| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in unFocus Projects Scripts n Styles plugin <= 3.5.7 versions. |
| Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in David Artiss Plugins List plugin <= 2.5 versions. |
| There is broken access control during authentication in Jamf Pro Server before 10.46.1. |
| Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Ransom Christofferson PDQ CSV plugin <= 1.0.0 versions. |
| Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS) vulnerability in realmag777 WOLF – WordPress Posts Bulk Editor and Manager Professional plugin <= 1.0.6 versions. |
| Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in MyTechTalky User Location and IP plugin <= 1.6 versions. |
| Cross-Site Request Forgery (CSRF) vulnerability in Ultimate Member plugin <= 2.6.0 versions. |
| Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in WPBakery Page Builder plugin <= 6.13.0 versions. |
| Improper neutralization of active check command arguments in Checkmk < 2.1.0p32, < 2.0.0p38, < 2.2.0p4 leads to arbitrary command execution for authenticated users. |
| Exposure of Resource to Wrong Sphere Vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.6.0. Attackers can change the immutable name and type of nodes of InLong. Users are advised to upgrade to Apache InLong's 1.7.0 or cherry-pick [1] to solve it.
[1] https://cveprocess.apache.org/cve5/[1]%C2%A0https://github.com/apache/inlong/pull/7891 https://github.com/apache/inlong/pull/7891 https://github.com/apache/inlong/pull/7891
|
| Improper input validation in some OpenVINO Model Server software before version 2022.3 for Intel Distribution of OpenVINO toolkit may allow an unauthenticated user to potentially enable denial of service via network access. |
| DroneScout ds230 Remote ID receiver from BlueMark Innovations is affected by an information loss vulnerability through traffic injection.
An attacker can exploit this vulnerability by injecting, on carefully selected channels, high power spoofed Open Drone ID (ODID) messages which force the DroneScout ds230 Remote ID receiver to drop real Remote ID (RID) information and, instead, generate and transmit JSON encoded MQTT messages containing crafted RID information. Consequently, the MQTT broker, typically operated by a system integrator, will have no access to the drones’ real RID information.
This issue affects the adjacent channel suppression algorithm present in DroneScout ds230 firmware from version 20211210-1627 through 20230329-1042. |
| DroneScout ds230 Remote ID receiver from BlueMark Innovations is affected by an Improper Authentication vulnerability during the firmware update procedure.
Specifically, the firmware update procedure ignores and does not check the validity of the TLS certificate of the HTTPS endpoint from which the firmware update package (.tar.bz2 file) is downloaded.
An attacker with the ability to put himself in a Man-in-the-Middle situation (e.g., DNS poisoning, ARP poisoning, control of a node on the route to the endpoint, etc.) can trick the DroneScout ds230 to install a crafted malicious firmware update containing arbitrary files (e.g., executable and configuration) and gain administrative (root) privileges on the underlying Linux operating system.
This issue affects DroneScout ds230 firmware from version 20211210-1627 through 20230329-1042. |
| Multiple TP-LINK products allow a network-adjacent authenticated attacker to execute arbitrary OS commands. Affected products/versions are as follows: Archer C50 firmware versions prior to 'Archer C50(JP)_V3_230505', Archer C55 firmware versions prior to 'Archer C55(JP)_V1_230506', and Archer C20 firmware versions prior to 'Archer C20(JP)_V1_230616'. |
| An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in the Schweitzer Engineering Laboratories SEL-451 could allow an attacker to craft a link that could execute arbitrary code on a victim's system.
See product Instruction Manual Appendix A dated 20230830 for more details.
|
| An Insufficient Entropy vulnerability in the Schweitzer Engineering Laboratories SEL-451 could allow an unauthenticated remote attacker to brute-force session tokens and bypass authentication.
See product Instruction Manual Appendix A dated 20230830 for more details.
|
|
An Execution with Unnecessary Privileges vulnerability in the Schweitzer Engineering Laboratories SEL-5037 SEL Grid Configurator could allow an attacker to run system commands with the highest level privilege on the system.
See Instruction Manual Appendix A and Appendix E dated 20230615 for more details.
This issue affects SEL-5037 SEL Grid Configurator: before 4.5.0.20.
|
|
A Cross-Site Request Forgery (CSRF) vulnerability in the Schweitzer Engineering Laboratories SEL-5037 SEL Grid Configurator could allow an attacker to embed instructions that could be executed by an authorized device operator.
See Instruction Manual Appendix A and Appendix E dated 20230615 for more details.
This issue affects SEL-5037 SEL Grid Configurator: before 4.5.0.20.
|
| Use of Hard-coded Credentials vulnerability in Schweitzer Engineering Laboratories SEL-5037 SEL Grid Configurator on Windows allows Authentication Bypass.
See Instruction Manual Appendix A and Appendix E dated 20230615 for more details.
This issue affects SEL-5037 SEL Grid Configurator: before 4.5.0.20.
|
|
An Incomplete Filtering of Special Elements vulnerability in the Schweitzer Engineering Laboratories SEL-5030 acSELerator QuickSet Software could allow an attacker to embed instructions that could be executed by an authorized device operator.
See Instruction Manual Appendix A and Appendix E dated 20230615 for more details.
This issue affects SEL-5030 acSELerator QuickSet Software: through 7.1.3.0.
|
