Subscribe, build a custom feed, or pitch a sponsorship at hello@acadenix.com
Latest intel// live feed
CVE-2023-5448 — Aviplugins Wp_register_profile_with_shortcode: The WP Register Profile With Shortcode plugin for WordPress is vulnerable to Cross-Site Request
The WP Register Profile With Shortcode plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.5.9. This is due to missing or incorrect nonce validation on the update_password_validate function. This makes it possible for unauthenticated attackers to reset a user's password via a forged request granted they can trick the user into performing an action such as clicking on a link. CVSSv3.1 8.8 (HIGH) · EPSS 45th percentile
CVE-2023-26999 — Netscout Ngeniusone: An issue found in NetScout nGeniusOne v.6.3.4 allows a remote attacker to execute arbitrary
An issue found in NetScout nGeniusOne v.6.3.4 allows a remote attacker to execute arbitrary code and cause a denial of service via a crafted file. CVSSv3.1 9.8 (CRITICAL) · EPSS 69th percentile
CVE-2023-50643 — Evernote Evernote: An issue in Evernote Evernote for MacOS v.10.68.2 allows a remote attacker to execute
An issue in Evernote Evernote for MacOS v.10.68.2 allows a remote attacker to execute arbitrary code via the RunAsNode and enableNodeClilnspectArguments components. CVSSv3.1 9.8 (CRITICAL) · EPSS 80th percentile
CVE-2023-47890 — Pyload Pyload: 0.5.0 is vulnerable to Unrestricted File Upload.
pyLoad 0.5.0 is vulnerable to Unrestricted File Upload. CVSSv3.1 8.8 (HIGH) · EPSS 61th percentile
CVE-2023-45559 — Linecorp Line: An issue in Tamaki_hamanoki Line v.13.6.1 allows attackers to send crafted notifications via leakage
An issue in Tamaki_hamanoki Line v.13.6.1 allows attackers to send crafted notifications via leakage of the channel access token. CVSSv3.1 8.2 (HIGH) · EPSS 39th percentile
CVE-2023-6600 — Daan Omgf: plugin for WordPress is vulnerable to unauthorized modification of data and Stored Cross-Site Scripting
The OMGF | GDPR/DSGVO Compliant, Faster Google Fonts. Easy. plugin for WordPress is vulnerable to unauthorized modification of data and Stored Cross-Site Scripting due to a missing capability check on the update_settings() function hooked via admin_init in all versions up to, and including, 5.7.9. This makes it possible for unauthenticated attackers to update the plugin's settings which can be used to inject Cross-Site Scripting payloads and delete entire directories. PLease CVSSv3.1 8.6 (HIGH) · EPSS 40th percentile
CVE-2023-47458 — Bladex Springblade: An issue in SpringBlade v.3.7.0 and before allows a remote attacker to escalate privileges
An issue in SpringBlade v.3.7.0 and before allows a remote attacker to escalate privileges via the lack of permissions control framework. CVSSv3.1 9.8 (CRITICAL) · EPSS 51th percentile
CVE-2023-6436 — Ekolbilisim Web_sablonu_yazilimi: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ekol Informatics Website Template allows SQL Injection. This issue affects Website Template: through 20231215. CVSSv3.1 9.8 (CRITICAL)
CVE-2023-50651 — Totolink X6000r_firmware: X6000R v9.4.0cu.852_B20230719 was discovered to contain a remote command execution (RCE) vulnerability via
TOTOLINK X6000R v9.4.0cu.852_B20230719 was discovered to contain a remote command execution (RCE) vulnerability via the component /cgi-bin/cstecgi.cgi. CVSSv3.1 9.8 (CRITICAL) · EPSS 74th percentile
CVE-2023-4675 — Gmbilisim Multi-disciplinary_design_optimization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in GM Information Technologies MDO allows SQL Injection. This issue affects MDO: through 20231229. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. CVSSv3.1 9.8 (CRITICAL) · EPSS 25th percentile
CVE-2023-4541 — Ween Management_panel: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ween Software Admin Panel allows SQL Injection. This issue affects Admin Panel: through 20231229. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. CVSSv3.1 9.8 (CRITICAL) · EPSS 34th percentile
CVE-2023-46987 — Seacms Seacms: v12.9 was discovered to contain a remote code execution (RCE) vulnerability via the
SeaCMS v12.9 was discovered to contain a remote code execution (RCE) vulnerability via the component /augap/adminip.php. CVSSv3.1 8.8 (HIGH) · EPSS 72th percentile
CVE-2023-4671 — Talentyazilim Ecop: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Talent Software ECOP allows Command Line Execution through SQL Injection. This issue affects ECOP: before 32255. CVSSv3.1 9.8 (CRITICAL) · EPSS 21th percentile
CVE-2023-6879 — Aomedia Aomedia: Increasing the resolution of video frames, while performing a multi-threaded encode, can result in
Increasing the resolution of video frames, while performing a multi-threaded encode, can result in a heap overflow in av1_loop_restoration_dealloc(). CVSSv3.1 9.0 (CRITICAL) · EPSS 63th percentile
CVE-2023-6190 — Ikcu University_information_management_system: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in İzmir
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in İzmir Katip Çelebi University University Information Management System allows Absolute Path Traversal. This issue affects University Information Management System: before 30.11.2023. CVSSv3.1 9.8 (CRITICAL)
CVE-2023-7002 — Backupbliss Backup_migration: The Backup Migration plugin for WordPress is vulnerable to OS Command Injection in all
The Backup Migration plugin for WordPress is vulnerable to OS Command Injection in all versions up to, and including, 1.3.9 via the 'url' parameter. This vulnerability allows authenticated attackers, with administrator-level permissions and above, to execute arbitrary commands on the host operating system. CVSSv3.1 7.2 (HIGH) · EPSS 96th percentile
CVE-2023-6972 — Backupbliss Backup_migration: The Backup Migration plugin for WordPress is vulnerable to Path Traversal in all versions
The Backup Migration plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.9 via the 'content-backups' and 'content-name', 'content-manifest', or 'content-bmitmp' and 'content-identy' HTTP headers. This makes it possible for unauthenticated attackers to delete arbitrary files, including the wp-config.php file, which can make site takeover and remote code execution possible. CVSSv3.1 9.8 (CRITICAL) · EPSS 95th percentile
CVE-2023-6145 — Softomi Advanced_c2c_marketplace_software: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in İstanbul Soft Informatics and Consultancy Limited Company Softomi Advanced C2C Marketplace Software allows SQL Injection. This issue affects Softomi Advanced C2C Marketplace Software: before 12122023. CVSSv3.1 9.8 (CRITICAL) · EPSS 34th percentile
CVE-2023-50992 — Tenda I29_firmware: i29 v1.0 V1.0.0.5 was discovered to contain a stack overflow via the ip
Tenda i29 v1.0 V1.0.0.5 was discovered to contain a stack overflow via the ip parameter in the setPing function. CVSSv3.1 9.8 (CRITICAL) · EPSS 54th percentile
CVE-2023-50990 — Tenda I29_firmware: i29 v1.0 V1.0.0.5 was discovered to contain a buffer overflow via the rebootTime
Tenda i29 v1.0 V1.0.0.5 was discovered to contain a buffer overflow via the rebootTime parameter in the sysScheduleRebootSet function. CVSSv3.1 9.8 (CRITICAL) · EPSS 54th percentile
CVE-2023-50989 — Tenda I29_firmware: i29 v1.0 V1.0.0.5 was discovered to contain a command injection vulnerability via the
Tenda i29 v1.0 V1.0.0.5 was discovered to contain a command injection vulnerability via the pingSet function. CVSSv3.1 9.8 (CRITICAL) · EPSS 81th percentile
CVE-2023-50988 — Tenda I29_firmware: i29 v1.0 V1.0.0.5 was discovered to contain a buffer overflow via the bandwidth
Tenda i29 v1.0 V1.0.0.5 was discovered to contain a buffer overflow via the bandwidth parameter in the wifiRadioSetIndoor function. CVSSv3.1 9.8 (CRITICAL) · EPSS 54th percentile
CVE-2023-50987 — Tenda I29_firmware: i29 v1.0 V1.0.0.5 was discovered to contain a buffer overflow via the time
Tenda i29 v1.0 V1.0.0.5 was discovered to contain a buffer overflow via the time parameter in the sysTimeInfoSet function. CVSSv3.1 9.8 (CRITICAL) · EPSS 54th percentile
CVE-2023-50986 — Tenda I29_firmware: i29 v1.0 V1.0.0.5 was discovered to contain a buffer overflow via the time
Tenda i29 v1.0 V1.0.0.5 was discovered to contain a buffer overflow via the time parameter in the sysLogin function. CVSSv3.1 9.8 (CRITICAL) · EPSS 54th percentile
CVE-2023-50985 — Tenda I29_firmware: i29 v1.0 V1.0.0.5 was discovered to contain a buffer overflow via the lanGw
Tenda i29 v1.0 V1.0.0.5 was discovered to contain a buffer overflow via the lanGw parameter in the lanCfgSet function. CVSSv3.1 9.8 (CRITICAL) · EPSS 54th percentile