Deserialization of Untrusted Data vulnerability in Pdfcrowd Dev Team Save as PDF save-as-pdf-by-pdfcrowd allows Object Injection.This issue affects Save as PDF: from n/a through <= 4.4.0.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in enituretechnology Small Package Quotes – Worldwide Express Edition small-package-quotes-wwe-edition allows SQL Injection.This issue affects Small Package Quotes – Worldwide Express Edition: from n/a through <= 5.2.17.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in enituretechnology Small Package Quotes – Unishippers Edition small-package-quotes-unishippers-edition allows SQL Injection.This issue affects Small Package Quotes – Unishippers Edition: from n/a through <= 2.4.8.
Missing Authorization vulnerability in NotFound Admin and Site Enhancements (ASE) Pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Admin and Site Enhancements (ASE) Pro: from n/a through 7.6.1.1.
Authentication Bypass by Spoofing vulnerability in bestwebsoft Google Captcha google-captcha allows Identity Spoofing.This issue affects Google Captcha: from n/a through <= 1.78.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in codepeople Music Store music-store allows Reflected XSS.This issue affects Music Store: from n/a through <= 1.1.19.
Missing Authorization vulnerability in Dmitry V. (CEO of "UKR Solution") Print Barcode Labels for your WooCommerce products/orders a4-barcode-generator.This issue affects Print Barcode Labels for your WooCommerce products/orders: from n/a through <= 3.4.10.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WisdmLabs Edwiser Bridge edwiser-bridge allows Reflected XSS.This issue affects Edwiser Bridge: from n/a through <= 3.0.8.
Cross-Site Request Forgery (CSRF) vulnerability in SeedProd Coming Soon Page, Under Construction & Maintenance Mode by SeedProd coming-soon allows Cross Site Request Forgery.This issue affects Coming Soon Page, Under Construction & Maintenance Mode by SeedProd: from n/a through <= 6.18.9.
Cross-Site Request Forgery (CSRF) vulnerability in Slava Abakumov BuddyPress Groups Extras buddypress-groups-extras allows Cross Site Request Forgery.This issue affects BuddyPress Groups Extras: from n/a through <= 3.6.10.
Cross-Site Request Forgery (CSRF) vulnerability in StellarWP The Events Calendar the-events-calendar allows Cross Site Request Forgery.This issue affects The Events Calendar: from n/a through <= 6.7.0.
Missing Authorization vulnerability in Gopi krishnan Fare Calculator fare-calculator allows Stored XSS.This issue affects Fare Calculator: from n/a through <= 1.1.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ivanchernyakov LawPress – Law Firm Website Management lawpress allows Reflected XSS.This issue affects LawPress – Law Firm Website Management: from n/a through <= 1.4.5.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ulrich Sossou The Loops the-loops allows Reflected XSS.This issue affects The Loops: from n/a through <= 1.0.2.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jonathan Lau CubePM cubepm allows Reflected XSS.This issue affects CubePM: from n/a through <= 1.0.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in davidfcarr RSVPMaker Volunteer Roles rsvpmaker-volunteer-roles allows Reflected XSS.This issue affects RSVPMaker Volunteer Roles: from n/a through <= 1.5.1.
Missing Authorization vulnerability in blokhauswp Minterpress minterpress allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Minterpress: from n/a through <= 1.0.5.
DLINK DIR-825 REVB 2.03 devices have an OS command injection vulnerability in the CGl interface apc_client_pin.cgi, which allows remote attackers to execute arbitrary commands via the parameter "wps_pin" passed to the apc_client_pin.cgi binary through a POST request.
Path Traversal: '.../...//' vulnerability in Ihor Kit Morkva UA Shipping morkva-ua-shipping allows PHP Local File Inclusion.This issue affects Morkva UA Shipping: from n/a through <= 1.0.18.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in enituretechnology LTL Freight Quotes – Worldwide Express Edition ltl-freight-quotes-worldwide-express-edition allows SQL Injection.This issue affects LTL Freight Quotes – Worldwide Express Edition: from n/a through <= 5.0.20.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ihor Kit Shipping for Nova Poshta nova-poshta-ttn allows SQL Injection.This issue affects Shipping for Nova Poshta: from n/a through <= 1.19.6.
Deserialization of Untrusted Data vulnerability in ThimPress FundPress fundpress allows Object Injection.This issue affects FundPress: from n/a through <= 2.0.6.
Cross-Site Request Forgery (CSRF) vulnerability in MetaSlider Responsive Slider by MetaSlider ml-slider allows Cross Site Request Forgery.This issue affects Responsive Slider by MetaSlider: from n/a through <= 3.92.0.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Busters Passwordless WP – Login with your glance or fingerprint passwordless-wp allows Reflected XSS.This issue affects Passwordless WP – Login with your glance or fingerprint: from n/a through <= 1.1.6.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in shipdeoplugin Shipdeo shipdeo-woo allows Reflected XSS.This issue affects Shipdeo: from n/a through <= 1.2.8.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kyle Phillips Simple Locator simple-locator allows Reflected XSS.This issue affects Simple Locator: from n/a through <= 2.0.4.
Eura7 CMSmanager in version 4.6 and below is vulnerable to Reflected XSS attacks through manipulation of return GET request parameter sent to a specific endpoint.
The vulnerability has been fixed by a patche patch 17012022 addressing all affected versions in use.
A flaw was found in the Red Hat Advanced Cluster Security (RHACS) portal. When rendering a table view in the portal, for example, on any of the /main/configmanagement/* endpoints, the front-end generates a DOM table-element (id="pdf-table"). This information is then populated with unsanitized data using innerHTML. An attacker with some control over the data rendered can trigger a cross-site scripting (XSS) vulnerability.
Xerox Workplace Suite stores tokens in session storage, which may expose them to potential access if a user's session is compromised.Â
The patch for this vulnerability will be included in a future release of Workplace Suite, and customers will be notified through an update to the security bulletin.
A NULL Pointer Dereference vulnerability in Cesanta Frozen versions less than 1.7 allows an attacker to induce a crash of the component embedding the library by supplying a maliciously crafted JSON as input.
An Allocation of Resources Without Limits or Throttling vulnerability in Cesanta Frozen versions less than 1.7 allows an attacker to induce a crash of the component embedding the library by supplying a maliciously crafted JSON as input.
A vulnerability classified as problematic was found in INW Krbyyyzo 25.2002. Affected by this vulnerability is an unknown functionality of the file /gbo.aspx of the component Daily Huddle Site. The manipulation of the argument s leads to resource consumption. It is possible to launch the attack on the local host. Other endpoints might be affected as well.
A vulnerability in OTRS Application Server and reverse proxy settings allows session hijacking due to missing attributes for sensitive cookie settings in HTTPS sessions.
This issue affects:
* OTRS 7.0.X
* OTRS 8.0.X
* OTRS 2023.X
* OTRS 2024.X
Certain errors of the upstream libraries will insert sensitive information in the OTRS or ((OTRS)) Community Edition log mechanism and mails send to the system administrator.
This issue affects:
* OTRS 7.0.X
* OTRS 8.0.X
* OTRS 2023.X
* OTRS 2024.X
* ((OTRS)) Community Edition: 6.0.x
Products based on the ((OTRS)) Community Edition also very likely to be affected
An improper privilege management vulnerability in OTRS Generic Interface module allows change of the Ticket status even if the user only has ro permissions.
This issue affects:
* OTRS 7.0.X
* OTRS 8.0.X
* OTRS 2023.X
* OTRS 2024.X
* ((OTRS)) Community Edition: 6.0.x
Products based on the ((OTRS)) Community Edition also very likely to be affected
A vulnerability exists in OTRS and ((OTRS Community Edition)) that fail to set the HTTP response header X-Content-Type-Options to nosniff. An attacker could exploit this vulnerability by uploading or inserting content that would be treated as a different MIME type than intended.
This issue affects:
* OTRS 7.0.X
* OTRS 8.0.X
* OTRS 2023.X
* OTRS 2024.X
* ((OTRS)) Community Edition: 6.0.x
Products based on the ((OTRS)) Community Edition also very likely to be affected
The Altra Side Menu WordPress plugin through 2.0 does not have CSRF checks in some places, which could allow attackers to make logged in admins delete arbitrary menu via a CSRF attack
A vulnerability was found in Microword eScan Antivirus 7.0.32 on Linux. It has been rated as problematic. Affected by this issue is the function removeExtraSlashes of the file /opt/MicroWorld/sbin/rtscanner of the component Folder Watch List Handler. The manipulation leads to stack-based buffer overflow. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
A vulnerability was found in Itechscripts School Management Software 2.75. It has been classified as critical. This affects an unknown part of the file /notice-edit.php. The manipulation of the argument aid leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
Develocity (formerly Gradle Enterprise) before 2024.1.8 has Incorrect Access Control. Project-level access control configuration was introduced in Enterprise Config schema version 8. Migration functionality from schema version 8 to versions 9 and 10 (in affected vulnerable versions) does not include the projects section of the configuration. This leads to all of the project settings being reset to their defaults when the old schema is loaded. In the case of projects.enabled, the default is false. Thus, using an enterprise config v8 results in Project level access control being disabled, even if it was previously enabled, and previously restricted project information disclosed. Most commonly, this occurs when a Develocity instance is upgraded from an earlier version. Specifically, this occurs if: Develocity 2023.3.X is upgraded to 2023.4.X; Develocity 2023.3.X is upgraded to 2024.1.X up to and including 2024.1.7; or Develocity 2023.4.X is upgraded to 2024.1.X up to and including 2024.1.7. The flaw does not occur when upgrading to a fixed version. An upgrade can only be triggered via administrator access, and cannot be forced by an external attacker.