213680 matches found
Null pointer dereference
In the Linux kernel, the following vulnerability has been resolved: usb: hub: Guard against accesses to uninitialized BOS descriptors Many functions in drivers/usb/core/hub.c and drivers/usb/core/hub.h access fields inside udev-bos without checking if it was allocated and initialized. If...
Cross site request forgery (csrf)
Cross-Site Request Forgery CSRF vulnerability in GS Plugins Logo Slider – Logo Showcase, Logo Carousel, Logo Gallery and Client Logo Presentation.This issue affects Logo Slider – Logo Showcase, Logo Carousel, Logo Gallery and Client Logo Presentation: from n/a through 3.5.1...
Cross site request forgery (csrf)
Cross-Site Request Forgery CSRF vulnerability in Senol Sahin AI Power: Complete AI Pack – Powered by GPT-4.This issue affects AI Power: Complete AI Pack – Powered by GPT-4: from n/a through 1.8.12...
Cross site request forgery (csrf)
Cross-Site Request Forgery CSRF vulnerability in HasThemes HT Mega – Absolute Addons For Elementor.This issue affects HT Mega – Absolute Addons For Elementor: from n/a through 2.3.3...
Code injection
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Tainacan.Org Tainacan.This issue affects Tainacan: from n/a through 0.20.6...
Cross site scripting
The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's advancediframe shortcode in all versions up to, and including, 2024.1 due to the plugin allowing users to include JS files from external sources through the additionaljs attribute. This makes it...
Cross site request forgery (csrf)
Cross-Site Request Forgery CSRF vulnerability in ?leanTalk - Anti-Spam Protection Spam protection, Anti-Spam, FireWall by CleanTalk.This issue affects Spam protection, Anti-Spam, FireWall by CleanTalk: from n/a through 6.20...
Cross site request forgery (csrf)
Cross-Site Request Forgery CSRF vulnerability in Thrive Themes Thrive Automator.This issue affects Thrive Automator: from n/a through 1.17...
Input validation
The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajaximportoptions function in all versions up to, and including, 7.11.4. This makes it possible for authenticated attackers, with...
Cross site scripting
The Custom Field Suite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a meta import in all versions up to, and including, 2.6.4 due to insufficient input sanitization and output escaping on the meta values. This makes it possible for authenticated attackers, with...
Information disclosure
IBM Cloud Pak for Security CP4S 1.10.0.0 through 1.10.6.0 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle...
Cross site scripting
Cross Site Scripting XSS vulnerability in the Simple Student Attendance System v.1.0 allows a remote attacker to execute arbitrary code via a crafted payload to the page or classmonth parameter in the /php-attendance/attendancereport component...
Design/Logic Flaw
An issue in Clojure versions 1.20 to 1.12.0-alpha5 allows an attacker to cause a denial of service DoS via the clojure.core$partial$fn5920 function...
Sql injection
SQL Injection vulnerability in the Simple Student Attendance System v.1.0 allows a remote attacker to execute arbitrary code via a crafted payload to the id parameter in the studentform.php and the classform.php pages...
Code injection
IBM Cloud Pak Foundational Services Identity Provider idP API IBM Cloud Pak for Automation 18.0.0, 18.0.1, 18.0.2, 19.0.1, 19.0.2, 19.0.3, 20.0.1, 20.0.2, 20.0.3, 21.0.1, 21.0.2, 21.0.3, 22.0.1, and 22.0.2 allows CRUD Operations with an invalid token. This could allow an unauthenticated attacker ...
Information disclosure
IBM Watson CloudPak for Data Data Stores information disclosure 4.6.0 allows web pages to be stored locally which can be read by another user on the system. IBM X-Force ID: 248947...
Cross site scripting
Cross Site Scripting XSS vulnerability in School Fees Management System v.1.0 allows a remote attacker to execute arbitrary code via a crafted payload to the mainsettings component in the phone, address, bank, accname, accnumber parameters, newclass and cname parameter, addnewparent function in t...
Cross site scripting
KLiK SocialMediaWebsite version 1.0.1 from msaad1999 has a reflected cross-site scripting XSS vulnerability which may allow remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload into the 'selector' or 'validator' parameters of...
Path traversal
Possible path traversal in Apache OFBiz allowing file inclusion. Users are recommended to upgrade to version 18.12.12, that fixes the issue...
Deserialization of untrusted data
Dataease is an open source data visualization analysis tool. A deserialization vulnerability exists in the DataEase datasource, which can be exploited to execute arbitrary code. The location of the vulnerability code is core/core-backend/src/main/java/io/dataease/datasource/type/Mysql.java. The...
Cross site scripting
F-logic DataCube3 Version 1.0 is affected by a reflected cross-site scripting XSS vulnerability due to improper input sanitization. An authenticated, remote attacker can execute arbitrary JavaScript code in the web management interface...
Cross site scripting
Webasyst 2.9.9 has a Cross-Site Scripting XSS vulnerability, Attackers can create blogs containing malicious code after gaining blog permissions...
Cross site scripting
A reflected cross-site scripting XSS vulnerability in SocialMediaWebsite v1.0.1 allows attackers to inject malicious JavaScript into the web browser of a victim via the poll parameter in poll.php...
Cross site request forgery (csrf)
Cross-Site Request Forgery CSRF vulnerability in M&S Consulting Email Before Download.This issue affects Email Before Download: from n/a through 6.9.7...
Sql injection
livehelperchat 4.28v is vulnerable to Server-Side Template Injection SSTI...
Design/Logic Flaw
A host header injection vulnerability in the forgot password function of FullStackHero's WebAPI Boilerplate v1.0.0 and v1.0.1 allows attackers to leak the password reset token via a crafted request...
Cross site scripting
Flask-AppBuilder is an application development framework, built on top of Flask. A Cross-Site Scripting XSS vulnerability has been discovered on the OAuth login page. An attacker could trick a user to follow a specially crafted URL to the OAuth login page. This URL could inject and execute...
Code injection
http-swagger before 1.2.6 allows XSS via PUT requests, because a file that has been uploaded via httpSwagger.WrapHandler and webdav.memFile can subsequently be accessed via a GET request. NOTE: this is independently fixable with respect to CVE-2022-24863, because if a solution continued to allow...
Memory corruption
Kerberos 5 aka krb5 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmaprmt.c...
Heap overflow
texlive-bin commit c515e was discovered to contain heap buffer overflow via the function ttfLoadHDMX:ttfdump. This vulnerability allows attackers to cause a Denial of Service DoS via supplying a crafted TTF file...
Memory corruption
Bento4 v1.5.1-628 contains a Memory leak on AP4Movie::AP4Movie, parsing tracks and added into mTracks list, but mp42aac cannot correctly delete when we got an no audio track found error. This vulnerability allows attackers to cause a Denial of Service DoS via a crafted mp4 file...
Cross site scripting
Inadequate escaping of mail addresses lead to XSS vulnerabilities in various components...
Design/Logic Flaw
Couchbase Server before 7.2.4 has a private key leak in goxdcr.log...
Sql injection
F-logic DataCube3 v1.0 is vulnerable to unauthenticated SQL injection, which could allow an unauthenticated malicious actor to execute arbitrary SQL queries in database...
Path traversal
F-logic DataCube3 v1.0 is vulnerable to Incorrect Access Control due to an improper directory access restriction. An unauthenticated, remote attacker can exploit this, by sending a URI that contains the path of the configuration file. A successful exploit could allow the attacker to extract the...
Input validation
Inadequate input validation for media selection fields lead to XSS vulnerabilities in various extensions...
Design/Logic Flaw
Element Android is an Android Matrix Client. Element Android version 1.4.3 through 1.6.10 is vulnerable to intent redirection, allowing a third-party malicious application to start any internal activity by passing some extra parameters. Possible impact includes making Element Android display an...
Design/Logic Flaw
Element Android is an Android Matrix Client. A third-party malicious application installed on the same phone can force Element Android, version 0.91.0 through 1.6.12, to share files stored under the files directory in the application's private data directory to an arbitrary room. The impact of th...
Directory traversal
XenForo before 2.2.14 allows Directory Traversal with write access by an authenticated user who has permissions to administer styles, and uses a ZIP archive for Styles Import...
Cross site request forgery (csrf)
Cross Site Request Forgery vulnerability in FlyCms v.1.0 allows a remote attacker to execute arbitrary code via the system/article/categoryedit component...
Cross site request forgery (csrf)
Cross-Site Request Forgery CSRF vulnerability in Heureka Group Heureka.This issue affects Heureka: from n/a through 1.0.8...
Design/Logic Flaw
An issue in WuKongOpenSource WukongCRM v.72crm9.0.120191202 allows a remote attacker to execute arbitrary code via the parseObject function in the fastjson component...
Cross site scripting
Cross-site scripting XSS vulnerability in Parents & Student Portal in Genesis School Management Systems in Genesis AIMS Student Information Systems v.3053 allows remote attackers to inject arbitrary web script or HTML via the message parameter...
Unrestricted file upload
F-logic DataCube3 v1.0 is vulnerable to unrestricted file upload, which could allow an authenticated malicious actor to upload a file of dangerous type by manipulating the filename extension...
Cross site scripting
A reflected cross-site scripting XSS vulnerability in zhimengzhe iBarn v1.5 allows attackers to inject malicious JavaScript into the web browser of a victim via the search parameter in offer.php...
Memory corruption
Kerberos 5 aka krb5 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c...
Cross site request forgery (csrf)
Cross-Site Request Forgery CSRF vulnerability in W3speedster W3SPEEDSTER.This issue affects W3SPEEDSTER: from n/a through 7.19...
Cross site request forgery (csrf)
Cross-Site Request Forgery CSRF vulnerability in Native Grid LLC A no-code page builder for beautiful performance-based content.This issue affects A no-code page builder for beautiful performance-based content: from n/a through 2.1.20...
Memory corruption
A memory leak issue discovered in parseSWFDEFINEBUTTON in libming v0.4.8 allows attackers to cause s denial of service via a crafted SWF file...
Design/Logic Flaw
Hoppscotch is an API development ecosystem. Due to lack of validation for fields like Label Edit Team - TeamName, bad actors can send emails with Spoofed Content as Hoppscotch. Part of payload external link is presented in clickable form - easier to achieve own goals by malicious actors. This iss...