176 matches found
CVE-2023-6964
The Gutenberg Blocks by Kadence Blocks – Page Builder Features plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.1.26 via the 'kadenceimportgetnewconnectiondata' AJAX action. This makes it possible for authenticated attackers, with...
CVE-2024-30215
SAP Business Connector is affected by CVE-2024-30215, a cross-site scripting (XSS) vulnerability on the Resource Settings page. The issue allows a high-privilege attacker to load an exploitable payload that is stored and reflected when users visit the page, with potential information disclosure o...
Delta Electronics DIAEnergie DIAE_tagHandler. ashx Script SQL Injection Vulnerability
Delta Electronics DIAEnergie is an industrial energy management system from Delta Electronics, Taiwan, China. An SQL injection vulnerability exists in the Delta Electronics DIAEnergie DIAEtagHandler. ashx script, which can be exploited by an attacker to view, add, modify, or delete information in...
CVE-2023-3958
The WP Remote Users Sync plugin for WordPress is vulnerable to Server Side Request Forgery via the 'notifypingremote' AJAX function in versions up to, and including, 1.2.12. This can allow authenticated attackers with subscriber-level permissions or above to make web requests to arbitrary locatio...
CVE-2023-3958 WP Remote Users Sync <= 1.2.12 - Authenticated (Subscriber+) Server Side Request Forgery
The WP Remote Users Sync plugin for WordPress is vulnerable to Server Side Request Forgery via the 'notifypingremote' AJAX function in versions up to, and including, 1.2.12. This can allow authenticated attackers with subscriber-level permissions or above to make web requests to arbitrary locatio...
CVE-2023-36918
In SAP Enable Now - versions WPBMANAGER 1.0, WPBMANAGERCE 10, WPBMANAGERHANA 10, ENABLENOWCONSUMPDEL 1704, the X-Content-Type-Options response header is not implemented, allowing an unauthenticated attacker to trigger MIME type sniffing, which leads to Cross-Site Scripting, which could result in...
CVE-2023-33988
CVE-2023-33988 affects SAP Enable Now components: WPB_MANAGER 1.0, WPB_MANAGER_CE 10, WPB_MANAGER_HANA 10, ENABLE_NOW_CONSUMP_DEL 1704. The vulnerability stems from the absence of implemented Content-Security-Policy and X-XSS-Protection headers, enabling an unauthenticated attacker to attempt ref...
CVE-2023-33988 Cross-Site Scripting vulnerability in SAP Enable Now
In SAP Enable Now - versions WPBMANAGER 1.0, WPBMANAGERCE 10, WPBMANAGERHANA 10, ENABLENOWCONSUMPDEL 1704, the Content-Security-Policy and X-XSS-Protection response headers are not implemented, allowing an unauthenticated attacker to attempt reflected cross-site scripting, which could result in...
Cross site request forgery (csrf)
An cross site request forgery CSRF vulnerability discovered in Jymusic v2.0.0.,that allows attackers to execute arbitrary code via /admin.php?s=/addons/config.html&id=6 to modify payment information...
CVE-2020-18416
An cross site request forgery CSRF vulnerability discovered in Jymusic v2.0.0.,that allows attackers to execute arbitrary code via /admin.php?s=/addons/config.html&id=6 to modify payment information...
CVE-2020-18416
An cross site request forgery CSRF vulnerability discovered in Jymusic v2.0.0.,that allows attackers to execute arbitrary code via /admin.php?s=/addons/config.html&id=6 to modify payment information...
PT-2023-11501 · Jymusic · Jymusic
Name of the Vulnerable Software and Affected Versions: Jymusic version 2.0.0 Description: A cross-site request forgery CSRF issue allows attackers to execute arbitrary code via the "/admin.php?s=/addons/config.html&id=6" API endpoint to modify payment information. This can be achieved by exploiti...
CVE-2023-33991 Stored Cross-Site Scripting (Stored XSS) vulnerability in SAP UI5 Variant Management
SAP UI5 Variant Management - versions SAPUI 750, SAPUI 754, SAPUI 755, SAPUI 756, SAPUI 757, UI700 200, does not sufficiently encode user-controlled inputs on reading data from the server, resulting in Stored Cross-Site Scripting Stored XSS vulnerability. After successful exploitation, an attacke...
CVE-2023-31406
Due to insufficient input validation, SAP BusinessObjects Business Intelligence Platform - versions 420, 430, allows an unauthenticated attacker to redirect users to untrusted site using a malicious link. On successful exploitation, an attacker can view or modify information causing a limited...
Input validation
Due to insufficient input validation, SAP BusinessObjects Business Intelligence Platform - versions 420, 430, allows an unauthenticated attacker to redirect users to untrusted site using a malicious link. On successful exploitation, an attacker can view or modify information causing a limited...
CVE-2023-30741 Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform
Due to insufficient input validation, SAP BusinessObjects Business Intelligence Platform - versions 420, 430, allows an unauthenticated attacker to redirect users to untrusted site using a malicious link. On successful exploitation, an attacker can view or modify information causing a limited...
CVE-2023-25618
SAP NetWeaver Application Server for ABAP and ABAP Platform - versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 791, has multiple vulnerabilities in an unused class for error handling in which an attacker authenticated as a non-administrative user can craft a request with...
Design/Logic Flaw
In SAP Solution Manager Enterprise Search - versions 740, and 750, an unauthenticated attacker can generate a link that, if clicked by a logged-in user, can be redirected to a malicious page that could read or modify sensitive information, or expose the user to a phishing attack, with little impa...
Sql injection
An unauthenticated user can attach to an open interface exposed through JNDI by the Messaging System of SAP NetWeaver Process Integration PI - version 7.50. This user can make use of an open naming and directory API to access services that could perform unauthorized operations. The vulnerability...
Input validation
Due to insufficient input validation, SAP NetWeaver AS Java HTTP Provider Service - version 7.50, allows an unauthenticated attacker to inject a script into a web request header. On successful exploitation, an attacker can view or modify information causing a limited impact on the confidentiality...