| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Thirty Bees Core v1.4.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the backup_pagination parameter at /controller/AdminController.php. This vulnerability allows attackers to execute arbitrary JavaScript in the web browser of a user via a crafted payload. |
| A stored cross-site scripting (XSS) vulnerability in the component admin/AdminRequestSqlController.php of thirty bees before 1.5.0 allows attackers to execute arbitrary web script or HTML via $e->getMessage() error mishandling. |
| An issue discovered in Govee LED Strip v3.00.42 allows attackers to cause a denial of service via crafted Move and MoveWithOnoff commands. |
| An issue discovered in Nanoleaf Light strip v3.5.10 allows attackers to cause a denial of service via crafted write binding attribute commands. |
| An arbitrary file upload vulnerability in the component ajax_link.php of lylme_spage v1.7.0 allows attackers to execute arbitrary code via uploading a crafted file. |
| lylme_spage v1.7.0 was discovered to contain a SQL injection vulnerability via the $userip parameter at function.php. |
| zzzcms v2.2.0 was discovered to contain an open redirect vulnerability. |
| An issue in the component SuperUserSetuserModuleFrontController:init() of idnovate superuser before v2.4.2 allows attackers to bypass authentication via a crafted HTTP call. |
| exfatprogs before 1.2.2 allows out-of-bounds memory access, such as in read_file_dentry_set. |
| The Remote Application Server in Parallels RAS before 19.2.23975 does not segment virtualized applications from the server, which allows a remote attacker to achieve remote code execution via standard kiosk breakout techniques. |
| An indirect Object Reference (IDOR) in the Order and Invoice pages in Floorsight Customer Portal Q3 2023 allows an unauthenticated remote attacker to view sensitive customer information. |
| DS Wireless Communication (DWC) with DWC_VERSION_3 and DWC_VERSION_11 allows remote attackers to execute arbitrary code on a game-playing client's machine via a modified GPCM message. |
| The BGP daemon (bgpd) in IP Infusion ZebOS through 7.10.6 allow remote attackers to cause a denial of service by sending crafted BGP update messages containing a malformed attribute. |
| Cross Site Scripting (XSS) vulnerability in NASA Open MCT (aka openmct) through 3.1.0 allows attackers to run arbitrary code via the new component feature in the flexibleLayout plugin. |
| Cross Site Request Forgery (CSRF) vulnerability in NASA Open MCT (aka openmct) through 3.1.0 allows attackers to view sensitive information via the flexibleLayout plugin. |
| A privilege escalation vulnerability exists within the Qumu Multicast Extension v2 before 2.0.63 for Windows. When a standard user triggers a repair of the software, a pop-up window opens with SYSTEM privileges. Standard users may use this to gain arbitrary code execution as SYSTEM. |
| GibbonEdu Gibbon through version 25.0.0 allows /modules/Planner/resources_addQuick_ajaxProcess.php file upload with resultant XSS. The imageAsLinks parameter must be set to Y to return HTML code. The filename attribute of the bodyfile1 parameter is reflected in the response. |
| GibbonEdu Gibbon through version 25.0.0 allows Directory Traversal via the report template builder. An attacker can create a new Asset Component. The templateFileDestination parameter can be set to an arbitrary pathname (and extension). This allows creation of PHP files outside of the uploads directory, directly in the webroot. |
| GibbonEdu Gibbon version 25.0.0 allows HTML Injection via an IFRAME element to the Messager component. |
| An issue was discovered in Couchbase Server 7.2.0. There is a private key leak in debug.log while adding a pre-7.0 node to a 7.2 cluster. |