Lucene search
K
CveMost viewed

367529 matches found

CVE
CVE
added 2023/07/25 12:0 a.m.2502 views

CVE-2022-46902

CVE-2022-46902 relates to Vocera Report Server/Voice Server 5.x–5.8. The issue is a path traversal vulnerability in an unzip operation used during a ZIP-based database restore via the Vocera Report Console’s websocket function. During extraction, the code uses file paths from the ZIP without suff...

7.5CVSS7.7AI score0.00532EPSS
Exploits0References2Affected Software2
CVE
CVE
added 2023/07/04 4:29 p.m.2502 views

CVE-2023-31999

CVE-2023-31999 affects all versions of @fastify/oauth2 due to a statically generated OAuth2 state parameter at startup, reused across requests for all users and sessions. This CSRF flaw could enable forged requests. The issue was addressed in v7.2.0, which switches to per-user state stored in a c...

8.8CVSS8.6AI score0.00581EPSS
Exploits1References3Affected Software1
CVE
CVE
added 2025/02/18 2:37 p.m.2501 views

CVE-2025-21702

The CVE CVE-2025-21702 concerns a bug in Linux kernel pfifo_tail_enqueue where, when sch->limit == 0, a path can cause qlen to be increased to one even if a preceding drop would have kept it at zero. This leads to a mismatch where a parent qlen no longer equals the sum of its children’s qlen, ...

7.8CVSS7.3AI score0.00256EPSS
Exploits0References11Affected Software1
CVE
CVE
added 2023/09/26 12:0 a.m.2501 views

CVE-2023-41904

CVE-2023-41904 affects Zoho ManageEngine ADManager Plus prior to version 7203, where the REST APIs suffer a 2FA bypass in AuthToken generation. This enables unauthorized access via REST endpoints, per multiple sources. Remediation is to upgrade to version 7203 or later; as a temporary measure, re...

5.4CVSS5.5AI score0.01988EPSS
Exploits0References1Affected Software1
CVE
CVE
added 2023/08/17 1:50 a.m.2501 views

CVE-2023-33237

CVE-2023-33237 affects Moxa TN-5900 Series firmware v3.3 and prior. Vulnerability arises from inadequate authentication in the web API handler, allowing low-privilege APIs to perform restricted actions typically allowed to high-privilege APIs. CVSS v3.1 base score 8.8 (High): Network access, low ...

8.8CVSS8.8AI score0.00521EPSS
Exploits0References1Affected Software1
CVE
CVE
added 2023/08/09 4:9 p.m.2501 views

CVE-2023-39531

CVE-2023-39531 affects Sentry. From version 10.0.0 up to, but not including, 23.7.2, an attacker with client-side exploits could obtain a valid access token for another user during the OAuth token exchange due to incorrect credential validation. The attack requires a known client_id and an API ap...

6.8CVSS6.4AI score0.00308EPSS
Exploits0References1Affected Software1
CVE
CVE
added 2023/08/02 12:23 p.m.2501 views

CVE-2023-26447

CVE-2023-26447 affects Open-Xchange AppSuite’s portal upsell widget, where a product description sourced from a user-controllable jslob is inserted into the DOM without proper escaping. The underlying issue is DOM-based XSS: unescaped jslob content can execute script in the victim’s browser, pote...

5.4CVSS5.5AI score0.00558EPSS
Exploits0References4Affected Software1
CVE
CVE
added 2023/07/07 4:23 p.m.2501 views

CVE-2023-37264

CVE-2023-37264 affects Tekton Pipelines: starting from 0.35.0, the Pipelines controller does not validate child TaskRun UIDs, allowing a user who can create TaskRuns to subvert ownership checks by creating a child TaskRun with the same name/owner reference. This can lead to the Pipeline controlle...

4.3CVSS4.2AI score0.00318EPSS
Exploits1References3Affected Software1
CVE
CVE
added 2023/09/26 8:40 p.m.2500 views

CVE-2023-42819

CVE-2023-42819 is a directory traversal vulnerability in JumpServer. Authenticated users can access and modify arbitrary files via the API endpoint /api/v1/ops/playbook/{playbook_id}/file/?key=../../../../../../../etc/passwd, enabling file disclosure (and potential modification) on affected syste...

8.9CVSS8.6AI score0.01856EPSS
Exploits1References2Affected Software1
CVE
CVE
added 2023/08/30 2:22 p.m.2500 views

CVE-2023-4209

CVE-2023-4209: The POEditor WordPress plugin prior to version 0.9.8 is vulnerable to CSRF due to missing checks in multiple areas, enabling an attacker to trick a logged-in admin into performing actions such as resetting settings or updating the API key. Public sources (NVD, Red Hat, CVE lists) c...

4.3CVSS4.9AI score0.00218EPSS
Exploits2References1Affected Software1
CVE
CVE
added 2023/08/09 3:29 a.m.2500 views

CVE-2023-38752

CVE-2023-38752 concerns an improper authorization vulnerability in the Special Interest Group Network for Analysis and Liaison (Inter-SOC Cooperation API). Affected versions are 4.4.0 through 4.7.7, where an authorized API user can view the attribute information of a poster marked as non-disclosu...

4.3CVSS4.5AI score0.00376EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2023/08/02 12:23 p.m.2500 views

CVE-2023-26450

Open-Xchange CVE-2023-26450 affects the OX Count web service in Open-Xchange AppSuite. The root cause is that the OX Count service did not specify a media-type when processing responses from external resources, enabling malicious script code to execute in the victim’s context and potentially lead...

5.4CVSS5.8AI score0.00665EPSS
Exploits0References4Affected Software1
CVE
CVE
added 2023/07/25 12:0 a.m.2500 views

CVE-2022-46901

CVE-2022-46901 affects Vocera Report Server and Voice Server 5.x through 5.8. The issue is an Access Control Violation for database operations via the Vocera Report Console’s websocket interface, which permits unauthenticated execution of tasks and database functions, including system tasks and a...

7.5CVSS7.6AI score0.00514EPSS
Exploits0References2Affected Software2
CVE
CVE
added 2024/04/04 8:37 p.m.2499 views

CVE-2023-45288

CVE-2023-45288 concerns an HTTP/2 HPACK processing issue where an attacker can force an endpoint to parse excessive HEADERS and CONTINUATION frames, potentially reading large, even Huffman-encoded, header data beyond intended bounds. The vulnerability arises when request headers exceed MaxHeaderB...

7.5CVSS8.1AI score0.91969EPSS
Exploits1References9
CVE
CVE
added 2023/08/16 4:36 a.m.2499 views

CVE-2023-3958

CVE-2023-3958 affects the WP Remote Users Sync WordPress plugin. The vulnerability is a Server-Side Request Forgery (SSRF) via the notify_ping_remote AJAX function in versions up to and including 1.2.12. An authenticated attacker with subscriber-level permissions (or higher) can cause the web app...

8.5CVSS5.8AI score0.00539EPSS
Exploits0References4Affected Software1
CVE
CVE
added 2023/08/09 3:36 a.m.2499 views

CVE-2023-4242

CVE-2023-4242 affects the WordPress plugin FULL – Customer . The issue allows an authenticated user with subscriber-level permissions or higher to disclose sensitive site configuration information via the REST route /health . Affected versions are up to and including 2.2.3 ; the underlying cause ...

4.3CVSS4.4AI score0.00432EPSS
Exploits0References3Affected Software1
CVE
CVE
added 2023/07/05 9:22 p.m.2499 views

CVE-2023-36827

CVE-2023-36827 (Fides) : A path traversal vulnerability affects Fides webserver in versions below 2.15.1, enabling remote attackers to access arbitrary files on the webserver container filesystem. The issue is fixed in 2.15.1. If the webserver API is behind a reverse proxy and the proxy is an AWS...

7.5CVSS7.6AI score0.0109EPSS
Exploits0References3Affected Software1
CVE
CVE
added 2023/09/21 12:0 a.m.2498 views

CVE-2023-38344

Affected software: Ivanti Endpoint Manager prior to 2022 SU4. Vulnerability: GetFileContents SOAP action in /landesk/managementsuite/core/core.secure/OsdScript.asmx allows reading arbitrary remote files when user-supplied paths aren’t properly restricted. Impact: authenticated attacker can read s...

6.5CVSS6.3AI score0.01031EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2023/08/22 12:59 p.m.2498 views

CVE-2023-24515

The CVE-2023-24515 entry describes a Server-Side Request Forgery (SSRF) vulnerability in the API checker of Pandora FMS. The root cause is that the application does not validate the URL scheme when retrieving the API URL, allowing schemes such as file in addition to http/https. This could enable ...

6.5CVSS5.5AI score0.00427EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2023/08/02 12:23 p.m.2498 views

CVE-2023-26448

Open-Xchange AppSuite is affected by CVE-2023-26448 due to unsafe handling of customized login/logout locations defined as jslob, which were not validated for malicious protocol handlers. The underlying issue allows malicious script code to execute in the victim’s context, potentially enabling se...

5.4CVSS5.6AI score0.00558EPSS
Exploits0References4Affected Software1
CVE
CVE
added 2025/01/21 12:18 p.m.2497 views

CVE-2025-21660

Technical details for CVE-2025-21660 are not provided in the supplied documents. No affected products, root cause, or remediation are disclosed here; monitor for updates from official advisories.

5.5CVSS6.6AI score0.00197EPSS
Exploits0References5Affected Software1
CVE
CVE
added 2023/08/03 12:0 a.m.2497 views

CVE-2023-33368

CVE-2023-33368 affects Control ID IDSecure 4.7.26.0 and earlier. The issue concerns API routes that exfiltrate sensitive information and passwords to users accessing those routes. Impact: information disclosure (Confidentiality HIGH per CVSS). No fix version is publicly documented in the provided...

6.5CVSS6.3AI score0.00541EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2023/07/27 6:54 a.m.2497 views

CVE-2023-3956

CVE-2023-3956 affects the InstaWP Connect WordPress plugin (versions up to and including 0.0.9.18). The vulnerability stems from a missing capability check in the events_receiver function, enabling unauthenticated attackers to add, modify, or delete posts and taxonomies, install/activate/deactiva...

9.8CVSS9.2AI score0.00758EPSS
Exploits0References3Affected Software1
CVE
CVE
added 2024/05/22 7:5 p.m.2496 views

CVE-2024-25737

VuFind 2.4–9.1 (pre-9.1.1) is affected by a Server-Side Request Forgery (SSRF) in the /Cover/Show route (ShowAction in CoverController.php). The vulnerability allows an attacker to proxy arbitrary URLs via the proxy GET parameter, enabling access to internal HTTP services and potentially enabling...

5.4CVSS6.3AI score0.0045EPSS
Exploits0References3
CVE
CVE
added 2023/09/13 2:54 a.m.2496 views

CVE-2023-4917

CVE-2023-4917 (Leyka WordPress plugin) affects Leyka versions

6.5CVSS6.8AI score0.0059EPSS
Exploits0References3Affected Software1
CVE
CVE
added 2023/09/08 6:17 p.m.2496 views

CVE-2023-41338

The CVE-2023-41338 issue affects gofiber (Fiber) prior to v2.49.2 where ctx.IsFromLocal() may return true for requests with X-Forwarded-For: 127.0.0.1, allowing access to localhost-scoped resources. Root cause: improper handling of the X-Forwarded-For header in the Ctx.IsFromLocal logic, enabling...

5.3CVSS5.1AI score0.00531EPSS
Exploits0References4Affected Software1
CVE
CVE
added 2023/09/06 5:27 p.m.2496 views

CVE-2023-0925

Summary (CVE-2023-0925): Software AG webMethods OneData 10.11 is exposed with an embedded Azul Zulu Java 11.0.15 that runs a Java RMI registry on port 2099 and two RMI interfaces on a high, dynamically assigned port. An unauthenticated attacker with network access to these ports can instruct the ...

9.8CVSS9.5AI score0.00649EPSS
Exploits0References1Affected Software1
CVE
CVE
added 2023/08/16 11:3 a.m.2496 views

CVE-2023-0551

The CVE CVE-2023-0551 affects the WordPress plugin REST API TO MiniProgram (through 4.6.1). The vulnerability is due to missing authorization checks and CSRF protection in an AJAX action, allowing any authenticated user (e.g., subscriber) to call and delete arbitrary attachments. Connected source...

5.4CVSS5.4AI score0.0028EPSS
Exploits2References1Affected Software1
CVE
CVE
added 2023/08/13 12:41 p.m.2496 views

CVE-2023-39404

CVE-2023-39404 concerns Huawei HarmonyOS and is tied to the window management module. The vulnerability stems from insufficient input parameter verification in certain APIs, which can be exploited to cause a device reboot (DoS). Public exploitation details are not provided in the supplied documen...

7.5CVSS7.3AI score0.00379EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2023/07/19 9:45 p.m.2496 views

CVE-2023-34429

CVE-2023-34429 affects Weintek Weincloud v0.13.6, where processing of a forged JWT token can cause a denial-of-service. The connected ICS/nvd entries corroborate the DoS impact and indicate remediation: Weincloud account API updated to v0.13.8 (no action required by users beyond this update). No ...

7.5CVSS7.6AI score0.00531EPSS
Exploits0References1Affected Software1
CVE
CVE
added 2024/05/01 5:20 a.m.2495 views

CVE-2024-26977

CVE-2024-26977 — Linux kernel MMIO leak due to broken guarding of iounmap(). The vulnerability arises because the ARCH_HAS_GENERIC_IOPORT_MAP guard was applied to iounmap() in pci_iounmap(), causing MMIO mappings to leak. The fix relocates the guard so iounmap() is called for MMIO mappings, preve...

5.5CVSS6.7AI score0.00226EPSS
Exploits0References6Affected Software1
CVE
CVE
added 2023/09/06 5:54 p.m.2495 views

CVE-2023-41319

The CVE-2023-41319 vulnerability affects Fides versions 2.11.0–2.19.0, where the webserver API accepts ZIP uploads that may contain Python code executed in a sandbox that can be bypassed. An attacker with API access using the CONNECTOR_TEMPLATE_REGISTER scope (restricted in Admin UI to highly pri...

8.8CVSS8.1AI score0.00837EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2023/09/01 12:0 a.m.2495 views

CVE-2023-36100

CVE-2023-36100 affects IceCMS 2.0.1. The issue is a privilege escalation and information disclosure via the UserID parameter in the endpoint api/User/ChangeUser. Root cause details are not fully disclosed in the provided documents, but multiple sources confirm the vulnerability in this specific v...

9.8CVSS9.3AI score0.00566EPSS
Exploits1References1Affected Software1
CVE
CVE
added 2019/05/08 4:18 p.m.2495 views

CVE-2019-11510

CVE-2019-11510 affects Pulse Secure Pulse Connect Secure (PCS). An unauthenticated remote attacker can exploit a crafted URI to perform an arbitrary file read on PCS appliances. Impact is described as reading arbitrary files from the device, which can facilitate further intrusion steps. Affected ...

10CVSS9.6AI score0.99999EPSS
In wildExploits22References12Affected Software1
CVE
CVE
added 2023/08/02 12:23 p.m.2494 views

CVE-2023-26451

CVE-2023-26451 concerns Open-Xchange AppSuite’s integrated oAuth Authorization Service, which used a weak randomness source to generate authorization tokens. This made authorization codes predictable to third parties, enabling interception of the client authorization process and potential account...

7.5CVSS7.5AI score0.00995EPSS
Exploits0References4Affected Software1
CVE
CVE
added 2023/07/03 7:53 a.m.2494 views

CVE-2023-3313

CVE-2023-3313 pertains to an OS command injection in the Trellix Enterprise Security Manager (ESM) certificate API, caused by insufficient neutralization of special elements. The vulnerability could let an unauthorized user with local access execute system commands, potentially escalating privile...

7.8CVSS8.1AI score0.00459EPSS
Exploits0References1Affected Software1
CVE
CVE
added 2023/09/04 10:33 a.m.2493 views

CVE-2023-4614

LG LED Assistant is affected by CVE-2023-4614 due to a path traversal flaw in the /api/installation/setThumbnailRc endpoint, caused by insufficient validation of a user-supplied path. This unauthenticated vulnerability can be leveraged to access files in the current user context; some sources des...

9.8CVSS9.7AI score0.02146EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2023/08/25 8:31 p.m.2493 views

CVE-2023-40585

CVE-2023-40585 affects the Metal³ ironic-image container used to run OpenStack Ironic. Prior to capm3-v1.4.3, if TLS is not used and API/Conductor aren’t split, the Ironic API can be accessed without authentication over the host network. The vulnerability description notes that the API is otherwi...

7.5CVSS7.4AI score0.00367EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2023/08/02 12:22 p.m.2493 views

CVE-2023-26430

CVE-2023-26430 affects Open-Xchange AppSuite. Attackers with user access can inject arbitrary control characters into SIEVE mail-filter rules, potentially enabling access to disallowed SIEVE extensions or corrupting per-user filter processing. The underlying issue is character injection into mail...

4.3CVSS4.7AI score0.00627EPSS
Exploits0References4Affected Software1
CVE
CVE
added 2023/07/12 3:52 p.m.2493 views

CVE-2023-37957

CVE-2023-37957 affects Jenkins Pipeline restFul API Plugin up to version 0.11. A CSRF flaw allows an attacker to cause the Jenkins instance to connect to an attacker-controlled URL, enabling capture of a newly generated JCLI token. The vulnerability’s description and Red Hat/GitHub/NVD references...

8.8CVSS8.6AI score0.0034EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2023/07/17 3:23 p.m.2492 views

CVE-2023-3584

Mattermost CVE-2023-3584 affects the POST /api/v4/teams endpoint. The root cause is improper authorization checks when a team override scheme ID is supplied, enabling an authenticated attacker who knows a valid Team Override Scheme ID to create a new team using that scheme. Documents consistently...

3.1CVSS3.6AI score0.00296EPSS
Exploits0References1Affected Software1
CVE
CVE
added 2023/07/06 12:26 p.m.2492 views

CVE-2023-37238

The CVE-2023-37238 entry concerns Huawei HarmonyOS. Affected component: wireless projection module (and related screen casting interfaces). Root cause: incomplete verification of apps’ permission to access a specific API, enabling insufficient permission checks. Impact: exploitation could affect ...

5.3CVSS5.1AI score0.00255EPSS
Exploits0References2Affected Software2
CVE
CVE
added 2025/01/19 10:18 a.m.2491 views

CVE-2025-21648

CVE-2025-21648 affects the Linux kernel netfilter conntrack code. The vulnerability arises from the hashtable resize path where the maximum size could exceed practical limits, risking a WARN_ON_ONCE in __kvmalloc_node_noprof() when __GFP_NOWARN is unset. The fix clamps the conntrack hashtable siz...

5.5CVSS7AI score0.00209EPSS
Exploits0References9Affected Software1
CVE
CVE
added 2023/08/27 10:31 p.m.2491 views

CVE-2023-4559

CVE-2023-4559 affects Bettershop LaikeTui; the issue is in the POST Request Handler at index.php?module=api&action=user&m=upload, allowing unrestricted file upload. Root cause and details point to unknown affected versions due to rolling-release behavior; no version-specific fixes are disclosed i...

9.8CVSS7.9AI score0.00519EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2023/07/11 12:0 a.m.2491 views

CVE-2023-37658

CVE-2023-37658 affects fast-poster v2.15.0. The vulnerability is in the file upload path: ApiUploadHandler.post in /server/fast.py, where the image check is based on binary data and does not strictly verify the file suffix, enabling stored XSS. Several connected sources confirm this issue; exploi...

5.4CVSS5.1AI score0.00332EPSS
Exploits1References1Affected Software1
CVE
CVE
added 2024/12/29 8:42 a.m.2490 views

CVE-2024-56709

CVE-2024-56709 — Linux kernel io_uring race condition : The vulnerability arises when a task’s work is queued after the task has gone through io_uring termination, potentially finding the io_wq pointer already killed and null. The fix adds a guard so that io_queue_iowq() will fail in this scenari...

5.5CVSS6.5AI score0.00211EPSS
Exploits0References5Affected Software1
CVE
CVE
added 2023/09/13 6:53 a.m.2490 views

CVE-2023-4400

Skyhigh Secure Web Gateway (SWG) is affected: versions 11.x prior to 11.2.14, 10.x prior to 10.2.25, and 12.x prior to 12.2.1 contain a password-management issue where authentication information stored in configuration files can be extracted via the SWG REST API because passwords are stored in pl...

6.5CVSS6.5AI score0.003EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2023/07/11 1:15 p.m.2490 views

CVE-2023-2746

Rockwell Automation Enhanced HIM is affected by CSRF due to an API that is not sufficiently protected and incorrect CORS settings. Exploitation could lead to sensitive information disclosure and full remote access to affected products. Judgment from multiple sources (ICS advisory ICSA-23-192-01, ...

9.6CVSS9.2AI score0.00399EPSS
Exploits0References1Affected Software1
CVE
CVE
added 2023/08/14 4:2 a.m.2489 views

CVE-2023-3263

CVE-2023-3263 affects the Dataprobe iBoot PDU (firmware 1.43.03312023 and earlier). The vulnerability is an authentication bypass in the REST API caused by mishandling of special characters when parsing credentials, enabling an attacker to obtain a valid authorization token and read the relays/po...

7.5CVSS7.5AI score0.00638EPSS
Exploits0References1Affected Software1
CVE
CVE
added 2023/08/08 9:2 p.m.2489 views

CVE-2023-39951

CVE-2023-39951 affects OpenTelemetry Java Instrumentation prior to 1.28.0. When instrumenting AWS SDK v2 calls to SES v1, the request query parameters are inserted into the trace url.path, causing the HTTP body (subject and message) to be exposed in telemetry backends. This information disclosure...

6.5CVSS6.3AI score0.00672EPSS
Exploits1References3Affected Software1
Total number of security vulnerabilities5000