Skip to main content
CVE-2023-29778 CRITICAL POC THREAT Emergency

GL.iNET MT3000 4.1.0 Release 2 is vulnerable to OS Command Injection via /usr/lib/oui-httpd/rpc/logread. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 17.7%.

Command Injection Gl Mt3000 Firmware
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
17.7%
Threat
4.0
CVE-2023-2479 CRITICAL POC PATCH THREAT Act Now

OS Command Injection in GitHub repository appium/appium-desktop prior to v1.22.3-4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Command Injection Appium Desktop
NVD GitHub
CVSS 3.1
9.8
EPSS
22.0%
CVE-2023-30869 CRITICAL POC PATCH Act Now

Improper Authentication vulnerability in Easy Digital Downloads plugin allows unauth. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Privilege Escalation Authentication Bypass Easy Digital Downloads
NVD
CVSS 3.1
9.8
EPSS
3.1%
CVE-2023-1730 CRITICAL POC THREAT Act Now

The SupportCandy WordPress plugin before 3.1.5 does not validate and escape user input before using it in an SQL statement, which could allow unauthenticated attackers to perform SQL injection attacks. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi Supportcandy
NVD WPScan
CVSS 3.1
9.8
EPSS
40.6%
CVE-2023-31433 HIGH POC This Week

A SQL injection issue in Logbuch in evasys before 8.2 Build 2286 and 9.x before 9.0 Build 2401 allows authenticated attackers to execute SQL statements via the welche parameter. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Evasys
NVD
CVSS 3.1
8.8
EPSS
0.9%
CVE-2023-1196 HIGH POC This Week

The Advanced Custom Fields (ACF) Free and Pro WordPress plugins 6.x before 6.1.0 and 5.x before 5.12.5 unserialize user controllable data, which could allow users with a role of Contributor and above. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress PHP Deserialization Advanced Custom Fields
NVD WPScan
CVSS 3.1
8.8
EPSS
1.1%
CVE-2023-31435 HIGH POC This Week

Multiple components (such as Onlinetemplate-Verwaltung, Liste aller Teilbereiche, Umfragen anzeigen, and questionnaire previews) in evasys before 8.2 Build 2286 and 9.x before 9.0 Build 2401 allow. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Evasys
NVD
CVSS 3.1
8.1
EPSS
0.7%
CVE-2023-30403 HIGH POC THREAT This Week

An issue in the time-based authentication mechanism of Aigital Aigital Wireless-N Repeater Mini_Router v0.131229 allows attackers to bypass login by connecting to the web app after a successful. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Wireless N Repeater Mini Router Firmware
NVD
CVSS 3.1
7.5
EPSS
13.8%
CVE-2023-1809 HIGH POC This Week

The Download Manager WordPress plugin before 6.3.0 leaks master key information without the need for a password, allowing attackers to download arbitrary password-protected package files. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation WordPress Download Manager
NVD WPScan
CVSS 3.1
7.5
EPSS
0.7%
CVE-2023-1669 HIGH POC THREAT This Week

The SEOPress WordPress plugin before 6.5.0.3 unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress PHP Deserialization Seopress
NVD WPScan
CVSS 3.1
7.2
EPSS
18.5%
CVE-2023-0924 HIGH POC This Week

The ZYREX POPUP WordPress plugin through 1.0 does not validate the type of files uploaded when creating a popup, allowing a high privileged user (such as an Administrator) to upload arbitrary files,. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload WordPress Popup
NVD WPScan
CVSS 3.1
7.2
EPSS
1.0%
CVE-2023-1125 MEDIUM POC This Month

The Ruby Help Desk WordPress plugin before 1.3.4 does not ensure that the ticket being modified belongs to the user making the request, allowing an attacker to close and/or add files and replies to. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Authentication Bypass Ruby Help Desk
NVD WPScan
CVSS 3.1
6.5
EPSS
0.6%
CVE-2023-2477 MEDIUM POC This Month

A vulnerability was found in Funadmin up to 3.2.3. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP XSS Funadmin
NVD VulDB
CVSS 3.1
6.1
EPSS
0.5%
CVE-2023-1805 MEDIUM POC This Month

The Product Catalog Feed by PixelYourSite WordPress plugin before 2.1.1 does not sanitise and escape the page parameter before outputting it back in an attribute, leading to a Reflected Cross-Site. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Product Catalog Feed
NVD WPScan
CVSS 3.1
6.1
EPSS
0.5%
CVE-2023-1804 MEDIUM POC This Month

The Product Catalog Feed by PixelYourSite WordPress plugin before 2.1.1 does not sanitise and escape the edit parameter before outputting it back in an attribute, leading to a Reflected Cross-Site. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Product Catalog Feed
NVD WPScan
CVSS 3.1
6.1
EPSS
0.5%
CVE-2023-1546 MEDIUM POC This Month

The MyCryptoCheckout WordPress plugin before 2.124 does not escape some URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Mycryptocheckout
NVD WPScan
CVSS 3.1
6.1
EPSS
0.9%
CVE-2023-26089 CRITICAL Act Now

European Chemicals Agency IUCLID 6.x before 6.27.6 allows authentication bypass because a weak hard-coded secret is used for JWT signing. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Iuclid
NVD
CVSS 3.1
9.8
EPSS
1.1%
CVE-2023-29856 CRITICAL Act Now

D-Link DIR-868L Hardware version A1, firmware version 1.12 is vulnerable to Buffer Overflow. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow D-Link Dir 868l Firmware
NVD
CVSS 3.1
9.8
EPSS
0.9%
CVE-2023-27892 MEDIUM POC PATCH This Month

Insufficient length checks in the ShapeShift KeepKey hardware wallet firmware before 7.7.0 allow a global buffer overflow via crafted messages. Rated medium severity (CVSS 5.7), this vulnerability is no authentication required. Public exploit code available.

Buffer Overflow Information Disclosure Keepkey Firmware
NVD GitHub
CVSS 3.1
5.7
EPSS
0.5%
CVE-2023-31434 MEDIUM POC This Month

The parameters nutzer_titel, nutzer_vn, and nutzer_nn in the user profile, and langID and ONLINEID in direct links, in evasys before 8.2 Build 2286 and 9.x before 9.0 Build 2401 do not validate. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Evasys
NVD
CVSS 3.1
5.4
EPSS
0.5%
CVE-2023-29918 MEDIUM POC This Month

RosarioSIS 10.8.4 is vulnerable to CSV injection via the Periods Module. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Code Injection Rosariosis
NVD Exploit-DB
CVSS 3.1
5.4
EPSS
2.2%
CVE-2023-2476 MEDIUM POC This Month

A vulnerability was found in Dromara J2eeFAST up to 2.6.0. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS J2Eefast
NVD VulDB
CVSS 3.1
5.4
EPSS
0.5%
CVE-2023-2475 MEDIUM POC This Month

A vulnerability was found in Dromara J2eeFAST up to 2.6.0 and classified as problematic. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS J2Eefast
NVD VulDB
CVSS 3.1
5.4
EPSS
0.5%
CVE-2023-1861 MEDIUM POC THREAT This Month

The Limit Login Attempts WordPress plugin through 1.7.2 does not sanitize and escape usernames when outputting them back in the logs dashboard, which could allow any authenticated users, such as. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Limit Login Attempts
NVD WPScan
CVSS 3.1
5.4
EPSS
28.8%
CVE-2023-0891 MEDIUM POC This Month

The StagTools WordPress plugin before 2.3.7 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Stagtools
NVD WPScan
CVSS 3.1
5.4
EPSS
0.4%
CVE-2023-30943 MEDIUM POC PATCH This Month

The vulnerability was found Moodle which exists because the application allows a user to control path of the older to create in TinyMCE loaders. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Moodle Extra Packages For Enterprise Linux Fedora
NVD
CVSS 3.1
5.3
EPSS
6.6%
CVE-2023-29772 MEDIUM POC THREAT This Month

A Cross-site scripting (XSS) vulnerability in the System Log/General Log page of the administrator web UI in ASUS RT-AC51U wireless router firmware version up to and including 3.0.0.4.380.8591 allows. Rated medium severity (CVSS 5.2), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Rt Ac51U Firmware
NVD
CVSS 3.1
5.2
EPSS
11.2%
CVE-2023-26546 HIGH This Week

European Chemicals Agency IUCLID before 6.27.6 allows remote authenticated users to execute arbitrary code via Server Side Template Injection (SSTI) with a crafted template file. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Code Injection Iuclid
NVD
CVSS 3.1
8.8
EPSS
1.4%
CVE-2023-32007 HIGH PATCH This Week

** UNSUPPORTED WHEN ASSIGNED ** The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache Command Injection Spark
NVD
CVSS 3.1
8.8
EPSS
75.8%
CVE-2023-1614 MEDIUM POC This Month

The WP Custom Author URL WordPress plugin before 1.0.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Wp Custom Author Url
NVD WPScan
CVSS 3.1
4.8
EPSS
0.5%
CVE-2023-1554 MEDIUM POC This Month

The Quick Paypal Payments WordPress plugin before 5.7.26.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Quick Paypal Payments
NVD WPScan
CVSS 3.1
4.8
EPSS
0.5%
CVE-2023-1525 MEDIUM POC This Month

The Site Reviews WordPress plugin before 6.7.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Site Reviews
NVD WPScan
CVSS 3.1
4.8
EPSS
0.5%
CVE-2023-1090 MEDIUM POC This Month

The SMTP Mailing Queue WordPress plugin before 2.0.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Smtp Mailing Queue
NVD GitHub WPScan
CVSS 3.1
4.8
EPSS
0.5%
CVE-2023-1021 MEDIUM POC This Month

The amr ical events lists WordPress plugin through 6.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS Amr Ical Events List
NVD WPScan
CVSS 3.1
4.8
EPSS
0.4%
CVE-2023-2474 MEDIUM POC This Month

A vulnerability has been found in Rebuild 3.2 and classified as problematic. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Rebuild
NVD VulDB
CVSS 3.1
4.3
EPSS
0.4%
CVE-2023-1911 MEDIUM POC This Month

The Blocksy Companion WordPress plugin before 1.8.82 does not ensure that posts to be accessed via a shortcode are already public and can be viewed, allowing any authenticated users, such as. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress Authentication Bypass Blocksy Companion
NVD WPScan
CVSS 3.1
4.3
EPSS
0.5%
CVE-2023-21666 HIGH PATCH This Week

Memory Corruption in Graphics while accessing a buffer allocated through the graphics pool. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Memory Leak vulnerability could allow attackers to exhaust available memory leading to denial of service.

Buffer Overflow Wcn3998 Firmware Qca6390 Firmware Wcn685X 5 Firmware Wcn685X 1 Firmware +161
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2023-21665 HIGH PATCH This Week

Memory corruption in Graphics while importing a file. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity.

Buffer Overflow 315 5g Iot Modem Firmware 9206 Lte Modem Firmware Apq8017 Firmware Apq8052 Firmware +216
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2023-21642 HIGH This Week

Memory corruption in HAB Memory management due to broad system privileges via physical address. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Buffer Overflow Authentication Bypass Qam8295p Firmware Qca6574au Firmware Qca6696 Firmware +10
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2023-30861 HIGH PATCH This Week

Flask is a lightweight WSGI web application framework. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Python Information Disclosure Flask
NVD GitHub
CVSS 3.1
7.5
EPSS
1.3%
CVE-2023-30944 HIGH PATCH This Week

The vulnerability was found Moodle which exists due to insufficient sanitization of user-supplied data in external Wiki method for listing pages. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This SQL Injection vulnerability could allow attackers to execute arbitrary SQL commands against the database.

SQLi Moodle Extra Packages For Enterprise Linux Fedora
NVD
CVSS 3.1
7.3
EPSS
1.1%
CVE-2023-29868 MEDIUM This Month

Zammad 5.3.x (Fixed in 5.4.0) is vulnerable to Incorrect Access Control. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Zammad
NVD
CVSS 3.1
6.5
EPSS
1.0%
CVE-2023-29867 MEDIUM This Month

Zammad 5.3.x (Fixed 5.4.0) is vulnerable to Incorrect Access Control. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Zammad
NVD
CVSS 3.1
6.5
EPSS
0.5%
CVE-2023-31207 MEDIUM This Month

Transmission of credentials within query parameters in Checkmk <= 2.1.0p26, <= 2.0.0p35, and <= 2.2.0b6 (beta) may cause the automation user's secret to be written to the site Apache access log. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Apache Information Disclosure Checkmk
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2023-2000 MEDIUM This Month

Mattermost Desktop App fails to validate a mattermost server redirection and navigates to an arbitrary website. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Mattermost Open Redirect Mattermost Desktop
NVD
CVSS 3.1
5.4
EPSS
0.4%
CVE-2023-26268 MEDIUM This Month

Design documents with matching document IDs, from databases on the same cluster, may share a mutable Javascript environment when using these design document functions: * validate_doc_update * list *. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Couchdb Cloudant
NVD
CVSS 3.1
5.3
EPSS
1.4%
CVE-2023-2247 MEDIUM This Month

In affected versions of Octopus Deploy it is possible to unmask variable secrets using the variable preview function. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Octopus Deploy
NVD
CVSS 3.1
5.3
EPSS
0.4%
CVE-2023-2445 MEDIUM This Month

Improper access control in Subscriptions Folder path filter in Devolutions Server 2023.1.1 and earlier allows attackers with administrator privileges to retrieve usage information on folders in user. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Devolutions Server
NVD
CVSS 3.1
4.9
EPSS
1.0%
CVE-2023-23723 MEDIUM This Month

Auth. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Wp Email Capture
NVD
CVSS 3.1
4.8
EPSS
0.4%
CVE-2023-2473 MEDIUM This Month

A vulnerability was found in Dreamer CMS up to 4.1.3. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Java Information Disclosure Dreamer Cms
NVD VulDB
CVSS 3.1
4.3
EPSS
0.9%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy