| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpsurface BlogLentor allows Stored XSS.This issue affects BlogLentor: from n/a through 1.0.8.
|
| Sciener server does not validate connection requests from the GatewayG2, allowing an impersonation attack that provides the attacker the unlockKey field. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in trinhtuantai Viet Affiliate Link allows Stored XSS.This issue affects Viet Affiliate Link: from n/a through 1.2.
|
| The Collapse-O-Matic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'expand' shortcode in all versions up to, and including, 1.8.5.5 due to insufficient input sanitization and output escaping on the 'tag' user supplied attribute. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in iePlexus Featured Content Gallery allows Stored XSS.This issue affects Featured Content Gallery: from n/a through 3.2.0.
|
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sizam Rehub rehub-theme allows Stored XSS.This issue affects Rehub: from n/a through < 19.9.9.1. |
| The WP Encryption – One Click Free SSL Certificate & SSL / HTTPS Redirect to Force HTTPS, SSL Score plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.0 via exposed Private key files. This makes it possible for unauthenticated attackers to extract sensitive data including TLS Certificate Private Keys |
| The affected applications contain an out of bounds read past the end of
an allocated structure while parsing specially crafted PDF files. This
could allow an attacker to execute code in the context of the current
process. |
| The Auto Featured Image (Auto Post Thumbnail) plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.1.7 via the upload_to_library AJAX action. This makes it possible for authenticated attackers, with author-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Orchestrated Corona Virus (COVID-19) Banner & Live Data allows Stored XSS.This issue affects Corona Virus (COVID-19) Banner & Live Data: from n/a through 1.8.0.2.
|
| Privilege Escalation in WRSA.EXE in Webroot Antivirus 8.0.1X- 9.0.35.12 on
Windows64 bit and 32 bit allows malicious software to abuse WRSA.EXE to delete arbitrary and protected files.
|
| ** DISPUTED ** A vulnerability was found in zzdevelop lenosp up to 20230831. It has been classified as problematic. This affects an unknown part of the component Adduser Page. The manipulation of the argument username with the input <script>alert(1)</script> leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The associated identifier of this vulnerability is VDB-266127. NOTE: The vendor rejected the issue because he claims that XSS which require administrative privileges are not of any use for attackers. |
| NVIDIA HGX and DGX contain a vulnerability where a misconfiguration of the VBIOS could enable an attacker to set an unsafe debug access level. A successful exploit of this vulnerability might lead to denial of service. |
| Ruijie RG-UAC Application Management Gateway contains a command injection vulnerability via the 'nmc_sync.php' interface. An unauthenticated attacker able to reach the affected endpoint can inject shell commands via crafted request data, causing the application to execute arbitrary commands on the host. Successful exploitation can yield full control of the application process and may lead to system-level access depending on the service privileges. VulnCheck has observed this vulnerability being targeted by the RondoDox botnet campaign. |
| A remote code execution vulnerability exists in Kaltura versions prior to 11.1.0-2 due to unsafe deserialization of user-controlled data within the keditorservices module. An unauthenticated remote attacker can exploit this issue by sending a specially crafted serialized PHP object in the kdata GET parameter to the redirectWidgetCmd endpoint. Successful exploitation leads to execution of arbitrary PHP code in the context of the web server process. |
| SmartBI V8, V9, and V10 contain an unrestricted file upload vulnerability via the RMIServlet request handling logic. Under certain configurations or usage patterns, attackers can send specially crafted requests that cause the application to perform sensitive operations or execute arbitrary code on the host. The vendor released a fix in July 2023 to address the underlying flaw. VulnCheck has observed this vulnerability being exploited in the wild. |
| The Frontend File Manager Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the wpfm_delete_multiple_files() function in all versions up to, and including, 21.5. This makes it possible for unauthenticated attackers to delete arbitrary posts. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rashed Latif TT Custom Post Type Creator allows Stored XSS.This issue affects TT Custom Post Type Creator: from n/a through 1.0.
|
| Missing Authorization vulnerability in Anssi Laitila Shared Files shared-files.This issue affects Shared Files: from n/a through <= 1.7.19. |
| Cross-Site Request Forgery (CSRF) vulnerability in divSpot DS Site Message.This issue affects DS Site Message: from n/a through 1.14.4.
|
