Lucene search
K
NvdMost viewed

364114 matches found

NVD
NVD
added 2024/02/17 8:15 a.m.49 views

CVE-2024-1512

The MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin for WordPress is vulnerable to union based SQL Injection via the 'user' parameter of the /lms/stm-lms/order/items REST route in all versions up to, and including, 3.2.5 due to insufficient escaping on the user supplied...

9.8CVSS9.7AI score0.77729EPSS
Exploits1References2
NVD
NVD
added 2024/02/15 11:15 p.m.49 views

CVE-2023-40114

In multiple functions of MtpFfsHandle.cpp , there is a possible out of bounds write due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation...

8.4CVSS6.8AI score0.00097EPSS
Exploits0References2
NVD
NVD
added 2024/02/13 7:15 p.m.49 views

CVE-2024-1374

A command injection vulnerability was identified in GitHub Enterprise Server that allowed an attacker with an editor role in the Management Console to gain admin SSH access to the appliance via nomad templates when configuring audit log forwarding. Exploitation of this vulnerability required acce...

9.1CVSS9.6AI score0.02632EPSS
Exploits0References4
NVD
NVD
added 2024/02/09 11:15 p.m.49 views

CVE-2024-24828

pkg is tool design to bundle Node.js projects into an executables. Any native code packages built by pkg are written to a hardcoded directory. On unix systems, this is /tmp/pkg/ which is a shared directory for all users on the same local system. There is no uniqueness to the package names within...

7.8CVSS6.7AI score0.00231EPSS
Exploits0References2
NVD
NVD
added 2024/02/09 1:15 a.m.49 views

CVE-2024-23639

Micronaut Framework is a modern, JVM-based, full stack Java framework designed for building modular, easily testable JVM applications with support for Java, Kotlin and the Groovy language. Enabled but unsecured management endpoints are susceptible to drive-by localhost attacks. While not typical ...

7.8CVSS6.3AI score0.00261EPSS
Exploits0References2
NVD
NVD
added 2024/01/30 4:15 p.m.49 views

CVE-2024-21671

The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning FL and Multi-Party Computation MPC. It is possible to find out usernames from the response time of login requests. This could aid attackers in credential attacks. Version 4.2.0 patches this...

3.7CVSS4AI score0.00398EPSS
Exploits0References2
NVD
NVD
added 2024/01/19 9:15 p.m.49 views

CVE-2024-22420

JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook and Architecture. This vulnerability depends on user interaction by opening a malicious Markdown file using JupyterLab preview feature. A malicious user can access any data that the...

6.5CVSS6.5AI score0.00568EPSS
Exploits0References3
NVD
NVD
added 2023/12/29 5:16 p.m.49 views

CVE-2023-51663

Hail is an open-source, general-purpose, Python-based data analysis tool with additional data types and methods for working with genomic data. Hail relies on OpenID Connect OIDC email addresses from ID tokens to verify the validity of a user's domain, but because users have the ability to change...

5.3CVSS0.00367EPSS
Exploits0References1
NVD
NVD
added 2023/12/22 9:15 p.m.49 views

CVE-2023-50727

Resque is a Redis-backed Ruby library for creating background jobs, placing them on multiple queues, and processing them later. Reflected XSS issue occurs when /queues is appended with /". This issue has been patched in version 2.6.0...

6.3CVSS0.00514EPSS
Exploits0References3
NVD
NVD
added 2023/12/22 8:15 p.m.49 views

CVE-2023-50725

Resque is a Redis-backed Ruby library for creating background jobs, placing them on multiple queues, and processing them later. The following paths in resque-web have been found to be vulnerable to reflected XSS: "/failed/?class=alertdocument.cookie" and "/queues/". This issue has been patched in...

6.3CVSS0.00526EPSS
Exploits0References4
NVD
NVD
added 2023/12/21 8:15 p.m.49 views

CVE-2023-50732

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to execute a Velocity script without script right through the document tree. This has been patched in XWiki 14.10.7 and 15.2RC1...

8.3CVSS0.00486EPSS
Exploits1References3
NVD
NVD
added 2023/12/18 5:15 p.m.49 views

CVE-2023-48762

Cross-Site Request Forgery CSRF vulnerability in Crocoblock JetElements For Elementor.This issue affects JetElements For Elementor: from n/a through 2.6.13...

8.8CVSS0.00237EPSS
Exploits0References1
NVD
NVD
added 2023/12/04 11:15 p.m.49 views

CVE-2023-40459

The ACEManager component of ALEOS 4.16 and earlier does not adequately perform input sanitization during authentication, which could potentially result in a Denial of Service DoS condition for ACEManager without impairing other router functions. ACEManager recovers from the DoS condition by...

7.5CVSS0.02296EPSS
Exploits2References1
NVD
NVD
added 2023/11/17 10:15 p.m.49 views

CVE-2023-48294

LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring which includes support for a wide range of network hardware and operating systems. In affected versions of LibreNMS when a user accesses their device dashboard, one request is sent to graph.php to access graphs generated on t...

4.3CVSS0.00695EPSS
Exploits1References3
NVD
NVD
added 2023/11/17 1:15 p.m.49 views

CVE-2023-22273

Adobe RoboHelp Server versions 11.4 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability that could lead to Remote Code Execution by an admin authenticated attacker. Exploitation of this issue does not require user interaction...

7.2CVSS0.01937EPSS
Exploits0References1
NVD
NVD
added 2023/11/10 6:15 p.m.49 views

CVE-2023-47128

Piccolo is an object-relational mapping and query builder which supports asyncio. Prior to version 1.1.1, the handling of named transaction savepoints in all database implementations is vulnerable to SQL Injection via f-strings. While the likelihood of an end developer exposing a savepoints name...

9.1CVSS0.00776EPSS
Exploits1References2
NVD
NVD
added 2023/11/07 12:15 p.m.49 views

CVE-2023-5567

The QR Code Tag plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'qrcodetag' shortcode in versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with...

6.4CVSS0.00434EPSS
Exploits0References2
NVD
NVD
added 2023/11/01 6:15 p.m.49 views

CVE-2023-20031

A vulnerability in the SSL/TLS certificate handling of Snort 3 Detection Engine integration with Cisco Firepower Threat Defense FTD Software could allow an unauthenticated, remote attacker to cause the Snort 3 detection engine to restart. This vulnerability is due to a logic error that occurs whe...

5.4CVSS5.2AI score0.00283EPSS
Exploits0References1
NVD
NVD
added 2023/10/16 9:15 p.m.49 views

CVE-2023-45128

Fiber is an express inspired web framework written in Go. A Cross-Site Request Forgery CSRF vulnerability has been identified in the application, which allows an attacker to inject arbitrary values and forge malicious requests on behalf of a user. This vulnerability can allow an attacker to injec...

10CVSS9.6AI score0.00313EPSS
Exploits0References2
NVD
NVD
added 2023/09/20 3:15 a.m.49 views

CVE-2023-4088

Incorrect Default Permissions vulnerability in Mitsubishi Electric Corporation multiple FA engineering software products allows a malicious local attacker to execute a malicious code, resulting in information disclosure, tampering with and deletion, or a denial-of-service DoS condition, if the...

9.3CVSS8.8AI score0.00177EPSS
Exploits0References3
NVD
NVD
added 2023/09/12 3:15 a.m.49 views

CVE-2023-40621

SAP PowerDesigner Client - version 16.7, allows an unauthenticated attacker to inject VBScript code in a document and have it opened by an unsuspecting user, to have it executed by the application on behalf of the user. The application has a security option to disable or prompt users before...

6.3CVSS6.4AI score0.00646EPSS
Exploits0References2
NVD
NVD
added 2023/09/05 6:15 p.m.49 views

CVE-2023-39681

Cuppa CMS v1.0 was discovered to contain a remote code execution RCE vulnerability via the emailoutgoing parameter at /Configuration.php. This vulnerability is triggered via a crafted payload...

9.8CVSS9.8AI score0.01391EPSS
Exploits1References1
NVD
NVD
added 2023/09/05 4:15 a.m.49 views

CVE-2023-36308

disintegration Imaging 1.6.2 allows attackers to cause a panic because of an integer index out of range during a Grayscale call via a crafted TIFF file to the scan function of scanner.go. NOTE: it is unclear whether there are common use cases in which this panic could have any security consequenc...

5.5CVSS5.3AI score0.00354EPSS
Exploits1References4
NVD
NVD
added 2023/09/01 8:15 p.m.49 views

CVE-2023-41046

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It is possible in XWiki to execute Velocity code without having script right by creating an XClass with a property of type "TextArea" and content type "VelocityCode" or "VelocityWiki". For the...

6.3CVSS6.5AI score0.00445EPSS
Exploits0References4
NVD
NVD
added 2023/08/30 6:15 p.m.49 views

CVE-2023-41039

RestrictedPython is a restricted execution environment for Python to run untrusted code. Python's "format" functionality allows someone controlling the format string to "read" all objects accessible through recursive attribute lookup and subscription from objects he can access. This can lead to...

8.3CVSS8.2AI score0.00637EPSS
Exploits0References2
NVD
NVD
added 2023/08/30 2:15 a.m.49 views

CVE-2023-4597

The Slimstat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'slimstat' shortcode in versions up to, and including, 5.0.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers...

6.4CVSS5.7AI score0.00576EPSS
Exploits2References4
NVD
NVD
added 2023/08/28 1:15 a.m.49 views

CVE-2023-26270

IBM Security Guardium Data Encryption IBM Guardium Cloud Key Manager GCKM 1.10.3 could allow a remote attacker to execute arbitrary code on the system, caused by an angular template injection flaw. By sending specially crafted request, an attacker could exploit this vulnerability to execute...

9.8CVSS8.4AI score0.00698EPSS
Exploits0References2
NVD
NVD
added 2023/08/16 3:15 p.m.49 views

CVE-2023-40348

The webhook endpoint in Jenkins Gogs Plugin 1.0.15 and earlier provides unauthenticated attackers information about the existence of jobs in its output...

5.3CVSS5.2AI score0.00547EPSS
Exploits0References2
NVD
NVD
added 2023/08/14 9:15 p.m.49 views

CVE-2023-40013

SVG Loader is a javascript library that fetches SVGs using XMLHttpRequests and injects the SVG code in the tag's place. According to the docs, svg-loader will strip all JS code before injecting the SVG file for security reasons but the input sanitization logic is not sufficient and can be trivial...

7.1CVSS6.6AI score0.00473EPSS
Exploits0References4
NVD
NVD
added 2023/08/03 3:15 p.m.49 views

CVE-2023-2754

The Cloudflare WARP client for Windows assigns loopback IPv4 addresses for the DNS Servers, since WARP acts as local DNS server that performs DNS queries in a secure manner, however, if a user is connected to WARP over an IPv6-capable network, te WARP client did not assign loopback IPv6 addresses...

7.4CVSS7.3AI score0.00746EPSS
Exploits0References3
NVD
NVD
added 2023/08/03 5:15 a.m.49 views

CVE-2023-4112

A vulnerability was found in PHP Jabbers Shuttle Booking Software 1.0. It has been classified as problematic. This affects an unknown part of the file /index.php. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The associated identifier of this...

6.1CVSS5.1AI score0.05177EPSS
Exploits4References3
NVD
NVD
added 2023/08/02 8:15 p.m.49 views

CVE-2023-29409

Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time verifying signatures. With fix, the size of RSA keys transmitted during handshakes is restricted to = 8192 bits. Based on a survey of publicly trusted RSA keys, there are currently only three...

5.3CVSS6.7AI score0.01328EPSS
Exploits0References6
NVD
NVD
added 2023/07/31 11:15 p.m.49 views

CVE-2023-3462

HashiCorp's Vault and Vault Enterprise are vulnerable to user enumeration when using the LDAP auth method. An attacker may submit requests of existent and non-existent LDAP users and observe the response from Vault to check if the account is valid on the LDAP server. This vulnerability is fixed i...

5.3CVSS5.5AI score0.00613EPSS
Exploits0References1
NVD
NVD
added 2023/07/31 3:15 p.m.49 views

CVE-2023-38308

An issue was discovered in Webmin 2.021. A Cross-Site Scripting XSS vulnerability was discovered in the HTTP Tunnel functionality when handling third-party domain URLs. By providing a crafted URL from a third-party domain, an attacker can inject malicious code. leading to the execution of arbitra...

6.1CVSS6AI score0.00615EPSS
Exploits1References2
NVD
NVD
added 2023/07/27 4:15 p.m.49 views

CVE-2023-38492

Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 affects all Kirby sites with user accounts unless Kirby's API and Panel are disabled in the config. The real-world impact of this vulnerability is limited, however we still...

7.5CVSS6.3AI score0.01028EPSS
Exploits0References7
NVD
NVD
added 2023/07/13 11:15 p.m.49 views

CVE-2023-37274

Auto-GPT is an experimental open-source application showcasing the capabilities of the GPT-4 language model. When Auto-GPT is executed directly on the host system via the provided run.sh or run.bat files, custom Python code execution is sandboxed using a temporary dedicated docker container which...

7.8CVSS0.00338EPSS
Exploits0References2
NVD
NVD
added 2023/07/12 10:15 a.m.49 views

CVE-2022-45855

SpringEL injection in the metrics source in Apache Ambari version 2.7.0 to 2.7.6 allows a malicious authenticated user to execute arbitrary code remotely. Users are recommended to upgrade to 2.7.7...

8.8CVSS8.3AI score0.01052EPSS
Exploits0References1
NVD
NVD
added 2023/07/11 9:15 a.m.49 views

CVE-2023-34015

Cross-Site Request Forgery CSRF vulnerability in PI Websolution Conditional shipping & Advanced Flat rate shipping rates / Flexible shipping for WooCommerce shipping plugin = 1.6.4.4 versions...

8.8CVSS6.5AI score0.00246EPSS
Exploits0References1
NVD
NVD
added 2023/07/04 8:15 a.m.49 views

CVE-2023-2321

The WPForms Google Sheet Connector WordPress plugin before 3.4.6, gsheetconnector-wpforms-pro WordPress plugin through 3.4.6 does not escape a parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as...

6.1CVSS6AI score0.00458EPSS
Exploits1References1
NVD
NVD
added 2023/06/28 6:15 p.m.49 views

CVE-2023-21171

In verifyInputEvent of InputDispatcher.cpp, there is a possible way to conduct click fraud due to side channel information disclosure. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions...

6.7CVSS6.5AI score0.00096EPSS
Exploits0References1
NVD
NVD
added 2023/06/27 2:15 p.m.49 views

CVE-2023-0588

The Catalyst Connect Zoho CRM Client Portal WordPress plugin before 2.1.0 does not sanitize and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admin...

6.1CVSS6.1AI score0.00458EPSS
Exploits2References1
NVD
NVD
added 2023/06/19 5:15 p.m.49 views

CVE-2023-34162

Version update determination vulnerability in the user profile module.Successful exploitation of this vulnerability may cause repeated HMS Core updates and cause services to fail...

7.5CVSS7.5AI score0.00437EPSS
Exploits0References1
NVD
NVD
added 2023/06/14 10:15 p.m.49 views

CVE-2023-34251

Grav is a flat-file content management system. Versions prior to 1.7.42 are vulnerable to server side template injection. Remote code execution is possible by embedding malicious PHP code on the administrator screen by a user with page editing privileges. Version 1.7.42 contains a fix for this...

9.9CVSS9.9AI score0.02338EPSS
Exploits1References3
NVD
NVD
added 2023/06/12 4:15 p.m.49 views

CVE-2023-34468

The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution. The resolution validates the Database URL and rejects H2 JDBC...

8.8CVSS8.7AI score0.63633EPSS
Exploits9References5
NVD
NVD
added 2023/06/07 1:15 a.m.49 views

CVE-2023-33781

An issue in D-Link DIR-842V2 v1.0.3 allows attackers to execute arbitrary commands via importing a crafted file...

8.8CVSS8.9AI score0.36026EPSS
Exploits2References2
NVD
NVD
added 2023/05/27 7:15 p.m.49 views

CVE-2015-20108

xmlsecurity.rb in the ruby-saml gem before 1.0.0 for Ruby allows XPath injection and code execution because prepared statements are not used...

9.8CVSS9.9AI score0.01332EPSS
Exploits0References5
NVD
NVD
added 2023/05/18 11:15 a.m.49 views

CVE-2023-27423

Cross-Site Request Forgery CSRF vulnerability in Ramon Fincken Auto Prune Posts plugin = 1.8.0 versions...

8.8CVSS6.5AI score0.00265EPSS
Exploits0References1
NVD
NVD
added 2023/05/15 4:15 a.m.49 views

CVE-2023-32758

giturlparse aka git-url-parse through 1.2.2, as used in Semgrep 1.5.2 through 1.24.1, is vulnerable to ReDoS Regular Expression Denial of Service if parsing untrusted URLs. This might be relevant if Semgrep is analyzing an untrusted package for example, to check whether it accesses any Git...

7.5CVSS7.4AI score0.01033EPSS
Exploits0References5
NVD
NVD
added 2023/05/11 7:15 a.m.49 views

CVE-2023-2643

A vulnerability classified as critical was found in SourceCodester File Tracker Manager System 1.0. This vulnerability affects unknown code of the file register/updatepassword.php of the component POST Parameter Handler. The manipulation of the argument newpassword leads to sql injection. The...

9.8CVSS7.5AI score0.00726EPSS
Exploits1References3
NVD
NVD
added 2023/05/10 12:15 p.m.49 views

CVE-2023-1732

When sampling randomness for a shared secret, the implementation of Kyber and FrodoKEM, did not check whether crypto/rand.Read returns an error. In rare deployment cases error thrown by the Read function, this could lead to a predictable shared secret. The tkn20 and blindrsa components did not...

8.2CVSS6.4AI score0.00386EPSS
Exploits0References1
Total number of security vulnerabilities5000