4985 matches found
VulnCheck KEV: CVE-2016-15040
The Kento Post View Counter plugin for WordPress is vulnerable to SQL Injection via the 'kentopvcgeo' parameter in versions up to, and including, 2.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...
VulnCheck KEV: CVE-2023-7292
The Paytium: Mollie payment forms & donations plugin for WordPress is vulnerable to unauthorized notification dismissal due to a missing capability check on the paytiumnoticedismiss function in versions up to, and including, 4.3.7. This makes it possible for authenticated attackers with...
VulnCheck KEV: CVE-2017-20192
The Formidable Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters submitted during form entries like 'afterhtml' in versions before 2.05.03 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated...
VulnCheck KEV: CVE-2022-4972
The Download Monitor plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on several REST-API routes related to reporting in versions up to, and including, 4.7.51. This makes it possible for unauthenticated attackers to view user data and other sensitive...
VulnCheck KEV: CVE-2021-4448
The Kaswara Modern VC Addons plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 3.0.1 due to insufficient capability checking on various AJAX actions. This makes it possible for unauthenticated attackers to perform a wide variety of unauthorized actions...
VulnCheck KEV: CVE-2020-36842
The Migration, Backup, Staging -WPvivid plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the wpvividuploadimportfiles and wpvividuploadfiles AJAX actions that allows low-level authenticated attackers to upload zip files that can be...
VulnCheck KEV: CVE-2016-15041
The MainWP Dashboard -The Private WordPress Manager for Multiple Website Maintenance plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'mwpsetuppurchaseusername' parameter in versions up to, and including, 3.1.2 due to insufficient input sanitization and output...
VulnCheck KEV: CVE-2017-20194
The Formidable Form Builder plugin for WordPress is vulnerable to Sensitive Data Exposure in versions up to, and including, 2.05.03 via the frmformspreview AJAX action. This makes it possible for unauthenticated attackers to export all of the form entries for a given form...
VulnCheck KEV: CVE-2024-42640
angular-base64-upload prior to v0.1.21 is vulnerable to unauthenticated remote code execution via demo/server.php. Exploiting this vulnerability allows an attacker to upload arbitrary content to the server, which can subsequently be accessed through demo/uploads. This leads to the execution of...
VulnCheck KEV: CVE-2018-20334
An issue was discovered in ASUSWRT 3.0.0.4.384.20308. When processing the /startapply.htm POST data, there is a command injection issue via shell metacharacters in the fbemail parameter. By using this issue, an attacker can control the router and get shell...
VulnCheck KEV: CVE-2023-0611
A vulnerability, which was classified as critical, has been found in TRENDnet TEW-652BRP 3.04B01. This issue affects some unknown processing of the file getset.ccp of the component Web Management Interface. The manipulation leads to command injection. The attack may be initiated remotely. The...
VulnCheck KEV: CVE-2024-22254
VMware ESXi contains an out-of-bounds write vulnerability. A malicious actor with privileges within the VMX process may trigger an out-of-bounds write leading to an escape of the sandbox...
VulnCheck KEV: CVE-2024-22255
VMware ESXi, Workstation, and Fusion contain an information disclosure vulnerability in the UHCI USB controller. A malicious actor with administrative access to a virtual machine may be able to exploit this issue to leak memory from the vmx process...
VulnCheck KEV: CVE-2024-30088
Microsoft Windows Kernel contains a time-of-check to time-of-use TOCTOU race condition vulnerability that could allow for privilege escalation...
VulnCheck KEV: CVE-2024-9707
The Hunk Companion plugin for WordPress is vulnerable to unauthorized plugin installation/activation due to a missing capability check on the /wp-json/hc/v1/themehunk-import REST API endpoint in all versions up to, and including, 1.8.4. This makes it possible for unauthenticated attackers to...
VulnCheck KEV: CVE-2023-4320
An arithmetic overflow flaw was found in Satellite when creating a new personal access token. This flaw allows an attacker who uses this arithmetic overflow to create personal access tokens that are valid indefinitely, resulting in damage to the system's integrity...
VulnCheck KEV: CVE-2024-9680
Mozilla Firefox and Firefox ESR contain a use-after-free vulnerability in Animation timelines that allows for code execution in the content process...
VulnCheck KEV: CVE-2021-39509
An issue was discovered in D-Link DIR-816 DIR-816A2FWv1.10CNB05R1B011D88210 The HTTP request parameter is used in the handler function of /goform/form2userconfig.cgi route, which can construct the user name string to delete the user function. This can lead to command injection through shell...
VulnCheck KEV: CVE-2024-23113
Fortinet FortiOS, FortiPAM, FortiProxy, and FortiWeb contain a format string vulnerability that allows a remote, unauthenticated attacker to execute arbitrary code or commands via specially crafted requests...
VulnCheck KEV: CVE-2024-37383
RoundCube Webmail contains a cross-site scripting XSS vulnerability in the handling of SVG animate attributes that allows a remote attacker to run malicious JavaScript code...
VulnCheck KEV: CVE-2024-43573
Microsoft Windows MSHTML Platform contains an unspecified spoofing vulnerability which can lead to a loss of confidentiality...
VulnCheck KEV: CVE-2024-43572
Microsoft Windows Management Console contains unspecified vulnerability that allows for remote code execution...
VulnCheck KEV: CVE-2024-9381
Path traversal in Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to bypass restrictions...
VulnCheck KEV: CVE-2024-9379
Ivanti Cloud Services Appliance CSA contains a SQL injection vulnerability in the admin web console in versions prior to 5.0.2, which can allow a remote attacker authenticated as administrator to run arbitrary SQL statements...
VulnCheck KEV: CVE-2023-22069
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware component: Core. Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle...
VulnCheck KEV: CVE-2024-8911
The LatePoint plugin for WordPress is vulnerable to Arbitrary User Password Change via SQL Injection in versions up to, and including, 5.0.11. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible...
VulnCheck KEV: CVE-2024-8943
The LatePoint plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.0.12. This is due to insufficient verification on the user being supplied during the booking customer step. This makes it possible for unauthenticated attackers to log in as any existing...
VulnCheck KEV: CVE-2024-44849
Qualitor up to 8.24 is vulnerable to Remote Code Execution RCE via Arbitrary File Upload in checkAcesso.php...
VulnCheck KEV: CVE-2024-9380
Ivanti Cloud Services Appliance CSA contains an OS command injection vulnerability in the administrative console which can allow an authenticated attacker with application admin privileges to pass commands to the underlying OS...
VulnCheck KEV: CVE-2024-44068
An issue was discovered in the m2m scaler driver in Samsung Mobile Processor and Wearable Processor Exynos 9820, 9825, 980, 990, 850,and W920. A Use-After-Free in the mobile processor leads to privilege escalation...
VulnCheck KEV: CVE-2024-8752
The Windows version of WebIQ 2.15.9 is affected by a directory traversal vulnerability that allows remote attackers to read any file on the system...
VulnCheck KEV: CVE-2024-7679
In Progress Telerik UI for WinForms versions prior to 2024 Q3 2024.3.924, a command injection attack is possible through improper neutralization of hyperlink elements...
VulnCheck KEV: CVE-2024-8316
In Progress Telerik UI for WPF versions prior to 2024 Q3 2024.3.924, a code execution attack is possible through an insecure deserialization vulnerability...
VulnCheck KEV: CVE-2024-7575
In Progress Telerik UI for WPF versions prior to 2024 Q3 2024.3.924, a command injection attack is possible through improper neutralization of hyperlink elements...
VulnCheck KEV: CVE-2024-7576
In Progress Telerik UI for WPF versions prior to 2024 Q3 2024.3.924, a code execution attack is possible through an insecure deserialization vulnerability...
VulnCheck KEV: CVE-2024-9014
pgAdmin versions 8.11 and earlier are vulnerable to a security flaw in OAuth2 authentication. This vulnerability allows an attacker to potentially obtain the client ID and secret, leading to unauthorized access to user data...
VulnCheck KEV: CVE-2024-3080
Certain ASUS router models have authentication bypass vulnerability, allowing unauthenticated remote attackers to log in the device...
VulnCheck KEV: CVE-2012-2626
cgi-bin/admin.cgi in the web console in Plixer Scrutinizer aka Dell SonicWALL Scrutinizer before 9.5.0 does not require token authentication, which allows remote attackers to add administrative accounts via a userprefs action...
VulnCheck KEV: CVE-2024-9265
The Echo RSS Feed Post Generator plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 5.4.6. This is due to the plugin not properly restricting the roles that can set during registration through the echocheckpostheadersent function. This makes...
VulnCheck KEV: CVE-2024-45519
Synacor Zimbra Collaboration Suite ZCS contains an unspecified vulnerability in the postjournal service that may allow an unauthenticated user to execute commands...
VulnCheck KEV: CVE-2019-0344
SAP Commerce Cloud formerly known as Hybris contains a deserialization of untrusted data vulnerability within the mediaconversion and virtualjdbc extension that allows for code injection...
VulnCheck KEV: CVE-2024-8181
An Authentication Bypass vulnerability exists in Flowise version 1.8.2. This could allow a remote, unauthenticated attacker to access API endpoints as an administrator and allow them to access restricted functionality...
VulnCheck KEV: CVE-2024-9537
ScienceLogic SL1 formerly EM7 is affected by an unspecified vulnerability involving an unspecified third-party component...
VulnCheck KEV: CVE-2024-47308
The Templately – Elementor & Gutenberg Template Library: 5000+ Free & Pro Ready Templates & Cloud! plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.1.2. This makes it possible for unauthenticated...
VulnCheck KEV: CVE-2024-47176
CUPS is a standards-based, open-source printing system, and cups-browsed contains network printing functionality including, but not limited to, auto-discovering print services and shared printers. cups-browsed binds to INADDRANY:631, causing it to trust any packet from any source, and...
VulnCheck KEV: CVE-2024-2330
A vulnerability was found in Netentsec NS-ASG Application Security Gateway 6.3. It has been classified as critical. This affects an unknown part of the file /protocol/index.php. The manipulation of the argument IPAddr leads to sql injection. It is possible to initiate the attack remotely. The...
VulnCheck KEV: CVE-2024-4325
A Server-Side Request Forgery SSRF vulnerability exists in the gradio-app/gradio version 4.21.0, specifically within the /queue/join endpoint and the saveurltocache function. The vulnerability arises when the path value, obtained from the user and expected to be a URL, is used to...
VulnCheck KEV: CVE-2024-7954
The porteplume plugin used by SPIP before 4.30-alpha2, 4.2.13, and 4.1.16 is vulnerable to an arbitrary code execution vulnerability. A remote and unauthenticated attacker can execute arbitrary PHP as the SPIP user by sending a crafted HTTP request...
VulnCheck KEV: CVE-2018-18775
Microstrategy Web, version 7, does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting XSS vulnerability via the Login.asp Msg parameter. NOTE: this is a deprecated product...
VulnCheck KEV: CVE-2002-0953
globals.php in PHP Address before 0.2f, with the PHP allowurlfopen and registerglobals variables enabled, allows remote attackers to execute arbitrary PHP code via a URL to the code in the LangCookie parameter...