Search Results (364098 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2023-37899 1 Feathersjs 1 Feathers 2024-11-21 7.5 High
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. Feathers socket handler did not catch invalid string conversion errors like `const message = ${{ toString: '' }}` which would cause the NodeJS process to crash when sending an unexpected Socket.io message like `socket.emit('find', { toString: '' })`. A fix has been released in versions 5.0.8 and 4.5.18. Users are advised to upgrade. There is no known workaround for this vulnerability.
CVE-2023-37897 1 Getgrav 1 Grav 2024-11-21 7.2 High
Grav is a file-based Web-platform built in PHP. Grav is subject to a server side template injection (SSTI) vulnerability. The fix for another SSTI vulnerability using `|map`, `|filter` and `|reduce` twigs implemented in the commit `71bbed1` introduces bypass of the denylist due to incorrect return value from `isDangerousFunction()`, which allows to execute the payload prepending double backslash (`\\`). The `isDangerousFunction()` check in version 1.7.42 and onwards retuns `false` value instead of `true` when the `\` symbol is found in the `$name`. This vulnerability can be exploited if the attacker has access to: 1. an Administrator account, or 2. a non-administrator, user account that has Admin panel access and Create/Update page permissions. A fix for this vulnerability has been introduced in commit `b4c6210` and is included in release version `1.7.42.2`. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2023-37896 1 Projectdiscovery 1 Nuclei 2024-11-21 7.5 High
Nuclei is a vulnerability scanner. Prior to version 2.9.9, a security issue in the Nuclei project affected users utilizing Nuclei as Go code (SDK) running custom templates. This issue did not affect CLI users. The problem was related to sanitization issues with payload loading in sandbox mode. There was a potential risk with payloads loading in sandbox mode. The issue occurred due to relative paths not being converted to absolute paths before doing the check for `sandbox` flag allowing arbitrary files to be read on the filesystem in certain cases when using Nuclei from `Go` SDK implementation. This issue has been fixed in version 2.9.9. The maintainers have also enabled sandbox by default for filesystem loading. This can be optionally disabled if required. The `-sandbox` option has been deprecated and is now divided into two new options: `-lfa` (allow local file access) which is enabled by default and `-lna` (restrict local network access) which can be enabled by users optionally. The `-lfa` allows file (payload) access anywhere on the system (disabling sandbox effectively), and `-lna` blocks connections to the local/private network.
CVE-2023-37894 1 Radiustheme 1 Variation Images Gallery For Woocommerce 2024-11-21 7.1 High
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in RadiusTheme Variation Images Gallery for WooCommerce plugin <= 2.3.3 versions.
CVE-2023-37893 1 Chop-chop 1 Coming Soon Chop Chop 2024-11-21 7.1 High
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Chop-Chop Coming Soon Chop Chop plugin <= 2.2.4 versions.
CVE-2023-37892 1 Pluginpress 1 Shortcode Imdb 2024-11-21 4.3 Medium
Cross-Site Request Forgery (CSRF) vulnerability in Kemal YAZICI - PluginPress Shortcode IMDB plugin <= 6.0.8 versions.
CVE-2023-37891 1 Optimonk 1 Optimonk\ 2024-11-21 4.3 Medium
Cross-Site Request Forgery (CSRF) vulnerability in OptiMonk OptiMonk: Popups, Personalization & A/B Testing plugin <= 2.0.4 versions.
CVE-2023-37889 1 Wpadmin 1 Aws Cdn 2024-11-21 4.3 Medium
Cross-Site Request Forgery (CSRF) vulnerability in WPAdmin WPAdmin AWS CDN plugin <= 2.0.13 versions.
CVE-2023-37881 1 Wftpserver 1 Wing Ftp Server 2024-11-21 4.9 Medium
Weak access control in Wing FTP Server (Admin Web Client) allows for privilege escalation.This issue affects Wing FTP Server: <= 7.2.0.
CVE-2023-37879 1 Wftpserver 1 Wing Ftp Server 2024-11-21 6.5 Medium
Insecure storage of sensitive information in Wing FTP Server (User Web Client) allows information elicitation.This issue affects Wing FTP Server: <= 7.2.0.
CVE-2023-37878 1 Wftpserver 1 Wing Ftp Server 2024-11-21 6.1 Medium
Insecure default permissions in Wing FTP Server (Admin Web Client) allows for privilege escalation.This issue affects Wing FTP Server: <= 7.2.0.
CVE-2023-37875 1 Wftpserver 1 Wing Ftp Server 2024-11-21 3 Low
Improper encoding or escaping of output in Wing FTP Server (User Web Client) allows Cross-Site Scripting (XSS).This issue affects Wing FTP Server: <= 7.2.0.
CVE-2023-37874 1 Riverside 1 Http Headers 2024-11-21 5.9 Medium
Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Dimitar Ivanov HTTP Headers plugin <= 1.18.11 versions.
CVE-2023-37873 1 Woocommerce 1 Shipping Multiple Addresses 2024-11-21 7.1 High
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WooCommerce Shipping Multiple Addresses plugin <= 3.8.5 versions.
CVE-2023-37864 1 Phoenixcontact 12 Wp 6070-wvps, Wp 6070-wvps Firmware, Wp 6101-wxps and 9 more 2024-11-21 7.2 High
In PHOENIX CONTACTs WP 6xxx series web panels in versions prior to 4.0.10 a remote attacker with SNMPv2 write privileges may use an a special SNMP request to gain full access to the device.
CVE-2023-37863 1 Phoenixcontact 12 Wp 6070-wvps, Wp 6070-wvps Firmware, Wp 6101-wxps and 9 more 2024-11-21 7.2 High
In PHOENIX CONTACTs WP 6xxx series web panels in versions prior to 4.0.10 a remote attacker with SNMPv2 write privileges may use an a special SNMP request to gain full access to the device.
CVE-2023-37862 1 Phoenixcontact 12 Wp 6070-wvps, Wp 6070-wvps Firmware, Wp 6101-wxps and 9 more 2024-11-21 8.2 High
In PHOENIX CONTACTs WP 6xxx series web panels in versions prior to 4.0.10 an unauthenticated remote attacker can access upload-functions of the HTTP API. This might cause certificate errors for SSL-connections and might result in a partial denial-of-service.
CVE-2023-37861 1 Phoenixcontact 12 Wp 6070-wvps, Wp 6070-wvps Firmware, Wp 6101-wxps and 9 more 2024-11-21 8.8 High
In PHOENIX CONTACTs WP 6xxx series web panels in versions prior to 4.0.10 an authenticated remote attacker can execute code with root permissions with a specially crafted HTTP POST when uploading a certificate to the device.
CVE-2023-37860 1 Phoenixcontact 12 Wp 6070-wvps, Wp 6070-wvps Firmware, Wp 6101-wxps and 9 more 2024-11-21 7.5 High
In PHOENIX CONTACTs WP 6xxx series web panels in versions prior to 4.0.10 a remote unauthenticated attacker can obtain the r/w community string of the SNMPv2 daemon.
CVE-2023-37859 1 Phoenixcontact 12 Wp 6070-wvps, Wp 6070-wvps Firmware, Wp 6101-wxps and 9 more 2024-11-21 7.2 High
In PHOENIX CONTACTs WP 6xxx series web panels in versions prior to 4.0.10 the SNMP daemon is running with root privileges allowing a remote attacker with knowledge of the SNMPv2 r/w community string to execute system commands as root.