CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

7203 matches found

Cvelist•added 2023/06/20 12:0 a.m.•15 views

CVE-2020-20918

An issue discovered in Pluck CMS v.4.7.10-dev2 allows a remote attacker to execute arbitrary php code via the hidden parameter to admin.php when editing a page...

7.2AI score0.00321EPSS

Exploits1References1

Hacker One•added 2023/06/19 9:3 p.m.•16 views

Invision Power Services, Inc.: XSS with Visual Language Editor tags

A security vulnerability allowed an attacker to execute arbitrary code on a website by exploiting the Visual Language Editor tags. By injecting malicious code into a post or comment, the attacker could gain full control of the website and its data. The vulnerability has been patched...

8.2AI score

Exploits0

NVD•added 2023/06/17 10:15 p.m.•11 views

CVE-2023-35808

An issue was discovered in SugarCRM Enterprise before 11.0.6 and 12.x before 12.0.3. An Unrestricted File Upload vulnerability has been identified in the Notes module. By using crafted requests, custom PHP code can be injected and executed through the Notes module because of missing input...

8.8CVSS8.7AI score0.00353EPSS

Exploits2References3

NVD•added 2023/06/17 10:15 p.m.•6 views

CVE-2023-35809

An issue was discovered in SugarCRM Enterprise before 11.0.6 and 12.x before 12.0.3. A Bean Manipulation vulnerability has been identified in the REST API. By using a crafted request, custom PHP code can be injected through the REST API because of missing input validation. Regular user privileges...

8.8CVSS8.7AI score0.00459EPSS

Exploits2References3

Prion•added 2023/06/17 10:15 p.m.•9 views

Input validation

6.5CVSS8.6AI score0.00459EPSS

Exploits2References3Affected Software1

Prion•added 2023/06/17 10:15 p.m.•10 views

Unrestricted file upload

6.5CVSS8.7AI score0.00353EPSS

Exploits2References3Affected Software1

Cvelist•added 2023/06/17 12:0 a.m.•12 views

CVE-2023-35809

8.8AI score0.00459EPSS

Exploits2References3

Vulnrichment•added 2023/06/17 12:0 a.m.•10 views

CVE-2023-35810

An issue was discovered in SugarCRM Enterprise before 11.0.6 and 12.x before 12.0.3. A Second-Order PHP Object Injection vulnerability has been identified in the DocuSign module. By using crafted requests, custom PHP code can be injected and executed through the DocuSign module because of missing...

7.3AI score0.00337EPSS

Exploits2References3

CVE•added 2023/06/17 12:0 a.m.•43 views

CVE-2023-35808

SugarCRM Enterprise before 11.0.6 and 12.x before 12.0.3 contains an Unrestricted File Upload flaw in the Notes module due to missing input validation. Crafted requests can inject and execute PHP code with regular user privileges. Affected editions include non-Enterprise as well. Technical detail...

8.8CVSS8.7AI score0.00353EPSS

Exploits2References3Affected Software1

Cvelist•added 2023/06/17 12:0 a.m.•17 views

CVE-2023-35808

9AI score0.00353EPSS

Exploits2References3

Vulnrichment•added 2023/06/17 12:0 a.m.•8 views

CVE-2023-35809

7AI score0.00459EPSS

Exploits2References3

OSV•added 2023/06/16 7:35 p.m.•21 views

GHSA-F9JF-4CP4-4FQ5 Grav Server Side Template Injection (SSTI) vulnerability

Summary I found an RCERemote Code Execution by SSTI in the admin screen. Details Remote Code Execution is possible by embedding malicious PHP code on the administrator screen by a user with page editing privileges. PoC 1. Log in to the administrator screen and access the edit screen of the defaul...

9.1CVSS8.8AI score0.02554EPSS

Exploits1References8

Github Security Blog•added 2023/06/16 7:35 p.m.•41 views

Grav Server Side Template Injection (SSTI) vulnerability

9.9CVSS7.6AI score0.02554EPSS

Exploits1References8Affected Software1

NVD•added 2023/06/14 10:15 p.m.•11 views

CVE-2023-34251

Grav is a flat-file content management system. Versions prior to 1.7.42 are vulnerable to server side template injection. Remote code execution is possible by embedding malicious PHP code on the administrator screen by a user with page editing privileges. Version 1.7.42 contains a fix for this...

9.9CVSS9.9AI score0.02554EPSS

Exploits1References3

Prion•added 2023/06/14 10:15 p.m.•16 views

Design/Logic Flaw

5.8CVSS7.4AI score0.02554EPSS

Exploits1References3Affected Software1

OSV•added 2023/06/14 9:31 p.m.•12 views

CVE-2023-34251 Grav Server Side Template Injection vulnerability

9.9CVSS8AI score0.02554EPSS

Exploits1References5

Cvelist•added 2023/06/14 9:31 p.m.•13 views

CVE-2023-34251 Grav Server Side Template Injection vulnerability

9.9CVSS10AI score0.02554EPSS

Exploits1References3

Prion•added 2023/06/13 2:15 a.m.•17 views

Design/Logic Flaw

The WP Directory Kit plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 1.1.9 via the 'wdkpublicaction' function. This allows unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those...

7.5CVSS9.8AI score0.00778EPSS

Exploits1References3Affected Software1

Vulnrichment•added 2023/06/13 1:48 a.m.•9 views

CVE-2023-2278 WP Directory Kit <= 1.1.9 - Unauthenticated Local File Inclusion via wdk_public_action

9.8CVSS7.8AI score0.00778EPSS

Exploits1References3

NVD•added 2023/05/31 3:15 a.m.•11 views

CVE-2023-2435

The Blog-in-Blog plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 2.0.0 via a shortcode attribute. This allows editor-level, and above, attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files...

7.2CVSS7.4AI score0.01461EPSS

Exploits0References3

Rows per page

Query Builder

Family

Bulletin Type

Min CVSS Score

Date

Order by