Cross site scripting
A Cross Site Scripting vulnerability in Availability Booking Calendar 5.0 allows an attacker to inject JavaScript via the name, pluginsmsapikey, pluginsmscountrycode, uuid, title, or country name parameter to index.php...
Design/Logic Flaw
An issue in DA BUTCHERS mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token...
Code injection
An issue in PARK DANDAN mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token...
Cross site scripting
BoidCMS 2.0.1 is vulnerable to Multiple Stored Cross-Site Scripting (XSS) issues via the title, subtitle, footer, or keywords parameter in a page=create action...
SQL injection
A Blind SQL injection issue in ajax.php in GaatiTrack Courier Management System 1.0 allows an unauthenticated attacker to inject a payload via the email parameter during login...
Design/Logic Flaw
An issue in SCOL Members Card mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token...
Design/Logic Flaw
An issue in DARTS SHOP MAXIM mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token...
Design/Logic Flaw
An issue in craftbeer bar canvas mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token...
Code injection
An issue in urbanproject mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token...
Cross site scripting
Time Slots Booking Calendar 4.0 is vulnerable to Multiple Stored Cross-Site Scripting (XSS) issues via the name, pluginsmsapikey, pluginsmscountrycode, calendarid, title, country name, or customername parameter...
Input validation
Shuttle Booking Software 2.0 is vulnerable to CSV Injection in the Languages section via an export...
Input validation
Car Rental Script v3.0 is vulnerable to CSV Injection via a Language Labels Export action...
Privilege escalation
A lack of rate limiting in pjActionAJaxSend in Availability Booking Calendar 5.0 allows attackers to cause resource exhaustion...
Cross site scripting
Car Rental Script 3.0 is vulnerable to Multiple Stored Cross-Site Scripting (XSS) issues via the name, pluginsmsapikey, pluginsmscountrycode, calendarid, title, country name, or customername parameter...
Privilege escalation
A lack of rate limiting in pjActionAjaxSend in Appointment Scheduler 3.0 allows attackers to cause resource exhaustion...
Design/Logic Flaw
A lack of rate limiting in pjActionAJaxSend in Time Slots Booking Calendar 4.0 allows attackers to cause resource exhaustion...
Input validation
Car Rental Script 3.0 is vulnerable to Multiple HTML Injection issues via SMS API Key or Default Country Code...
Cross site scripting
Appointment Scheduler 3.0 is vulnerable to Multiple Stored Cross-Site Scripting (XSS) issues via the name, pluginsmsapikey, pluginsmscountrycode, calendarid, title, country name, or customername parameter...
Design/Logic Flaw
Availability Booking Calendar 5.0 allows CSV injection via the unique ID field in the Reservations list component...
Input validation
Appointment Scheduler 3.0 is vulnerable to CSV Injection via a Language Labels Export action...
Input validation
Appointment Scheduler 3.0 is vulnerable to Multiple HTML Injection issues via the SMS API Key or Default Country Code...
Input validation
Time Slots Booking Calendar 4.0 is vulnerable to Multiple HTML Injection issues via the name, pluginsmsapikey, pluginsmscountrycode, calendarid, title, country name, or customername parameter...
Privilege escalation
A lack of rate limiting in pjActionAjaxSend in Car Rental v3.0 allows attackers to cause resource exhaustion...
Default credentials
Jorani Leave Management System 1.0.2 allows a remote attacker to spoof a Host header associated with password reset emails...
Cross site scripting
A cross-site-scripting vulnerability exists in Ruckus Access Point products ZoneDirector, SmartZone, and AP Solo. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who is logging in the product. As for the affected products/models/versions, see...
Input validation
Availability Booking Calendar 5.0 is vulnerable to Multiple HTML Injection issues via SMS API Key or Default Country Code...
Design/Logic Flaw
An issue in sanTas mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token...
Input validation
Time Slots Booking Calendar 4.0 is vulnerable to CSV Injection via the unique ID field of the Reservations List...
Cross site scripting
An issue was discovered in Zimbra Collaboration (ZCS) before 10.0.4. An XSS issue can be exploited to access the mailbox of an authenticated user. This is also fixed in 8.8.15 Patch 43 and 9.0.0 Patch 36...
Cross site scripting
An XSS issue was discovered in a web endpoint in Zimbra Collaboration (ZCS) before 10.0.4 via an unsanitized parameter. This is also fixed in 8.8.15 Patch 43 and 9.0.0 Patch 36...
Design/Logic Flaw
Maxima Max Pro Power 1.0 486A devices allow BLE traffic replay. An attacker can use GATT characteristic handle 0x0012 to perform potentially disruptive actions such as starting a Heart Rate monitor...
Cross site scripting
A Cross Site Scripting (XSS) vulnerability in Shuttle Booking Software 2.0 allows a remote attacker to inject JavaScript via the name, description, title, or address parameter to index.php...
Design/Logic Flaw
Squidex before 7.9.0 allows XSS via an SVG document to the Upload Assets feature. This occurs because there is an incomplete blacklist in the SVG inspection, allowing JavaScript in the SRC attribute of an IFRAME element. An authenticated attack with assets.create permission is required for...
Directory traversal
An issue was discovered in server.js in etcd-browser 87ae63d75260. By supplying a /../../../ Directory Traversal input to the URL's GET request while connecting to the remote server port specified during setup, an attacker can retrieve local operating system files from the remote system...
Cross site scripting
HCL Connections is vulnerable to a cross-site scripting attack where an attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user after visiting the vulnerable URL which leads to executing malicious script code. This may let the attacker steal...
Buffer overflow
strongSwan before 5.9.12 has a buffer overflow and possible unauthenticated remote code execution via a DH public value that exceeds the internal buffer in charon-tkm's DH proxy. The earliest affected version is 5.3.0. An attack can occur via a crafted IKE_SA_INIT message...
Design/Logic Flaw
An issue was discovered in Zimbra Collaboration (ZCS) before 10.0.3. An attacker can gain access to a Zimbra account. This is also fixed in 9.0.0 Patch 35 and 8.8.15 Patch 42...
Cross site scripting
Cross-site Scripting (XSS) - Reflected in GitHub repository mlflow/mlflow prior to 2.9.0...
Integer overflow
A LogoFAIL issue was discovered in BmpDecoderDxe in Insyde InsydeH2O with kernel 5.2 before 05.28.47, 5.3 before 05.37.47, 5.4 before 05.45.47, 5.5 before 05.53.47, and 5.6 before 05.60.47 for certain Lenovo devices. Image parsing of crafted BMP logo files can copy data to a specific address duri...
Information disclosure
The System Dashboard plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sdglobalvalue function hooked via an AJAX action in all versions up to, and including, 2.8.7. This makes it possible for authenticated attackers, with subscriber-level...
Design/Logic Flaw
The System Dashboard plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sdconstants function hooked via an AJAX action in all versions up to, and including, 2.8.7. This makes it possible for authenticated attackers, with subscriber-level...
Design/Logic Flaw
The System Dashboard plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sdoptionvalue function hooked via an AJAX action in all versions up to, and including, 2.8.7. This makes it possible for authenticated attackers, with subscriber-level...
SQL injection
The Burst Statistics – Privacy-Friendly Analytics for WordPress plugin for WordPress is vulnerable to SQL Injection via the 'url' parameter in versions 1.4.0 to 1.4.6.1 (free) and versions 1.4.0 to 1.5.0 (pro) due to insufficient escaping on the user supplied parameter and lack of sufficient...
Design/Logic Flaw
The System Dashboard plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sdphpinfo function hooked via an AJAX action in all versions up to, and including, 2.8.7. This makes it possible for authenticated attackers, with subscriber-level acces...
Design/Logic Flaw
The System Dashboard plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the sddbspecs function hooked via an AJAX action in all versions up to, and including, 2.8.7. This makes it possible for authenticated attackers, with subscriber-level acces...
Code injection
This flaw allows a malicious HTTP server to set "super cookies" in curl that are then passed back to more origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get sent to different and unrelated sites and domains. It could do this by exploiting a...
Code injection
Business Logic Errors in GitHub repository microweber/microweber prior to 2.0...
SQL injection
In the module "Product Tag Icons Pro" (ticons) before 1.8.4 from MyPresta.eu for PrestaShop, a guest can perform SQL injection. The method TiconProduct::getTiconByProductAndTicon has sensitive SQL calls that can be executed with a trivial HTTP call and exploited to forge a SQL injection...
Design/Logic Flaw
In the module "Orders CSV, Excel Export PRO" (ordersexport) 5.2.0 from MyPrestaModules for PrestaShop, a guest can download personal information without restriction. Due to a lack of permissions control, a guest can access exports from the module which can lead to a leak of personal information fro...
Design/Logic Flaw
An issue in Netgate pfSense Plus v.23.05.1 and before and pfSense CE v.2.7.0 allows a remote attacker to execute arbitrary code via a crafted request to the packetcapture.php file...