‼ CVE-2023-1420 ‼
📖 Read
via "National Vulnerability Database".
The Ajax Search Lite WordPress plugin before 4.11.1, Ajax Search Pro WordPress plugin before 4.26.2 does not sanitise and escape a parameter before outputting it back in a response of an AJAX action, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin📖 Read
via "National Vulnerability Database".
‼ CVE-2023-1435 ‼
📖 Read
via "National Vulnerability Database".
The Ajax Search Pro WordPress plugin before 4.26.2 does not sanitise and escape various parameters before outputting them back in pages, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin📖 Read
via "National Vulnerability Database".
‼ CVE-2023-2257 ‼
📖 Read
via "National Vulnerability Database".
Authentication Bypass in Hub Business integration in Devolutions Workspace Desktop 2023.1.1.3 and earlier on Windows and macOS allows an attacker with access to the user interface to unlock a Hub Business space without being prompted to enter the password via an unimplemented "Force Login" security feature.This vulnerability occurs only if "Force Login" feature is enabled on the Hub Business instance and that an attacker has access to a locked Workspace desktop application configured with a Hub Business space.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-1624 ‼
📖 Read
via "National Vulnerability Database".
The WPCode WordPress plugin before 2.0.9 has a flawed CSRF when deleting log, and does not ensure that the file to be deleted is inside the expected folder. This could allow attackers to make users with the wpcode_activate_snippets capability delete arbitrary log files on the server, including outside of the blog folders📖 Read
via "National Vulnerability Database".
‼ CVE-2023-1414 ‼
📖 Read
via "National Vulnerability Database".
The WP VR WordPress plugin before 8.3.0 does not have authorisation and CSRF checks in various AJAX actions, one in particular could allow any authenticated users, such as subscriber to update arbitrary tours📖 Read
via "National Vulnerability Database".
‼ CVE-2023-1623 ‼
📖 Read
via "National Vulnerability Database".
The Custom Post Type UI WordPress plugin before 1.13.5 does not properly check for CSRF when sending the debug information to a user supplied email, which could allow attackers to make a logged in admin send such information to an arbitrary email address via a CSRF attack.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-1129 ‼
📖 Read
via "National Vulnerability Database".
The WP FEvents Book WordPress plugin through 0.46 does not ensures that bookings to be updated belong to the user making the request, allowing any authenticated user to book, add notes, or cancel booking on behalf of other users.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-1020 ‼
📖 Read
via "National Vulnerability Database".
The Steveas WP Live Chat Shoutbox WordPress plugin through 1.4.2 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-27848 ‼
📖 Read
via "National Vulnerability Database".
broccoli-compass v0.2.4 was discovered to contain a remote code execution (RCE) vulnerability via the child_process function.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-26099 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in Telindus Apsal 3.14.2022.235 b. The consultation permission is insecure.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-26865 ‼
📖 Read
via "National Vulnerability Database".
SQL injection vulnerability found in PrestaShop bdroppy v.2.2.12 and before allowing a remote attacker to gain privileges via the BdroppyCronModuleFrontController::importProducts component.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-29566 ‼
📖 Read
via "National Vulnerability Database".
huedawn-tesseract 0.3.3 and dawnsparks-node-tesseract 0.4.0 to 0.4.1 was discovered to contain a remote code execution (RCE) vulnerability via the child_process function.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-27990 ‼
📖 Read
via "National Vulnerability Database".
The XSS vulnerability in Zyxel ATP series firmware versions 4.32 through 5.35, USG FLEX series firmware versions 4.50 through 5.35, USG FLEX 50(W) firmware versions 4.16 through 5.35, USG20(W)-VPN firmware versions 4.16 through 5.35, and VPN series firmware versions 4.30 through 5.35, which could allow an authenticated attacker with administrator privileges to store malicious scripts in a vulnerable device. A successful XSS attack could then result in the stored malicious scripts being executed when the user visits the Logs page of the GUI on the device.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-27849 ‼
📖 Read
via "National Vulnerability Database".
rails-routes-to-json v1.0.0 was discovered to contain a remote code execution (RCE) vulnerability via the child_process function.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-26059 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in Nokia NetAct before 22 SP1037. On the Site Configuration Tool tab, attackers can upload a ZIP file which, when processed, exploits Stored XSS. The upload option of the Site Configuration tool does not validate the file contents. The application is in a demilitarised zone behind a perimeter firewall and without exposure to the internet. The attack can only be performed by an internal user.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-22918 ‼
📖 Read
via "National Vulnerability Database".
A post-authentication information exposure vulnerability in the CGI program of Zyxel ATP series firmware versions 4.32 through 5.35, USG FLEX series firmware versions 4.50 through 5.35, USG FLEX 50(W) firmware versions 4.16 through 5.35, USG20(W)-VPN firmware versions 4.16 through 5.35, VPN series firmware versions 4.30 through 5.35, NWA110AX firmware version 6.50(ABTG.2) and earlier versions, WAC500 firmware version 6.50(ABVS.0) and earlier versions, and WAX510D firmware version 6.50(ABTF.2) and earlier versions, which could allow a remote authenticated attacker to retrieve encrypted information of the administrator on an affected device.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-26097 ‼
📖 Read
via "National Vulnerability Database".
An issue was discovered in Telindus Apsal 3.14.2022.235 b. Unauthorized actions that could modify the application behaviour may not be blocked.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-27991 ‼
📖 Read
via "National Vulnerability Database".
The post-authentication command injection vulnerability in the CLI command of Zyxel ATP series firmware versions 4.32 through 5.35, USG FLEX series firmware versions 4.50 through 5.35, USG FLEX 50(W) firmware versions 4.16 through 5.35, USG20(W)-VPN firmware versions 4.16 through 5.35, and VPN series firmware versions 4.30 through 5.35, which could allow an authenticated attacker to execute some OS commands remotely.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-29780 ‼
📖 Read
via "National Vulnerability Database".
Third Reality Smart Blind 1.00.54 contains a denial-of-service vulnerability, which allows a remote attacker to send malicious Zigbee messages to a vulnerable device and cause crashes.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-0899 ‼
📖 Read
via "National Vulnerability Database".
The Steveas WP Live Chat Shoutbox WordPress plugin through 1.4.2 does not sanitise and escape a parameter before outputting it back in the Shoutbox, leading to Stored Cross-Site Scripting which could be used against high privilege users such as admins.📖 Read
via "National Vulnerability Database".
‼ CVE-2023-0276 ‼
📖 Read
via "National Vulnerability Database".
The Weaver Xtreme Theme Support WordPress plugin before 6.2.7 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.📖 Read
via "National Vulnerability Database".