VYPR

CVEs

100,472 total · page 653 of 2,010

  • CVE-2024-1937HigJul 16, 2024
    risk 0.39cvss 7.1epss 0.00

    The Brizy – Page Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_item' function in all versions up to, and including, 2.4.44. This makes it possible for authenticated attackers, with contributor…

  • CVE-2023-52290HigJul 16, 2024
    risk 0.46cvss 8.1epss 0.01

    In streampark-console the list pages(e.g: application pages), users can sort page by field. This sort field is sent from the front-end to the back-end, and the SQL query is generated using this field. However, because this sort field isn't validated, there is a risk of SQL…

  • CVE-2024-40631HigJul 15, 2024
    risk 0.46cvss 8.1epss 0.01

    Plate media is an open source, rich-text editor for React. Editors that use `MediaEmbedElement` and pass custom `urlParsers` to the `useMediaState` hook may be vulnerable to XSS if a custom parser allows `javascript:`, `data:` or `vbscript:` URLs to be embedded. Editors that do…

  • CVE-2024-36438HigJul 15, 2024
    risk 0.47cvss 7.3epss 0.00

    eLinkSmart Hidden Smart Cabinet Lock 2024-05-22 has Incorrect Access Control and fails to perform an authorization check which can lead to card duplication and other attacks.

  • CVE-2024-36434HigJul 15, 2024
    risk 0.49cvss 7.5epss 0.00

    An SMM callout vulnerability was discovered in Supermicro X11DPH-T, X11DPH-Tq, and X11DPH-i motherboards with BIOS firmware before 4.4.

  • CVE-2024-36433HigJul 15, 2024
    risk 0.49cvss 7.5epss 0.00

    An arbitrary memory write vulnerability was discovered in Supermicro X11DPH-T, X11DPH-Tq, and X11DPH-i motherboards with BIOS firmware before 4.4.

  • CVE-2024-36432HigJul 15, 2024
    risk 0.49cvss 7.5epss 0.00

    An arbitrary memory write vulnerability was discovered in Supermicro X11DPG-HGX2, X11PDG-QT, X11PDG-OT, and X11PDG-SN motherboards with BIOS firmware before 4.4.

  • CVE-2024-27240HigJul 15, 2024
    risk 0.46cvss 7.1epss 0.00

    Improper input validation in the installer for some Zoom Apps for Windows may allow an authenticated user to conduct a privilege escalation via local access.

  • CVE-2024-27238HigJul 15, 2024
    risk 0.46cvss 7.1epss 0.00

    Race condition in the installer for some Zoom Apps and SDKs for Windows before version 6.0.0 may allow an authenticated user to conduct a privilege escalation via local access.

  • CVE-2024-40560HigJul 15, 2024
    risk 0.47cvss 7.3epss 0.00

    Tmall_demo before v2024.07.03 was discovered to contain a SQL injection vulnerability.

  • CVE-2024-40554HigJul 15, 2024
    risk 0.49cvss 7.5epss 0.00

    An access control issue in Tmall_demo v2024.07.03 allows attackers to obtain sensitive information.

  • CVE-2024-6689HigJul 15, 2024
    risk 0.51cvss 7.8epss 0.00

    Local Privilege Escalation in MSI-Installer in baramundi Management Agent v23.1.172.0 on Windows allows a local unprivileged user to escalate privileges to SYSTEM.

  • CVE-2024-38494HigJul 15, 2024
    risk 0.56cvss epss 0.01

    This vulnerability allows a high-privileged authenticated PAM user to achieve remote command execution on the affected PAM system by sending a specially crafted HTTP request.

  • CVE-2024-38491HigJul 15, 2024
    risk 0.55cvss epss 0.00

    The vulnerability allows an unauthenticated attacker to read arbitrary information from the database.

  • CVE-2024-5402HigJul 15, 2024
    risk 0.51cvss 7.8epss 0.00

    Unquoted Search Path or Element vulnerability in ABB Mint Workbench. A local attacker who successfully exploited this vulnerability could gain elevated privileges by inserting an executable file in the path of the affected service. This issue affects Mint Workbench I…

  • CVE-2024-6745HigJul 15, 2024
    risk 0.48cvss 7.3epss 0.01

    A vulnerability classified as critical has been found in code-projects Simple Ticket Booking 1.0. Affected is an unknown function of the file adminauthenticate.php of the component Login. The manipulation of the argument email/password leads to sql injection. It is possible to…

  • CVE-2023-49566HigJul 15, 2024
    risk 0.57cvss 8.8epss 0.01

    In Apache Linkis <=1.5.0, due to the lack of effective filtering of parameters, an attacker configuring malicious db2 parameters in the DataSource Manager Module will result in jndi injection. Therefore, the parameters in the DB2 URL should be blacklisted.  This attack…

  • CVE-2023-46801HigJul 15, 2024
    risk 0.50cvss 8.8epss 0.01

    In Apache Linkis <= 1.5.0, data source management module, when adding Mysql data source, exists remote code execution vulnerability for java version < 1.8.0_241. The deserialization vulnerability exploited through jrmp can inject malicious files into the server and execute…

  • CVE-2024-6075HigJul 15, 2024
    risk 0.57cvss 8.8epss 0.00

    The wp-cart-for-digital-products WordPress plugin before 8.5.5 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks

  • CVE-2024-5630HigJul 15, 2024
    risk 0.57cvss 8.8epss 0.01

    The Insert or Embed Articulate Content into WordPress plugin before 4.3000000024 does not prevent authors from uploading arbitrary files to the site, which may allow them to upload PHP shells on affected sites.

  • CVE-2024-21513HigJul 15, 2024
    risk 0.48cvss 8.5epss 0.02

    Versions of the package langchain-experimental from 0.0.15 and before 0.0.21 are vulnerable to Arbitrary Code Execution when retrieving values from the database, the code will attempt to call 'eval' on all values. An attacker can exploit this vulnerability and execute arbitrary…

  • CVE-2024-6737HigJul 15, 2024
    risk 0.57cvss 8.8epss 0.01

    The access control in the Electronic Official Document Management System from 2100 TECHNOLOGY is not properly implemented, allowing remote attackers with regular privileges to access the account settings functionality and create an administrator account.

  • CVE-2024-6345HigJul 15, 2024
    risk 0.50cvss 8.8epss 0.02

    A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are…

  • CVE-2023-52885HigJul 14, 2024
    risk 0.51cvss 7.8epss 0.00

    In the Linux kernel, the following vulnerability has been resolved: SUNRPC: Fix UAF in svc_tcp_listen_data_ready() After the listener svc_sock is freed, and before invoking svc_tcp_accept() for the established child sock, there is a window that the newsock retaining a freed…

  • CVE-2024-5715HigJul 13, 2024
    risk 0.46cvss 7.1epss 0.00

    The wp-eMember WordPress plugin before 10.6.7 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

  • CVE-2024-5472HigJul 13, 2024
    risk 0.46cvss 7.1epss 0.00

    The WP QuickLaTeX WordPress plugin before 3.8.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite…

  • CVE-2024-5287HigJul 13, 2024
    risk 0.46cvss 7.1epss 0.00

    The wp-affiliate-platform WordPress plugin before 6.5.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in user change them via a CSRF attack

  • CVE-2024-5167HigJul 13, 2024
    risk 0.53cvss 8.1epss 0.00

    The CM Email Registration Blacklist and Whitelist WordPress plugin before 1.4.9 does not have CSRF check when adding or deleting an item from the blacklist or whitelist, which could allow attackers to make a logged in admin add or delete settings from the blacklist or whitelist…

  • CVE-2024-5151HigJul 13, 2024
    risk 0.46cvss 7.1epss 0.00

    The SULly WordPress plugin before 4.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

  • CVE-2024-5080HigJul 13, 2024
    risk 0.57cvss 8.8epss 0.01

    The wp-eMember WordPress plugin before 10.6.6 does not validate files to be uploaded, which could allow admins to upload arbitrary files such as PHP on the server

  • CVE-2024-5076HigJul 13, 2024
    risk 0.57cvss 8.8epss 0.00

    The wp-eMember WordPress plugin before 10.6.6 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks

  • CVE-2024-5034HigJul 13, 2024
    risk 0.57cvss 8.8epss 0.00

    The SULly WordPress plugin before 4.3.1 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks

  • CVE-2024-30213HigJul 12, 2024
    risk 0.57cvss 8.8epss 0.01

    StoneFly Storage Concentrator (SC and SCVM) before 8.0.4.26 allows remote authenticated users to achieve Command Injection via a Ping URL, leading to remote code execution.

  • CVE-2024-5902HigJul 12, 2024
    risk 0.47cvss 7.2epss 0.00

    The User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the name parameter in all versions up to, and including, 1.0.15 due to insufficient input sanitization and output…

  • CVE-2024-40552HigJul 12, 2024
    risk 0.57cvss 8.8epss 0.01

    PublicCMS v4.0.202302.e was discovered to contain a remote commande execution (RCE) vulnerability via the cmdarray parameter at /site/ScriptComponent.java.

  • CVE-2024-40551HigJul 12, 2024
    risk 0.57cvss 8.8epss 0.00

    An arbitrary file upload vulnerability in the component /admin/cmsTemplate/doUpload of PublicCMS v4.0.202302.e allows attackers to execute arbitrary code via uploading a crafted file.

  • CVE-2024-40550HigJul 12, 2024
    risk 0.57cvss 8.8epss 0.01

    An arbitrary file upload vulnerability in the component /admin/cmsTemplate/savePlaceMetaData of Public CMS v.4.0.202302.e allows attackers to execute arbitrary code via uploading a crafted file.

  • CVE-2024-40549HigJul 12, 2024
    risk 0.57cvss 8.8epss 0.01

    An arbitrary file upload vulnerability in the component /admin/cmsTemplate/savePlace of PublicCMS v4.0.202302.e allows attackers to execute arbitrary code via uploading a crafted file.

  • CVE-2024-40548HigJul 12, 2024
    risk 0.57cvss 8.8epss 0.01

    An arbitrary file upload vulnerability in the component /admin/cmsTemplate/save of PublicCMS v4.0.202302.e allows attackers to execute arbitrary code via uploading a crafted file.

  • CVE-2024-40546HigJul 12, 2024
    risk 0.57cvss 8.8epss 0.01

    An arbitrary file upload vulnerability in the component /admin/cmsWebFile/save of PublicCMS v4.0.202302.e allows attackers to execute arbitrary code via uploading a crafted file.

  • CVE-2024-40545HigJul 12, 2024
    risk 0.57cvss 8.8epss 0.01

    An arbitrary file upload vulnerability in the component /admin/cmsWebFile/doUpload of PublicCMS v4.0.202302.e allows attackers to execute arbitrary code via uploading a crafted file.

  • CVE-2024-40544HigJul 12, 2024
    risk 0.57cvss 8.8epss 0.00

    PublicCMS v4.0.202302.e was discovered to contain a Server-Side Request Forgery (SSRF) via the component /admin/#maintenance_sysTask/edit.

  • CVE-2024-40543HigJul 12, 2024
    risk 0.57cvss 8.8epss 0.00

    PublicCMS v4.0.202302.e was discovered to contain a Server-Side Request Forgery (SSRF) via the component /admin/ueditor?action=catchimage.

  • CVE-2024-40522HigJul 12, 2024
    risk 0.57cvss 8.8epss 0.01

    There is a remote code execution vulnerability in SeaCMS 12.9. The vulnerability is caused by phomebak.php writing some variable names passed in without filtering them before writing them into the php file. An authenticated attacker can exploit this vulnerability to execute…

  • CVE-2024-40521HigJul 12, 2024
    risk 0.57cvss 8.8epss 0.01

    SeaCMS 12.9 has a remote code execution vulnerability. The vulnerability is due to the fact that although admin_template.php imposes certain restrictions on the edited file, attackers can still bypass the restrictions and write code in some way, allowing authenticated attackers…

  • CVE-2024-40520HigJul 12, 2024
    risk 0.57cvss 8.8epss 0.01

    SeaCMS 12.9 has a remote code execution vulnerability. The vulnerability is caused by admin_config_mark.php directly splicing and writing the user input data into inc_photowatermark_config.php without processing it, which allows authenticated attackers to exploit the…

  • CVE-2024-40519HigJul 12, 2024
    risk 0.57cvss 8.8epss 0.01

    SeaCMS 12.9 has a remote code execution vulnerability. The vulnerability is caused by admin_smtp.php directly splicing and writing the user input data into weixin.php without processing it, which allows authenticated attackers to exploit the vulnerability to execute arbitrary…

  • CVE-2024-40518HigJul 12, 2024
    risk 0.57cvss 8.8epss 0.01

    SeaCMS 12.9 has a remote code execution vulnerability. The vulnerability is caused by admin_weixin.php directly splicing and writing the user input data into weixin.php without processing it, which allows authenticated attackers to exploit the vulnerability to execute arbitrary…

  • CVE-2024-39917HigJul 12, 2024
    risk 0.40cvss 7.2epss 0.01

    xrdp is an open source RDP server. xrdp versions prior to 0.10.0 have a vulnerability that allows attackers to make an infinite number of login attempts. The number of max login attempts is supposed to be limited by a configuration parameter `MaxLoginRetry` in…

  • CVE-2024-38735HigJul 12, 2024
    risk 0.49cvss 7.5epss 0.01

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Bastien Ho Event post event-post.This issue affects Event post: from n/a through <= 5.9.5.