Deserialization of untrusted data

Deserialization of Untrusted Data vulnerability in Thomas Belser Asgaros Forum.This issue affects Asgaros Forum: from n/a through 2.7.2...

Open redirect

URL Redirection to Untrusted Site 'Open Redirect' vulnerability in smp7, wp.Insider Simple Membership.This issue affects Simple Membership: from n/a through 4.4.1...

Design/Logic Flaw

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Ignazio Scimone Albo Pretorio On line.This issue affects Albo Pretorio On line: from n/a through 4.6.6...

Unrestricted file upload

Unrestricted Upload of File with Dangerous Type vulnerability in UkrSolution Barcode Scanner and Inventory manager.This issue affects Barcode Scanner and Inventory manager: from n/a through 1.5.1...

Cross site scripting

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in IP2Location IP2Location Country Blocker.This issue affects IP2Location Country Blocker: from n/a through 2.33.3...

Server side request forgery (ssrf)

Server-Side Request Forgery SSRF vulnerability in Renzo Johnson Contact Form 7 Extension For Mailchimp.This issue affects Contact Form 7 Extension For Mailchimp: from n/a through 0.5.70...

Deserialization of untrusted data

Deserialization of Untrusted Data vulnerability in QuantumCloud ChatBot with AI.This issue affects ChatBot with AI: from n/a through 5.1.0...

Design/Logic Flaw

An issue in Books-futaba mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token...

Code injection

An issue in Q co ltd mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token...

Design/Logic Flaw

An issue in picot.golf mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token...

Code injection

An issue in Cleaningmakotoya mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token...

Open redirect

URL redirection to untrusted site 'Open Redirect' vulnerability in file access component in Synology DiskStation Manager DSM before 7.2.1-69057-2 allows remote authenticated users to conduct phishing attacks via unspecified vectors...

Code injection

An issue in mokumoku chohu mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token...

Design/Logic Flaw

An issue in cherub-hair mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token...

Code injection

An issue in PRIMA CLINIC mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token...

Code injection

An issue in Yoruichi hobby base mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token...

Design/Logic Flaw

An issue in COLORFULlaundry mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token...

Authorization

An issue in Otakara lapis totuka mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token...

Design/Logic Flaw

An issue in nature fitness saijo mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token...

Design/Logic Flaw

An issue in Ailand clinic mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token...

Design/Logic Flaw

An issue in smaregiappmarket mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token...

Design/Logic Flaw

An issue in STOCKMAN GROUP mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token...

Cross site scripting

The WP Customer Area plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in all versions up to, and including, 8.2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...

Design/Logic Flaw

An issue was discovered in Regify Regipay Client for Windows version 4.5.1.0 allows DLL hijacking: a user can trigger the execution of arbitrary code every time the product is executed...

Design/Logic Flaw

An issue in Coign CRM Portal v.06.06 allows a remote attacker to escalate privileges via the userPermissionsList parameter in Session Storage component...

Command injection

Active debug code exists in Yamaha wireless LAN access point devices. If a logged-in user who knows how to use the debug function accesses the device's management page, this function can be enabled by performing specific operations. As a result, an arbitrary OS command may be executed and/or...

Command injection

OS command injection vulnerability in ELECOM wireless LAN routers allows a network-adjacent attacker with an administrative privilege to execute arbitrary OS commands by sending a specially crafted request to the product. Affected products and versions are as follows: WRC-X1800GS-B v1.17 and...

Code injection

NVIDIA Bluefield 2 and Bluefield 3 DPU BMC contains a vulnerability in ipmitool, where a root user may cause code injection by a network call. A successful exploit of this vulnerability may lead to code execution on the OS...

Xxe

Electronic Deliverables Creation Support Tool Construction Edition prior to Ver1.0.4 and Electronic Deliverables Creation Support Tool Design & Survey Edition prior to Ver1.0.4 improperly restrict XML external entity references XXE. By processing a specially crafted XML file, arbitrary files on t...

Xxe

Electronic Delivery Check System Doboku Ver.18.1.0 and earlier, Electronic Delivery Check System Dentsu Ver.12.1.0 and earlier, Electronic Delivery Check System Kikai Ver.10.1.0 and earlier, and Electronic delivery item Inspection Support SystemVer.4.0.31 and earlier improperly restrict XML...

Xxe

Electronic Delivery Check System Ministry of Agriculture, Forestry and Fisheries The Agriculture and Rural Development Project Version March, Heisei 31 era edition Ver.14.0.001.002 and earlier improperly restricts XML external entity references XXE. By processing a specially crafted XML file,...

Authentication flaw

Ubuntu's pipewire-pulse in snap grants microphone access even when the snap interface for audio-record is not set...

Design/Logic Flaw

Use after free in Passwords in Google Chrome prior to 121.0.6167.85 allowed a remote attacker to potentially exploit heap corruption via specific UI interaction. Chromium security severity: Medium...

Design/Logic Flaw

Inappropriate implementation in Autofill in Google Chrome prior to 121.0.6167.85 allowed a remote attacker to bypass Autofill restrictions via a crafted HTML page. Chromium security severity: Low...

Design/Logic Flaw

Insufficient policy enforcement in iOS Security UI in Google Chrome prior to 121.0.6167.85 allowed a remote attacker to leak cross-origin data via a crafted HTML page. Chromium security severity: Medium...

Design/Logic Flaw

Use after free in Web Audio in Google Chrome prior to 121.0.6167.85 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. Chromium security severity: High...

Integer overflow

Integer underflow in WebUI in Google Chrome prior to 121.0.6167.85 allowed a remote attacker to potentially exploit heap corruption via a malicious file. Chromium security severity: High...

Design/Logic Flaw

Inappropriate implementation in Extensions API in Google Chrome prior to 121.0.6167.85 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted Chrome Extension. Chromium security severity: Low...

Memory corruption

Inappropriate implementation in Accessibility in Google Chrome prior to 121.0.6167.85 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. Chromium security severity: High...

Design/Logic Flaw

Incorrect security UI in Payments in Google Chrome prior to 121.0.6167.85 allowed a remote attacker to potentially spoof security UI via a crafted HTML page. Chromium security severity: Medium...

Information disclosure

Inappropriate implementation in Downloads in Google Chrome prior to 121.0.6167.85 allowed a remote attacker to perform domain spoofing via a crafted domain name. Chromium security severity: Medium...

Hardcoded credentials

Android Spoon application version 7.11.1 to 8.6.0 uses hard-coded credentials, which may allow a local attacker to retrieve the hard-coded API key when the application binary is reverse-engineered. This API key may be used for unexpected access of the associated service...

Design/Logic Flaw

Squid is a caching proxy for the Web. Due to an expired pointer reference bug, Squid prior to version 6.6 is vulnerable to a Denial of Service attack against Cache Manager error responses. This problem allows a trusted client to perform Denial of Service when generating error pages for Client...

Design/Logic Flaw

Insufficient policy enforcement in DevTools in Google Chrome prior to 121.0.6167.85 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted Chrome Extension. Chromium security severity: Medium...

Server side request forgery (ssrf)

Label Studio, an open source data labeling tool had a remote import feature allowed users to import data from a remote web source, that was downloaded and could be viewed on the website. Prior to version 1.10.1, this feature could had been abused to download a HTML file that executed malicious...

Design/Logic Flaw

Use after free in Reading Mode in Google Chrome prior to 121.0.6167.85 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via specific UI interaction. Chromium security severity: Medium...

Default credentials

An issue was discovered in SolaX Pocket WiFi 3 through 3.001.02. Authentication for web interface is completed via an unauthenticated WiFi AP. The administrative password for the web interface has a default password, equal to the registration ID of the device. This same registration ID is used as...

Design/Logic Flaw

An issue was discovered in SolaX Pocket WiFi 3 through 3.001.02. An attacker within RF range can obtain a cleartext copy of the network configuration of the device, including the Wi-Fi PSK, during device setup and reconfiguration. Upon success, the attacker is able to further infiltrate the...

Authentication flaw

An issue was discovered in SolaX Pocket WiFi 3 through 3.001.02. The device provides a WiFi access point for initial configuration. The WiFi network provided has no network authentication such as an encryption key and persists permanently, including after enrollment and setup is complete. The WiF...

Cross site scripting

Label Studio is an a popular open source data labeling tool. Versions prior to 1.9.2 have a cross-site scripting XSS vulnerability that could be exploited when an authenticated user uploads a crafted image file for their avatar that gets rendered as a HTML file on the website. Executing arbitrary...