| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| In HotelDruid 3.0.0 and 3.0.7, the unauthenticated database-setup endpoint creadb.php can be reached before setup is completed and performs database creation without locking. By sending many concurrent requests, an attacker can trigger a race condition during which verbose SQL error messages disclose the administrator username, password hash, and salt. The same race leaves the setup partially initialized, so the administrator can no longer log in with the credentials set during installation, resulting in a denial of service that requires reinstallation to recover. Remote exploitation additionally requires the installation to allow non-localhost access. The vulnerability was fixed in version 3.0.8. |
| Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, the toc plugin and TableOfContents directive generate heading IDs as predictable toc_N values without slugifying the heading text, allowing attacker-controlled id="toc_N" content to collide with generated anchors and redirect same-page navigation, CSS selectors, or JavaScript handlers. This issue is fixed in version 3.3.0. |
| BLF file parser in Wireshark 4.6.0 to 4.6.6 and 4.4.0 to 4.4.16 allows possible information disclosure |
| The IP phone might use malicious input stored in configuration parameters and render it as content for the WebUI’s webpage. |
| GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.5 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an authenticated user to create a repository where the content displayed in the web interface differed from the content available for download, due to improper handling of Git reference name resolution. |
| A flaw has been found in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. This affects an unknown function of the component Web Management Interface. This manipulation of the argument suffix-rate-up causes command injection. The attack may be initiated remotely. The exploit has been published and may be used. The real existence of this vulnerability is still doubted at the moment. The vendor position is that post-authentication issues are not accepted as vulnerabilities. |
| A vulnerability was detected in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. The impacted element is an unknown function of the component Web Management Interface. The manipulation of the argument Name results in command injection. The attack can be launched remotely. The exploit is now public and may be used. There is ongoing doubt regarding the real existence of this vulnerability. The vendor position is that post-authentication issues are not accepted as vulnerabilities. |
| A security vulnerability has been detected in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. The affected element is an unknown function of the component Web Management Interface. The manipulation of the argument dpi leads to command injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. There are still doubts about whether this vulnerability truly exists. The vendor position is that post-authentication issues are not accepted as vulnerabilities. |
| A weakness has been identified in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. Impacted is an unknown function of the component Web Management Interface. Executing a manipulation of the argument src can lead to command injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. The presence of this vulnerability remains uncertain at this time. The vendor position is that post-authentication issues are not accepted as vulnerabilities. |
| Malicious use of a stolen cookie might allow modifications to the contents of the IP phone’s webpage. |
| A security flaw has been discovered in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. This issue affects some unknown processing of the component Web Management Interface. Performing a manipulation of the argument ecn-down results in command injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks. The existence of this vulnerability is still disputed at present. The vendor position is that post-authentication issues are not accepted as vulnerabilities. |
| A vulnerability was identified in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. This vulnerability affects unknown code of the component Web Management Interface. Such manipulation of the argument ecn-up leads to command injection. The attack may be performed from remote. The exploit is publicly available and might be used. The actual existence of this vulnerability is currently in question. The vendor position is that post-authentication issues are not accepted as vulnerabilities. |
| The Blocksy Companion plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 2.1.46 via the save_attachments function. This is due to the Custom Fonts extension registering a wp_check_filetype_and_ext filter that approves any filename containing .woff2 or .ttf as a substring via strpos() rather than validating that those strings appear as the final extension via PATHINFO_EXTENSION — allowing double-extension filenames such as shell.woff2.php to pass MIME validation and be handled as permitted font files. This makes it possible for unauthenticated attackers to upload files that may be executable, which makes remote code execution possible. This vulnerability is only exploitable when the premium version of the plugin (blocksy-companion-pro) is installed with both the WooCommerce Extra (Advanced Reviews) and Custom Fonts extensions active; the free blocksy-companion plugin does not contain the vulnerable code paths. |
| DBI versions before 1.650 for Perl are vulnerable to code injection via caller-influenced Profile.
When a string is assigned to a DBI handle's Profile attribute, DBI splits it into path, package and arguments, and interpolates the package part in a string eval with no validation of the package name.
Any caller-influenced value that reaches the Profile attribute is therefore arbitrary Perl code execution, including calls to run system commands.
The Profile attribute can be set from three different sources that can carry untrusted data: the DBI_PROFILE environment variable, a direct attribute assignment, and a DSN driver-attribute clause dbi:Driver(Profile=>SPEC):db.
An attacker controlling any of those inputs runs arbitrary Perl in the host process. The strongest remote position is a network-exposed DBI::Gofer / DBI::ProxyServer whose per-request DSN reaches the Profile attribute, letting a client execute code on the broker host. |
| The Easy Invoice plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.19. This is due to the plugin registering the easy_invoice_accept_quote and easy_invoice_decline_quote AJAX actions via wp_ajax_nopriv_ hooks and relying solely on a quote-scoped nonce that is rendered into the publicly accessible single quote template, combined with an ownership check that is gated behind an off-by-default Pro option (easy_invoice_pro_restrict_quote_to_client). This makes it possible for unauthenticated attackers to accept or decline arbitrary published quotes — and, depending on the configured accept action, automatically convert them into invoices (and even email them to the client) — by harvesting the per-quote nonce from the public quote page and submitting it to admin-ajax. |
| Hono is a Web application framework that provides support for any JavaScript runtime. From 4.3.3 before 4.12.27, the AWS API Gateway v1 adapter can drop a distinct repeated request header value because it de-duplicates values using a substring comparison instead of an exact match, so middleware or application logic that depends on the complete X-Forwarded-For chain, rate limiting, audit logging, or proxy-chain validation can receive incomplete data. This issue is fixed in version 4.12.27. |
| Imager versions before 1.033 for Perl treat unsigned EXIF IFD entry counts as signed.
Imager mishandled large EXIF IFD entry count values, treating them as negative numbers. This could lead to an attempt to allocate a block nearly the size of the address space, which fails and kills the process.
An attacker could craft an image with EXIF data that terminates a worker process. |
| A heap buffer overflow vulnerability was found in GStreamer's rfbsrc plugin. When a client connects to a malicious RFB/VNC server that advertises a 16bpp framebuffer and sends Hextile-encoded updates, the Hextile background fill path writes 32-bit pixel values into a buffer allocated for 16-bit pixels. This type mismatch causes an out-of-bounds heap write that can lead to denial of service (process crash) and potential memory corruption. |
| Crash in ciscodump 4.6.0 to 4.6.6 and 4.4.0 to 4.4.16 allows denial of service |
| Guzzle is an extensible PHP HTTP client. Prior to 7.12.3, CookieJar did not restrict cookies scoped to IP-address or bare-numeric Domain values to the exact host that set them, because SetCookie::matchesDomain() applied ordinary suffix matching to domains such as 192.168.0.1, [::1], or 1, allowing cross-host cookie disclosure, cookie injection, or session fixation. This issue is fixed in version 7.12.3. |