| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| A vulnerability has been found in SourceCodester Food Ordering System 1.0. This affects an unknown function of the file /purchase.php of the component Parameter Handler. The manipulation of the argument custom leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. |
| The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to unauthorized data loss in all versions up to, and including, 8.8.2. This is due to the resetSocialMetaTags() function only verifying that the user has the 'read' capability and a valid b2s_security_nonce, both of which are available to Subscriber-level users, as the plugin grants 'blog2social_access' capability to all roles upon activation, allowing them to access the plugin's admin pages where the nonce is output. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all _b2s_post_meta records from the wp_postmeta table, permanently removing all custom social media meta tags for every post on the site. |
| Cryptomator for Android offers multi-platform transparent client-side encryption for files in the cloud. Prior to version 1.12.3, an integrity check vulnerability allows an attacker tamper with the vault configuration file leading to a man-in-the-middle vulnerability in Hub key loading mechanism. Before this fix, the client trusted endpoints from the vault config without host authenticity checks, which could allow token exfiltration by mixing a legitimate auth endpoint with a malicious API endpoint. Impacted are users unlocking Hub-backed vaults with affected client versions in environments where an attacker can alter the vault.cryptomator file. This issue has been patched in version 1.12.3. |
| Local File Inclusion in Contact Plan, E-Mail, SMS and Fax components in Asseco SEE Live 2.0 allows remote authenticated users to access files on the host via "path" parameter in the downloadAttachment and downloadAttachmentFromPath API calls. |
| A vulnerability allowing a low-privileged user to extract saved SSH credentials. |
| A vulnerability allowing an authenticated domain user to perform remote code execution (RCE) on the Backup Server. |
| A vulnerability allowing an authenticated domain user to bypass restrictions and manipulate arbitrary files on a Backup Repository. |
| A vulnerability allowing local privilege escalation on Windows-based Veeam Backup & Replication servers. |
| A vulnerability allowing a Backup Viewer to perform remote code execution (RCE) as the postgres user. |
| AI command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network. |
| Improper export of android application components in Samsung Assistant prior to version 9.3.10.7 allows local attacker to access saved information. |
| URL redirection in Samsung Account prior to version 15.5.01.1 allows remote attackers to potentially get access token. |
| Exposure of sensitive functionality to an unauthorized actor in Smart Switch prior to version 3.7.69.15 allows remote attackers to set a specific configuration. |
| Use of a broken or risky cryptographic algorithm in Smart Switch prior to version 3.7.69.15 allows remote attackers to configure a downgraded scheme for authentication. |
| Improper verification of cryptographic signature in Smart Switch prior to version 3.7.69.15 allows remote attackers to potentially bypass authentication. |
| Improper authentication in Smart Switch prior to version 3.7.69.15 allows remote attackers to bypass authentication. |
| Authentication bypass by replay in Smart Switch prior to version 3.7.69.15 allows remote attackers to trigger privileged functions. |
| Improper access control in Galaxy Store prior to version 4.6.03.8 allows local attacker to create file with Galaxy Store privilege. |
| Improper verification of cryptographic signature in Galaxy Store prior to version 4.6.03.8 allows local attacker to install arbitrary application. |
| Improper authentication in Smart Switch prior to version 3.7.69.15 allows adjacent attackers to trigger a denial of service. |
