Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in markdown-it allows Cross-Site Scripting (XSS). Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability was identified in itsourcecode Apartment Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A flaw has been found in PHPGurukul Online Course Registration 3.1. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A security vulnerability has been detected in SourceCodester Online Bank Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A weakness has been identified in SourceCodester Online Bank Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A vulnerability was identified in PHPGurukul User Management System 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Incorrect access control in the component /controller/PersonController.java of jshERP v3.5 allows unauthorized attackers to obtain all the information of the handler by executing the getAllList. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Incorrect access control in the component \controller\SupplierController.java of jshERP v3.5 allows unauthorized attackers to arbitrarily modify the supplier status under any account. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Incorrect access control in the component \controller\UserController.java of jshERP v3.5 allows attackers to arbitrarily reset user account passwords and execute a horizontal privilege escalation. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
An attacker could exploit this vulnerability by uploading arbitrary files via the a specific endpoint, leading to unauthorized remote code execution or system compromise. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in ProveSource LTD ProveSource Social Proof allows Retrieve Embedded Sensitive Data.0.5. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 10.10.x <= 10.10.0, 10.9.x <= 10.9.3 fail to sanitize file names which allows users with file upload permission to overwrite file attachment. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A server-side request forgery (SSRF) vulnerability exists in the Liferay DXP 2025.Q2.0 through 2025.Q2.3 due to insecure domain validation on analytics.cloud.domain.allowed, allowing an attacker to. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper verification of cryptographic signature in Windows Certificates allows an unauthorized attacker to perform spoofing over a network. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 10.9.1 - 11.4 that may allow a remote, authenticated attacker to inject malicious a file with. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 10.9.1 - 11.4 that may allow a remote, authenticated attacker to inject malicious a file with. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 10.9.1 - 11.4 that may allow a remote, authenticated attacker to inject malicious a file with. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A stored cross-site scripting (XSS) vulnerability exists ArcGIS HUB and ArcGIS Enterprise Sites which allows an authenticated user with the ability to create or edit a site to add and store an XSS. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 10.9.1 - 11.4 that may allow a remote, authenticated attacker to inject malicious a file with. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
An attacker could exploit this vulnerability by uploading arbitrary files via a specific service, which could lead to system compromise. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Dell iDRAC Service Module (iSM), versions prior to 6.0.3.0, contains an Incorrect Permission Assignment for Critical Resource vulnerability. Rated medium severity (CVSS 5.3), this vulnerability is low attack complexity. No vendor patch available.
Phproject is a high performance full-featured project management system. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Username enumeration vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability was determined in yeqifu carRental up to 3fabb7eae93d209426638863980301d6f99866b3. Rated medium severity (CVSS 5.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.0, 10.9.x <= 10.9.3 fail to validate import data which allows a system admin to crash the server via the. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
WeGIA is a Web manager for charitable institutions. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
WeGIA is a Web manager for charitable institutions. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
WeGIA is a Web manager for charitable institutions. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
WeGIA is a Web manager for charitable institutions. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Cross-site scripting (XSS) vulnerability in the component /common/reports of Akaunting v3.1.18 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the name. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
An issue in the component /settings/localisation of Akaunting v3.1.18 allows authenticated attackers to cause a Denial of Service (DoS) via a crafted POST request. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
{border: 1px solid #cccccc;}br {mso-data-placement:same-cell;}-->A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.3.132, and Liferay DXP 2025.Q1.0 through. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A Stored cross-site scripting vulnerability in the Liferay Portal 7.4.0 t through 7.4.3.132, and Liferay DXP 2025.Q2.0, 2025.Q1.0 through 2025.Q1.13, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A vulnerability has been found in yarnpkg Yarn up to 1.22.22. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
A flaw was found in org.keycloak/keycloak-model-storage-service. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
vite-plugin-static-copy is rollup-plugin-copy for Vite with dev server support. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
UnoPim is an open-source Product Information Management (PIM) system built on the Laravel framework. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. Rated medium severity (CVSS 5.2), this vulnerability is no authentication required, low attack complexity. This Buffer Copy without Size Check vulnerability could allow attackers to overflow a buffer to corrupt adjacent memory.
SQL Injection in the listdomains function in Easy Hosting Control Panel (EHCP) 20.04.1.b allows authenticated attackers to access or manipulate database contents via the arananalan POST parameter. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
MCCMS 2.7.0 is vulnerable to Arbitrary file deletion in the Backups.php component. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
An XML external entities (XXE) injection vulnerability in the /init API endpoint in Exagid EX10 before 6.4.0 P20, 7.0.1 P12, and 7.2.0 P08 allows an authenticated, unprivileged attacker to achieve. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The Bible SuperSearch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘selector_height’ parameter in all versions up to, and including, 6.0.1 due to insufficient input. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fails to sanitize path traversal sequences in template file destination paths, which allows a system admin. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2, 10.10.x <= 10.10.0 fail to validate upload types in remote cluster upload sessions which allows a system. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fail to sanitize the team invite ID in the POST /api/v4/teams/:teamId/restore endpoint which allows an team. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Mattermost versions 10.9.x <= 10.9.1, 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate file paths during plugin import operations which allows restricted admin users to. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The SlingBlocks - Gutenberg Blocks by FunnelKit (Formerly WooFunnels) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown block's attributes in all versions. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the give_update_payment_status(). Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.
Group-Office versions prior to 6.8.119 and prior to 25.0.20 provided by Intermesh BV contain a path traversal vulnerability. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Group-Office versions prior to 6.8.119 and prior to 25.0.20 provided by Intermesh BV contain a cross-site scripting vulnerability. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.