CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2023-4674 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Yaztek Software Technologies and Computer Systems E-Commerce Software allows SQL Injection.This is... | 9.8 | CRITICAL | β | 0 |
| CVE-2023-41544 SSTI injection vulnerability in jeecg-boot version 3.5.3, allows remote attackers to execute arbitrary code via crafted HTTP request to the /jmreport/loadTableData component. | 9.8 | CRITICAL | β | 0 |
| CVE-2023-20101 A vulnerability in Cisco Emergency Responder could allow an unauthenticated, remote attacker to log in to an affected device using the root account, which has default, static credentials that cannot b... | 9.8 | CRITICAL | β | 0 |
| CVE-2013-2513 The flash_tool gem through 0.6.0 for Ruby allows command execution via shell metacharacters in the name of a downloaded file. | 9.8 | CRITICAL | β | 0 |
| CVE-2023-6593 Client side permission bypass in Devolutions Remote Desktop Manager 2023.3.4.0 and earlier on iOS allows an attacker that has access to the application to execute entries in a SQL data source withou... | 9.8 | CRITICAL | β | 0 |
| CVE-2023-44807 D-Link DIR-820L 1.05B03 has a stack overflow vulnerability in the cancelPing function. | 9.8 | CRITICAL | β | 0 |
| CVE-2023-45239 A lack of input validation exists in tac_plus prior to commit 4fdf178 which, when pre or post auth commands are enabled, allows an attacker who can control the username, rem-addr, or NAC address sent ... | 9.8 | CRITICAL | β | 0 |
| CVE-2023-41543 SQL injection vulnerability in jeecg-boot v3.5.3, allows remote attackers to escalate privileges and obtain sensitive information via the component /sys/replicate/check. | 9.8 | CRITICAL | β | 0 |
| CVE-2023-41542 SQL injection vulnerability in jeecg-boot version 3.5.3, allows remote attackers to escalate privileges and obtain sensitive information via the jmreport/qurestSql component. | 9.8 | CRITICAL | β | 0 |
| CVE-2023-43364 main.py in Searchor before 2.4.2 uses eval on CLI input, which may cause unexpected code execution. | 9.8 | CRITICAL | β | 0 |
| CVE-2023-45311 fsevents before 1.2.11 depends on the https://fsevents-binaries.s3-us-west-2.amazonaws.com URL, which might allow an adversary to execute arbitrary code if any JavaScript project (that depends on fsev... | 9.8 | CRITICAL | β | 0 |
| CVE-2023-50035 PHPGurukul Small CRM 3.0 is vulnerable to SQL Injection on the Users login panel because of "password" parameter is directly used in the SQL query without any sanitization and the SQL Injection payloa... | 9.8 | CRITICAL | β | 0 |
| CVE-2023-50578 Mingsoft MCMS v5.2.9 was discovered to contain a SQL injection vulnerability via the categoryType parameter at /content/list.do. | 9.8 | CRITICAL | β | 0 |
| CVE-2023-20819 In CDMA PPP protocol, there is a possible out of bounds write due to a missing bounds check. This could lead to remote escalation of privilege with no additional execution privilege needed. User inter... | 9.8 | CRITICAL | β | 0 |
| CVE-2023-4541 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ween Software Admin Panel allows SQL Injection.This issue affects Admin Panel: through 20231229.Β ... | 9.8 | CRITICAL | β | 0 |
| CVE-2023-45199 Mbed TLS 3.2.x through 3.4.x before 3.5 has a Buffer Overflow that can lead to remote Code execution. | 9.8 | CRITICAL | β | 0 |
| CVE-2023-4675 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in GM Information Technologies MDO allows SQL Injection.This issue affects MDO: through 20231229.Β N... | 9.8 | CRITICAL | β | 0 |
| CVE-2023-46456 In GL.iNET GL-AR300M routers with firmware 3.216 it is possible to inject arbitrary shell commands through the OpenVPN client file upload functionality. | 9.8 | CRITICAL | β | 0 |
| CVE-2023-48049 A SQL injection vulnerability in Cybrosys Techno Solutions Website Blog Search (aka website_search_blog) v. 13.0 through 13.0.1.0.1 allows a remote attacker to execute arbitrary code and to gain privi... | 9.8 | CRITICAL | β | 0 |
| CVE-2024-0705 The Stripe Payment Plugin for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including, 3.7.9 due to insufficient escaping on the use... | 9.8 | CRITICAL | β | 0 |
| CVE-2023-40954 A SQL injection vulnerability in Grzegorz Marczynski Dynamic Progress Bar (aka web_progress) v. 11.0 through 11.0.2, v12.0 through v12.0.2, v.13.0 through v13.0.2, v.14.0 through v14.0.2.1, v.15.0 thr... | 9.8 | CRITICAL | β | 0 |
| CVE-2023-5716 ASUS Armoury Crate has a vulnerability in arbitrary file write and allows remote attackers to access or modify arbitrary files by sending specific HTTP requests without permission. | 9.8 | CRITICAL | β | 0 |
| CVE-2023-6979 The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ivole_import_upload_csv AJAX action in all versions up to, ... | 9.8 | CRITICAL | β | 0 |
| CVE-2023-48050 SQL injection vulnerability in Cams Biometrics Zkteco, eSSL, Cams Biometrics Integration Module with HR Attendance (aka odoo-biometric-attendance) v. 13.0 through 16.0.1 allows a remote attacker to ex... | 9.8 | CRITICAL | β | 0 |
| CVE-2023-48371 ITPison OMICARD EDMβs file uploading function does not restrict upload of file with dangerous type. An unauthenticated remote attacker can exploit this vulnerability to upload and run arbitrary execut... | 9.8 | CRITICAL | β | 0 |
| CVE-2023-47577 An issue discovered in Relyum RELY-PCIe 22.2.1 and RELY-REC 23.1.0 allows for unauthorized password changes due to no check for current password. | 9.8 | CRITICAL | β | 0 |
| CVE-2023-48372 ITPison OMICARD EDM 's SMS-related function has insufficient validation for user input. An unauthenticated remote attacker can exploit this vulnerability to inject arbitrary SQL commands to access, mo... | 9.8 | CRITICAL | β | 0 |
| CVE-2023-48376 SmartStar Software CWS is a web-based integration platform, its file uploading function does not restrict upload of file with dangerous type. An unauthenticated remote attacker can exploit this vulner... | 9.8 | CRITICAL | β | 0 |
| CVE-2023-5399 A CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause tampering of files on the personal computer running C-Bus when using... | 9.8 | CRITICAL | β | 0 |
| CVE-2023-5391 A CWE-502: Deserialization of untrusted data vulnerability exists that could allow an attacker to execute arbitrary code on the targeted system by sending a specifically crafted packet to the appli... | 9.8 | CRITICAL | β | 0 |
| CVE-2023-48384 ArmorX Global Technology Corporation ArmorX Spam has insufficient validation for user input within a special function. An unauthenticated remote attacker can exploit this vulnerability to inject arbit... | 9.8 | CRITICAL | β | 0 |
| CVE-2023-48388 Multisuns EasyLog web+ has a vulnerability of using hard-coded credentials. An remote attacker can exploit this vulnerability to access the system to perform arbitrary system operations or disrupt ser... | 9.8 | CRITICAL | β | 0 |
| CVE-2023-48390 Multisuns EasyLog web+ has a code injection vulnerability. An unauthenticated remote attacker can exploit this vulnerability to inject code and access the system to perform arbitrary system operation... | 9.8 | CRITICAL | β | 0 |
| CVE-2023-48392 Kaifa Technology WebITR is an online attendance system, it has a vulnerability in using hard-coded encryption key. An unauthenticated remote attacker can generate valid token parameter and exploit thi... | 9.8 | CRITICAL | β | 0 |
| CVE-2023-36619 Atos Unify OpenScape Session Border Controller through V10 R3.01.03 allows execution of administrative scripts by unauthenticated users. | 9.8 | CRITICAL | β | 0 |
| CVE-2023-6567 The LearnPress plugin for WordPress is vulnerable to time-based SQL Injection via the βorder_byβ parameter in all versions up to, and including, 4.2.5.7 due to insufficient escaping on the user suppli... | 9.8 | CRITICAL | β | 0 |
| CVE-2024-0204 Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal. | 9.8 | CRITICAL | β | 0 |
| CVE-2023-7221 A vulnerability was found in Totolink T6 4.1.9cu.5241_B20210923. It has been classified as critical. This affects the function main of the file /cgi-bin/cstecgi.cgi?action=login of the component HTTP ... | 9.8 | CRITICAL | β | 0 |
| CVE-2023-5806 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mergen Software Quality Management System allows SQL Injection.This issue affects Quality Manageme... | 9.8 | CRITICAL | β | 0 |
| CVE-2024-0642 Inadequate access control in the C21 Live Encoder and Live Mosaic product, version 5.3. This vulnerability allows a remote attacker to access the application as an administrator user through the appli... | 9.8 | CRITICAL | β | 0 |
| CVE-2024-22916 In D-LINK Go-RT-AC750 v101b03, the sprintf function in the sub_40E700 function within the cgibin is susceptible to stack overflow. | 9.8 | CRITICAL | β | 0 |
| CVE-2024-23057 TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the tz parameter in the setNtpCfg function. | 9.8 | CRITICAL | β | 0 |
| CVE-2023-52042 An issue discovered in sub_4117F8 function in TOTOLINK X6000R V9.4.0cu.852_B20230719 allows attackers to run arbitrary commands via the 'lang' parameter. | 9.8 | CRITICAL | β | 0 |
| CVE-2023-50002 Tenda W30E V16.01.0.12(4843) was discovered to contain a stack overflow via the function formRebootMeshNode. | 9.8 | CRITICAL | β | 0 |
| CVE-2023-50001 Tenda W30E V16.01.0.12(4843) was discovered to contain a stack overflow via the function formUpgradeMeshOnline. | 9.8 | CRITICAL | β | 0 |
| CVE-2023-50000 Tenda W30E V16.01.0.12(4843) was discovered to contain a stack overflow via the function formResetMeshNode. | 9.8 | CRITICAL | β | 0 |
| CVE-2023-49999 Tenda W30E V16.01.0.12(4843) was discovered to contain a command injection vulnerability via the function setUmountUSBPartition. | 9.8 | CRITICAL | β | 0 |
| CVE-2023-49410 Tenda W30E V16.01.0.12(4843) was discovered to contain a stack overflow via the function via the function set_wan_status. | 9.8 | CRITICAL | β | 0 |
| CVE-2023-49403 Tenda W30E V16.01.0.12(4843) was discovered to contain a command injection vulnerability via the function setFixTools. | 9.8 | CRITICAL | β | 0 |
| CVE-2023-51972 Tenda AX1803 v1.0.0.1 was discovered to contain a command injection vulnerability via the function fromAdvSetLanIp. | 9.8 | CRITICAL | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.