| CVE | Vendors | Products | Updated | CVSS v3.1 |
| --- | --- | --- | --- | --- |
| The webp-express plugin before 0.14.11 for WordPress has insufficient protection against arbitrary file reading. |
| The import-users-from-csv-with-meta plugin before 1.14.0.3 for WordPress has CSRF. |
| The import-users-from-csv-with-meta plugin before 1.14.0.3 for WordPress has XSS. |
| The import-users-from-csv-with-meta plugin before 1.14.1.3 for WordPress has XSS via imported data. |
| The import-users-from-csv-with-meta plugin before 1.14.2.1 for WordPress has directory traversal. |
| In GalliumOS 3.0, CONFIG_SECURITY_YAMA is disabled but /etc/sysctl.d/10-ptrace.conf tries to set /proc/sys/kernel/yama/ptrace_scope to 1, which might increase risk because of the appearance that a protection mechanism is present when actually it is not. |
| The ad-inserter plugin before 2.4.22 for WordPress has remote code execution. |
| The ad-inserter plugin before 2.4.20 for WordPress has path traversal. |
| The shortcode-factory plugin before 2.8 for WordPress has Local File Inclusion. |
| The option-tree plugin before 2.7.3 for WordPress has Object Injection because serialized classes are mishandled. |
| The option-tree plugin before 2.7.3 for WordPress has Object Injection because the + character is mishandled. |
| The option-tree plugin before 2.7.0 for WordPress has Object Injection by leveraging a valid nonce. |
| The yikes-inc-easy-mailchimp-extender plugin before 6.5.3 for WordPress has code injection via the admin input field. |
| The give plugin before 2.4.7 for WordPress has XSS via a donor name. |
| Valve Steam Client for Windows through 2019-08-20 has weak folder permissions, leading to privilege escalation (to NT AUTHORITY\SYSTEM) via crafted use of CreateMountPoint.exe and SetOpLock.exe to leverage a TOCTOU race condition. |
| Valve Steam Client for Windows through 2019-08-16 allows privilege escalation (to NT AUTHORITY\SYSTEM) because local users can replace the current versions of SteamService.exe and SteamService.dll with older versions that lack the CVE-2019-14743 patch. |
| tiki/tiki-upload_file.php in Tiki 18.4 allows remote attackers to upload JavaScript code that is executed upon visiting a tiki/tiki-download_file.php?display&fileId= URI. |
| In Zimbra Collaboration before 8.8.15 Patch 1, there is a non-persistent XSS vulnerability. |
| An issue was discovered on Zolo Halo devices via the Linkplay firmware. There is a Zolo Halo DNS rebinding attack. The device was found to be vulnerable to DNS rebinding. Combined with one of the many /httpapi.asp endpoint command-execution security issues, the DNS rebinding attack could allow an attacker to compromise the victim device from the Internet. |
| An issue was discovered on Zolo Halo devices via the Linkplay firmware. There is Zolo Halo LAN remote code execution. The Zolo Halo Bluetooth speaker had a GoAhead web server listening on port 80. The /httpapi.asp endpoint of the GoAhead web server was also vulnerable to multiple command execution vulnerabilities. |