Search Results (343523 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-42616 1 Circl 1 Vulnerability-lookup 2025-12-09 N/A
Some endpoints in vulnerability-lookup that modified application state (e.g. changing database entries, user data, configurations, or other privileged actions) may have been accessible via HTTP GET requests without requiring a CSRF token. This flaw leaves the application vulnerable to Cross-Site Request Forgery (CSRF) attacks: an attacker who tricks a logged-in user into visiting a malicious website could cause the user’s browser to issue GET requests that perform unintended state-changing operations in the context of their authenticated session. Because the server would treat these GET requests as valid (since no CSRF protection or POST method enforcement was in place), the attacker could exploit this to escalate privileges, change settings, or carry out other unauthorized actions without needing the user’s explicit consent or awareness. The fix ensures that all state-changing endpoints now require HTTP POST requests and include a valid CSRF token. This enforces that state changes cannot be triggered by arbitrary cross-site GET requests. This issue affects Vulnerability-Lookup: before 2.18.0.
CVE-2023-5554 1 Linecorp 1 Line 2025-12-09 4.8 Medium
Lack of TLS certificate verification in log transmission of a financial module within LINE client for iOS prior to 13.16.0.
CVE-2025-64081 1 Pamzey 1 Patients Waiting Area Queue Management System 2025-12-08 9.8 Critical
SQL injection vulnerability in /php/api_patient_schedule.php in SourceCodester Patients Waiting Area Queue Management System v1 allows attackers to execute arbitrary SQL commands via the appointmentID parameter.
CVE-2025-66399 1 Cacti 1 Cacti 2025-12-08 8.8 High
Cacti is an open source performance and fault management framework. Prior to 1.2.29, there is an input-validation flaw in the SNMP device configuration functionality. An authenticated Cacti user can supply crafted SNMP community strings containing control characters (including newlines) that are accepted, stored verbatim in the database, and later embedded into backend SNMP operations. In environments where downstream SNMP tooling or wrappers interpret newline-separated tokens as command boundaries, this can lead to unintended command execution with the privileges of the Cacti process. This vulnerability is fixed in 1.2.29.
CVE-2025-12966 2 Plugins360, Wordpress 2 All-in-one Video Gallery, Wordpress 2025-12-08 8.8 High
The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the resolve_import_directory() function in versions 4.5.4 to 4.5.7. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVE-2025-54639 1 Huawei 1 Harmonyos 2025-12-08 5.5 Medium
ParcelMismatch vulnerability in attribute deserialization. Impact: Successful exploitation of this vulnerability may cause playback control screen display exceptions.
CVE-2025-54612 1 Huawei 1 Harmonyos 2025-12-08 5.9 Medium
Iterator failure vulnerability in the card management module. Impact: Successful exploitation of this vulnerability may affect function stability.
CVE-2025-54613 1 Huawei 1 Harmonyos 2025-12-08 5.9 Medium
Iterator failure vulnerability in the card management module. Impact: Successful exploitation of this vulnerability may affect function stability.
CVE-2025-54621 1 Huawei 1 Harmonyos 2025-12-08 5.3 Medium
Iterator failure issue in the WantAgent module. Impact: Successful exploitation of this vulnerability may cause memory release failures.
CVE-2025-54626 1 Huawei 1 Harmonyos 2025-12-08 4.4 Medium
Pointer dangling vulnerability in the cjwindow module. Impact: Successful exploitation of this vulnerability may affect function stability.
CVE-2025-48608 1 Google 1 Android 2025-12-08 5.5 Medium
In isValidMediaUri of SettingsProvider.java, there is a possible cross user media read due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
CVE-2025-48569 1 Google 1 Android 2025-12-08 5.5 Medium
In multiple locations, there is a possible permanent denial of service due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
CVE-2025-13639 4 Apple, Google, Linux and 1 more 4 Macos, Chrome, Linux Kernel and 1 more 2025-12-08 8.1 High
Inappropriate implementation in WebRTC in Google Chrome prior to 143.0.7499.41 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: Low)
CVE-2025-54629 1 Huawei 2 Emui, Harmonyos 2025-12-08 6.7 Medium
Race condition issue occurring in the physical page import process of the memory management module. Impact: Successful exploitation of this vulnerability may affect service integrity.
CVE-2024-58255 1 Huawei 2 Enzoh-w5611t, Enzoh-w5611t Firmware 2025-12-08 5 Medium
EnzoH has an OS command injection vulnerability. Successful exploitation of this vulnerability may lead to arbitrary command execution.
CVE-2024-58256 1 Huawei 2 Enzoh-w5611t, Enzoh-w5611t Firmware 2025-12-08 4.5 Medium
EnzoH has an OS command injection vulnerability. Successful exploitation of this vulnerability may lead to arbitrary command execution.
CVE-2024-58257 1 Huawei 2 Enzoh-w5611t, Enzoh-w5611t Firmware 2025-12-08 5.7 Medium
EnzoH has an OS command injection vulnerability. Successful exploitation of this vulnerability may lead to arbitrary command execution.
CVE-2025-66327 1 Huawei 1 Harmonyos 2025-12-08 7.1 High
Race condition vulnerability in the network module. Impact: Successful exploitation of this vulnerability may affect service confidentiality.
CVE-2025-66328 1 Huawei 1 Harmonyos 2025-12-08 8.4 High
Multi-thread race condition vulnerability in the network management module. Impact: Successful exploitation of this vulnerability may affect availability.
CVE-2025-52622 1 Hcltech 1 Bigfix Saas 2025-12-08 5.4 Medium
The BigFix SaaS's HTTP responses were missing some security headers. The absence of these headers weakens the application's client-side security posture, making it more vulnerable to common web attacks that these headers are designed to mitigate, such as Cross-Site Scripting (XSS), Clickjacking, and protocol downgrade attacks.