๐จ CVE-2021-47768
ImportExportTools NG 10.0.4 contains a persistent HTML injection vulnerability in the email export module that allows remote attackers to inject malicious HTML payloads. Attackers can send emails with crafted HTML in the subject that execute during HTML export, potentially compromising user data or session credentials.
๐@cveNotify
ImportExportTools NG 10.0.4 contains a persistent HTML injection vulnerability in the email export module that allows remote attackers to inject malicious HTML payloads. Attackers can send emails with crafted HTML in the subject that execute during HTML export, potentially compromising user data or session credentials.
๐@cveNotify
๐จ CVE-2026-20047
A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface.
This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have valid administrative credentials.
๐@cveNotify
A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the interface.
This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have valid administrative credentials.
๐@cveNotify
Cisco
Cisco Security Advisory: Cisco Identity Services Engine Cross-Site Scripting Vulnerability
A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user ofโฆ
๐จ CVE-2022-3689
The HTML Forms WordPress plugin before 1.3.25 does not properly properly escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users
๐@cveNotify
The HTML Forms WordPress plugin before 1.3.25 does not properly properly escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users
๐@cveNotify
WPScan
HTML Forms < 1.3.25 - Admin+ SQLi
See details on HTML Forms < 1.3.25 - Admin+ SQLi CVE 2022-3689. View the latest Plugin Vulnerabilities on WPScan.
๐จ CVE-2023-33939
Cross-site scripting (XSS) vulnerability in the Modified Facet widget in Liferay Portal 7.1.0 through 7.4.3.12, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 18, 7.3 before update 4, and 7.4 before update 9 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a facet label.
๐@cveNotify
Cross-site scripting (XSS) vulnerability in the Modified Facet widget in Liferay Portal 7.1.0 through 7.4.3.12, and Liferay DXP 7.1 before fix pack 27, 7.2 before fix pack 18, 7.3 before update 4, and 7.4 before update 9 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a facet label.
๐@cveNotify
๐จ CVE-2023-33940
Cross-site scripting (XSS) vulnerability in IFrame type Remote Apps in Liferay Portal 7.4.0 through 7.4.3.30, and Liferay DXP 7.4 before update 31 allows remote attackers to inject arbitrary web script or HTML via the Remote App's IFrame URL.
๐@cveNotify
Cross-site scripting (XSS) vulnerability in IFrame type Remote Apps in Liferay Portal 7.4.0 through 7.4.3.30, and Liferay DXP 7.4 before update 31 allows remote attackers to inject arbitrary web script or HTML via the Remote App's IFrame URL.
๐@cveNotify
๐จ CVE-2023-33943
Cross-site scripting (XSS) vulnerability in the Account module in Liferay Portal 7.4.3.21 through 7.4.3.62, and Liferay DXP 7.4 update 21 through 62 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a user's (1) First Name, (2) Middle Name, (3) Last Name, or (4) Job Title text field.
๐@cveNotify
Cross-site scripting (XSS) vulnerability in the Account module in Liferay Portal 7.4.3.21 through 7.4.3.62, and Liferay DXP 7.4 update 21 through 62 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a user's (1) First Name, (2) Middle Name, (3) Last Name, or (4) Job Title text field.
๐@cveNotify
๐จ CVE-2023-33944
Cross-site scripting (XSS) vulnerability in Layout module in Liferay Portal 7.3.4 through 7.4.3.68, and Liferay DXP 7.3 before update 24, and 7.4 before update 69 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a container type layout fragment's `URL` text field.
๐@cveNotify
Cross-site scripting (XSS) vulnerability in Layout module in Liferay Portal 7.3.4 through 7.4.3.68, and Liferay DXP 7.3 before update 24, and 7.4 before update 69 allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a container type layout fragment's `URL` text field.
๐@cveNotify
๐จ CVE-2023-3426
The organization selector in Liferay Portal 7.4.3.81 through 7.4.3.85, and Liferay DXP 7.4 update 81 through 85 does not check user permission, which allows remote authenticated users to obtain a list of all organizations.
๐@cveNotify
The organization selector in Liferay Portal 7.4.3.81 through 7.4.3.85, and Liferay DXP 7.4 update 81 through 85 does not check user permission, which allows remote authenticated users to obtain a list of all organizations.
๐@cveNotify
๐จ CVE-2024-2433
An improper authorization vulnerability in Palo Alto Networks Panorama software enables an authenticated read-only administrator to upload files using the web interface and completely fill one of the disk partitions with those uploaded files, which prevents the ability to log into the web interface or to download PAN-OS, WildFire, and content images.
This issue affects only the web interface of the management plane; the dataplane is unaffected.
๐@cveNotify
An improper authorization vulnerability in Palo Alto Networks Panorama software enables an authenticated read-only administrator to upload files using the web interface and completely fill one of the disk partitions with those uploaded files, which prevents the ability to log into the web interface or to download PAN-OS, WildFire, and content images.
This issue affects only the web interface of the management plane; the dataplane is unaffected.
๐@cveNotify
Palo Alto Networks Product Security Assurance
CVE-2024-2433 PAN-OS: Improper Privilege Management Vulnerability in Panorama Software Leads to Availability Loss
An improper authorization vulnerability in Palo Alto Networks Panorama software enables an authenticated read-only administrator to upload files using the web interface and completely fill one of the ...
๐จ CVE-2024-24506
Cross Site Scripting (XSS) vulnerability in Lime Survey Community Edition Version v.5.3.32+220817, allows remote attackers to execute arbitrary code via the Administrator email address parameter in the General Setting function.
๐@cveNotify
Cross Site Scripting (XSS) vulnerability in Lime Survey Community Edition Version v.5.3.32+220817, allows remote attackers to execute arbitrary code via the Administrator email address parameter in the General Setting function.
๐@cveNotify
๐จ CVE-2024-27674
Macro Expert through 4.9.4 allows BUILTIN\Users:(OI)(CI)(M) access to the "%PROGRAMFILES(X86)%\GrassSoft\Macro Expert" folder and thus an unprivileged user can escalate to SYSTEM by replacing the MacroService.exe binary.
๐@cveNotify
Macro Expert through 4.9.4 allows BUILTIN\Users:(OI)(CI)(M) access to the "%PROGRAMFILES(X86)%\GrassSoft\Macro Expert" folder and thus an unprivileged user can escalate to SYSTEM by replacing the MacroService.exe binary.
๐@cveNotify
GitHub
GitHub - Alaatk/CVE-2024-27674: Macro Expert <= 4.9.4 - Insecure Permissions Privilege Escalation
Macro Expert <= 4.9.4 - Insecure Permissions Privilege Escalation - Alaatk/CVE-2024-27674
๐จ CVE-2024-3387
A weak (low bit strength) device certificate in Palo Alto Networks Panorama software enables an attacker to perform a meddler-in-the-middle (MitM) attack to capture encrypted traffic between the Panorama management server and the firewalls it manages. With sufficient computing resources, the attacker could break encrypted communication and expose sensitive information that is shared between the management server and the firewalls.
๐@cveNotify
A weak (low bit strength) device certificate in Palo Alto Networks Panorama software enables an attacker to perform a meddler-in-the-middle (MitM) attack to capture encrypted traffic between the Panorama management server and the firewalls it manages. With sufficient computing resources, the attacker could break encrypted communication and expose sensitive information that is shared between the management server and the firewalls.
๐@cveNotify
Palo Alto Networks Product Security Assurance
CVE-2024-3387 PAN-OS: Weak Certificate Strength in Panorama Software Leads to Sensitive Information Disclosure
A weak (low bit strength) device certificate in Palo Alto Networks Panorama software enables an attacker to perform a meddler-in-the-middle (MitM) attack to capture encrypted traffic between the Panor...
๐จ CVE-2024-37282
It was identified that under certain specific preconditions, an API key that was originally created with a specific privileges could be subsequently used to create new API keys that have elevated privileges.
๐@cveNotify
It was identified that under certain specific preconditions, an API key that was originally created with a specific privileges could be subsequently used to create new API keys that have elevated privileges.
๐@cveNotify
Discuss the Elastic Stack
Elastic Cloud Enterprise 3.7.2 Security Update (ESA-2024-18)
ECE Improper Authorization (ESA-2024-18) It was identified that under certain specific preconditions, an API key that was originally created with a specific privileges could be subsequently used to create new API keys that have elevated privileges. Affectedโฆ
๐จ CVE-2024-5911
An arbitrary file upload vulnerability in Palo Alto Networks Panorama software enables an authenticated read-write administrator with access to the web interface to disrupt system processes and crash the Panorama. Repeated attacks eventually cause the Panorama to enter maintenance mode, which requires manual intervention to bring the Panorama back online.
๐@cveNotify
An arbitrary file upload vulnerability in Palo Alto Networks Panorama software enables an authenticated read-write administrator with access to the web interface to disrupt system processes and crash the Panorama. Repeated attacks eventually cause the Panorama to enter maintenance mode, which requires manual intervention to bring the Panorama back online.
๐@cveNotify
Palo Alto Networks Product Security Assurance
CVE-2024-5911 PAN-OS: File Upload Vulnerability in the Panorama Web Interface
An arbitrary file upload vulnerability in Palo Alto Networks Panorama software enables an authenticated read-write administrator with access to the web interface to disrupt system processes and crash ...
๐จ CVE-2024-6933
A flaw has been found in LimeSurvey 6.5.14-240624. Affected by this issue is the function actionUpdateSurveyLocaleSettingsGeneralSettings of the file /index.php?r=admin/database/index/updatesurveylocalesettings_generalsettings of the component Survey General Settings Handler. This manipulation of the argument Language causes sql injection. The attack is possible to be carried out remotely. The exploit has been published and may be used. Upgrading to version 6.6.2+240827 can resolve this issue. Patch name: d656d2c7980b7642560977f4780e64533a68e13d. You should upgrade the affected component.
๐@cveNotify
A flaw has been found in LimeSurvey 6.5.14-240624. Affected by this issue is the function actionUpdateSurveyLocaleSettingsGeneralSettings of the file /index.php?r=admin/database/index/updatesurveylocalesettings_generalsettings of the component Survey General Settings Handler. This manipulation of the argument Language causes sql injection. The attack is possible to be carried out remotely. The exploit has been published and may be used. Upgrading to version 6.6.2+240827 can resolve this issue. Patch name: d656d2c7980b7642560977f4780e64533a68e13d. You should upgrade the affected component.
๐@cveNotify
LimeSurvey | Open Source Survey Tool
Downloads
Test LimeSurvey Cloud Get the most out of LimeSurvey and start using the LimeSurvey Cloud today We take care of the infrastructure and you concentrate on the important things: your surveys. Our highly available premium hosting provides you with LimeSurveyโฆ
๐จ CVE-2024-55929
A mail spoofing vulnerability in Xerox Workplace Suite allows attackers to forge email headers, making it appear as though messages are sent from trusted sources.
๐@cveNotify
A mail spoofing vulnerability in Xerox Workplace Suite allows attackers to forge email headers, making it appear as though messages are sent from trusted sources.
๐@cveNotify
๐จ CVE-2024-55930
Xerox Workplace Suite has weak default folder permissions that allow unauthorized users to access, modify, or delete files
๐@cveNotify
Xerox Workplace Suite has weak default folder permissions that allow unauthorized users to access, modify, or delete files
๐@cveNotify
๐จ CVE-2024-55931
Xerox Workplace Suite stores tokens in session storage, which may expose them to potential access if a user's session is compromised.
The patch for this vulnerability will be included in a future release of Workplace Suite, and customers will be notified through an update to the security bulletin.
๐@cveNotify
Xerox Workplace Suite stores tokens in session storage, which may expose them to potential access if a user's session is compromised.
The patch for this vulnerability will be included in a future release of Workplace Suite, and customers will be notified through an update to the security bulletin.
๐@cveNotify
๐จ CVE-2025-41375
SQL Injection vulnerability in Limesurvey v2.65.1+170522. This vulnerability allows an attacker to retrieve, create, update and delete database via 'token' parameter in '/index.php' endpoint.
๐@cveNotify
SQL Injection vulnerability in Limesurvey v2.65.1+170522. This vulnerability allows an attacker to retrieve, create, update and delete database via 'token' parameter in '/index.php' endpoint.
๐@cveNotify
www.incibe.es
Multiple vulnerabilities in Limesurvey
INCIBE has coordinated the publication of 2 vulnerabilities: 1 of critical severity and 1 of high seve
๐จ CVE-2025-2668
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 is vulnerable to a denial of service as the server may crash when an authenticated user creates a specially crafted query.
๐@cveNotify
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 is vulnerable to a denial of service as the server may crash when an authenticated user creates a specially crafted query.
๐@cveNotify
Ibm
Security Bulletin: IBMยฎ Db2ยฎ is vulnerable to a denial of service with a specially crafted query that uses ALTER TABLE operationsโฆ
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) is vulnerable to a denial of service as the server may crash when an authenticated user creates a specially crafted query that uses ALTER TABLE operations.
๐จ CVE-2025-36001
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow an authenticated user to cause a denial of service using a specially crafted SQL statement including XML that performs uncontrolled recursion.
๐@cveNotify
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow an authenticated user to cause a denial of service using a specially crafted SQL statement including XML that performs uncontrolled recursion.
๐@cveNotify
Ibm
Security Bulletin: IBMยฎ Db2ยฎ could allow an authenticated user to cause a denial of service using a specially crafted SQL statementโฆ
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow an authenticated user to cause a denial of service using a specially crafted SQL statement including XML that performs uncontrolled recursion.