| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| A lack of cascading deletes in GitLab CE/EE affecting all versions starting from 13.0 before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1 allows a malicious Group Owner to retain a usable Group Access Token even after the Group is deleted, though the APIs usable by that token are limited. |
| Old session tokens can be used to authenticate to the application and send authenticated requests. |
| The WordPress Popup WordPress plugin through 1.9.3.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup) |
| An issue has been discovered in GitLab CE/EE affecting all versions before 15.0.5, all versions starting from 15.1 before 15.1.4, all versions starting from 15.2 before 15.2.1. It may be possible for group members to bypass 2FA enforcement enabled at the group level by using Resource Owner Password Credentials grant to obtain an access token without using 2FA. |
| Multiple Lenze products of the cabinet series skip the password verification upon second login. After a user has been logged on to the device once, a remote attacker can get full access without knowledge of the password. |
| Buffer Over-read in GitHub repository hpjansson/chafa prior to 1.10.3. |
| Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.19. |
| The Allow SVG Files WordPress plugin through 1.1 does not sanitise uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads |
| Use after free in Chrome OS Shell in Google Chrome on Chrome OS prior to 103.0.5060.114 allowed a remote attacker who convinced a user to engage in specific user interactions to potentially exploit heap corruption via direct UI interactions. |
| Type confusion in V8 in Google Chrome prior to 103.0.5060.114 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
| Use After Free in GitHub repository vim/vim prior to 9.0. |
| Out-of-bounds Write in GitHub repository vim/vim prior to 9.0. |
| Out-of-bounds Read in GitHub repository vim/vim prior to 9.0. |
| Out-of-bounds Read in GitHub repository vim/vim prior to 9.0. |
| Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0. |
| Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0. |
| An information disclosure vulnerability in GitLab EE affecting all versions from 12.5 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1, allows disclosure of release titles if group milestones are associated with any project releases. |
| Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.19. |
| NULL Pointer Dereference in GitHub repository bfabiszewski/libmobi prior to 0.11. |
| The Featured Image from URL (FIFU) WordPress plugin before 4.0.1 does not validate, sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup) |