Weekly Vulnerabilities Reports > January 29 to February 4, 2024

Overview

523 new vulnerabilities reported during this period, including 96 critical vulnerabilities and 185 high severity vulnerabilities. This weekly summary report vulnerabilities in 378 products from 282 vendors including IBM, Qnap, Totolink, Fedoraproject, and Redhat. Vulnerabilities are notably categorized as "Cross-site Scripting", "Path Traversal", "Cross-Site Request Forgery (CSRF)", "SQL Injection", and "OS Command Injection".

  • 451 reported vulnerabilities are remotely exploitables.
  • 1 reported vulnerabilities have public exploit available.
  • 248 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 292 reported vulnerabilities are exploitable by an anonymous user.
  • IBM has the most reported vulnerabilities, with 35 reported vulnerabilities.
  • Totolink has the most reported critical vulnerabilities, with 11 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

96 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2024-02-04 CVE-2024-25089 Malwarebytes Unspecified vulnerability in Malwarebytes Binisoft Windows Firewall Control

Malwarebytes Binisoft Windows Firewall Control before 6.9.9.2 allows remote attackers to execute arbitrary code via gRPC named pipes.

9.8
2024-02-04 CVE-2020-36773 Artifex Use After Free vulnerability in Artifex Ghostscript

Artifex Ghostscript before 9.53.0 has an out-of-bounds write and use-after-free in devices/vector/gdevtxtw.c (for txtwrite) because a single character code in a PDF document can map to more than one Unicode code point (e.g., for a ligature).

9.8
2024-02-04 CVE-2019-25159 Mpedraza2020 SQL Injection vulnerability in Mpedraza2020 Intranet DEL Monterroso

A vulnerability was found in mpedraza2020 Intranet del Monterroso up to 4.50.0.

9.8
2024-02-03 CVE-2024-1198 Openbi Deserialization of Untrusted Data vulnerability in Openbi

A vulnerability, which was classified as critical, was found in openBI up to 6.0.3.

9.8
2024-02-02 CVE-2024-1197 Remyandrade SQL Injection vulnerability in Remyandrade Testimonial Page Manager 1.0

A vulnerability, which was classified as critical, has been found in SourceCodester Testimonial Page Manager 1.0.

9.8
2024-02-02 CVE-2020-29504 Dell Improper Certificate Validation vulnerability in Dell products

Dell BSAFE Crypto-C Micro Edition, versions before 4.1.5, and Dell BSAFE Micro Edition Suite, versions before 4.5.2, contain a Missing Required Cryptographic Step Vulnerability.

9.8
2024-02-02 CVE-2021-21575 Dell Information Exposure Through Discrepancy vulnerability in Dell Bsafe Micro-Edition-Suite

Dell BSAFE Micro Edition Suite, versions before 4.5.2, contain an Observable Timing Discrepancy Vulnerability.

9.8
2024-02-02 CVE-2022-34381 Dell Unspecified vulnerability in Dell Bsafe Crypto-J and Bsafe Ssl-J

Dell BSAFE SSL-J version 7.0 and all versions prior to 6.5, and Dell BSAFE Crypto-J versions prior to 6.2.6.1 contain an unmaintained third-party component vulnerability.

9.8
2024-02-02 CVE-2023-39303 Qnap Improper Authentication vulnerability in Qnap Qts, Quts Hero and Qutscloud

An improper authentication vulnerability has been reported to affect several QNAP operating system versions.

9.8
2024-02-02 CVE-2023-45025 Qnap Command Injection vulnerability in Qnap Qts, Quts Hero and Qutscloud

An OS command injection vulnerability has been reported to affect several QNAP operating system versions.

9.8
2024-02-02 CVE-2024-22108 Gttb SQL Injection vulnerability in Gttb GTB Central Console 15.17.130814.Ng

An issue was discovered in GTB Central Console 15.17.1-30814.NG.

9.8
2024-02-02 CVE-2024-24029 Jfinalcms Project SQL Injection vulnerability in Jfinalcms Project Jfinalcms 5.0.0

JFinalCMS 5.0.0 is vulnerable to SQL injection via /admin/content/data.

9.8
2024-02-02 CVE-2024-24757 Degamisu Unspecified vulnerability in Degamisu Open-Irs

open-irs is an issue response robot that reponds to issues in the installed repository.

9.8
2024-02-02 CVE-2023-47143 IBM Improper Encoding or Escaping of Output vulnerability in IBM Tivoli Application Dependency Discovery Manager

IBM Tivoli Application Dependency Discovery Manager 7.3.0.0 through 7.3.0.10 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers.

9.8
2024-02-02 CVE-2023-6675 Nationalkeep Unrestricted Upload of File with Dangerous Type vulnerability in Nationalkeep Cybermath 1.4

Unrestricted Upload of File with Dangerous Type vulnerability in National Keep Cyber Security Services CyberMath allows Upload a Web Shell to a Web Server.This issue affects CyberMath: from v.1.4 before v.1.5.

9.8
2024-02-02 CVE-2023-50488 Blurams Code Injection vulnerability in Blurams Lumi Security Camera A31C Firmware 23.0406.435.412

An issue in Blurams Lumi Security Camera (A31C) v23.0406.435.4120 allows attackers to execute arbitrary code.

9.8
2024-02-02 CVE-2024-0338 Apachefriends Classic Buffer Overflow vulnerability in Apachefriends Xampp

A buffer overflow vulnerability has been found in XAMPP affecting version 8.2.4 and earlier.

9.8
2024-02-02 CVE-2024-23978 Kddi Out-of-bounds Write vulnerability in Kddi Home Spot Cube 2 Firmware V102

Heap-based buffer overflow vulnerability exists in HOME SPOT CUBE2 V102 and earlier.

9.8
2024-02-02 CVE-2024-0685 Ninjaforms SQL Injection vulnerability in Ninjaforms Ninja Forms

The Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Second Order SQL Injection via the email address value submitted through forms in all versions up to, and including, 3.7.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.

9.8
2024-02-02 CVE-2024-24482 Apktool Path Traversal vulnerability in Apktool

Aprktool before 2.9.3 on Windows allows ../ and /..

9.8
2024-02-02 CVE-2024-22319 IBM Injection vulnerability in IBM Operational Decision Manager

IBM Operational Decision Manager 8.10.3, 8.10.4, 8.10.5.1, 8.11, 8.11.0.1, 8.11.1 and 8.12.0.1 is susceptible to remote code execution attack via JNDI injection when passing an unchecked argument to a certain API.

9.8
2024-02-02 CVE-2024-22533 Xiandafu Code Injection vulnerability in Xiandafu Beetl 3.15.12

Before Beetl v3.15.12, the rendering template has a server-side template injection (SSTI) vulnerability.

9.8
2024-02-02 CVE-2023-32333 IBM Improper Access Control vulnerability in IBM Maximo Asset Management 7.6.1.3

IBM Maximo Asset Management 7.6.1.3 could allow a remote attacker to log into the admin panel due to improper access controls.

9.8
2024-02-02 CVE-2023-48792 Zohocorp SQL Injection vulnerability in Zohocorp Manageengine Adaudit Plus

Zoho ManageEngine ADAudit Plus through 7250 is vulnerable to SQL Injection in the report export option.

9.8
2024-02-02 CVE-2023-48793 Zohocorp SQL Injection vulnerability in Zohocorp Manageengine Adaudit Plus

Zoho ManageEngine ADAudit Plus through 7250 allows SQL Injection in the aggregate report feature.

9.8
2024-02-02 CVE-2024-22779 Kihron Path Traversal vulnerability in Kihron Serverrpexposer

Directory Traversal vulnerability in Kihron ServerRPExposer v.1.0.2 and before allows a remote attacker to execute arbitrary code via the loadServerPack in ServerResourcePackProviderMixin.java.

9.8
2024-02-02 CVE-2024-22901 Vinchin Unspecified vulnerability in Vinchin Backup and Recovery

Vinchin Backup & Recovery v7.2 was discovered to use default MYSQL credentials.

9.8
2024-02-02 CVE-2024-22902 Vinchin Unspecified vulnerability in Vinchin Backup and Recovery

Vinchin Backup & Recovery v7.2 was discovered to be configured with default root credentials.

9.8
2024-02-02 CVE-2024-23746 Miro Code Injection vulnerability in Miro 0.8.18

Miro Desktop 0.8.18 on macOS allows local Electron code injection via a complex series of steps that might be usable in some environments (bypass a kTCCServiceSystemPolicyAppBundles requirement via a file copy, an app.app/Contents rename, an asar modification, and a rename back to app.app/Contents).

9.8
2024-02-02 CVE-2023-50940 IBM Incorrect Comparison vulnerability in IBM Powersc 1.3/2.0/2.1

IBM PowerSC 1.3, 2.0, and 2.1 uses Cross-Origin Resource Sharing (CORS) which could allow an attacker to carry out privileged actions and retrieve sensitive information as the domain name is not being limited to only trusted domains.

9.8
2024-02-02 CVE-2024-21764 Rapidscada Use of Hard-coded Credentials vulnerability in Rapidscada Rapid Scada

In Rapid Software LLC's Rapid SCADA versions prior to Version 5.8.4, the product uses hard-coded credentials, which may allow an attacker to connect to a specific port.

9.8
2024-02-01 CVE-2023-46706 Machinesense Use of Hard-coded Credentials vulnerability in Machinesense Feverwarn Firmware

Multiple MachineSense devices have credentials unable to be changed by the user or administrator.

9.8
2024-02-01 CVE-2023-4472 Objectplanet Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) vulnerability in Objectplanet Opinio

Objectplanet Opinio version 7.22 and prior uses a cryptographically weak pseudo-random number generator (PRNG) coupled to a predictable seed, which could lead to an unauthenticated account takeover of any user on the application.

9.8
2024-02-01 CVE-2024-1039 Gesslergmbh Improper Authentication vulnerability in Gesslergmbh Web-Master Firmware 7.9

Gessler GmbH WEB-MASTER has a restoration account that uses weak hard coded credentials and if exploited could allow an attacker control over the web management of the device.

9.8
2024-02-01 CVE-2024-23832 Joinmastodon Authentication Bypass by Spoofing vulnerability in Joinmastodon Mastodon

Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for authentication.

9.8
2024-02-01 CVE-2024-24561 Vyperlang Out-of-bounds Write vulnerability in Vyperlang Vyper

Vyper is a pythonic Smart Contract Language for the ethereum virtual machine.

9.8
2024-02-01 CVE-2024-24754 Mnapoli Interpretation Conflict vulnerability in Mnapoli Bref

Bref enable serverless PHP on AWS Lambda.

9.8
2024-02-01 CVE-2023-6078 3DS OS Command Injection vulnerability in 3DS Biovia Materials Studio 2021/2023

An OS Command Injection vulnerability exists in BIOVIA Materials Studio products from Release BIOVIA 2021 through Release BIOVIA 2023.

9.8
2024-01-31 CVE-2024-23653 Mobyproject Incorrect Authorization vulnerability in Mobyproject Buildkit

BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner.

9.8
2024-01-31 CVE-2022-47072 Sparxsystems SQL Injection vulnerability in Sparxsystems Enterprise Architect 16.0.1605

SQL injection vulnerability in Enterprise Architect 16.0.1605 32-bit allows attackers to run arbitrary SQL commands via the Find parameter in the Select Classifier dialog box..

9.8
2024-01-31 CVE-2024-1117 Openbi Code Injection vulnerability in Openbi

A vulnerability was found in openBI up to 1.0.8.

9.8
2024-01-31 CVE-2024-1113 Openbi Unrestricted Upload of File with Dangerous Type vulnerability in Openbi

A vulnerability, which was classified as critical, was found in openBI up to 1.0.8.

9.8
2024-01-31 CVE-2024-1114 Openbi Unspecified vulnerability in Openbi

A vulnerability has been found in openBI up to 1.0.8 and classified as critical.

9.8
2024-01-31 CVE-2024-1115 Openbi OS Command Injection vulnerability in Openbi

A vulnerability was found in openBI up to 1.0.8 and classified as critical.

9.8
2024-01-31 CVE-2024-1116 Openbi Unrestricted Upload of File with Dangerous Type vulnerability in Openbi

A vulnerability was found in openBI up to 1.0.8.

9.8
2024-01-31 CVE-2024-24579 Anchore Path Traversal vulnerability in Anchore Stereoscope

stereoscope is a go library for processing container images and simulating a squash filesystem.

9.8
2024-01-31 CVE-2024-1112 Angusj Out-of-bounds Write vulnerability in Angusj Resource Hacker 3.6.0.92

Heap-based buffer overflow vulnerability in Resource Hacker, developed by Angus Johnson, affecting version 3.6.0.92.

9.8
2024-01-31 CVE-2024-1012 Whir SQL Injection vulnerability in Whir Ezoffice 11.1.0

A vulnerability, which was classified as critical, has been found in Wanhu ezOFFICE 11.1.0.

9.8
2024-01-31 CVE-2024-23745 Notion Command Injection vulnerability in Notion web Clipper 1.0.3(7)

In Notion Web Clipper 1.0.3(7), a .nib file is susceptible to the Dirty NIB attack.

9.8
2024-01-30 CVE-2024-1036 Openbi Unrestricted Upload of File with Dangerous Type vulnerability in Openbi

A vulnerability was found in openBI up to 1.0.8 and classified as critical.

9.8
2024-01-30 CVE-2024-1035 Openbi Project Unrestricted Upload of File with Dangerous Type vulnerability in Openbi Project Openbi

A vulnerability has been found in openBI up to 1.0.8 and classified as critical.

9.8
2024-01-30 CVE-2024-21653 Vantage6 Unspecified vulnerability in Vantage6

The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC).

9.8
2024-01-30 CVE-2024-1034 Openbi Project Unrestricted Upload of File with Dangerous Type vulnerability in Openbi Project Openbi

A vulnerability, which was classified as critical, was found in openBI up to 1.0.8.

9.8
2024-01-30 CVE-2024-24324 Totolink Use of Hard-coded Credentials vulnerability in Totolink A8000Ru Firmware 7.1Cu.643B20200521

TOTOLINK A8000RU v7.1cu.643_B20200521 was discovered to contain a hardcoded password for root stored in /etc/shadow.

9.8
2024-01-30 CVE-2024-24325 Totolink OS Command Injection vulnerability in Totolink A3300R Firmware 17.0.0Cu.557B20221024

TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the enable parameter in the setParentalRules function.

9.8
2024-01-30 CVE-2024-24326 Totolink OS Command Injection vulnerability in Totolink A3300R Firmware 17.0.0Cu.557B20221024

TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the arpEnable parameter in the setStaticDhcpRules function.

9.8
2024-01-30 CVE-2024-24327 Totolink OS Command Injection vulnerability in Totolink A3300R Firmware 17.0.0Cu.557B20221024

TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the pppoePass parameter in the setIpv6Cfg function.

9.8
2024-01-30 CVE-2024-24328 Totolink OS Command Injection vulnerability in Totolink A3300R Firmware 17.0.0Cu.557B20221024

TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the enable parameter in the setMacFilterRules function.

9.8
2024-01-30 CVE-2024-24329 Totolink OS Command Injection vulnerability in Totolink A3300R Firmware 17.0.0Cu.557B20221024

TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the enable parameter in the setPortForwardRules function.

9.8
2024-01-30 CVE-2024-24330 Totolink OS Command Injection vulnerability in Totolink A3300R Firmware 17.0.0Cu.557B20221024

TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the port or enable parameter in the setRemoteCfg function.

9.8
2024-01-30 CVE-2024-24331 Totolink OS Command Injection vulnerability in Totolink A3300R Firmware 17.0.0Cu.557B20221024

TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the enable parameter in the setWiFiScheduleCfg function.

9.8
2024-01-30 CVE-2024-24332 Totolink OS Command Injection vulnerability in Totolink A3300R Firmware 17.0.0Cu.557B20221024

TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the url parameter in the setUrlFilterRules function.

9.8
2024-01-30 CVE-2024-24333 Totolink OS Command Injection vulnerability in Totolink A3300R Firmware 17.0.0Cu.557B20221024

TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the desc parameter in the setWiFiAclRules function.

9.8
2024-01-30 CVE-2024-1032 Openbi Project Deserialization of Untrusted Data vulnerability in Openbi Project Openbi

A vulnerability classified as critical was found in openBI up to 1.0.8.

9.8
2024-01-30 CVE-2023-6943 Mitsubishielectric Unsafe Reflection vulnerability in Mitsubishielectric products

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in Mitsubishi Electric Corporation EZSocket versions 3.0 and later, GT Designer3 Version1(GOT1000) all versions, GT Designer3 Version1(GOT2000) all versions, GX Works2 versions 1.11M and later, GX Works3 versions 1.106L and prior, MELSOFT Navigator versions 1.04E and later, MT Works2 all versions, MX Component versions 4.00A and later and MX OPC Server DA/UA all versions allows a remote unauthenticated attacker to execute a malicious code by RPC with a path to a malicious library while connected to the products.

9.8
2024-01-30 CVE-2024-1061 Bplugins SQL Injection vulnerability in Bplugins Html5 Video Player

The 'HTML5 Video Player' WordPress Plugin, version < 2.5.25 is affected by an unauthenticated SQL injection vulnerability in the 'id' parameter in the  'get_view' function.

9.8
2024-01-30 CVE-2024-21488 Forkhq Command Injection vulnerability in Forkhq Network

Versions of the package network before 0.7.0 are vulnerable to Arbitrary Command Injection due to use of the child_process exec function without input sanitization.

9.8
2024-01-30 CVE-2024-1027 Oretnom23 Unrestricted Upload of File with Dangerous Type vulnerability in Oretnom23 Facebook News Feed Like 1.0

A vulnerability, which was classified as critical, was found in SourceCodester Facebook News Feed Like 1.0.

9.8
2024-01-30 CVE-2023-51837 Meshcentral Improper Certificate Validation vulnerability in Meshcentral 1.1.16

Ylianst MeshCentral 1.1.16 is vulnerable to Missing SSL Certificate Validation.

9.8
2024-01-30 CVE-2023-51982 Cratedb Improper Authentication vulnerability in Cratedb 5.5.1

CrateDB 5.5.1 is contains an authentication bypass vulnerability in the Admin UI component.

9.8
2024-01-29 CVE-2024-1021 Ruifang Tech Server-Side Request Forgery (SSRF) vulnerability in Ruifang-Tech Rebuild

A vulnerability, which was classified as critical, has been found in Rebuild up to 3.5.5.

9.8
2024-01-29 CVE-2023-51840 Html JS Use of Hard-coded Credentials vulnerability in Html-Js Doracms 2.1.8

DoraCMS 2.1.8 is vulnerable to Use of Hard-coded Cryptographic Key.

9.8
2024-01-29 CVE-2024-24141 Remyandrade SQL Injection vulnerability in Remyandrade School Task Manager 1.0

Sourcecodester School Task Manager App 1.0 allows SQL Injection via the 'task' parameter.

9.8
2024-01-29 CVE-2024-1009 Employee Management System Project SQL Injection vulnerability in Employee Management System Project Employee Management System 1.0

A vulnerability was found in SourceCodester Employee Management System 1.0.

9.8
2024-01-29 CVE-2024-23822 Thruk Path Traversal vulnerability in Thruk

Thruk is a multibackend monitoring webinterface.

9.8
2024-01-29 CVE-2024-23827 Nginxui Path Traversal vulnerability in Nginxui Nginx UI

Nginx-UI is a web interface to manage Nginx configurations.

9.8
2024-01-29 CVE-2024-1001 Totolink Stack-based Buffer Overflow vulnerability in Totolink N200Re Firmware 9.3.5U.6139B20201216

A vulnerability classified as critical has been found in Totolink N200RE 9.3.5u.6139_B20201216.

9.8
2024-01-29 CVE-2024-1015 SE Elektronicgmbh Code Injection vulnerability in Se-Elektronicgmbh E-Ddc3.3 Firmware 03.07.03

Remote command execution vulnerability in SE-elektronic GmbH E-DDC3.3 affecting versions 03.07.03 and higher.

9.8
2024-01-29 CVE-2024-23790 Otrs Improper Validation of Integrity Check Value vulnerability in Otrs

Improper Input Validation vulnerability in the upload functionality for user avatars allows functionality misuse due to missing check of filetypes. This issue affects OTRS: from 7.0.X through 7.0.48, from 8.0.X through 8.0.37, from 2023 through 2023.1.1.

9.8
2024-01-29 CVE-2024-0996 Tenda Out-of-bounds Write vulnerability in Tenda I9 Firmware 1.0.0.6(1020)

A vulnerability classified as critical has been found in Tenda i9 1.0.0.9(4122).

9.8
2024-01-29 CVE-2024-0993 Tenda Out-of-bounds Write vulnerability in Tenda I6 Firmware 1.0.0.9(3857)

A vulnerability was found in Tenda i6 1.0.0.9(3857).

9.8
2024-01-29 CVE-2024-0994 Tenda Out-of-bounds Write vulnerability in Tenda W6 Firmware 1.0.0.9(4122)

A vulnerability was found in Tenda W6 1.0.0.9(4122).

9.8
2024-01-29 CVE-2024-0995 Tenda Out-of-bounds Write vulnerability in Tenda W6 Firmware 1.0.0.9(4122)

A vulnerability was found in Tenda W6 1.0.0.9(4122).

9.8
2024-01-29 CVE-2024-0989 Kuerp Project Path Traversal vulnerability in Kuerp Project Kuerp 1.0.4

A vulnerability, which was classified as problematic, has been found in Sichuan Yougou Technology KuERP up to 1.0.4.

9.8
2024-01-29 CVE-2024-0990 Tenda Out-of-bounds Write vulnerability in Tenda I6 Firmware 1.0.0.9(3857)

A vulnerability, which was classified as critical, was found in Tenda i6 1.0.0.9(3857).

9.8
2024-01-29 CVE-2024-0991 Tenda Out-of-bounds Write vulnerability in Tenda I6 Firmware 1.0.0.9(3857)

A vulnerability has been found in Tenda i6 1.0.0.9(3857) and classified as critical.

9.8
2024-01-29 CVE-2024-0992 Tenda Out-of-bounds Write vulnerability in Tenda I6 Firmware 1.0.0.9(3857)

A vulnerability was found in Tenda i6 1.0.0.9(3857) and classified as critical.

9.8
2024-01-29 CVE-2024-0986 Issabel OS Command Injection vulnerability in Issabel PBX 4.0.0

A vulnerability was found in Issabel PBX 4.0.0.

9.8
2024-01-29 CVE-2024-0987 Kuerp Project Improper Encoding or Escaping of Output vulnerability in Kuerp Project Kuerp 1.0.4

A vulnerability classified as critical has been found in Sichuan Yougou Technology KuERP up to 1.0.4.

9.8
2024-01-29 CVE-2024-0988 Kuerp Project Improper Authentication vulnerability in Kuerp Project Kuerp 1.0.4

A vulnerability classified as critical was found in Sichuan Yougou Technology KuERP up to 1.0.4.

9.8
2024-02-01 CVE-2023-49617 Machinesense Missing Authentication for Critical Function vulnerability in Machinesense Feverwarn Firmware

The MachineSense application programmable interface (API) is improperly protected and can be accessed without authentication.

9.1
2024-02-01 CVE-2023-5841 Openexr Out-of-bounds Write vulnerability in Openexr

Due to a failure in validating the number of scanline samples of a OpenEXR file containing deep scanline data, Academy Software Foundation OpenEX image parsing library version 3.2.1 and prior is susceptible to a heap-based buffer overflow vulnerability.

9.1
2024-01-31 CVE-2024-23652 Mobyproject Path Traversal vulnerability in Mobyproject Buildkit

BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner.

9.1
2024-01-31 CVE-2024-21917 Rockwellautomation Improper Verification of Cryptographic Signature vulnerability in Rockwellautomation Factorytalk Services Platform

A vulnerability exists in Rockwell Automation FactoryTalk® Service Platform that allows a malicious user to obtain the service token and use it for authentication on another FTSP directory.

9.1
2024-01-29 CVE-2023-51839 Devicefarmer Use of a Broken or Risky Cryptographic Algorithm vulnerability in Devicefarmer Smartphone Test Farm 3.6.6

DeviceFarmer stf v3.6.6 suffers from Use of a Broken or Risky Cryptographic Algorithm.

9.1
2024-02-03 CVE-2023-31004 IBM Man-in-the-Middle vulnerability in IBM products

IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) could allow a remote attacker to gain access to the underlying system using man in the middle techniques.

9.0

185 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2024-02-03 CVE-2023-43183 Reprise Unspecified vulnerability in Reprise License Manager 15.1

Incorrect access control in Reprise License Management Software Reprise License Manager v15.1 allows read-only users to arbitrarily change the password of an admin and hijack their account.

8.8
2024-02-02 CVE-2023-39297 Qnap OS Command Injection vulnerability in Qnap Qts, Quts Hero and Qutscloud

An OS command injection vulnerability has been reported to affect several QNAP operating system versions.

8.8
2024-02-02 CVE-2023-47562 Qnap Command Injection vulnerability in Qnap Photo Station

An OS command injection vulnerability has been reported to affect Photo Station.

8.8
2024-02-02 CVE-2023-47568 Qnap SQL Injection vulnerability in Qnap Qts, Quts Hero and Qutscloud

A SQL injection vulnerability has been reported to affect several QNAP operating system versions.

8.8
2024-02-02 CVE-2024-24470 Flusity Cross-Site Request Forgery (CSRF) vulnerability in Flusity 2.33

Cross Site Request Forgery vulnerability in flusity-CMS v.2.33 allows a remote attacker to execute arbitrary code via the update_post.php component.

8.8
2024-02-02 CVE-2023-47142 IBM Incorrect Authorization vulnerability in IBM Tivoli Application Dependency Discovery Manager

IBM Tivoli Application Dependency Discovery Manager 7.3.0.0 through 7.3.0.10 could allow an attacker on the organization's local network to escalate their privileges due to unauthorized API access.

8.8
2024-02-02 CVE-2023-6676 Nationalkeep Cross-Site Request Forgery (CSRF) vulnerability in Nationalkeep Cybermath 1.4

Cross-Site Request Forgery (CSRF) vulnerability in National Keep Cyber Security Services CyberMath allows Cross Site Request Forgery.This issue affects CyberMath: from v1.4 before v1.5.

8.8
2024-02-02 CVE-2024-0253 Zohocorp SQL Injection vulnerability in Zohocorp Manageengine Adaudit Plus

ManageEngine ADAudit Plus versions 7270 and below are vulnerable to the Authenticated SQL injection in home Graph-Data.

8.8
2024-02-02 CVE-2024-0269 Zohocorp SQL Injection vulnerability in Zohocorp Manageengine Adaudit Plus

ManageEngine ADAudit Plus versions 7270 and below are vulnerable to the Authenticated SQL injection in File-Summary DrillDown.

8.8
2024-02-02 CVE-2024-24524 Flusity Cross-Site Request Forgery (CSRF) vulnerability in Flusity 2.33

Cross Site Request Forgery (CSRF) vulnerability in flusity-CMS v.2.33, allows remote attackers to execute arbitrary code via the add_menu.php component.

8.8
2024-02-02 CVE-2020-24681 BR Automation Incorrect Permission Assignment for Critical Resource vulnerability in Br-Automation Automation Studio

Incorrect Permission Assignment for Critical Resource vulnerability in B&R Industrial Automation Automation Studio allows Privilege Escalation.This issue affects Automation Studio: from 4.6.0 through 4.6.X, from 4.7.0 before 4.7.7 SP, from 4.8.0 before 4.8.6 SP, from 4.9.0 before 4.9.4 SP.

8.8
2024-02-02 CVE-2023-45734 Openatom Out-of-bounds Write vulnerability in Openatom Openharmony

in OpenHarmony v3.2.4 and prior versions allow an adjacent attacker arbitrary code execution through out-of-bounds write.

8.8
2024-02-02 CVE-2024-21860 Openatom Use After Free vulnerability in Openatom Openharmony

in OpenHarmony v4.0.0 and prior versions allow an adjacent attacker arbitrary code execution in any apps through use after free.

8.8
2024-02-02 CVE-2023-38263 IBM Improper Access Control vulnerability in IBM Soar Qradar Plugin APP

IBM SOAR QRadar Plugin App 1.0 through 5.0.3 could allow an authenticated user to perform unauthorized actions due to improper access controls.

8.8
2024-02-02 CVE-2024-22320 IBM Deserialization of Untrusted Data vulnerability in IBM Operational Decision Manager

IBM Operational Decision Manager 8.10.3 could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization.

8.8
2024-02-02 CVE-2024-22899 Vinchin Unspecified vulnerability in Vinchin Backup and Recovery

Vinchin Backup & Recovery v7.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the syncNtpTime function.

8.8
2024-02-02 CVE-2024-22900 Vinchin Command Injection vulnerability in Vinchin Backup and Recovery

Vinchin Backup & Recovery v7.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the setNetworkCardInfo function.

8.8
2024-02-02 CVE-2024-22903 Vinchin Command Injection vulnerability in Vinchin Backup and Recovery

Vinchin Backup & Recovery v7.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the deleteUpdateAPK function.

8.8
2024-02-02 CVE-2023-50936 IBM Insufficient Session Expiration vulnerability in IBM Powersc 1.3/2.0/2.1

IBM PowerSC 1.3, 2.0, and 2.1 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system.

8.8
2024-02-01 CVE-2023-36496 Pingidentity Unspecified vulnerability in Pingidentity Pingdirectory

Delegated Admin Privilege virtual attribute provider plugin, when enabled, allows an authenticated user to elevate their permissions in the Directory Server.

8.8
2024-02-01 CVE-2023-47867 Machinesense Unspecified vulnerability in Machinesense Feverwarn Firmware

MachineSense FeverWarn devices are configured as Wi-Fi hosts in a way that attackers within range could connect to the device's web services and compromise the device.

8.8
2024-02-01 CVE-2024-21852 Rapidscada Path Traversal vulnerability in Rapidscada Rapid Scada

In Rapid Software LLC's Rapid SCADA versions prior to Version 5.8.4, an attacker can supply a malicious configuration file by utilizing a Zip Slip vulnerability in the unpacking routine to achieve remote code execution.

8.8
2024-02-01 CVE-2023-51939 Relic Project Injection vulnerability in Relic Project Relic 0.6.0

An issue in the cp_bbs_sig function in relic/src/cp/relic_cp_bbs.c of Relic relic-toolkit 0.6.0 allows a remote attacker to obtain sensitive information and escalate privileges via the cp_bbs_sig function.

8.8
2024-02-01 CVE-2024-22859 Laravel Cross-Site Request Forgery (CSRF) vulnerability in Laravel Livewire

Cross-Site Request Forgery (CSRF) vulnerability in livewire before v3.0.4, allows remote attackers to execute arbitrary code getCsrfToken function.

8.8
2024-01-31 CVE-2024-24573 Facilemanager Incorrect Authorization vulnerability in Facilemanager

facileManager is a modular suite of web apps built with the sysadmin in mind.

8.8
2024-01-31 CVE-2024-24747 Minio Improper Privilege Management vulnerability in Minio 20240131T202033Z

MinIO is a High Performance Object Storage.

8.8
2024-01-31 CVE-2024-21888 Ivanti Unspecified vulnerability in Ivanti Connect Secure and Policy Secure

A privilege escalation vulnerability in web component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows a user to elevate privileges to that of an administrator.

8.8
2024-01-31 CVE-2024-22136 Droitthemes Cross-Site Request Forgery (CSRF) vulnerability in Droitthemes Droit Elementor Addons

Cross-Site Request Forgery (CSRF) vulnerability in DroitThemes Droit Elementor Addons – Widgets, Blocks, Templates Library For Elementor Builder.This issue affects Droit Elementor Addons – Widgets, Blocks, Templates Library For Elementor Builder: from n/a through 3.1.5.

8.8
2024-01-31 CVE-2024-22140 Cozmoslabs Cross-Site Request Forgery (CSRF) vulnerability in Cozmoslabs Profile Builder

Cross-Site Request Forgery (CSRF) vulnerability in Cozmoslabs Profile Builder Pro.This issue affects Profile Builder Pro: from n/a through 3.10.0.

8.8
2024-01-31 CVE-2024-22143 Wpspellcheck Cross-Site Request Forgery (CSRF) vulnerability in Wpspellcheck

Cross-Site Request Forgery (CSRF) vulnerability in WP Spell Check.This issue affects WP Spell Check: from n/a through 9.17.

8.8
2024-01-31 CVE-2024-22285 Elisebosse Cross-Site Request Forgery (CSRF) vulnerability in Elisebosse Frontpage Manager 1.3

Cross-Site Request Forgery (CSRF) vulnerability in Elise Bosse Frontpage Manager.This issue affects Frontpage Manager: from n/a through 1.3.

8.8
2024-01-31 CVE-2024-22291 Marcomilesi Cross-Site Request Forgery (CSRF) vulnerability in Marcomilesi Browser Theme Color 1.3

Cross-Site Request Forgery (CSRF) vulnerability in Marco Milesi Browser Theme Color.This issue affects Browser Theme Color: from n/a through 1.3.

8.8
2024-01-31 CVE-2024-22304 Borbis Cross-Site Request Forgery (CSRF) vulnerability in Borbis Freshmail for Wordpress 2.3.2

Cross-Site Request Forgery (CSRF) vulnerability in Borbis Media FreshMail For WordPress.This issue affects FreshMail For WordPress: from n/a through 2.3.2.

8.8
2024-01-31 CVE-2024-22290 Custom Dashboard Widgets Project Cross-Site Request Forgery (CSRF) vulnerability in Custom Dashboard Widgets Project Custom Dashboard Widgets 1.3.1

Cross-Site Request Forgery (CSRF) vulnerability in AboZain,O7abeeb,UnitOne Custom Dashboard Widgets allows Cross-Site Scripting (XSS).This issue affects Custom Dashboard Widgets: from n/a through 1.3.1.

8.8
2024-01-31 CVE-2024-23507 Instawp SQL Injection vulnerability in Instawp Connect

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in InstaWP Team InstaWP Connect – 1-click WP Staging & Migration.This issue affects InstaWP Connect – 1-click WP Staging & Migration: from n/a through 0.1.0.9.

8.8
2024-01-30 CVE-2024-1059 Google
Fedoraproject
Use After Free vulnerability in multiple products

Use after free in Peer Connection in Google Chrome prior to 121.0.6167.139 allowed a remote attacker to potentially exploit stack corruption via a crafted HTML page.

8.8
2024-01-30 CVE-2024-1060 Google
Fedoraproject
Use After Free vulnerability in multiple products

Use after free in Canvas in Google Chrome prior to 121.0.6167.139 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8.8
2024-01-30 CVE-2024-1077 Google
Fedoraproject
Use After Free vulnerability in multiple products

Use after free in Network in Google Chrome prior to 121.0.6167.139 allowed a remote attacker to potentially exploit heap corruption via a malicious file.

8.8
2024-01-30 CVE-2024-23647 Goauthentik Improper Authentication vulnerability in Goauthentik Authentik

Authentik is an open-source Identity Provider.

8.8
2024-01-30 CVE-2023-37518 Hcltech Code Injection vulnerability in Hcltech Bigfix Servicenow Data Flow 1.2

HCL BigFix ServiceNow is vulnerable to arbitrary code injection.

8.8
2024-01-30 CVE-2024-21649 Vantage6 Code Injection vulnerability in Vantage6

The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC).

8.8
2024-01-29 CVE-2023-4551 Opentext Unspecified vulnerability in Opentext Appbuilder 21.2

Improper Input Validation vulnerability in OpenText AppBuilder on Windows, Linux allows OS Command Injection. The AppBuilder's Scheduler functionality that facilitates creation of scheduled tasks is vulnerable to command injection.

8.8
2024-01-29 CVE-2024-1011 Employee Management System Project Unspecified vulnerability in Employee Management System Project Employee Management System 1.0

A vulnerability classified as problematic was found in SourceCodester Employee Management System 1.0.

8.8
2024-01-29 CVE-2024-23828 Nginxui Injection vulnerability in Nginxui Nginx UI

Nginx-UI is a web interface to manage Nginx configurations.

8.8
2024-01-29 CVE-2023-6390 Jonathonkemp Cross-Site Request Forgery (CSRF) vulnerability in Jonathonkemp Wordpress Users 1.4.0

The WordPress Users WordPress plugin through 1.4 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack.

8.8
2024-01-29 CVE-2023-6391 Jeremiahorem Cross-Site Request Forgery (CSRF) vulnerability in Jeremiahorem Custom User CSS 0.2

The Custom User CSS WordPress plugin through 0.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack.

8.8
2024-01-29 CVE-2023-6946 Unalignedcode Cross-Site Request Forgery (CSRF) vulnerability in Unalignedcode Autotitle 1.0.3

The Autotitle for WordPress plugin through 1.0.3 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack.

8.8
2024-01-29 CVE-2023-7074 Giovambattistafazioli Cross-Site Request Forgery (CSRF) vulnerability in Giovambattistafazioli WP Social Bookmark Menu 1.2

The WP SOCIAL BOOKMARK MENU WordPress plugin through 1.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack.

8.8
2024-01-29 CVE-2024-1003 Totolink Stack-based Buffer Overflow vulnerability in Totolink N200Re Firmware 9.3.5U.6139B20201216

A vulnerability, which was classified as critical, has been found in Totolink N200RE 9.3.5u.6139_B20201216.

8.8
2024-01-29 CVE-2024-1000 Totolink Out-of-bounds Write vulnerability in Totolink N200Re Firmware 9.3.5U.6139B20201216

A vulnerability was found in Totolink N200RE 9.3.5u.6139_B20201216.

8.8
2024-01-29 CVE-2024-1002 Totolink Stack-based Buffer Overflow vulnerability in Totolink N200Re Firmware 9.3.5U.6139B20201216

A vulnerability classified as critical was found in Totolink N200RE 9.3.5u.6139_B20201216.

8.8
2024-01-29 CVE-2024-0997 Totolink Stack-based Buffer Overflow vulnerability in Totolink N200Re Firmware 9.3.5U.6139B20201216

A vulnerability was found in Totolink N200RE 9.3.5u.6139_B20201216 and classified as critical.

8.8
2024-01-29 CVE-2024-0998 Totolink Stack-based Buffer Overflow vulnerability in Totolink N200Re Firmware 9.3.5U.6139B20201216

A vulnerability was found in Totolink N200RE 9.3.5u.6139_B20201216.

8.8
2024-01-29 CVE-2024-0999 Totolink Stack-based Buffer Overflow vulnerability in Totolink N200Re Firmware 9.3.5U.6139B20201216

A vulnerability was found in Totolink N200RE 9.3.5u.6139_B20201216.

8.8
2024-01-31 CVE-2024-21626 Linuxfoundation
Fedoraproject
Exposure of Resource to Wrong Sphere vulnerability in multiple products

runc is a CLI tool for spawning and running containers on Linux according to the OCI specification.

8.6
2024-01-31 CVE-2023-50165 Pega Server-Side Request Forgery (SSRF) vulnerability in Pega Platform

Pega Platform versions 8.2.1 to Infinity 23.1.0 are affected by an Generated PDF issue that could expose file contents.

8.6
2024-01-30 CVE-2024-1019 Trustwave Unspecified vulnerability in Trustwave Modsecurity

ModSecurity / libModSecurity 3.0.0 to 3.0.11 is affected by a WAF bypass for path-based payloads submitted via specially crafted request URLs.

8.6
2024-02-02 CVE-2024-21399 Microsoft Unspecified vulnerability in Microsoft Edge Chromium

Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

8.3
2024-01-31 CVE-2024-21893 Ivanti Server-Side Request Forgery (SSRF) vulnerability in Ivanti Connect Secure and Policy Secure

A server-side request forgery vulnerability in the SAML component of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) and Ivanti Neurons for ZTA allows an attacker to access certain restricted resources without authentication.

8.2
2024-01-30 CVE-2023-51843 Flatlogic Cross-site Scripting vulnerability in Flatlogic React Dashboard 1.4.0

react-dashboard 1.4.0 is vulnerable to Cross Site Scripting (XSS) as httpOnly is not set.

8.2
2024-02-02 CVE-2023-47564 Qnap Incorrect Permission Assignment for Critical Resource vulnerability in Qnap Qsync Central

An incorrect permission assignment for critical resource vulnerability has been reported to affect Qsync Central.

8.1
2024-02-01 CVE-2023-49610 Machinesense Unspecified vulnerability in Machinesense Feverwarn Firmware

MachineSense FeverWarn Raspberry Pi-based devices lack input sanitization, which could allow an attacker on an adjacent network to send a message running commands or could overflow the stack.

8.1
2024-02-01 CVE-2023-47257 Connectwise Code Injection vulnerability in Connectwise Automate and Screenconnect

ConnectWise ScreenConnect through 23.8.4 allows man-in-the-middle attackers to achieve remote code execution via crafted messages.

8.1
2024-02-01 CVE-2023-51446 Glpi Project LDAP Injection vulnerability in Glpi-Project Glpi

GLPI is a Free Asset and IT Management Software package.

8.1
2024-01-31 CVE-2024-22305 Kaliforms Authorization Bypass Through User-Controlled Key vulnerability in Kaliforms Kali Forms

Authorization Bypass Through User-Controlled Key vulnerability in ali Forms Contact Form builder with drag & drop for WordPress – Kali Forms.This issue affects Contact Form builder with drag & drop for WordPress – Kali Forms: from n/a through 2.3.36.

8.1
2024-01-30 CVE-2023-6258 Latchset Information Exposure Through Discrepancy vulnerability in Latchset Pkcs11-Provider 0.1

A security vulnerability has been identified in the pkcs11-provider, which is associated with Public-Key Cryptography Standards (PKCS#11).

8.1
2024-02-04 CVE-2021-4435 Yarnpkg Untrusted Search Path vulnerability in Yarnpkg Yarn

An untrusted search path vulnerability was found in Yarn.

7.8
2024-02-03 CVE-2023-31005 IBM Improper Privilege Management vulnerability in IBM products

IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) could allow a local user to escalate their privileges due to an improper security configuration.

7.8
2024-02-02 CVE-2024-1201 Panterasoft Unquoted Search Path or Element vulnerability in Panterasoft HDD Health 4.2.0.112

Search path or unquoted item vulnerability in HDD Health affecting versions 4.2.0.112 and earlier.

7.8
2024-02-02 CVE-2023-48645 Eptura SQL Injection vulnerability in Eptura Archibus 4.0.3

An issue was discovered in the Archibus app 4.0.3 for iOS.

7.8
2024-02-02 CVE-2020-24682 BR Automation Unquoted Search Path or Element vulnerability in Br-Automation Automation Studio

Unquoted Search Path or Element vulnerability in B&R Industrial Automation Automation Studio, B&R Industrial Automation NET/PVI allows Target Programs with Elevated Privileges.This issue affects Automation Studio: from 4.0 through 4.6, from 4.7.0 before 4.7.7 SP, from 4.8.0 before 4.8.6 SP, from 4.9.0 before 4.9.4 SP; NET/PVI: from 4.0 through 4.6, from 4.7.0 before 4.7.7, from 4.8.0 before 4.8.6, from 4.9.0 before 4.9.4.

7.8
2024-02-02 CVE-2021-22282 BR Automation Code Injection vulnerability in Br-Automation Automation Studio

Improper Control of Generation of Code ('Code Injection') vulnerability in B&R Industrial Automation Automation Studio allows Local Execution of Code.This issue affects Automation Studio: from 4.0 through 4.12.

7.8
2024-02-02 CVE-2024-21845 Openatom Integer Overflow or Wraparound vulnerability in Openatom Openharmony

in OpenHarmony v4.0.0 and prior versions allow a local attacker cause heap overflow through integer overflow.

7.8
2024-02-02 CVE-2024-21851 Openatom Integer Overflow or Wraparound vulnerability in Openatom Openharmony

in OpenHarmony v4.0.0 and prior versions allow a local attacker cause heap overflow through integer overflow.

7.8
2024-02-02 CVE-2023-46045 Graphviz Out-of-bounds Read vulnerability in Graphviz

Graphviz 2.36.0 through 9.x before 10.0.1 has an out-of-bounds read via a crafted config6a file.

7.8
2024-02-02 CVE-2024-22016 Rapidscada Incorrect Permission Assignment for Critical Resource vulnerability in Rapidscada Rapid Scada

In Rapid Software LLC's Rapid SCADA versions prior to Version 5.8.4, an authorized user can write directly to the Scada directory.

7.8
2024-02-01 CVE-2024-0325 Perforce Command Injection vulnerability in Perforce Helix Sync

In Helix Sync versions prior to 2024.1, a local command injection was identified.

7.8
2024-02-01 CVE-2024-24557 Mobyproject Origin Validation Error vulnerability in Mobyproject Moby

Moby is an open-source project created by Docker to enable software containerization.

7.8
2024-02-01 CVE-2024-22449 Dell Missing Authentication for Critical Function vulnerability in Dell Powerscale Onefs

Dell PowerScale OneFS versions 9.0.0.x through 9.6.0.x contains a missing authentication for critical function vulnerability.

7.8
2024-01-31 CVE-2024-0219 Progress Unspecified vulnerability in Progress Telerik Justdecompile

In Telerik JustDecompile versions prior to 2024 R1, a privilege elevation vulnerability has been identified in the applications installer component.  In an environment where an existing Telerik JustDecompile install is present, a lower privileged user has the ability to manipulate the installation package to elevate their privileges on the underlying operating system.

7.8
2024-01-31 CVE-2024-0832 Progress Unspecified vulnerability in Progress Telerik Reporting

In Telerik Reporting versions prior to 2024 R1, a privilege elevation vulnerability has been identified in the applications installer component.  In an environment where an existing Telerik Reporting install is present, a lower privileged user has the ability to manipulate the installation package to elevate their privileges on the underlying operating system.

7.8
2024-01-31 CVE-2024-0833 Progress Unspecified vulnerability in Progress Telerik Test Studio 2023.3.1115

In Telerik Test Studio versions prior to v2023.3.1330, a privilege elevation vulnerability has been identified in the applications installer component.  In an environment where an existing Telerik Test Studio install is present, a lower privileged user has the ability to manipulate the installation package to elevate their privileges on the underlying operating system.

7.8
2024-01-31 CVE-2023-6246 GNU
Fedoraproject
Out-of-bounds Write vulnerability in multiple products

A heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library.

7.8
2024-01-31 CVE-2024-1085 Linux Use After Free vulnerability in Linux Kernel

A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_setelem_catchall_deactivate() function checks whether the catch-all set element is active in the current generation instead of the next generation before freeing it, but only flags it inactive in the next generation, making it possible to free the element multiple times, leading to a double free vulnerability. We recommend upgrading past commit b1db244ffd041a49ecc9618e8feb6b5c1afcdaa7.

7.8
2024-01-31 CVE-2024-1086 Linux
Fedoraproject
Redhat
Debian
Netapp
Use After Free vulnerability in multiple products

A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT. We recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660.

7.8
2024-01-30 CVE-2024-0674 Lamassu Improper Preservation of Permissions vulnerability in Lamassu Douro Firmware and Douro II Firmware

Privilege escalation vulnerability in Lamassu Bitcoin ATM Douro machines, in its 7.1 version, which could allow a local user to acquire root permissions by modifying the updatescript.js, inserting special code inside the script and creating the done.txt file.

7.8
2024-01-30 CVE-2024-21803 Linux Use After Free vulnerability in Linux Kernel

Use After Free vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (bluetooth modules) allows Local Execution of Code.

7.8
2024-01-30 CVE-2024-22938 Bosscms Incorrect Authorization vulnerability in Bosscms 1.3.0

Insecure Permissions vulnerability in BossCMS v.1.3.0 allows a local attacker to execute arbitrary code and escalate privileges via the init function in admin.class.php component.

7.8
2024-01-29 CVE-2024-23940 Trendmicro Uncontrolled Search Path Element vulnerability in Trendmicro products

Trend Micro uiAirSupport, included in the Trend Micro Security 2023 family of consumer products, version 6.0.2092 and below is vulnerable to a DLL hijacking/proxying vulnerability, which if exploited could allow an attacker to impersonate and modify a library to execute code on the system and ultimately escalate privileges on an affected system.

7.8
2024-01-29 CVE-2023-1705 Forcepoint Missing Authorization vulnerability in Forcepoint ONE Smartedge Agent

Missing Authorization vulnerability in Forcepoint F|One SmartEdge Agent on Windows (bgAutoinstaller service modules) allows Privilege Escalation, Functionality Bypass.This issue affects F|One SmartEdge Agent: before 1.7.0.230330-554.

7.8
2024-02-04 CVE-2023-52425 Libexpat Project Resource Exhaustion vulnerability in Libexpat Project Libexpat

libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed.

7.5
2024-02-04 CVE-2018-25098 Blockmason Operation on a Resource after Expiration or Release vulnerability in Blockmason Credit-Protocol

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in blockmason credit-protocol.

7.5
2024-02-04 CVE-2024-25062 Xmlsoft Use After Free vulnerability in Xmlsoft Libxml2

An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5.

7.5
2024-02-03 CVE-2023-44031 Reprise Unspecified vulnerability in Reprise License Manager 15.1

Incorrect access control in Reprise License Management Software Reprise License Manager v15.1 allows attackers to arbitrarily save sensitive files in insecure locations via a crafted POST request.

7.5
2024-02-03 CVE-2024-1064 Craftycontrol Improper Encoding or Escaping of Output vulnerability in Craftycontrol Crafty Controller

A host header injection vulnerability in the HTTP handler component of Crafty Controller allows a remote, unauthenticated attacker to trigger a Denial of Service (DoS) condition via a modified host header

7.5
2024-02-03 CVE-2024-0909 Tarassych Unspecified vulnerability in Tarassych Anonymous Restricted Content

The Anonymous Restricted Content plugin for WordPress is vulnerable to information disclosure in all versions up to, and including, 1.6.2.

7.5
2024-02-03 CVE-2023-30999 IBM Resource Exhaustion vulnerability in IBM products

IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) could allow an attacker to cause a denial of service due to uncontrolled resource consumption.

7.5
2024-02-03 CVE-2023-31006 IBM Unspecified vulnerability in IBM products

IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) is vulnerable to a denial of service attacks on the DSC server.

7.5
2024-02-03 CVE-2024-1199 Employee Task Management System Project Unspecified vulnerability in Employee Task Management System Project Employee Task Management System 1.0

A vulnerability has been found in CodeAstro Employee Task Management System 1.0 and classified as problematic.

7.5
2024-02-02 CVE-2024-1189 Softaculous Improper Resource Shutdown or Release vulnerability in Softaculous Ampps

A vulnerability has been found in AMPPS 2.7 and classified as problematic.

7.5
2024-02-02 CVE-2023-51838 Meshcentral Use of a Broken or Risky Cryptographic Algorithm vulnerability in Meshcentral 1.1.16

Ylianst MeshCentral 1.1.16 suffers from Use of a Broken or Risky Cryptographic Algorithm.

7.5
2024-02-02 CVE-2023-6387 Silabs Incorrect Calculation of Buffer Size vulnerability in Silabs Gecko Software Development KIT

A potential buffer overflow exists in the Bluetooth LE HCI CPC sample application in the Gecko SDK which may result in a denial of service or remote code execution

7.5
2024-02-02 CVE-2024-23831 Ledgersmb Cross-Site Request Forgery (CSRF) vulnerability in Ledgersmb

LedgerSMB is a free web-based double-entry accounting system.

7.5
2024-02-02 CVE-2024-24161 Mrcms Files or Directories Accessible to External Parties vulnerability in Mrcms 3.0

MRCMS 3.0 contains an Arbitrary File Read vulnerability in /admin/file/edit.do as the incoming path parameter is not filtered.

7.5
2024-02-02 CVE-2023-38273 IBM Improper Restriction of Excessive Authentication Attempts vulnerability in IBM Cloud PAK System

IBM Cloud Pak System 2.3.1.1, 2.3.2.0, and 2.3.3.7 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials.

7.5
2024-02-02 CVE-2023-47148 IBM Missing Authorization vulnerability in IBM Spectrum Protect Plus

IBM Storage Protect Plus Server 10.1.0 through 10.1.15.2 Admin Console could allow a remote attacker to obtain sensitive information due to improper validation of unsecured endpoints which could be used in further attacks against the system.

7.5
2024-02-02 CVE-2023-39611 Softwarefx Path Traversal vulnerability in Softwarefx Chart FX 7.0.4962.20829

An issue in Software FX Chart FX 7 version 7.0.4962.20829 allows attackers to enumerate and read files from the local filesystem by sending crafted web requests.

7.5
2024-02-02 CVE-2024-22851 Liveconfig Path Traversal vulnerability in Liveconfig

Directory Traversal Vulnerability in LiveConfig before v.2.5.2 allows a remote attacker to obtain sensitive information via a crafted request to the /static/ endpoint.

7.5
2024-02-02 CVE-2021-22281 BR Automation Path Traversal vulnerability in Br-Automation Automation Studio

: Relative Path Traversal vulnerability in B&R Industrial Automation Automation Studio allows Relative Path Traversal.This issue affects Automation Studio: from 4.0 through 4.12.

7.5
2024-02-02 CVE-2024-21780 Kddi Out-of-bounds Write vulnerability in Kddi Home Spot Cube 2 Firmware V102

Stack-based buffer overflow vulnerability exists in HOME SPOT CUBE2 V102 and earlier.

7.5
2024-02-02 CVE-2023-50962 IBM Cleartext Transmission of Sensitive Information vulnerability in IBM Powersc 1.3/2.0/2.1

IBM PowerSC 1.3, 2.0, and 2.1 MFA does not implement the "HTTP Strict Transport Security" (HSTS) web security policy mechanism.

7.5
2024-02-02 CVE-2023-50326 IBM Improper Restriction of Excessive Authentication Attempts vulnerability in IBM Powersc 1.3/2.0/2.1

IBM PowerSC 1.3, 2.0, and 2.1 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials.

7.5
2024-02-02 CVE-2023-50937 IBM Use of a Broken or Risky Cryptographic Algorithm vulnerability in IBM Powersc 1.3/2.0/2.1

IBM PowerSC 1.3, 2.0, and 2.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.

7.5
2024-02-02 CVE-2023-50939 IBM Use of a Broken or Risky Cryptographic Algorithm vulnerability in IBM Powersc 1.3/2.0/2.1

IBM PowerSC 1.3, 2.0, and 2.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.

7.5
2024-02-01 CVE-2023-49115 Machinesense Missing Authentication for Critical Function vulnerability in Machinesense Feverwarn Firmware

MachineSense devices use unauthenticated MQTT messaging to monitor devices and remote viewing of sensor data by users.

7.5
2024-02-01 CVE-2024-24756 Crafatar Path Traversal vulnerability in Crafatar

Crafatar serves Minecraft avatars based on the skin for use in external applications.

7.5
2024-02-01 CVE-2024-1167 Seweurodrive XXE vulnerability in Seweurodrive Movitools Motionstudio 6.5.0.2

When SEW-EURODRIVE MOVITOOLS MotionStudio processes XML information unrestricted file access can occur.

7.5
2024-02-01 CVE-2024-0935 3DS Information Exposure Through Log Files vulnerability in 3DS Delmia Apriso 2019/2022/2024

Insertion of Sensitive Information into Log File vulnerabilities are affecting DELMIA Apriso Release 2019 through Release 2024

7.5
2024-01-31 CVE-2023-28807 Zscaler Improper Certificate Validation vulnerability in Zscaler Secure Internet and Saas Access

In Zscaler Internet Access (ZIA) a mismatch between Connect Host and Client Hello's Server Name Indication (SNI) enables attackers to evade network security controls by hiding their communications within legitimate traffic.

7.5
2024-01-31 CVE-2024-21916 Rockwellautomation Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Rockwellautomation products

A denial-of-service vulnerability exists in specific Rockwell Automation ControlLogix ang GuardLogix controllers.

7.5
2024-01-31 CVE-2023-6779 GNU
Fedoraproject
Out-of-bounds Write vulnerability in multiple products

An off-by-one heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library.

7.5
2024-01-31 CVE-2024-1098 Ruifang Tech Unspecified vulnerability in Ruifang-Tech Rebuild

A vulnerability was found in Rebuild up to 3.5.5 and classified as problematic.

7.5
2024-01-31 CVE-2023-44312 Apache Unspecified vulnerability in Apache Servicecomb

Exposure of Sensitive Information to an Unauthorized Actor in Apache ServiceComb Service-Center.This issue affects Apache ServiceComb Service-Center before 2.1.0 (include). Users are recommended to upgrade to version 2.2.0, which fixes the issue.

7.5
2024-01-31 CVE-2023-44313 Apache Server-Side Request Forgery (SSRF) vulnerability in Apache Servicecomb

Server-Side Request Forgery (SSRF) vulnerability in Apache ServiceComb Service-Center.

7.5
2024-01-31 CVE-2024-23775 ARM Integer Overflow or Wraparound vulnerability in ARM Mbed TLS

Integer Overflow vulnerability in Mbed TLS 2.x before 2.28.7 and 3.x before 3.5.2, allows attackers to cause a denial of service (DoS) via mbedtls_x509_set_extension().

7.5
2024-01-30 CVE-2023-5389 Honeywell Unspecified vulnerability in Honeywell products

An attacker could potentially exploit this vulnerability, leading to the ability to modify files on Honeywell Experion ControlEdge VirtualUOC and ControlEdge UOC .

7.5
2024-01-30 CVE-2024-23838 Truelayer Server-Side Request Forgery (SSRF) vulnerability in Truelayer Truelayer.Net

TrueLayer.NET is the .Net client for TrueLayer.

7.5
2024-01-30 CVE-2024-1033 Openbi Project Unspecified vulnerability in Openbi Project Openbi

A vulnerability, which was classified as problematic, has been found in openBI up to 1.0.8.

7.5
2024-01-30 CVE-2024-1063 Appwrite Server-Side Request Forgery (SSRF) vulnerability in Appwrite

Appwrite <= v1.4.13 is affected by a Server-Side Request Forgery (SSRF) via the '/v1/avatars/favicon' endpoint due to an incomplete fix of CVE-2023-27159.

7.5
2024-01-30 CVE-2023-36260 Craftcms Injection vulnerability in Craftcms Craft CMS

An issue was discovered in the Feed Me plugin 4.6.1 for Craft CMS.

7.5
2024-01-30 CVE-2023-6374 Mitsubishielectric Authentication Bypass by Capture-replay vulnerability in Mitsubishielectric Melsec Ws0-Geth00200 Firmware

Authentication Bypass by Capture-replay vulnerability in Mitsubishi Electric Corporation MELSEC WS Series WS0-GETH00200 all serial numbers allows a remote unauthenticated attacker to bypass authentication by capture-replay attack and illegally login to the affected module.

7.5
2024-01-30 CVE-2023-6942 Mitsubishielectric Missing Authentication for Critical Function vulnerability in Mitsubishielectric products

Missing Authentication for Critical Function vulnerability in Mitsubishi Electric Corporation EZSocket versions 3.0 and later, GT Designer3 Version1(GOT1000) all versions, GT Designer3 Version1(GOT2000) all versions, GX Works2 versions 1.11M and later, GX Works3 versions 1.106L and prior, MELSOFT Navigator versions 1.04E and later, MT Works2 all versions, MX Component versions 4.00A and later and MX OPC Server DA/UA all versions allows a remote unauthenticated attacker to bypass authentication by sending specially crafted packets and connect to the products illegally.

7.5
2024-01-30 CVE-2024-22523 Fuwushe Path Traversal vulnerability in Fuwushe Ifair 23.8Ad0

Directory Traversal vulnerability in Qiyu iFair version 23.8_ad0 and before, allows remote attackers to obtain sensitive information via uploadimage component.

7.5
2024-01-29 CVE-2024-23334 Aiohttp
Fedoraproject
Path Traversal vulnerability in multiple products

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python.

7.5
2024-01-29 CVE-2023-4550 Opentext Files or Directories Accessible to External Parties vulnerability in Opentext Appbuilder 21.2

Improper Input Validation, Files or Directories Accessible to External Parties vulnerability in OpenText AppBuilder on Windows, Linux allows Probe System Files. An unauthenticated or authenticated user can abuse a page of AppBuilder to read arbitrary files on the server on which it is hosted.

7.5
2024-01-29 CVE-2023-51842 Meshcentral Unspecified vulnerability in Meshcentral 1.1.16

An algorithm-downgrade issue was discovered in Ylianst MeshCentral 1.1.16.

7.5
2024-01-29 CVE-2024-1017 Gabriels FTP Server Project Improper Resource Shutdown or Release vulnerability in Gabriels FTP Server Project Gabriels FTP Server 1.2

A vulnerability was found in Gabriels FTP Server 1.2.

7.5
2024-01-29 CVE-2024-1016 Flexbyte Improper Resource Shutdown or Release vulnerability in Flexbyte Solar FTP Server 2.1.1/2.1.2

A vulnerability was found in Solar FTP Server 2.1.1/2.1.2.

7.5
2024-01-29 CVE-2023-7204 WP Staging Exposure of Resource to Wrong Sphere vulnerability in Wp-Staging WP Staging

The WP STAGING WordPress Backup plugin before 3.2.0 allows access to cache files during the cloning process which provides

7.5
2024-01-29 CVE-2024-1005 Shanxi Tianneng Technology Files or Directories Accessible to External Parties vulnerability in Shanxi Tianneng Technology Noderp

A vulnerability has been found in Shanxi Diankeyun Technology NODERP up to 6.0.2 and classified as critical.

7.5
2024-01-29 CVE-2024-1014 SE Elektronicgmbh Resource Exhaustion vulnerability in Se-Elektronicgmbh E-Ddc3.3 Firmware 03.07.03

Uncontrolled resource consumption vulnerability in SE-elektronic GmbH E-DDC3.3 affecting versions 03.07.03 and higher.

7.5
2024-01-29 CVE-2024-23747 Modernasistemas Authorization Bypass Through User-Controlled Key vulnerability in Modernasistemas Modernanet Hospital Management System 2024

The Moderna Sistemas ModernaNet Hospital Management System 2024 is susceptible to an Insecure Direct Object Reference (IDOR) vulnerability.

7.5
2024-01-29 CVE-2023-29055 Apache Insufficiently Protected Credentials vulnerability in Apache Kylin

In Apache Kylin version 2.0.0 to 4.0.3, there is a Server Config web interface that displays the content of file 'kylin.properties', that may contain serverside credentials.

7.5
2024-01-29 CVE-2023-46838 Linux
Fedoraproject
Debian
NULL Pointer Dereference vulnerability in multiple products

Transmit requests in Xen's virtual network protocol can consist of multiple parts.

7.5
2024-01-29 CVE-2024-23791 Otrs Information Exposure Through Log Files vulnerability in Otrs

Insertion of debug information into log file during building the elastic search index allows reading of sensitive information from articles.This issue affects OTRS: from 7.0.X through 7.0.48, from 8.0.X through 8.0.37, from 2023.X through 2023.1.1.

7.5
2024-01-29 CVE-2024-24736 Ypopsemail Unspecified vulnerability in Ypopsemail Ypops! 1.6

The POP3 service in YahooPOPs (aka YPOPs!) 1.6 allows a remote denial of service (reboot) via a long string to TCP port 110, a related issue to CVE-2004-1558.

7.5
2024-01-31 CVE-2024-23651 Mobyproject Race Condition vulnerability in Mobyproject Buildkit

BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner.

7.4
2024-01-29 CVE-2023-40548 Redhat
Fedoraproject
Integer Overflow or Wraparound vulnerability in multiple products

A buffer overflow was found in Shim in the 32-bit system.

7.4
2024-02-03 CVE-2023-43016 IBM Weak Password Requirements vulnerability in IBM products

IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) could allow a remote user to log into the server due to a user account with an empty password.

7.3
2024-02-02 CVE-2024-24760 Mailcow Externally Controlled Reference to a Resource in Another Sphere vulnerability in Mailcow Mailcow: Dockerized

mailcow is a dockerized email package, with multiple containers linked in one bridged network.

7.3
2024-02-04 CVE-2021-46902 Meinbergglobal Unspecified vulnerability in Meinbergglobal Lantime Firmware

An issue was discovered in LTOS-Web-Interface in Meinberg LANTIME-Firmware before 6.24.029 MBGID-9343 and 7 before 7.04.008 MBGID-6303.

7.2
2024-02-02 CVE-2023-39302 Qnap OS Command Injection vulnerability in Qnap Qts, Quts Hero and Qutscloud

An OS command injection vulnerability has been reported to affect several QNAP operating system versions.

7.2
2024-02-02 CVE-2023-41273 Qnap Out-of-bounds Write vulnerability in Qnap Qts, Quts Hero and Qutscloud

A heap-based buffer overflow vulnerability has been reported to affect several QNAP operating system versions.

7.2
2024-02-02 CVE-2023-41275 Qnap Heap-based Buffer Overflow vulnerability in Qnap Qts, Quts Hero and Qutscloud

A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions.

7.2
2024-02-02 CVE-2023-41276 Qnap Heap-based Buffer Overflow vulnerability in Qnap Qts, Quts Hero and Qutscloud

A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions.

7.2
2024-02-02 CVE-2023-41277 Qnap Stack-based Buffer Overflow vulnerability in Qnap Qts, Quts Hero and Qutscloud

A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions.

7.2
2024-02-02 CVE-2023-41278 Qnap Stack-based Buffer Overflow vulnerability in Qnap Qts, Quts Hero and Qutscloud

A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions.

7.2
2024-02-02 CVE-2023-41279 Qnap Stack-based Buffer Overflow vulnerability in Qnap Qts, Quts Hero and Qutscloud

A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions.

7.2
2024-02-02 CVE-2023-41280 Qnap Stack-based Buffer Overflow vulnerability in Qnap Qts, Quts Hero and Qutscloud

A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions.

7.2
2024-02-02 CVE-2023-41281 Qnap OS Command Injection vulnerability in Qnap Qts, Quts Hero and Qutscloud

An OS command injection vulnerability has been reported to affect several QNAP operating system versions.

7.2
2024-02-02 CVE-2023-41282 Qnap OS Command Injection vulnerability in Qnap Qts, Quts Hero and Qutscloud

An OS command injection vulnerability has been reported to affect several QNAP operating system versions.

7.2
2024-02-02 CVE-2023-41283 Qnap Command Injection vulnerability in Qnap Qts, Quts Hero and Qutscloud

An OS command injection vulnerability has been reported to affect several QNAP operating system versions.

7.2
2024-02-02 CVE-2023-41292 Qnap Classic Buffer Overflow vulnerability in Qnap Qts, Quts Hero and Qutscloud

A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions.

7.2
2024-02-02 CVE-2023-45035 Qnap Classic Buffer Overflow vulnerability in Qnap Qts, Quts Hero and Qutscloud

A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions.

7.2
2024-02-02 CVE-2023-45036 Qnap Classic Buffer Overflow vulnerability in Qnap Qts, Quts Hero and Qutscloud

A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions.

7.2
2024-02-02 CVE-2023-45037 Qnap Classic Buffer Overflow vulnerability in Qnap Qts, Quts Hero and Qutscloud

A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions.

7.2
2024-02-02 CVE-2023-47566 Qnap OS Command Injection vulnerability in Qnap Qts, Quts Hero and Qutscloud

An OS command injection vulnerability has been reported to affect several QNAP operating system versions.

7.2
2024-02-02 CVE-2023-47567 Qnap OS Command Injection vulnerability in Qnap Qts, Quts Hero and Qutscloud

An OS command injection vulnerability has been reported to affect several QNAP operating system versions.

7.2
2024-02-02 CVE-2024-22107 Gttb Command Injection vulnerability in Gttb GTB Central Console 15.17.130814.Ng

An issue was discovered in GTB Central Console 15.17.1-30814.NG.

7.2
2024-02-02 CVE-2024-0844 Felixmoira Path Traversal vulnerability in Felixmoira Popup More Popups, Lightboxes, and More Popup Modules

The Popup More Popups, Lightboxes, and more popup modules plugin for WordPress is vulnerable to Local File Inclusion in version 2.1.6 via the ycfChangeElementData() function.

7.2
2024-01-31 CVE-2023-31505 Schlix Unrestricted Upload of File with Dangerous Type vulnerability in Schlix CMS 2.2.81

An arbitrary file upload vulnerability in Schlix CMS v2.2.8-1, allows remote authenticated attackers to execute arbitrary code and obtain sensitive information via a crafted .phtml file.

7.2
2024-01-31 CVE-2024-1069 Crmperks Unrestricted Upload of File with Dangerous Type vulnerability in Crmperks Database for Contact Form 7, Wpforms, Elementor Forms

The Contact Form Entries plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file validation on the 'view_page' function in versions up to, and including, 1.3.2.

7.2
2024-01-30 CVE-2023-46231 Splunk Information Exposure Through Log Files vulnerability in Splunk Add-On Builder 4.1.0/4.1.1/4.1.2

In Splunk Add-on Builder versions below 4.1.4, the application writes user session tokens to its internal log files when you visit the Splunk Add-on Builder or when you build or edit a custom app or add-on.

7.2
2024-01-30 CVE-2023-5372 Zyxel OS Command Injection vulnerability in Zyxel Nas326 Firmware and Nas542 Firmware

The post-authentication command injection vulnerability in Zyxel NAS326 firmware versions through V5.21(AAZF.15)C0 and NAS542 firmware versions through V5.21(ABAG.12)C0 could allow an authenticated attacker with administrator privileges to execute some operating system (OS) commands by sending a crafted query parameter attached to the URL of an affected device’s web management interface.

7.2
2024-01-29 CVE-2023-49038 Buffalo OS Command Injection vulnerability in Buffalo Ls210D Firmware 1.780.03

Command injection in the ping utility on Buffalo LS210D 1.78-0.03 allows a remote authenticated attacker to inject arbitrary commands onto the NAS as root.

7.2
2024-01-29 CVE-2024-24139 Remyandrade SQL Injection vulnerability in Remyandrade Login System With Email Verification 1.0

Sourcecodester Login System with Email Verification 1.0 allows SQL Injection via the 'user' parameter.

7.2
2024-01-29 CVE-2024-24140 Remyandrade SQL Injection vulnerability in Remyandrade Daily Habit Tracker 1.0

Sourcecodester Daily Habit Tracker App 1.0 allows SQL Injection via the parameter 'tracker.'

7.2
2024-01-29 CVE-2024-1007 Razormist SQL Injection vulnerability in Razormist Employee Management System 1.0

A vulnerability was found in SourceCodester Employee Management System 1.0.

7.2
2024-01-29 CVE-2024-1008 Razormist Unrestricted Upload of File with Dangerous Type vulnerability in Razormist Employee Management System 1.0

A vulnerability was found in SourceCodester Employee Management System 1.0.

7.2
2024-01-29 CVE-2024-1004 Totolink Stack-based Buffer Overflow vulnerability in Totolink N200Re Firmware 9.3.5U.6139B20201216

A vulnerability, which was classified as critical, was found in Totolink N200RE 9.3.5u.6139_B20201216.

7.2
2024-02-03 CVE-2023-32327 IBM XXE vulnerability in IBM products

IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data.

7.1
2024-01-30 CVE-2024-0676 Lamassu Weak Password Requirements vulnerability in Lamassu Douro Firmware and Douro II Firmware

Weak password requirement vulnerability in Lamassu Bitcoin ATM Douro machines, in its 7.1 version , which allows a local user to interact with the machine where the application is installed, retrieve stored hashes from the machine and crack long 4-character passwords using a dictionary attack.

7.1
2024-01-30 CVE-2024-21840 Hitachi Incorrect Default Permissions vulnerability in Hitachi Storage Plug-In 04.8.0/04.9.0

Incorrect Default Permissions vulnerability in Hitachi Storage Plug-in for VMware vCenter allows local users to read and write specific files. This issue affects Hitachi Storage Plug-in for VMware vCenter: from 04.0.0 through 04.9.2.

7.1
2024-01-29 CVE-2023-4552 Opentext Unspecified vulnerability in Opentext Appbuilder 21.2

Improper Input Validation vulnerability in OpenText AppBuilder on Windows, Linux allows Probe System Files. An authenticated AppBuilder user with the ability to create or manage existing databases can leverage them to exploit the AppBuilder server - including access to its local file system. This issue affects AppBuilder: from 21.2 before 23.2.

7.1
2024-01-29 CVE-2023-6279 Wootsify Missing Authorization vulnerability in Wootsify Sites Library

The Woostify Sites Library WordPress plugin before 1.4.8 does not have authorisation in an AJAX action, allowing any authenticated users, such as subscriber to update arbitrary blog options and set them to 'activated' which could lead to DoS when using a specific option name

7.1

240 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2024-02-02 CVE-2023-51820 Blurams Code Injection vulnerability in Blurams Lumi Security Camera A31C Firmware 2.3.38.12558

An issue in Blurams Lumi Security Camera (A31C) v.2.3.38.12558 allows a physically proximate attackers to execute arbitrary code.

6.8
2024-01-30 CVE-2024-0675 Lamassu Improper Check for Unusual or Exceptional Conditions vulnerability in Lamassu Douro Firmware and Douro II Firmware

Vulnerability of improper checking for unusual or exceptional conditions in Lamassu Bitcoin ATM Douro machines, in its 7.1 version, the exploitation of which could allow an attacker with physical access to the ATM to escape kiosk mode, access the underlying Xwindow interface and execute arbitrary commands as an unprivileged user.

6.8
2024-01-30 CVE-2024-22894 Alpha Innotec
Novelan
Inadequate Encryption Strength vulnerability in multiple products

An issue fixed in AIT-Deutschland Alpha Innotec Heatpumps V2.88.3 or later, V3.89.0 or later, V4.81.3 or later and Novelan Heatpumps V2.88.3 or later, V3.89.0 or later, V4.81.3 or later, allows remote attackers to execute arbitrary code via the password component in the shadow file.

6.8
2024-02-02 CVE-2023-50359 Qnap Unchecked Return Value vulnerability in Qnap Qts, Quts Hero and Qutscloud

An unchecked return value vulnerability has been reported to affect several QNAP operating system versions.

6.7
2024-02-04 CVE-2021-46903 Meinbergglobal Unspecified vulnerability in Meinbergglobal Lantime Firmware

An issue was discovered in LTOS-Web-Interface in Meinberg LANTIME-Firmware before 6.24.029 MBGID-9343 and 7 before 7.04.008 MBGID-6303.

6.5
2024-02-04 CVE-2023-6240 Linux
Redhat
Information Exposure Through Discrepancy vulnerability in multiple products

A Marvin vulnerability side-channel leakage was found in the RSA decryption operation in the Linux Kernel.

6.5
2024-02-03 CVE-2024-1200 Jspxcms Unspecified vulnerability in Jspxcms 10.2.0

A vulnerability was found in Jspxcms 10.2.0 and classified as problematic.

6.5
2024-02-02 CVE-2023-32967 Qnap Incorrect Authorization vulnerability in Qnap QTS and Qutscloud

An incorrect authorization vulnerability has been reported to affect several QNAP operating system versions.

6.5
2024-02-02 CVE-2023-38019 IBM Path Traversal vulnerability in IBM Soar Qradar Plugin APP

IBM SOAR QRadar Plugin App 1.0 through 5.0.3 could allow a remote attacker to traverse directories on the system.

6.5
2024-02-02 CVE-2023-46159 IBM Improper Input Validation vulnerability in IBM Storage Ceph 5.3Z1/5.3Z5/6.1Z1

IBM Storage Ceph 5.3z1, 5.3z5, and 6.1z1 could allow an authenticated user on the network to cause a denial of service from RGW.

6.5
2024-02-02 CVE-2023-50935 IBM Forced Browsing vulnerability in IBM Powersc 1.3/2.0/2.1

IBM PowerSC 1.3, 2.0, and 2.1 fails to properly restrict access to a URL or resource, which may allow a remote attacker to obtain unauthorized access to application functionality and/or resources.

6.5
2024-02-02 CVE-2024-22096 Rapidscada Path Traversal vulnerability in Rapidscada Rapid Scada

In Rapid Software LLC's Rapid SCADA versions prior to Version 5.8.4, an attacker can append path traversal characters to the filename when using a specific command, allowing them to read arbitrary files from the system.

6.5
2024-02-01 CVE-2023-6221 Machinesense Missing Authentication for Critical Function vulnerability in Machinesense Feverwarn Firmware

The cloud provider MachineSense uses for integration and deployment for multiple MachineSense devices, such as the programmable logic controller (PLC), PumpSense, PowerAnalyzer, FeverWarn, and others is insufficiently protected against unauthorized access.

6.5
2024-02-01 CVE-2024-24752 Mnapoli Resource Exhaustion vulnerability in Mnapoli Bref

Bref enable serverless PHP on AWS Lambda.

6.5
2024-02-01 CVE-2024-24753 Mnapoli Interpretation Conflict vulnerability in Mnapoli Bref

Bref enable serverless PHP on AWS Lambda.

6.5
2024-02-01 CVE-2024-24548 Estore WSS Unspecified vulnerability in Estore-Wss Payment EX

Payment EX Ver1.1.5b and earlier allows a remote unauthenticated attacker to obtain the information of the user who purchases merchandise using Payment EX.

6.5
2024-02-01 CVE-2024-0831 Hashicorp Information Exposure Through Log Files vulnerability in Hashicorp Vault 1.15.0/1.15.2

Vault and Vault Enterprise (“Vault”) may expose sensitive information when enabling an audit device which specifies the `log_raw` option, which may log sensitive information to other audit devices, regardless of whether they are configured to use `log_raw`.

6.5
2024-01-31 CVE-2024-24572 Facilemanager SQL Injection vulnerability in Facilemanager

facileManager is a modular suite of web apps built with the sysadmin in mind.

6.5
2024-01-31 CVE-2023-50356 Areal Topkapi Improper Certificate Validation vulnerability in Areal-Topkapi Vision Server 6.2.4718

SSL connections to some LDAP servers are vulnerable to a man-in-the-middle attack due to improper certificate validation in AREAL Topkapi Vision (Server).

6.5
2024-01-30 CVE-2024-21388 Microsoft Unspecified vulnerability in Microsoft Edge Chromium

Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability

6.5
2024-01-30 CVE-2024-24565 Cratedb Path Traversal vulnerability in Cratedb

CrateDB is a distributed SQL database that makes it simple to store and analyze massive amounts of data in real-time.

6.5
2024-01-30 CVE-2024-0564 Linux
Redhat
Resource Injection vulnerability in multiple products

A flaw was found in the Linux kernel's memory deduplication mechanism.

6.5
2024-01-30 CVE-2024-22643 Seopanel Cross-Site Request Forgery (CSRF) vulnerability in Seopanel SEO Panel 4.10.0

A Cross-Site Request Forgery (CSRF) vulnerability in SEO Panel version 4.10.0 allows remote attackers to perform unauthorized user password resets.

6.5
2024-01-30 CVE-2023-51813 Free AND Open Source Inventory Management System Project Cross-Site Request Forgery (CSRF) vulnerability in Free and Open Source Inventory Management System Project Free and Open Source Inventory Management System 1.0

Cross Site Request Forgery (CSRF) vulnerability in Free Open-Source Inventory Management System v.1.0 allows a remote attacker to execute arbitrary code via the staff_list parameter in the index.php component.

6.5
2024-01-29 CVE-2024-23829 Aiohttp
Fedoraproject
HTTP Request Smuggling vulnerability in multiple products

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python.

6.5
2024-01-29 CVE-2023-4554 Opentext XXE vulnerability in Opentext Appbuilder 21.2

Improper Restriction of XML External Entity Reference vulnerability in OpenText AppBuilder on Windows, Linux allows Server Side Request Forgery, Probe System Files. AppBuilder's XML processor is vulnerable to XML External Entity Processing (XXE), allowing an authenticated user to upload specially crafted XML files to induce server-side request forgery, disclose files local to the server that processes them. This issue affects AppBuilder: from 21.2 before 23.2.

6.5
2024-01-29 CVE-2023-30970 Palantir Path Traversal vulnerability in Palantir products

Gotham Table service and Forward App were found to be vulnerable to a Path traversal issue allowing an authenticated user to read arbitrary files on the file system.

6.5
2024-01-29 CVE-2024-0212 Cloudflare Unspecified vulnerability in Cloudflare

The Cloudflare Wordpress plugin was found to be vulnerable to improper authentication.

6.5
2024-01-29 CVE-2024-23792 Otrs Improper Authentication vulnerability in Otrs

When adding attachments to ticket comments, another user can add attachments as well impersonating the orginal user.

6.5
2024-02-02 CVE-2024-21863 Openatom Unspecified vulnerability in Openatom Openharmony

in OpenHarmony v4.0.0 and prior versions allow a local attacker cause DOS through improper input.

6.2
2024-02-03 CVE-2024-1215 Crud Without Page Reload Project Cross-site Scripting vulnerability in Crud Without Page Reload Project Crud Without Page Reload 1.0

A vulnerability was found in SourceCodester CRUD without Page Reload 1.0.

6.1
2024-02-03 CVE-2023-37528 Hcltech Cross-site Scripting vulnerability in Hcltech Bigfix Platform

A cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform can possibly allow an attack to exploit an application parameter during execution of the Save Report.

6.1
2024-02-02 CVE-2024-1196 Remyandrade Cross-site Scripting vulnerability in Remyandrade Testimonial Page Manager 1.0

A vulnerability classified as problematic was found in SourceCodester Testimonial Page Manager 1.0.

6.1
2024-02-02 CVE-2023-37527 Hcltech Cross-site Scripting vulnerability in Hcltech Bigfix Platform

A reflected cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform can possibly allow an attacker to execute malicious javascript code in the application session or in database, via remote injection, while rendering content in a web page.

6.1
2024-02-02 CVE-2024-23635 Antisamy Project Cross-site Scripting vulnerability in Antisamy Project Antisamy

AntiSamy is a library for performing fast, configurable cleansing of HTML coming from untrusted sources.

6.1
2024-02-02 CVE-2023-47144 IBM Cross-site Scripting vulnerability in IBM Tivoli Application Dependency Discovery Manager

IBM Tivoli Application Dependency Discovery Manager 7.3.0.0 through 7.3.0.10 is vulnerable to cross-site scripting.

6.1
2024-02-02 CVE-2023-6673 Nationalkeep Cross-site Scripting vulnerability in Nationalkeep Cybermath 1.4

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in National Keep Cyber Security Services CyberMath allows Reflected XSS.This issue affects CyberMath: from v.1.4 before v.1.5.

6.1
2024-02-02 CVE-2024-23895 Ajaysharma Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0

A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/locationcreate.php, in the locationid parameter.

6.1
2024-02-02 CVE-2024-24388 Xunruicms Cross-site Scripting vulnerability in Xunruicms

Cross-site scripting (XSS) vulnerability in XunRuiCMS versions v4.6.2 and before, allows remote attackers to obtain sensitive information via crafted malicious requests to the background login.

6.1
2024-02-02 CVE-2024-1143 Linecorp Cross-site Scripting vulnerability in Linecorp Central Dogma

Central Dogma versions prior to 0.64.1 is vulnerable to Cross-Site Scripting (XSS), which could allow for the leakage of user sessions and subsequent authentication bypass.

6.1
2024-02-02 CVE-2023-50933 IBM Cross-site Scripting vulnerability in IBM Powersc 1.3/2.0/2.1

IBM PowerSC 1.3, 2.0, and 2.1 is vulnerable to HTML injection.

6.1
2024-02-01 CVE-2024-22927 Eyoucms Cross-site Scripting vulnerability in Eyoucms 1.6.5

Cross Site Scripting (XSS) vulnerability in the func parameter in eyoucms v.1.6.5 allows a remote attacker to run arbitrary code via crafted URL.

6.1
2024-02-01 CVE-2024-23031 Eyoucms Cross-site Scripting vulnerability in Eyoucms 1.6.5

Cross Site Scripting (XSS) vulnerability in is_water parameter in eyoucms v.1.6.5 allows a remote attacker to run arbitrary code via crafted URL.

6.1
2024-02-01 CVE-2024-23032 Eyoucms Cross-site Scripting vulnerability in Eyoucms 1.6.5

Cross Site Scripting vulnerability in num parameter in eyoucms v.1.6.5 allows a remote attacker to run arbitrary code via crafted URL.

6.1
2024-02-01 CVE-2024-23033 Eyoucms Cross-site Scripting vulnerability in Eyoucms 1.6.5

Cross Site Scripting vulnerability in the path parameter in eyoucms v.1.6.5 allows a remote attacker to run arbitrary code via crafted URL.

6.1
2024-02-01 CVE-2024-23034 Eyoucms Cross-site Scripting vulnerability in Eyoucms 1.6.5

Cross Site Scripting vulnerability in the input parameter in eyoucms v.1.6.5 allows a remote attacker to run arbitrary code via crafted URL.

6.1
2024-02-01 CVE-2024-24041 Remyandrade Cross-site Scripting vulnerability in Remyandrade Travel Journal Using PHP and Mysql With Source Code 1.0

A stored cross-site scripting (XSS) vulnerability in Travel Journal Using PHP and MySQL with Source Code v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the location parameter at /travel-journal/write-journal.php.

6.1
2024-02-01 CVE-2024-24945 Remyandrade Cross-site Scripting vulnerability in Remyandrade Travel Journal Using PHP and Mysql With Source Code 1.0

A stored cross-site scripting (XSS) vulnerability in Travel Journal Using PHP and MySQL with Source Code v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Share Your Moments parameter at /travel-journal/write-journal.php.

6.1
2024-02-01 CVE-2024-23645 Glpi Project Cross-site Scripting vulnerability in Glpi-Project Glpi

GLPI is a Free Asset and IT Management Software package.

6.1
2024-02-01 CVE-2024-24570 Statamic Cross-site Scripting vulnerability in Statamic

Statamic is a Laravel and Git powered CMS.

6.1
2024-02-01 CVE-2023-51509 Metagauss Cross-site Scripting vulnerability in Metagauss Registrationmagic

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Metagauss RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login allows Reflected XSS.This issue affects RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login: from n/a through 5.2.4.1.

6.1
2024-02-01 CVE-2023-51540 Kunalnagar Cross-site Scripting vulnerability in Kunalnagar Custom 404 PRO

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kunal Nagar Custom 404 Pro allows Stored XSS.This issue affects Custom 404 Pro: from n/a through 3.10.0.

6.1
2024-02-01 CVE-2024-21750 Scribit Cross-site Scripting vulnerability in Scribit Shortcodes Finder 1.5.3

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Scribit Shortcodes Finder allows Reflected XSS.This issue affects Shortcodes Finder: from n/a through 1.5.5.

6.1
2024-02-01 CVE-2024-22148 Joomunited Cross-site Scripting vulnerability in Joomunited Wp-Smart-Editor 1.3.3

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Smart Editor JoomUnited allows Reflected XSS.This issue affects JoomUnited: from n/a through 1.3.3.

6.1
2024-01-31 CVE-2024-1111 Rems Cross-site Scripting vulnerability in Rems QR Code Login System 1.0

A vulnerability, which was classified as problematic, has been found in SourceCodester QR Code Login System 1.0.

6.1
2024-01-31 CVE-2024-22159 Pluginus Cross-site Scripting vulnerability in Pluginus Wolf - Wordpress Posts Bulk Editor and products Manager Professional

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in realmag777 WOLF – WordPress Posts Bulk Editor and Manager Professional allows Reflected XSS.This issue affects WOLF – WordPress Posts Bulk Editor and Manager Professional: from n/a through 1.0.8.

6.1
2024-01-31 CVE-2023-50166 Pega Cross-site Scripting vulnerability in Pega Platform

Pega Platform from 8.5.4 to 8.8.3 is affected by an XSS issue with an unauthenticated user and the redirect parameter.

6.1
2024-01-31 CVE-2024-22160 Bradleybdalina Cross-site Scripting vulnerability in Bradleybdalina Image TAG Manager 1.5

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bradley B.

6.1
2024-01-31 CVE-2024-22162 Wpzoom Cross-site Scripting vulnerability in Wpzoom Shortcodes 1.0/1.0.1

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPZOOM WPZOOM Shortcodes allows Reflected XSS.This issue affects WPZOOM Shortcodes: from n/a through 1.0.3.

6.1
2024-01-31 CVE-2024-22163 Getshieldsecurity Cross-site Scripting vulnerability in Getshieldsecurity Shield Security

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shield Security Shield Security – Smart Bot Blocking & Intrusion Prevention Security allows Stored XSS.This issue affects Shield Security – Smart Bot Blocking & Intrusion Prevention Security: from n/a through 18.5.7.

6.1
2024-01-31 CVE-2024-22282 Simplemap Plugin Cross-site Scripting vulnerability in Simplemap-Plugin Simplemap Store Locator

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Michael Torbert SimpleMap Store Locator allows Reflected XSS.This issue affects SimpleMap Store Locator: from n/a through 2.6.1.

6.1
2024-01-31 CVE-2024-22286 Aluka Cross-site Scripting vulnerability in Aluka BA Plus

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Aluka BA Plus – Before & After Image Slider FREE allows Reflected XSS.This issue affects BA Plus – Before & After Image Slider FREE: from n/a through 1.0.3.

6.1
2024-01-31 CVE-2024-22289 Cybernetikz Cross-site Scripting vulnerability in Cybernetikz Post Views Stats 1.3

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in cybernetikz Post views Stats allows Reflected XSS.This issue affects Post views Stats: from n/a through 1.3.

6.1
2024-01-31 CVE-2024-22293 Dontdream Cross-site Scripting vulnerability in Dontdream BP Profile Search

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Andrea Tarantini BP Profile Search allows Reflected XSS.This issue affects BP Profile Search: from n/a through 5.5.

6.1
2024-01-31 CVE-2024-22307 Wplab Cross-site Scripting vulnerability in Wplab Wp-Lister Lite for Ebay

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Lab WP-Lister Lite for eBay allows Reflected XSS.This issue affects WP-Lister Lite for eBay: from n/a through 3.5.7.

6.1
2024-01-31 CVE-2024-23508 Bplugins Cross-site Scripting vulnerability in Bplugins PDF Poster

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins PDF Poster – PDF Embedder Plugin for WordPress allows Reflected XSS.This issue affects PDF Poster – PDF Embedder Plugin for WordPress: from n/a through 2.1.17.

6.1
2024-01-31 CVE-2024-22287 Ludek Cross-Site Request Forgery (CSRF) vulnerability in Ludek Better Anchor Links

Cross-Site Request Forgery (CSRF) vulnerability in Ludek Melichar Better Anchor Links allows Cross-Site Scripting (XSS).This issue affects Better Anchor Links: from n/a through 1.7.5.

6.1
2024-01-30 CVE-2024-23834 Discourse Cross-site Scripting vulnerability in Discourse

Discourse is an open-source discussion platform.

6.1
2024-01-30 CVE-2024-24558 Tanstack Cross-site Scripting vulnerability in Tanstack React-Query-Next-Experimental

TanStack Query supplies asynchronous state management, server-state utilities and data fetching for the web.

6.1
2024-01-30 CVE-2024-23841 Apollographql Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apollographql Apollo Client

apollo-client-nextjs is the Apollo Client support for the Next.js App Router.

6.1
2024-01-30 CVE-2024-24556 Nearform Cross-site Scripting vulnerability in Nearform Urql

urql is a GraphQL client that exposes a set of helpers for several frameworks.

6.1
2024-01-30 CVE-2024-1031 Oretnom23 Cross-site Scripting vulnerability in Oretnom23 Expense Management System 1.0

A vulnerability was found in CodeAstro Expense Management System 1.0.

6.1
2024-01-30 CVE-2024-1029 Cogites Cross-site Scripting vulnerability in Cogites Ereserv 7.7.58

A vulnerability was found in Cogites eReserv 7.7.58 and classified as problematic.

6.1
2024-01-30 CVE-2024-1028 Oretnom23 Cross-site Scripting vulnerability in Oretnom23 Facebook News Feed Like 1.0

A vulnerability has been found in SourceCodester Facebook News Feed Like 1.0 and classified as problematic.

6.1
2024-01-30 CVE-2023-37571 Softing Cross-site Scripting vulnerability in Softing TH Scope 3.5

Softing TH SCOPE through 3.70 allows XSS.

6.1
2024-01-30 CVE-2024-1024 Oretnom23 Cross-site Scripting vulnerability in Oretnom23 Facebook News Feed Like 1.0

A vulnerability has been found in SourceCodester Facebook News Feed Like 1.0 and classified as problematic.

6.1
2024-01-30 CVE-2024-1026 Cogites Cross-site Scripting vulnerability in Cogites Ereserv 7.7.58

A vulnerability was found in Cogites eReserv 7.7.58 and classified as problematic.

6.1
2024-01-29 CVE-2024-1020 Ruifang Tech Cross-site Scripting vulnerability in Ruifang-Tech Rebuild

A vulnerability classified as problematic was found in Rebuild up to 3.5.5.

6.1
2024-01-29 CVE-2024-1018 Pbootcms Cross-site Scripting vulnerability in Pbootcms 3.2.5

A vulnerability classified as problematic has been found in PbootCMS 3.2.5-20230421.

6.1
2024-01-29 CVE-2024-24136 Remyandrade Cross-site Scripting vulnerability in Remyandrade Math Game 1.0

The 'Your Name' field in the Submit Score section of Sourcecodester Math Game with Leaderboard v1.0 is vulnerable to Cross-Site Scripting (XSS) attacks.

6.1
2024-01-29 CVE-2024-24135 Remyandrade Cross-site Scripting vulnerability in Remyandrade Product Inventory With Export to Excel 1.0

Product Name and Product Code in the 'Add Product' section of Sourcecodester Product Inventory with Export to Excel 1.0 are vulnerable to XSS attacks.

6.1
2024-01-29 CVE-2023-6278 Biteship Cross-site Scripting vulnerability in Biteship

The Biteship: Plugin Ongkos Kirim Kurir Instant, Reguler, Kargo WordPress plugin before 2.2.25 does not sanitise and escape the biteship_error and biteship_message parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

6.1
2024-01-29 CVE-2023-6389 Abhinavsingh Open Redirect vulnerability in Abhinavsingh Wordpress Toolbar 2.2.6

The WordPress Toolbar WordPress plugin through 2.2.6 redirects to any URL via the "wptbto" parameter.

6.1
2024-01-29 CVE-2023-7200 Myeventon Cross-site Scripting vulnerability in Myeventon Eventon

The EventON WordPress plugin before 4.4.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

6.1
2024-02-04 CVE-2015-10129 Samwilson Incorrect Comparison vulnerability in Samwilson Planet-Freo

A vulnerability was found in planet-freo up to 20150116 and classified as problematic.

5.9
2024-01-31 CVE-2023-5992 Opensc Project
Redhat
Information Exposure Through Discrepancy vulnerability in multiple products

A vulnerability was found in OpenSC where PKCS#1 encryption padding removal is not implemented as side-channel resistant.

5.9
2024-01-31 CVE-2024-0914 Opencryptoki Project
Redhat
Information Exposure Through Discrepancy vulnerability in multiple products

A timing side-channel vulnerability has been discovered in the opencryptoki package while processing RSA PKCS#1 v1.5 padded ciphertexts.

5.9
2024-01-29 CVE-2024-23826 SE Math Spbu Allocation of Resources Without Limits or Throttling vulnerability in Se.Math.Spbu Spbu SE Site

spbu_se_site is the website of the Department of System Programming of St.

5.7
2024-02-04 CVE-2023-52426 Libexpat Project XML Entity Expansion vulnerability in Libexpat Project Libexpat

libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time.

5.5
2024-02-03 CVE-2024-23550 Hcltechsw Unspecified vulnerability in Hcltechsw HCL Devops Deploy and HCL Launch

HCL DevOps Deploy / HCL Launch (UCD) could disclose sensitive user information when installing the Windows agent.

5.5
2024-02-03 CVE-2023-32329 IBM Insufficient Verification of Data Authenticity vulnerability in IBM products

IBM Security Access Manager Container (IBM Security Verify Access Appliance 10.0.0.0 through 10.0.6.1 and IBM Security Verify Access Docker 10.0.0.0 through 10.0.6.1) could allow a user to download files from an incorrect repository due to improper file validation.

5.5
2024-02-02 CVE-2024-1195 Iobit Unspecified vulnerability in Iobit Itop VPN 3.2/4.0.0.1

A vulnerability classified as critical was found in iTop VPN up to 4.0.0.1.

5.5
2024-02-02 CVE-2024-1193 Navicat Improper Resource Shutdown or Release vulnerability in Navicat 12.0.29

A vulnerability was found in Navicat 12.0.29.

5.5
2024-02-02 CVE-2024-1194 Armcode Unspecified vulnerability in Armcode Alienip 2.41

A vulnerability classified as problematic has been found in Armcode AlienIP 2.41.

5.5
2024-02-02 CVE-2024-1190 Globalscape Improper Resource Shutdown or Release vulnerability in Globalscape Cuteftp 9.3.0.3

A vulnerability was found in Global Scape CuteFTP 9.3.0.3 and classified as problematic.

5.5
2024-02-02 CVE-2024-1187 Munsoft Improper Resource Shutdown or Release vulnerability in Munsoft Easy Outlook Express Recovery 2.0

A vulnerability, which was classified as problematic, has been found in Munsoft Easy Outlook Express Recovery 2.0.

5.5
2024-02-02 CVE-2024-1188 Rizonesoft Improper Resource Shutdown or Release vulnerability in Rizonesoft Notepad3 1.0.2.350

A vulnerability, which was classified as problematic, was found in Rizone Soft Notepad3 1.0.2.350.

5.5
2024-02-02 CVE-2024-1186 Munsoft Improper Resource Shutdown or Release vulnerability in Munsoft Easy Archive Recovery 2.0

A vulnerability classified as problematic was found in Munsoft Easy Archive Recovery 2.0.

5.5
2024-02-02 CVE-2024-1185 Nsasoft Improper Resource Shutdown or Release vulnerability in Nsasoft Network Bandwidth Monitor 1.6.5.0

A vulnerability classified as problematic has been found in Nsasoft NBMonitor Network Bandwidth Monitor 1.6.5.0.

5.5
2024-02-02 CVE-2024-1184 Nsasoft Improper Resource Shutdown or Release vulnerability in Nsasoft Network Sleuth 3.0.0.0

A vulnerability was found in Nsasoft Network Sleuth 3.0.0.0.

5.5
2024-02-02 CVE-2023-43756 Openatom Out-of-bounds Read vulnerability in Openatom Openharmony

in OpenHarmony v3.2.4 and prior versions allow a local attacker causes information leak through out-of-bounds Read.

5.5
2024-02-02 CVE-2023-49118 Openatom Out-of-bounds Read vulnerability in Openatom Openharmony

in OpenHarmony v3.2.4 and prior versions allow a local attacker causes information leak through out-of-bounds Read.

5.5
2024-02-02 CVE-2024-0285 Openatom Unspecified vulnerability in Openatom Openharmony

in OpenHarmony v4.0.0 and prior versions allow a local attacker cause DOS through improper input.

5.5
2024-02-02 CVE-2024-21869 Rapidscada Insufficiently Protected Credentials vulnerability in Rapidscada Rapid Scada

In Rapid Software LLC's Rapid SCADA versions prior to Version 5.8.4, the affected product stores plaintext credentials in various places.

5.5
2024-02-01 CVE-2023-47256 Connectwise Improper Authentication vulnerability in Connectwise Automate and Screenconnect

ConnectWise ScreenConnect through 23.8.4 allows local users to connect to arbitrary relay servers via implicit trust of proxy settings

5.5
2024-02-01 CVE-2024-1141 Openstack Unspecified vulnerability in Openstack Glance-Store

A vulnerability was found in python-glance-store.

5.5
2024-02-01 CVE-2024-22430 Dell Incorrect Default Permissions vulnerability in Dell Powerscale Onefs

Dell PowerScale OneFS versions 8.2.x through 9.6.0.x contains an incorrect default permissions vulnerability.

5.5
2024-01-31 CVE-2023-7043 Eset Unquoted Search Path or Element vulnerability in Eset products

Unquoted service path in ESET products allows to drop a prepared program to a specific location and run on boot with the NT AUTHORITY\NetworkService permissions.

5.5
2024-01-31 CVE-2024-23170 ARM Information Exposure Through Discrepancy vulnerability in ARM Mbed TLS

An issue was discovered in Mbed TLS 2.x before 2.28.7 and 3.x before 3.5.2.

5.5
2024-01-31 CVE-2024-22236 Vmware Incorrect Permission Assignment for Critical Resource vulnerability in VMWare Spring Cloud Contract

In Spring Cloud Contract, versions 4.1.x prior to 4.1.1, versions 4.0.x prior to 4.0.5, and versions 3.1.x prior to 3.1.10, test execution is vulnerable to local information disclosure via temporary directory created with unsafe permissions through the shaded com.google.guava:guava dependency in the org.springframework.cloud:spring-cloud-contract-shade dependency.

5.5
2024-01-30 CVE-2024-23840 Goreleaser Information Exposure Through Log Files vulnerability in Goreleaser 1.23.0

GoReleaser builds Go binaries for several platforms, creates a GitHub release and then pushes a Homebrew formula to a tap repository.

5.5
2024-01-29 CVE-2023-40546 Redhat
Fedoraproject
NULL Pointer Dereference vulnerability in multiple products

A flaw was found in Shim when an error happened while creating a new ESL variable.

5.5
2024-01-29 CVE-2023-40549 Redhat
Fedoraproject
Out-of-bounds Read vulnerability in multiple products

An out-of-bounds read flaw was found in Shim due to the lack of proper boundary verification during the load of a PE binary.

5.5
2024-01-29 CVE-2023-40550 Redhat
Fedoraproject
Out-of-bounds Read vulnerability in multiple products

An out-of-bounds read flaw was found in Shim when it tried to validate the SBAT information.

5.5
2024-01-29 CVE-2024-0788 Realdefen Unspecified vulnerability in Realdefen Superantispyware 10.0.1260

SUPERAntiSpyware Pro X v10.0.1260 is vulnerable to kernel-level API parameters manipulation and Denial of Service vulnerabilities by triggering the 0x9C402140 IOCTL code of the saskutil64.sys driver.

5.5
2024-01-29 CVE-2024-23441 Anti Virus Out-of-bounds Read vulnerability in Anti-Virus Vba32 3.36.0

Vba32 Antivirus v3.36.0 is vulnerable to a Denial of Service vulnerability by triggering the 0x2220A7 IOCTL code of the Vba32m64.sys driver.

5.5
2024-02-04 CVE-2023-50947 IBM Cross-site Scripting vulnerability in IBM products

IBM Business Automation Workflow 22.0.2, 23.0.1, and 23.0.2 is vulnerable to cross-site scripting.

5.4
2024-02-03 CVE-2023-49950 Logpoint Cross-site Scripting vulnerability in Logpoint Siem

The Jinja templating in Logpoint SIEM 6.10.0 through 7.x before 7.3.0 does not correctly sanitize log data being displayed when using a custom Jinja template in the Alert view.

5.4
2024-02-03 CVE-2024-0895 Dearhive Cross-site Scripting vulnerability in Dearhive PDF Flipbook, 3D Flipbook

The PDF Flipbook, 3D Flipbook – DearFlip plugin for WordPress is vulnerable to Stored Cross-Site Scripting via outline settings in all versions up to, and including, 2.2.26 due to insufficient input sanitization and output escaping on user supplied data.

5.4
2024-02-02 CVE-2024-23553 Hcltech Cross-site Scripting vulnerability in Hcltech Bigfix Platform

A cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform exists due to missing a specific http header attribute.

5.4
2024-02-02 CVE-2023-47561 Qnap Cross-site Scripting vulnerability in Qnap Photo Station

A cross-site scripting (XSS) vulnerability has been reported to affect Photo Station.

5.4
2024-02-02 CVE-2024-24160 Mrcms Cross-site Scripting vulnerability in Mrcms 3.0

MRCMS 3.0 contains a Cross-Site Scripting (XSS) vulnerability via /admin/system/saveinfo.do.

5.4
2024-02-02 CVE-2023-6672 Nationalkeep Cross-site Scripting vulnerability in Nationalkeep Cybermath 1.4

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in National Keep Cyber Security Services CyberMath allows Stored XSS.This issue affects CyberMath: from v1.4 before v1.5.

5.4
2024-02-02 CVE-2024-0963 Codepeople Cross-site Scripting vulnerability in Codepeople Calculated Fields Form

The Calculated Fields Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's CP_CALCULATED_FIELDS shortcode in all versions up to, and including, 1.2.52 due to insufficient input sanitization and output escaping on user supplied 'location' attribute.

5.4
2024-02-02 CVE-2023-51072 Nagios Cross-site Scripting vulnerability in Nagios XI

A stored cross-site scripting (XSS) vulnerability in the NOC component of Nagios XI version up to and including 2024R1 allows low-privileged users to execute malicious HTML or JavaScript code via the audio file upload functionality from the Operation Center section.

5.4
2024-02-02 CVE-2024-1073 WP Slimstat Cross-site Scripting vulnerability in Wp-Slimstat Slimstat Analytics

The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'filter_array' parameter in all versions up to, and including, 5.1.3 due to insufficient input sanitization and output escaping.

5.4
2024-02-02 CVE-2024-21485 Plotly Cross-site Scripting vulnerability in Plotly Dash

Versions of the package dash-core-components before 2.13.0; versions of the package dash-core-components before 2.0.0; versions of the package dash before 2.15.0; versions of the package dash-html-components before 2.0.0; versions of the package dash-html-components before 2.0.16 are vulnerable to Cross-site Scripting (XSS) when the href of the a tag is controlled by an adversary.

5.4
2024-02-02 CVE-2022-40744 IBM Cross-site Scripting vulnerability in IBM Aspera Faspex

IBM Aspera Faspex 5.0.6 is vulnerable to stored cross-site scripting.

5.4
2024-02-02 CVE-2023-46344 Solar LOG Cross-site Scripting vulnerability in Solar-Log 2000 Pm+ Firmware 15.10.2019

A vulnerability in Solar-Log Base 15 Firmware 6.0.1 Build 161, and possibly other Solar-Log Base products, allows an attacker to escalate their privileges by exploiting a stored cross-site scripting (XSS) vulnerability in the switch group function under /#ilang=DE&b=c_smartenergy_swgroups in the web portal.

5.4
2024-02-02 CVE-2023-50941 IBM Session Fixation vulnerability in IBM Powersc 1.3/2.0/2.1

IBM PowerSC 1.3, 2.0, and 2.1 does not provide logout functionality, which could allow an authenticated user to gain access to an unauthorized user using session fixation.

5.4
2024-02-02 CVE-2024-21794 Rapidscada Open Redirect vulnerability in Rapidscada Rapid Scada

In Rapid Software LLC's Rapid SCADA versions prior to Version 5.8.4, an attacker can redirect users to malicious pages through the login page.

5.4
2024-02-01 CVE-2024-24059 Aitangbao Cross-site Scripting vulnerability in Aitangbao Springboot-Manager 1.6

springboot-manager v1.6 is vulnerable to Arbitrary File Upload.

5.4
2024-02-01 CVE-2024-24060 Aitangbao Cross-site Scripting vulnerability in Aitangbao Springboot-Manager 1.6

springboot-manager v1.6 is vulnerable to Cross Site Scripting (XSS) via /sys/user.

5.4
2024-02-01 CVE-2024-24061 Aitangbao Cross-site Scripting vulnerability in Aitangbao Springboot-Manager 1.6

springboot-manager v1.6 is vulnerable to Cross Site Scripting (XSS) via /sysContent/add.

5.4
2024-02-01 CVE-2024-24062 Aitangbao Cross-site Scripting vulnerability in Aitangbao Springboot-Manager 1.6

springboot-manager v1.6 is vulnerable to Cross Site Scripting (XSS) via /sys/role.

5.4
2024-02-01 CVE-2023-51506 Pluginus Cross-site Scripting vulnerability in Pluginus Wordpress Currency Switcher

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in realmag777 WPCS – WordPress Currency Switcher Professional allows Stored XSS.This issue affects WPCS – WordPress Currency Switcher Professional: from n/a through 1.2.0.

5.4
2024-02-01 CVE-2023-51514 Codeboxr Cross-site Scripting vulnerability in Codeboxr CBX Bookmark & Favorite

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Codeboxr Team CBX Bookmark & Favorite allows Stored XSS.This issue affects CBX Bookmark & Favorite: from n/a through 1.7.13.

5.4
2024-02-01 CVE-2023-51520 Wpbookingcalendar Cross-site Scripting vulnerability in Wpbookingcalendar Booking Calendar

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPdevelop / Oplugins WP Booking Calendar allows Stored XSS.This issue affects WP Booking Calendar: from n/a before 9.7.4.

5.4
2024-02-01 CVE-2023-51532 Icegram Cross-site Scripting vulnerability in Icegram Engage

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Icegram Icegram Engage – WordPress Lead Generation, Popup Builder, CTA, Optins and Email List Building allows Stored XSS.This issue affects Icegram Engage – WordPress Lead Generation, Popup Builder, CTA, Optins and Email List Building: from n/a through 3.1.19.

5.4
2024-02-01 CVE-2023-51666 Pickplugins Cross-site Scripting vulnerability in Pickplugins Related Post

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PickPlugins Related Post allows Stored XSS.This issue affects Related Post: from n/a through 2.0.53.

5.4
2024-02-01 CVE-2023-51669 Artiosmedia Cross-site Scripting vulnerability in Artiosmedia Product Code for Woocommerce

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Artios Media Product Code for WooCommerce allows Stored XSS.This issue affects Product Code for WooCommerce: from n/a through 1.4.4.

5.4
2024-02-01 CVE-2023-51674 Vasyltech Cross-site Scripting vulnerability in Vasyltech Advanced Access Manager

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AAM Advanced Access Manager – Restricted Content, Users & Roles, Enhanced Security and More allows Stored XSS.This issue affects Advanced Access Manager – Restricted Content, Users & Roles, Enhanced Security and More: from n/a through 6.9.18.

5.4
2024-02-01 CVE-2023-51677 Structured Data FOR WP Cross-site Scripting vulnerability in Structured-Data-For-Wp Download Schema & Structured Data for WP & AMP

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Magazine3 Schema & Structured Data for WP & AMP allows Stored XSS.This issue affects Schema & Structured Data for WP & AMP: from n/a through 1.23.

5.4
2024-02-01 CVE-2023-51684 Sandhillsdev Cross-site Scripting vulnerability in Sandhillsdev Easy Digital Downloads

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Easy Digital Downloads Easy Digital Downloads – Sell Digital Files (eCommerce Store & Payments Made Easy) allows Stored XSS.This issue affects Easy Digital Downloads – Sell Digital Files (eCommerce Store & Payments Made Easy): from n/a through 3.2.5.

5.4
2024-02-01 CVE-2023-51689 Noorsplugin Cross-site Scripting vulnerability in Noorsplugin Easy Video Player

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in naa986 Easy Video Player allows Stored XSS.This issue affects Easy Video Player: from n/a through 1.2.2.10.

5.4
2024-02-01 CVE-2023-51690 Tinywebgallery Cross-site Scripting vulnerability in Tinywebgallery Advanced Iframe

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Advanced iFrame allows Stored XSS.This issue affects Advanced iFrame: from n/a through 2023.8.

5.4
2024-02-01 CVE-2023-51693 Themify Cross-site Scripting vulnerability in Themify Icons

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themify Icons allows Stored XSS.This issue affects Themify Icons: from n/a through 2.0.1.

5.4
2024-02-01 CVE-2023-51694 Epiph Cross-site Scripting vulnerability in Epiph Embed Privacy

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Epiphyt Embed Privacy allows Stored XSS.This issue affects Embed Privacy: from n/a through 1.8.0.

5.4
2024-02-01 CVE-2023-52118 WP Eventmanager Cross-site Scripting vulnerability in Wp-Eventmanager WP Event Manager 1.0

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Event Manager WP User Profile Avatar allows Stored XSS.This issue affects WP User Profile Avatar: from n/a through 1.0.

5.4
2024-02-01 CVE-2023-52175 Michaeluno Cross-site Scripting vulnerability in Michaeluno Auto Amazon Links

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Michael Uno (miunosoft) Auto Amazon Links – Amazon Associates Affiliate Plugin allows Stored XSS.This issue affects Auto Amazon Links – Amazon Associates Affiliate Plugin: from n/a through 5.1.1.

5.4
2024-02-01 CVE-2023-52188 Russelljamieson Cross-site Scripting vulnerability in Russelljamieson Footer Putter

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Russell Jamieson Footer Putter allows Stored XSS.This issue affects Footer Putter: from n/a through 1.17.

5.4
2024-02-01 CVE-2023-52189 Jhayghost Cross-site Scripting vulnerability in Jhayghost Ideal Interactive MAP

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jhayghost Ideal Interactive Map allows Stored XSS.This issue affects Ideal Interactive Map: from n/a through 1.2.4.

5.4
2024-02-01 CVE-2023-52191 Torbjon Cross-site Scripting vulnerability in Torbjon Infogram

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Torbjon Infogram – Add charts, maps and infographics allows Stored XSS.This issue affects Infogram – Add charts, maps and infographics: from n/a through 1.6.1.

5.4
2024-02-01 CVE-2023-52192 Keap Cross-site Scripting vulnerability in Keap Official Opt-In Forms 1.0.11

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Keap Keap Official Opt-in Forms allows Stored XSS.This issue affects Keap Official Opt-in Forms: from n/a through 1.0.11.

5.4
2024-02-01 CVE-2023-52193 Livecomposerplugin Cross-site Scripting vulnerability in Livecomposerplugin Live-Composer-Page-Builder

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Live Composer Team Page Builder: Live Composer allows Stored XSS.This issue affects Page Builder: Live Composer: from n/a through 1.5.23.

5.4
2024-02-01 CVE-2023-52194 Takayukimiyauchi Cross-site Scripting vulnerability in Takayukimiyauchi Oembed Gist

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Takayuki Miyauchi oEmbed Gist allows Stored XSS.This issue affects oEmbed Gist: from n/a through 4.9.1.

5.4
2024-02-01 CVE-2023-52195 Kerryjames Cross-site Scripting vulnerability in Kerryjames Posts to Page

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Posts to Page Kerry James allows Stored XSS.This issue affects Kerry James: from n/a through 1.7.

5.4
2024-02-01 CVE-2023-7069 Tinywebgallery Cross-site Scripting vulnerability in Tinywebgallery Advanced Iframe

The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'advanced_iframe' shortcode in all versions up to, and including, 2023.10 due to insufficient input sanitization and output escaping on user supplied attributes.

5.4
2024-02-01 CVE-2024-23941 Group Office Cross-site Scripting vulnerability in Group-Office Group Office

Cross-site scripting vulnerability exists in Group Office prior to v6.6.182, prior to v6.7.64 and prior to v6.8.31, which may allow a remote authenticated attacker to execute an arbitrary script on the web browser of the user who is logging in to the product.

5.4
2024-01-31 CVE-2024-24571 Facilemanager Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Facilemanager

facileManager is a modular suite of web apps built with the sysadmin in mind.

5.4
2024-01-31 CVE-2024-22146 Magazine3 Cross-site Scripting vulnerability in Magazine3 Schema & Structured Data for WP & AMP

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Magazine3 Schema & Structured Data for WP & AMP allows Stored XSS.This issue affects Schema & Structured Data for WP & AMP: from n/a through 1.25.

5.4
2024-01-31 CVE-2024-22150 Pwrplugins Cross-site Scripting vulnerability in Pwrplugins Powerfolio

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PWR Plugins Portfolio & Image Gallery for WordPress | PowerFolio allows Stored XSS.This issue affects Portfolio & Image Gallery for WordPress | PowerFolio: from n/a through 3.1.

5.4
2024-01-31 CVE-2024-22158 Peepso Cross-site Scripting vulnerability in Peepso

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PeepSo Community by PeepSo – Social Network, Membership, Registration, User Profiles allows Stored XSS.This issue affects Community by PeepSo – Social Network, Membership, Registration, User Profiles: from n/a before 6.3.1.0.

5.4
2024-01-31 CVE-2024-22292 Delower Cross-site Scripting vulnerability in Delower WP to DO

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Delower WP To Do allows Stored XSS.This issue affects WP To Do: from n/a through 1.2.8.

5.4
2024-01-31 CVE-2024-22295 Robogallery Cross-site Scripting vulnerability in Robogallery Robo Gallery

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RoboSoft Photo Gallery, Images, Slider in Rbs Image Gallery allows Stored XSS.This issue affects Photo Gallery, Images, Slider in Rbs Image Gallery: from n/a through 3.2.17.

5.4
2024-01-31 CVE-2024-22297 Codeboxr Cross-site Scripting vulnerability in Codeboxr CBX MAP 1.1.11

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Codeboxr CBX Map for Google Map & OpenStreetMap allows Stored XSS.This issue affects CBX Map for Google Map & OpenStreetMap: from n/a through 1.1.11.

5.4
2024-01-31 CVE-2024-22302 Albo Pretorio ON Line Project Cross-site Scripting vulnerability in Albo Pretorio on Line Project Albo Pretorio on Line

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ignazio Scimone Albo Pretorio On line allows Stored XSS.This issue affects Albo Pretorio On line: from n/a through 4.6.6.

5.4
2024-01-31 CVE-2024-22310 Formzu Cross-site Scripting vulnerability in Formzu WP

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Formzu Inc.

5.4
2024-01-31 CVE-2024-23502 Infornweb Cross-site Scripting vulnerability in Infornweb Posts List Designer BY Category

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in InfornWeb Posts List Designer by Category – List Category Posts Or Recent Posts allows Stored XSS.This issue affects Posts List Designer by Category – List Category Posts Or Recent Posts: from n/a through 3.3.2.

5.4
2024-01-31 CVE-2024-23505 Dearhive Cross-site Scripting vulnerability in Dearhive Dearpdf

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DearHive PDF Viewer & 3D PDF Flipbook – DearPDF allows Stored XSS.This issue affects PDF Viewer & 3D PDF Flipbook – DearPDF: from n/a through 2.0.38.

5.4
2024-01-31 CVE-2024-1103 Surajkumarvishwakarma Cross-site Scripting vulnerability in Surajkumarvishwakarma Real Estate Management System 1.0

A vulnerability was found in CodeAstro Real Estate Management System 1.0.

5.4
2024-01-31 CVE-2024-0589 Devolutions Cross-site Scripting vulnerability in Devolutions Remote Desktop Manager

Cross-site scripting (XSS) vulnerability in the entry overview tab in Devolutions Remote Desktop Manager 2023.3.36 and earlier on Windows allows an attacker with access to a data source to inject a malicious script via a specially crafted input in an entry.

5.4
2024-01-31 CVE-2024-1099 Ruifang Tech Cross-site Scripting vulnerability in Ruifang-Tech Rebuild

A vulnerability was found in Rebuild up to 3.5.5.

5.4
2024-01-31 CVE-2023-50357 Areal Topkapi Cross-site Scripting vulnerability in Areal-Topkapi Webserv1 6.1

A cross site scripting vulnerability in the AREAL SAS Websrv1 ASP website allows a remote low-privileged attacker to gain escalated privileges of other non-admin users.

5.4
2024-01-31 CVE-2023-2439 Userproplugin Cross-site Scripting vulnerability in Userproplugin Userpro

The UserPro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'userpro' shortcode in versions up to, and including, 5.1.5 due to insufficient input sanitization and output escaping on user supplied attributes.

5.4
2024-01-31 CVE-2024-22569 Poscms Cross-site Scripting vulnerability in Poscms 4.6.2

Stored Cross-Site Scripting (XSS) vulnerability in POSCMS v4.6.2, allows attackers to execute arbitrary code via a crafted payload to /index.php?c=install&m=index&step=2&is_install_db=0.

5.4
2024-01-30 CVE-2024-1030 Cogites Cross-site Scripting vulnerability in Cogites Ereserv 7.7.58

A vulnerability was found in Cogites eReserv 7.7.58.

5.4
2024-01-30 CVE-2023-36259 Craftcms Cross-site Scripting vulnerability in Craftcms Craft CMS

Cross Site Scripting (XSS) vulnerability in Craft CMS Audit Plugin before version 3.0.2 allows attackers to execute arbitrary code during user creation.

5.4
2024-01-30 CVE-2023-7225 Mappresspro Cross-site Scripting vulnerability in Mappresspro Mappress Maps for Wordpress

The MapPress Maps for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the width and height parameters in all versions up to, and including, 2.88.16 due to insufficient input sanitization and output escaping.

5.4
2024-01-29 CVE-2024-22570 Njtech Cross-site Scripting vulnerability in Njtech Greencms 2.3

A stored cross-site scripting (XSS) vulnerability in /install.php?m=install&c=index&a=step3 of GreenCMS v2.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

5.4
2024-01-29 CVE-2023-22836 Guardiansoft Unspecified vulnerability in Guardiansoft Guardian

In cases where a multi-tenant stack user is operating Foundry’s Linter service, and the user changes a group name from the default value, the renamed value may be visible to the rest of the stack’s tenants.

5.4
2024-01-29 CVE-2024-1010 Employee Management System Project Cross-site Scripting vulnerability in Employee Management System Project Employee Management System 1.0

A vulnerability classified as problematic has been found in SourceCodester Employee Management System 1.0.

5.4
2024-01-29 CVE-2023-6503 Paulgriffinpetty Cross-Site Request Forgery (CSRF) vulnerability in Paulgriffinpetty WP Plugin Lister 2.1.0

The WP Plugin Lister WordPress plugin through 2.1.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.

5.4
2024-01-29 CVE-2023-6530 Theme Junkie Cross-site Scripting vulnerability in Theme-Junkie TJ Shortcodes

The TJ Shortcodes WordPress plugin through 0.1.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

5.4
2024-01-29 CVE-2023-7089 Benjaminzekavica Cross-site Scripting vulnerability in Benjaminzekavica Easy SVG Support 1.0

The Easy SVG Allow WordPress plugin through 1.0 does not sanitize uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads.

5.4
2024-01-29 CVE-2024-22559 Lightcms Project Cross-site Scripting vulnerability in Lightcms Project Lightcms 2.0

LightCMS v2.0 is vulnerable to Cross Site Scripting (XSS) in the Content Management - Articles field.

5.4
2024-01-29 CVE-2023-5378 Megabip
Smod
Cross-site Scripting vulnerability in multiple products

Improper Input Validation vulnerability in MegaBIP and already unsupported SmodBIP software allows for Stored XSS.This issue affects SmodBIP in all versions and MegaBIP in versions up to 4.36.2. MegaBIP 5.08 was tested and is not vulnerable.

5.4
2024-02-03 CVE-2024-0853 Haxx Improper Certificate Validation vulnerability in Haxx Curl 8.5.0

curl inadvertently kept the SSL session ID for connections in its cache even when the verify status (*OCSP stapling*) test failed.

5.3
2024-02-02 CVE-2024-24560 Vyperlang Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Vyperlang Vyper

Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine.

5.3
2024-02-02 CVE-2024-1047 Themeisle Missing Authorization vulnerability in Themeisle Orbit FOX

The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the register_reference() function in all versions up to, and including, 2.10.28.

5.3
2024-02-02 CVE-2023-50328 IBM Exposure of Resource to Wrong Sphere vulnerability in IBM Powersc 1.3/2.0/2.1

IBM PowerSC 1.3, 2.0, and 2.1 may allow a remote attacker to view session identifiers passed via URL query strings.

5.3
2024-02-02 CVE-2023-50934 IBM Improper Authentication vulnerability in IBM Powersc 1.3/2.0/2.1

IBM PowerSC 1.3, 2.0, and 2.1 uses single-factor authentication which can lead to unnecessary risk of compromise when compared with the benefits of a dual-factor authentication scheme.

5.3
2024-02-02 CVE-2023-50327 IBM Interpretation Conflict vulnerability in IBM Powersc 1.3/2.0/2.1

IBM PowerSC 1.3, 2.0, and 2.1 uses insecure HTTP methods which could allow a remote attacker to perform unauthorized file request modification.

5.3
2024-02-02 CVE-2024-21866 Rapidscada Information Exposure Through an Error Message vulnerability in Rapidscada Rapid Scada

In Rapid Software LLC's Rapid SCADA versions prior to Version 5.8.4, the affected product responds back with an error message containing sensitive data if it receives a specific malformed request.

5.3
2024-02-01 CVE-2024-24755 Discourse Unspecified vulnerability in Discourse Group Membership IP Blocks

discourse-group-membership-ip-block is a discourse plugin that adds support for adding users to groups based on their IP address.

5.3
2024-01-31 CVE-2024-23650 Mobyproject Improper Check for Unusual or Exceptional Conditions vulnerability in Mobyproject Buildkit

BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner.

5.3
2024-01-31 CVE-2023-5390 Honeywell Path Traversal vulnerability in Honeywell products

An attacker could potentially exploit this vulnerability, leading to files being read from the Honeywell Experion ControlEdge VirtualUOC and ControlEdge UOC.

5.3
2024-01-31 CVE-2023-47116 Humansignal Server-Side Request Forgery (SSRF) vulnerability in Humansignal Label Studio

Label Studio is a popular open source data labeling tool.

5.3
2024-01-31 CVE-2024-24566 Lobehub Unspecified vulnerability in Lobehub Lobe Chat

Lobe Chat is a chatbot framework that supports speech synthesis, multimodal, and extensible Function Call plugin system.

5.3
2024-01-31 CVE-2023-6780 GNU
Fedoraproject
Incorrect Calculation of Buffer Size vulnerability in multiple products

An integer overflow was found in the __vsyslog_internal function of the glibc library.

5.3
2024-01-30 CVE-2024-24567 Vyperlang Improper Check for Unusual or Exceptional Conditions vulnerability in Vyperlang Vyper 0.1.0

Vyper is a pythonic Smart Contract Language for the ethereum virtual machine.

5.3
2024-01-30 CVE-2024-22200 Vantage6 Unspecified vulnerability in Vantage6 Vantage6-Ui

vantage6-UI is the User Interface for vantage6.

5.3
2024-01-30 CVE-2024-22646 Seopanel Information Exposure Through an Error Message vulnerability in Seopanel SEO Panel 4.10.0

An email address enumeration vulnerability exists in the password reset function of SEO Panel version 4.10.0.

5.3
2024-01-30 CVE-2024-22647 Seopanel Information Exposure Through Discrepancy vulnerability in Seopanel SEO Panel 4.10.0

An user enumeration vulnerability was found in SEO Panel 4.10.0.

5.3
2024-01-30 CVE-2024-22648 Seopanel Server-Side Request Forgery (SSRF) vulnerability in Seopanel SEO Panel 4.10.0

A Blind SSRF vulnerability exists in the "Crawl Meta Data" functionality of SEO Panel version 4.10.0.

5.3
2024-01-29 CVE-2023-4553 Opentext Unspecified vulnerability in Opentext Appbuilder 21.2

Improper Input Validation vulnerability in OpenText AppBuilder on Windows, Linux allows Probe System Files. AppBuilder configuration files are viewable by unauthenticated users. This issue affects AppBuilder: from 21.2 before 23.2.

5.3
2024-01-29 CVE-2024-1006 Shanxi Tianneng Technology Improper Authentication vulnerability in Shanxi Tianneng Technology Noderp

A vulnerability was found in Shanxi Diankeyun Technology NODERP up to 6.0.2 and classified as critical.

5.3
2024-01-29 CVE-2023-7199 Relevanssi Authorization Bypass Through User-Controlled Key vulnerability in Relevanssi

The Relevanssi WordPress plugin before 4.22.0, Relevanssi Premium WordPress plugin before 2.25.0 allows any unauthenticated user to read draft and private posts via a crafted request

5.3
2024-01-29 CVE-2023-40551 Redhat
Fedoraproject
Out-of-bounds Read vulnerability in multiple products

A flaw was found in the MZ binary format in Shim.

5.1
2024-02-04 CVE-2023-33851 IBM Unspecified vulnerability in IBM Powervm Hypervisor

IBM PowerVM Hypervisor FW950.00 through FW950.90, FW1020.00 through FW1020.40, and FW1030.00 through FW1030.30 could reveal sensitive partition data to a system administrator.

4.9
2024-02-02 CVE-2023-41274 Qnap NULL Pointer Dereference vulnerability in Qnap Qts, Quts Hero and Qutscloud

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions.

4.9
2024-02-02 CVE-2023-45026 Qnap Path Traversal vulnerability in Qnap Qts, Quts Hero and Qutscloud

A path traversal vulnerability has been reported to affect several QNAP operating system versions.

4.9
2024-02-02 CVE-2023-45027 Qnap Path Traversal vulnerability in Qnap Qts, Quts Hero and Qutscloud

A path traversal vulnerability has been reported to affect several QNAP operating system versions.

4.9
2024-02-02 CVE-2023-45028 Qnap Allocation of Resources Without Limits or Throttling vulnerability in Qnap Qts, Quts Hero and Qutscloud

An uncontrolled resource consumption vulnerability has been reported to affect several QNAP operating system versions.

4.9
2024-01-31 CVE-2024-23637 Octoprint Improper Authentication vulnerability in Octoprint 1.2.18

OctoPrint is a web interface for 3D printer.s OctoPrint versions up until and including 1.9.3 contain a vulnerability that allows malicious admins to change the password of other admin accounts, including their own, without having to repeat their password.

4.9
2024-01-30 CVE-2023-46230 Splunk Information Exposure Through Log Files vulnerability in Splunk Add-On Builder 4.1.0/4.1.1/4.1.2

In Splunk Add-on Builder versions below 4.1.4, the app writes sensitive information to internal log files.

4.9
2024-01-30 CVE-2024-23825 Tablepress Server-Side Request Forgery (SSRF) vulnerability in Tablepress

TablePress is a table plugin for Wordpress.

4.9
2024-02-01 CVE-2024-24569 Pixee Path Traversal vulnerability in Pixee Java Code Security Toolkit

The Pixee Java Code Security Toolkit is a set of security APIs meant to help secure Java code.

4.8
2024-02-01 CVE-2023-51534 Getbrave Cross-site Scripting vulnerability in Getbrave Brave

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brave Brave – Create Popup, Optins, Lead Generation, Survey, Sticky Elements & Interactive Content allows Stored XSS.This issue affects Brave – Create Popup, Optins, Lead Generation, Survey, Sticky Elements & Interactive Content: from n/a through 0.6.2.

4.8
2024-02-01 CVE-2023-51536 Crmperks Cross-site Scripting vulnerability in Crmperks CRM Perks Forms 1.1.1

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CRM Perks CRM Perks Forms – WordPress Form Builder allows Stored XSS.This issue affects CRM Perks Forms – WordPress Form Builder: from n/a through 1.1.2.

4.8
2024-02-01 CVE-2023-51548 Wpbeaches Cross-site Scripting vulnerability in Wpbeaches Slicknav Mobile Menu

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Neil Gee SlickNav Mobile Menu allows Stored XSS.This issue affects SlickNav Mobile Menu: from n/a through 1.9.2.

4.8
2024-02-01 CVE-2023-51685 Ljapps Cross-site Scripting vulnerability in Ljapps WP Review Slider

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LJ Apps WP Review Slider allows Stored XSS.This issue affects WP Review Slider: from n/a through 12.7.

4.8
2024-02-01 CVE-2023-51691 Gvectors Cross-site Scripting vulnerability in Gvectors Wpdiscuz

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gVectors Team Comments – wpDiscuz allows Stored XSS.This issue affects Comments – wpDiscuz: from n/a through 7.6.12.

4.8
2024-02-01 CVE-2023-51695 Wpeverest Cross-site Scripting vulnerability in Wpeverest Everest Forms

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPEverest Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease! allows Stored XSS.This issue affects Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease!: from n/a through 2.0.4.1.

4.8
2024-01-31 CVE-2024-22153 Fahadmahmood8 Cross-site Scripting vulnerability in Fahadmahmood8 Stock Locations for Woocommerce

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Fahad Mahmood & Alexandre Faustino Stock Locations for WooCommerce allows Stored XSS.This issue affects Stock Locations for WooCommerce: from n/a through 2.5.9.

4.8
2024-01-31 CVE-2024-22161 Harmonicdesign Cross-site Scripting vulnerability in Harmonicdesign HD Quiz

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Harmonic Design HD Quiz allows Stored XSS.This issue affects HD Quiz: from n/a through 1.8.11.

4.8
2024-01-31 CVE-2024-22306 Mangboard Cross-site Scripting vulnerability in Mangboard Mang Board

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hometory Mang Board WP allows Stored XSS.This issue affects Mang Board WP: from n/a through 1.7.7.

4.8
2024-01-29 CVE-2024-1022 Farahkharrat Cross-site Scripting vulnerability in Farahkharrat Simple Student Result Management System 5.6

A vulnerability, which was classified as problematic, was found in CodeAstro Simple Student Result Management System 5.6.

4.8
2024-01-29 CVE-2024-24134 Remyandrade Cross-site Scripting vulnerability in Remyandrade Online Food Menu 1.0

Sourcecodester Online Food Menu 1.0 is vulnerable to Cross Site Scripting (XSS) via the 'Menu Name' and 'Description' fields in the Update Menu section.

4.8
2024-01-29 CVE-2023-5124 Pagelayer Cross-site Scripting vulnerability in Pagelayer

The Page Builder: Pagelayer WordPress plugin before 1.8.0 doesn't prevent attackers with administrator privileges from inserting malicious JavaScript inside a post's header or footer code, even when unfiltered_html is disallowed, such as in multi-site WordPress configurations.

4.8
2024-01-29 CVE-2023-5943 Markusbegerow Cross-site Scripting vulnerability in Markusbegerow Wp-Adv-Quiz 1.0.2

The Wp-Adv-Quiz WordPress plugin before 1.0.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

4.8
2024-01-29 CVE-2023-5956 Markusbegerow Cross-site Scripting vulnerability in Markusbegerow Wp-Adv-Quiz 1.0.2

The Wp-Adv-Quiz WordPress plugin through 1.0.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

4.8
2024-01-29 CVE-2023-6165 Benaceur PHP Cross-site Scripting vulnerability in Benaceur-PHP Restrict Usernames Emails Characters

The Restrict Usernames Emails Characters WordPress plugin before 3.1.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

4.8
2024-02-01 CVE-2024-1040 Gesslergmbh Use of a Broken or Risky Cryptographic Algorithm vulnerability in Gesslergmbh Web-Master Firmware 7.9

Gessler GmbH WEB-MASTER user account is stored using a weak hashing algorithm.

4.4
2024-02-02 CVE-2024-1162 Themeisle Cross-Site Request Forgery (CSRF) vulnerability in Themeisle Orbit FOX

The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.10.29.

4.3
2024-02-02 CVE-2023-38020 IBM Improper Output Neutralization for Logs vulnerability in IBM Soar Qradar Plugin APP

IBM SOAR QRadar Plugin App 1.0 through 5.0.3 could allow an authenticated user to manipulate output written to log files.

4.3
2024-02-02 CVE-2023-50938 IBM User Interface (UI) Misrepresentation of Critical Information vulnerability in IBM Powersc 1.3/2.0/2.1

IBM PowerSC 1.3, 2.0, and 2.1 could allow a remote attacker to hijack the clicking action of the victim.

4.3
2024-01-31 CVE-2024-0836 Radiustheme Missing Authorization vulnerability in Radiustheme Review Schema

The WordPress Review & Structure Data Schema Plugin – Review Schema plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the rtrs_review_edit() function in all versions up to, and including, 2.1.14.

4.3
2024-01-30 CVE-2024-22193 Vantage6 Insecure Storage of Sensitive Information vulnerability in Vantage6

The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC).

4.3
2024-01-29 CVE-2023-6633 Sidenotesproject Cross-Site Request Forgery (CSRF) vulnerability in Sidenotesproject Side Notes 2.0.0

The Site Notes WordPress plugin through 2.0.0 does not have CSRF checks in some of its functionalities, which could allow attackers to make logged in users perform unwanted actions, such as deleting administration notes, via CSRF attacks

4.3

2 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2024-01-30 CVE-2024-21671 Vantage6 Information Exposure Through Discrepancy vulnerability in Vantage6

The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC).

3.7
2024-02-02 CVE-2024-23824 Mailcow Unspecified vulnerability in Mailcow Mailcow: Dockerized

mailcow is a dockerized email package, with multiple containers linked in one bridged network.

2.7