| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Kunena before 5.0.4 does not restrict avatar file extensions to gif, jpeg, jpg, and png. This can lead to XSS and remote code execution. |
| An issue was discovered in the Huge-IT gallery-images plugin before 1.9.0 for WordPress. The headers Client-Ip and X-Forwarded-For are prone to unauthenticated SQL injection. The affected file is gallery-images.php. The affected function is huge_it_image_gallery_ajax_callback(). |
| The application login page in AKIPS Network Monitor 15.37 through 16.5 allows a remote unauthenticated attacker to execute arbitrary OS commands via shell metacharacters in the username parameter (a failed login attempt returns the command-injection output to a limited login failure field). This is fixed in 16.6. |
| NETGEAR JNR1010 devices before 1.0.0.32 allow webproc?getpage= XSS. |
| NETGEAR JNR1010 devices before 1.0.0.32 allow cgi-bin/webproc CSRF via the :InternetGatewayDevice.X_TWSZ-COM_URL_Filter.BlackList.1.URL parameter. |
| NETGEAR JNR1010 devices before 1.0.0.32 have Incorrect Access Control because the ok value of the auth cookie is a special case. |
| The wp-listings plugin before 2.0.2 for WordPress has includes/views/single-listing.php XSS. |
| The sola-support-tickets plugin before 3.13 for WordPress has incorrect access control for /wp-admin with resultant XSS. |
| The wp-invoice plugin before 4.1.1 for WordPress has wpi_update_user_option privilege escalation. |
| The wp-invoice plugin before 4.1.1 for WordPress has incorrect access control over wpi_twocheckout payer metadata updates. |
| The wp-invoice plugin before 4.1.1 for WordPress has incorrect access control over wpi_interkassa payer metadata updates. |
| The wp-invoice plugin before 4.1.1 for WordPress has incorrect access control over wpi_paypal payer metadata updates. |
| The wp-invoice plugin before 4.1.1 for WordPress has incorrect access control over wpi_user_id for invoice retrieval. |
| The wp-invoice plugin before 4.1.1 for WordPress has incorrect access control for admin_init settings changes. |
| The instalinker plugin before 1.1.2 for WordPress has includes/instalinker-admin-preview.php?client_id= XSS. |
| The Elegant Themes Monarch plugin before 1.2.7 for WordPress has privilege escalation. |
| The Elegant Themes Bloom plugin before 1.1.1 for WordPress has privilege escalation. |
| The Elegant Themes Extra theme before 1.2.4 for WordPress has privilege escalation. |
| The user-submitted-posts plugin before 20160215 for WordPress has XSS via the user-submitted-content field. |
| The wp-ultimate-exporter plugin through 1.1 for WordPress has SQL injection via the export_type_name parameter. |
