| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| The The Authors List plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.0.6. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. |
| yawkat LZ4 Java provides LZ4 compression for Java. Insufficient clearing of the output buffer in Java-based decompressor implementations in lz4-java 1.10.0 and earlier allows remote attackers to read previous buffer contents via crafted compressed input. In applications where the output buffer is reused without being cleared, this may lead to disclosure of sensitive data. JNI-based implementations are not affected. This vulnerability is fixed in 1.10.1. |
| DBIx::Class::EncodedColumn use the rand() function, which is not cryptographically secure to salt password hashes.
This vulnerability is associated with program files lib/DBIx/Class/EncodedColumn/Digest.pm.
This issue affects DBIx::Class::EncodedColumn until 0.00032. |
| SAP NetWeaver Application Server ABAP has HTML injection vulnerability. Due to this, an attacker could craft a URL with malicious script as payload and trick a victim with active user session into executing it. Upon successful exploit, this vulnerability could lead to limited access to data or its manipulation. There is no impact on availability. |
| The Proofpoint Encryption endpoint of Proofpoint Enterprise Protection contains a Server-Side Request Forgery vulnerability that allows an authenticated user to relay HTTP requests from the Protection server to otherwise private network addresses. |
| A vulnerability, which was classified as problematic, has been found in SIAM Industria de Automação e Monitoramento SIAM 2.0. This issue affects some unknown processing of the file /qrcode.jsp. The manipulation of the argument url leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| The Google Doc Embedder plugin for WordPress is vulnerable to Server Side Request Forgery via the 'gview' shortcode in versions up to, and including, 2.6.4. This can allow authenticated attackers with contributor-level permissions or above to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. |
| Maple versions up to and including 13's Maplet framework allows embedded commands to be executed automatically when a .maplet file is opened. This behavior bypasses standard security restrictions that normally prevent code execution in regular Maple worksheets. The vulnerability enables attackers to craft malicious .maplet files that execute arbitrary code without user interaction. |
| The com.superfast.video.downloader (aka Super Unlimited Video Downloader - All in One) application through 5.1.9 for Android allows an attacker to execute arbitrary JavaScript code via the com.bluesky.browser.ui.BrowserMainActivity component. |
| Ray is an AI compute engine. Prior to version 2.52.0, developers working with Ray as a development tool can be exploited via a critical RCE vulnerability exploitable via Firefox and Safari. This vulnerability is due to an insufficient guard against browser-based attacks, as the current defense uses the User-Agent header starting with the string "Mozilla" as a defense mechanism. This defense is insufficient as the fetch specification allows the User-Agent header to be modified. Combined with a DNS rebinding attack against the browser, and this vulnerability is exploitable against a developer running Ray who inadvertently visits a malicious website, or is served a malicious advertisement (malvertising). This issue has been patched in version 2.52.0. |
| CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel
vulnerability exists that could cause retrieval of password hash that could lead to denial of service and loss of
confidentiality and integrity of controllers. To be successful, the attacker needs to inject themself inside the
logical network while a valid user uploads or downloads a project file into the controller. |
| An issue in Termius Version 9.9.0 through v.9.16.0 allows a physically proximate attacker to execute arbitrary code via the insecure Electron Fuses configuration. |
| On a client with a non-admin user, a script can be integrated into a report. The reports could later be executed on the BRAIN2 server with administrator rights. |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Cobble cobble allows PHP Local File Inclusion.This issue affects Cobble: from n/a through <= 1.7. |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes HealthFirst healthfirst allows PHP Local File Inclusion.This issue affects HealthFirst: from n/a through <= 1.0.1. |
| Applications that use Wget to access a remote resource using shorthand URLs and pass arbitrary user credentials in the URL are vulnerable. In these cases attackers can enter crafted credentials which will cause Wget to access an arbitrary host. |
| Infinix devices contain a pre-loaded "com.transsion.agingfunction" application, that exposes an unsecured broadcast receiver. An attacker can communicate with the receiver and force the device to perform a factory reset without any Android system permissions.
After multiple attempts to contact the vendor we did not receive any answer. We suppose this issue affects all Infinix Mobile devices. |
| The Free Responsive Testimonials, Social Proof Reviews, and Customer Reviews – Stars Testimonials plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.3.3 via the 'stars-testimonials-with-slider-and-masonry-grid' shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary PHP files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where PHP files can be uploaded and included. |
| Mullvad VPN through 2024.1 on Android does not set a DNS server in the blocking state (after a hard failure to create a tunnel), and thus DNS traffic can leave the device. Data showing that the affected device was the origin of sensitive DNS requests may be observed and logged by operators of unintended DNS servers. |
| A vulnerability classified as problematic was found in Datacom DM955 5GT 1200 825.8010.00. Affected by this vulnerability is an unknown functionality of the component Wireless Basic Settings. The manipulation of the argument SSID leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. |