CVE-2023-22618

If Security Hardening guide rules are not followed, then Nokia WaveLite products allow a local user to create new users with administrative privileges by manipulating a web request. This affects for example WaveLite Metro 200 and Fan, WaveLite Metro 200 OPS and Fans, WaveLite Metro 200 and F2B...

CVE-2023-0999

A vulnerability classified as problematic was found in SourceCodester Sales Tracker Management System 1.0. This vulnerability affects unknown code of the file admin/?page=user/list. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been...

CVE-2023-5956

The Wp-Adv-Quiz WordPress plugin through 1.0.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2023-27526

A non Admin authenticated user could incorrectly create resources using the import charts feature, on Apache Superset up to and including 2.1.0...

CVE-2023-37199

A CWE-94: Improper Control of Generation of Code 'Code Injection' vulnerability exists that could cause remote code execution when an admin user on DCE tampers with backups which are then manually restored...

CVE-2023-6222

IThe Quttera Web Malware Scanner WordPress plugin before 3.4.2.1 does not validate user input used in a path, which could allow users with an admin role to perform path traversal attacks...

CVE-2023-39121

emlog v2.1.9 was discovered to contain a SQL injection vulnerability via the component /admin/user.php...

CVE-2023-3292

The grid-kit-premium WordPress plugin before 2.2.0 does not escape some parameters as well as generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

CVE-2023-28340

Zoho ManageEngine Applications Manager through 16320 allows the admin user to conduct an XXE attack...

CVE-2023-2224

The SEO by 10Web WordPress plugin before 1.2.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2023-1465

The WP EasyPay WordPress plugin before 4.1 does not escape some generated URLs before outputting them back in pages, leading to Reflected Cross-Site Scripting issues which could be used against high privilege users such as admin...

CVE-2023-0605

The Auto Rename Media On Upload WordPress plugin before 1.1.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...

CVE-2023-1096

SnapCenter versions 4.7 prior to 4.7P2 and 4.8 prior to 4.8P1 are susceptible to a vulnerability which could allow a remote unauthenticated attacker to gain access as an admin user...

CVE-2023-21172

In multiple functions of WifiCallingSettings.java, there is a possible way to change calling preferences for the admin user due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for...

Tenable Network Monitor 安全漏洞

Tenable Network Monitor is an open source system vulnerability scanner developed by Tenable Holdings, Inc. in the United States, mainly used for security assessment of network devices. Tenable Network Monitor suffers from an elevation of privilege vulnerability that originates from a...

CVE-2022-4266

The Bulk Delete Users by Email WordPress plugin through 1.2 does not have CSRF check when deleting users, which could allow attackers to make a logged in admin delete non admin users by knowing their email via a CSRF attack...

CVE-2022-40489

ThinkCMF version 6.0.7 is affected by a Cross Site Request Forgery CSRF vulnerability that allows a Super Administrator user to be injected into administrative users...

CVE-2022-1542

The HPB Dashboard WordPress plugin through 1.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfilteredhtml is disallowed...

CVE-2022-1094

The amr users WordPress plugin before 4.59.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed...

CVE-2022-43179

Online Leave Management System v1.0 was discovered to contain a SQL injection vulnerability via the component /admin/?page=user/manageuser=...