| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Unauthenticated Cross Site Scripting (XSS) in WowAddons <= 1.6.14 versions. |
| Unauthenticated Broken Access Control in POS Entegratör <= 3.7.103 versions. |
| Subscriber Broken Access Control in Werkstatt <= 4.7.2 versions. |
| Unauthenticated Cross Site Request Forgery (CSRF) in Werkstatt <= 4.7.2 versions. |
| Contributor Local File Inclusion in Shopify <= 1.0.0 versions. |
| Unauthenticated Broken Access Control in ez Form Calculator Premium <= 2.14.1.2 versions. |
| Unauthenticated Cross Site Request Forgery (CSRF) in Heateor Social Login <= 1.1.39 versions. |
| Unauthenticated Sensitive Data Exposure in Kit (formerly ConvertKit) for WooCommerce <= 2.1.5 versions. |
| Contributor Cross Site Scripting (XSS) in Mosaic Gallery – Advanced Gallery <= 1.2.0 versions. |
| Contributor SQL Injection in nicen-localize-image <= 1.4.9 versions. |
| Unauthenticated Cross Site Request Forgery (CSRF) in pCloud WP Backup <= 2.0.2 versions. |
| Unauthenticated Cross Site Request Forgery (CSRF) in SEOWP <= 3.12.2 versions. |
| Author Cross Site Scripting (XSS) in Simple URLs <= 151 versions. |
| Contributor Cross Site Scripting (XSS) in Structured Content <= 1.7.0 versions. |
| Contributor Cross Site Scripting (XSS) in Surbma | Yoast SEO Breadcrumb Shortcode <= 1.2 versions. |
| Missing Authorization vulnerability in Sendcloud Sendcloud Shipping allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects Sendcloud Shipping: from n/a through 1.0.29. |
| luci-app-travelmate (and the travelmate package) contain a privilege-escalation flaw: a LuCI/rpcd session holding the luci-app-travelmate write ACL is granted config-wide UCI write access to the travelmate configuration. While the LuCI UI restricts the auto-login script picker to /etc/travelmate/*.login, this is only a frontend restriction. The backend travelmate service (running as root) reads the raw UCI 'script' and 'script_args' values and executes the configured path when the captive-portal auto-login branch (f_check() in travelmate-functions.sh) is reached. An attacker with delegated write permissions can set script to /bin/sh and script_args to attacker-controlled arguments, resulting in arbitrary command execution as root. Confirmed in luci-app-travelmate/travelmate 2.4.5-r3; the sink is still present in travelmate 2.4.6-1 and no patched version is known. |
| The Minifilter communication port for driver `GFAC_Sys_x64.sys` in Little Orbit GFAC allows a local attacker to access privileged driver functionality via a communication interface that lacks appropriate access restrictions. |
| A NULL pointer dereference vulnerability for driver `GFAC_Sys_x64.sys` in Little Orbit GFAC allows a local attacker to cause a denial of service via crafted requests that trigger a system crash. |
| An improper validation vulnerability for driver `GFAC_Sys_x64.sys` in Little Orbit GFAC allows a local attacker to escalate privileges to SYSTEM and execute arbitrary code in kernel mode via crafted messages sent through a Minifilter communication port. |