4985 matches found
VulnCheck KEV: CVE-2023-41990
Apple iOS, iPadOS, macOS, tvOS, and watchOS contain an unspecified vulnerability that allows for code execution when processing a font file...
VulnCheck KEV: CVE-2021-24918
The Smash Balloon Social Post Feed WordPress plugin before 4.0.1 did not have any privilege or nonce validation before saving the plugin's setting. As a result, any logged-in user on a vulnerable site could update the settings and store rogue JavaScript on each of its posts and pages...
VulnCheck KEV: CVE-2023-24059
Grand Theft Auto V for PC allows attackers to achieve partial remote code execution or modify files on a PC, as exploited in the wild in January 2023...
VulnCheck KEV: CVE-2022-47615
Local File Inclusion vulnerability in LearnPress – WordPress LMS Plugin = 4.1.7.3.2 versions...
VulnCheck KEV: CVE-2022-45808
SQL Injection vulnerability in LearnPress – WordPress LMS Plugin = 4.1.7.3.2 versions...
VulnCheck KEV: CVE-2021-24258
The Elements Kit Lite and Elements Kit Pro WordPress Plugins before 2.2.0 have a number of widgets that are vulnerable to stored Cross-Site Scripting XSS by lower-privileged users such as contributors, all via a similar method...
VulnCheck KEV: CVE-2022-47966
Multiple Zoho ManageEngine products contain an unauthenticated remote code execution vulnerability due to the usage of an outdated third-party dependency, Apache Santuario...
VulnCheck KEV: CVE-2021-24164
In the Ninja Forms Contact Form WordPress plugin before 3.4.34.1, low-level users, such as subscribers, were able to trigger the action, wpajaxnfoauth, and retrieve the connection url needed to establish a connection. They could also retrieve the clientid for an already established OAuth...
VulnCheck KEV: CVE-2022-39197
Fortra Cobalt Strike contains a cross-site scripting XSS vulnerability in Teamserver that would allow an attacker to set a malformed username in the Beacon configuration, allowing them to execute code remotely...
VulnCheck KEV: CVE-2022-0456
Use after free in Web Search in Google Chrome prior to 98.0.4758.80 allowed a remote attacker to potentially exploit heap corruption via profile destruction...
VulnCheck KEV: CVE-2022-23714
A local privilege escalation LPE issue was discovered in the ransomware canaries features of Elastic Endpoint Security for Windows, which could allow unprivileged users to elevate their privileges to those of the LocalSystem account...
VulnCheck KEV: CVE-2022-24500
Windows SMB Remote Code Execution Vulnerability...
VulnCheck KEV: CVE-2023-23488
The Paid Memberships Pro WordPress Plugin, version 2.9.8, is affected by an unauthenticated SQL injection vulnerability in the 'code' parameter of the '/pmpro/v1/order' REST route...
VulnCheck KEV: CVE-2022-27510
Unauthorized access to Gateway user capabilities...
VulnCheck KEV: CVE-2022-31474
Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability in iThemes BackupBuddy allows Path Traversal.This issue affects BackupBuddy: from 8.5.8.0 through 8.7.4.1...
VulnCheck KEV: CVE-2022-2486
A vulnerability, which was classified as critical, was found in WAVLINK WN535K2 and WN535K3. This affects an unknown part of the file /cgi-bin/mesh.cgi?page=upgrade. The manipulation of the argument key leads to os command injection. The exploit has been disclosed to the public and may be used...
VulnCheck KEV: CVE-2022-31499
Nortek Linear eMerge E3-Series devices before 0.32-08f allow an unauthenticated attacker to inject OS commands via ReaderNo. NOTE: this issue exists because of an incomplete fix for CVE-2019-7256...
VulnCheck KEV: CVE-2022-42889
Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "$prefix:name", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the...
VulnCheck KEV: CVE-2021-34429
For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc...
VulnCheck KEV: CVE-2021-24184
Several AJAX endpoints in the Tutor LMS – eLearning and online course solution WordPress plugin before 1.7.7 were unprotected, allowing students to modify course information and elevate their privileges among many other actions...
VulnCheck KEV: CVE-2021-24183
The tutorquizbuildergetquestionform AJAX action from the Tutor LMS – eLearning and online course solution WordPress plugin before 1.8.3 was vulnerable to UNION based SQL injection that could be exploited by students...
VulnCheck KEV: CVE-2021-24527
The User Registration & User Profile – Profile Builder WordPress plugin before 3.4.9 has a bug allowing any user to reset the password of the admin of the blog, and gain unauthorised access, due to a bypass in the way the reset key is checked. Furthermore, the admin will not be notified of such...
VulnCheck KEV: CVE-2022-44877
CWP Control Web Panel formerly CentOS Web Panel contains an OS command injection vulnerability that allows remote attackers to execute commands via shell metacharacters in the login parameter...
VulnCheck KEV: CVE-2022-4700
The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wpractivaterequiredtheme' AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to activate the...
VulnCheck KEV: CVE-2022-4705
The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wprfinalsettingssetup' AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to finalize activation of...
VulnCheck KEV: CVE-2023-21674
Microsoft Windows Advanced Local Procedure Call ALPC contains an unspecified vulnerability that allows for privilege escalation...
VulnCheck KEV: CVE-2022-4711
The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wprsavemegamenusettings' AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to enable and modify...
VulnCheck KEV: CVE-2015-2291
Intel ethernet diagnostics driver for Windows IQVW32.sys and IQVW64.sys contain an unspecified vulnerability that allows for a denial-of-service DoS...
VulnCheck KEV: CVE-2023-2877
The Formidable Forms WordPress plugin before 6.3.1 does not adequately authorize the user or validate the plugin URL in its functionality for installing add-ons. This allows a user with a role as low as Subscriber to install and activate arbitrary plugins of arbitrary versions from the...
VulnCheck KEV: CVE-2022-4709
The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wprimportlibrarytemplate' AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to import and activate...
VulnCheck KEV: CVE-2022-4702
The Royal Elementor Addons plugin for WordPress is vulnerable to insufficient access control in the 'wprfixroyalcompatibility' AJAX action in versions up to, and including, 1.3.59. This allows any authenticated user, including those with subscriber-level permissions, to deactivate every plugin...
VulnCheck KEV: CVE-2022-46169
Cacti contains a command injection vulnerability that allows an unauthenticated user to execute code...
VulnCheck KEV: CVE-2023-22278
m-FILTER prior to Ver.5.70R01 Ver.5 Series and m-FILTER prior to Ver.4.87R04 Ver.4 Series allows a remote unauthenticated attacker to bypass authentication and send users' unintended email when email is being sent under the certain conditions. The attacks exploiting this vulnerability have...
VulnCheck KEV: CVE-2023-22952
Multiple SugarCRM products contain a remote code execution vulnerability in the EmailTemplates. Using a specially crafted request, custom PHP code can be injected through the EmailTemplates...
VulnCheck KEV: CVE-2022-3805
The Jeg Elementor Kit plugin for WordPress is vulnerable to authorization bypass in various functions used to update the plugin settings in versions up to, and including, 2.5.6. Unauthenticated users can use an easily available nonce, obtained from pages edited by the plugin, to update the...
VulnCheck KEV: CVE-2019-17232
Functions/EWDUFAQImport.php in the ultimate-faqs plugin through 1.8.24 for WordPress allows unauthenticated options import...
VulnCheck KEV: CVE-2016-10972
The newspaper theme before 6.7.2 for WordPress has a lack of options access control via tdajaxupdatepanel...
VulnCheck KEV: CVE-2019-17233
Functions/EWDUFAQImport.php in the ultimate-faqs plugin through 1.8.24 for WordPress allows HTML content injection...
VulnCheck KEV: CVE-2018-5430
TIBCO JasperReports Server contain a vulnerability which may allow any authenticated user read-only access to the contents of the web application, including key configuration files...
VulnCheck KEV: CVE-2018-18809
TIBCO JasperReports Library contains a directory-traversal vulnerability that may allow web server users to access contents of the host system...
VulnCheck KEV: CVE-2022-4060
The User Post Gallery WordPress plugin through 2.19 does not limit what callback functions can be called by users, making it possible to any visitors to run code on sites running it...
VulnCheck KEV: CVE-2022-45359
Unauth. Arbitrary File Upload vulnerability in YITH WooCommerce Gift Cards premium plugin = 3.19.0 on WordPress...
VulnCheck KEV: CVE-2017-17106
Credentials for Zivif PR115-204-P-RS V2.3.4.2103 Webcams can be obtained by an unauthenticated remote attacker using a standard web /cgi-bin/hi3510/param.cgi?cmd=getuser HTTP request. This vulnerability exists because of a lack of authentication checks in requests to CGI pages...
VulnCheck KEV: CVE-2018-20057
An issue was discovered in /bin/boa on D-Link DIR-619L Rev.B 2.06B1 and DIR-605L Rev.B 2.12B1 devices. goform/formSysCmd allows remote authenticated users to execute arbitrary OS commands via the sysCmd POST parameter...
VulnCheck KEV: CVE-2017-17105
Zivif PR115-204-P-RS V2.3.4.2103 and V4.7.4.2121 and possibly in-between versions web cameras are vulnerable to unauthenticated, blind remote command injection via CGI scripts used as part of the web interface, as demonstrated by a...
VulnCheck KEV: CVE-2022-31137
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Versions prior to 6.1.1.0 are subject to a remote code execution vulnerability. System commands can be run remotely via the subprocessexecute function without processing the inputs received from the user in...
VulnCheck KEV: CVE-2022-30023
Tenda ONT GPON AC1200 Dual band WiFi HG9 v1.0.1 is vulnerable to Command Injection via the Ping function...
VulnCheck KEV: CVE-2022-33891
Apache Spark contains a command injection vulnerability via Spark User Interface UI when Access Control Lists ACLs are enabled...
VulnCheck KEV: CVE-2020-7209
LinuxKI v6.0-1 and earlier is vulnerable to an remote code execution which is resolved in release 6.0-2...
VulnCheck KEV: CVE-2022-41080
Microsoft Exchange Server contains an unspecified vulnerability that allows for privilege escalation. This vulnerability is chainable with CVE-2022-41082, which allows for remote code execution...