4985 matches found
VulnCheck KEV: CVE-2022-34154
Authenticated author or higher user role Arbitrary File Upload vulnerability in ideasToCode Enable SVG, WebP & ICO Upload plugin = 1.0.1 at WordPress...
VulnCheck KEV: CVE-2022-26138
Atlassian Questions For Confluence App has hard-coded credentials, exposing the username and password in plaintext. A remote unauthenticated attacker can use these credentials to log into Confluence and access all content accessible to users in the confluence-users group...
VulnCheck KEV: CVE-2022-2383
The Feed Them Social WordPress plugin before 3.0.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting...
VulnCheck KEV: CVE-2022-2461
The Transposh WordPress Translation plugin for WordPress is vulnerable to unauthorized setting changes by unauthenticated users in versions up to, and including, 1.0.9.6. This is due to insufficient permissions checking on the 'tptranslation' AJAX action and default settings which makes it...
VulnCheck KEV: CVE-2022-31181
PrestaShop is an Open Source e-commerce platform. In versions from 1.6.0.10 and before 1.7.8.7 PrestaShop is subject to an SQL injection vulnerability which can be chained to call PHP's Eval function on attacker input. The problem is fixed in version 1.7.8.7. Users are advised to upgrade. Users...
VulnCheck KEV: CVE-2018-6055
Insufficient policy enforcement in Catalog Service in Google Chrome prior to 64.0.3282.119 allowed a remote attacker to potentially run arbitrary code outside sandbox via a crafted HTML page...
VulnCheck KEV: CVE-2020-9934
Apple iOS, iPadOS, and macOS contain an unspecified vulnerability involving input validation which can allow a local attacker to view sensitive user information...
VulnCheck KEV: CVE-2022-2856
Google Chromium Intents contains an insufficient validation of untrusted input vulnerability that allows a remote attacker to browse to a malicious website via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google...
VulnCheck KEV: CVE-2022-26352
dotCMS ContentResource API contains an unrestricted upload of file with a dangerous type vulnerability that allows for directory traversal, in which the file is saved outside of the intended storage location. Exploitation allows for remote code execution...
VulnCheck KEV: CVE-2022-2003
AutomationDirect DirectLOGIC is vulnerable to a specifically crafted serial message to the CPU serial port that will cause the PLC to respond with the PLC password in cleartext. This could allow an attacker to access and make unauthorized changes. This issue affects: AutomationDirect...
VulnCheck KEV: CVE-2022-22047
Microsoft Windows CSRSS contains an unspecified vulnerability that allows for privilege escalation to SYSTEM privileges...
VulnCheck KEV: CVE-2022-2294
WebRTC, an open-source project providing web browsers with real-time communication, contains a heap buffer overflow vulnerability that allows an attacker to perform shellcode execution. This vulnerability impacts web browsers using WebRTC including but not limited to Google Chrome...
VulnCheck KEV: CVE-2022-33198
Unauthenticated WordPress Options Change vulnerability in Biplob Adhikari's Accordions plugin = 2.0.2 at WordPress...
VulnCheck KEV: CVE-2022-34487
Unauthenticated Arbitrary Option Update vulnerability in biplob018's Shortcode Addons plugin = 3.0.2 at WordPress...
VulnCheck KEV: CVE-2020-26878
Ruckus through 1.5.1.0.21 is affected by remote command injection. An authenticated user can submit a query to the API /service/v1/createUser endpoint, injecting arbitrary commands that will be executed as root user via web.py...
VulnCheck KEV: CVE-2022-28666
Broken Access Control vulnerability in YIKES Inc. Custom Product Tabs for WooCommerce plugin = 1.7.7 at WordPress leading to &yikes-the-content-toggle option update...
VulnCheck KEV: CVE-2020-26879
Ruckus vRioT through 1.5.1.0.21 has an API backdoor that is hardcoded into validatetoken.py. An unauthenticated attacker can interact with the service API by using a backdoor value as the Authorization header...
VulnCheck KEV: CVE-2018-4344
Apple iOS, macOS, tvOS, and watchOS contain a memory corruption vulnerability which can allow for code execution...
VulnCheck KEV: CVE-2022-29499
The Service Appliance component in Mitel MiVoice Connect allows remote code execution due to incorrect data validation...
VulnCheck KEV: CVE-2020-9907
Apple iOS, iPadOS, and tvOS contain a memory corruption vulnerability that could allow an application to execute code with kernel privileges...
VulnCheck KEV: CVE-2019-8605
A use-after-free vulnerability in Apple iOS, macOS, tvOS, and watchOS could allow a malicious application to execute code with system privileges...
VulnCheck KEV: CVE-2020-3837
Apple iOS, iPadOS, macOS, tvOS, and watchOS contain a memory corruption vulnerability that could allow an application to execute code with kernel privileges...
VulnCheck KEV: CVE-2021-20655
FileZen V3.0.0 to V4.2.7 and V5.0.0 to V5.0.2 allows a remote attacker with administrator rights to execute arbitrary OS commands via unspecified vectors...
VulnCheck KEV: CVE-2021-34730
A vulnerability in the Universal Plug-and-Play UPnP service of Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers could allow an unauthenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly, resulting in a denial of service DoS...
VulnCheck KEV: CVE-2022-34478
The ms-msdt, search, and search-ms protocols deliver content to Microsoft applications, bypassing the browser, when a user accepts a prompt. These applications have had known vulnerabilities, exploited in the wild although we know of none exploited through Thunderbird, so in this release...
VulnCheck KEV: CVE-2021-43226
Microsoft Windows Common Log File System Driver contains a privilege escalation vulnerability that could allow a local, privileged attacker to bypass certain security mechanisms...
VulnCheck KEV: CVE-2021-43207
Windows Common Log File System Driver Elevation of Privilege Vulnerability...
VulnCheck KEV: CVE-2021-38163
SAP NetWeaver contains a vulnerability that allows unrestricted file upload...
VulnCheck KEV: CVE-2016-2386
SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors...
VulnCheck KEV: CVE-2016-2388
The Universal Worklist Configuration in SAP NetWeaver AS JAVA 7.4 allows remote attackers to obtain sensitive user information via a crafted HTTP request...
VulnCheck KEV: CVE-2009-0557
Microsoft Office contains an object record corruption vulnerability that allows remote attackers to execute code via a crafted Excel file with a malformed record object...
VulnCheck KEV: CVE-2019-15271
A deserialization of untrusted data vulnerability in the web-based management interface of certain Cisco Small Business RV Series Routers could allow an attacker to execute code with root privileges...
VulnCheck KEV: CVE-2017-6862
Multiple NETGEAR devices contain a buffer overflow vulnerability that allows for authentication bypass and remote code execution...
VulnCheck KEV: CVE-2021-4034
The Red Hat polkit pkexec utility contains an out-of-bounds read and write vulnerability that allows for privilege escalation with administrative rights...
VulnCheck KEV: CVE-2022-1903
The ARMember WordPress plugin before 3.4.8 is vulnerable to account takeover even the administrator due to missing nonce and authorization checks in an AJAX action available to unauthenticated users, allowing them to change the password of arbitrary users by knowing their username...
VulnCheck KEV: CVE-2021-41951
ResourceSpace before 9.6 rev 18290 is affected by a reflected Cross-Site Scripting vulnerability in plugins/wordpresssso/pages/index.php via the wordpressuser parameter. If an attacker is able to persuade a victim to visit a crafted URL, malicious JavaScript content may be executed within the...
VulnCheck KEV: CVE-2021-20837
Movable Type 7 r.5002 and earlier Movable Type 7 Series, Movable Type 6.8.2 and earlier Movable Type 6 Series, Movable Type Advanced 7 r.5002 and earlier Movable Type Advanced 7 Series, Movable Type Advanced 6.8.2 and earlier Movable Type Advanced 6 Series, Movable Type Premium 1.46 and...
VulnCheck KEV: CVE-2021-43778
Barcode is a GLPI plugin for printing barcodes and QR codes. GLPI instances version 2.x prior to version 2.6.1 with the barcode plugin installed are vulnerable to a path traversal vulnerability. This issue was patched in version 2.6.1. As a workaround, delete the front/send.php file...
VulnCheck KEV: CVE-2021-41277
Metabase contains a local file inclusion vulnerability in the custom map support in the API to read GeoJSON formatted data...
VulnCheck KEV: CVE-2021-22053
Applications using both spring-cloud-netflix-hystrix-dashboard and spring-boot-starter-thymeleaf expose a way to execute code submitted within the request URI path during the resolution of view templates. When a request is made at /hystrix/monitor;user-provided data, the path elements...
VulnCheck KEV: CVE-2021-41349
Microsoft Exchange Server Spoofing Vulnerability...
VulnCheck KEV: CVE-2021-21980
The vSphere Web Client FLEX/Flash contains an unauthorized arbitrary file read vulnerability. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to gain access to sensitive information...
VulnCheck KEV: CVE-2021-24750
The WP Visitor Statistics Real Time Traffic WordPress plugin before 4.8 does not properly sanitise and escape the refUrl in the refDetails AJAX action, available to any authenticated user, which could allow users with a role as low as subscriber to perform SQL injection attacks...
VulnCheck KEV: CVE-2021-41174
Grafana is an open-source platform for monitoring and observability. In affected versions if an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim's browser. The user visiting the...
VulnCheck KEV: CVE-2022-30190
A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run code with the privileges of the calling application...
VulnCheck KEV: CVE-2021-35064
KramerAV VIAWare, all tested versions, allow privilege escalation through misconfiguration of sudo. Sudoers permits running of multiple dangerous commands, including unzip, systemctl and dpkg...
VulnCheck KEV: CVE-2021-4039
A command injection vulnerability in the web interface of the Zyxel NWA-1100-NH firmware could allow an attacker to execute arbitrary OS commands on the device...
VulnCheck KEV: CVE-2021-36356
KRAMER VIAware through August 2021 allows remote attackers to execute arbitrary code because ajaxPages/writeBrowseFilePathAjax.php accepts arbitrary executable pathnames even though browseSystemFiles.php is no longer reachable via the GUI. NOTE: this issue exists because of an incomplete fix...
VulnCheck KEV: CVE-2018-16763
FUEL CMS 1.4.1 allows PHP Code Evaluation via the pages/select/ filter parameter or the preview/ data parameter. This can lead to Pre-Auth Remote Code Execution...
VulnCheck KEV: CVE-2019-3010
Oracle Solaris component: XScreenSaver contains an unspecified vulnerability that allows for privilege escalation...