Multiple cross-site request forgery (CSRF) vulnerabilities in ISPConfig before 3.0.5.4p7 allow remote attackers to hijack the authentication of (1) administrators for requests that create an. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.
Heap-based buffer overflow in the PCNET controller in QEMU allows remote attackers to execute arbitrary code by sending a packet with TXSTATUS_STARTPACKET set and then a crafted packet with. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 20.6% and no vendor patch available.
SQL injection vulnerability in monitor/show_sys_state.php in ISPConfig before 3.0.5.4p7 allows remote authenticated users with monitor permissions to execute arbitrary SQL commands via the server. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Cross-site request forgery (CSRF) vulnerability in tracking_code.admin.inc in the Tracking Code module 7.x-1.x before 7.x-1.6 for Drupal allows remote attackers to hijack the authentication of. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable.
Cross-site request forgery (CSRF) vulnerability in the Registration codes module before 6.x-1.6, 6.x-2.x before 6.x-2.8, and 7.x-1.x before 7.x-1.2 for Drupal allows remote attackers to hijack the. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable.
Cross-site request forgery (CSRF) vulnerability in the Webform Multiple File Upload module 6.x-1.x before 6.x-1.3 and 7.x-1.x before 7.x-1.3 for Drupal allows remote attackers to hijack the. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable.
Multiple cross-site request forgery (CSRF) vulnerabilities in includes/campaignmonitor_lists.admin.inc in the Campaign Monitor module 7.x-1.0 for Drupal allow remote attackers to hijack the. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable.
Cross-site request forgery (CSRF) vulnerability in the CiviCRM private report module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.3 for Drupal allows remote attackers to hijack the authentication. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable.
Multiple cross-site request forgery (CSRF) vulnerabilities in the User Import module 6.x-4.x before 6.x-4.4 and 7.x-2.x before 7.x-2.3 for Drupal allow remote attackers to hijack the authentication. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable.
Multiple cross-site request forgery (CSRF) vulnerabilities in the Invoice module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.3 for Drupal allow remote attackers to hijack the authentication of. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable.
Cross-site request forgery (CSRF) vulnerability in the Registration codes module before 6.x-1.6 for Drupal allows remote attackers to hijack the authentication of administrators for requests that. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable.
Cross-site request forgery (CSRF) vulnerability in the Decisions module for Drupal allows remote attackers to hijack the authentication of arbitrary users for requests that remove individual voters. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable.
Cross-site request forgery (CSRF) vulnerability in the Watchdog Aggregator module for Drupal allows remote attackers to hijack the authentication of administrators for requests that enable or disable. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.
Multiple cross-site request forgery (CSRF) vulnerabilities in the Spider Catalog module for Drupal allow remote attackers to hijack the authentication of administrators for requests that delete (1). Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.
Cross-site request forgery (CSRF) vulnerability in the Node Template module for Drupal allows remote attackers to hijack the authentication of users with the "access node template" permission for. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.
Directory traversal vulnerability in the file output plugin in Elasticsearch Logstash before 1.4.3 allows remote attackers to write to arbitrary files via vectors related to dynamic field references. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The resource/endpoint for uploading files in the Services module 7.x-3.x before 7.x-3.12 for Drupal allows remote authenticated users with the "Save file information" permission to execute arbitrary. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable.
SQL injection vulnerability in the Spider Contacts module for Drupal allows remote authenticated users with the "access Spider Contacts category administration" permission to execute arbitrary SQL. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable. No vendor patch available.
Open redirect vulnerability in the Perfecto module before 7.x-1.2 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in an unspecified. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable.
Open redirect vulnerability in the finder_form_goto function in the Finder module for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable. No vendor patch available.
Cross-site request forgery (CSRF) vulnerability in the Custom Sitemap module for Drupal allows remote attackers to hijack the authentication of administrators for requests that delete sitemaps via. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable. No vendor patch available.
Cross-site request forgery (CSRF) vulnerability in the Spider Video Player module for Drupal allows remote attackers to hijack the authentication of administrators for requests that delete videos via. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable. No vendor patch available.
Cross-site request forgery (CSRF) vulnerability in the Spider Contacts module for Drupal allows remote attackers to hijack the authentication of administrators for requests that delete contact. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable. No vendor patch available.
Integer underflow in the WMM Action frame parser in hostapd 0.5.5 through 2.4 and wpa_supplicant 0.7.0 through 2.4, when used for AP mode MLME/SME functionality, allows remote attackers to cause a. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.
The Services Basic Authentication module 7.x-1.x through 7.x-1.3 for Drupal allows remote attackers to bypass intended resource restrictions via vectors related to page caching. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.
The EAP-pwd peer implementation in hostapd and wpa_supplicant 1.0 through 2.4 does not clear the L (Length) and M (More) flags before determining if a response should be fragmented, which allows. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The EAP-pwd server and peer implementation in hostapd and wpa_supplicant 1.0 through 2.4 does not validate a fragment is already being processed, which allows remote attackers to cause a denial of. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The EAP-pwd server and peer implementation in hostapd and wpa_supplicant 1.0 through 2.4 does not validate that a message is long enough to contain the Total-Length field, which allows remote. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The EAP-pwd server and peer implementation in hostapd and wpa_supplicant 1.0 through 2.4 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted (1) Commit. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Multiple cross-site request forgery (CSRF) vulnerabilities in the Keyword Research module 6.x-1.x before 6.x-1.2 for Drupal allow remote attackers to hijack the authentication of users with the. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable.
The RESTWS Basic Auth submodule in the RESTful Web Services module 7.x-1.x before 7.x-1.5 and 7.x-2.x before 7.x-2.3 for Drupal caches pages for authenticated requests, which allows remote attackers. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.
The Commerce Ogone module 7.x-1.x before 7.x-1.5 for Drupal allows remote attackers to complete the checkout for an order without paying via unspecified vectors. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.
The Services module 7.x-3.x before 7.x-3.12 for Drupal allows remote attackers to bypass the field_access restriction and obtain sensitive private field information via unspecified vectors. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.
The Spider Video Player module for Drupal allows remote authenticated users with the "access Spider Video Player administration" permission to delete arbitrary files via a crafted URL. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable. No vendor patch available.
GNTTABOP_swap_grant_ref in Xen 4.2 through 4.5 does not check the grant table operation version, which allows local guest domains to cause a denial of service (NULL pointer dereference) via a. Rated medium severity (CVSS 4.9), this vulnerability is low attack complexity. No vendor patch available.
The compat_iret function in Xen 3.1 through 4.5 iterates the wrong way through a loop, which allows local 32-bit PV guest administrators to cause a denial of service (large loop and system hang) via. Rated medium severity (CVSS 4.9), this vulnerability is low attack complexity. No vendor patch available.
The WPS UPnP function in hostapd, when using WPS AP, and wpa_supplicant, when using WPS external registrar (ER), 0.7.0 through 2.4 allows remote attackers to cause a denial of service (crash) via a. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.
The Chaos tool suite (ctools) module 7.x-1.x before 7.x-1.7 for Drupal allows remote attackers to obtain sensitive node titles via (1) an autocomplete search on custom entities without an access. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.
Cross-site scripting (XSS) vulnerability in the inLinks Integration module for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified path arguments. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.
Multiple cross-site scripting (XSS) vulnerabilities in unspecified administration pages in the EntityBulkDelete module 7.x-1.0 for Drupal allow remote attackers to inject arbitrary web script or HTML. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.
Cross-site scripting (XSS) vulnerability in the product deployment feature in the Java core web services in Intel McAfee ePolicy Orchestrator (ePO) before 5.1.2 allows remote attackers to inject. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.
Cross-site scripting (XSS) vulnerability in Elasticsearch Kibana 4.x before 4.0.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.
The Open Graph Importer (og_tag_importer) 7.x-1.x for Drupal does not properly check the create permission for content types created during import, which allows remote authenticated users to bypass. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Multiple cross-site scripting (XSS) vulnerabilities in the Registration codes module before 6.x-1.6, 6.x-2.x before 6.x-2.8, and 7.x-1.x before 7.x-1.2 for Drupal allow remote authenticated users. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable.
Cross-site scripting (XSS) vulnerability in the Webform module before 6.x-3.22, 7.x-3.x before 7.x-3.22, and 7.x-4.x before 7.x-4.4 for Drupal allows remote authenticated users with certain. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable.
Cross-site scripting (XSS) vulnerability in the Invoice module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.3 for Drupal allows remote authenticated users with the "Administer own invoices". Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable.
Cross-site scripting (XSS) vulnerability in the Profile2 Privacy module 7.x-1.x before 7.x-1.5 for Drupal allows remote authenticated users with the "Administer Profile2 Privacy Levels" permission to. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable.
Cross-site scripting (XSS) vulnerability in the Trick Question module before 6.x-1.5 and 7.x-1.x before 7.x-1.5 for Drupal allows remote authenticated users with the "Administer Trick Question". Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable.
Cross-site scripting (XSS) vulnerability in the Simple Subscription module before 6.x-1.1 and 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with the "administer blocks". Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable.
Cross-site scripting (XSS) vulnerability in the Display Suite module 7.x-2.7 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors related to. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable.