Lucene search
K

155 matches found

Cvelist
Cvelist
added 2024/12/25 4:22 a.m.61 views

CVE-2024-12428 WP Data Access – App, Table, Form and Chart Builder plugin <= 5.5.22 - Unauthenticated SQL Injection

The WP Data Access – App, Table, Form and Chart Builder plugin plugin for WordPress is vulnerable to SQL Injection via the 'orderuserlogindir' parameter in all versions up to, and including, 5.5.22 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on t...

7.5CVSS0.0047EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2024/12/18 11:9 a.m.7 views

CVE-2024-11912 Traveler <= 3.1.6 - Unauthenticated SQL Injection via order_id

The Travel Booking WordPress Theme theme for WordPress is vulnerable to blind time-based SQL Injection via the ‘orderid’ parameter in all versions up to, and including, 3.1.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query...

7.5CVSS7.6AI score0.00453EPSS
Exploits0References2
CVE
CVE
added 2024/12/14 6:45 a.m.56 views

CVE-2024-11711

CVE-2024-11711 affects the WP Job Portal – A Complete Recruitment System for WordPress plugin. Connected sources document an unauthenticated SQL Injection via the resumeid parameter in all versions up to 2.2.1 due to insufficient escaping and lack of proper SQL query preparation, enabling an atta...

7.5CVSS7.7AI score0.0051EPSS
Exploits0References3Affected Software1
Vulnrichment
Vulnrichment
added 2024/12/14 4:23 a.m.6 views

CVE-2024-12578 Tickera – WordPress Event Ticketing <= 3.5.4.8 - Unauthenticated Customer Data Exposure

The Tickera – WordPress Event Ticketing plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 3.5.4.8 via the 'tickeraticketsinfo' endpoint. This makes it possible for unauthenticated attackers to extract sensitive data from bookings like full names, ema...

5.3CVSS6.7AI score0.0049EPSS
Exploits0References2
CVE
CVE
added 2024/12/14 4:23 a.m.43 views

CVE-2024-12578

CVE-2024-12578 affects the Tickera – WordPress Event Ticketing plugin for WordPress. The vulnerability is an information disclosure via the unprotected tickera_tickets_info endpoint, allowing unauthenticated access to sensitive booking data (full names, email addresses, check-in/out timestamps, a...

5.3CVSS5.2AI score0.0049EPSS
Exploits0References2
CVE
CVE
added 2024/12/13 3:24 a.m.63 views

CVE-2019-25221

CVE-2019-25221 affects the WordPress plugin Responsive Filterable Portfolio (versions ≤ 1.0.8). Root cause: insufficient escaping and lack of prepared statements in the SQL query, via the id parameter, enabling unauthenticated SQL injection to extract DB data. Evidence indicates the vendor patche...

6.5CVSS6.7AI score0.00471EPSS
Exploits0References3Affected Software1
Vulnrichment
Vulnrichment
added 2024/12/07 9:27 a.m.7 views

CVE-2024-12270 Beautiful Taxonomy Filters <= 2.4.3 - Unauthenticated SQL Injection

The Beautiful taxonomy filters plugin for WordPress is vulnerable to SQL Injection via the 'selects0term' parameter in all versions up to, and including, 2.4.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...

7.5CVSS7.7AI score0.03556EPSS
Exploits1References3
Vulnrichment
Vulnrichment
added 2024/12/06 3:25 a.m.8 views

CVE-2024-10247 YouTube Gallery and Vimeo Gallery Plugin <= 2.4.2 - Authenticated (Administrator+) SQL Injection

The Video Gallery – Best WordPress YouTube Gallery Plugin plugin for WordPress is vulnerable to time-based SQL Injection via the orderby parameter in all versions up to, and including, 2.4.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...

7.2CVSS7.3AI score0.00521EPSS
Exploits0References4
Rapid7 Blog
Rapid7 Blog
added 2024/09/09 2:33 p.m.43 views

Multiple Vulnerabilities in Veeam Backup & Replication

On Wednesday, September 4, 2024, backup and recovery software provider Veeam released their September security bulletin disclosing various vulnerabilities in Veeam products. One of the higher-severity vulnerabilities included in the bulletin is CVE-2024-40711, a critical unauthenticated remote co...

9.8CVSS10AI score0.88193EPSS
Exploits7
NVD
NVD
added 2024/06/11 6:15 a.m.28 views

CVE-2024-3723

The Advanced Contact form 7 DB plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0.2 via the wp-content/uploads/advanced-cf7-upload directory. This makes it possible for unauthenticated attackers to extract sensitive data uploaded via thi...

5.3CVSS0.00439EPSS
Exploits0References3
CNVD
CNVD
added 2024/04/24 12:0 a.m.9 views

IBM Aspera Faspex Log Message Disclosure Vulnerability

IBM Aspera is a set of fast file transfer and streaming solutions built on the IBM FASP protocol from International Business Machines IBM. A log information disclosure vulnerability exists in IBM Aspera Faspex, which can be exploited by an attacker to obtain sensitive information...

5.5CVSS5.9AI score0.0019EPSS
Exploits0References1
OSV
OSV
added 2024/04/09 6:59 p.m.8 views

CVE-2024-0952 WP ERP <= 1.12.9 - Authenticated (Accounting Manager+) SQL Injection via id

The WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting plugin for WordPress is vulnerable to time-based SQL Injection via the id parameter in all versions up to, and including, 1.12.9 due to insufficient escaping on the user supplied parameter and lack of...

7.2CVSS7.2AI score0.00906EPSS
Exploits0References4
Prion
Prion
added 2023/10/31 9:15 a.m.19 views

Sql injection

The Image vertical reel scroll slideshow plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 9.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...

4CVSS7.1AI score0.00797EPSS
Exploits1References3Affected Software1
Prion
Prion
added 2023/10/25 6:17 p.m.16 views

Authentication flaw

Missing authentication in the StudentPopupDetailsStudentDetails method in IDAttend’s IDWeb application 3.1.052 and earlier allows extraction of sensitive student data by unauthenticated attackers...

5CVSS7.7AI score0.00695EPSS
Exploits0References1Affected Software1
Prion
Prion
added 2023/10/25 6:17 p.m.15 views

Authentication flaw

Missing authentication in the SearchStudentsRFID method in IDAttend’s IDWeb application 3.1.052 and earlier allows extraction sensitive student data by unauthenticated attackers...

5CVSS7.7AI score0.00695EPSS
Exploits0References1Affected Software1
Vulnrichment
Vulnrichment
added 2023/06/06 12:0 a.m.14 views

CVE-2023-27126

The AES Key-IV pair used by the TP-Link TAPO C200 camera V3 EU on firmware version 1.1.22 Build 220725 is reused across all cameras. An attacker with physical access to a camera is able to extract and decrypt sensitive data containing the Wifi password and the TP-LINK account credential of the...

6.8AI score0.0035EPSS
Exploits1References3
Github Security Blog
Github Security Blog
added 2022/09/15 3:21 a.m.21 views

Pageflow vulnerable to sensitive user data extraction via Ransack query injection

Impact The attack allows extracting sensitive properties of database objects that are associated with users or entries belonging to an account that the attacker has access to. Pageflow uses the ActiveAdmin Ruby library to provide some management features to its users. ActiveAdmin relies on the...

4AI score
Exploits0References3Affected Software1
Prion
Prion
added 2022/06/02 6:15 p.m.14 views

Code injection

Solutions Atlantic Regulatory Reporting System RRS v500 is vulnerable to Local File Inclusion LFI. Any authenticated user has the ability to reference internal system files within requests made to the RRSWeb/maint/ShowDocument/ShowDocument.aspx page. The server will successfully respond with the...

4CVSS6.5AI score0.01852EPSS
Exploits2References2Affected Software1
Cvelist
Cvelist
added 2022/06/02 5:12 p.m.29 views

CVE-2022-29597

Solutions Atlantic Regulatory Reporting System RRS v500 is vulnerable to Local File Inclusion LFI. Any authenticated user has the ability to reference internal system files within requests made to the RRSWeb/maint/ShowDocument/ShowDocument.aspx page. The server will successfully respond with the...

6.7AI score0.01852EPSS
Exploits2References2
Cvelist
Cvelist
added 2022/03/16 3:1 p.m.28 views

CVE-2021-45821

A blind SQL injection vulnerability exists in Xbtit 3.1 via the sid parameter in ajaxchat/getHistoryChatData.php file that is accessible by a registered user. As a result, a malicious user can extract sensitive data such as usernames and passwords and in some cases use this vulnerability in order...

9.2AI score0.02505EPSS
Exploits1References3
Rows per page
Query Builder