Design/Logic Flaw

External Control of File Name or Path in h2oai/h2o-3...

Sql injection

SQLi vulnerability in LMS Lite component for Joomla...

Cross site scripting

A reflected XSS vulnerability was discovered in the Joomdoc component for Joomla...

Server side request forgery (ssrf)

Unauthenticated LFI/SSRF in JCDashboards component for Joomla...

Cross site scripting

A reflected XSS vulnerability was discovered in the Proforms Basic component for Joomla...

Cross site scripting

A reflected XSS vulnerability was discovered in the Clicky Analytics Dashboard module for Joomla...

Sql injection

SQLi vulnerability in Starshop component for Joomla...

Open redirect

URL Redirection to Untrusted Site 'Open Redirect' vulnerability when "form" authentication is used in Apache Shiro. Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+...

Sql injection

SQLi vulnerability in S5 Register module for Joomla...

Cross site scripting

A reflected XSS vulnerability was discovered in the LivingWord component for Joomla...

Cross site scripting

A reflected XSS vulnerability was discovered in the Extplorer component for Joomla...

Sql injection

SQL njection vulnerability in SunnyToo sturls before version 1.1.13, allows attackers to escalate privileges and obtain sensitive information via StUrls::hookActionDispatcher and StUrls::getInstanceId methods...

Cross site scripting

A reflected XSS vulnerability was discovered in the Easy Quick Contact module for Joomla...

Sql injection

SQL injection vulnerability in Buy Addons bavideotab before version 1.0.6, allows attackers to escalate privileges and obtain sensitive information via the component BaVideoTabSaveVideoModuleFrontController::run...

Cross site scripting

A reflected XSS vulnerability was discovered in the Quickform component for Joomla...

Code injection

In affected versions of Octopus Server it is possible for the OpenID client secret to be logged in clear text during the configuration of Octopus Server...

Command injection

There is a command injection vulnerability in some ZTE mobile internet products. Due to insufficient input validation of multiple network parameters, an authenticated attacker could use the vulnerability to execute arbitrary commands...

Input validation

There is a denial of service vulnerability in some ZTE mobile internet products. Due to insufficient validation of Web interface parameter, an attacker could use the vulnerability to perform a denial of service attack...

Buffer overflow

There is a buffer overflow vulnerability in some ZTE mobile internet producsts. Due to insufficient validation of tcp port parameter, an authenticated attacker could use the vulnerability to perform a denial of service attack...

Sql injection

Nagios XI before version 5.11.3 was discovered to contain a SQL injection vulnerability via the bulk modification tool...

Command injection

There is a weak folder permission vulnerability in ZTE's ZXCLOUD iRAI product. Due to weak folder permission, an attacker with ordinary user privileges could construct a fake DLL to execute command to escalate local privileges...

Arbitrary file deletion

There is an arbitrary file download vulnerability in ZXCLOUD iRAI. Since the backend does not escape special strings or restrict paths, an attacker with user permission could access the download interface by modifying the request parameter, causing arbitrary file downloads...

Remote code execution

Nagios XI before version 5.11.3 was discovered to contain a remote code execution RCE vulnerability via the component commandtest.php...

Sql injection

There is a SQL injection vulnerability in some ZTE mobile internet products. Due to insufficient input validation of SMS interface parameter, an authenticated attacker could use the vulnerability to execute SQL injection and cause information leak...

Integer overflow

PlutoSVG commit 336c02997277a1888e6ccbbbe674551a0582e5c4 and before was discovered to contain an integer overflow via the component plutosvgloadfrommemory...

Design/Logic Flaw

A CWE-494: Download of Code Without Integrity Check vulnerability exists that could allow a privileged user to install an untrusted firmware...

Null pointer dereference

An issue was discovered in SchedMD Slurm 22.05.x, 23.02.x, and 23.11.x. A NULL pointer dereference leads to denial of service. The fixed versions are 22.05.11, 23.02.7, and 23.11.1...

Double free

An issue was discovered in SchedMD Slurm 22.05.x, 23.02.x, and 23.11.x. Because of a double free, attackers can cause a denial of service or possibly execute arbitrary code. The fixed versions are 22.05.11, 23.02.7, and 23.11.1...

Sql injection

An issue was discovered in SchedMD Slurm 23.11.x. There is SQL Injection against the SlurmDBD database. The fixed version is 23.11.1...

Open redirect

A CWE-601:URL Redirection to Untrusted Site ‘Open Redirect’ vulnerability exists that could cause disclosure of information through phishing attempts over HTTP...

Path traversal

A CWE-22: Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability exists that could cause arbitrary file deletion upon service restart when accessed by a local and low-privileged attacker...

Design/Logic Flaw

An issue was discovered in SchedMD Slurm 22.05.x, 23.02.x, and 23.11.x. There is Improper Enforcement of Message Integrity During Transmission in a Communication Channel. This allows attackers to modify RPC traffic in a way that bypasses message hash checks. The fixed versions are 22.05.11,...

Design/Logic Flaw

An issue was discovered in SchedMD Slurm 23.02.x and 23.11.x. There is Incorrect Access Control because of a slurmd Message Integrity Bypass. An attacker can reuse root-level authentication tokens during interaction with the slurmd process. This bypasses the RPC message hashes that protect agains...

Improper access control

An issue was discovered in SchedMD Slurm 22.05.x and 23.02.x. There is Incorrect Access Control: an attacker can modified their extended group list that is used with the sbcast subsystem, and open files with an unauthorized set of extended groups. The fixed versions are 22.05.11 and 23.02.7...

Improper access control

IBM i Access Client Solutions 1.1.2 through 1.1.4 and 1.1.4.3 through 1.1.9.3 could allow an attacker to obtain a decryption key due to improper authority checks. IBM X-Force ID: 268270...

Design/Logic Flaw

A vulnerability exists on all versions of Ivanti Connect Secure below 22.6R2 where an attacker with a foothold on an Ivanti Connect Secure ICS appliance can escalate their privileges by exploiting a vulnerable installed application. This vulnerability allows the attacker to gain elevated executio...

Remote code execution

A vulnerability exists on all versions of Ivanti Connect Secure below 22.6R2 where an attacker impersonating an administrator may craft a specific web request which may lead to remote code execution...

Default credentials

IBM SAN Volume Controller, IBM Storwize, IBM FlashSystem and IBM Storage Virtualize 8.3 products use default passwords for a privileged user. IBM X-Force ID: 266874...

Cross site scripting

Cross Site Scripting XSS vulnerability in DedeBIZ v6.0.3 allows attackers to run arbitrary code via the search feature...

Code injection

IBM Spectrum Scale 5.1.5.0 through 5.1.5.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 239080...

Cross site scripting

Emlog Pro v2.1.14 was discovered to contain a reflective cross-site scripting XSS vulnerability via the component /admin/article.php?activesavedraft...

Sql injection

SQL Injection vulnerability in functions/pointlist.php in Common Services soliberte before v4.3.03 allows attackers to obtain sensitive information via the lat and lng parameters...

Spoofing

Azure DevOps Server Spoofing Vulnerability...

Path traversal

Path traversal in Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom SDKs for Windows may allow an authenticated user to conduct an escalation of privilege via network access...

Information disclosure

Cryptographic issues Zoom Mobile App for Android, Zoom Mobile App for iOS, and Zoom SDKs for Android and iOS before version 5.16.0 may allow a privileged user to conduct a disclosure of information via network access...

Command injection

IBM AIX 7.2, 7.3, and VIOS 3.1 could allow a non-privileged local user to exploit a vulnerability in the piobe command to escalate privileges or cause a denial of service. IBM X-Force ID: 267968...

Command injection

IBM AIX 7.2, 7.3, and VIOS 3.1 could allow a privileged local user to exploit a vulnerability in the qdaemon command to escalate privileges or cause a denial of service. IBM X-Force ID: 267972...

Authentication flaw

Improper authentication in some Zoom clients before version 5.16.5 may allow an authenticated user to conduct a denial of service via network access...

Cross site scripting

A Cross Site Scripting XSS vulnerability was discovered in Emlog Pro v2.1.14 via the component /admin/store.php...

Design/Logic Flaw

IBM AIX 7.2, 7.3, and VIOS 3.1 could allow a non-privileged local user to exploit a vulnerability in the piodmgrsu command to obtain elevated privileges. IBM X-Force ID: 267964...