1183 matches found
Design/Logic Flaw
Squidex before 7.9.0 allows XSS via an SVG document to the Upload Assets feature. This occurs because there is an incomplete blacklist in the SVG inspection, allowing JavaScript in the SRC attribute of an IFRAME element. An authenticated attacker with assets.create permission is required for...
CVE-2023-22522
This Template Injection vulnerability allows an authenticated attacker, including one with anonymous access, to inject unsafe user input into a Confluence page. Using this approach, an attacker is able to achieve Remote Code Execution (RCE) on an affected instance. Publicly accessible Confluence Da...
Image horizontal reel scroll slideshow < 13.3 - Authenticated (Subscriber+) SQL Injection via Shortcode
Description The Image horizontal reel scroll slideshow plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 13.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. Th...
Up down image slideshow gallery < 12.1 - Authenticated (Subscriber+) SQL Injection via Shortcode
Description The Up down image slideshow gallery plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 12.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This make...
ANAC XML Bandi di Gara <= 7.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Description The ANAC XML Bandi di Gara plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 7.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2023-22516
This High severity Remote Code Execution (RCE) vulnerability was introduced in versions 8.1.0, 8.2.0, 9.0.0, 9.1.0, 9.2.0, and 9.3.0 of Bamboo Data Center and Server. This RCE vulnerability, with a CVSS Score of 8.5, allows an authenticated attacker to execute arbitrary code...
CVE-2023-44320
CVE-2023-44320 affects Siemens SCALANCE and RUGGEDCOM devices (e.g., RM1224 LTE EU/NAM, SCALANCE M8xx/MUm/WM/ S-series) with all versions before V7.2.2. The issue is improper authentication validation in the web interface, allowing an authenticated attacker to influence the administrator’s UI. Ex...
Aruba Networks ArubaOS and InstantOS Security Vulnerabilities
Aruba Networks ArubaOS is an operating system for Aruba Mobility-Defined Networks, including Mobility Controllers and Mobility Access Switches from Aruba Networks, Inc. A security vulnerability exists in Aruba Networks ArubaOS and InstantOS that originates from an authenticated denial of service...
CVE-2023-43284
D-Link Wireless MU-MIMO Gigabit AC1200 Router DIR-846 100A53DBR-Retail devices allow an authenticated remote attacker to execute arbitrary code via an unspecified manipulation of the QoS POST parameter...
CVE-2022-47555
CVE-2022-47555 affects Ormazabal ekorCCP and ekorRCI and is described as an operating system command injection. Multiple sources confirm an authenticated attacker could execute commands, create users with elevated privileges, or backdoor the system. The NVD metrics show a high/critical impact (CV...
PT-2023-4964 · Cisco · Cisco Small Business Rv130W +3
Name of the Vulnerable Software and Affected Versions: Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers affected versions not specified Description: A vulnerability in the web-based management interface could allow an authenticated, remote attacker to execute arbitrary code on an...
CVE-2023-40535
Stored cross-site scripting vulnerability in View setting page of VI Web Client prior to 7.9.6 allows a remote authenticated attacker to inject an arbitrary script...
CVE-2023-4718 Font Awesome 4 Menus <= 4.7.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
The Font Awesome 4 Menus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fa' and 'fa-stack' shortcodes in versions up to, and including, 4.7.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticate...
Atlos Security Vulnerability
Atlos is an open source, non-profit platform used by investigators for large-scale cataloging and verification of eyewitness media. A security vulnerability exists in Atlos version v.1.0 that allows an authenticated attacker to execute arbitrary code in the...
CVE-2023-38843
An issue in Atlos v.1.0 allows an authenticated attacker to execute arbitrary code via a crafted payload into the description field in the incident function...
CVE-2021-25857
An issue was discovered in pcmt superMicro-CMS version 3.11, allows authenticated attackers to execute arbitrary code via the fonttype parameter to setup.php...
CVE-2023-23574
A blind SQL Injection vulnerability in Nozomi Networks Guardian and CMC, due to improper input validation in the alertscount component, allows an authenticated attacker to execute arbitrary SQL statements on the DBMS used by the web application. Authenticated users may be able to extract arbitrar...
Information disclosure
An issue in the delete function in the UserController class of jeesite v1.2.6 allows authenticated attackers to arbitrarily delete the Administrator's role information...
CVE-2023-25840
Affected software: ArcGIS Server 10.8.1 through 11.1. Vulnerability: Cross-site Scripting via crafted links that trigger onmouseover; a remote, authenticated attacker with high privileges could render an image in the victim's browser. Root cause: XSS in the ArcGIS Server REST/HTML surface allowi...