The Alt Text AI - Automatically generate image alt text for SEO and accessibility plugin for WordPress is vulnerable to generic SQL Injection via the ‘last_post_id’ parameter in all versions up to,. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A specially crafted Zip file containing path traversal characters can be imported to the CyberPower PowerPanel server, which allows file writing to the server outside the intended scope, and could. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
An attacker with certain MQTT permissions can create malicious messages to all CyberPower PowerPanel devices. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Insecure Permissions vulnerability in VITEC AvediaServer (Model avsrv-m8105) 8.6.2-1 allows a remote attacker to escalate privileges via a crafted script. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Base64 Encoder/Decoder WordPress plugin through 0.9.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
The month name translation benaceur WordPress plugin before 2.3.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
In Progress® Telerik® Reporting versions prior to 2024 Q2 (18.1.24.514), a code execution attack is possible through an insecure instantiation vulnerability. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
SUBNET Solutions Inc. Rated high severity (CVSS 8.6), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
A vulnerability in the web-based management interface of Cisco AsyncOS Software for Cisco Secure Email and Web Manager could allow an authenticated, remote attacker to conduct an XSS attack against a. Rated high severity (CVSS 8.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
If misconfigured, alpitronic Hypercharger EV charging devices can expose a web interface protected by authentication. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The HL Twitter WordPress plugin through 2014.1.18 does not have CSRF check when unlinking twitter accounts, which could allow attackers to make logged in admins perform such actions via a CSRF attack. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Insufficient verification of data authenticity in the installer for Zoom Workplace VDI App for Windows may allow an authenticated user to conduct an escalation of privilege via local access. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
A vulnerability in the Tail-f High Availability Cluster Communications (HCC) function pack of Cisco Crosswork Network Services Orchestrator (NSO) could allow an authenticated, local attacker to. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
In Progress® Telerik® Reporting versions prior to 2024 Q2 (18.1.24.2.514), a code execution attack is possible by a local threat actor through an insecure deserialization vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Acrobat Reader versions 20.005.30574, 24.002.20736 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Acrobat Reader versions 20.005.30574, 24.002.20736 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary code execution in the context of the current. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Acrobat Reader versions 20.005.30574, 24.002.20736 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Acrobat Reader versions 20.005.30574, 24.002.20736 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Acrobat Reader versions 20.005.30574, 24.002.20736 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Acrobat Reader versions 20.005.30574, 24.002.20736 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Acrobat Reader versions 20.005.30574, 24.002.20736 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Acrobat Reader versions 20.005.30574, 24.002.20736 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Acrobat Reader versions 20.005.30574, 24.002.20736 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
The key used to encrypt passwords stored in the database can be found in the CyberPower PowerPanel application code, allowing the passwords to be recovered. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Certain MQTT wildcards are not blocked on the CyberPower PowerPanel system, which might result in an attacker obtaining data from throughout the system after gaining access to any device. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Server Side Request Forgery vulnerability has been discovered in OpenText™ iManager 3.2.6.0200. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Server Side Request Forgery vulnerability has been discovered in OpenText™ iManager 3.2.6.0200. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A memory corruption vulnerability in SdHost and SdMmcDevice in Insyde InsydeH2O kernel 5.2 before 05.29.09, kernel 5.3 before 05.38.09, kernel 5.4 before 05.46.09, kernel 5.5 before 05.54.09, and. Rated high severity (CVSS 7.4). No vendor patch available.
A memory corruption vulnerability in HddPassword in Insyde InsydeH2O kernel 5.2 before 05.29.09, kernel 5.3 before 05.38.09, kernel 5.4 before 05.46.09, kernel 5.5 before 05.54.09, and kernel 5.6. Rated high severity (CVSS 7.4). No vendor patch available.
A memory corruption vulnerability in StorageSecurityCommandDxe in Insyde InsydeH2O before kernel 5.2: IB19130163 in 05.29.07, kernel 5.3: IB19130163 in 05.38.07, kernel 5.4: IB19130163 in 05.46.07,. Rated high severity (CVSS 7.4). No vendor patch available.
In the Linux kernel through 6.9, an untrusted hypervisor can inject virtual interrupts 0 and 14 at any point in time and can trigger the SIGFPE signal handler in userspace applications. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. No vendor patch available.
A vulnerability in the Network Access Manager (NAM) module of Cisco Secure Client could allow an unauthenticated attacker with physical access to an affected device to elevate privileges to SYSTEM. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Stalwart Mail Server is an open-source mail server. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A local code execution vulnerability is possible in Telerik UI for WinForms beginning in v2021.1.122 but prior to v2024.2.514. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.
Buffer overflow in some Zoom Workplace Apps and SDK’s may allow an authenticated user to conduct a denial of service via network access. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The WPZOOM Addons for Elementor (Templates, Widgets) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widget Image Box in all versions up to, and including, 1.1.36. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
The Visual Portfolio, Photo Gallery & Post Grid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘title_tag’ parameter in all versions up to, and including, 3.3.2 due to. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The devices which CyberPower PowerPanel manages use identical certificates based on a hard-coded cryptographic key. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Install-type password disclosure vulnerability in Universal Installer including the Silent Installer in TIBCO Hawk versions 6.2.0, 6.2.1, 6.2.2 and 6.2.3 allows user's Enterprise Message Service. Rated medium severity (CVSS 6.5), this vulnerability is low attack complexity. No vendor patch available.
An information disclosure vulnerability exists in Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, allows low-privilege attacker to read systems file via XML External Entity. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In Bonitasoft runtime Community edition, the lack of dynamic permissions causes IDOR vulnerability. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An improper access control was identified in the Identity Security Cloud (ISC) message server API that allowed an authenticated user to exfiltrate job processing metadata (opaque messageIDs, work. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A security issue was discovered in azure-file-csi-driver where an actor with access to the driver logs could observe service account tokens. Rated medium severity (CVSS 6.5), this vulnerability is low attack complexity. No vendor patch available.
The Mega Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Button widget in all versions up to, and including, 1.2.1 due to insufficient input sanitization. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
The Sina Extension for Elementor (Slider, Gallery, Form, Modal, Data Table, Tab, Particle, Free Elementor Widgets & Elementor Templates) plugin for WordPress is vulnerable to Stored Cross-Site. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Image Optimization by Optimole - Lazy Load, CDN, Convert WebP & AVIF plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘allow_meme_types’ function in versions up to, and. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Gutenberg Blocks with AI by Kadence WP - Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the typer effect in the advanced heading widget in all. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Team Member widget in all versions up to, and including, 2.6.9.6 due to insufficient input. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
A Header Injection vulnerability in the JFrog platform in versions below 7.85.0 (SaaS) and 7.84.7 (Self-Hosted) may allow threat actors to take over the end user's account when clicking on a. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
The Base64 Encoder/Decoder WordPress plugin through 0.9.2 does not have CSRF check when updating its settings, and is missing sanitisation as well as escaping, which could allow attackers to make. Rated low severity (CVSS 2.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.