CVE-2024-23734

Cross Site Request Forgery vulnerability in in the upload functionality of the User Profile pages in savignano S/Notify before 2.0.1 for Bitbucket allow attackers to replace S/MIME certificate or PGP keys for arbitrary users via crafted link...

PT-2024-26648 · Unknown · Anything-Llm

Name of the Vulnerable Software and Affected Versions: anything-llm affected versions not specified Description: A stored Cross-Site Scripting XSS vulnerability exists in the chat functionality, allowing attackers to execute arbitrary JavaScript in the context of a user's session. By manipulating...

CVE-2024-2112

The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.15.22 via the signature functionality. This makes it possible for unauthenticated attackers to extract sensitive...

CVE-2023-6777

The WP Go Maps formerly WP Google Maps plugin for WordPress is vulnerable to unauthenticated API key disclosure in versions up to, and including, 9.0.34 due to the plugin adding the API key to several plugin files. This makes it possible for unauthenticated attackers to obtain the developer's...

CVE-2024-2112 Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder <= 1.15.22 - Sensitive Information Exposure

The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.15.22 via the signature functionality. This makes it possible for unauthenticated attackers to extract sensitive...

CVE-2024-2112 Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder <= 1.15.22 - Sensitive Information Exposure

The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.15.22 via the signature functionality. This makes it possible for unauthenticated attackers to extract sensitive...

CVE-2024-2261 Event Tickets and Registration <= 5.8.2 - Improper Authorization to Information Disclosure

The Event Tickets and Registration plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.8.2 via the RSVP functionality. This makes it possible for authenticated attackers, with contributor access and above, to extract sensitive data includin...

CVE-2023-49910

A stack-based buffer overflow vulnerability exists in the web interface Radio Scheduling functionality of Tp-Link AC1350 Wireless MU-MIMO Gigabit Access Point EAP225 V3 v5.1.0 Build 20220926. A specially crafted series of HTTP requests can lead to remote code execution. An attacker can make an...

CVE-2023-49074

A denial of service vulnerability exists in the TDDP functionality of Tp-Link AC1350 Wireless MU-MIMO Gigabit Access Point EAP225 V3 v5.1.0 Build 20220926. A specially crafted series of network requests can lead to reset to factory settings. An attacker can send a sequence of unauthenticated...

CVE-2023-49074

A denial of service vulnerability exists in the TDDP functionality of Tp-Link AC1350 Wireless MU-MIMO Gigabit Access Point EAP225 V3 v5.1.0 Build 20220926. A specially crafted series of network requests can lead to reset to factory settings. An attacker can send a sequence of unauthenticated...

CVE-2023-49074

CVE-2023-49074 affects TP-Link AC1350 Omada Giga APs (EAP225 V3) running v5.1.0 Build 20220926. A TDDP-based vulnerability (V2 ENC_CMD_OPT subtype 0x49) allows an unauthenticated attacker to reset device settings to factory defaults by sending a crafted network request; a related TDDP_SPECIAL_CMD...

CVE-2023-49910

A stack-based buffer overflow vulnerability exists in the web interface Radio Scheduling functionality of Tp-Link AC1350 Wireless MU-MIMO Gigabit Access Point EAP225 V3 v5.1.0 Build 20220926. A specially crafted series of HTTP requests can lead to remote code execution. An attacker can make an...

Mars: Sqli on ██████ search functionality

A SQL injection vulnerability was reported on the search functionality of the ██████ website. The vulnerability allowed an attacker to inject malicious SQL code into the search query...

CVE-2024-30688

CVE-2024-30688 is rejected/not used and does not represent an active vulnerability entry.

CVE-2024-3320

A vulnerability was found in SourceCodester eLearning System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality. The manipulation of the argument page leads to cross site scripting. The attack may be launched remotely. The identifier of this vulnerability ...

PT-2024-25317 · Sourcecodester · Aplaya Beach Resort Online Reservation System

Name of the Vulnerable Software and Affected Versions: SourceCodester Aplaya Beach Resort Online Reservation System version 1.0 Description: A critical issue has been found in the system, affecting an unknown functionality of the file admin/mod users/controller.php?action=add. The manipulation of...

Mars: sqli on █████████ search functionality

A SQL injection vulnerability was found in the search functionality of the █████████ website...

Mars: CSRF in Delete Pet Function

The Delete Pet functionality on the ████████ platform was found to be vulnerable to Cross-Site Request Forgery CSRF. The vulnerability was discovered in the pet deletion endpoint, where the pet ID parameter could be manipulated to force authenticated users to delete their pets without their...

CVE-2023-51571 Voltronic Power ViewPower Pro SocketService Missing Authentication Denial-of-Service Vulnerability

Voltronic Power ViewPower Pro SocketService Missing Authentication Denial-of-Service Vulnerability. This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Voltronic Power ViewPower Pro. Authentication is not required to exploit this...

In Astro-Shield, setting a correct `integrity` attribute to injected code allows to bypass the allow-lists

Impact Versions from 1.2.0 to 1.3.1 of Astro-Shield allow to bypass the allow-lists for cross-origin resources by introducing valid integrity attributes to the injected code. This implies that the injected SRI hash would be added to the generated CSP header, which would lead the browser to believ...