Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. [CVSS 7.5 HIGH]
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. [CVSS 7.5 HIGH]
We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. [CVSS 7.5 HIGH]
Imagedirector Capture versions up to 7.6.3.25808. is affected by use of hard-coded credentials (CVSS 7.5).
Imagedirector Capture versions up to 7.6.3.25808. is affected by use of a broken or risky cryptographic algorithm (CVSS 7.5).
NVIDIA Nsight Systems for Linux contains a vulnerability in the .run installer, where an attacker could cause an OS command injection by supplying a malicious string to the installation path. [CVSS 7.3 HIGH]
NVIDIA Nsight Systems contains a vulnerability in the gfx_hotspot recipe, where an attacker could cause an OS command injection by supplying a malicious string to the process_nsys_rep_cli.py script if the script is invoked manually. [CVSS 7.3 HIGH]
Applinx versions up to 11.1.0 is affected by improper verification of cryptographic signature (CVSS 7.3).
NVIDIA Nsight Visual Studio for Windows contains a vulnerability in Nsight Monitor where an attacker can execute arbitrary code with the same privileges as the NVIDIA Nsight Visual Studio Edition Monitor application. [CVSS 7.3 HIGH]
Remote code execution in BROWAN COMMUNICATIONS PrismX MX100 AP controller allows high-privileged remote attackers to upload arbitrary files and execute web shell backdoors without user interaction. This vulnerability affects administrators with elevated credentials and enables complete compromise of the affected access point. No patch is currently available to remediate this issue.
The NotificationX - FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via the 'nx-preview' POST parameter in all versions up to, and including, 3.2.0. [CVSS 7.2 HIGH]
Business Intelligence versions up to 7.6.0.0.0 contains a vulnerability that allows attackers to unauthorized creation, deletion or modification access to critical data or all O (CVSS 7.1).
A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. [CVSS 7.1 HIGH]
Vm Virtualbox versions up to 7.1.14 contains a vulnerability that allows attackers to unauthorized ability to cause a hang or frequently repeatable crash (complete DO (CVSS 7.1).
Vulnerability in the SQLcl component of Oracle Database Server. Supported versions that are affected are 23.4.0-23.26.0. [CVSS 7.0 HIGH]
Improper authentication in CRMEB up to version 5.6.3 allows remote attackers to manipulate the uid parameter in the LoginServices.php token handler to bypass authentication, despite requiring high complexity. Public exploit code exists for this vulnerability, though no patch is currently available from the vendor.
NVIDIA Nsight Systems for Windows contains a vulnerability in the application’s DLL loading mechanism where an attacker could cause an uncontrolled search path element by exploiting insecure DLL search paths. [CVSS 6.7 MEDIUM]
Unsafe code generation in binary-parser prior to version 2.3.0 allows remote code execution when processing untrusted input for parser field names or encoding parameters. Node.js applications using vulnerable versions of the library can be compromised to execute arbitrary JavaScript with process-level privileges. A patch is available and exploitation requires no authentication or user interaction.
ImageMagick versions prior to 7.1.2-13 fail to properly initialize buffer elements in the BilateralBlurImage method, leading to invalid pointer dereference and potential denial of service when memory allocation fails. An attacker can exploit this through network vectors to crash affected applications or trigger undefined behavior with high complexity requirements. A patch is available in version 7.1.2-13 and later.
Oracle Applications DBA versions 12.2.3-12.2.15 contain an authorization flaw in the Java utilities component that allows high-privileged attackers to gain unauthorized read and write access to sensitive data via HTTP. An authenticated attacker with administrative credentials can exploit this vulnerability to create, modify, or delete critical application data without restriction. A patch is available and should be prioritized for deployment in affected Oracle E-Business Suite environments.
Flexcube Universal Banking contains a vulnerability that allows attackers to unauthorized access to critical data or complete access to all Oracle FLEXCUBE U (CVSS 6.5).
Life Sciences Central Designer versions up to 7.0.1.0 contains a vulnerability that allows attackers to unauthorized access to critical data or complete access to all Oracle Life Scien (CVSS 6.5).
Mysql Server contains a vulnerability that allows attackers to unauthorized ability to cause a hang or frequently repeatable crash (complete DO (CVSS 6.5).
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 9.0.0-9.5.0. [CVSS 6.5 MEDIUM]
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 9.0.0-9.5.0. [CVSS 6.5 MEDIUM]
Agile Product Lifecycle Management For Process versions up to 6.2.4 is affected by cross-site scripting (xss) (CVSS 6.5).
Open5gs WebUI authentication can be bypassed by attackers who exploit the default hardcoded JWT signing key ("change-me") that is used when the JWT_SECRET_KEY environment variable is not configured. An attacker can forge valid JWT tokens to gain unauthorized access to the WebUI with limited confidentiality and integrity impacts. A patch is available to remediate this vulnerability by enforcing proper key configuration or using secure defaults.
The Bookingor WordPress plugin through 1.0.12 exposes authenticated AJAX actions without capability or nonce checks, allowing low-privileged users to delete Bookingor WordPress plugin through 1.0.12 data. [CVSS 6.5 MEDIUM]
Life Sciences Central Coding versions up to 7.0.1.0 contains a vulnerability that allows attackers to unauthorized update, insert or delete access to some of Oracle Life Sciences Cen (CVSS 6.5).
Life Sciences Central Designer versions up to 7.0.1.0 contains a vulnerability that allows attackers to unauthorized update, insert or delete access to some of Oracle Life Sciences Cen (CVSS 6.5).
Abacre Retail Point of Sale 14.0.0.396 is vulnerable to content-based blind SQL injection. The vulnerability exists in the Search function of the Orders page. [CVSS 6.5 MEDIUM]
Revive Adserver contains an authorization flaw in the tracker deletion function that permits authenticated users to delete trackers belonging to other accounts. An attacker with valid credentials can exploit this access control bypass to remove tracking objects outside their administrative scope, potentially disrupting competitor or other user operations. No patch is currently available for this vulnerability.
Stored cross-site scripting in FlatPM - Ad Manager plugin for WordPress up to version 3.2.2 allows authenticated contributors and higher-privileged users to inject malicious scripts through the rank_math_description field due to inadequate input sanitization. The injected scripts execute in the browsers of users viewing affected pages, potentially enabling credential theft, session hijacking, or other client-side attacks. No patch is currently available for this vulnerability.
Stored XSS in WordPress Head Meta Data plugin (versions up to 20251118) allows authenticated contributors and above to inject malicious scripts into post metadata that execute when users visit affected pages, due to inadequate input sanitization. An attacker with contributor-level access can exploit insufficient output escaping to persistently compromise page content across all site visitors. No patch is currently available for this vulnerability.
IBM ApplinX 11.1 is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. [CVSS 6.4 MEDIUM]
Sterling Connect\ versions up to express_adapter_for_sterling_b2b_integrator is affected by session fixation (CVSS 6.3).
Sterling Connect\ versions up to express_adapter_for_sterling_b2b_integrator is affected by insufficient session expiration (CVSS 6.3).
Sterling Connect\ versions up to express_adapter_for_sterling_b2b_integrator is affected by insufficient session expiration (CVSS 6.3).
Sterling Connect\ versions up to express_adapter_for_sterling_b2b_integrator is affected by cross-site scripting (xss) (CVSS 6.1).
Abacre Retail Point of Sale 14.0.0.396 is affected by a stored cross-site scripting (XSS) vulnerability in the Clients module. The application fails to properly sanitize user-supplied input stored in the Name and Surname fields. [CVSS 6.1 MEDIUM]
WorklogPRO - Jira Timesheets plugin in the Jira Data Center versions up to 4.24.2 is affected by cross-site scripting (xss) (CVSS 6.1).
URL parameters are directly embedded into JavaScript code or HTML attributes without proper encoding or sanitization. This allows attackers to inject arbitrary scripts when an authenticated user visits a crafted link. [CVSS 6.1 MEDIUM]
Revive Adserver's afr.php script contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts through crafted URLs targeting logged-in administrators. An attacker can exploit this to execute arbitrary JavaScript in an admin's browser session, potentially leading to unauthorized actions or credential theft. No patch is currently available for this vulnerability.
Revive Adserver's banner-acl.php script contains a reflected cross-site scripting vulnerability that allows attackers to execute arbitrary scripts in the browsers of authenticated administrators through a crafted URL. An attacker can inject malicious HTML payloads into vulnerable parameters, which execute when an admin visits the malicious link, potentially compromising administrative sessions and server configuration. No patch is currently available for this vulnerability.
Revive Adserver's banner-acl.php and channel-acl.php scripts contain reflected cross-site scripting vulnerabilities that allow attackers to execute arbitrary JavaScript in an administrator's browser by crafting malicious URLs. An authenticated attacker can exploit this to perform actions with administrative privileges if a logged-in admin visits the crafted link. No patch is currently available for this vulnerability affecting PHP-based Revive Adserver installations.
Unauthenticated attackers can exploit a cross-site request forgery vulnerability in Oracle PeopleSoft Enterprise HCM Human Resources 9.2 through the Company Directory/Org Chart Viewer component to read, modify, or delete sensitive employee data via HTTP with user interaction. The vulnerability requires a victim to click a malicious link but impacts multiple PeopleSoft products and modules beyond the initial target. No patch is currently available for this medium-severity issue (CVSS 6.1).
Peoplesoft Enterprise Peopletools versions up to 8.60 is affected by cross-site scripting (xss) (CVSS 6.1).
JD Edwards EnterpriseOne Tools versions 9.2.0.0 through 9.2.26.0 are vulnerable to cross-site scripting (XSS) in the Web Runtime SEC component, allowing unauthenticated attackers to manipulate data and read sensitive information through HTTP with user interaction. The vulnerability has network-wide scope, potentially compromising connected systems beyond the primary application. No patch is currently available.
Reflected cross-site scripting in Oracle E-Business Suite Scripting Admin (versions 12.2.3-12.2.15) allows unauthenticated attackers to modify or read sensitive data via malicious HTTP requests that require user interaction. The vulnerability can impact other Oracle products due to scope changes and currently lacks an available patch. CVSS 6.1 (Medium) reflects low-complexity network-based exploitation with confidentiality and integrity impacts.
Hospitality Opera 5 versions up to 5.6.19.23 contains a vulnerability that allows attackers to unauthorized update, insert or delete access to some of Oracle Hospitality OPERA (CVSS 6.1).