1496 matches found

NVD
added 2023/12/12 6:15 p.m. | 25 views

CVE-2023-21740

Windows Media Remote Code Execution Vulnerability...

CVSS 7.8 | EPSS 0.01085
Exploits: 0 | References: 1

OSV
added 2023/12/04 11:13 p.m. | 29 views

GHSA-37VQ-HR2F-G7H7 HtmlUnit vulnerable to Remote Code Execution (RCE) via XSTL

Summary: HtmlUnit 3.8.0 is vulnerable to Remote Code Execution (RCE) via XSTL when browsing the attacker’s webpage. Details: Vulnerability code location: org.htmlunit.activex.javascript.msxml.XSLProcessor#transform(org.htmlunit.activex.javascript.msxml.XMLDOMNode). The reason for the vulnerability is th...

CVSS 9.8 | AI score 9.3 | EPSS 0.02358
Exploits: 1 | References: 4

CNVD
added 2023/11/21 12:00 a.m. | 7 views

SuiteCRM Code Injection Vulnerability

SuiteCRM is a customer relationship management system from the SuiteCRM team. SuiteCRM has a security vulnerability that can be exploited by an attacker to cause arbitrary code execution...

CVSS 8.8 | AI score 7.5 | EPSS 0.00809
Exploits: 1 | References: 1

Vulnrichment
added 2023/11/06 5:30 p.m. | 5 views

CVE-2023-44398 Out-of-bounds write in exiv2

Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. An out-of-bounds write was found in Exiv2 version v0.28.0. The vulnerable function, BmffImage::brotliUncompress, is new in v0.28.0, so earlier versions of Exiv2 are not...

CVSS 8.8 | AI score 8.5 | EPSS 0.00973
Exploits: 0 | References: 3

CNVD
added 2023/11/01 12:00 a.m. | 5 views

BaserCMS Code Injection Vulnerability

baserCMS is an enterprise-level content management system (CMS) from the baserCMS team. A code injection vulnerability exists in baserCMS versions 4.6.0 through 4.7.6, which stems from the application's failure to properly filter special elements of constructed snippets. An attacker can exploit the...

CVSS 9.8 | AI score 7 | EPSS 0.00573
Exploits: 0 | References: 1

OSV
added 2023/10/20 11:26 p.m. | 3 views

CVE-2023-45679 Attempt to free an uninitialized memory pointer in vorbis_deinit in stb_vorbis

stb_vorbis is a single file MIT licensed library for processing ogg vorbis files. A crafted file may trigger memory allocation failure in start_decoder. In that case the function returns early, but some of the pointers in f->comment_list are left initialized and later setup_free is called on these...

CVSS 7.3 | AI score 7.6 | EPSS 0.00518
Exploits: 0 | References: 5

Positive Technologies
added 2023/10/19 12:00 a.m. | 4 views

PT-2023-29071 · WordPress · Essential Blocks

Name of the Vulnerable Software and Affected Versions: The Essential Blocks plugin for WordPress versions up to, and including, 4.2.0
Description: The issue allows unauthenticated attackers to inject a PHP Object via deserialization of untrusted input in the get_products function. This could...

CVSS 9.8 | AI score 9.6 | EPSS 0.0134
Exploits: 3 | References: 6

NVD
added 2023/10/10 6:15 p.m. | 17 views

CVE-2023-36578

Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability...

CVSS 7.3 | AI score 8.4 | EPSS 0.00977
Exploits: 0 | References: 1

Positive Technologies
added 2023/09/11 12:00 a.m. | 3 views

PT-2023-26770 · Unknown · Zlmediakit

Name of the Vulnerable Software and Affected Versions: ZLMediaKit versions 4.0 through 5.0
Description: The issue allows an attacker to execute arbitrary code via a crafted script to the URL, potentially leading to the execution of malicious scripts. This is a Cross Site Scripting vulnerability...

CVSS 6.1 | AI score 6.4 | EPSS 0.00378
Exploits: 0 | References: 5

Positive Technologies
added 2023/09/08 12:00 a.m. | 4 views

PT-2023-28225 · Unknown · Pdf-Xchange Editor

Name of the Vulnerable Software and Affected Versions: PDF-XChange Editor (affected versions not specified)
Description: This issue allows remote attackers to execute arbitrary code on affected installations. User interaction is required, where the target must visit a malicious page or open a...

CVSS 7.8 | AI score 7.8 | EPSS 0.00406
Exploits: 0 | References: 5

Positive Technologies
added 2023/09/01 12:00 a.m. | 3 views

PT-2023-25537 · Relic · Relic

Name of the Vulnerable Software and Affected Versions: RELIC versions before commit 421f2e91cf2ba42473d4d54daf24e295679e290e
Description: The issue allows attackers to execute arbitrary code and cause a denial of service. This is due to an integer overflow vulnerability in the bn_get_prime...

CVSS 9.8 | AI score 9.7 | EPSS 0.00784
Exploits: 0 | References: 5

Positive Technologies
added 2023/08/31 12:00 a.m. | 3 views

PT-2023-28016 · Grupposcai · Realgimm

Name of the Vulnerable Software and Affected Versions: GruppoSCAI RealGimm version 1.1.37p38
Description: The issue allows attackers to execute arbitrary code via uploading a crafted HTML file, exploiting an arbitrary file upload vulnerability in the Carica immagine function.
Recommendations: For...

CVSS 9.8 | AI score 9.6 | EPSS 0.01066
Exploits: 1 | References: 4

Vulnrichment
added 2023/07/28 12:00 a.m. | 10 views

CVE-2023-39010

BoofCV 0.42 was discovered to contain a code injection vulnerability via the component boofcv.io.calibration.CalibrationIO.load. This vulnerability is exploited by loading a crafted camera calibration file...

AI score 7.7 | EPSS 0.00747
Exploits: 1 | References: 1

CNVD
added 2023/07/14 12:00 a.m. | 12 views

Adobe ColdFusion Deserialization Vulnerability (CNVD-2024-25608)

Adobe ColdFusion is a rapid application development platform from Adobe, a United States company. The platform includes an integrated development environment and scripting language. Adobe ColdFusion has a deserialization vulnerability that arises from unsafe deserialization of...

CVSS 9.8 | AI score 6.8 | EPSS 0.99984
Exploits: 0 | References: 1

Positive Technologies
added 2023/07/13 12:00 a.m. | 4 views

PT-2023-26107 · Geeklog · Geeklog

Name of the Vulnerable Software and Affected Versions: Geeklog version 2.2.2
Description: The issue allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Rule and Route parameters of "/admin/router.php" API endpoint. This enables the execution of...

CVSS 4.8 | AI score 5.5 | EPSS 0.00399
Exploits: 1 | References: 6

Vulnrichment
added 2023/06/29 12:00 a.m. | 8 views

CVE-2020-26708

requests-xml v0.2.3 was discovered to contain an XML External Entity Injection (XXE) vulnerability which allows attackers to execute arbitrary code via a crafted XML file...

AI score 8.6 | EPSS 0.00668
Exploits: 0 | References: 2

Circl
added 2023/06/28 2:12 a.m. | 1 view

CVE-2023-25001

creationtimestamp | type | source
---|---|---
2023-06-28 02:12:22+00:00 | seen | https://t.me/cibsecurity/65592...

CVSS 7.8 | AI score 5.9 | EPSS 0.00258
Exploits: 0 | References: 1

Positive Technologies
added 2023/06/21 12:00 a.m. | 3 views

PT-2023-25385 · Npm · @Backstage/Plugin-Scaffolder-Backend

Name of the Vulnerable Software and Affected Versions: @backstage/plugin-scaffolder-backend versions prior to 1.15.0
Description: The Backstage scaffolder-backend plugin uses a templating library that requires a sandbox, allowing for code injection. A malicious actor with write access to a...

CVSS 9.9 | AI score 9.8 | EPSS 0.01503
Exploits: 0 | References: 7

Vulnrichment
added 2023/06/13 12:00 a.m. | 8 views

CVE-2023-34944

An arbitrary file upload vulnerability in the /fileUpload.lib.php component of Chamilo 1.11. up to v1.11.18 allows attackers to execute arbitrary code via uploading a crafted SVG file...

AI score 7.7 | EPSS 0.01092
Exploits: 0 | References: 4

Vulnrichment
added 2023/04/20 12:00 a.m. | 6 views

CVE-2023-27352

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Sonos One Speaker 70.3-35220. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of the SMB directory query command. The issue...

CVSS 8.8 | AI score 8.9 | EPSS 0.00783
Exploits: 0 | References: 1