Absolute path traversal vulnerability in include/user/download.php in the Swim Team plugin 1.44.10777 for WordPress allows remote attackers to read arbitrary files via a full pathname in the file. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 54.0%.
Cross-site scripting (XSS) vulnerability in the Push-Service-Mails feature in AVM FRITZ!OS before 6.30 allows remote attackers to inject arbitrary web script or HTML via the display name in the FROM. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Cross-site scripting (XSS) vulnerability in OpenCart before 2.1.0.2 allows remote attackers to inject arbitrary web script or HTML via the zone_id parameter to index.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Absolute path traversal vulnerability in mysqldump_download.php in the WordPress Rename plugin 1.0 for WordPress allows remote attackers to read arbitrary files via a full pathname in the dumpfname. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Cross-site scripting (XSS) vulnerability in Serendipity before 2.0.3 allows remote attackers to inject arbitrary web script or HTML via the serendipity[entry_id] parameter in an "edit" admin action. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Huawei TE30, TE40, TE50, and TE60 multimedia video conferencing endpoints with software before V100R001C10SPC100 do not require entry of the old password when changing the password for the Debug. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
The swin.sys kernel driver in McAfee Application Control (MAC) 6.1.0 before build 706, 6.1.1 before build 404, 6.1.2 before build 449, 6.1.3 before build 441, and 6.2.0 before build 505 on 32-bit. Rated medium severity (CVSS 6.6).
Directory traversal vulnerability in the HTTP file-serving module (mod_http_files) in Prosody 0.9.x before 0.9.9 allows remote attackers to read arbitrary files via a .. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.
The HIFI driver in Huawei P8 phones with software GRA-TL00 before GRA-TL00C01B220SP01, GRA-CL00 before GRA-CL00C92B220, GRA-CL10 before GRA-CL10C92B220, GRA-UL00 before GRA-UL00C00B220, GRA-UL10. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
The presentation transmission permission management mechanism in Huawei TE30, TE40, TE50, and TE60 multimedia video conferencing endpoints with software before V100R001C10SPC100 allows remote. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.