| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| The memphis-documents-library plugin before 3.0 for WordPress has Remote File Inclusion. |
| The feature-comments plugin before 1.2.5 for WordPress has CSRF for featuring or burying a comment. |
| The user-domain-whitelist plugin before 1.5 for WordPress has CSRF. |
| The profile-builder plugin before 1.1.66 for WordPress has multiple XSS issues in forms. |
| The duplicate-post plugin before 2.6 for WordPress has SQL injection. |
| The duplicate-post plugin before 2.6 for WordPress has XSS. |
| The cforms2 plugin before 13.2 for WordPress has XSS in lib_ajax.php. |
| The i-recommend-this plugin before 3.7.3 for WordPress has SQL injection. |
| handle_messages in eXtl_tls.c in eXosip before 5.0.0 mishandles a negative value in a content-length header. |
| On Fitbit activity-tracker devices, certain addresses never change. According to the popets-2019-0036.pdf document, this leads to "permanent trackability" and "considerable privacy concerns" without a user-accessible anonymization feature. The devices, such as Charge 2, transmit Bluetooth Low Energy (BLE) advertising packets with a TxAdd flag indicating random addresses, but the addresses remain constant. If devices come within BLE range at one or more locations where an adversary has set up passive sniffing, the adversary can determine whether the same device has entered one of these locations. |
| In Vembu StoreGrid 4.4.x, the front page of the server web interface leaks the private IP address in the "ipaddress" hidden form value of the HTML source code, which is disclosed because of incorrect processing of an index.php/ trailing slash. |
| Vembu StoreGrid 4.4.x has XSS in interface/registercustomer/onlineregsuccess.php, interface/registerreseller/onlineregfailure.php, interface/registerclient/onlineregfailure.php, and interface/registercustomer/onlineregfailure.php. |
| Hash#slice in lib/i18n/core_ext/hash.rb in the i18n gem before 0.8.0 for Ruby allows remote attackers to cause a denial of service (application crash) via a call in a situation where :some_key is present in keep_keys but not present in the hash. |
| The wp-db-backup plugin 2.2.4 for WordPress relies on a five-character string for access control, which makes it easier for remote attackers to read backup archives via a brute-force attack. |
| The karo gem 2.3.8 for Ruby allows Remote command injection via the host field. |
| Umbraco before 7.2.0 has a remote PHP code execution vulnerability because Umbraco.Web.UI/config/umbracoSettings.Release.config does not block the upload of .php files. |
| The create_response function in server/server.c in Psensor before 1.1.4 allows Directory Traversal because it lacks a check for whether a file is under the webserver directory. |
| In utils.c in zsh before 5.0.6, there is a buffer overflow when scanning very long directory paths for symbolic links. |
| In exec.c in zsh before 5.0.7, there is a buffer overflow for very long fds in the ">& fd" syntax. |
| zsh before 5.0.7 allows evaluation of the initial values of integer variables imported from the environment (instead of treating them as literal numbers). That could allow local privilege escalation, under some specific and atypical conditions where zsh is being invoked in privilege-elevation contexts when the environment has not been properly sanitized, such as when zsh is invoked by sudo on systems where "env_reset" has been disabled. |
