Buffer overflow in AudioCoder 0.8.46 allows remote attackers to execute arbitrary code via a crafted .m3u file. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 37.6%.
Buffer overflow in MediaCoder 0.8.48.5888 allows remote attackers to execute arbitrary code via a crafted .m3u file. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 35.4%.
In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 41.7%.
Reporter.exe in Acunetix 8 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a malformed PRE file, related to a "User Mode Write AV starting at. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 33.2% and no vendor patch available.
The fill_input_buffer function in jdatasrc.c in libjpeg-turbo 1.5.1 allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly have unspecified. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Incorrect Access Control vulnerability in Hashtopussy 0.4.0 allows remote authenticated users to execute actions that should only be available for administrative roles, as demonstrated by an. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
SQL injection vulnerability in Hashtopus 1.5g allows remote authenticated users to execute arbitrary SQL commands via the format parameter in admin.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Cross-Site Request Forgery (CSRF) exists in Hashtopus 1.5g via the password parameter to admin.php in an a=config action. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Cross-Site Request Forgery (CSRF) exists in Hashtopussy 0.4.0, allowing an admin password change via users.php. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
There is an illegal address access in the build_table function in libavcodec/bitstream.c of Libav 12.1 that will lead to remote denial of service via crafted input. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Zoho ManageEngine Event Log Analyzer 11.4 and 11.5 allows remote attackers to obtain an authenticated user's password via XSS vulnerabilities or sniffing non-SSL traffic on the network, because the. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The TDStretch::acceptNewOverlapLength function in source/SoundTouch/TDStretch.cpp in SoundTouch 1.9.2 allows remote attackers to cause a denial of service (memory allocation error and application. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Multiple Persistent cross-site scripting (XSS) vulnerabilities in Event log parsing and Display functions in Zoho ManageEngine Event Log Analyzer 11.4 and 11.5 allow remote attackers to inject. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Multiple Reflective cross-site scripting (XSS) vulnerabilities in search and display of event data in Zoho ManageEngine Event Log Analyzer 11.4 and 11.5 allow remote attackers to inject arbitrary web. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Cross-site scripting (XSS) vulnerability in Hashtopus 1.5g allows remote attackers to inject arbitrary web script or HTML via the query string to admin.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Stored Cross-site scripting vulnerability in Hashtopussy 0.4.0 allows remote attackers to inject arbitrary web script or HTML via the (1) version, (2) url, or (3) rootdir parameter in hashcat.php. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The TDStretchSSE::calcCrossCorr function in source/SoundTouch/sse_optimized.cpp in SoundTouch 1.9.2 allows remote attackers to cause a denial of service (heap-based buffer over-read and application. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The unpack_read_samples function in frontend/get_audio.c in LAME 3.99.5 allows remote attackers to cause a denial of service (invalid memory read and application crash) via a crafted wav file. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The TDStretch::processSamples function in source/SoundTouch/TDStretch.cpp in SoundTouch 1.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The next_text function in src/libmpg123/id3.c in mpg123 1.24.0 allows remote attackers to cause a denial of service (buffer over-read) via a crafted mp3 file. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Reporter.exe in Acunetix 8 allows remote attackers to cause a denial of service (application crash) via a malformed PRE file, related to a "Read Access Violation starting at reporter!madTraceProcess.". Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Cross-site scripting (XSS) vulnerability in auth_profile.php in Cacti 1.1.13 allows remote attackers to inject arbitrary web script or HTML via specially crafted HTTP Referer headers. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Apache HTTP Server, in all releases prior to 2.2.32 and 2.4.25, was liberal in the whitespace accepted from requests and sent in response lines and headers. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
The traverseStrictSanitize function in admin_dir/includes/classes/AdminRequestSanitizer.php in ZenCart 1.5.5e mishandles key strings, which allows remote authenticated users to execute arbitrary PHP. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Avira Antivirus engine versions before 8.3.36.60 allow remote code execution as NT AUTHORITY\SYSTEM via a section header with a very large relative virtual address in a PE file, causing an integer. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
The ff_amf_get_field_value function in libavformat/rtmppkt.c in FFmpeg 3.3.2 allows remote RTMP servers to cause a denial of service (Segmentation Violation and application crash) via a crafted. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Sendio versions before 8.2.1 were affected by a Local File Inclusion vulnerability that allowed an unauthenticated, remote attacker to read potentially sensitive system files via a specially crafted. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
There is a reachable assertion in the Internal::TiffReader::visitDirectory function in tiffvisitor.cpp of Exiv2 0.26 that will lead to a remote denial of service attack via crafted input. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.