Lucene search
+L
NucleiRecent

4145 matches found

nuclei
nuclei
added yesterday61 views

Jeecg P3 Biz Chat - Local File Inclusion

Jeecg P3 Biz Chat 1.0.5 allows remote attackers to read arbitrary files through specific parameters. id: CVE-2023-33510 info: name: Jeecg P3 Biz Chat - Local File Inclusion author: DhiyaneshDK severity: high description: | Jeecg P3 Biz Chat 1.0.5 allows remote attackers to read arbitrary files...

7.5CVSS7.1AI score0.04042EPSS
Exploits1References4
nuclei
nuclei
added yesterday57 views

Lightdash version <= 0.510.3 Arbitrary File Read

packages/backend/src/routers in Lightdash before 0.510.3 has insecure file endpoints, e.g., they allow .. directory traversal and do not ensure that an intended file extension .csv or .png is used. id: CVE-2023-35844 info: name: Lightdash version = 0.510.3 Arbitrary File Read author: dwisiswant0...

7.5CVSS7AI score0.06344EPSS
Exploits2References5
nuclei
nuclei
added yesterday49 views

Qualitor <= 8.20 - Remote Code Execution

Qualitor through 8.20 allows remote attackers to execute arbitrary code via PHP code in the html/ad/adpesquisasql/request/processVariavel.php gridValoresPopHidden parameter. id: CVE-2023-47253 info: name: Qualitor = 8.20 - Remote Code Execution author: s4e-io severity: critical description: |...

9.8CVSS7.3AI score0.14422EPSS
Exploits4References3
nuclei
nuclei
added yesterday80 views

PHPJabbers Ticket Support Script v3.2 - Cross-Site Scripting

There is a Cross Site Scripting XSS vulnerability in the message parameter of index.php in PHPJabbers Ticket Support Script v3.2. id: CVE-2023-40753 info: name: PHPJabbers Ticket Support Script v3.2 - Cross-Site Scripting author: ritikchaddha severity: medium description: | There is a Cross Site...

5.4CVSS6.2AI score0.01053EPSS
Exploits0References2
nuclei
nuclei
added yesterday184 views

Defender Security < 4.1.0 - Protection Bypass (Hidden Login Page)

The Defender Security WordPress plugin before 4.1.0 does not prevent redirects to the login page via the authredirect WordPress function, allowing an unauthenticated visitor to access the login page, even when the hide login page functionality of the plugin is enabled. id: CVE-2023-5089 info: nam...

5.3CVSS6.2AI score0.02235EPSS
Exploits3References3
nuclei
nuclei
added yesterday23 views

PHPJabbers Yacht Listing Script v1.0 - Cross-Site Scripting

There is a Cross Site Scripting XSS vulnerability in the "action" parameter of index.php in PHPJabbers Yacht Listing Script v1.0. id: CVE-2023-40750 info: name: PHPJabbers Yacht Listing Script v1.0 - Cross-Site Scripting author: ritikchaddha severity: medium description: | There is a Cross Site...

6.1CVSS6.4AI score0.00974EPSS
Exploits0References2
nuclei
nuclei
added yesterday76 views

Repetier Server - Directory Traversal

Repetier Server through 1.4.10 allows ..%5c directory traversal for reading files that contain credentials, as demonstrated by connectionLost.php. id: CVE-2023-31059 info: name: Repetier Server - Directory Traversal author: parthmalhotra,pdresearch severity: high description: | Repetier Server...

7.5CVSS7AI score0.05574EPSS
Exploits2References2
nuclei
nuclei
added yesterday954 views

WordPress Elementor 3.18.1 - File Upload/Remote Code Execution

The plugin is vulnerable to Remote Code Execution via file upload via the template import functionality, allowing authenticated attackers, with contributor-level access and above, to upload files and execute code on the server. id: CVE-2023-48777 info: name: WordPress Elementor 3.18.1 - File...

9.9CVSS7.3AI score0.041EPSS
Exploits3References2
nuclei
nuclei
added yesterday77 views

wpForo Forum <= 2.1.8 - Cross-Site Scripting

The wpForo Forum plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘wpforodebug’ function in versions up to, and including, 2.1.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...

6.1CVSS6.9AI score0.00845EPSS
Exploits1References4
nuclei
nuclei
added yesterday63 views

Fujitsu IP Series - Hardcoded Credentials

Fujitsu Real-time Video Transmission Gear “IP series” use hard-coded credentials, which may allow a remote unauthenticated attacker to initialize or reboot the products, and as a result, terminate the video transmission. The credentials cannot be changed by the end-user and provide administrative...

7.5CVSS6.7AI score0.0299EPSS
Exploits0References5
nuclei
nuclei
added yesterday33 views

Store Locator WordPress < 1.4.13 - Cross-Site Scripting

The Store Locator WordPress plugin before 1.4.13 does not sanitise and escape an invalid nonce before outputting it back in an AJAX response, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. id: CVE-2023-4151 info: name: Store Locator...

6.1CVSS6.4AI score0.00645EPSS
Exploits1References2
nuclei
nuclei
added yesterday20 views

PHPJabbers Make an Offer Widget v1.0 - Cross-Site Scripting

There is a Cross Site Scripting XSS vulnerability in the "action" parameter of index.php in PHPJabbers Make an Offer Widget v1.0. id: CVE-2023-40752 info: name: PHPJabbers Make an Offer Widget v1.0 - Cross-Site Scripting author: ritikchaddha severity: medium description: | There is a Cross Site...

6.1CVSS6.4AI score0.00974EPSS
Exploits0References2
nuclei
nuclei
added yesterday38 views

JS Help Desk <= 2.8.2 - SQL Injection

JS Help Desk WordPress plugin 2.8.2 contains a SQL injection caused by insufficient escaping and preparation of user-supplied values in 'js-support-ticket-token-tkstatus' cookie, letting unauthenticated attackers extract sensitive database information, exploit requires no authentication. id:...

7.5CVSS6.1AI score0.01317EPSS
Exploits0References2
nuclei
nuclei
added yesterday126 views

PrestaShop leocustomajax 1.0 & 1.0.0 - SQL Injection

PrestaShop leocustomajax 1.0 and 1.0.0 are vulnerable to SQL Injection via modules/leocustomajax/leoajax.php. id: CVE-2023-30150 info: name: PrestaShop leocustomajax 1.0 & 1.0.0 - SQL Injection author: mastercho severity: critical description: | PrestaShop leocustomajax 1.0 and 1.0.0 are vulnerab...

9.8CVSS7.1AI score0.03849EPSS
Exploits0References4
nuclei
nuclei
added yesterday40 views

PHPJabbers Cleaning Business 1.0 - Cross-Site Scripting

The attacker can send to victim a link containing a malicious URL in an email or instant message can perform a wide variety of actions, such as stealing the victim's session token or login credentials. id: CVE-2023-4115 info: name: PHPJabbers Cleaning Business 1.0 - Cross-Site Scripting author:...

6.1CVSS6.1AI score0.05177EPSS
Exploits4References5
nuclei
nuclei
added yesterday13 views

WordPress Post Timeline Plugin < 2.2.6 - Cross-Site Scripting

The Post Timeline WordPress plugin before version 2.2.6 contains a reflected cross-site scripting vulnerability. The plugin does not properly sanitize and escape an invalid nonce before outputting it back in an AJAX response, which could allow attackers to execute arbitrary JavaScript code in an...

6.1CVSS7AI score0.00709EPSS
Exploits1References2
nuclei
nuclei
added yesterday12 views

WordPress FastDup <= 2.1.9 Sensitive Information Exposure - Directory Listing

FastDup WordPress plugin 2.2 contains a directory listing vulnerability caused by lack of access restrictions in sensitive directories, letting attackers view export files, exploit requires no authentication. id: CVE-2023-6592 info: name: WordPress FastDup = 2.1.9 Sensitive Information Exposure -...

5.3CVSS6.7AI score0.00913EPSS
Exploits1References4
nuclei
nuclei
added yesterday21 views

tagDiv Composer < 4.2 - Stored Cross-Site Scripting

tagDiv Composer plugin versions before 4.2 for WordPress are vulnerable to unauthenticated stored XSS via the /wp-json/tdw/savecss endpoint. An attacker can inject malicious JavaScript code through the compiledcss parameter, which gets stored and executed when the CSS is loaded. id: CVE-2023-3169...

6.1CVSS6.8AI score0.01582EPSS
Exploits2References2
nuclei
nuclei
added yesterday30 views

openSIS v9.0 - Path Traversal

A path traversal vulnerability exists in openSIS Classic Community Edition v9.0 via the 'filename' parameter in DownloadWindow.php. An unauthenticated remote attacker can exploit this to read arbitrary files on the server by manipulating file paths. id: CVE-2023-38879 info: name: openSIS v9.0 -...

7.5CVSS7.1AI score0.03663EPSS
Exploits0References2
nuclei
nuclei
added yesterday51 views

OURPHP <= 7.2.0 - Cross Site Scripting

OURPHP al...

6.1CVSS6.4AI score0.08115EPSS
Exploits9References5
nuclei
nuclei
added yesterday13 views

OpenProject < 12.5.4 - Project Identifiers Exposure

OpenProject versions before 12.5.6 generate a publicly accessible robots.txt file revealing project identifiers, even if the instance is set to 'Login required', letting attackers gather project info, exploit requires no authentication. id: CVE-2023-33960 info: name: OpenProject 12.5.4 - Project...

7.5CVSS6.9AI score0.01268EPSS
Exploits0References3
nuclei
nuclei
added yesterday183 views

ISPConfig - PHP Code Injection

An issue was discovered in ISPConfig before 3.2.11p1. PHP code injection can be achieved in the language file editor by an admin if adminallowlangedit is enabled. id: CVE-2023-46818 info: name: ISPConfig - PHP Code Injection author: non-things severity: high description: | An issue was discovered...

7.2CVSS7AI score0.13894EPSS
Exploits14References4
nuclei
nuclei
added yesterday47 views

Adlisting Classified Ads 2.14.0 - Information Disclosure

Information disclosure issue in the redirect responses, When accessing any page on the website, Sensitive data, such as API keys, server keys, and app IDs, is being exposed in the body of these redirects. id: CVE-2023-4168 info: name: Adlisting Classified Ads 2.14.0 - Information Disclosure autho...

7.5CVSS6.3AI score0.36205EPSS
Exploits4References5
nuclei
nuclei
added yesterday16 views

Emlog 2.1.9 - SQL Injection

emlog v2.1.9 contains a SQL injection caused by unsanitized input in the data backup/restore functionality, allowing attackers to execute arbitrary SQL commands through crafted backup files. id: CVE-2023-39121 info: name: Emlog 2.1.9 - SQL Injection author: wjch611 severity: high description: |...

7.2CVSS7.2AI score0.02258EPSS
Exploits1References2
nuclei
nuclei
added yesterday264 views

CraftCMS < 4.4.15 - Unauthenticated Remote Code Execution

Craft CMS is a platform for creating digital experiences. This is a high-impact, low-complexity attack vector leading to Remote Code Execution RCE. Users running Craft installations before 4.4.15 are encouraged to update to at least that version to mitigate the issue. This issue has been fixed in...

10CVSS7AI score0.92918EPSS
Exploits10References5
nuclei
nuclei
added yesterday73 views

POS Codekop v2.0 - Cross Site Scripting

POS Codekop v2.0 was discovered to contain a reflected cross-site scripting XSS vulnerability via the nmmember parameter at print.php. id: CVE-2023-36346 info: name: POS Codekop v2.0 - Cross Site Scripting author: r3Y3r53 severity: medium description: | POS Codekop v2.0 was discovered to contain ...

6.1CVSS6.4AI score0.05295EPSS
Exploits4References5
nuclei
nuclei
added yesterday59 views

modoboa 2.0.4 - Admin TakeOver

Authentication Bypass by Primary Weakness in GitHub repository modoboa/modoboa prior to 2.0.4. id: CVE-2023-0777 info: name: modoboa 2.0.4 - Admin TakeOver author: r3Y3r53 severity: critical description: | Authentication Bypass by Primary Weakness in GitHub repository modoboa/modoboa prior to...

9.8CVSS7AI score0.15088EPSS
Exploits4References4
nuclei
nuclei
added yesterday51 views

MooSocial 3.1.8 - Cross-Site Scripting

A reflected cross-site scripting XSS vulnerability exisits in multiple url of mooSocial v3.1.8 which allows attackers to steal user's session cookies and impersonate their account via a crafted URL. id: CVE-2023-43326 info: name: MooSocial 3.1.8 - Cross-Site Scripting author: r3Y3r53 severity:...

6.1CVSS6.4AI score0.01615EPSS
Exploits2References4
nuclei
nuclei
added yesterday108 views

WordPress Japanized for WooCommerce <2.5.5 - Cross-Site Scripting

WordPress Japanized for WooCommerce plugin before 2.5.5 is susceptible to cross-site scripting via the tab parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This...

6.1CVSS6.7AI score0.01213EPSS
Exploits3References5
nuclei
nuclei
added yesterday116 views

Dolibarr Unauthenticated Contacts Database Theft

An issue in Dolibarr 16 before 16.0.5 allows unauthenticated attackers to perform a database dump and access a company's entire customer file, prospects, suppliers, and employee information if a contact file exists. id: CVE-2023-33568 info: name: Dolibarr Unauthenticated Contacts Database Theft...

7.5CVSS7AI score0.1494EPSS
Exploits2References5
nuclei
nuclei
added yesterday40 views

Home Assistant Supervisor - Authentication Bypass

Home Assistant Supervisor is an open source home automation tool. A remotely exploitable vulnerability bypassing authentication for accessing the Supervisor API through Home Assistant has been discovered.This impacts all Home Assistant installation types that use the Supervisor 2023.01.1 or older...

10CVSS7AI score0.71974EPSS
Exploits0References6
nuclei
nuclei
added yesterday103 views

mooSocial v.3.1.8 - Cross-Site Scripting

Cross-Site Scripting XSS vulnerability in mooSocial v.3.1.8 allows a remote attacker to execute arbitrary code via a crafted payload to the mode parameter of the invite friend login function. id: CVE-2023-44813 info: name: mooSocial v.3.1.8 - Cross-Site Scripting author: ritikchaddha severity:...

6.1CVSS6.7AI score0.01754EPSS
Exploits1References3
nuclei
nuclei
added yesterday38 views

Aria2 WebUI - Path traversal

webui-aria2 commit 4fe2e was discovered to contain a path traversal vulnerability. id: CVE-2023-39141 info: name: Aria2 WebUI - Path traversal author: DhiyaneshDk severity: high description: | webui-aria2 commit 4fe2e was discovered to contain a path traversal vulnerability. impact: | An attacker...

7.5CVSS7AI score0.03051EPSS
Exploits1References5
nuclei
nuclei
added yesterday130 views

PrestaShop TshirteCommerce - Directory Traversal

The Custom Product Designer tshirtecommerce module for PrestaShop allows HTTP requests to be forged using POST and GET parameters, enabling a remote attacker to perform directory traversal on the system and view the contents of code files. id: CVE-2023-27639 info: name: PrestaShop TshirteCommerce...

7.5CVSS7AI score0.03551EPSS
Exploits1References3
nuclei
nuclei
added yesterday118 views

Adiscon LogAnalyzer v.4.1.13 - Cross-Site Scripting

A Cross Site Scripting XSS vulnerability in Adiscon Aiscon LogAnalyzer through 4.1.13 allows a remote attacker to execute arbitrary code via the asktheoracle.php id: CVE-2023-36306 info: name: Adiscon LogAnalyzer v.4.1.13 - Cross-Site Scripting author: r3Y3r53 severity: medium description: | A...

6.1CVSS6.7AI score0.03771EPSS
Exploits4References2
nuclei
nuclei
added yesterday68 views

WordPress Easy Forms for Mailchimp Plugin < 6.8.9 - Cross-Site Scripting

The Easy Forms for Mailchimp plugin before version 6.8.9 contains a reflected cross-site scripting vulnerability. The plugin does not properly sanitize and escape the sqlerror parameter before outputting it back in the page when the debug option is enabled, which could allow attackers to execute...

6.1CVSS6.6AI score0.01092EPSS
Exploits2References2
nuclei
nuclei
added yesterday14 views

WeiYe-Jing datax-web <= 2.1.2 - OS Command Injection

A vulnerability, which was classified as critical, has been found in WeiYe-Jing datax-web 2.1.2. Affected by this issue is some unknown functionality of the file /api/log/killJob of the component HTTP POST Request Handler. The manipulation of the argument processId leads to os command injection...

9.8CVSS6.6AI score0.09901EPSS
Exploits1References2
nuclei
nuclei
added yesterday52 views

BlogEngine CMS - Open Redirect

Blogengine.net 3.3.8.0 and earlier is vulnerable to Open Redirect id: CVE-2023-33405 info: name: BlogEngine CMS - Open Redirect author: Shankar Acharya severity: medium description: | Blogengine.net 3.3.8.0 and earlier is vulnerable to Open Redirect impact: | Unauthenticated attackers can exploit...

6.1CVSS6.4AI score0.31265EPSS
Exploits1References3
nuclei
nuclei
added yesterday25 views

SRS - Command Injection

SRS's v5.0.137v5.0.156, v6.0.18v6.0.47 api-server server is vulnerable to a drive-by command injection. id: CVE-2023-34105 info: name: SRS - Command Injection author: iamnoooob,rootxharsh,pdresearch severity: high description: | SRS's v5.0.137v5.0.156, v6.0.18v6.0.47 api-server server is vulnerab...

7.5CVSS7AI score0.0876EPSS
Exploits1References2
nuclei
nuclei
added yesterday37 views

Hongjing e-HR 2020 - SQL Injection

A vulnerability, which was classified as critical, has been found in Hongjing e-HR 2020. Affected by this issue is some unknown functionality of the file /wselfservice/oauthservlet/%2e./.%2e/general/inform/org/loadhistroyorgtree of the component Login Interface. The manipulation of the argument...

9.8CVSS6.7AI score0.03766EPSS
Exploits1References2
nuclei
nuclei
added yesterday68 views

Web2py URL - Open Redirect

Open redirect vulnerability exists in web2py versions prior to 2.23.1. When using the tool, a web2py user may be redirected to an arbitrary website by accessing a specially crafted URL. As a result, the user may become a victim of a phishing attack. id: CVE-2023-22432 info: name: Web2py URL - Ope...

6.1CVSS6.4AI score0.02382EPSS
Exploits1References5
nuclei
nuclei
added yesterday69 views

Custom 404 Pro < 3.7.3 - Cross-Site Scripting

Custom 404 Pro before 3.7.3 is susceptible to cross-site scripting via the search parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker t...

6.1CVSS6.7AI score0.0171EPSS
Exploits2References5
nuclei
nuclei
added yesterday13 views

PHP Login System 2.0.1 - Cross-Site Scripting

msaad1999's PHP-Login-System 2.0.1 contains a reflected cross-site scripting caused by unsanitized input in 'validator' parameter in /reset-password, letting remote attackers execute arbitrary JavaScript in a user's browser, exploit requires attacker to craft malicious URL id: CVE-2023-38875 info...

6.1CVSS6.6AI score0.00824EPSS
Exploits0References2
nuclei
nuclei
added yesterday61 views

Coming Soon & Maintenance < 4.1.7 - Unauthenticated Post/Page Access

The plugin does not restrict access to published and non protected posts/pages when the maintenance mode is enabled, allowing unauthenticated users to access them. id: CVE-2023-1263 info: name: Coming Soon & Maintenance 4.1.7 - Unauthenticated Post/Page Access author: r3Y3r53 severity: medium...

5.3CVSS6.7AI score0.01414EPSS
Exploits1References5
nuclei
nuclei
added yesterday47 views

PrestaShop fieldpopupnewsletter Module - Cross Site Scripting

Fieldpopupnewsletter Prestashop Module v1.0.0 was discovered to contain a reflected cross-site scripting XSS vulnerability via the callback parameter at ajax.php. id: CVE-2023-39676 info: name: PrestaShop fieldpopupnewsletter Module - Cross Site Scripting author: meme-lord severity: medium...

6.1CVSS6.4AI score0.01343EPSS
Exploits1References3
nuclei
nuclei
added yesterday116 views

OpenCMS 14 & 15 - Cross Site Scripting

Cross-site scripting XSS vulnerability in Alkacon Software Open CMS, affecting versions 14 and 15 of the 'Mercury' template. id: CVE-2023-6379 info: name: OpenCMS 14 & 15 - Cross Site Scripting author: msegoviag severity: medium description: | Cross-site scripting XSS vulnerability in Alkacon...

6.1CVSS6.4AI score0.01752EPSS
Exploits0References5
nuclei
nuclei
added yesterday55 views

Webkul QloApps 1.6.0 - Cross-site Scripting

An unauthenticated Cross-Site Scripting XSS vulnerability found in Webkul QloApps 1.6.0 allows an attacker to obtain a user's session cookie and then impersonate that user via POST emailcreate and back parameter. id: CVE-2023-36289 info: name: Webkul QloApps 1.6.0 - Cross-site Scripting author:...

6.1CVSS6.4AI score0.01169EPSS
Exploits1References3
nuclei
nuclei
added yesterday67 views

Webkul QloApps 1.6.0 - Cross-site Scripting

An unauthenticated Cross-Site Scripting XSS vulnerability found in Webkul QloApps 1.6.0 allows an attacker to obtain a user's session cookie and then impersonate that user via POST controller parameter. id: CVE-2023-36287 info: name: Webkul QloApps 1.6.0 - Cross-site Scripting author: theamanrawa...

6.1CVSS6.4AI score0.01199EPSS
Exploits1References3
nuclei
nuclei
added yesterday60 views

WP Visitor Statistics (Real Time Traffic) < 6.9 - SQL Injection

The plugin does not escape user input which is concatenated to an SQL query, allowing unauthenticated visitors to conduct SQL Injection attacks. id: CVE-2023-0600 info: name: WP Visitor Statistics Real Time Traffic 6.9 - SQL Injection author: r3Y3r53,j4vaovo severity: critical description: | The...

9.8CVSS7.1AI score0.04234EPSS
Exploits2References3
nuclei
nuclei
added yesterday53 views

Hoteldruid 3.0.5 - Cross-Site Scripting

A Reflected XSS was discovered in HotelDruid version 3.0.5, an attacker can issue malicious code/command on affected webpage's parameter to trick user on browser and/or exfiltrate data. id: CVE-2023-34537 info: name: Hoteldruid 3.0.5 - Cross-Site Scripting author: Harsh severity: medium...

5.4CVSS6.2AI score0.0145EPSS
Exploits1References4
Total number of security vulnerabilities4145