304098 matches found
CVE-2026-11896
The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.7.14 via the 'vcal' parameter due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to...
Powertek Firmware <3.30.30 - Authorization Bypass
Powertek firmware multiple brands before 3.30.30 running Power Distribution Units are vulnerable to authorization bypass in the web interface. To exploit the vulnerability, an attacker must send an HTTP packet to the data retrieval interface /cgi/getparam.cgi with the tmpToken cookie set to an...
NextGen Healthcare Mirth Connect - Remote Code Execution
Unauthenticated remote code execution vulnerability in NextGen Healthcare Mirth Connect before version 4.4.1. id: CVE-2023-43208 info: name: NextGen Healthcare Mirth Connect - Remote Code Execution author: princechaddha severity: critical description: Unauthenticated remote code execution...
Moodle LTI module Reflected - Cross-Site Scripting
A reflected XSS issue was identified in the LTI module of Moodle. The vulnerability exists due to insufficient sanitization of user-supplied data in the LTI module. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's brows...
Spotweb <= 1.5.1 - Cross Site Scripting
Cross-site scripting XSS vulnerability in templates/installer/step-004.inc.php in spotweb 1.5.1 and below allow remote attackers to inject arbitrary web script or HTML via the lastname parameter. id: CVE-2021-40973 info: name: Spotweb = 1.5.1 - Cross Site Scripting author: theamanrawat severity:...
ChurchCRM 4.5.3 - Cross-Site Scripting
A reflected cross-site scripting XSS vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTML via the id parameter of /churchcrm/v2/family/not-found. id: CVE-2023-25346 info: name: ChurchCRM 4.5.3 - Cross-Site Scripting author: Harsh severity: medium...
ChurchCRM 4.5.3 - Cross-Site Scripting
A stored Cross-site scripting XSS vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTML via the NoteEditor.php. id: CVE-2023-26843 info: name: ChurchCRM 4.5.3 - Cross-Site Scripting author: Harsh severity: medium description: | A stored Cross-site scripti...
Quttera Web Malware Scanner <= 3.4.1.48 - Sensitive Data Exposure
The Quttera Web Malware Scanner WordPress plugin before 3.4.2.1 doesn't restrict access to detailed scan logs, which allows a malicious actor to discover local paths and portions of the site's code id: CVE-2023-6065 info: name: Quttera Web Malware Scanner = 3.4.1.48 - Sensitive Data Exposure...
Old Age Home Management System v1.0 - SQL Injection
Old Age Home Management 1.0 is vulnerable to SQL Injection via the username parameter. id: CVE-2023-33338 info: name: Old Age Home Management System v1.0 - SQL Injection author: Harsh severity: critical description: | Old Age Home Management 1.0 is vulnerable to SQL Injection via the username...
SonicWall GMS and Analytics Web Services - Shell Injection
The authentication mechanism in SonicWall GMS and Analytics Web Services had insufficient checks, allowing authentication bypass. This issue affects GMS: 9.3.2-SP1 and earlier versions; Analytics: 2.5.0.4-R7 and earlier versions id: CVE-2023-34124 info: name: SonicWall GMS and Analytics Web...
Hoteldruid 3.0.5 - Cross-Site Scripting
A Reflected XSS was discovered in HotelDruid version 3.0.5, an attacker can issue malicious code/command on affected webpage's parameter to trick user on browser and/or exfiltrate data. id: CVE-2023-34537 info: name: Hoteldruid 3.0.5 - Cross-Site Scripting author: Harsh severity: medium...
Dolibarr Unauthenticated Contacts Database Theft
An issue in Dolibarr 16 before 16.0.5 allows unauthenticated attackers to perform a database dump and access a company's entire customer file, prospects, suppliers, and employee information if a contact file exists. id: CVE-2023-33568 info: name: Dolibarr Unauthenticated Contacts Database Theft...
Magento - SQL Injection
An unauthenticated user can execute SQL statements that allow arbitrary read access to the underlying database, which causes sensitive data leakage. id: CVE-2019-7139 info: name: Magento - SQL Injection author: MaStErChO severity: critical description: | An unauthenticated user can execute SQL...
Academy LMS 6.0 - Cross-Site Scripting
Creative Item Academy LMS 6.0 was discovered to contain a cross-site scripting XSS vulnerability through query parameter. id: CVE-2023-38964 info: name: Academy LMS 6.0 - Cross-Site Scripting author: ritikchaddha severity: medium description: | Creative Item Academy LMS 6.0 was discovered to...
CData RSB Connect v22.0.8336 - Server Side Request Forgery
CData RSB Connect v22.0.8336 was discovered to contain a Server-Side Request Forgery SSRF. id: CVE-2023-24243 info: name: CData RSB Connect v22.0.8336 - Server Side Request Forgery author: ritikchaddha severity: high description: | CData RSB Connect v22.0.8336 was discovered to contain a...
Aajoda Testimonials < 2.2.2 - Cross-Site Scripting
The plugin does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup. id: CVE-2023-2178 info: name: Aajoda Testimonials...
Imgproxy < 3.14.0 - Cross-site Scripting (XSS)
Cross-site Scripting XSS - Reflected in GitHub repository imgproxy/imgproxy prior to 3.14.0. id: CVE-2023-1496 info: name: Imgproxy 3.14.0 - Cross-site Scripting XSS author: pdteam severity: medium description: Cross-site Scripting XSS - Reflected in GitHub repository imgproxy/imgproxy prior to...
Membership Database <= 1.0 - Cross-Site Scripting
Membership Database before 1.0 is susceptible to cross-site scripting via the tab parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker t...
rConfig 3.9.4 - SQL Injection
rConfig 3.9.4 and previous versions has unauthenticated compliancepolicyelements.inc.php SQL injection. Because nodes' passwords are stored by default in cleartext, this vulnerability leads to lateral movement, granting an attacker access to monitored network devices. id: CVE-2020-10547 info: nam...
MinIO Browser API - Server-Side Request Forgery
MinIO Browser API before version RELEASE.2021-01-30T00-20-58Z contains a server-side request forgery vulnerability. id: CVE-2021-21287 info: name: MinIO Browser API - Server-Side Request Forgery author: pikpikcu severity: high description: MinIO Browser API before version...