367610 matches found
CVE-2023-32761
CVE-2023-32761 is a CSRF vulnerability in Archer Platform prior to version 6.13. An authenticated attacker can execute arbitrary code via a crafted request. The issue is fixed in Archer Platform versions 6.12.0.6 and 6.13.0. No exploitation details are provided beyond the authenticated vector; no...
CVE-2024-27005
CVE-2024-27005 : The vulnerability is a race in the Linux kernel interconnect subsystem where the req_list of icc_node could be modified while icc_set_bw() iterates it, due to locking not guaranteeing mutual exclusion between icc_bw_lock and icc_lock. The issue arises after splitting icc_lock and...
CVE-2023-25042
CVE-2023-25042 : Stored XSS in the oAuth Twitter Feed for Developers WordPress plugin (
CVE-2023-21410
CVE-2023-21410 affects the AXIS License Plate Verifier via the api.cgi endpoint, where user input is not sanitized, enabling arbitrary code execution. Public details (NVD) list a high-impact CVSSv3.1 score (base 8.8) with NETWORK attack vector, low attack complexity, and privileges required as lo...
CVE-2023-37918
CVE-2023-37918 affects Dapr and describes an API-token authentication bypass in HTTP endpoints when API token authentication is enabled. The root cause involves health check endpoint allowlisting, where requests containing /healthz in the URL could bypass the dapr-api-token check and reach the Da...
CVE-2023-37600
Office Suite Premium affected product: Version v10.9.1.42602. Vulnerability: reflected cross-site scripting (XSS) via the id parameter at /api?path=profile. Root cause: input reflected back to output without adequate sanitization (per the provided CVE record and secondary sources). Impact (as des...
CVE-2023-1547
The CVE-2023-1547 entry concerns Elra Parkmatik (Parkmatik software) with an SQL Injection vulnerability due to improper neutralization of special elements in SQL commands. It allows SQL injection through SOAP parameter tampering and can lead to command line execution, affecting versions before 0...
CVE-2023-26861
CVE-2023-26861 affects PrestaShop vivawallet, version 1.7.10 and earlier, where a SQL injection in the vivawallet() module could allow a remote attacker to gain privileges. The issue is tied to the vivawallet() integration and is documented across multiple sources; no publicly available fix versi...
CVE-2023-3606
TamronOS (IPTV) contains a remote OS command injection in the /api/ping endpoint, caused by manipulation of the host parameter. Affects TamronOS versions up to 20230703; exploitation can be remote and the vulnerability has been publicly disclosed (CVE-2023-3606). The CVE entry notes no fix detail...
CVE-2023-3131
CVE-2023-3131 affects the MStore API WordPress plugin prior to version 3.9.7. The vulnerability arises because most AJAX actions are not protected by privilege checks or nonce validation, enabling unauthorized actions such as modifying settings. Public references describe practical proof-of-conce...
CVE-2023-3209
CVE-2023-3209 affects the MStore API WordPress plugin prior to version 3.9.7, where many AJAX actions lack proper privilege checks and nonce validation, enabling unauthorized changes to settings (CSRF). Multiple sources corroborate an upstream issue that allows privilege escalation via crafted re...
CVE-2023-39422
The CVE-2023-39422 issue affects the IRM Next Generation booking engine’s /irmdata/api/ endpoints. The root cause is that HMAC tokens used to authenticate requests are exposed in a client-side JavaScript file, which renders this extra safety mechanism ineffective. Descriptions across sources repe...
CVE-2023-38617
Office Suite Premium v10.9.1.42602 is affected by a reflected cross-site scripting (XSS) vulnerability in the filter parameter of the API endpoint /api?path=files. The issue is documented across multiple sources, with no public exploit details provided in the attached documents. CVSS 3.1 base sco...
CVE-2023-3581
CVE-2023-3581 affects Mattermost. The issue is that the product fails to properly validate the origin of a websocket connection, which can allow a Man-In-The-Middle (MITM) attacker to access the websocket APIs. Concrete details across connected sources consistently describe this as an origin-vali...
CVE-2023-3271
CVE-2023-3271 concerns the SICK ICR890-4, where an improper access control flaw allows an unauthenticated remote attacker to gather system information and download data via unauthenticated REST API endpoints. The issue is documented across multiple feeds (NVD, Red Hat, PRION, CNNVD, and Sick PSIR...
CVE-2023-36817
In CVE-2023-36817, the repository tktchurch/website (The King’s Temple Church website) version 0.1.0 exposed a Stripe API key in public code. The root cause is sensitive credentials accidentally committed to the codebase, enabling potential unauthorized financial transactions and access to custom...
CVE-2024-54132
Summary: CVE-2024-54132 affects GitHub CLI (gh). When a user downloads a GitHub Actions workflow artifact named .. using gh run download, the artifact name and the --dir value determine the extraction path, causing files within the artifact to be extracted one directory higher than intended. This...
CVE-2023-52653
CVE-2023-52653 : Linux kernel SUNRPC fix for a memory leak in gss_import_v2_context. The ctx->mech_used.data allocated via kmemdup was not freed on error, nor by gss_import_v2_context or its caller. The patch adjusts the final call of gss_import_v2_context to gss_krb5_import_ctx_v2 to prevent ...
CVE-2021-38938
CVE-2021-38938 affects IBM Host Access Transformation Services (HATS) versions 9.6–9.6.1.4 and 9.7–9.7.0.3. The underlying issue is storing user credentials in plaintext, allowing a local user to read them. Reported by IBM/X-Force; CVSS base scores indicate confidentiality impactHigh with local a...
CVE-2023-39421
CVE-2023-39421 involves the RDPWin.dll component used by the IRM Next Generation booking engine, which contains hardcoded API keys for third‑party services (Twilio, Vonage). The root cause is hardcoded credentials in RDPWin.dll, enabling unrestricted interaction with these services. NVD assigns a...
CVE-2023-37862
The CVE-2023-37862 entry concerns PHOENIX CONTACT WP 6xxx series web panels (versions prior to 4.0.10) with insufficient authorization in the HTTP API upload functions. An unauthenticated remote attacker can access the upload endpoints, which can lead to SSL certificate errors and may cause a par...
CVE-2025-24500
The CVE-2025-24500 entry concerns Broadcom Symantec Privileged Access Management (PAM). Multiple connected sources confirm an unauthenticated attacker can access information in the PAM database. No concrete affected versions or root-cause details are provided in the documents; some sources (PT-20...
CVE-2024-56589
CVE-2024-56589 affects the Linux kernel’s scsi/hisi_sas path, where on no-forced preemption kernels an expander connected to 12 SAS SSDs could trigger a watchdog soft lockup due to interrupt handling on a single CPU. The provided details confirm the vulnerability’s root cause as a missing cond_re...
CVE-2023-4740
CVE-2023-4740 affects IBOS OA 4.5.5, with a SQL injection in the Delete Draft Handler at the endpoint described as the unknown part of ?r=email/api/delDraft&archiveId=0. Multiple connected sources (NVD/NVD-derived, Red Hat, CVE lists, and PT Security) confirm remote exploitation potential and pub...
CVE-2023-40165
The CVE-2023-40165 entry concerns RubyGems.org, the Ruby community gem hosting service. The vulnerability arose from insufficient input validation that allowed replacement of uploaded gems whose platform, version, or gem name matched “/-\d/,” enabling a malicious upload to temporarily override a ...
CVE-2023-2759
TapHome core platform before version 2023.2 contains a hidden API vulnerability that lets an authenticated, low-privilege user change other users’ passwords, potentially giving full device access. This is documented across CVE-2023-2759 entries (NVD/Red Hat) and aligns with the vendor’s disclosur...
CVE-2024-53229
Summary (CVE-2024-53229) : In the Linux kernel, the RDMArxe path had a fix for qp flush warnings in req. When a QP is in an error state, WQEs in the queue must be marked as error; otherwise a kernel warning can occur (for example in rxe_completer). The provided data confirms this CVE is tracked i...
CVE-2023-36622
The affected product is Loxone Miniserver Go Gen.2 (prior to 14.1.5.9). The vulnerability is a command-injection flaw in the websocket configuration endpoint, where remote authenticated administrators can inject arbitrary OS commands via the timezone parameter. This impacts confidentiality, integ...
CVE-2023-28019
CVE-2023-28019 concerns the Bigfix WebUI API App. The issue is described as insufficient validation in the WebUI API, affecting versions prior to 14, enabling an authenticated WebUI user to issue SQL queries via an unparameterized SQL query. The root cause is unparameterized queries/insufficient ...
CVE-2023-39423
CVE-2023-39423 affects RDPData.dll, where the /irmdata/api/common endpoint processes session IDs and other features. The underlying issue is improper neutralization of SQL commands, enabling a UNION-based SQL injection that can leak the sessions table and obtain currently valid sessions, allowing...
CVE-2023-37241
CVE-2023-37241 is an input verification vulnerability in the WMS API. Exploitation could cause the affected device to restart. The available connected sources confirm the issue and its impact but do not provide concrete exploit details, affected versions, or a validated fix/update. No remediation...
CVE-2024-56707
The connected Astra Linux and MS/ENISA/Nessus entries confirm CVE-2024-56707 affects the Linux kernel octeontx2-pf driver and states the root cause as missing error pointer checks after otx2_mbox_get_rsp in otx2_dmac_flt.c. A fix adds error pointer validation after the call. The remediation is th...
CVE-2022-22965
CVE-2022-22965 (Spring4Shell) affects Spring Framework’s Spring MVC and Spring WebFlux when data binding is enabled in apps running on JDK 9+, with exploitation requiring Tomcat as WAR deployment. The issue is not exploited in Spring Boot executable jars. Vulnerable configurations are associated ...
CVE-2023-32760
CVE-2023-32760 affects Archer Platform prior to version 6.13, with fixes in 6.12.0.6 and 6.13.0. An authenticated attacker could access sensitive information via API calls related to data feeds and data publication. The vulnerability’s impact and exact exploited components are described in the li...
CVE-2023-3529
Rotem Dynamics Rotem CRM up to 20230729 contains an information-exposure issue in the OTP URI Interface, specifically the /LandingPages/api/otp/send?id=[ID]&method=sms endpoint. The vulnerability allows remote initiation and arises from a discrepancy in the handling of this API, with no public ex...
CVE-2025-25188
CVE-2025-25188 affects Hickory DNS (Rust-based DNS client/server/resolver). The vulnerability lies in DNSSEC validation: the routines may treat entire RRsets of DNSKEY records as trusted after establishing trust with a single DNSKEY, causing all keys in a zone to be trusted to authenticate other ...
CVE-2023-35948
Novu Open Redirect vulnerability (CVE-2023-35948) affects the open-source Novu repository prior to 0.16.0 in the Sign In with GitHub flow. An open redirect could allow an attacker to coerce a victim into opening a malicious URL, potentially enabling the attacker to access the victim’s account on ...
CVE-2024-56630
The CVE-2024-56630 issue affects the Linux kernel’s ocfs2 subsystem: when ocfs2_get_init_inode() fails, inodes could be leaked due to not iput()'ing after new_inode() succeeds and dquot_initialize() fails. The syzbot trace mentions busy inodes after unmount for commit 9c89fe0af826 and that the er...
CVE-2024-53164
CVE-2024-53164 affects the Linux kernel net_sched subsystem. The root cause was an incorrect ordering of qlen updates (sch->q.qlen) around qdisc_tree_reduce_backlog(), which could fail to notify parent qdiscs when a child becomes empty. The fix ensures the qlen adjustment happens before the ca...
CVE-2025-26506
CVE-2025-26506 affects HP LaserJet Pro, HP LaserJet Enterprise, and HP LaserJet Managed printers. When processing a PostScript print job, these devices may be vulnerable to Remote Code Execution and Elevation of Privilege due to the underlying handling of PostScript data. The issue is documented ...
CVE-2022-0836
The CVE-2022-0836 entry concerns the WordPress plugin SEMA API, affected versions prior to 4.02. The issue is an SQL injection caused by improper sanitisation/escaping of parameters used in SQL statements via an AJAX action, exploitable by unauthenticated users. Several connected sources (Red Hat...
CVE-2014-6440
VLC media player, affected up to versions before 2.1.5, is affected by CVE-2014-6440 due to a heap overflow in the transcode module that could allow remote code execution or a denial of service. Public references in OpenVAS/Gentoo advisories confirm a heap-based overflow/remote code execution vec...
CVE-2022-0858
McAfee Enterprise ePolicy Orchestrator (ePO) prior to 5.10 Update 13 contains a cross‑site scripting (XSS) vulnerability that could allow a remote attacker to obtain an administrator’s session by persuading the user to click a crafted link, with limited ability to alter information in the affecte...
CVE-2024-56644
CVE-2024-56644 : In the Linux kernel, the IPv6 stack vulnerability causes a leaked destination (dst) in the exception table when an expired IPv6 route’s dst is processed by ip6_negative_advice() after MTU change and TCP timeout. Root cause: an extra dst_hold() increments the reference counter, wh...
CVE-2024-27816
The CVE-2024-27816 entry affects tvOS 17.5 (Apple TV) via the AppleMobileFileIntegrity component. A logic issue was addressed with improved checks, with the impact that an attacker may be able to access user data. Apple’s security content indicates this fix is part of tvOS 17.5, and related Apple...
CVE-2022-1352
GitLab EE/CE is affected by CVE-2022-1352 due to an insecure direct object reference. Versions affected: 11.0 and newer up to but excluding 14.8.6 (i.e., 11.0–14.8.5), 14.9 until before 14.9.4 (i.e., 14.9.0–14.9.3), and 14.10 until before 14.10.1 (i.e., 14.10.0). The vulnerability allows an endpo...
CVE-2024-57800
CVE-2024-57800 affects the Linux kernel in ALSA memalloc handling. When DMA API debugging is enabled, it may warn about a device driver failing to check a DMA address map, e.g. device address 0x00000000ffff0000, due to explicit address checks instead of using dma_mapping_error(). The documented f...
CVE-2024-5143
The CVE-2024-5143 entry describes a vulnerability in HP LaserJet Pro printers where a user with device administrative privileges can modify SMTP server settings without re‑entering credentials. This can redirect send‑to‑email traffic to an attacker‑controlled SMTP server and potentially expose th...
CVE-2024-2961
CVE-2024-2961 affects the GNU C Library (glibc) versions 2.39 and older. The iconv() implementation may overflow the output buffer by up to 4 bytes when converting strings to ISO-2022-CN-EXT, potentially crashing the application or overwriting adjacent memory. Publicly documented in glibc advisor...
CVE-2024-56571
CVE-2024-56571 entry is rejected/not used; not an active vulnerability.