Lucene search
+L

1397202 matches found

nuclei
nuclei
added yesterday20 views

Microsoft Exchange - Pre-Auth SSRF / ACL Bypass (ProxyNotFound)

Microsoft Exchange Server contains a remote code execution caused by improper input validation in the server component, letting remote attackers execute arbitrary code, exploit requires network access to the server. id: CVE-2021-28480 info: name: Microsoft Exchange - Pre-Auth SSRF / ACL Bypass...

10CVSS7.6AI score0.83214EPSS
Exploits4References5
nuclei
nuclei
added yesterday86 views

EPrints 3.4.2 - Cross-Site Scripting

EPrints 3.4.2 contains a reflected cross-site scripting vulnerability in the dataset parameter to the cgi/dataset dictionary URI. id: CVE-2021-26702 info: name: EPrints 3.4.2 - Cross-Site Scripting author: ritikchaddha severity: medium description: EPrints 3.4.2 contains a reflected cross-site...

6.1CVSS6.7AI score0.03072EPSS
Exploits1References5
nuclei
nuclei
added yesterday83 views

Wordpress Polls Widget < 1.5.3 - SQL Injection

The Poll, Survey, Questionnaire and Voting system WordPress plugin before 1.5.3 did not sanitise, escape or validate the dateanswers POST parameter before using it in a SQL statement when sending a Poll result, allowing unauthenticated users to perform SQL Injection attacks id: CVE-2021-24442 inf...

9.8CVSS7.1AI score0.46921EPSS
Exploits2References3
nuclei
nuclei
added yesterday54 views

Eclipse Jetty - Information Disclosure

Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224 is susceptible to improper authorization. The default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. An attacker can access sensitive information regarding...

5.3CVSS6.7AI score0.82371EPSS
Exploits7References5
nuclei
nuclei
added yesterday33 views

WordPress Download Manager < 3.2.44 - Authenticated Cross-Site Scripting

The WordPress Download Manager plugin before version 3.2.44 does not properly sanitize and escape the userids parameter in the stats history dashboard. This allows authenticated attackers to perform Cross-Site Scripting attacks by injecting malicious JavaScript code. id: CVE-2022-2168 info: name:...

6.1CVSS6.4AI score0.0128EPSS
Exploits2References2
nuclei
nuclei
added yesterday267 views

Node.js Embedded JavaScript 3.1.6 - Template Injection

Node.js Embedded JavaScript 3.1.6 is susceptible to server-side template injection via settingsview optionsoutputFunctionName, which is parsed as an internal option and overwrites the outputFunctionName option with an arbitrary OS command, which is then executed upon template compilation. id:...

9.8CVSS6.8AI score0.32808EPSS
Exploits7References5
nuclei
nuclei
added yesterday70 views

WordPress CDI <5.1.9 - Cross Site Scripting

WordPress CDI plugin prior to 5.1.9 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape a parameter before outputting it back in the response of an AJAX action. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the...

6.1CVSS6.5AI score0.01566EPSS
Exploits2References5
nuclei
nuclei
added yesterday89 views

Open Automation Software OAS Platform V16.00.0121 - Missing Authentication

An improper authentication vulnerability exists in the REST API functionality of Open Automation Software OAS Platform V16.00.0121. A specially-crafted series of HTTP requests can lead to unauthenticated use of the REST API. An attacker can send a series of HTTP requests to trigger this...

9.4CVSS7AI score0.37606EPSS
Exploits1References4
nuclei
nuclei
added yesterday72 views

Alt-n/MDaemon Security Gateway <=8.5.0 - XML Injection

Alt-n/MDaemon Security Gateway through 8.5.0 is susceptible to XML injection via SecurityGateway.dll?view=login. An attacker can inject an arbitrary XML argument by adding a new parameter in the HTTP request URL. As a result, the XML parser fails the validation process and discloses information...

5.3CVSS6.3AI score0.05879EPSS
Exploits1References5
nuclei
nuclei
added yesterday72 views

WBCE CMS v1.5.4 - Cross Site Scripting (Stored)

A cross-site scripting XSS vulnerability in /admin/users/index.php of WBCE CMS v1.5.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Display Name field. id: CVE-2022-45037 info: name: WBCE CMS v1.5.4 - Cross Site Scripting Stored author:...

5.4CVSS6.3AI score0.01024EPSS
Exploits1References3
nuclei
nuclei
added yesterday76 views

FreeIPA - XML Entity Injection

Access to external entities when parsing XML documents can lead to XML external entity XXE attacks. This flaw allows a remote attacker to potentially retrieve the content of arbitrary files by sending specially crafted HTTP requests. id: CVE-2022-2414 info: name: FreeIPA - XML Entity Injection...

7.5CVSS7.1AI score0.85323EPSS
Exploits3References3
nuclei
nuclei
added yesterday70 views

Cryptocurrency Widgets Pack < 2.0 - SQL Injection

The plugin does not sanitise and escape some parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. id: CVE-2022-4059 info: name: Cryptocurrency Widgets Pack 2.0 - SQL Injection author: r3Y3r53 severity: critical description...

9.8CVSS7.1AI score0.04756EPSS
Exploits1References3
nuclei
nuclei
added yesterday90 views

Cartadis Gespage 8.2.1 - Directory Traversal

Cartadis Gespage through 8.2.1 allows Directory Traversal in gespage/doDownloadData and gespage/webapp/doDownloadData. id: CVE-2021-33807 info: name: Cartadis Gespage 8.2.1 - Directory Traversal author: daffainfo severity: high description: Cartadis Gespage through 8.2.1 allows Directory Traversa...

7.5CVSS7AI score0.16139EPSS
Exploits1References5
nuclei
nuclei
added yesterday112 views

IceWarp Mail Server - Open Redirect

IceWarp Mail Server contains an open redirect via the referer parameter. This can lead to phishing attacks or other unintended redirects. id: CVE-2021-36580 info: name: IceWarp Mail Server - Open Redirect author: DhiyaneshDk severity: medium description: | IceWarp Mail Server contains an open...

6.1CVSS6.4AI score0.01529EPSS
Exploits0References5
nuclei
nuclei
added yesterday486 views

Codoforum 5.1 - Arbitrary File Upload

Codoforum 5.1 contains an arbitrary file upload vulnerability via the logo change option in the admin panel. An attacker can upload arbitrary files to the server, which in turn can be used to make the application execute file content as code. As a result, an attacker can potentially obtain...

7.2CVSS7.1AI score0.32233EPSS
Exploits4References5
nuclei
nuclei
added yesterday30 views

Helmet Store Showroom - Cross Site Scripting

Helmet Store Showroom 1.0 is vulnerable to Cross Site Scripting XSS. id: CVE-2022-46073 info: name: Helmet Store Showroom - Cross Site Scripting author: Harsh severity: medium description: | Helmet Store Showroom 1.0 is vulnerable to Cross Site Scripting XSS. impact: | Successful exploitation of...

6.1CVSS6.4AI score0.01235EPSS
Exploits1References3
nuclei
nuclei
added yesterday68 views

Apache Tomcat Examples Web Application - Cross-Site Scripting

Apache Tomcat 8.5.50 to 8.5.81, 9.0.30 to 9.0.64, 10.0.0-M1 to 10.0.22, and 10.1.0-M1 to 10.1.0-M16 contain a reflected cross-site scripting caused by displaying unfiltered user data in the Form authentication example, letting attackers execute scripts in victim browsers, exploit requires attacke...

6.1CVSS6.8AI score0.06156EPSS
Exploits0References4
nuclei
nuclei
added yesterday52 views

Microweber Information Disclosure

Microweber contains a vulnerability that allows exposure of sensitive information to an unauthorized actor in Packagist microweber/microweber prior to 1.2.11. id: CVE-2022-0281 info: name: Microweber Information Disclosure author: pikpikcu severity: high description: Microweber contains a...

7.5CVSS7AI score0.1201EPSS
Exploits1References5
nuclei
nuclei
added yesterday71 views

Liferay Portal - Cross-site Scripting

A Cross-site scripting XSS vulnerability in the Portal Search module in Liferay Portal 7.1.0 through 7.4.2, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 15, and 7.3 before service pack 3 allows remote attackers to inject arbitrary web script or HTML via the tag parameter. id:...

6.1CVSS6.5AI score0.00897EPSS
Exploits0References3
nuclei
nuclei
added yesterday97 views

WordPress Contact Form 7 <1.3.6.3 - Stored Cross-Site Scripting

WordPress Contact Form 7 before 1.3.6.3 contains an unauthenticated stored cross-site scripting vulnerability in the Drag and Drop Multiple File Upload plugin. SVG files can be uploaded by default via the dndcodedropzupload AJAX action. id: CVE-2022-0595 info: name: WordPress Contact Form 7 1.3.6...

5.4CVSS6.1AI score0.13575EPSS
Exploits2References4
Rows per page
Query Builder