OneUptime is a solution for monitoring and managing online services. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Incorrect access control in the getSubUsersByProvider function of OpenCode Systems USSD Gateway OC Release: 5 Version 6.13.11 allows attackers with low-level privileges to dump user records and. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Tinyproxy through 1.11.2 contains an integer overflow vulnerability in the strip_return_port() function within src/reqs.c. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Formwork is a flat file-based Content Management System (CMS). Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
A reflected cross-site scripted (XSS) vulnerability in OpenCode Systems USSD Gateway OC Release: 5 allows attackers to execute arbitrary JavaScript in the context of a user's browser via injecting a. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
REDAXO is a PHP-based CMS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Stored Cross site scripting (XSS) vulnerability in Classroomio LMS 0.1.13 allows authenticated attackers to execute arbitrary code via crafted SVG cover images. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Stored Cross site scripting (XSS) vulnerability in Classroomio LMS 0.1.13 allows authenticated attackers to execute arbitrary code via crafted SVG profile pictures. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
An Insecure Direct Object Reference (IDOR) in classroomio 0.1.13 allows students to access sensitive admin/teacher endpoints by manipulating course IDs in URLs, resulting in unauthorized disclosure. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Incorrect access control in the /aux1/ocussd/trace endpoint of OpenCode Systems USSD Gateway OC Release:5, version 6.13.11 allows attackers with low-level privileges to read server logs. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
CMService.exe creates the C:\\usr directory and subdirectories with insecure permissions, granting write access to all authenticated users. Rated medium severity (CVSS 6.9), this vulnerability is low attack complexity. No vendor patch available.
In KDE Krita before 5.2.13, loading a manipulated TGA file could result in a heap-based buffer overflow in plugins/impex/tga/kis_tga_import.cpp (aka KisTgaImport). Rated medium severity (CVSS 6.7), this vulnerability is no authentication required. No vendor patch available.
pypdf is a free and open-source pure-python PDF library. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The mistral-dashboard plugin for openstack has a local file inclusion vulnerability through the 'Create Workbook' feature that may result in disclosure of arbitrary local files content. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 8.3 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that could have allowed an authenticated user with specific. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.3 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that under specific conditions could have allowed an. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Forge (also called `node-forge`) is a native implementation of Transport Layer Security in JavaScript. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Integer Overflow vulnerability could allow attackers to cause unexpected behavior through arithmetic overflow.
The Houzez theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.1.6 via deserialization of untrusted input in saved-search-item.php. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The users endpoint in the groov View API returns a list of all users and associated metadata including their API keys. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Houzez theme for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 4.1.6 due to insufficient input sanitization and output escaping. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
BPv7 dissector crash in Wireshark 4.6.0 allows denial of service. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
SQL injection vulnerability in Hive Metastore Server (HMS) when processing delete column statistics requests via the Thrift APIs. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Files is a module for managing files inside spaces and user profiles. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
GitLab has remediated an issue in GitLab EE affecting all versions from 13.7 before 18.4.5, 18.5 before 18.5.3, and 18.6 before 18.6.1 that could have allowed an authenticated user to view. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Caido is a web security auditing toolkit. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.