The vulnerability in the web management interface of D-Link DIR-2640-US firmware allows an attacker to bypass security restrictions.
The vulnerability in the web management interface of D-Link DIR-2640-US firmware is caused by flaws in the authentication process when handling the LoginPassword parameter. Exploiting this vulnerability allows a malicious actor to bypass security restrictions by sending ...
PT-2023-19164 · Formilla · Formilla Live Chat
Name of the Vulnerable Software and Affected Versions: Formilla Live Chat by Formilla plugin versions prior to 1.3 Description: The issue is related to a Stored Cross-Site Scripting XSS vulnerability that requires authentication with admin+ privileges. Recommendations: For Formilla Live Chat by...
CVE-2023-32081 Vert.x STOMP server process client frames that would not send initially a connect frame
Vert.x STOMP is a Vert.x implementation of the STOMP specification that provides a STOMP server and client. From versions 3.1.0 until 3.9.16 and 4.0.0 until 4.4.2, a Vert.x STOMP server processes client STOMP frames without checking that the client first sent an initial CONNECT frame replied with a...
PT-2023-3024 · WordPress · Essential Addons For Elementor
Name of the Vulnerable Software and Affected Versions: Essential Addons for Elementor versions 5.4.0 through 5.7.1 Description: An improper authentication issue exists in Essential Addons for Elementor. Exploitation of this issue may allow a remote attacker to escalate their privileges. Real-worl...
CVE-2022-41610
Improper authorization in Intel(R) EMA Configuration Tool before version 1.0.4 and Intel(R) MC before version 2.4 software may allow an authenticated user to potentially enable denial of service via local access...
CVE-2023-23906
Missing authentication for critical function exists in SkyBridge MB-A100/110 firmware Ver. 4.2.0 and earlier, which may allow a remote unauthenticated attacker to execute some critical functions without authentication, e.g., rebooting the product...
PT-2023-19292 · Unknown · Skybridge Mb-A100/110
Name of the Vulnerable Software and Affected Versions: SkyBridge MB-A100/110 firmware versions 4.2.0 and earlier Description: The issue concerns missing authentication for a critical function, potentially allowing a remote unauthenticated attacker to execute certain critical functions without...
CVE-2023-25452
CVE-2023-25452 corresponds to a Stored Cross-Site Scripting (XSS) vulnerability in the CMS Press WordPress plugin (CMS Press) versions <= 0.2.3, with admin+ authentication required to exploit. Public sources consistently describe the vulnerability as an authenticated XSS issue affecting CMS Pr...
CVE-2023-1861 Limit Login Attempts < 1.7.2 - Subscriber+ Stored XSS
The Limit Login Attempts WordPress plugin through 1.7.2 does not sanitize and escape usernames when outputting them back in the logs dashboard, which could allow any authenticated user, such as a subscriber, to perform Stored Cross-Site Scripting attacks...
About the security content of AirPods and Beats firmware updates
About the security content of AirPods and Beats firmware updates This document describes the security content of AirPods and Beats firmware updates. About Apple security updates For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has...
Lenovo XClarity Controller Security Vulnerability
Lenovo XClarity Controller (XCC) is a server-embedded management engine from Lenovo that is used to standardize and automate basic server management tasks. A security vulnerability exists in Lenovo XClarity Controller that stems from the fact that, under certain conditions, valid LDAP users wi...
Apache DolphinScheduler Authorization Issue Vulnerability
Apache DolphinScheduler is a distributed, DAG-visualization-based workflow task scheduling system from the Apache Software Foundation in the United States. Apache DolphinScheduler suffers from an authorization vulnerability that stems from incorrect authentication, which can ...
Schneider Electric StruxureWare Data Center Expert Authorization Issue Vulnerability
Schneider Electric StruxureWare Data Center Expert is data center management and monitoring software from the French company Schneider Electric. It is suitable for a variety of organizations to monitor their company-wide power, cooling, security,...
CVE-2023-27497 Multiple vulnerabilities in SAP Diagnostics Agent (EventLogServiceCollector)
Due to missing authentication and missing input sanitization, the EventLogServiceCollector of SAP Diagnostics Agent version 720 allows an attacker to execute malicious scripts on all connected Diagnostics Agents running on Windows. On successful exploitation, the attacker can completely...
Citrix Hypervisor - Unable to join server to existing pool
Unable to join the server to the pool. Error from XenCenter: "The server was unable to contact your domain server to enable external authentication. Check that your settings are correct and a route to the server exists."...
PT-2023-19186 · Github · Github Enterprise Server
Name of the Vulnerable Software and Affected Versions: GitHub Enterprise Server versions prior to 3.9 Description: An improper authentication issue was identified that allowed unauthorized modification of other users' secret gists by authenticating through an SSH certificate authority, provided t...
CVE-2023-28853 Mastodon's blind LDAP injection in login allows the attacker to leak arbitrary attributes from LDAP database
Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows configuration of LDAP for authentication. Starting in version 2.5.0 and prior to versions 3.5.8, 4.0.4, and 4.1.2, the LDAP query made during login is insecure and the attacker can perform LDAP injection...
PT-2023-15314 · Unknown · Wpdevart Booking Calendar +1
Name of the Vulnerable Software and Affected Versions: WpDevArt Booking calendar, Appointment Booking System plugin versions 3.2.3 and earlier Description: The issue is related to a Stored Cross-Site Scripting XSS vulnerability. This vulnerability can be exploited by authenticated users with edit...
PT-2023-14723 · Megafeis +1 · Megafeis +1
Name of the Vulnerable Software and Affected Versions: MEGAFEIS, BOFEI DBD+ Application for IOS & Android version 1.4.4 Description: An issue in the MEGAFEIS, BOFEI DBD+ Application allows an authenticated attacker to gain access to sensitive account information. Recommendations: For version 1.4....