Subscribe, build a custom feed, or pitch a sponsorship at hello@acadenix.com
Latest intel// live feed
CVE-2023-4673 — Sanalogi Turasistan: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Sanalogy Turasistan allows SQL Injection. This issue affects Turasistan: before 20230911 . CVSSv3.1 9.8 (CRITICAL) · EPSS 34th percentile
CVE-2023-4972 — Yepas Digital_yepas: Incorrect Use of Privileged APIs vulnerability in Yepas Digital Yepas allows Collect Data as
Incorrect Use of Privileged APIs vulnerability in Yepas Digital Yepas allows Collect Data as Provided by Users. This issue affects Digital Yepas: before 1.0.1. CVSSv3.1 9.8 (CRITICAL) · EPSS 43th percentile
CVE-2023-4702 — Yepas Digital_yepas: Authentication Bypass Using an Alternate Path or Channel vulnerability in Yepas Digital Yepas allows
Authentication Bypass Using an Alternate Path or Channel vulnerability in Yepas Digital Yepas allows Authentication Bypass. This issue affects Digital Yepas: before 1.0.1. CVSSv3.1 9.8 (CRITICAL) · EPSS 18th percentile
CVE-2023-4766 — Movus Movus: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Movus allows SQL Injection. This issue affects Movus: before 20230913. CVSSv3.1 9.8 (CRITICAL) · EPSS 35th percentile
CVE-2023-4669 — Exagate Sysguard_3001_firmware: Authentication Bypass by Assumed-Immutable Data vulnerability in Exagate SYSGuard 3001 allows Authentication Bypass.
Authentication Bypass by Assumed-Immutable Data vulnerability in Exagate SYSGuard 3001 allows Authentication Bypass. This issue affects SYSGuard 3001: before 3.2.20.0. CVSSv3.1 9.8 (CRITICAL) · EPSS 23th percentile
CVE-2023-4832 — Acekaholding Company_management: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aceka Company Management allows SQL Injection. This issue affects Company Management: before 3072 . CVSSv3.1 9.8 (CRITICAL) · EPSS 35th percentile
CVE-2023-4916 — Idehweb Login_with_phone_number: The Login with phone number plugin for WordPress is vulnerable to Cross-Site Request Forgery
The Login with phone number plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5.6. This is due to missing nonce validation on the 'lwp_update_password_action' function. This makes it possible for unauthenticated attackers to change user password via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. CVSSv3.1 8.8 (HIGH) · EPSS 34th percentile
CVE-2023-4213 — Mikevanwinkle Simplr_registration_form_plus\+: The Simplr Registration Form Plus+ plugin for WordPress is vulnerable to Insecure Direct Object
The Simplr Registration Form Plus+ plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 2.4.5. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for authenticated attackers with subscriber-level permissions or above to change user passwords and potentially take over administrator accounts. CVSSv3.1 8.8 (HIGH) · EPSS 18th percentile
CVE-2023-4153 — Webmedia Ban_users: The BAN Users plugin for WordPress is vulnerable to privilege escalation in versions up
The BAN Users plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.5.3 due to a missing capability check on the 'w3dev_save_ban_user_settings_callback' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify the plugin settings to access the ban and unban functionality and set the role of the unbanned user. CVSSv3.1 8.8 (HIGH) · EPSS 29th percentile
CVE-2023-39637 — Dlink Dir-816_firmware: D-Link DIR-816 A2 1.10 B05 was discovered to contain a command injection vulnerability via
D-Link DIR-816 A2 1.10 B05 was discovered to contain a command injection vulnerability via the component /goform/Diagnosis. CVSSv3.1 9.8 (CRITICAL) · EPSS 80th percentile
CVE-2021-27715 — Mofinetwork Mofi4500-4gxelte-v2_firmware: An issue was discovered in MoFi Network MOFI4500-4GXeLTE-V2 3.5.6-xnet-5052 allows attackers to bypass the
An issue was discovered in MoFi Network MOFI4500-4GXeLTE-V2 3.5.6-xnet-5052 allows attackers to bypass the authentication and execute arbitrary code via crafted HTTP request. CVSSv3.1 9.8 (CRITICAL) · EPSS 60th percentile
CVE-2023-4634 — Davidlingren Media_library_assistant: The Media Library Assistant plugin for WordPress is vulnerable to Local File Inclusion and
The Media Library Assistant plugin for WordPress is vulnerable to Local File Inclusion and Remote Code Execution in versions up to, and including, 3.09. This is due to insufficient controls on file paths being supplied to the 'mla_stream_file' parameter from the ~/includes/mla-stream-image.php file, where images are processed via Imagick(). This makes it possible for unauthenticated attackers to supply files via FTP that will make directory lists, local file inclusion, and re CVSSv3.1 9.8 (CRITICAL) · EPSS 100th percentile
CVE-2023-41009 — Adlered Bolo-solo: File Upload vulnerability in adlered bolo-solo v.2.6 allows a remote attacker to execute arbitrary
File Upload vulnerability in adlered bolo-solo v.2.6 allows a remote attacker to execute arbitrary code via a crafted script to the authorization field in the header. CVSSv3.1 9.8 (CRITICAL) · EPSS 74th percentile
CVE-2023-4531 — Mestav E-commerce_software: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mestav Software E-commerce Software allows SQL Injection. This issue affects E-commerce Software: before 20230901 . CVSSv3.1 9.8 (CRITICAL) · EPSS 19th percentile
CVE-2023-4178 — Neutron Smart_vms: Authentication Bypass by Spoofing vulnerability in Neutron Neutron Smart VMS allows Authentication Bypass.
Authentication Bypass by Spoofing vulnerability in Neutron Neutron Smart VMS allows Authentication Bypass. This issue affects Neutron Smart VMS: before b1130.1.0.1. CVSSv3.1 9.8 (CRITICAL) · EPSS 5th percentile
CVE-2023-4034 — Digitatek Smartrise_document_management_system: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Digita Information Technology Smartrise Document Management System allows SQL Injection. This issue affects Smartrise Document Management System: before Hvl-2.0. CVSSv3.1 9.8 (CRITICAL) · EPSS 23th percentile
CVE-2023-3616 — Mava Hotel_management_system: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mava Software Hotel Management System allows SQL Injection.This issue affects Hotel Management System: before 2.0. CVSSv3.1 9.8 (CRITICAL) · EPSS 19th percentile
CVE-2023-35072 — Coyavtravel Proagent: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Coyav Travel Proagent allows SQL Injection.This issue affects Proagent: before 20230904 . CVSSv3.1 9.8 (CRITICAL) · EPSS 23th percentile
CVE-2023-35068 — Bma Personnel_tracking_system: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in BMA Personnel Tracking System allows SQL Injection.This issue affects Personnel Tracking System: before 20230904. CVSSv3.1 9.8 (CRITICAL) · EPSS 19th percentile
CVE-2023-35065 — Osoft Dyeing_-_printing_-_finishing_production_management: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Osoft Paint Production Management allows SQL Injection.This issue affects Paint Production Management: before 2.1. CVSSv3.1 9.8 (CRITICAL) · EPSS 19th percentile
CVE-2023-3374 — Bookreen Bookreen: Incomplete List of Disallowed Inputs vulnerability in Unisign Bookreen allows Privilege Escalation.This issue affects
Incomplete List of Disallowed Inputs vulnerability in Unisign Bookreen allows Privilege Escalation.This issue affects Bookreen: before 3.0.0. CVSSv3.1 9.8 (CRITICAL) · EPSS 27th percentile
CVE-2023-36361 — Web-audimex Audimexee: v14.1.7 was discovered to contain a SQL injection vulnerability via the p_table_name parameter.
Audimexee v14.1.7 was discovered to contain a SQL injection vulnerability via the p_table_name parameter. CVSSv3.1 9.8 (CRITICAL) · EPSS 49th percentile
CVE-2023-3677 — Rednao Woocommerce_pdf_invoice_builder: The WooCommerce PDF Invoice Builder plugin for WordPress is vulnerable to SQL Injection via
The WooCommerce PDF Invoice Builder plugin for WordPress is vulnerable to SQL Injection via the pageId parameter in versions up to, and including, 1.2.89 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for subscribers or higher to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. CVSSv3.1 8.8 (HIGH) · EPSS 60th percentile
CVE-2023-3636 — Wedevs Wp_project_manager: The WP Project Manager plugin for WordPress is vulnerable to privilege escalation in versions
The WP Project Manager plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 2.6.4 due to insufficient restriction on the 'save_users_map_name' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their user role by supplying the 'usernames' parameter. CVSSv3.1 8.8 (HIGH) · EPSS 24th percentile
CVE-2023-3162 — Webtoffee Stripe_payment_plugin_for_woocommerce: The Stripe Payment Plugin for WooCommerce plugin for WordPress is vulnerable to authentication bypass
The Stripe Payment Plugin for WooCommerce plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.7.7. This is due to insufficient verification on the user being supplied during a Stripe checkout through the plugin. This allows unauthenticated attackers to log in as users who have orders, who are typically customers. CVSSv3.1 9.8 (CRITICAL) · EPSS 51th percentile