Trimble Cityworks asset management platform contains a deserialization vulnerability allowing authenticated users to achieve remote code execution on the IIS web server hosting the application.
WhoDB open-source database management tool allows unauthenticated path traversal to access any SQLite3 database on the host machine. Beyond data exposure, affected versions enable reading sensitive system files and executing arbitrary commands through SQLite extensions, achieving full server compromise.
An SQL injection vulnerability in the pjActionGetUser function of PHPJabbers Cinema Booking System v2.0 allows attackers to manipulate database queries via the column parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Tiny File Manager v2.4.7 and below is vulnerable to session fixation. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A rate limiting issue in Sylius v2.0.2 allows a remote attacker to perform unrestricted brute-force attacks on user accounts, significantly increasing the risk of account compromise and denial of. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
An issue in Kanaries Inc Pygwalker before v.0.4.9.9 allows a remote attacker to obtain sensitive information and execute arbitrary code via the redirect_path parameter of the login redirection. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
OpenPLC_V3 contains an arbitrary file upload vulnerability, which could be leveraged for malvertising or phishing campaigns. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Forever KidsWatch Call Me KW-50 R36_YDR_A3PW_GM7S_V1.0_2019_07_15_16.19.24_cob_h and Forever KidsWatch Call Me KW-60 R36CW_YDE_S4_A29_2_V1.0_2023.05.24_22.49.44_cob_b allow a malicious user to gain. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Built-in SMS-configuration command in Forever KidsWatch Call Me KW50 R36_YDR_A3PW_GM7S_V1.0_2019_07_15_16.19.24_cob_h and Forever KidsWatch Call Me 2 KW-60. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Honeywell OneWireless Wireless Device Manager (WDM) for the following versions R310.x, R320.x, R321.x, R322.1, R322.2, R323.x, R330.1 contains a command injection vulnerability. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Sandbox escape in the JavaScript Task feature of Google Cloud Application Integration allows an actor to execute arbitrary unsandboxed code via crafted JavaScript code executed by the Rhino engine. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
MDC is a tool to take regular Markdown and write documents interacting deeply with a Vue component. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
IBM Security Verify Directory 10.0.0 through 10.0.3 could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability classified as problematic has been found in Mindskip xzs-mysql 学之思开源考试系统 3.9.0. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Forever KidsWatch Call Me KW50 R36_YDR_A3PW_GM7S_V1.0_2019_07_15_16.19.24_cob_h, and Forever KidsWatch Call Me 2 KW60 R36CW_YDE_S4_A29_2_V1.0_2023.05.24_22.49.44_cob_b have a Hardcoded password. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An issue in deep-diver LLM-As-Chatbot before commit 99c2c03 allows a remote attacker to execute arbitrary code via the modelsbyom.py component. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Tiny File Manager v2.4.7 and below was discovered to contain a Cross Site Scripting (XSS) vulnerability. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
The Platform component of Mitel OpenScape 4000 and OpenScape 4000 Manager through V10 R1.54.1 and V11 through R0.22.1 could allow an authenticated attacker to conduct a privilege escalation attack. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Buffer overflow vulnerability exists in Defense Platform Home Edition Ver.3.9.51.x and earlier. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. No vendor patch available.
Unprotected Windows messaging channel ('Shatter') issue exists in Defense Platform Home Edition Ver.3.9.51.x and earlier. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. No vendor patch available.
Execution with unnecessary privileges issue exists in Defense Platform Home Edition Ver.3.9.51.x and earlier. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. No vendor patch available.
Unprotected Windows messaging channel ('Shatter') issue exists in Defense Platform Home Edition Ver.3.9.51.x and earlier. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. No vendor patch available.
Server-side request forgery (ssrf) in Microsoft Dynamics 365 Sales allows an authorized attacker to elevate privileges over a network. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Similarly to CVE-2024-34055, Apache James is vulnerable to denial of service through the abuse of IMAP literals from both authenticated and unauthenticated users, which could be used to cause. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The LikeBot WordPress plugin through 0.85 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WhoDB is an open source database management tool. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Cross Site Request Forgery (CSRF) in Users.php in SourceCodester Packers and Movers Management System 1.0 allows attackers to create unauthorized admin accounts via crafted requests sent to an. Rated medium severity (CVSS 4.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
The Lite UI of Apache ShardingSphere ElasticJob-UI allows an attacker to perform RCE by constructing a special JDBC URL of H2 database.0.1 and prior versions. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable. No vendor patch available.
A vulnerability has been identified in GoldPanKit eva-server v4.1.0. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Forever KidsWatch Call Me KW-50 R36_YDR_A3PW_GM7S_V1.0_2019_07_15_16.19.24_cob_h is vulnerable to MITM attack. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
2N Access Commander version 2.1 and prior is vulnerable in default settings to Man In The Middle attack due to not verifying certificates of 2N edge devices. Rated high severity (CVSS 8.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Cross Site Scripting vulnerability in Gilnei Moraes phpABook v.0.9 allows a remote attacker to execute arbitrary code via the rol parameter in index.php. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
IBM Security Verify Access Appliance 10.0.0 through 10.0.3 could allow a locally authenticated user to increase their privileges due to execution with unnecessary privileges. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.
The Platform component of Mitel OpenScape 4000 and OpenScape 4000 Manager V11 R0.22.0 through V11 R0.22.1, V10 R1.54.0 through V10 R1.54.1, and V10 R1.42.6 and earlier could allow an unauthenticated. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Input verification vulnerability in the ExternalStorageProvider module Impact: Successful exploitation of this vulnerability may affect service confidentiality. Rated high severity (CVSS 7.7), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
On Darwin, building a Go module which contains CGO can trigger arbitrary code execution when using the Apple version of ld, due to usage of the @executable_path, @loader_path, or @rpath special. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In Newgensoft OmniDocs 11.0_SP1_03_006, Insecure Direct Object Reference (IDOR) in the getuserproperty function allows user's configuration and PII to be stolen. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Forever KidsWatch Call Me KW-50 R36_YDR_A3PW_GM7S_V1.0_2019_07_15_16.19.24_cob_h suffers from Cleartext Transmission of Sensitive Information due to lack of encryption in device-server communication. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The The CURCY - Multi Currency for WooCommerce - The best free currency exchange plugin - Run smoothly on WooCommerce 9.x plugin for WordPress is vulnerable to arbitrary shortcode execution via the. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
NetMod VPN Client 5.3.1 is vulnerable to DLL injection, allowing an attacker to execute arbitrary code by placing a malicious DLL in a directory where the application loads dependencies. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
IBM EntireX 11.1 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Certain HP LaserJet Pro printers may potentially experience a denial of service when a user sends a raw JPEG file to the printer via IPP (Internet Printing Protocol). Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Out-of-bounds write vulnerability in the emcom module Impact: Successful exploitation of this vulnerability may cause features to perform abnormally. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Vulnerability of improper log information control in the UI framework module Impact: Successful exploitation of this vulnerability may affect service confidentiality. Rated medium severity (CVSS 6.6), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Apache James server JMAP HTML to text plain implementation in versions below 3.8.2 and 3.7.6 is subject to unbounded memory consumption that can result in a denial of service. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Post and Page Builder by BoldGrid - Visual Drag and Drop Editor plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.27.6 via the template_via_url(). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.