Search Results (367033 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2023-2336 1 Pimcore 1 Pimcore 2025-01-31 6.5 Medium
Path Traversal in GitHub repository pimcore/pimcore prior to 10.5.21.
CVE-2022-2937 1 Oxilab 1 Image Hover Effects Ultimate 2025-01-31 6.4 Medium
The Image Hover Effects Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Title & Description values that can be added to an Image Hover in versions up to, and including, 9.7.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. By default, the plugin only allows administrators access to edit Image Hovers, however, if a site admin makes the plugin's features available to lower privileged users through the 'Who Can Edit?' setting then this can be exploited by those users.
CVE-2022-2864 1 Superwhite 1 Demon Image Annotation 2025-01-31 8.8 High
The demon image annotation plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.7. This is due to missing nonce validation in the ~/includes/settings.php file. This makes it possible for unauthenticated attackers to modify the plugin's settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2022-3400 1 Bricksbuilder 1 Bricks 2025-01-31 6.5 Medium
The Bricks theme for WordPress is vulnerable to authorization bypass due to a missing capability check on the bricks_save_post AJAX action in versions 1.0 to 1.5.3. This makes it possible for authenticated attackers with minimal permissions, such as a subscriber, to edit any page, post, or template on the vulnerable WordPress website.
CVE-2022-3401 1 Bricksbuilder 1 Bricks 2025-01-31 8.8 High
The Bricks theme for WordPress is vulnerable to remote code execution due to the theme allowing site editors to include executable code blocks in website content in versions 1.2 to 1.5.3. This, combined with the missing authorization vulnerability (CVE-2022-3400), makes it possible for authenticated attackers with minimal permissions, such as a subscriber, can edit any page, post, or template on the vulnerable WordPress website and inject a code execution block that can be used to achieve remote code execution.
CVE-2023-28769 1 Zyxel 2 Dx5401-b0, Dx5401-b0 Firmware 2025-01-31 9.8 Critical
The buffer overflow vulnerability in the library “libclinkc.so” of the web server “zhttpd” in Zyxel DX5401-B0 firmware versions prior to V5.17(ABYO.1)C0 could allow a remote unauthenticated attacker to execute some OS commands or to cause denial-of-service (DoS) conditions on a vulnerable device.
CVE-2023-2322 1 Pimcore 1 Pimcore 2025-01-31 5.4 Medium
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.21.
CVE-2023-2323 1 Pimcore 1 Pimcore 2025-01-31 5.4 Medium
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.21.
CVE-2023-2327 1 Pimcore 1 Pimcore 2025-01-31 5.4 Medium
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.21.
CVE-2023-2340 1 Pimcore 1 Pimcore 2025-01-31 5.4 Medium
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.21.
CVE-2023-2341 1 Pimcore 1 Pimcore 2025-01-31 6.1 Medium
Cross-site Scripting (XSS) - Generic in GitHub repository pimcore/pimcore prior to 10.5.21.
CVE-2023-2342 1 Pimcore 1 Pimcore 2025-01-31 5.4 Medium
Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.5.21.
CVE-2023-30849 1 Pimcore 1 Pimcore 2025-01-31 8.8 High
Pimcore is an open source data and experience management platform. Prior to version 10.5.21, A SQL injection vulnerability exists in the translation export API. Users should update to version 10.5.21 to receive a patch or, as a workaround, or apply the patch manually.
CVE-2023-35685 1 Google 1 Android 2025-01-31 7.8 High
In DevmemIntMapPages of devicemem_server.c, there is a possible physical page uaf due to a logic error in the code. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation.
CVE-2023-33751 1 Mipjz Project 1 Mipjz 2025-01-31 5.4 Medium
A stored cross-site scripting (XSS) vulnerability in mipjz v5.0.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the name parameter at /app/tag/controller/ApiAdminTagCategory.php.
CVE-2023-33750 1 Mipjz Project 1 Mipjz 2025-01-31 5.4 Medium
A stored cross-site scripting (XSS) vulnerability in mipjz v5.0.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Description parameter at /index.php?s=/article/ApiAdminArticle/itemAdd.
CVE-2023-33617 1 Eparks 2 Fiberlink 210, Fiberlink 210 Firmware 2025-01-31 7.2 High
An OS Command Injection vulnerability in Parks Fiberlink 210 firmware version V2.1.14_X000 was found via the /boaform/admin/formPing target_addr parameter.
CVE-2023-33599 1 Easyimages2.0 Project 1 Easyimages2.0 2025-01-31 6.1 Medium
EasyImages2.0 ≤ 2.8.1 is vulnerable to Cross Site Scripting (XSS) via viewlog.php.
CVE-2023-33359 1 Piwigo 1 Piwigo 2025-01-31 4.3 Medium
Piwigo 13.6.0 is vulnerable to Cross Site Request Forgery (CSRF) in the "add tags" function.
CVE-2023-33244 1 Obsidian 1 Obsidian 2025-01-31 8.2 High
Obsidian before 1.2.2 allows calls to unintended APIs (for microphone access, camera access, and desktop notification) via an embedded web page.