| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| NULL Pointer Dereference in GitHub repository gpac/gpac prior to 2.3-DEV. |
| Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.3-DEV. |
| NULL Pointer Dereference in GitHub repository gpac/gpac prior to 2.3-DEV. |
| HashiCorp Vault and Vault Enterprise transit secrets engine allowed authorized users to specify arbitrary nonces, even with convergent encryption disabled. The encrypt endpoint, in combination with an offline attack, could be used to decrypt arbitrary ciphertext and potentially derive the authentication subkey when using transit secrets engine without convergent encryption. Introduced in 1.6.0 and fixed in 1.14.3, 1.13.7, and 1.12.11. |
| Divide By Zero in GitHub repository gpac/gpac prior to 2.3-DEV. |
|
The web interface of the PAC Device allows the device administrator user profile to store malicious scripts in some fields. The stored malicious script is then executed when the GUI is opened by any users of the webserver administration interface.
The root cause of the vulnerability is inadequate input validation and output encoding in the web administration interface component of the firmware.
This could lead to unauthorized access and data leakage
|
| Cross-Site Request Forgery vulnerability, whose exploitation could allow an attacker to perform different actions on the platform as an administrator, simply by changing the token value to "admin". It is also possible to perform POST, GET and DELETE requests without any token value. Therefore, an unprivileged remote user is able to create, delete and modify users within theapplication. |
| Cross-site Scripting (XSS) - Reflected in GitHub repository instantsoft/icms2 prior to 2.16.1. |
| Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository instantsoft/icms2 prior to 2.16.1. |
| Cross-site Scripting (XSS) - Stored in GitHub repository instantsoft/icms2 prior to 2.16.1-git. |
| Cross-site Scripting (XSS) - Stored in GitHub repository instantsoft/icms2 prior to 2.16.1-git. |
| Server-Side Request Forgery (SSRF) in GitHub repository instantsoft/icms2 prior to 2.16.1. |
| Improper Access Control in GitHub repository instantsoft/icms2 prior to 2.16.1-git. |
| Session Fixation in GitHub repository instantsoft/icms2 prior to 2.16.1. |
| The kk Star Ratings WordPress plugin before 5.4.6 does not implement atomic operations, allowing one user vote multiple times on a poll due to a Race Condition. |
| The controller responsible for setting the logging level does not include any authorization
checks to ensure the user is authenticated. This can be seen by noting that it extends
Controller rather than AuthenticatedController and includes no further checks. This issue affects YugabyteDB Anywhere: from 2.0.0 through 2.17.3
|
| An uncontrolled search path vulnerability was reported in Lenovo System Update that could allow an attacker with local access to execute code with elevated privileges. |
| Server-Side Request Forgery (SSRF) in GitHub repository bookstackapp/bookstack prior to v23.08. |
| This vulnerability allows remote attackers to disclose sensitive information on affected installations of LG LED Assistant. Authentication is not required to exploit this vulnerability. The specific flaw exists within the /api/thumbnail endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of the current user. |
| This vulnerability allows remote attackers to disclose sensitive information on affected installations of LG LED Assistant. Authentication is not required to exploit this vulnerability. The specific flaw exists within the /api/download/updateFile endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of the current user. |
