Lucene search
+L
NucleiRecent

4146 matches found

nuclei
nuclei
added 6 hours ago162 views

GeoServer WPS - Server Side Request Forgery

GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The OGC Web Processing Service WPS specification is designed to process information from any server using GET and POST requests. This presents the opportunity for Server Side Request...

9.8CVSS7AI score0.67715EPSS
Exploits0References4
nuclei
nuclei
added 6 hours ago101 views

JumpServer > 3.6.4 - Information Disclosure

JumpServer is an open source bastion host and a professional operation and maintenance security audit system. Starting in version 3.0.0 and prior to versions 3.5.5 and 3.6.4, session replays can download without authentication. Session replays stored in S3, OSS, or other cloud storage are not...

8.2CVSS6.7AI score0.55861EPSS
Exploits5References5
nuclei
nuclei
added 6 hours ago117 views

mooSocial 3.1.8 - Reflected XSS

A vulnerability, which was classified as problematic, was found in mooSocial mooStore 3.1.6. Affected is an unknown function of the file /search/index. id: CVE-2023-4173 info: name: mooSocial 3.1.8 - Reflected XSS author: momika233 severity: medium description: | A vulnerability, which was...

6.1CVSS5.9AI score0.03336EPSS
Exploits5References5
nuclei
nuclei
added 6 hours ago40 views

PHPJabbers Cleaning Business 1.0 - Cross-Site Scripting

The attacker can send to victim a link containing a malicious URL in an email or instant message can perform a wide variety of actions, such as stealing the victim's session token or login credentials. id: CVE-2023-4115 info: name: PHPJabbers Cleaning Business 1.0 - Cross-Site Scripting author:...

6.1CVSS6.1AI score0.05177EPSS
Exploits4References5
nuclei
nuclei
added 6 hours ago244 views

RealGimm by GruppoSCAI v1.1.37p38 - Cross-Site Scripting

Multiple reflected cross-site scripting XSS vulnerabilities in the ErroreNonGestito.aspx component of GruppoSCAI RealGimm 1.1.37p38 allow attackers to execute arbitrary Javascript in the context of a victim user's browser via a crafted payload injected into the VIEWSTATE parameter. id:...

6.1CVSS6.5AI score0.01071EPSS
Exploits1References3
nuclei
nuclei
added 6 hours ago47 views

PrestaShop fieldpopupnewsletter Module - Cross Site Scripting

Fieldpopupnewsletter Prestashop Module v1.0.0 was discovered to contain a reflected cross-site scripting XSS vulnerability via the callback parameter at ajax.php. id: CVE-2023-39676 info: name: PrestaShop fieldpopupnewsletter Module - Cross Site Scripting author: meme-lord severity: medium...

6.1CVSS6.4AI score0.01343EPSS
Exploits1References3
nuclei
nuclei
added 6 hours ago74 views

PHPJabbers Service Booking Script 1.0 - Cross Site Scripting

A vulnerability was found in PHP Jabbers Service Booking Script 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file /index.php. The manipulation of the argument index leads to cross site scripting. The attack can be initiated remotely. id: CVE-2023-4113...

6.1CVSS4.4AI score0.05177EPSS
Exploits4References4
nuclei
nuclei
added 6 hours ago58 views

MooDating 1.2 - Cross-Site Scripting

A vulnerability classified as problematic has been found in mooSocial mooDating 1.2. This affects an unknown part of the file /pages of the component URL Handler. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. id: CVE-2023-3846 info: name: MooDatin...

6.1CVSS4.5AI score0.03648EPSS
Exploits4References4
nuclei
nuclei
added 6 hours ago79 views

Uncanny Toolkit for LearnDash - Open Redirection

A vulnerability in the WordPress Uncanny Toolkit for LearnDash Plugin allowed malicious actors to redirect users, posing a potential risk of phishing incidents. The issue has been resolved in version 3.6.4.4, and users are urged to update for security. id: CVE-2023-34020 info: name: Uncanny Toolk...

6.1CVSS6.9AI score0.00963EPSS
Exploits0References3
nuclei
nuclei
added 6 hours ago63 views

rConfig 3.9.4 - Server-Side Request Forgery

rconfig v3.9.4 was discovered to contain a Server-Side Request Forgery SSRF via the patha parameter in the doDiff Function of /classes/compareClass.php. This vulnerability allows authenticated attackers to make arbitrary requests via injection of crafted URLs. id: CVE-2023-39109 info: name: rConf...

8.8CVSS7.1AI score0.02965EPSS
Exploits1References4
nuclei
nuclei
added 6 hours ago63 views

Fujitsu IP Series - Hardcoded Credentials

Fujitsu Real-time Video Transmission Gear “IP series” use hard-coded credentials, which may allow a remote unauthenticated attacker to initialize or reboot the products, and as a result, terminate the video transmission. The credentials cannot be changed by the end-user and provide administrative...

7.5CVSS6.7AI score0.0299EPSS
Exploits0References5
nuclei
nuclei
added 6 hours ago38 views

Aria2 WebUI - Path traversal

webui-aria2 commit 4fe2e was discovered to contain a path traversal vulnerability. id: CVE-2023-39141 info: name: Aria2 WebUI - Path traversal author: DhiyaneshDk severity: high description: | webui-aria2 commit 4fe2e was discovered to contain a path traversal vulnerability. impact: | An attacker...

7.5CVSS7AI score0.03051EPSS
Exploits1References5
nuclei
nuclei
added 6 hours ago88 views

IceWarp Email Client - Cross Site Scripting

Cross Site Scripting vulnerability in IceWarp Corporation WebClient v.10.2.1 allows a remote attacker to execute arbitrary code via a crafted payload to the mid parameter. id: CVE-2023-39598 info: name: IceWarp Email Client - Cross Site Scripting author: Imjust0 severity: medium description: |...

6.1CVSS6.7AI score0.0139EPSS
Exploits0References4
nuclei
nuclei
added 6 hours ago46 views

Zimbra Collaboration Suite (ZCS) v.8.8.15 - Cross-Site Scripting

Zimbra Collaboration ZCS 8 before 8.8.15 Patch 41 allows XSS in the Zimbra Classic Web Client. id: CVE-2023-37580 info: name: Zimbra Collaboration Suite ZCS v.8.8.15 - Cross-Site Scripting author: ritikchaddha severity: medium description: | Zimbra Collaboration ZCS 8 before 8.8.15 Patch 41 allow...

6.1CVSS6.8AI score0.60034EPSS
Exploits0References5
nuclei
nuclei
added 6 hours ago94 views

FileMage Gateway - Directory Traversal

Directory Traversal vulnerability in FileMage Gateway Windows Deployments v.1.10.8 and before allows a remote attacker to obtain sensitive information via a crafted request to the /mgmt/ component. id: CVE-2023-39026 info: name: FileMage Gateway - Directory Traversal author: DhiyaneshDk severity:...

7.5CVSS7AI score0.10562EPSS
Exploits4References5
nuclei
nuclei
added 6 hours ago56 views

CopyParty v1.8.6 - Cross Site Scripting

Copyparty is a portable file server. Versions prior to 1.8.6 are subject to a reflected cross-site scripting XSS Attack.Vulnerability that exists in the web interface of the application could allow an attacker to execute malicious javascript code by tricking users into accessing a malicious link...

6.3CVSS6.7AI score0.06195EPSS
Exploits3References5
nuclei
nuclei
added 6 hours ago67 views

IceWarp 11.4.6.0 - Cross-Site Scripting

IceWarp 11.4.6.0 was discovered to contain a cross-site scripting XSS vulnerability via the color parameter. id: CVE-2023-39600 info: name: IceWarp 11.4.6.0 - Cross-Site Scripting author: Imjust0 severity: medium description: | IceWarp 11.4.6.0 was discovered to contain a cross-site scripting XSS...

6.1CVSS6.4AI score0.01165EPSS
Exploits0References4
nuclei
nuclei
added 6 hours ago99 views

IceWarp Mail Server Deep Castle 2 v.13.0.1.2 - Open Redirect

An issue in IceWarp Mail Server Deep Castle 2 v.13.0.1.2 allows a remote attacker to execute arbitrary code via a crafted request to the URL. id: CVE-2023-40779 info: name: IceWarp Mail Server Deep Castle 2 v.13.0.1.2 - Open Redirect author: r3Y3r53 severity: medium description: | An issue in...

6.1CVSS6.7AI score0.01355EPSS
Exploits0References3
nuclei
nuclei
added 6 hours ago79 views

PrestaShop MyPrestaModules - PhpInfo Disclosure

PrestaShop modules by MyPrestaModules expose PHPInfo id: CVE-2023-39677 info: name: PrestaShop MyPrestaModules - PhpInfo Disclosure author: meme-lord severity: high description: | PrestaShop modules by MyPrestaModules expose PHPInfo remediation: | Apply the latest security patches and updates fro...

7.5CVSS7AI score0.30806EPSS
Exploits1References4
nuclei
nuclei
added 6 hours ago64 views

PaperCut < 22.1.3 - Path Traversal

PaperCut NG and PaperCut MF before 22.1.3 are vulnerable to path traversal which enables attackers to read, delete, and upload arbitrary files. id: CVE-2023-39143 info: name: PaperCut 22.1.3 - Path Traversal author: pdteam severity: critical description: PaperCut NG and PaperCut MF before 22.1.3...

9.8CVSS7.2AI score0.78696EPSS
Exploits1References5
nuclei
nuclei
added 6 hours ago56 views

mooDating 1.2 - Cross-site scripting

A vulnerability, which was classified as problematic, was found in mooSocial mooDating 1.2. Affected is an unknown function of the file /find-a-match of the component URL Handler. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. id: CVE-2023-3849 info:...

6.1CVSS4.6AI score0.03678EPSS
Exploits4References5
nuclei
nuclei
added 6 hours ago56 views

IceWarp Mail Server v10.4.5 - Cross-Site Scripting

IceWarp Mail Server v10.4.5 was discovered to contain a reflected cross-site scripting XSS vulnerability via the color parameter. id: CVE-2023-39700 info: name: IceWarp Mail Server v10.4.5 - Cross-Site Scripting author: r3Y3r53 severity: medium description: | IceWarp Mail Server v10.4.5 was...

6.1CVSS6.4AI score0.01376EPSS
Exploits1References4
nuclei
nuclei
added 6 hours ago74 views

PHPJabbers Bus Reservation System 1.1 - Cross-Site Scripting

A vulnerability was found in PHP Jabbers Bus Reservation System 1.1 and classified as problematic. Affected by this issue is some unknown functionality of the file /index.php. The manipulation of the argument index/pickupid leads to cross site scripting. The attack may be launched remotely. id:...

6.1CVSS4.4AI score0.02499EPSS
Exploits3References4
nuclei
nuclei
added 6 hours ago137 views

KeyCloak - Information Exposure

A flaw was found in keycloak in versions prior to 13.0.0. The client registration endpoint allows fetching information about PUBLIC clients like client secret without authentication which could be an issue if the same PUBLIC client changed to CONFIDENTIAL later. The highest threat from this...

6.5CVSS6.6AI score0.17943EPSS
Exploits0References4
nuclei
nuclei
added 6 hours ago62 views

MooDating 1.2 - Cross-site scripting

A vulnerability, which was classified as problematic, has been found in mooSocial mooDating 1.2. This issue affects some unknown processing of the file /users/view of the component URL Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. id: CVE-2023-3848...

6.1CVSS4.5AI score0.03678EPSS
Exploits4References5
nuclei
nuclei
added 6 hours ago44 views

rConfig 3.9.4 - Server-Side Request Forgery

rconfig v3.9.4 was discovered to contain a Server-Side Request Forgery SSRF via the path parameter at /ajaxGetFileByPath.php. This vulnerability allows authenticated attackers to make arbitrary requests via injection of crafted URLs. id: CVE-2023-39110 info: name: rConfig 3.9.4 - Server-Side...

8.8CVSS7.1AI score0.02746EPSS
Exploits1References4
nuclei
nuclei
added 6 hours ago23 views

rConfig 3.9.4 - Server-Side Request Forgery

rconfig v3.9.4 was discovered to contain a Server-Side Request Forgery SSRF via the pathb parameter in the doDiff Function of /classes/compareClass.php. This vulnerability allows authenticated attackers to make arbitrary requests via injection of crafted URLs. id: CVE-2023-39108 info: name: rConf...

8.8CVSS7.1AI score0.02965EPSS
Exploits1References4
nuclei
nuclei
added 6 hours ago115 views

FUXA - Unauthenticated Remote Code Execution

A remote command execution RCE vulnerability in the /api/runscript endpoint of FUXA 1.1.13 allows attackers to execute arbitrary commands via a crafted POST request. id: CVE-2023-33831 info: name: FUXA - Unauthenticated Remote Code Execution author: gy741 severity: critical description: | A remot...

9.8CVSS7.3AI score0.13746EPSS
Exploits3References4
nuclei
nuclei
added 6 hours ago53 views

Hoteldruid 3.0.5 - Cross-Site Scripting

A Reflected XSS was discovered in HotelDruid version 3.0.5, an attacker can issue malicious code/command on affected webpage's parameter to trick user on browser and/or exfiltrate data. id: CVE-2023-34537 info: name: Hoteldruid 3.0.5 - Cross-Site Scripting author: Harsh severity: medium...

5.4CVSS6.2AI score0.0145EPSS
Exploits1References4
nuclei
nuclei
added 6 hours ago116 views

Dolibarr Unauthenticated Contacts Database Theft

An issue in Dolibarr 16 before 16.0.5 allows unauthenticated attackers to perform a database dump and access a company's entire customer file, prospects, suppliers, and employee information if a contact file exists. id: CVE-2023-33568 info: name: Dolibarr Unauthenticated Contacts Database Theft...

7.5CVSS7AI score0.1494EPSS
Exploits2References5
nuclei
nuclei
added 6 hours ago251 views

Kyocera TASKalfa printer - Path Traversal

CCRX has a Path Traversal vulnerability. Path Traversal is an attack on web applications. By manipulating the value of the file path, an attacker can gain access to the file system, including source code and critical system settings. id: CVE-2023-34259 info: name: Kyocera TASKalfa printer - Path...

4.9CVSS6.7AI score0.60745EPSS
Exploits2References5
nuclei
nuclei
added 6 hours ago67 views

Webkul QloApps 1.6.0 - Cross-site Scripting

An unauthenticated Cross-Site Scripting XSS vulnerability found in Webkul QloApps 1.6.0 allows an attacker to obtain a user's session cookie and then impersonate that user via POST controller parameter. id: CVE-2023-36287 info: name: Webkul QloApps 1.6.0 - Cross-site Scripting author: theamanrawa...

6.1CVSS6.4AI score0.01199EPSS
Exploits1References3
nuclei
nuclei
added 6 hours ago60 views

Bloofox v0.5.2.1 - SQL Injection

Bloofox v0.5.2.1 was discovered to contain a SQL injection vulnerability via the cid parameter at admin/index.php?mode=settings&page=charset&action=edit. id: CVE-2023-34756 info: name: Bloofox v0.5.2.1 - SQL Injection author: theamanrawat severity: critical description: | Bloofox v0.5.2.1 was...

9.8CVSS7.1AI score0.04228EPSS
Exploits1References3
nuclei
nuclei
added 6 hours ago110 views

Ultimate Member < 2.6.7 - Unauthenticated Privilege Escalation

The plugin does not prevent visitors from creating user accounts with arbitrary capabilities, effectively allowing attackers to create administrator accounts at will. This is actively being exploited in the wild. id: CVE-2023-3460 info: name: Ultimate Member 2.6.7 - Unauthenticated Privilege...

9.8CVSS7.2AI score0.72306EPSS
Exploits12References5
nuclei
nuclei
added 6 hours ago54 views

bloofoxCMS v0.5.2.1 - SQL Injection

bloofox v0.5.2.1 was discovered to contain a SQL injection vulnerability via the tid parameter at admin/index.php?mode=settings&page=tmpl&action=edit. id: CVE-2023-34753 info: name: bloofoxCMS v0.5.2.1 - SQL Injection author: theamanrawat severity: critical description: | bloofox v0.5.2.1 was...

9.8CVSS7.1AI score0.04228EPSS
Exploits1References3
nuclei
nuclei
added 6 hours ago123 views

Gibbon v25.0.0 - Cross-Site Scripting

Multiple Cross-Site Scripting XSS vulnerabilities have been identified in Gibbon v25.0.0, which enable attackers to execute arbitrary Javascript code. id: CVE-2023-34599 info: name: Gibbon v25.0.0 - Cross-Site Scripting author: ritikchaddha severity: medium description: | Multiple Cross-Site...

6.1CVSS6.6AI score0.01868EPSS
Exploits1References5
nuclei
nuclei
added 6 hours ago68 views

Traggo Server - Local File Inclusion

traggo/server version 0.3.0 is vulnerable to directory traversal. id: CVE-2023-34843 info: name: Traggo Server - Local File Inclusion author: DhiyaneshDk severity: high description: | traggo/server version 0.3.0 is vulnerable to directory traversal. impact: | Successful exploitation of this...

7.5CVSS7AI score0.07176EPSS
Exploits1References5
nuclei
nuclei
added 6 hours ago64 views

bloofoxCMS v0.5.2.1 - SQL Injection

bloofox v0.5.2.1 was discovered to contain a SQL injection vulnerability via the userid parameter at admin/index.php?mode=user&action=edit. id: CVE-2023-34755 info: name: bloofoxCMS v0.5.2.1 - SQL Injection author: theamanrawat severity: critical description: | bloofox v0.5.2.1 was discovered to...

9.8CVSS7.1AI score0.04228EPSS
Exploits1References3
nuclei
nuclei
added 6 hours ago46 views

bloofoxCMS v0.5.2.1 - SQL Injection

bloofox v0.5.2.1 was discovered to contain a SQL injection vulnerability via the gid parameter at admin/index.php?mode=user&page=groups&action=edit. id: CVE-2023-34751 info: name: bloofoxCMS v0.5.2.1 - SQL Injection author: theamanrawat severity: critical description: | bloofox v0.5.2.1 was...

9.8CVSS7.1AI score0.04228EPSS
Exploits1References3
nuclei
nuclei
added 6 hours ago92 views

Hestiacp <= 1.7.7 - Cross-Site Scripting

Cross-site Scripting XSS - Reflected in GitHub repository hestiacp/hestiacp prior to 1.7.8. id: CVE-2023-3479 info: name: Hestiacp = 1.7.7 - Cross-Site Scripting author: edoardottt severity: medium description: | Cross-site Scripting XSS - Reflected in GitHub repository hestiacp/hestiacp prior to...

6.1CVSS6.1AI score0.01293EPSS
Exploits1References3
nuclei
nuclei
added 6 hours ago325 views

Sitecore - Remote Code Execution

Multiple Sitecore products allow remote code execution. This affects Experience Manager, Experience Platform, and Experience Commerce through 10.3. id: CVE-2023-35813 info: name: Sitecore - Remote Code Execution author: DhiyaneshDk,iamnoooob severity: critical description: | Multiple Sitecore...

9.8CVSS7.2AI score0.86685EPSS
Exploits7References5
nuclei
nuclei
added 6 hours ago52 views

bloofoxCMS v0.5.2.1 - SQL Injection

bloofox v0.5.2.1 was discovered to contain a SQL injection vulnerability via the lid parameter at admin/index.php?mode=settings&page=lang&action=edit. id: CVE-2023-34752 info: name: bloofoxCMS v0.5.2.1 - SQL Injection author: theamanrawat severity: critical description: | bloofox v0.5.2.1 was...

9.8CVSS7.1AI score0.04383EPSS
Exploits1References5
nuclei
nuclei
added 6 hours ago207 views

Honeywell PM43 Printers - Command Injection

Improper Input Validation vulnerability in Honeywell PM43 on 32 bit, ARM Printer web page modules allows Command Injection.This issue affects PM43 versions prior to P10.19.050004. Update to the latest available firmware version of the respective printers to version MR19.5 e.g. P10.19.050006 id:...

9.9CVSS7AI score0.33094EPSS
Exploits3References5
nuclei
nuclei
added 6 hours ago42 views

NocoDB version <= 0.106.1 - Arbitrary File Read

NocoDB through 0.106.1 has a path traversal vulnerability that allows an unauthenticated attacker to access arbitrary files on the server by manipulating the path parameter of the /download route. This vulnerability could allow an attacker to access sensitive files and data on the server, includi...

7.5CVSS7AI score0.08875EPSS
Exploits1References5
nuclei
nuclei
added 6 hours ago57 views

Lightdash version <= 0.510.3 Arbitrary File Read

packages/backend/src/routers in Lightdash before 0.510.3 has insecure file endpoints, e.g., they allow .. directory traversal and do not ensure that an intended file extension .csv or .png is used. id: CVE-2023-35844 info: name: Lightdash version = 0.510.3 Arbitrary File Read author: dwisiswant0...

7.5CVSS7AI score0.06344EPSS
Exploits2References5
nuclei
nuclei
added 6 hours ago116 views

MOVEit Transfer - SQL Injection

In Progress MOVEit Transfer before 2020.1.11 12.1.11, 2021.0.9 13.0.9, 2021.1.7 13.1.7, 2022.0.7 14.0.7, 2022.1.8 14.1.8, and 2023.0.4 15.0.4, a SQL injection vulnerability has been identified in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized...

9.1CVSS7.1AI score0.94716EPSS
Exploits0References5
nuclei
nuclei
added 6 hours ago13 views

WP Cerber Security, Anti-spam & Malware Scan < 8.9.6 - Cross-Site Scripting

The WP Cerber Security, Anti-spam & Malware Scan WordPress plugin before 8.9.6 does not sanitise the $url variable before using it in an attribute in the Activity tab in the plugins dashboard, leading to an unauthenticated stored Cross-Site Scripting vulnerability. id: CVE-2022-0429 info: name: W...

6.1CVSS6.4AI score0.01378EPSS
Exploits2References3
nuclei
nuclei
added 6 hours ago76 views

User Profile Picture < 2.5.0 - Sensitive Information Disclosure

The REST API endpoint getusers in the User Profile Picture WordPress plugin before 2.5.0 returned more information than was required for its functionality to users with the uploadfiles capability. This included password hashes, hashed user activation keys, usernames, emails, and other less...

7.5CVSS7AI score0.04788EPSS
Exploits2References3
nuclei
nuclei
added 6 hours ago21 views

Contact Form Plugin by Fluent Forms < 5.1.17 - Unauthenticated Limited Privilege Escalation

The plugin is vulnerable to privilege escalation due to a missing capability check on the /wp-json/fluentform/v1/managers REST API endpoint. This makes it possible for unauthenticated attackers to grant users with Fluent Form management permissions which gives them access to all of the plugin's...

9.8CVSS6.1AI score0.02333EPSS
Exploits1References3
nuclei
nuclei
added 6 hours ago20 views

WordPress Frontend File Manager < 4.0 & N-Media Post Frontend < 1.1 - Arbitrary File Upload

The Frontend File Manager plugin 4.0 and N-Media Post Front-end Form plugin 1.1 for WordPress were vulnerable to arbitrary file uploads due to missing file type validation. This allowed unauthenticated attackers to upload arbitrary files and potentially achieve remote code execution. id:...

9.8CVSS6.3AI score0.05515EPSS
Exploits2References5
Total number of security vulnerabilities4146