Intel® QuickAssist Technology Engine for OpenSSL Advisory
Summary: Potential security vulnerabilities in the Intel® QuickAssist Technology (Intel® QAT) Engine for OpenSSL software may allow information disclosure. Intel is releasing software updates to mitigate these potential vulnerabilities. Vulnerability Details: CVEID: CVE-2024-336...
CVE-2023-43871
A file upload vulnerability in WBCE v.1.6.1 allows a local attacker to upload a PDF file with hidden Cross-Site Scripting (XSS)...
Privilege escalation
An arbitrary file upload vulnerability in the /languages/install.php component of WBCE CMS v1.6.1 allows attackers to execute arbitrary code via a crafted PHP file...
CVE-2023-27164
An arbitrary file upload vulnerability in Halo up to v1.6.1 allows attackers to execute arbitrary code via a crafted .md file...
Privilege escalation
An arbitrary file upload vulnerability in Halo up to v1.6.1 allows attackers to execute arbitrary code via a crafted .md file...
Cross site scripting vulnerability with discussion titles
Flarum's page title system allowed for page titles to be converted into HTML DOM nodes when pages were rendered. The change was made after v1.5 and was not noticed. This allowed an attacker to inject malicious HTML markup using a discussion title input, either by creating a new discussion or...
Design/Logic Flaw
Flarum is an open source discussion platform. Flarum's page title system allowed for page titles to be converted into HTML DOM nodes when pages were rendered. The change was made after v1.5 and was not noticed. This allowed an attacker to inject malicious HTML markup using a discussion title inpu...
CVE-2022-41938
CVE-2022-41938 (Flarum): XSS in Flarum occurs because the page title system could convert titles into HTML DOM nodes, allowing attacker-controlled HTML markup via a discussion title input. Affected versions: 1.5.0–1.6.1. Impact is browser-based XSS on the discussion page when opened. Remediation:...
CVE-2022-39383
CVE-2022-39383 describes a blind SSRF in the KubeVela VelaUX APIserver when using Helm Chart as the component delivery method, where the warehouse request address is not restricted. This affects KubeVela’s VelaUX APIserver and enables an SSRF vulnerability. Public reports and advisories (GitHub G...
CVE-2022-37857
bilde2910 Hauk v1.6.1 requires a hardcoded password which by default is blank. This hardcoded password is hashed but stored within the config.php file server-side as well as in clear text on the Android client device by default...
CVE-2022-37857
CVE-2022-37857 affects bilde2910 Hauk v1.6.1, where a hardcoded default password (blank) is hashed but stored in server-side config.php and also in plaintext on the Android client by default. This creates a persistent credential exposure risk that could enable unauthorized access if the default i...
Default credentials
In DataEase v1.6.1, an authenticated user can gain unauthorized access to all user information and can change the administrator password...
CVE-2022-23331
In DataEase v1.6.1, an authenticated user can gain unauthorized access to all user information and can change the administrator password...
CVE-2022-23331
Summary: DataEase v1.6.1 contains an access-control vulnerability that allows an authenticated user to access all user information and to change the administrator password. The issue is described as an access control error in DataEase; no details about a patch are provided in the connected docume...
CVE-2021-24854
The QR Redirector WordPress plugin before 1.6.1 does not sanitise and escape some of the QR Redirect fields, which could allow users with a role as low as Contributor to perform Stored Cross-Site Scripting attacks...
Download Plugin < 1.6.1 - Subscriber+ Arbitrary Plugin Activation
The plugin does not have capability and CSRF checks in the dpwappluginactivate AJAX action, allowing any authenticated user, such as a subscriber, to activate plugins that are already installed. v 1.5.9 - jQuery.postajaxurl, action:"dpwappluginactivate", dpwapurl:"hello.php" v 1.6.0 -...
Security Bulletin: Netcool Operations Insight - Cloud Native Event Analytics is affected by an International Components for Unicode (ICU) for C/C++ vulnerability (CVE-2020-10531)
Summary: Netcool Operations Insight - Cloud Native Event Analytics has addressed the following vulnerability in International Components for Unicode (ICU) for C/C++. Vulnerability Details: CVEID: CVE-2020-11080 DESCRIPTION: Node.js is vulnerable to a denial of service, caused by an error in the HTTP/2...