| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Lylme Spage v1.9.5 is vulnerable to Incorrect Access Control. There is no limit on the number of login attempts, and the verification code will not be refreshed after a failed login, which allows attackers to blast the username and password and log into the system backend. |
| Typecho v1.3.0 was discovered to contain a race condition vulnerability in the post commenting function. This vulnerability allows attackers to post several comments before the spam protection checks if the comments are posted too frequently. |
| The JetBackup WordPress plugin before 2.0.9.9 doesn't use index files to prevent public directory listing of sensitive directories in certain configurations, which allows malicious actors to leak backup files. |
| Roothub v2.6 was discovered to contain a SQL injection vulnerability via the nodeTitle parameter in the parentNode() function.. |
| Roothub v2.5 was discovered to contain an arbitrary file upload vulnerability via the customPath parameter in the upload() function. This vulnerability allows attackers to execute arbitrary code via a crafted JSP file. |
| In s::can moni::tools in versions below 4.2 an unauthenticated attacker could get any file from the device by path traversal in the image-relocator module. |
| Roothub v2.6 was discovered to contain a SQL injection vulnerability via the topic parameter in the list() function. |
| Sensitive information leak through log files. The following products are affected: Acronis Cyber Protect Home Office (Windows) before build 40107. |
| SAP Biller Direct allows an unauthenticated attacker to craft a legitimate looking URL. When clicked by an unsuspecting victim, it will use an unsensitized parameter to redirect the victim to a malicious site of the attacker's choosing which can result in disclosure or modification of the victim's information. |
| In FRRouting (FRR) through 9.1, it is possible for the get_edge() function in ospf_te.c in the OSPF daemon to return a NULL pointer. In cases where calling functions do not handle the returned NULL value, the OSPF daemon crashes, leading to denial of service. |
| In the Opaque LSA Extended Link parser in FRRouting (FRR) through 9.1, there can be a buffer overflow and daemon crash in ospf_te_parse_ext_link for OSPF LSA packets during an attempt to read Segment Routing Adjacency SID subTLVs (lengths are not validated). |
| In FRRouting (FRR) through 9.1, there can be a buffer overflow and daemon crash in ospf_te_parse_ri for OSPF LSA packets during an attempt to read Segment Routing subTLVs (their size is not validated). |
| The Persian Fonts WordPress plugin through 1.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). |
| Cross Site Scripting vulnerability in Sentry v.6.0.9 allows a remote attacker to execute arbitrary code via the z parameter. |
| The WP Dashboard Notes WordPress plugin before 1.0.11 is vulnerable to Insecure Direct Object References (IDOR) in post_id= parameter. Authenticated users are able to delete private notes associated with different user accounts. This poses a significant security risk as it violates the principle of least privilege and compromises the integrity and privacy of user data. |
| Missing Authentication for Critical Function vulnerability in Drupal Panels allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Panels: from 0.0.0 before 4.9.0. |
| A vulnerability has been found in Telestream Sentry 6.0.9 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /?page=reports of the component Reports Page. The manipulation of the argument z leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. |
| Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Drupal AI (Artificial Intelligence) allows OS Command Injection.This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.0.5. |
| Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection.This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3. |
| In Emacs before 29.3, arbitrary Lisp code is evaluated as part of turning on Org mode. This affects Org Mode before 9.6.23. |
