| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| An issue was discovered in the Comments plugin before 1.5.6 for Craft CMS. There is stored XSS via a guest name. |
| WinGate v9.4.1.5998 has insecure permissions for the installation directory, which allows local users to gain privileges by replacing an executable file with a Trojan horse. |
| The Elementor Page Builder plugin before 2.9.9 for WordPress suffers from multiple stored XSS vulnerabilities. An author user can create posts that result in stored XSS vulnerabilities, by using a crafted link in the custom URL or by applying custom attributes. |
| The Elementor Page Builder plugin before 2.9.9 for WordPress suffers from a stored XSS vulnerability. An author user can create posts that result in a stored XSS by using a crafted payload in custom links. |
| The SAS portal of Mitel MiCollab before 9.1.3 could allow an attacker to access user data by performing a header injection in HTTP responses, due to the improper handling of input parameters. A successful exploit could allow an attacker to access user information. |
| An issue was discovered on Mofi Network MOFI4500-4GXeLTE 4.0.8-std devices. A format error in /etc/shadow, coupled with a logic bug in the LuCI - OpenWrt Configuration Interface framework, allows the undocumented system account mofidev to login to the cgi-bin/luci/quick/wizard management interface without a password by abusing a forgotten-password feature. |
| An issue was discovered on Mofi Network MOFI4500-4GXeLTE 3.6.1-std and 4.0.8-std devices. They contain two undocumented administrator accounts. The sftp and mofidev accounts are defined in /etc/passwd and the password is not unique across installations. |
| Artica Pandora FMS 7.44 has persistent XSS in the Messages feature. |
| Artica Pandora FMS 7.44 allows remote command execution via the events feature. |
| Dolibarr 11.0.4 is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities that could allow remote authenticated attackers to inject arbitrary web script or HTML via ticket/card.php?action=create with the subject, message, or address parameter; adherents/card.php with the societe or address parameter; product/card.php with the label or customcode parameter; or societe/card.php with the alias or barcode parameter. |
| phpList before 3.5.4 allows XSS via /lists/admin/user.php and /lists/admin/users.php. |
| A cross-site scripting (XSS) vulnerability in i-doit 1.14.2 allows remote attackers to inject arbitrary web script or HTML via the viewMode, tvMode, tvType, objID, catgID, objTypeID, or editMode parameter. |
| An issue was discovered in HiveMQ Broker Control Center 4.3.2. A crafted clientid parameter in an MQTT packet (sent to the Broker) is reflected in the client section of the management console. The attacker's JavaScript is loaded in a browser, which can lead to theft of the session and cookie of the administrator's account of the Broker. |
| Extreme Management Center 8.4.1.24 allows unauthenticated reflected XSS via a parameter in a GET request. |
| Extreme EAC Appliance 8.4.1.24 allows unauthenticated reflected XSS via a parameter in a GET request. |
| An issue was discovered in Foxit Studio Photo before 3.6.6.922. It has an out-of-bounds write via a crafted TIFF file. |
| An issue was discovered in Foxit Reader and PhantomPDF before 9.7.2. It allows information disclosure of a hardcoded username and password in the DocuSign plugin. |
| Rebar3 versions 3.0.0-beta.3 to 3.13.2 are vulnerable to OS command injection via URL parameter of dependency specification. |
| An issue was discovered in Navigate CMS through 2.8.7. It allows XSS because of a lack of purify calls in lib/packages/feeds/feed.class.php. |
| An issue was discovered in Navigate CMS through 2.8.7. It allows XSS because of a lack of purify calls in lib/packages/websites/website.class.php. |