Vulnerabilites CVE
Base de donnees CVE enrichie avec CISA KEV et NVD
| CVE ID | CVSS | Severite | KEV | Observations |
|---|---|---|---|---|
| CVE-2023-24026 In MISP 2.4.167, app/webroot/js/event-graph.js has an XSS vulnerability via an event-graph preview payload. | 6.1 | MEDIUM | — | 0 |
| CVE-2023-24027 In MISP 2.4.167, app/webroot/js/action_table.js allows XSS via a network history name. | 6.1 | MEDIUM | — | 0 |
| CVE-2023-24028 In MISP 2.4.167, app/Controller/Component/ACLComponent.php has incorrect access control for the decaying import function. | 9.8 | CRITICAL | — | 0 |
| CVE-2020-36655 Yii Yii2 Gii before 2.2.2 allows remote attackers to execute arbitrary code via the Generator.php messageCategory field. The attacker can embed arbitrary PHP code into the model file. | 8.8 | HIGH | — | 0 |
| CVE-2023-24038 The HTML-StripScripts module through 1.06 for Perl allows _hss_attval_style ReDoS because of catastrophic backtracking for HTML content with certain style attributes. | 7.5 | HIGH | — | 0 |
| CVE-2023-24039 A stack-based buffer overflow in ParseColors in libXm in Common Desktop Environment 1.6 can be exploited by local low-privileged users via the dtprintinfo setuid binary to escalate their privileges to... | 7.8 | HIGH | — | 0 |
| CVE-2023-22884 Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Apache Software Foundation Apache Airflow, Apache Software Foundation Apache Airflow MySQL Provider... | 9.8 | CRITICAL | — | 0 |
| CVE-2023-22617 A remote attacker might be able to cause infinite recursion in PowerDNS Recursor 4.8.0 via a DNS query that retrieves DS records for a misconfigured domain, because QName minimization is used in QM fa... | 7.5 | HIGH | — | 0 |
| CVE-2021-24881 The Passster WordPress plugin before 3.5.5.9 does not properly check for password, as well as that the post to be viewed is public, allowing unauthenticated users to bypass the protection offered by t... | 7.5 | HIGH | — | 0 |
| CVE-2023-24044 A Host Header Injection issue on the Login page of Plesk Obsidian through 18.0.49 allows attackers to redirect users to malicious websites via a Host request header. NOTE: the vendor's position is "th... | 6.1 | MEDIUM | — | 0 |
| CVE-2023-24056 In pkgconf through 1.9.3, variable duplication can cause unbounded string expansion due to incorrect checks in libpkgconf/tuple.c:pkgconf_tuple_parse. For example, a .pc file containing a few hundred ... | 5.5 | MEDIUM | — | 0 |
| CVE-2023-24058 Booked Scheduler 2.5.5 allows authenticated users to create and schedule events for any other user via a modified userId value to reservation_save.php. NOTE: 2.5.5 is a version from 2014; the latest v... | 4.3 | MEDIUM | — | 0 |
| CVE-2023-24059 Grand Theft Auto V for PC allows attackers to achieve partial remote code execution or modify files on a PC, as exploited in the wild in January 2023. | 7.3 | HIGH | — | 0 |
| CVE-2022-48281 processCropSelections in tools/tiffcrop.c in LibTIFF through 4.5.0 has a heap-based buffer overflow (e.g., "WRITE of size 307203") via a crafted TIFF image. | 5.5 | MEDIUM | — | 0 |
| CVE-2022-46959 An issue in the component /admin/backups/work-dir of Sonic v1.0.4 allows attackers to execute a directory traversal. | 4.3 | MEDIUM | — | 0 |
| CVE-2021-43444 ONLYOFFICE all versions as of 2021-11-08 is affected by Incorrect Access Control. Signed document download URLs can be forged due to a weak default URL signing key. | 7.5 | HIGH | — | 0 |
| CVE-2021-43445 ONLYOFFICE all versions as of 2021-11-08 is affected by Incorrect Access Control. An attacker can authenticate with the web socket service of the ONLYOFFICE document editor which is protected by JWT a... | 9.8 | CRITICAL | — | 0 |
| CVE-2021-43446 ONLYOFFICE all versions as of 2021-11-08 is vulnerable to Cross Site Scripting (XSS). The "macros" feature of the document editor allows malicious cross site scripting payloads to be used. | 6.1 | MEDIUM | — | 0 |
| CVE-2021-43447 ONLYOFFICE all versions as of 2021-11-08 is affected by Incorrect Access Control. An authentication bypass in the document editor allows attackers to edit documents without authentication. | 7.5 | HIGH | — | 0 |
| CVE-2021-43448 ONLYOFFICE all versions as of 2021-11-08 is vulnerable to Improper Input Validation. A lack of input validation can allow an attacker to spoof the names of users who interact with a document, if the d... | 5.3 | MEDIUM | — | 0 |
| CVE-2021-43449 ONLYOFFICE all versions as of 2021-11-08 is vulnerable to Server-Side Request Forgery (SSRF). The document editor service can be abused to read and serve arbitrary URLs as a document. | 8.1 | HIGH | — | 0 |
| CVE-2022-0316 The WeStand WordPress theme before 2.1, footysquare WordPress theme, aidreform WordPress theme, statfort WordPress theme, club-theme WordPress theme, kingclub-theme WordPress theme, spikes WordPress t... | 9.8 | CRITICAL | — | 0 |
| CVE-2022-3425 The Analyticator WordPress plugin before 6.5.6 unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable g... | 7.2 | HIGH | — | 0 |
| CVE-2022-3811 The EU Cookie Law for GDPR/CCPA WordPress plugin through 3.1.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scri... | 4.8 | MEDIUM | — | 0 |
| CVE-2022-41505 An access control issue on TP-LInk Tapo C200 V1 devices allows physically proximate attackers to obtain root access by connecting to the UART pins, interrupting the boot process, and setting an init=/... | 6.4 | MEDIUM | — | 0 |
| CVE-2022-4017 The Booster for WooCommerce WordPress plugin before 6.0.1, Booster Plus for WooCommerce WordPress plugin before 6.0.1, Booster Elite for WooCommerce WordPress plugin before 6.0.1 have either flawed CS... | 8.8 | HIGH | — | 0 |
| CVE-2022-4230 The WP Statistics WordPress plugin before 13.2.9 does not escape a parameter, which could allow authenticated users to perform SQL Injection attacks. By default, the affected feature is available to u... | 8.8 | HIGH | — | 0 |
| CVE-2022-4303 The WP Limit Login Attempts WordPress plugin through 2.6.4 prioritizes getting a visitor's IP from certain HTTP headers over PHP's REMOTE_ADDR, which makes it possible to bypass IP-based restrictions ... | 7.5 | HIGH | — | 0 |
| CVE-2022-4305 The Login as User or Customer WordPress plugin before 3.3 lacks authorization checks to ensure that users are allowed to log in as another one, which could allow unauthenticated attackers to obtain a ... | 9.8 | CRITICAL | — | 0 |
| CVE-2022-4307 The پلاگین پرداخت دلخواه WordPress plugin before 2.9.3 does not sanitise and escape some parameters, allowing unauthenticated attackers to send a request with XSS payloads, which will be triggered whe... | 6.1 | MEDIUM | — | 0 |
| CVE-2022-4323 The Analyticator WordPress plugin before 6.5.6 unserializes user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable g... | 7.2 | HIGH | — | 0 |
| CVE-2022-4346 The All-In-One Security (AIOS) WordPress plugin before 5.1.3 leaked settings of the plugin publicly, including the used email address. | 5.3 | MEDIUM | — | 0 |
| CVE-2022-4383 The CBX Petition for WordPress plugin through 1.0.3 does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading ... | 9.8 | CRITICAL | — | 0 |
| CVE-2022-4443 The BruteBank WordPress plugin before 1.9 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack. | 6.5 | MEDIUM | — | 0 |
| CVE-2022-4467 The Search & Filter WordPress plugin before 1.2.16 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as ... | 5.4 | MEDIUM | — | 0 |
| CVE-2022-4474 The Easy Social Feed WordPress plugin before 6.4.0 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as ... | 5.4 | MEDIUM | — | 0 |
| CVE-2022-4475 The Collapse-O-Matic WordPress plugin before 1.8.3 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as ... | 5.4 | MEDIUM | — | 0 |
| CVE-2022-4485 The Page-list WordPress plugin before 5.3 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contribut... | 5.4 | MEDIUM | — | 0 |
| CVE-2022-4509 The Content Control WordPress plugin before 1.1.10 does not validate and escapes some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as... | 5.4 | MEDIUM | — | 0 |
| CVE-2022-4542 The Compact WP Audio Player WordPress plugin before 1.9.8 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as ... | 5.4 | MEDIUM | — | 0 |
| CVE-2022-4545 The Sitemap WordPress plugin before 4.4 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor... | 5.4 | MEDIUM | — | 0 |
| CVE-2022-4548 The Optimize images ALT Text & names for SEO using AI WordPress plugin before 2.0.8 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin ... | 6.5 | MEDIUM | — | 0 |
| CVE-2022-40034 Cross-Site Scripting (XSS) vulnerability found in Rawchen blog-ssm v1.0 allows attackers to execute arbitrary code via the 'notifyInfo' parameter. | 5.4 | MEDIUM | — | 0 |
| CVE-2022-4570 The Top 10 WordPress plugin before 3.2.3 does not validate and escape some of its Block attributes before outputting them back in the page, which could allow users with a role as low as contributor to... | 5.4 | MEDIUM | — | 0 |
| CVE-2022-4576 The Easy Bootstrap Shortcode WordPress plugin through 4.5.4 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role a... | 5.4 | MEDIUM | — | 0 |
| CVE-2022-4624 The GS Logo Slider WordPress plugin before 3.3.8 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as co... | 5.4 | MEDIUM | — | 0 |
| CVE-2022-4625 The Login Logout Menu WordPress plugin before 1.4.0 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as... | 5.4 | MEDIUM | — | 0 |
| CVE-2022-4627 The ShiftNav WordPress plugin before 1.7.2 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contribu... | 5.4 | MEDIUM | — | 0 |
| CVE-2022-4629 The Product Slider for WooCommerce WordPress plugin before 2.6.4 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a r... | 5.4 | MEDIUM | — | 0 |
| CVE-2022-4650 The HashBar WordPress plugin before 1.3.6 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting... | 5.4 | MEDIUM | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.