Multiple stored cross-site scripting (XSS) vulnerabilities in openMAINT 2.1-3.3-b allow remote attackers to inject arbitrary web script or HTML via any "Add" sections, such as Add Card Building &. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Cross-site Scripting (XSS) vulnerability in MyBB before 1.8.26 via Nested Auto URL when parsing messages. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Text-based feedback answers required additional sanitizing to prevent stored XSS and blind SSRF risks in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Gitea 1.12.x and 1.13.x before 1.13.4 allows XSS via certain issue data in some situations. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
All versions of package github.com/tyktechnologies/tyk/gateway are vulnerable to Directory Traversal via the handleAddOrUpdateApi function. Rated medium severity (CVSS 5.3), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
When booting a Zync-7000 SOC device from nand flash memory, the nand driver in the ROM does not validate the inputs when reading in any parameters in the nand’s parameter page. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Unquoted service path vulnerability in McAfee Endpoint Product Removal (EPR) Tool prior to 21.2 allows local administrators to execute arbitrary code, with higher-level privileges, via execution from. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.
The urllib3 library 1.26.x before 1.26.4 for Python omits SSL certificate validation in some cases involving HTTPS to HTTPS proxies. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
In Cloudera Data Engineering (CDE) 1.3.0, JWT authentication tokens are exposed to administrators in virtual cluster server logs. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
If certificates that signed grub are installed into db, grub can be booted directly. Rated medium severity (CVSS 6.4). No vendor patch available.
A cross-site scripting (XSS) vulnerability on the Delete Personal Data page in Cryptshare Server before 4.8.0 allows an attacker to inject arbitrary web script or HTML via the user name. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Cross-site Scripting vulnerability in MyBB before 1.8.26 via Custom moderator tools. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
An issue was discovered in Argo CD before 1.8.4. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
A vulnerability has been identified in SIMATIC S7-PLCSIM V5.4 (All versions). Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.
A vulnerability has been identified in SIMATIC S7-PLCSIM V5.4 (All versions). Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.
A vulnerability has been identified in SIMATIC S7-PLCSIM V5.4 (All versions). Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.
The ID number user profile field required additional sanitizing to prevent a stored XSS risk in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
When creating a user account, it was possible to verify the account without having access to the verification email link/secret in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.
It was possible for some users without permission to view other users' full names to do so via the online users block in moodle before 3.10.2, 3.9.5, 3.8.8, 3.5.17. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.
The web service responsible for fetching other users' enrolled courses did not validate that the requesting user had permission to view that information in each course in moodle before 3.10.2, 3.9.5,. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.
IBM API Connect 10.0.0.0, and 2018.4.1.0 through 2018.4.1.13 does not restrict member registration to the intended recepient. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.