In MISP before 2.4.187, __uploadLogo in app/Controller/OrganisationsController.php does not properly check for a valid logo upload. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Authentication Bypass by Primary Weakness vulnerability in XPodas Octopod allows Authentication Bypass. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/reports/activitylogreport, 'sortby' parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/default/reports/exportactiveuserrpt, 'sort_name' parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/default/reports/activeuserrptpdf, 'sort_name' parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/reports/businessunits/format/html, 'bunitname' parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/empscreening/add, 'agencyids' parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/index/getdepartments/sentrifugo/index.php/index/updatecontactnumber, 'id' parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
SQL injection vulnerability in Sentrifugo 3.2, through /sentrifugo/index.php/index/getdepartments/format/html, 'business_id' parameter./sentrifugo/index.php/index/getdepartments/format/html,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A SQL Injection has been found on SCAN_VISIO eDocument Suite Web Viewer of Abast. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Download of Code Without Integrity Check vulnerability in Apache Doris. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Weak access control in OpenText PVCS Version Manager allows potential bypassing of authentication and uploading of files. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Weak access control in OpenText PVCS Version Manager allows potential bypassing of authentication and download of files. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Use of Hard-coded Credentials in Kiloview NDI allows un-authenticated users to bypass authenticationThis issue affects Kiloview NDI N3, N3-s, N4, N20, N30, N40 and was fixed in Firmware version. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Wasmi is an efficient and lightweight WebAssembly interpreter with a focus on constrained and embedded systems. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Write vulnerability could allow attackers to write data beyond allocated buffer boundaries leading to code execution or crashes.
TOMP Bare Server implements the TompHTTP bare server. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The File Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 7.2.4. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.
Shenzhen Libituo Technology Co., Ltd LBT-T300-mini v1.2.9 was discovered to contain a buffer overflow via the pin_code_3g parameter at /apply.cgi. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Datalust Seq before 2023.4.11151 and 2024 before 2024.1.11146 has Incorrect Access Control because a Project Owner or Organization Owner can escalate to System privileges. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Unrestricted Upload of File with Dangerous Type vulnerability in Gesundheit Bewegt GmbH Zippy.6.9. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
SQL injection vulnerability exists in GetDIAE_astListParameters. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Path traversal attack is possible and write outside of the intended directory and may access sensitive information. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
SQL injection vulnerability exists in GetDIAE_slogListParameters. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
SQL injection vulnerability exists in GetDIAE_unListParameters. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
SQL injection vulnerability exists in the script Handler_CFG.ashx. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Privileges are not fully verified server-side, which can be abused by a user with limited privileges to bypass authorization and access privileged functionality. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
SQL injection vulnerability exists in the script DIAE_tagHandler.ashx. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
An OS Command Injection vulnerability in Kiloview NDI allows a low-privileged user to execute arbitrary code remotely on the device with high privileges.02.0227 . Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability was found in OpenBMB XAgent 1.0.0. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. No vendor patch available.
Xbox Gaming Services Elevation of Privilege Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. No vendor patch available.
Deno is a JavaScript, TypeScript, and WebAssembly runtime. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
A Cross-Site Request Forgery (CSRF) vulnerability in gradio-app/gradio allows attackers to upload multiple large files to a victim's system if they are running Gradio locally. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Minder is a software supply chain security platform. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Coder allows oragnizations to provision remote development environments via Terraform. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
It is possible to perform a path traversal attack and write outside of the intended directory. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Weak password recovery mechanism in CDeX application allows to retrieve password reset token.7.1. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In JetBrains TeamCity before 2023.11 users with access to the agent machine might obtain permissions of the user running the agent process. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
A memory leak flaw was found in Golang in the RSA encrypting/decrypting code, which might lead to a resource exhaustion vulnerability using attacker-controlled inputs. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The Kerlink firewall in ChirpStack chirpstack-mqtt-forwarder before 4.2.1 and chirpstack-gateway-bridge before 4.0.11 wrongly accepts certain TCP packets when a connection is not in the ESTABLISHED. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
The Apollo Router is a graph router written in Rust to run a federated supergraph that uses Apollo Federation. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Frappe is a full-stack web application framework. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
OpenZeppelin Contracts is a library for secure smart contract development. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. This Out-of-bounds Read vulnerability could allow attackers to read data from memory outside the intended buffer boundaries.
Out-of-bounds Write vulnerability in Apache Commons Configuration.0 before 2.10.1. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in YITHEMES YITH WooCommerce Product Add-Ons yith-woocommerce-product-add-ons.5.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Florian 'fkrauthan' Krauthan allows Reflected XSS.7.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in typps Calendarista Basic Edition calendarista-basic-edition.0.2. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Cross-Site Request Forgery (CSRF) vulnerability in Optimole Super Page Cache for Cloudflare allows Stored XSS.7.5. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Open redirection vulnerability in CDeX application allows to redirect users to arbitrary websites via a specially crafted URL.7.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An issue in zuoxingdong lagom v.0.1.2 allows a local attacker to execute arbitrary code via the pickle_load function of the serialize.py file. Rated medium severity (CVSS 6.6), this vulnerability is low attack complexity. No vendor patch available.
A vulnerability in David Artiss Code Embed simple-embed-code.3.6. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.