Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AjaxNetworkController.ajaxAction() that allows an authenticated low-privileged observer user to inject SQL via. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AjaxDeviceController.ajaxDeviceAction() that allows an authenticated low-privileged observer user to inject. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AppManagementController.appUpgradeAction() that allows an authenticated low-privileged observer user to inject. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Advantech WebAccess/VPN versions prior to 1.1.5 contain a command injection vulnerability in AppManagementController.appUpgradeAction() that allows an authenticated system administrator to execute. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Advantech WebAccess/VPN versions prior to 1.1.5 contain an absolute path traversal via AjaxStandaloneVpnClientsController.ajaxDownloadRoadWarriorConfigFileAction() that allows an authenticated. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Advantech WebAccess/VPN versions prior to 1.1.5 contain a stored cross-site scripting (XSS) vulnerability via StandaloneVpnClientsController.addStandaloneVpnClientAction(). Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Advantech WebAccess/VPN versions prior to 1.1.5 contain a stored cross-site scripting (XSS) vulnerability via NetworksController.addNetworkAction(). Rated medium severity (CVSS 6.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Netgate pfSense CE Suricata Path Traversal Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 26.7% and no vendor patch available.
A Server-Side Request Forgery (SSRF) vulnerability, achievable through an XML External Entity (XXE) injection, exists in MetInfo Content Management System (CMS) thru 8.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A Server-Side Request Forgery (SSRF) in the /api/proxy/ component of linshenkx prompt-optimizer v1.3.0 to v1.4.2 allows attackers to scan internal resources via a crafted request. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Dell Integrated Dell Remote Access Controller 9, 14G versions prior to 7.00.00.181, 15G and 16G versions 6.10.80.00 through 7.20.10.50 and Dell Integrated Dell Remote Access Controller 10, 17G. Rated medium severity (CVSS 6.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
containerd is an open-source container runtime. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity.
An issue was discovered in AnyDesk through 9.0.4. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
An issue was discovered in AnyDesk for Windows before 9.0.5, AnyDesk for macOS before 9.0.1, AnyDesk for Linux before 7.0.0, AnyDesk for iOS before 7.1.2, and AnyDesk for Android before 8.0.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
An issue was discovered in AnyDesk for Windows before 9.0.5, AnyDesk for macOS before 9.0.1, AnyDesk for Linux before 7.0.0, AnyDesk for iOS before 7.1.2, and AnyDesk for Android before 8.0.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
An issue was discovered in AnyDesk for Windows before 9.0.6 and AnyDesk for Android before 8.0.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
A reflected XSS vulnerability exists in CMSimple_XH 1.8's index.php router when attacker-controlled path segments are not sanitized or encoded before being inserted into the generated HTML. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
An unauthenticated reflected cross-site scripting vulnerability in the query handling of CMSimpleXH allows remote attackers to inject and execute arbitrary JavaScript in a victim's browser via a. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Rejected reason: Not a security vulnerability. No vendor patch available.
Improper access control in Devolutions allows a View-only user to retrieve sensitive third-level nested fields, such as password lists custom values, resulting in password disclosure.3.2.0 through. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper privilege management during pre-MFA cookie handling in Devolutions Server allows a low-privileged authenticated user to impersonate another account by replaying the pre-MFA cookie.This does. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A maliciously crafted file, when executed on the victim's machine, can lead to privilege escalation to NT AUTHORITY/SYSTEM due to an insufficient validation of loaded binaries. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Unrestricted Upload of File with Dangerous Type vulnerability in KingAddons.com King Addons for Elementor king-addons allows Upload a Web Shell to a Web Server.1.36. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Incorrect Privilege Assignment vulnerability in KingAddons.com King Addons for Elementor king-addons allows Privilege Escalation.1.36. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in icopydoc Import from YML import-from-yml allows Reflected XSS.1.17. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Conference Theme Custom Post Type grandconference-custom-post allows Reflected. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in appscreo Easy Social Share Buttons easy-social-share-buttons3 allows Reflected XSS.7.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pluggabl Booster for WooCommerce woocommerce-jetpack allows Reflected XSS.2.5. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
alexusmai laravel-file-manager 3.3.1 is vulnerable to Cross Site Scripting (XSS). Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ido Kobelkowsky Simple Payment simple-payment.4.6. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Amauri WPMobile.App wpappninja.App: from n/a through <= 11.71. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Unrestricted Upload of File with Dangerous Type vulnerability in Rometheme RTMKit rometheme-for-elementor.6.5. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass Using an Alternate Path or Channel vulnerability in Elated-Themes Search & Go search-and-go allows Password Recovery Exploitation.7. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brainstorm Force SureRank surerank.3.2. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in favethemes Houzez Theme - Functionality houzez-theme-functionality.2.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AndonDesign UDesign Core u-design-core.14.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Unrestricted Upload of File with Dangerous Type vulnerability in Case-Themes Case Addons case-addons.3.0. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodexThemes TheGem Theme Elements (for WPBakery) thegem-elements.10.5.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodexThemes TheGem (Elementor) thegem-elementor.10.5.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in YOP YOP Poll yop-poll.5.37. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in uxper Togo togo.0.4. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in uxper Togo togo.0.4. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Incorrect Privilege Assignment vulnerability in uxper Togo togo.0.4. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Cloud Library td-cloud-library allows DOM-Based XSS.9.2. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Composer td-composer.4.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Composer td-composer.4.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusTheme ITok itok.1.42. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodexThemes TheGem (Elementor) thegem-elementor.10.5. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodexThemes TheGem thegem.10.5. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusTheme Famita famita allows PHP Local File Inclusion.54. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.