| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| The "system" function receives untrusted input from the user. If the "EnableJSCaching" option is enabled, it is possible to execute arbitrary code provided as the "Module" parameter. |
| The The Uix Slideshow plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.6.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. |
| A Prototype Pollution issue in getsetprop 1.1.0 allows an attacker to execute arbitrary code via global.accessor. |
| A security flaw has been discovered in Rebuild up to 4.1.3. Affected by this issue is some unknown functionality of the component Comment/Guestbook. Performing manipulation results in cross site scripting. It is possible to initiate the attack remotely. Upgrading to version 4.1.4 can resolve this issue. It is suggested to upgrade the affected component. According to the researcher the vendor has confirmed the flaw and fix in a private issue response. |
| A security vulnerability has been detected in AllStarLink Supermon up to 6.2. This vulnerability affects unknown code of the component AllMon2. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. This vulnerability only affects products that are no longer supported by the maintainer. |
| A vulnerability, which was classified as problematic, was found in Demtec Graphytics 5.0.7. This affects an unknown part of the file /visualization of the component HTTP GET Parameter Handler. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| An issue was discovered in mipjz 5.0.5. In the push method of app\tag\controller\ApiAdminTag.php the value of the postAddress parameter is not processed and is directly passed into curl_exec execution and output, resulting in Server-side request forgery (SSRF) vulnerability that can read server files. |
| Octo-STS is a GitHub App that acts like a Security Token Service (STS) for the GitHub API. Octo-STS versions before v0.5.3 are vulnerable to unauthenticated SSRF by abusing fields in OpenID Connect tokens. Malicious tokens were shown to trigger internal network requests which could reflect error logs with sensitive information. Upgrade to v0.5.3 to resolve this issue. This version includes patch sets to sanitize input and redact logging. |
| Use of password hash with insufficient computational effort issue exists in BUFFALO Wi-Fi router 'WSR-1800AX4 series'. When WPS is enabled, PIN code and/or Wi-Fi password may be obtained by an attacker. |
| The XML Sitemap & Google News plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.4.8 via the 'feed' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. |
| Improper conditions check in the Intel(R) Data Center GPU Max Series 1100 and 1550 products may allow an privileged user to potentially enable denial of service via local access. |
| A vulnerability, which was classified as problematic, was found in mirweiye Seven Bears Library CMS 2023. This affects an unknown part of the component Background Management Page. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. |
| SAP NetWeaver Administrator(System Overview) allows an authenticated attacker to enumerate accessible HTTP endpoints in the internal network by specially crafting HTTP requests. On successful exploitation this can result in Server-Side Request Forgery (SSRF) which could have a low impact on integrity and confidentiality of data. It has no impact on availability of the application. |
| Kong Insomnia Desktop Application before 11.0.2 contains a template injection vulnerability that allows attackers to execute arbitrary code. The vulnerability exists due to insufficient validation of user-supplied input when processing template strings, which can lead to arbitrary JavaScript execution in the context of the application. |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Hamed Naderfar Compute Links allows PHP Remote File Inclusion.This issue affects Compute Links: from n/a through 1.2.1. |
| ECOVACS Robotics Deebot T20 OMNI and T20e OMNI before 1.24.0 was discovered to contain a WiFi Remote Code Execution vulnerability. |
| A vulnerability was found in songquanpeng one-api up to 0.6.10. It has been classified as problematic. This affects an unknown part of the component System Setting Handler. The manipulation of the argument Homepage Content/About System/Footer leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. |
| An unauthenticated remote attacker can trick a high privileged user into uploading a malicious payload via the config-upload endpoint, leading to code injection as root. This results in a total loss of confidentiality, availability and integrity due to improper control of code generation ('Code Injection’). |
| An low privileged remote attacker with an account for the Web-based management can change the system configuration to perform a command injection as root, resulting in a total loss of confidentiality, availability and integrity due to improper control of generation of code ('Code Injection'). |
| luci-app-sms-tool v1.9-6 was discovered to contain a command injection vulnerability via the score parameter. |