Search Results (366859 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2021-31711 1 Responsivefilemanager 1 Responsivefilemanager 2025-01-29 5.4 Medium
Cross Site Scripting vulnerability found in Trippo ResponsiveFilemanager v.9.14.0 and before allows a remote attacker to execute arbitrary code via the sort_by parameter in the dialog.php file.
CVE-2021-31240 1 Libming 1 Libming 2025-01-29 7.8 High
An issue found in libming v.0.4.8 allows a local attacker to execute arbitrary code via the parseSWF_IMPORTASSETS function in the parser.c file.
CVE-2021-28998 1 Cmsmadesimple 1 Cms Made Simple 2025-01-29 7.2 High
File upload vulnerability in CMS Made Simple through 2.2.15 allows remote authenticated attackers to gain a webshell via a crafted phar file.
CVE-2020-23363 1 Verydows 1 Verydows 2025-01-29 8.8 High
Cross Site Request Forgery (CSRF) vulnerability found in Verytops Verydows all versions that allows an attacker to execute arbitrary code via a crafted script.
CVE-2020-23362 1 Yershop Project 1 Yershop 2025-01-29 7.1 High
Insecure Permissons vulnerability found in Shop_CMS YerShop all versions allows a remote attacker to escalate privileges via the cover_id parameter.
CVE-2020-18280 1 Md Project 1 Md 2025-01-29 6.1 Medium
Cross Site Scripting vulnerability found in Phodal CMD v.1.0 allows a local attacker to execute arbitrary code via the EMBED SRC function.
CVE-2023-30855 1 Pimcore 1 Pimcore 2025-01-29 6.5 Medium
Pimcore is an open source data and experience management platform. Versions of Pimcore prior to 10.5.18 are vulnerable to path traversal. The impact of this path traversal and arbitrary extension is limited to creation of arbitrary files and appending data to existing files. When combined with the SQL Injection, the exported data `RESTRICTED DIFFUSION 9 / 9` can be controlled and a webshell can be uploaded. Attackers can use that to execute arbitrary PHP code on the server with the permissions of the webserver. Users may upgrade to version 10.5.18 to receive a patch or, as a workaround, apply the patch manually.
CVE-2023-31123 1 Effectindex 1 Tripreporter 2025-01-29 9.1 Critical
`effectindex/tripreporter` is a community-powered, universal platform for submitting and analyzing trip reports. Prior to commit bd80ba833b9023d39ca22e29874296c8729dd53b, any user with an account on an instance of `effectindex/tripreporter`, e.g. `subjective.report`, may be affected by an improper password verification vulnerability. The vulnerability allows any user with a password matching the password requirements to log in as any user. This allows access to accounts / data loss of the user. This issue is patched in commit bd80ba833b9023d39ca22e29874296c8729dd53b. No action necessary for users of `subjective.report`, and anyone running their own instance should update to this commit or newer as soon as possible. As a workaround, someone running their own instance may apply the patch manually.
CVE-2023-31140 1 Openproject 1 Openproject 2025-01-29 4.8 Medium
OpenProject is open source project management software. Starting with version 7.4.0 and prior to version 12.5.4, when a user registers and confirms their first two-factor authentication (2FA) device for an account, existing logged in sessions for that user account are not terminated. Likewise, if an administrators creates a mobile phone 2FA device on behalf of a user, their existing sessions are not terminated. The issue has been resolved in OpenProject version 12.5.4 by actively terminating sessions of user accounts having registered and confirmed a 2FA device. As a workaround, users who register the first 2FA device on their account can manually log out to terminate all other active sessions. This is the default behavior of OpenProject but might be disabled through a configuration option. Double check that this option is not overridden if one plans to employ the workaround.
CVE-2023-31141 1 Amazon 2 Opensearch, Opensearch Security 2025-01-29 4.8 Medium
OpenSearch is open-source software suite for search, analytics, and observability applications. Prior to versions 1.3.10 and 2.7.0, there is an issue with the implementation of fine-grained access control rules (document-level security, field-level security and field masking) where they are not correctly applied to the queries during extremely rare race conditions potentially leading to incorrect access authorization. For this issue to be triggered, two concurrent requests need to land on the same instance exactly when query cache eviction happens, once every four hours. OpenSearch 1.3.10 and 2.7.0 contain a fix for this issue.
CVE-2023-31133 1 Ghost 1 Ghost 2025-01-29 7.5 High
Ghost is an app for new-media creators with tools to build a website, publish content, send newsletters, and offer paid subscriptions to members. Prior to version 5.46.1, due to a lack of validation when filtering on the public API endpoints, it is possible to reveal private fields via a brute force attack. Ghost(Pro) has already been patched. Maintainers can find no evidence that the issue was exploited on Ghost(Pro) prior to the patch being added. Self-hosters are impacted if running Ghost a version below v5.46.1. v5.46.1 contains a fix for this issue. As a workaround, add a block for requests to `/ghost/api/content/*` where the `filter` query parameter contains `password` or `email`.
CVE-2023-22813 1 Westerndigital 4 My Cloud, My Cloud Home, My Cloud Os 5 and 1 more 2025-01-29 3.3 Low
A device API endpoint was missing access controls on Western Digital My Cloud OS 5 iOS and Anroid Mobile Apps, My Cloud Home iOS and Android Mobile Apps, SanDisk ibi iOS and Android Mobile Apps, My Cloud OS 5 Web App, My Cloud Home Web App and the SanDisk ibi Web App. Due to a permissive CORS policy and missing authentication requirement for private IPs, a remote attacker on the same network as the device could obtain device information by convincing a victim user to visit an attacker-controlled server and issue a cross-site request. This issue affects My Cloud OS 5 Mobile App: before 4.21.0; My Cloud Home Mobile App: before 4.21.0; ibi Mobile App: before 4.21.0; My Cloud OS 5 Web App: before 4.26.0-6126; My Cloud Home Web App: before 4.26.0-6126; ibi Web App: before 4.26.0-6126.
CVE-2023-31129 1 Contiki-ng 1 Contiki-ng 2025-01-29 7.5 High
The Contiki-NG operating system versions 4.8 and prior can be triggered to dereference a NULL pointer in the message handling code for IPv6 router solicitiations. Contiki-NG contains an implementation of IPv6 Neighbor Discovery (ND) in the module `os/net/ipv6/uip-nd6.c`. The ND protocol includes a message type called Router Solicitation (RS), which is used to locate routers and update their address information via the SLLAO (Source Link-Layer Address Option). If the indicated source address changes, a given neighbor entry is set to the STALE state. The message handler does not check for RS messages with an SLLAO that indicates a link-layer address change that a neighbor entry can actually be created for the indicated address. The resulting pointer is used without a check, leading to the dereference of a NULL pointer of type `uip_ds6_nbr_t`. The problem has been patched in the `develop` branch of Contiki-NG, and will be included in the upcoming 4.9 release. As a workaround, users can apply Contiki-NG pull request #2271 to patch the problem directly.
CVE-2024-57328 1 Projectworlds 1 Online Food Ordering System 2025-01-29 9.8 Critical
A SQL Injection vulnerability exists in the login form of Online Food Ordering System v1.0. The vulnerability arises because the input fields username and password are not properly sanitized, allowing attackers to inject malicious SQL queries to bypass authentication and gain unauthorized access.
CVE-2024-3913 1 Phoenixcontact 12 Charx Sec-3000, Charx Sec-3000 Firmware, Charx Sec-3050 and 9 more 2025-01-29 5.9 Medium
An unauthenticated remote attacker can use this vulnerability to change the device configuration due to a file writeable for short time after system startup.
CVE-2025-24166 2025-01-28 N/A
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
CVE-2022-48233 2 Google, Unisoc 14 Android, S8000, Sc7731e and 11 more 2025-01-28 5.5 Medium
In FM service , there is a possible missing params check. This could lead to local denial of service in FM service .
CVE-2022-48232 2 Google, Unisoc 14 Android, S8000, Sc7731e and 11 more 2025-01-28 5.5 Medium
In FM service , there is a possible missing params check. This could lead to local denial of service in FM service .
CVE-2022-48231 2 Google, Unisoc 14 Android, S8000, Sc7731e and 11 more 2025-01-28 5.5 Medium
In soter service, there is a possible missing permission check. This could lead to local denial of service with no additional execution privileges.
CVE-2022-47493 2 Google, Unisoc 14 Android, S8000, Sc7731e and 11 more 2025-01-28 5.5 Medium
In soter service, there is a possible missing permission check. This could lead to local denial of service with no additional execution privileges.