Mikrotik RouterOs before stable v7.6 was discovered to contain an out-of-bounds read in the snmp process. Rated medium severity (CVSS 6.4). Public exploit code available and no vendor patch available.
curl can be told to parse a `.netrc` file for credentials. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The WP OAuth Server (OAuth Authentication) WordPress plugin before 3.4.2 does not have CSRF check when regenerating secrets, which could allow attackers to make logged in admins regenerate the secret. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
The Advanced Import WordPress plugin before 1.3.8 does not have CSRF check when installing and activating plugins, which could allow attackers to make a logged in admin install arbitrary plugins from. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A cross-site scripting (XSS) vulnerability in the component /signup_script.php of Ecommerce-Website v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A cross-site scripting (XSS) vulnerability in ClicShopping_V3 v3.402 allows attackers to execute arbitrary web scripts or HTML via a crafted URL parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Open redirect vulnerability in SHIRASAGI v1.14.4 to v1.15.0 allows a remote unauthenticated attacker to redirect users to an arbitrary web site and conduct a phishing attack. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Floating Point Comparison with Incorrect Operator in GitHub repository vim/vim prior to 9.0.0804. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available.
Stored cross-site scripting vulnerability in SHIRASAGI versions prior to v1.16.2 allows a remote authenticated attacker with an administrative privilege to inject an arbitrary script. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
The Add Comments WordPress plugin through 1.0.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
The WP OAuth Server (OAuth Authentication) WordPress plugin before 4.2.2 does not sanitize and escape Client IDs, which could allow high privilege users such as admin to perform Stored Cross-Site. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
The WPUpper Share Buttons WordPress plugin through 3.42 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
The Uji Countdown WordPress plugin before 2.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
The WP Page Builder WordPress plugin through 1.2.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
The Advanced WP Columns WordPress plugin through 2.0.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
In ccci, there is a possible out of bounds write due to improper input validation. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.
In Wi-Fi, there is a possible memory access violation due to a logic error. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.
In Wi-Fi, there is a possible out of bounds write due to improper input validation. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.
In Wi-Fi, there is a possible out of bounds write due to improper input validation. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.
In throttling, there is a possible out of bounds write due to an incorrect calculation of buffer size. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.
In isp, there is a possible out of bounds write due to a missing bounds check. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.
In isp, there is a possible out of bounds write due to a missing bounds check. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.
In display, there is a possible out of bounds write due to an incorrect bounds check. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.
In display, there is a possible out of bounds write due to an incorrect bounds check. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.
In throttling, there is a possible out of bounds write due to an incorrect calculation of buffer size. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.
In gz, there is a possible memory corruption due to a missing bounds check. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.
In mpu, there is a possible memory corruption due to a logic error. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.
In keyinstall, there is a possible out of bounds write due to an incorrect bounds check. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.
In widevine, there is a possible out of bounds write due to an incorrect bounds check. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.
In widevine, there is a possible out of bounds write due to an incorrect bounds check. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.
In widevine, there is a possible out of bounds write due to an incorrect bounds check. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.
In widevine, there is a possible out of bounds write due to an incorrect bounds check. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.
ZTE OTCP product is impacted by a permission and access control vulnerability. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A use-after-free in res_pjsip_pubsub.c in Sangoma Asterisk 16.28, 18.14, 19.6, and certified/18.9-cert2 may allow a remote authenticated attacker to crash Asterisk (denial of service) by performing. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.
Missing authorization vulnerability exists in Kyocera Document Solutions MFPs and printers, which may allow a network-adjacent attacker to alter the product settings without authentication by sending. Rated medium severity (CVSS 6.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Session information easily guessable vulnerability exists in Kyocera Document Solutions MFPs and printers, which may allow a network-adjacent attacker to log in to the product by spoofing a user with. Rated medium severity (CVSS 6.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
In isp, there is a possible out of bounds write due to a race condition. Rated medium severity (CVSS 6.4). No vendor patch available.
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XSS in the text input field since the result dashboard page output is not sanitized. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Cross-site scripting vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to inject an arbitrary script. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Cross-site scripting vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to inject an arbitrary script. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Cross-site scripting vulnerability in Salon booking system versions prior to 7.9 allows a remote unauthenticated attacker to inject an arbitrary script. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Telepad allows an attacker (in a man-in-the-middle position between the server and a connected device) to see all data (including keypresses) in cleartext. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
A flaw was found in the Linux kernel Traffic Control (TC) subsystem. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.
Cross-Site Request Forgery (CSRF) vulnerability in Advanced Booking Calendar plugin <= 1.7.1 on WordPress. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Cross-site scripting (XSS) vulnerability in the Web UI of StackStorm versions prior to 3.8.0 allowed logged in users with write access to pack rules to inject arbitrary script or HTML that may be. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Phpgurukul User Registration & User Management System v3.0 was discovered to contain multiple stored cross-site scripting (XSS) vulnerabilities via the firstname and lastname parameters of the. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The BD BodyGuard™ infusion pumps specified allow for access through the RS-232 (serial) port interface. Rated medium severity (CVSS 5.3), this vulnerability is no authentication required. No vendor patch available.
Improper authentication vulnerability in WordPress versions prior to 6.0.3 allows a remote unauthenticated attacker to obtain the email address of the user who posted a blog using the WordPress Post. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
An issue was discovered in Sangoma Asterisk through 16.28, 17 and 18 through 18.14, 19 through 19.6, and certified through 18.9-cert1. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.