does not properly escape user-controlled parameters when they are appended to SQL queries and shell commands, which could enable an administrator to run arbitrary commands on the server.

7.2
2024-01-15 CVE-2024-0558 Dedebiz SQL Injection vulnerability in Dedebiz 6.3.0

A vulnerability has been found in DedeBIZ 6.3.0 and classified as critical.

7.2
2024-01-15 CVE-2023-6620 Wpexperts SQL Injection vulnerability in Wpexperts Post Smtp Mailer

The POST SMTP Mailer WordPress plugin before 2.8.7 does not properly sanitise and escape several parameters before using them in SQL statements, leading to a SQL injection exploitable by high privilege users such as admin.

7.2
2024-01-15 CVE-2024-0533 Tenda Out-of-bounds Write vulnerability in Tenda A15 Firmware 15.13.07.13

A vulnerability was found in Tenda A15 15.13.07.13.

7.2
2024-01-15 CVE-2024-0534 Tenda Out-of-bounds Write vulnerability in Tenda A15 Firmware 15.13.07.13

A vulnerability classified as critical has been found in Tenda A15 15.13.07.13.

7.2
2024-01-15 CVE-2024-0531 Tenda Out-of-bounds Write vulnerability in Tenda A15 Firmware 15.13.07.13

A vulnerability was found in Tenda A15 15.13.07.13.

7.2
2024-01-15 CVE-2024-0532 Tenda Out-of-bounds Write vulnerability in Tenda A15 Firmware 15.13.07.13

A vulnerability was found in Tenda A15 15.13.07.13.

7.2
2024-01-21 CVE-2024-0770 Echa Europa Incorrect Default Permissions vulnerability in Echa.Europa Iuclid 7.10.3

A vulnerability, which was classified as critical, was found in European Chemicals Agency IUCLID 7.10.3 on Windows.

7.1
2024-01-18 CVE-2024-0669 Plone Improper Restriction of Rendered UI Layers or Frames vulnerability in Plone

A Cross-Frame Scripting vulnerability has been found on Plone CMS affecting verssion below 6.0.5.

7.1
2024-01-17 CVE-2024-0396 Progress Unspecified vulnerability in Progress Moveit Transfer

In Progress MOVEit Transfer versions released before 2022.0.10 (14.0.10), 2022.1.11 (14.1.11), 2023.0.8 (15.0.8), 2023.1.3 (15.1.3), an input validation issue was discovered.

7.1
2024-01-16 CVE-2023-6457 Hitachi Incorrect Default Permissions vulnerability in Hitachi Tuning Manager

Incorrect Default Permissions vulnerability in Hitachi Tuning Manager on Windows (Hitachi Tuning Manager server component) allows local users to read and write specific files.This issue affects Hitachi Tuning Manager: before 8.8.5-04.

7.1
2024-01-21 CVE-2023-6531 Linux
Redhat
Use After Free vulnerability in multiple products

A use-after-free flaw was found in the Linux Kernel due to a race problem in the unix garbage collector's deletion of SKB races with unix_stream_read_generic() on the socket that the SKB is queued on.

7.0

268 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2024-01-19 CVE-2024-23332 Notaryproject Operation on a Resource after Expiration or Release vulnerability in Notaryproject Notation-Go

The Notary Project is a set of specifications and tools intended to provide a cross-industry standard for securing software supply chains by using authentic container images and other OCI artifacts.

6.8
2024-01-19 CVE-2023-6044 Lenovo Authentication Bypass by Spoofing vulnerability in Lenovo Vantage

A privilege escalation vulnerability was reported in Lenovo Vantage that could allow a local attacker with physical access to impersonate Lenovo Vantage Service and execute arbitrary code with elevated privileges.

6.8
2024-01-15 CVE-2023-42134 Paxtechnology Unspecified vulnerability in Paxtechnology Paydroid

PAX Android based POS devices with PayDroid_8.1.0_Sagittarius_V11.1.45_20230314 or earlier can allow the signed partition overwrite and subsequently local code execution via hidden command. The attacker must have physical USB access to the device in order to exploit this vulnerability.

6.8
2024-01-15 CVE-2023-42135 Paxtechnology Injection vulnerability in Paxtechnology Paydroid

PAX A920Pro/A50 devices with PayDroid_8.1.0_Sagittarius_V11.1.50_20230614 or earlier can allow local code execution via parameter injection by bypassing the input validation when flashing a specific partition.

6.8
2024-01-15 CVE-2023-4001 GNU
Redhat
Fedoraproject
Authentication Bypass by Spoofing vulnerability in multiple products

An authentication bypass flaw was found in GRUB due to the way that GRUB uses the UUID of a device to search for the configuration file that contains the password hash for the GRUB password protection feature.

6.8
2024-01-17 CVE-2023-20260 Cisco Argument Injection or Modification vulnerability in Cisco Prime Infrastructure

A vulnerability in the application CLI of Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager could allow an authenticated, local attacker to gain escalated privileges.

6.7
2024-01-18 CVE-2024-0607 Linux
Fedoraproject
Redhat
A flaw was found in the Netfilter subsystem in the Linux kernel.
6.6
2024-01-20 CVE-2024-0679 Themegrill Missing Authorization vulnerability in Themegrill Colormag

The ColorMag theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the plugin_action_callback() function in all versions up to, and including, 3.1.2.

6.5
2024-01-19 CVE-2024-22421 Jupyter
Fedoraproject
Relative Path Traversal vulnerability in multiple products

JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook and Architecture.

6.5
2024-01-19 CVE-2023-33295 Cohesity Unspecified vulnerability in Cohesity Dataplatform

Cohesity DataProtect prior to 6.8.1_u5 or 7.1 was discovered to have a incorrect access control vulnerability due to a lack of TLS Certificate Validation.

6.5
2024-01-19 CVE-2022-47160 Wpmet Unspecified vulnerability in Wpmet WP Social Login and Register Social Counter

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wpmet Wp Social Login and Register Social Counter.This issue affects Wp Social Login and Register Social Counter: from n/a through 1.9.0.

6.5
2024-01-18 CVE-2024-23525 Tozt XXE vulnerability in Tozt Spreadsheet::Parsexlsx

The Spreadsheet::ParseXLSX package before 0.30 for Perl allows XXE attacks because it neglects to use the no_xxe option of XML::Twig.

6.5
2024-01-17 CVE-2022-41619 Sedlex Missing Authorization vulnerability in Sedlex Image Zoom

Missing Authorization vulnerability in SedLex Image Zoom.This issue affects Image Zoom: from n/a through 1.8.8.

6.5
2024-01-17 CVE-2022-41695 Sedlex Missing Authorization vulnerability in Sedlex Traffic Manager 1.4.5

Missing Authorization vulnerability in SedLex Traffic Manager.This issue affects Traffic Manager: from n/a through 1.4.5.

6.5
2024-01-17 CVE-2023-20271 Cisco SQL Injection vulnerability in Cisco Prime Infrastructure

A vulnerability in the web-based management interface of Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager (EPNM) could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system.

6.5
2024-01-17 CVE-2022-38141 Zorem Missing Authorization vulnerability in Zorem Sales Report Email for Woocommerce

Missing Authorization vulnerability in Zorem Sales Report Email for WooCommerce.This issue affects Sales Report Email for WooCommerce: from n/a through 2.8.

6.5
2024-01-17 CVE-2023-5006 Sarveshmrao Cross-Site Request Forgery (CSRF) vulnerability in Sarveshmrao WP Discord Invite

The WP Discord Invite WordPress plugin before 2.5.1 does not protect some of its actions against CSRF attacks, allowing an unauthenticated attacker to perform actions on their behalf by tricking a logged in administrator to submit a crafted request.

6.5
2024-01-17 CVE-2024-0405 Burst Statistics SQL Injection vulnerability in Burst-Statistics Burst Statistics

The Burst Statistics – Privacy-Friendly Analytics for WordPress plugin, version 1.5.3, is vulnerable to Post-Authenticated SQL Injection via multiple JSON parameters in the /wp-json/burst/v1/data/compare endpoint.

6.5
2024-01-17 CVE-2023-36235 Webkul Authorization Bypass Through User-Controlled Key vulnerability in Webkul Qloapps

An issue in webkul qloapps before v1.6.0 allows an attacker to obtain sensitive information via the id_order parameter.

6.5
2024-01-16 CVE-2024-22407 Shopware Improper Access Control vulnerability in Shopware

Shopware is an open headless commerce platform.

6.5
2024-01-16 CVE-2024-0601 Zhongfucheng3Y Server-Side Request Forgery (SSRF) vulnerability in Zhongfucheng3Y Austin 1.0

A vulnerability was found in ZhongFuCheng3y Austin 1.0.

6.5
2024-01-16 CVE-2024-20961 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).
6.5
2024-01-16 CVE-2024-20963 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Encryption).
6.5
2024-01-16 CVE-2024-20973 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).
6.5
2024-01-16 CVE-2024-20975 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).
6.5
2024-01-16 CVE-2024-20977 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).
6.5
2024-01-16 CVE-2024-20985 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: UDF).
6.5
2024-01-16 CVE-2024-22192 Hyperledger Use of a Broken or Risky Cryptographic Algorithm vulnerability in Hyperledger Ursa 0.1.0

Ursa is a cryptographic library for use with blockchains.

6.5
2024-01-16 CVE-2023-4969 Khronos
Imaginationtech
AMD
Memory Leak vulnerability in multiple products

A GPU kernel can read sensitive data from another GPU kernel (even from another user or app) through an optimized GPU memory region called _local memory_ on various architectures.

6.5
2024-01-16 CVE-2023-0824 Wpuserplus Cross-Site Request Forgery (CSRF) vulnerability in Wpuserplus Userplus

The User registration & user profile WordPress plugin through 2.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged-in admin add Stored XSS payloads via a CSRF attack.

6.5
2024-01-16 CVE-2023-45229 Tianocore Out-of-bounds Read vulnerability in Tianocore Edk2

EDK2's Network Package is susceptible to an out-of-bounds read vulnerability when processing the IA_NA or IA_TA option in a DHCPv6 Advertise message.

6.5
2024-01-16 CVE-2023-45231 Tianocore Out-of-bounds Read vulnerability in Tianocore Edk2

EDK2's Network Package is susceptible to an out-of-bounds read vulnerability when processing  Neighbor Discovery Redirect message.

6.5
2024-01-16 CVE-2023-6824 Marvinlabs Unspecified vulnerability in Marvinlabs WP Customer Area

The WP Customer Area WordPress plugin before 8.2.1 does not properly validates user capabilities in some of its AJAX actions, allowing any users to retrieve other user's account address.

6.5
2024-01-16 CVE-2024-0556 Xantech Weak Cryptography for Passwords vulnerability in Xantech Wic1200 Firmware 1.1

A Weak Cryptography for Passwords vulnerability has been detected on WIC200 affecting version 1.1.

6.5
2024-01-16 CVE-2023-47459 Knovos Unspecified vulnerability in Knovos Discovery 22.67.0

An issue in Knovos Discovery v.22.67.0 allows a remote attacker to obtain sensitive information via the /DiscoveryReview/Service/CaseManagement.svc/GetProductSiteName component.

6.5
2024-01-15 CVE-2023-6048 Estatik Missing Authorization vulnerability in Estatik

The Estatik Real Estate Plugin WordPress plugin before 4.1.1 does not prevent user with low privileges on the site, like subscribers, from setting any of the site's options to 1, which could be used to break sites and lead to DoS when certain options are reset

6.5
2024-01-15 CVE-2023-46749 Apache Path Traversal vulnerability in Apache Shiro

Apache Shiro before 1.13.0 or 2.0.0-alpha-4, may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+, or ensure `blockSemicolon` is enabled (this is the default).

6.5
2024-01-15 CVE-2023-50290 Apache Unspecified vulnerability in Apache Solr

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Solr. The Solr Metrics API publishes all unprotected environment variables available to each Apache Solr instance.

6.5
2024-01-16 CVE-2024-20930 Oracle Unspecified vulnerability in Oracle Outside in Technology 8.5.6

Vulnerability in the Oracle Outside In Technology product of Oracle Fusion Middleware (component: Content Access SDK, Image Export SDK, PDF Export SDK, HTML Export SDK).

6.3
2024-01-21 CVE-2016-15037 Go4Rayyan Cross-site Scripting vulnerability in Go4Rayyan Scumblr

A vulnerability, which was classified as problematic, has been found in go4rayyan Scumblr up to 2.0.1a.

6.1
2024-01-21 CVE-2024-23725 Ghost Cross-site Scripting vulnerability in Ghost

Ghost before 5.76.0 allows XSS via a post excerpt in excerpt.js.

6.1
2024-01-20 CVE-2023-7063 Wpforms Cross-site Scripting vulnerability in Wpforms

The WPForms Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form submission parameters in all versions up to, and including, 1.8.5.3 due to insufficient input sanitization and output escaping.

6.1
2024-01-19 CVE-2024-0758 IPB Halle Cross-site Scripting vulnerability in Ipb-Halle Molecularfaces

MolecularFaces before 0.3.0 is vulnerable to cross site scripting.

6.1
2024-01-19 CVE-2024-22420 Jupyter
Fedoraproject
Cross-site Scripting vulnerability in multiple products

JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook and Architecture.

6.1
2024-01-19 CVE-2024-0726 Yugeshverma Cross-site Scripting vulnerability in Yugeshverma Student Project Allocation System 1.0

A vulnerability was found in Project Worlds Student Project Allocation System 1.0.

6.1
2024-01-19 CVE-2024-0720 Factominer Cross-site Scripting vulnerability in Factominer Factoinvestigate 1.9

A vulnerability, which was classified as problematic, was found in FactoMineR FactoInvestigate up to 1.9.

6.1
2024-01-19 CVE-2024-0721 Jspxcms Cross-site Scripting vulnerability in Jspxcms 10.2.0

A vulnerability has been found in Jspxcms 10.2.0 and classified as problematic.

6.1
2024-01-19 CVE-2023-51946 Actidata Cross-site Scripting vulnerability in Actidata Actinas SL 2U-8 RDX Firmware 3.2.03

Multiple reflected cross-site scripting (XSS) vulnerabilities in nasSvr.php in actidata actiNAS-SL-2U-8 3.2.03-SP1 allow remote attackers to inject arbitrary web script or HTML.

6.1
2024-01-19 CVE-2024-23659 Spip Cross-site Scripting vulnerability in Spip

SPIP before 4.1.14 and 4.2.x before 4.2.8 allows XSS via the name of an uploaded file.

6.1
2024-01-18 CVE-2024-0696 Atrocore Cross-site Scripting vulnerability in Atrocore Atropim 1.8.4

A vulnerability, which was classified as problematic, was found in AtroCore AtroPIM 1.8.4.

6.1
2024-01-18 CVE-2024-22400 Nextcloud Open Redirect vulnerability in Nextcloud SSO & Saml Authentication

Nextcloud User Saml is an app for authenticating Nextcloud users using SAML.

6.1
2024-01-18 CVE-2023-7153 Macroturk Cross-site Scripting vulnerability in Macroturk Macro-Bel

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Macroturk Software and Internet Technologies Macro-Bel allows Reflected XSS.This issue affects Macro-Bel: before V.1.0.1.

6.1
2024-01-18 CVE-2023-6970 Bootstrapped Cross-site Scripting vulnerability in Bootstrapped WP Recipe Maker

The WP Recipe Maker plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘Referer' header in all versions up to, and including, 9.1.0 due to insufficient input sanitization and output escaping.

6.1
2024-01-18 CVE-2024-0650 Oretnom23 Cross-site Scripting vulnerability in Oretnom23 Visitor Management System 1.0

A vulnerability was found in Project Worlds Visitor Management System 1.0.

6.1
2024-01-17 CVE-2023-5914 Cloud Cross-site Scripting vulnerability in Cloud Citrix Storefront 1912

  Cross-site scripting (XSS)

6.1
2024-01-17 CVE-2023-48858 Abocms Cross-site Scripting vulnerability in Abocms Abo.Cms 5.9

A Cross-site scripting (XSS) vulnerability in login page php code in Armex ABO.CMS 5.9 allows remote attackers to inject arbitrary web script or HTML via the login.php? URL part.

6.1
2024-01-17 CVE-2024-0647 Sparksuite Cross-site Scripting vulnerability in Sparksuite Simplemde

A vulnerability, which was classified as problematic, was found in Sparksuite SimpleMDE up to 1.11.2.

6.1
2024-01-17 CVE-2024-22714 Codelyfe Cross-site Scripting vulnerability in Codelyfe Stupid Simple CMS

Stupid Simple CMS <=1.2.4 is vulnerable to Cross Site Scripting (XSS) in the editing section of the article content.

6.1
2024-01-17 CVE-2023-25295 Gruen Cross-site Scripting vulnerability in Gruen Evewa3 31/53

A Cross Site Scripting (XSS) vulnerability in evewa3ajax.php in GRUEN eVEWA3 Community 31 through 53 allows attackers to obtain escalated privileges via a crafted request to the login panel.

6.1
2024-01-17 CVE-2023-46952 Abocms Cross-site Scripting vulnerability in Abocms Abo.Cms 5.9.3

Cross Site Scripting vulnerability in ABO.CMS v.5.9.3 allows an attacker to execute arbitrary code via a crafted payload to the Referer header.

6.1
2024-01-16 CVE-2023-52068 Kodcloud Cross-site Scripting vulnerability in Kodcloud Kodbox 1.43

kodbox v1.43 was discovered to contain a cross-site scripting (XSS) vulnerability via the operation and login logs.

6.1
2024-01-16 CVE-2024-20908 Oracle Unspecified vulnerability in Oracle Webcenter Sites 12.2.1.4.0

Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: Advanced UI).

6.1
2024-01-16 CVE-2024-20928 Oracle Unspecified vulnerability in Oracle Webcenter Content 12.2.1.4.0

Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server).

6.1
2024-01-16 CVE-2024-20934 Oracle Unspecified vulnerability in Oracle Installed Base

Vulnerability in the Oracle Installed Base product of Oracle E-Business Suite (component: Engineering Change Order).

6.1
2024-01-16 CVE-2024-20936 Oracle Unspecified vulnerability in Oracle One-To-One Fulfillment

Vulnerability in the Oracle One-to-One Fulfillment product of Oracle E-Business Suite (component: Documents).

6.1
2024-01-16 CVE-2024-20938 Oracle Unspecified vulnerability in Oracle Istore

Vulnerability in the Oracle iStore product of Oracle E-Business Suite (component: ECC).

6.1
2024-01-16 CVE-2024-20940 Oracle Unspecified vulnerability in Oracle Knowledge Management

Vulnerability in the Oracle Knowledge Management product of Oracle E-Business Suite (component: Create, Update, Authoring Flow).

6.1
2024-01-16 CVE-2024-20942 Oracle Unspecified vulnerability in Oracle Complex Maintenance, Repair, and Overhaul 11.5/12.1/12.2

Vulnerability in the Oracle Complex Maintenance, Repair, and Overhaul product of Oracle Supply Chain (component: LOV).

6.1
2024-01-16 CVE-2024-20948 Oracle Unspecified vulnerability in Oracle Knowledge Management

Vulnerability in the Oracle Knowledge Management product of Oracle E-Business Suite (component: Setup, Admin).

6.1
2024-01-16 CVE-2024-20950 Oracle Unspecified vulnerability in Oracle Customer Interaction History

Vulnerability in the Oracle Customer Interaction History product of Oracle E-Business Suite (component: Outcome-Result).

6.1
2024-01-16 CVE-2021-24432 Berocket Cross-site Scripting vulnerability in Berocket Advanced Ajax Product Filters

The Advanced AJAX Product Filters WordPress plugin does not sanitise the 'term_id' POST parameter before outputting it in the page, leading to reflected Cross-Site Scripting issue.

6.1
2024-01-16 CVE-2021-24870 Wpfastestcache Cross-Site Request Forgery (CSRF) vulnerability in Wpfastestcache WP Fastest Cache

The WP Fastest Cache WordPress plugin before 0.9.5 is lacking a CSRF check in its wpfc_save_cdn_integration AJAX action, and does not sanitise and escape some the options available via the action, which could allow attackers to make logged in high privilege users call it and set a Cross-Site Scripting payload

6.1
2024-01-16 CVE-2022-0402 Super Forms Cross-site Scripting vulnerability in Super-Forms Super Forms

The Super Forms - Drag & Drop Form Builder WordPress plugin before 6.0.4 does not escape the bob_czy_panstwa_sprawa_zostala_rozwiazana parameter before outputting it back in an attribute via the super_language_switcher AJAX action, leading to a Reflected Cross-Site Scripting.

6.1
2024-01-16 CVE-2022-1617 Usabilitydynamics Cross-Site Request Forgery (CSRF) vulnerability in Usabilitydynamics Wp-Invoice

The WP-Invoice WordPress plugin through 4.3.1 does not have CSRF check in place when updating its settings, and is lacking sanitisation as well as escaping in some of them, allowing attacker to make a logged in admin change them and add XSS payload in them

6.1
2024-01-16 CVE-2022-1618 Marcorulicke Cross-Site Request Forgery (CSRF) vulnerability in Marcorulicke Coru Lfmember 1.0.2

The Coru LFMember WordPress plugin through 1.0.2 does not have CSRF check in place when adding a new game, and is lacking sanitisation as well as escaping in their settings, allowing attacker to make a logged in admin add an arbitrary game with XSS payloads

6.1
2024-01-16 CVE-2023-0479 Tychesoftwares Cross-site Scripting vulnerability in Tychesoftwares Print Invoice & Delivery Notes for Woocommerce

The Print Invoice & Delivery Notes for WooCommerce WordPress plugin before 4.7.2 is vulnerable to reflected XSS by echoing a GET value in an admin note within the WooCommerce orders page.

6.1
2024-01-16 CVE-2023-0769 Hiweb Cross-site Scripting vulnerability in Hiweb Migration Simple

The hiWeb Migration Simple WordPress plugin through 2.0.0.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admins.

6.1
2024-01-16 CVE-2023-3771 T1 Project Open Redirect vulnerability in T1 Project T1

The T1 WordPress theme through 19.0 is vulnerable to unauthenticated open redirect with which any attacker and redirect users to arbitrary websites.

6.1
2024-01-16 CVE-2023-5558 Thimpress Cross-site Scripting vulnerability in Thimpress Learnpress

The LearnPress WordPress plugin before 4.2.5.5 does not sanitise and escape user input before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

6.1
2024-01-16 CVE-2023-7151 Piwebsolution Cross-site Scripting vulnerability in Piwebsolution Product Enquiry for Woocommerce 2.2.13/2.2.7

The Product Enquiry for WooCommerce WordPress plugin before 3.2 does not sanitise and escape the page parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

6.1
2024-01-16 CVE-2024-0187 Peepso Cross-site Scripting vulnerability in Peepso

The Community by PeepSo WordPress plugin before 6.3.1.2 does not sanitise and escape various parameters and generated URLs before outputting them back attributes, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

6.1
2024-01-16 CVE-2024-0233 Myeventon Improper Encoding or Escaping of Output vulnerability in Myeventon Eventon

The EventON WordPress plugin before 4.5.5, EventON WordPress plugin before 2.2.7 do not properly sanitise and escape a parameter before outputting it back in pages, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

6.1
2024-01-16 CVE-2024-0238 Myeventon Missing Authorization vulnerability in Myeventon Eventon

The EventON Premium WordPress plugin before 4.5.6, EventON WordPress plugin before 2.2.8 do not have authorisation in an AJAX action, and does not ensure that the post to be updated belong to the plugin, allowing unauthenticated users to update arbitrary post metadata.

6.1
2024-01-16 CVE-2024-0239 ARI Soft Cross-site Scripting vulnerability in Ari-Soft Contact Form 7 Connector

The Contact Form 7 Connector WordPress plugin before 1.2.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against administrators.

6.1
2024-01-16 CVE-2023-41619 Emlog Cross-site Scripting vulnerability in Emlog 2.1.14

Emlog Pro v2.1.14 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /admin/article.php?action=write.

6.1
2024-01-16 CVE-2023-48104 Alinto Cross-site Scripting vulnerability in Alinto Sogo

Alinto SOGo before 5.9.1 is vulnerable to HTML Injection.

6.1
2024-01-15 CVE-2024-0317 Fireeye Cross-site Scripting vulnerability in Fireeye products

Cross-Site Scripting in FireEye EX, affecting version 9.0.3.936727.

6.1
2024-01-15 CVE-2024-0318 Fireeye Cross-site Scripting vulnerability in Fireeye Hxtool 4.6

Cross-Site Scripting in FireEye HXTool affecting version 4.6.

6.1
2024-01-15 CVE-2024-0319 Fireeye Open Redirect vulnerability in Fireeye Hxtool 4.6

Open Redirect vulnerability in FireEye HXTool affecting version 4.6, the exploitation of which could allow an attacker to redirect a legitimate user to a malicious page by changing the 'redirect_uri' parameter.

6.1
2024-01-15 CVE-2024-0320 Fireeye Cross-site Scripting vulnerability in Fireeye Malware Analysis 9.0.3.936530

Cross-Site Scripting in FireEye Malware Analysis (AX) affecting version 9.0.3.936530.

6.1
2024-01-15 CVE-2023-6050 Estatik Cross-site Scripting vulnerability in Estatik

The Estatik Real Estate Plugin WordPress plugin before 4.1.1 does not sanitise and escape various parameters and generated URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin

6.1
2024-01-15 CVE-2024-0314 Fireeye Cross-site Scripting vulnerability in Fireeye Central Management 9.1.1.956704

XSS vulnerability in FireEye Central Management affecting version 9.1.1.956704, which could allow an attacker to modify special HTML elements in the application and cause a reflected XSS, leading to a session hijacking.

6.1
2024-01-15 CVE-2024-0545 Fairsketch Open Redirect vulnerability in Fairsketch Rise Ultimate Project Manager 3.5.3

A vulnerability classified as problematic was found in CodeCanyon RISE Rise Ultimate Project Manager 3.5.3.

6.1
2024-01-16 CVE-2024-20926 Oracle
Netapp
Debian
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Scripting).
5.9
2024-01-21 CVE-2024-0771 Nsasoft Out-of-bounds Write vulnerability in Nsasoft Product KEY Explorer 4.0.9

A vulnerability has been found in Nsasoft Product Key Explorer 4.0.9 and classified as problematic.

5.5
2024-01-19 CVE-2023-32272 Intel Uncontrolled Search Path Element vulnerability in Intel NUC PRO Software Suite 2.0.0.3/2.0.0.9/3.0.0.6

Uncontrolled search path in some Intel NUC Pro Software Suite Configuration Tool software installers before version 3.0.0.6 may allow an authenticated user to potentially enable denial of service via local access.

5.5
2024-01-19 CVE-2023-32544 Intel Unspecified vulnerability in Intel NUC P14E Laptop Element 1.0.0.156/1.1.44

Improper access control in some Intel HotKey Services for Windows 10 for Intel NUC P14E Laptop Element software installers before version 1.1.45 may allow an authenticated user to potentially enable denial of service via local access.

5.5
2024-01-19 CVE-2023-6450 Lenovo Unspecified vulnerability in Lenovo APP Store

An incorrect permissions vulnerability was reported in the Lenovo App Store app that could allow an attacker to use system resources, resulting in a denial of service.

5.5
2024-01-19 CVE-2024-22914 Swftools Use After Free vulnerability in Swftools 0.9.2

A heap-use-after-free was found in SWFTools v0.9.2, in the function input at lex.swf5.c:2620.

5.5
2024-01-19 CVE-2024-22957 Swftools Out-of-bounds Read vulnerability in Swftools 0.9.2

swftools 0.9.2 was discovered to contain an Out-of-bounds Read vulnerability via the function dict_do_lookup in swftools/lib/q.c:1190.

5.5
2024-01-18 CVE-2023-51258 Tortall Memory Leak vulnerability in Tortall Yasm 1.3.0

A memory leak issue discovered in YASM v.1.3.0 allows a local attacker to cause a denial of service via the new_Token function in the modules/preprocs/nasm/nasm-pp:1512.

5.5
2024-01-18 CVE-2024-0408 X ORG
Tigervnc
Redhat
Fedoraproject
A flaw was found in the X.Org server.
5.5
2024-01-18 CVE-2021-33630 Huawei NULL Pointer Dereference vulnerability in Huawei Openeuler 4.19.90

NULL Pointer Dereference vulnerability in openEuler kernel on Linux (network modules) allows Pointer Manipulation.

5.5
2024-01-18 CVE-2023-48340 Google Out-of-bounds Write vulnerability in Google Android 11.0/12.0

In video decoder, there is a possible out of bounds write due to improper input validation.

5.5
2024-01-18 CVE-2023-48341 Google Out-of-bounds Read vulnerability in Google Android 11.0/12.0

In video decoder, there is a possible out of bounds read due to improper input validation.

5.5
2024-01-18 CVE-2023-48343 Google Out-of-bounds Write vulnerability in Google Android 11.0/12.0

In video decoder, there is a possible out of bounds write due to improper input validation.

5.5
2024-01-18 CVE-2023-48344 Google Out-of-bounds Read vulnerability in Google Android 11.0/12.0

In video decoder, there is a possible out of bounds read due to improper input validation.

5.5
2024-01-18 CVE-2023-48345 Google Out-of-bounds Read vulnerability in Google Android 11.0/12.0

In video decoder, there is a possible out of bounds read due to improper input validation.

5.5
2024-01-18 CVE-2023-48346 Google Unspecified vulnerability in Google Android 11.0/12.0

In video decoder, there is a possible improper input validation.

5.5
2024-01-18 CVE-2023-48347 Google Out-of-bounds Read vulnerability in Google Android 11.0/12.0

In video decoder, there is a possible out of bounds read due to improper input validation.

5.5
2024-01-18 CVE-2023-48348 Google Out-of-bounds Write vulnerability in Google Android 11.0/12.0

In video decoder, there is a possible out of bounds write due to improper input validation.

5.5
2024-01-18 CVE-2023-48349 Google Out-of-bounds Write vulnerability in Google Android 11.0/12.0

In video decoder, there is a possible out of bounds write due to a missing bounds check.

5.5
2024-01-18 CVE-2023-48350 Google Out-of-bounds Write vulnerability in Google Android 11.0/12.0

In video decoder, there is a possible out of bounds write due to a missing bounds check.

5.5
2024-01-18 CVE-2023-48351 Google Out-of-bounds Write vulnerability in Google Android 11.0/12.0

In video decoder, there is a possible out of bounds write due to a missing bounds check.

5.5
2024-01-18 CVE-2023-48352 Google Out-of-bounds Write vulnerability in Google Android 11.0/12.0/13.0

In phasecheckserver, there is a possible out of bounds write due to a missing bounds check.

5.5
2024-01-18 CVE-2023-48354 Google Unspecified vulnerability in Google Android 11.0/12.0/13.0

In telephone service, there is a possible improper input validation.

5.5
2024-01-18 CVE-2023-6340 Sonicwall Out-of-bounds Write vulnerability in Sonicwall Capture Client and Netextender

SonicWall Capture Client version 3.7.10, NetExtender client version 10.2.337 and earlier versions are installed with sfpmonitor.sys driver.

5.5
2024-01-17 CVE-2024-0639 Linux
Redhat
Improper Locking vulnerability in multiple products

A denial of service vulnerability due to a deadlock was found in sctp_auto_asconf_init in net/sctp/socket.c in the Linux kernel’s SCTP subsystem.

5.5
2024-01-17 CVE-2024-0641 Linux
Redhat
Improper Locking vulnerability in multiple products

A denial of service vulnerability was found in tipc_crypto_key_revoke in net/tipc/crypto.c in the Linux kernel’s TIPC subsystem.

5.5
2024-01-16 CVE-2024-20946 Oracle Unspecified vulnerability in Oracle Solaris 11

Vulnerability in the Oracle Solaris product of Oracle Systems (component: Kernel).

5.5
2024-01-16 CVE-2024-20967 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication).
5.5
2024-01-16 CVE-2024-20969 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL).
5.5
2024-01-16 CVE-2023-5097 Hypr Improper Input Validation vulnerability in Hypr Workforce Access

Improper Input Validation vulnerability in HYPR Workforce Access on Windows allows Path Traversal.This issue affects Workforce Access: before 8.7.

5.5
2024-01-16 CVE-2024-0232 Sqlite
Redhat
Fedoraproject
Use After Free vulnerability in multiple products

A heap use-after-free issue has been identified in SQLite in the jsonParseAddNodeArray() function in sqlite3.c.

5.5
2024-01-16 CVE-2024-0581 Sandsprite Resource Exhaustion vulnerability in Sandsprite Scdbg 1.0

An Uncontrolled Resource Consumption vulnerability has been found on Sandsprite Scdbg.exe, affecting version 1.0.

5.5
2024-01-15 CVE-2024-20709 Microsoft
Adobe
Acrobat Reader T5 (MSFT Edge) versions 120.0.2210.91 and earlier are affected by an Improper Input Validation vulnerability.
5.5
2024-01-15 CVE-2024-20721 Microsoft
Adobe
Acrobat Reader T5 (MSFT Edge) versions 120.0.2210.91 and earlier are affected by an Improper Input Validation vulnerability.
5.5
2024-01-15 CVE-2023-6915 Linux
Redhat
NULL Pointer Dereference vulnerability in multiple products

A Null pointer dereference problem was found in ida_free in lib/idr.c in the Linux Kernel.

5.5
2024-01-19 CVE-2024-0722 Code Projects Cross-site Scripting vulnerability in Code-Projects Social Networking Site 1.0

A vulnerability was found in code-projects Social Networking Site 1.0 and classified as problematic.

5.4
2024-01-19 CVE-2024-22876 Strangebee Cross-site Scripting vulnerability in Strangebee Thehive

StrangeBee TheHive 5.1.0 to 5.1.9 and 5.2.0 to 5.2.8 is vulnerable to Cross Site Scripting (XSS) in the case attachment functionality which enables an attacker to upload a malicious HTML file with Javascript code that will be executed in the context of the The Hive application using a specific URL.

5.4
2024-01-19 CVE-2024-22877 Strangebee Cross-site Scripting vulnerability in Strangebee Thehive

StrangeBee TheHive 5.2.0 to 5.2.8 is vulnerable to Cross Site Scripting (XSS) in the case reporting functionality.

5.4
2024-01-19 CVE-2023-32337 IBM Server-Side Request Forgery (SSRF) vulnerability in IBM Maximo Application Suite and Maximo Asset Management

IBM Maximo Spatial Asset Management 8.10 is vulnerable to server-side request forgery (SSRF).

5.4
2024-01-19 CVE-2023-50963 IBM Open Redirect vulnerability in IBM Storage Defender Data Protect

IBM Storage Defender - Data Protect 1.0.0 through 1.4.1 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers.

5.4
2024-01-18 CVE-2024-22402 Nextcloud Improper Preservation of Permissions vulnerability in Nextcloud Guests 2.5.0/3.0.0

Nextcloud guests app is a utility to create guest users which can only see files shared with them.

5.4
2024-01-18 CVE-2024-22418 Group Office Cross-site Scripting vulnerability in Group-Office Group Office

Group-Office is an enterprise CRM and groupware tool.

5.4
2024-01-18 CVE-2024-22213 Nextcloud Cross-site Scripting vulnerability in Nextcloud Deck

Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud.

5.4
2024-01-18 CVE-2023-49943 Zohocorp Cross-site Scripting vulnerability in Zohocorp Manageengine Servicedesk Plus MSP

Zoho ManageEngine ServiceDesk Plus MSP before 14504 allows stored XSS (by a low-privileged technician) via a task's name in a time sheet.

5.4
2024-01-18 CVE-2024-22548 Flycms Project Cross-site Scripting vulnerability in Flycms Project Flycms 1.0

FlyCms 1.0 is vulnerable to Cross Site Scripting (XSS) in the system website settings website name section.

5.4
2024-01-18 CVE-2024-22549 Flycms Project Cross-site Scripting vulnerability in Flycms Project Flycms 1.0

FlyCms 1.0 is vulnerable to Cross Site Scripting (XSS) in the email settings of the website settings section.

5.4
2024-01-18 CVE-2023-51463 Adobe Cross-site Scripting vulnerability in Adobe Experience Manager

Adobe Experience Manager versions 6.5.18 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability.

5.4
2024-01-18 CVE-2023-51464 Adobe Cross-site Scripting vulnerability in Adobe Experience Manager

Adobe Experience Manager versions 6.5.18 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields.

5.4
2024-01-18 CVE-2023-6958 Bootstrapped Cross-site Scripting vulnerability in Bootstrapped WP Recipe Maker

The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 9.1.0 due to insufficient input sanitization and output escaping on user supplied attributes.

5.4
2024-01-18 CVE-2024-0381 Bootstrapped Cross-site Scripting vulnerability in Bootstrapped WP Recipe Maker

The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the use of the 'tag' attribute in the wprm-recipe-name, wprm-recipe-date, and wprm-recipe-counter shortcodes in all versions up to, and including, 9.1.0.

5.4
2024-01-17 CVE-2024-22414 Dogukanurker Cross-site Scripting vulnerability in Dogukanurker Flaskblog

flaskBlog is a simple blog app built with Flask.

5.4
2024-01-17 CVE-2024-20251 Cisco Cross-site Scripting vulnerability in Cisco Identity Services Engine

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to perform a stored cross-site scripting (XSS) attack against a user of the interface on an affected device.

5.4
2024-01-17 CVE-2024-20270 Cisco Cross-site Scripting vulnerability in Cisco products

A vulnerability in the web-based management interface of Cisco BroadWorks Application Delivery Platform and Cisco BroadWorks Xtended Services Platform could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input.

5.4
2024-01-17 CVE-2023-51733 Skyworthdigital Cross-site Scripting vulnerability in Skyworthdigital Cm5100 Firmware 4.1.1.24

This vulnerability exist in Skyworth Router CM5100, version 4.1.1.24, due to insufficient validation of user supplied input for the Identity parameter under Local endpoint settings at its web interface.

5.4
2024-01-17 CVE-2023-51734 Skyworthdigital Cross-site Scripting vulnerability in Skyworthdigital Cm5100 Firmware 4.1.1.24

This vulnerability exist in Skyworth Router CM5100, version 4.1.1.24, due to insufficient validation of user supplied input for the Identity parameter under Remote endpoint settings at its web interface.

5.4
2024-01-17 CVE-2023-51735 Skyworthdigital Cross-site Scripting vulnerability in Skyworthdigital Cm5100 Firmware 4.1.1.24

This vulnerability exist in Skyworth Router CM5100, version 4.1.1.24, due to insufficient validation of user supplied input for the Pre-shared key parameter at its web interface.

5.4
2024-01-17 CVE-2023-51736 Skyworthdigital Cross-site Scripting vulnerability in Skyworthdigital Cm5100 Firmware 4.1.1.24

This vulnerability exist in Skyworth Router CM5100, version 4.1.1.24, due to insufficient validation of user supplied input for the L2TP/PPTP Username parameter at its web interface.

5.4
2024-01-17 CVE-2023-51737 Skyworthdigital Cross-site Scripting vulnerability in Skyworthdigital Cm5100 Firmware 4.1.1.24

This vulnerability exist in Skyworth Router CM5100, version 4.1.1.24, due to insufficient validation of user supplied input for the Preshared Phrase parameter at its web interface.

5.4
2024-01-17 CVE-2023-51738 Skyworthdigital Cross-site Scripting vulnerability in Skyworthdigital Cm5100 Firmware 4.1.1.24

This vulnerability exist in Skyworth Router CM5100, version 4.1.1.24, due to insufficient validation of user supplied input for the Network Name (SSID) parameter at its web interface.

5.4
2024-01-17 CVE-2023-51739 Skyworthdigital Cross-site Scripting vulnerability in Skyworthdigital Cm5100 Firmware 4.1.1.24

This vulnerability exist in Skyworth Router CM5100, version 4.1.1.24, due to insufficient validation of user supplied input for the Device Name parameter at its web interface.

5.4
2024-01-17 CVE-2023-51719 Skyworthdigital Cross-site Scripting vulnerability in Skyworthdigital Cm5100 Firmware 4.1.1.24

This vulnerability exist in Skyworth Router CM5100, version 4.1.1.24, due to insufficient validation of user supplied input for the Traceroute parameter at its web interface.

5.4
2024-01-17 CVE-2023-51720 Skyworthdigital Cross-site Scripting vulnerability in Skyworthdigital Cm5100 Firmware 4.1.1.24

This vulnerability exist in Skyworth Router CM5100, version 4.1.1.24, due to insufficient validation of user supplied input for the Time Server 1 parameter at its web interface.

5.4
2024-01-17 CVE-2023-51721 Skyworthdigital Cross-site Scripting vulnerability in Skyworthdigital Cm5100 Firmware 4.1.1.24

This vulnerability exist in Skyworth Router CM5100, version 4.1.1.24, due to insufficient validation of user supplied input for the Time Server 2 parameter at its web interface.

5.4
2024-01-17 CVE-2023-51722 Skyworthdigital Cross-site Scripting vulnerability in Skyworthdigital Cm5100 Firmware 4.1.1.24

This vulnerability exist in Skyworth Router CM5100, version 4.1.1.24, due to insufficient validation of user supplied input for the Time Server 3 parameter at its web interface.

5.4
2024-01-17 CVE-2023-51723 Skyworthdigital Cross-site Scripting vulnerability in Skyworthdigital Cm5100 Firmware 4.1.1.24

This vulnerability exist in Skyworth Router CM5100, version 4.1.1.24, due to insufficient validation of user supplied input for the Description parameter at its web interface.

5.4
2024-01-17 CVE-2023-51724 Skyworthdigital Cross-site Scripting vulnerability in Skyworthdigital Cm5100 Firmware 4.1.1.24

This vulnerability exist in Skyworth Router CM5100, version 4.1.1.24, due to insufficient validation of user supplied input for the URL parameter at its web interface.

5.4
2024-01-17 CVE-2023-51725 Skyworthdigital Cross-site Scripting vulnerability in Skyworthdigital Cm5100 Firmware 4.1.1.24

This vulnerability exist in Skyworth Router CM5100, version 4.1.1.24, due to insufficient validation of user supplied input for the Contact Email Address parameter at its web interface.

5.4
2024-01-17 CVE-2023-51726 Skyworthdigital Cross-site Scripting vulnerability in Skyworthdigital Cm5100 Firmware 4.1.1.24

This vulnerability exist in Skyworth Router CM5100, version 4.1.1.24, due to insufficient validation of user supplied input for the SMTP Server Name parameter at its web interface.

5.4
2024-01-17 CVE-2023-51727 Skyworthdigital Cross-site Scripting vulnerability in Skyworthdigital Cm5100 Firmware 4.1.1.24

This vulnerability exist in Skyworth Router CM5100, version 4.1.1.24, due to insufficient validation of user supplied input for the SMTP Username parameter at its web interface.

5.4
2024-01-17 CVE-2023-51728 Skyworthdigital Cross-site Scripting vulnerability in Skyworthdigital Cm5100 Firmware 4.1.1.24

This vulnerability exist in Skyworth Router CM5100, version 4.1.1.24, due to insufficient validation of user supplied input for the SMTP Password parameter at its web interface.

5.4
2024-01-17 CVE-2023-51729 Skyworthdigital Cross-site Scripting vulnerability in Skyworthdigital Cm5100 Firmware 4.1.1.24

This vulnerability exist in Skyworth Router CM5100, version 4.1.1.24, due to insufficient validation of user supplied input for the DDNS Username parameter at its web interface.

5.4
2024-01-17 CVE-2023-51730 Skyworthdigital Cross-site Scripting vulnerability in Skyworthdigital Cm5100 Firmware 4.1.1.24

This vulnerability exist in Skyworth Router CM5100, version 4.1.1.24, due to insufficient validation of user supplied input for the DDNS Password parameter at its web interface.

5.4
2024-01-17 CVE-2023-51731 Skyworthdigital Cross-site Scripting vulnerability in Skyworthdigital Cm5100 Firmware 4.1.1.24

This vulnerability exist in Skyworth Router CM5100, version 4.1.1.24, due to insufficient validation of user supplied input for the Hostname parameter at its web interface.

5.4
2024-01-17 CVE-2023-51732 Skyworthdigital Cross-site Scripting vulnerability in Skyworthdigital Cm5100 Firmware 4.1.1.24

This vulnerability exist in Skyworth Router CM5100, version 4.1.1.24, due to insufficient validation of user supplied input for the IPsec Tunnel Name parameter at its web interface.

5.4
2024-01-17 CVE-2023-52069 Kodcloud Cross-site Scripting vulnerability in Kodcloud Kodbox 1.49.04

kodbox v1.49.04 was discovered to contain a cross-site scripting (XSS) vulnerability via the URL parameter.

5.4
2024-01-16 CVE-2023-51807 Ofcms Project Cross-site Scripting vulnerability in Ofcms Project Ofcms 1.1.4

Cross Site Scripting vulnerability in OFCMS v.1.14 allows a remote attacker to obtain sensitive information via a crafted payload to the title addition component.

5.4
2024-01-16 CVE-2024-20944 Oracle Unspecified vulnerability in Oracle Isupport

Vulnerability in the Oracle iSupport product of Oracle E-Business Suite (component: Internal Operations).

5.4
2024-01-16 CVE-2024-20979 Oracle Unspecified vulnerability in Oracle BI Publisher 12.2.1.4.0/6.4.0.0.0/7.0.0.0.0

Vulnerability in the Oracle BI Publisher product of Oracle Analytics (component: Web Server).

5.4
2024-01-16 CVE-2024-20987 Oracle Unspecified vulnerability in Oracle BI Publisher 12.2.1.4.0

Vulnerability in the Oracle BI Publisher product of Oracle Analytics (component: Web Server).

5.4
2024-01-16 CVE-2024-22191 Avohq Cross-site Scripting vulnerability in Avohq AVO

Avo is a framework to create admin panels for Ruby on Rails apps.

5.4
2024-01-16 CVE-2024-22411 Avohq Cross-site Scripting vulnerability in Avohq AVO

Avo is a framework to create admin panels for Ruby on Rails apps.

5.4
2024-01-16 CVE-2024-0599 Ujcms Cross-site Scripting vulnerability in Ujcms Jspxcms 10.2.0

A vulnerability was found in Jspxcms 10.2.0.

5.4
2024-01-16 CVE-2024-22491 Beetl BBS Project Cross-site Scripting vulnerability in Beetl-Bbs Project Beetl-Bbs 2.0

A Stored Cross Site Scripting (XSS) vulnerability in beetl-bbs 2.0 allows attackers to run arbitrary code via the post/save content parameter.

5.4
2024-01-16 CVE-2021-24433 Yukimichi Cross-site Scripting vulnerability in Yukimichi Simple Sort&Search 0.0.3

The simple sort&search WordPress plugin through 0.0.3 does not make sure that the indexurl parameter of the shortcodes "category_sims", "order_sims", "orderby_sims", "period_sims", and "tag_sims" use allowed URL protocols, which can lead to stored cross-site scripting by users with a role as low as Contributor

5.4
2024-01-16 CVE-2021-24559 Patrickposner Cross-site Scripting vulnerability in Patrickposner Qyrr 0.5/0.6

The Qyrr WordPress plugin before 0.7 does not escape the data-uri of the QR Code when outputting it in a src attribute, allowing for Cross-Site Scripting attacks.

5.4
2024-01-16 CVE-2021-24567 Nickmomrik Cross-site Scripting vulnerability in Nickmomrik Simple Post

The Simple Post WordPress plugin through 1.1 does not sanitize user input when an authenticated user Text value, then it does not escape these values when outputting to the browser leading to an Authenticated Stored XSS Cross-Site Scripting issue.

5.4
2024-01-16 CVE-2022-2413 Simonpedge Cross-site Scripting vulnerability in Simonpedge Slide Anything

The Slide Anything WordPress plugin before 2.3.47 does not properly sanitize or escape the slide title before outputting it in the admin pages, allowing a logged in user with roles as low as Author to inject a javascript payload into the slide title even when the unfiltered_html capability is disabled.

5.4
2024-01-16 CVE-2022-3194 Wedevs Cross-site Scripting vulnerability in Wedevs Dokan

The Dokan WordPress plugin before 3.6.4 allows vendors to inject arbitrary javascript in product reviews, which may allow them to run stored XSS attacks against other users like site administrators.

5.4
2024-01-16 CVE-2022-3739 Subina Cross-site Scripting vulnerability in Subina WP Best Quiz 1.0

The WP Best Quiz WordPress plugin through 1.0 does not sanitize and escape some parameters, which could allow users with a role as low as Author to perform Cross-Site Scripting attacks.

5.4
2024-01-16 CVE-2023-0079 Cusrev Cross-site Scripting vulnerability in Cusrev Customer Reviews for Woocommerce

The Customer Reviews for WooCommerce WordPress plugin before 5.17.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

5.4
2024-01-16 CVE-2023-0094 Qoders Cross-site Scripting vulnerability in Qoders Upqode Google Maps

The UpQode Google Maps WordPress plugin through 1.0.5 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

5.4
2024-01-16 CVE-2023-0376 Themeum Cross-site Scripting vulnerability in Themeum Qubely

The Qubely WordPress plugin before 1.8.5 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

5.4
2024-01-16 CVE-2023-3372 Lana Cross-site Scripting vulnerability in Lana Shortcodes

The Lana Shortcodes WordPress plugin before 1.2.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which allows users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

5.4
2024-01-16 CVE-2023-4757 Miniorange Cross-site Scripting vulnerability in Miniorange Staff / Employee Business Directory for Active Directory

The Staff / Employee Business Directory for Active Directory WordPress plugin before 1.2.3 does not sanitize and escape data returned from the LDAP server before rendering it in the page, allowing users who can control their entries in the LDAP directory to inject malicious javascript which could be used against high-privilege users such as a site admin.

5.4
2024-01-16 CVE-2023-7083 Davidjmiller Cross-Site Request Forgery (CSRF) vulnerability in Davidjmiller Voting Record

The Voting Record WordPress plugin through 2.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack

5.4
2024-01-16 CVE-2023-7084 Davidjmiller Cross-site Scripting vulnerability in Davidjmiller Voting Record

The Voting Record WordPress plugin through 2.0 is missing sanitisation as well as escaping, which could allow any authenticated users, such as subscriber to perform Stored XSS attacks

5.4
2024-01-16 CVE-2024-0554 Xantech Cross-site Scripting vulnerability in Xantech Wic1200 Firmware 1.1

A Cross-site scripting (XSS) vulnerability has been found on WIC1200, affecting version 1.1.

5.4
2024-01-15 CVE-2024-0557 Dedebiz Cross-site Scripting vulnerability in Dedebiz 6.3.0

A vulnerability, which was classified as problematic, was found in DedeBIZ 6.3.0.

5.4
2024-01-19 CVE-2024-23686 Owasp Information Exposure Through Log Files vulnerability in Owasp Dependency-Check

DependencyCheck for Maven 9.0.0 to 9.0.6, for CLI version 9.0.0 to 9.0.5, and for Ant versions 9.0.0 to 9.0.5, when used in debug mode, allows an attacker to recover the NVD API Key from a log file.

5.3
2024-01-19 CVE-2024-23688 Consensys Use of Insufficiently Random Values vulnerability in Consensys Discovery

Consensys Discovery versions less than 0.4.5 uses the same AES/GCM nonce for the entire session.

5.3
2024-01-19 CVE-2024-23680 Amazon Improper Verification of Cryptographic Signature vulnerability in Amazon AWS Encryption SDK

AWS Encryption SDK for Java versions 2.0.0 to 2.2.0 and less than 1.9.0 incorrectly validates some invalid ECDSA signatures.

5.3
2024-01-19 CVE-2024-23685 Openlibraryfoundation Use of Hard-coded Credentials vulnerability in Openlibraryfoundation Mod-Remote-Storage

Hard-coded credentials in mod-remote-storage versions under 1.7.2 and from 2.0.0 to 2.0.3 allows unauthorized users to gain read access to mod-inventory-storage records including instances, holdings, items, contributor-types, and identifier-types.

5.3
2024-01-19 CVE-2024-0717 Dlink Unspecified vulnerability in Dlink products

A vulnerability classified as critical was found in D-Link DAP-1360, DIR-300, DIR-615, DIR-615GF, DIR-615S, DIR-615T, DIR-620, DIR-620S, DIR-806A, DIR-815, DIR-815AC, DIR-815S, DIR-816, DIR-820, DIR-822, DIR-825, DIR-825AC, DIR-825ACF, DIR-825ACG1, DIR-841, DIR-842, DIR-842S, DIR-843, DIR-853, DIR-878, DIR-882, DIR-1210, DIR-1260, DIR-2150, DIR-X1530, DIR-X1860, DSL-224, DSL-245GR, DSL-2640U, DSL-2750U, DSL-G2452GR, DVG-5402G, DVG-5402G, DVG-5402GFRU, DVG-N5402G, DVG-N5402G-IL, DWM-312W, DWM-321, DWR-921, DWR-953 and Good Line Router v2 up to 20240112.

5.3
2024-01-19 CVE-2024-0716 Byzoro Unspecified vulnerability in Byzoro Smart S150 Firmware 31R02B15

A vulnerability classified as problematic has been found in Byzoro Smart S150 Management Platform V31R02B15.

5.3
2024-01-19 CVE-2024-21733 Apache Information Exposure Through an Error Message vulnerability in Apache Tomcat

Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat.This issue affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43. Users are recommended to upgrade to version 8.5.64 onwards or 9.0.44 onwards, which contain a fix for the issue.

5.3
2024-01-19 CVE-2023-35020 IBM Path Traversal vulnerability in IBM Sterling Control Center 6.3.0

IBM Sterling Control Center 6.3.0 could allow a remote attacker to traverse directories on the system.

5.3
2024-01-18 CVE-2024-0695 Easy Chat Server Project Improper Resource Shutdown or Release vulnerability in Easy Chat Server Project Easy Chat Server 3.1

A vulnerability, which was classified as problematic, has been found in EFS Easy Chat Server 3.1.

5.3
2024-01-18 CVE-2023-31274 Aveva Missing Release of Resource after Effective Lifetime vulnerability in Aveva PI Server 2018/2023

AVEVA PI Server versions 2023 and 2018 SP3 P05 and prior contain a vulnerability that could allow an unauthenticated user to cause the PI Message Subsystem of a PI Server to consume available memory resulting in throttled processing of new PI Data Archive events and a partial denial-of-service condition.

5.3
2024-01-18 CVE-2023-28900 Skoda Auto Unspecified vulnerability in Skoda-Auto Skoda Connect

The Skoda Automotive cloud contains a Broken Access Control vulnerability, allowing to obtain nicknames and other user identifiers of Skoda Connect service users by specifying an arbitrary vehicle VIN number.

5.3
2024-01-18 CVE-2023-28901 Skoda Auto Unspecified vulnerability in Skoda-Auto Skoda Connect

The Skoda Automotive cloud contains a Broken Access Control vulnerability, allowing remote attackers to obtain recent trip data, vehicle mileage, fuel consumption, average and maximum speed, and other information of Skoda Connect service users by specifying an arbitrary vehicle VIN number.

5.3
2024-01-17 CVE-2023-50950 IBM Unspecified vulnerability in IBM Qradar Security Information and Event Manager 7.5.0

IBM QRadar SIEM 7.5 could disclose sensitive email information in responses from offense rules.

5.3
2024-01-16 CVE-2022-31021 Hyperledger Inclusion of Functionality from Untrusted Control Sphere vulnerability in Hyperledger Ursa

Ursa is a cryptographic library for use with blockchains.

5.3
2024-01-16 CVE-2023-48926 Prestashop Missing Authorization vulnerability in Prestashop Advanced Loyalty Program

An issue in 202 ecommerce Advanced Loyalty Program: Loyalty Points before v2.3.4 for PrestaShop allows unauthenticated attackers to arbitrarily change an order status.

5.3
2024-01-16 CVE-2023-7234 Integrationobjects Improper Encoding or Escaping of Output vulnerability in Integrationobjects OPC UA Server Toolkit

OPCUAServerToolkit will write a log message once an OPC UA client has successfully connected containing the client's self-defined description field.

5.3
2024-01-16 CVE-2021-4227 OBG Injection vulnerability in OBG ARK Wysiwyg Comment Editor

The ark-commenteditor WordPress plugin through 2.15.6 does not properly sanitise or encode the comments when in Source editor, allowing attackers to inject an iFrame in the page and thus load arbitrary content from any page to the comment section

5.3
2024-01-16 CVE-2022-1563 Wpengine Unspecified vulnerability in Wpengine Wpgraphql

The WPGraphQL WooCommerce WordPress plugin before 0.12.4 does not prevent unauthenticated attackers from enumerating a shop's coupon codes and values via GraphQL.

5.3
2024-01-16 CVE-2023-37521 Hcltechsw Unspecified vulnerability in Hcltechsw Bigfix Bare OSD Metal Server Webui

HCL BigFix Bare OSD Metal Server WebUI version 311.19 or lower can sometimes include sensitive information in a query string which could allow an attacker to execute a malicious attack.

5.3
2024-01-16 CVE-2023-6592 Ninjateam Unspecified vulnerability in Ninjateam Fastdup

The FastDup WordPress plugin before 2.2 does not prevent directory listing in sensitive directories containing export files.

5.3
2024-01-16 CVE-2024-0235 Myeventon Missing Authorization vulnerability in Myeventon Eventon

The EventON WordPress plugin before 4.5.5, EventON WordPress plugin before 2.2.7 do not have authorisation in an AJAX action, allowing unauthenticated users to retrieve email addresses of any users on the blog

5.3
2024-01-16 CVE-2024-0236 Myeventon Missing Authorization vulnerability in Myeventon Eventon

The EventON WordPress plugin before 4.5.5, EventON WordPress plugin before 2.2.7 do not have authorisation in an AJAX action, allowing unauthenticated users to retrieve the settings of arbitrary virtual events, including any meeting password set (for example for Zoom)

5.3
2024-01-16 CVE-2024-0237 Myeventon Missing Authorization vulnerability in Myeventon Eventon

The EventON WordPress plugin through 4.5.8, EventON WordPress plugin before 2.2.7 do not have authorisation in some AJAX actions, allowing unauthenticated users to update virtual events settings, such as meeting URL, moderator, access details etc

5.3
2024-01-16 CVE-2023-52112 Huawei Files or Directories Accessible to External Parties vulnerability in Huawei Emui and Harmonyos

Unauthorized file access vulnerability in the wallpaper service module.

5.3
2024-01-15 CVE-2024-22207 Smartbear Insecure Default Initialization of Resource vulnerability in Smartbear Swagger UI 2.0.0/2.0.1

fastify-swagger-ui is a Fastify plugin for serving Swagger UI.

5.3
2024-01-16 CVE-2024-20904 Oracle Unspecified vulnerability in Oracle Business Intelligence 12.2.1.4.0/6.4.0.0.0

Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics (component: Pod Admin).

5.0
2024-01-16 CVE-2024-20965 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).
4.9
2024-01-16 CVE-2024-20971 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer).
4.9
2024-01-16 CVE-2024-20981 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL).
4.9
2024-01-16 CVE-2024-20983 Oracle
Netapp
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML).
4.9
2024-01-19 CVE-2024-0718 Liuwy Dlsdys Cross-site Scripting vulnerability in Liuwy-Dlsdys Zhglxt 4.7.7

A vulnerability, which was classified as problematic, has been found in liuwy-dlsdys zhglxt 4.7.7.

4.8
2024-01-19 CVE-2024-23387 Fusionpbx Cross-site Scripting vulnerability in Fusionpbx

FusionPBX prior to 5.1.0 contains a cross-site scripting vulnerability.

4.8
2024-01-18 CVE-2024-0652 Phpgurukul Cross-site Scripting vulnerability in PHPgurukul Company Visitor Management System 1.0

A vulnerability was found in PHPGurukul Company Visitor Management System 1.0.

4.8
2024-01-17 CVE-2023-20257 Cisco Cross-site Scripting vulnerability in Cisco Prime Infrastructure

A vulnerability in the web-based management interface of Cisco Prime Infrastructure could allow an authenticated, remote attacker to conduct cross-site scripting attacks.

4.8
2024-01-16 CVE-2023-36236 Webkul Cross-site Scripting vulnerability in Webkul Bagisto

Cross Site Scripting vulnerability in webkil Bagisto v.1.5.0 and before allows an attacker to execute arbitrary code via a crafted SVG file uplad.

4.8
2024-01-16 CVE-2024-20906 Oracle Unspecified vulnerability in Oracle Integrated Lights OUT Manager Firmware 3.0.0/4.0.0/5.0.0

Vulnerability in the Integrated Lights Out Manager (ILOM) product of Oracle Systems (component: System Management).

4.8
2024-01-16 CVE-2021-25117 Lesterchan Cross-Site Request Forgery (CSRF) vulnerability in Lesterchan Wp-Postratings

The WP-PostRatings WordPress plugin before 1.86.1 does not sanitise the postratings_image parameter from its options page (wp-admin/admin.php?page=wp-postratings/postratings-options.php).

4.8
2024-01-16 CVE-2022-23179 Themehunk Cross-site Scripting vulnerability in Themehunk Contact Form & Lead Form Elementor Builder

The Contact Form & Lead Form Elementor Builder WordPress plugin before 1.7.0 does not escape some of its form fields before outputting them in attributes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

4.8
2024-01-16 CVE-2022-3829 Newnine Cross-site Scripting vulnerability in Newnine Font Awesome 4 Menus 4.7.0

The Font Awesome 4 Menus WordPress plugin through 4.7.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

4.8
2024-01-16 CVE-2022-3836 Seedwebs Cross-site Scripting vulnerability in Seedwebs Seed Social

The Seed Social WordPress plugin before 2.0.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

4.8
2024-01-16 CVE-2023-0389 Codepeople Cross-site Scripting vulnerability in Codepeople Calculated Fields Form

The Calculated Fields Form WordPress plugin before 1.1.151 does not sanitise and escape some of its form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

4.8
2024-01-16 CVE-2023-3647 Indigitall Cross-site Scripting vulnerability in Indigitall Iurny

The IURNY by INDIGITALL WordPress plugin before 3.2.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

4.8
2024-01-16 CVE-2023-6005 Myeventon Improper Encoding or Escaping of Output vulnerability in Myeventon Eventon

The EventON WordPress plugin before 4.5.5, EventON WordPress plugin before 2.2.7 does not sanitize and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

4.8
2024-01-16 CVE-2023-6046 Myeventon Cross-site Scripting vulnerability in Myeventon Eventon

The EventON WordPress plugin before 2.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored HTML Injection attacks even when the unfiltered_html capability is disallowed.

4.8
2024-01-16 CVE-2023-6732 Supsystic Cross-site Scripting vulnerability in Supsystic Ultimate Maps

The Ultimate Maps by Supsystic WordPress plugin before 1.2.16 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

4.8
2024-01-16 CVE-2023-7154 Morehubbub Cross-site Scripting vulnerability in Morehubbub Hubbub Lite

The Hubbub Lite (formerly Grow Social) WordPress plugin before 1.32.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

4.8
2024-01-15 CVE-2023-4925 Yikesinc Cross-site Scripting vulnerability in Yikesinc Easy Forms for Mailchimp

The Easy Forms for Mailchimp WordPress plugin through 6.8.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

4.8
2024-01-15 CVE-2023-6163 Themeum Cross-site Scripting vulnerability in Themeum WP Crowdfunding

The WP Crowdfunding WordPress plugin before 2.1.10 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

4.8
2024-01-15 CVE-2023-6941 Keap Cross-site Scripting vulnerability in Keap Official Opt-In Forms

The Keap Official Opt-in Forms WordPress plugin through 1.0.11 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in multisite setup).

4.8
2024-01-17 CVE-2023-49515 TP Link Unspecified vulnerability in Tp-Link Tapo C200 Firmware and Tapo Tc70 Firmware

Insecure Permissiosn vulnerability in TP Link TC70 and C200 WIFI Camera v.3 firmware v.1.3.4 and fixed in v.1.3.11 allows a physically proximate attacker to obtain sensitive information via a connection to the UART pin components.

4.6
2024-01-15 CVE-2024-22028 3Rrr Btob Unspecified vulnerability in 3Rrr-Btob products

Insufficient technical documentation issue exists in thermal camera TMC series all firmware versions.

4.6
2024-01-18 CVE-2023-48339 Google Missing Authorization vulnerability in Google Android 11.0/12.0/13.0

In jpg driver, there is a possible missing permission check.

4.4
2024-01-18 CVE-2023-48342 Google Out-of-bounds Write vulnerability in Google Android 11.0/12.0/13.0

In media service, there is a possible out of bounds write due to a missing bounds check.

4.4
2024-01-18 CVE-2023-48353 Google Use After Free vulnerability in Google Android 11.0/12.0/13.0

In vsp driver, there is a possible use after free due to a logic error.

4.4
2024-01-18 CVE-2023-48355 Google Out-of-bounds Write vulnerability in Google Android 11.0/12.0/13.0

In jpg driver, there is a possible out of bounds write due to a missing bounds check.

4.4
2024-01-18 CVE-2023-48356 Google Out-of-bounds Write vulnerability in Google Android 11.0/12.0/13.0

In jpg driver, there is a possible out of bounds write due to a missing bounds check.

4.4
2024-01-18 CVE-2023-48357 Google Out-of-bounds Write vulnerability in Google Android 11.0/12.0/13.0

In vsp driver, there is a possible out of bounds write due to a missing bounds check.

4.4
2024-01-18 CVE-2023-48358 Google Out-of-bounds Write vulnerability in Google Android 11.0/12.0/13.0

In drm driver, there is a possible out of bounds write due to a missing bounds check.

4.4
2024-01-18 CVE-2023-48359 Google Out-of-bounds Write vulnerability in Google Android 11.0/12.0/13.0

In autotest driver, there is a possible out of bounds write due to improper input validation.

4.4
2024-01-16 CVE-2024-20959 Oracle Unspecified vulnerability in Oracle ZFS Storage Appliance KIT 8.8

Vulnerability in the Oracle ZFS Storage Appliance Kit product of Oracle Systems (component: Core).

4.4
2024-01-20 CVE-2024-0623 Vektor INC Cross-Site Request Forgery (CSRF) vulnerability in Vektor-Inc VK Block Patterns

The VK Block Patterns plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.31.1.1.

4.3
2024-01-20 CVE-2023-46447 Popsdiabetes Cleartext Transmission of Sensitive Information vulnerability in Popsdiabetes Rebel 5.0

The POPS! Rebel application 5.0 for Android, in POPS! Rebel Bluetooth Glucose Monitoring System, sends unencrypted glucose measurements over BLE.

4.3
2024-01-18 CVE-2024-22401 Nextcloud Improper Preservation of Permissions vulnerability in Nextcloud Guests 2.5.0/3.0.0

Nextcloud guests app is a utility to create guest users which can only see files shared with them.

4.3
2024-01-18 CVE-2024-22404 Nextcloud Improper Preservation of Permissions vulnerability in Nextcloud Zipper

Nextcloud files Zip app is a tool to create zip archives from one or multiple files from within Nextcloud.

4.3
2024-01-17 CVE-2023-7031 Avaya Authorization Bypass Through User-Controlled Key vulnerability in Avaya Aura Experience Portal

Insecure Direct Object Reference vulnerabilities were discovered in the Avaya Aura Experience Portal Manager which may allow partial information disclosure to an authenticated non-privileged user.

4.3
2024-01-17 CVE-2022-40702 Zorem Missing Authorization vulnerability in Zorem Advanced Local Pickup for Woocommerce

Missing Authorization vulnerability in Zorem Advanced Local Pickup for WooCommerce.This issue affects Advanced Local Pickup for WooCommerce: from n/a through 1.5.2.

4.3
2024-01-17 CVE-2023-23882 Brainstormforce Missing Authorization vulnerability in Brainstormforce Ultimate Addons for Beaver Builder

Missing Authorization vulnerability in Brainstorm Force Ultimate Addons for Beaver Builder – Lite.This issue affects Ultimate Addons for Beaver Builder – Lite: from n/a through 1.5.5.

4.3
2024-01-17 CVE-2023-34379 Magneticone Missing Authorization vulnerability in Magneticone Magento to Woocommerce Migration

Missing Authorization vulnerability in MagneticOne Cart2Cart: Magento to WooCommerce Migration.This issue affects Cart2Cart: Magento to WooCommerce Migration: from n/a through 2.0.0.

4.3
2024-01-16 CVE-2022-0775 Woocommerce Incorrect Authorization vulnerability in Woocommerce

The WooCommerce WordPress plugin before 6.2.1 does not have proper authorisation check when deleting reviews, which could allow any authenticated users, such as subscriber to delete arbitrary comment

4.3
2024-01-16 CVE-2022-1760 Dd32 Cross-Site Request Forgery (CSRF) vulnerability in Dd32 Core Control

The Core Control WordPress plugin through 1.2.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

4.3
2024-01-16 CVE-2022-23180 Themehunk Missing Authorization vulnerability in Themehunk Contact Form & Lead Form Elementor Builder

The Contact Form & Lead Form Elementor Builder WordPress plugin before 1.7.4 doesn't have authorisation and nonce checks, which could allow any authenticated users, such as subscriber to update and change various settings

4.3
2024-01-16 CVE-2023-3178 Wpexperts Cross-Site Request Forgery (CSRF) vulnerability in Wpexperts Post Smtp

The POST SMTP Mailer WordPress plugin before 2.5.7 does not have proper CSRF checks in some AJAX actions, which could allow attackers to make logged in users with the manage_postman_smtp capability delete arbitrary logs via a CSRF attack.

4.3
2024-01-16 CVE-2023-6292 Lightspeedhq Cross-Site Request Forgery (CSRF) vulnerability in Lightspeedhq Ecwid Ecommerce Shopping Cart

The Ecwid Ecommerce Shopping Cart WordPress plugin before 6.12.5 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack.

4.3
2024-01-16 CVE-2023-6741 Marvinlabs Unspecified vulnerability in Marvinlabs WP Customer Area

The WP Customer Area WordPress plugin before 8.2.1 does not properly validate users capabilities in some of its AJAX actions, allowing malicious users to edit other users' account address.

4.3
2024-01-16 CVE-2023-7125 Peepso Cross-Site Request Forgery (CSRF) vulnerability in Peepso

The Community by PeepSo WordPress plugin before 6.3.1.2 does not have CSRF check when creating a user post (visible on their wall in their profile page), which could allow attackers to make logged in users perform such action via a CSRF attack

4.3
2024-01-15 CVE-2023-6066 Kishorkhambu Missing Authorization vulnerability in Kishorkhambu WP Custom Widget Area

The WP Custom Widget area WordPress plugin through 1.2.5 does not properly apply capability and nonce checks on any of its AJAX action callback functions, which could allow attackers with subscriber+ privilege to create, delete or modify menus on the site.

4.3
2024-01-15 CVE-2023-6843 Easy Jobs Unspecified vulnerability in Easy.Jobs

The easy.jobs- Best Recruitment Plugin for Job Board Listing, Manager, Career Page for Elementor & Gutenberg WordPress plugin before 2.4.7 does not properly secure some of its AJAX actions, allowing any logged-in users to modify its settings.

4.3

11 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2024-01-16 CVE-2024-20920 Oracle Unspecified vulnerability in Oracle Solaris 11

Vulnerability in the Oracle Solaris product of Oracle Systems (component: Filesystem).

3.8
2024-01-19 CVE-2024-23329 Changedetection Incorrect Authorization vulnerability in Changedetection

changedetection.io is an open source tool designed to monitor websites for content changes.

3.7
2024-01-18 CVE-2024-22403 Nextcloud Insufficient Session Expiration vulnerability in Nextcloud Server

Nextcloud server is a self hosted personal cloud system.

3.7
2024-01-16 CVE-2024-20955 Oracle Unspecified vulnerability in Oracle Graalvm and Graalvm for JDK

Vulnerability in the Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Compiler).

3.7
2024-01-19 CVE-2023-5081 Lenovo Unspecified vulnerability in Lenovo products

An information disclosure vulnerability was reported in the Lenovo Tab M8 HD that could allow a local application to gather a non-resettable device identifier.

3.3
2024-01-16 CVE-2024-20910 Oracle Unspecified vulnerability in Oracle Audit Vault and Database Firewall

Vulnerability in Oracle Audit Vault and Database Firewall (component: Firewall).

3.0
2024-01-16 CVE-2024-20912 Oracle Unspecified vulnerability in Oracle Audit Vault and Database Firewall

Vulnerability in Oracle Audit Vault and Database Firewall (component: Firewall).

2.7
2024-01-16 CVE-2024-20957 Oracle Unspecified vulnerability in Oracle JD Edwards Enterpriseone Tools

Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Package Build SEC).

2.7
2024-01-16 CVE-2023-2252 Wpwax Path Traversal vulnerability in Wpwax Directorist

The Directorist WordPress plugin before 7.5.4 is vulnerable to Local File Inclusion as it does not validate the file parameter when importing CSV files.

2.7
2024-01-16 CVE-2024-20922 Oracle
Netapp
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JavaFX).
2.5
2024-01-16 CVE-2024-20914 Oracle Unspecified vulnerability in Oracle ZFS Storage Appliance KIT 8.8

Vulnerability in the Oracle ZFS Storage Appliance Kit product of Oracle Systems (component: Core).

2.3