CVE-2023-49076

Customer-data-framework allows management of customer data within Pimcore. There are no tokens or headers to prevent CSRF attacks from occurring, therefore an attacker could abuse this vulnerability to create new customers. This issue has been patched in version 4.0.5...

CVE-2023-4919

The iframe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the iframe shortcode in versions up to, and including, 4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permission and above, ...

CVE-2023-4100

Allows an attacker to perform XSS attacks stored on certain resources. Exploiting this vulnerability can lead to a DoS condition, among other actions...

CVE-2021-41138

Frontier is Substrate's Ethereum compatibility layer. In the newly introduced signed Frontier-specific extrinsic for pallet-ethereum, a large part of transaction validation logic was only called in transaction pool validation, but not in block execution. Malicious validators can take advantage of...

CVE-2021-27615

SAP Manufacturing Execution versions - 15.1, 1.5.2, 15.3, 15.4, does not contain some HTTP security headers in their HTTP response. The lack of these headers in response can be exploited by the attacker to execute Cross-Site Scripting XSS attacks...

CVE-2025-23168

The Versa Director SD-WAN orchestration platform implements Two-Factor Authentication 2FA using One-Time Passcodes OTP delivered via email or SMS. Versa Director accepts untrusted user input when dispatching 2FA codes, allowing an attacker who knows a valid username and password to redirect the O...

CVE-2022-23438

An improper neutralization of input during web page generation 'Cross-site Scripting' CWE-79 vulnerability in FortiOS version 7.0.5 and prior and 6.4.9 and prior may allow an unauthenticated remote attacker to perform a reflected cross site scripting XSS attack in the captive portal authenticatio...

CVE-2022-23548

Discourse is an option source discussion platform. Prior to version 2.8.14 on the stable branch and version 2.9.0.beta16 on the beta and tests-passed branches, parsing posts can be susceptible to regular expression denial of service ReDoS attacks. This issue is patched in versions 2.8.14 and...

CVE-2022-0123

An issue has been discovered affecting GitLab versions prior to 14.4.5, between 14.5.0 and 14.5.3, and between 14.6.0 and 14.6.1. GitLab does not validate SSL certificates for some of external CI services which makes it possible to perform MitM attacks on connections to these external services...

CVE-2022-26115

A use of password hash with insufficient computational effort vulnerability CWE-916 in FortiSandbox before 4.2.0 may allow an attacker with access to the password database to efficiently mount bulk guessing attacks to recover the passwords...

CVE-2022-26950

Archer 6.x through 6.9 P2 6.9.0.2 is affected by an open redirect vulnerability. A remote unprivileged attacker may potentially redirect legitimate users to arbitrary web sites and conduct phishing attacks. The attacker could then steal the victims' credentials and silently authenticate them to t...

CVE-2022-35925

BookWyrm is a social network for tracking reading. Versions prior to 0.4.5 were found to lack rate limiting on authentication views which allows brute-force attacks. This issue has been patched in version 0.4.5. Admins with existing instances will need to update their nginx.conf file that was...

CVE-2017-18713

Certain NETGEAR devices are affected by an attacker's ability to read arbitrary files. This affects D7800 before 1.0.1.28, R6700 before 1.0.1.36, R6900 before 1.0.1.34, R7500v2 before 1.0.3.20, R7800 before 1.0.2.40, R9000 before 1.0.2.52, WNDR4300v2 before 1.0.0.48, and WNDR4500v3 before 1.0.0.4...

CVE-2020-24591

The Management Console in certain WSO2 products allows XXE attacks during EventReceiver updates. This affects API Manager through 3.0.0, API Manager Analytics 2.2.0 and 2.5.0, API Microgateway 2.2.0, Enterprise Integrator 6.2.0 and 6.3.0, and Identity Server Analytics through 5.6.0...

CVE-2024-34418

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Tech9logy Creators WPCS WordPress Custom Search allows Stored XSS.This issue affects WPCS WordPress Custom Search : from n/a through 1.1...

CVE-2024-41682

A vulnerability has been identified in Location Intelligence family All versions V4.4. Affected products do not properly enforce restriction of excessive authentication attempts. This could allow an unauthenticated remote attacker to conduct brute force attacks against legitimate user passwords...

CVE-2024-41805

Tracks, a Getting Things Done GTD web application, is vulnerable to reflected cross-site scripting in versions prior to 2.7.1. Reflected cross-site scripting enables execution of malicious JavaScript in the context of a user’s browser if that user clicks on a malicious link, allowing phishing...

CVE-2024-41795

A vulnerability has been identified in SENTRON 7KT PAC1260 Data Manager All versions. The web interface of affected devices is vulnerable to Cross-Site Request Forgery CSRF attacks. This could allow an unauthenticated attacker to change arbitrary device settings by tricking a legitimate device...

CVE-2023-43650

JumpServer is an open source bastion host. The verification code for resetting user's password is vulnerable to brute-force attacks due to the absence of rate limiting. JumpServer provides a feature allowing users to reset forgotten passwords. Affected users are sent a 6-digit verification code,...

CVE-2023-31412

The LMS5xx uses weak hash generation methods, resulting in the creation of insecure hashs. If an attacker manages to retrieve the hash, it could lead to collision attacks and the potential retrieval of the password...