2023-08-10
2023-08-10 07:15Z
HIGH

CVE-2023-4277 — Pragmaticmates Realia: The Realia plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-4277

The Realia plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.4.0. This is due to missing nonce validation on the 'process_change_profile_form' function. This makes it possible for unauthenticated attackers to change user email via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. CVSSv3.1 8.8 (HIGH) · EPSS 21th percentile

CWECWE 352VNDPragmaticmatesVNDRealiaTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2023-08-10
2023-08-10 07:15Z
HIGH

CVE-2023-4276 — Johnkolbert Absolute_privacy: The Absolute Privacy plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-4276

The Absolute Privacy plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.1. This is due to missing nonce validation on the 'abpr_profileShortcode' function. This makes it possible for unauthenticated attackers to change user email and password via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. CVSSv3.1 8.8 (HIGH) · EPSS 26th percentile

CWECWE 352VNDJohnkolbertVNDAbsoluteTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2023-08-09
2023-08-09 20:15Z
CRIT

CVE-2023-33468 — Kramerav Via_go2_firmware: VIA Connect (2) and VIA Go (2) devices with a version prior to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-33468

KramerAV VIA Connect (2) and VIA Go (2) devices with a version prior to 4.0.1.1326 exhibit a vulnerability that enables remote manipulation of the device. This vulnerability involves extracting the connection confirmation code remotely, bypassing the need to obtain it directly from the physical screen. CVSSv3.1 9.1 (CRITICAL) · EPSS 46th percentile

CWECWE 863VNDKrameravTYPVulnerability
9.1
CVSS v3.1
96
Edit Score
2023-08-09
2023-08-09 19:15Z
CRIT

CVE-2023-39004 — Opnsense Opnsense: Insecure permissions in the configuration directory (/conf/) of OPNsense Community Edition before 23.7 and

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-39004

Insecure permissions in the configuration directory (/conf/) of OPNsense Community Edition before 23.7 and Business Edition before 23.4.2 allow attackers to access sensitive information (e.g., hashed root password) which could lead to privilege escalation. CVSSv3.1 9.8 (CRITICAL) · EPSS 53th percentile

CWECWE 732VNDOpnsenseTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2023-08-09
2023-08-09 09:15Z
CRIT

CVE-2023-3632 — Kunduz Kunduz: Use of Hard-coded Cryptographic Key vulnerability in Sifir Bes Education and Informatics Kunduz -

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-3632

Use of Hard-coded Cryptographic Key vulnerability in Sifir Bes Education and Informatics Kunduz - Homework Helper App allows Authentication Abuse, Authentication Bypass. This issue affects Kunduz - Homework Helper App: before 6.2.3. CVSSv3.1 9.8 (CRITICAL) · EPSS 6th percentile

CWECWE 321VNDKunduzTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2023-08-09
2023-08-09 04:15Z
HIGH

CVE-2023-4243 — Full Full_-_customer: The FULL - Customer plugin for WordPress is vulnerable to Arbitrary File Upload via

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-4243

The FULL - Customer plugin for WordPress is vulnerable to Arbitrary File Upload via the /install-plugin REST route in versions up to, and including, 2.2.3 due to improper authorization. This allows authenticated attackers with subscriber-level permissions and above to execute code by installing plugins from arbitrary remote locations including non-repository sources onto the site, granted they are packaged as a valid WordPress plugin. CVSSv3.1 8.8 (HIGH) · EPSS 73th percentile

CWECWE 434CWECWE 285TYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2023-08-09
2023-08-09 03:15Z
HIGH

CVE-2023-4239 — Webcodingplace Real_estate_manager: The Real Estate Manager plugin for WordPress is vulnerable to privilege escalation in versions

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-4239

The Real Estate Manager plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 7.2 due to insufficient restriction on the 'rem_save_profile_front' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their user role by supplying the 'wp_capabilities' parameter during a profile update. CVSSv3.1 8.8 (HIGH) · EPSS 19th percentile

CWECWE 269VNDWebcodingplaceVNDRealTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
728 × 90 / responsive · programmatic ad slot
2023-08-08
2023-08-08 22:00Z
CRIT

Finding and Exploiting Citrix NetScaler Buffer Overflow (CVE-2023-3519) (Part 3)

Assetnote·blog.assetnote.ioCVE-2023-3519in the wild

Assetnote published part 3 of a technical writeup on exploiting CVE-2023-3519, a heap buffer overflow in Citrix NetScaler that enables remote code execution. The article provides exploitation methodology and practical techniques for triggering and leveraging the vulnerability in the wild.

TACTA0001SRFNetwork ApplianceVNDCitrixTYPWriteupTYPExploitSTGInitial AccessTECT1190EXPHeap Overflow
78
Edit Score
2023-08-08
2023-08-08 18:15Z
HIGH

CVE-2023-36897 — Microsoft 365_apps: Visual Studio Tools for Office Runtime Spoofing Vulnerability

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-36897

Visual Studio Tools for Office Runtime Spoofing Vulnerability CVSSv3.1 8.1 (HIGH) · EPSS 37th percentile

CWECWE 20VNDMicrosoftVNDVisualTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2023-08-08
2023-08-08 16:15Z
CRIT

CVE-2023-3522 — A2technology License_portal_system: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-3522

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in a2 License Portal System allows SQL Injection.This issue affects License Portal System: before 1.48. CVSSv3.1 9.8 (CRITICAL) · EPSS 24th percentile

CWECWE 89VNDA2technologyTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2023-08-08
2023-08-08 16:15Z
CRIT

CVE-2023-3386 — A2technology Camera_trap_tracking_system: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-3386

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in a2 Camera Trap Tracking System allows SQL Injection.This issue affects Camera Trap Tracking System: before 3.1905. CVSSv3.1 9.8 (CRITICAL) · EPSS 24th percentile

CWECWE 89VNDA2technologyTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2023-08-08
2023-08-08 15:15Z
CRIT

CVE-2023-3651 — Digital-ant Digital_ant: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-3651

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Digital Ant E-Commerce Software allows SQL Injection. This issue affects E-Commerce Software: before 11. CVSSv3.1 9.8 (CRITICAL) · EPSS 24th percentile

CWECWE 89VNDDigital AntTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2023-08-08
2023-08-08 12:15Z
CRIT

CVE-2023-3716 — Oduyo Online_collection: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-3716

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Oduyo Online Collection Software allows SQL Injection. This issue affects Online Collection Software: before 1.0.1. CVSSv3.1 9.8 (CRITICAL) · EPSS 24th percentile

CWECWE 89VNDOduyoTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2023-08-08
2023-08-08 11:15Z
CRIT

CVE-2023-3717 — Farmakom Remote_administration_console: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-3717

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Farmakom Remote Administration Console allows SQL Injection. This issue affects Remote Administration Console: before 1.02. CVSSv3.1 9.8 (CRITICAL) · EPSS 24th percentile

CWECWE 89VNDFarmakomTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2023-08-08
2023-08-08 09:15Z
CRIT

CVE-2023-3898 — Mayanets E-commerce: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-3898

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mAyaNet E-Commerce Software allows SQL Injection. This issue affects E-Commerce Software: before 1.1. CVSSv3.1 9.8 (CRITICAL) · EPSS 24th percentile

CWECWE 89VNDMayanetsTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2023-08-05
2023-08-05 03:15Z
CRIT

CVE-2023-36095 — Langchain Langchain: An issue in Harrison Chase langchain v.0.0.194 allows an attacker to execute arbitrary code

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-36095

An issue in Harrison Chase langchain v.0.0.194 allows an attacker to execute arbitrary code via the python exec calls in the PALChain, affected functions include from_math_prompt and from_colored_object_prompt. CVSSv3.1 9.8 (CRITICAL) · EPSS 65th percentile

CWECWE 94VNDLangchainVNDHarrisonTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2023-08-04
2023-08-04 03:15Z
HIGH

CVE-2023-4142 — Smackcoders Wp_ultimate_csv_importer: The WP Ultimate CSV Importer plugin for WordPress is vulnerable to Remote Code Execution

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-4142

The WP Ultimate CSV Importer plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 7.9.8 via the '->cus1' parameter. This allows authenticated attackers with author-level permissions or above, if the administrator previously grants access in the plugin settings, to execute code on the server. The author resolved this vulnerability by removing the ability for authors and editors to import files, please note that this means remote code ex CVSSv3.1 8.0 (HIGH) · EPSS 89th percentile

CWECWE 94VNDSmackcodersVNDUltimateTYPVulnerability
8.0
CVSS v3.1
91
Edit Score
2023-08-04
2023-08-04 03:15Z
HIGH

CVE-2023-4141 — Smackcoders Wp_ultimate_csv_importer: The WP Ultimate CSV Importer plugin for WordPress is vulnerable to Remote Code Execution

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-4141

The WP Ultimate CSV Importer plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 7.9.8 via the '->cus2' parameter. This allows authenticated attackers with author-level permissions or above, if the administrator previously grants access in the plugin settings, to create a PHP file and execute code on the server. The author resolved this vulnerability by removing the ability for authors and editors to import files, please note that thi CVSSv3.1 8.0 (HIGH) · EPSS 89th percentile

CWECWE 94VNDSmackcodersVNDUltimateTYPVulnerability
8.0
CVSS v3.1
91
Edit Score
2023-08-03
2023-08-03 23:15Z
CRIT

CVE-2023-38951 — Zkteco Biotime: 8.5.5 through 9.x before 9.0.1 (20240617.19506) allows authenticated attackers to create or

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-38951

ZKTeco BioTime 8.5.5 through 9.x before 9.0.1 (20240617.19506) allows authenticated attackers to create or overwrite arbitrary files on the server via crafted requests to /base/sftpsetting/ endpoints that abuse a path traversal issue in the Username field and a lack of input sanitization on the SSH Key field. Overwriting specific files may lead to arbitrary code execution as NT AUTHORITY\SYSTEM. CVSSv3.1 9.8 (CRITICAL) · EPSS 87th percentile

CWECWE 22VNDZktecoTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2023-08-03
2023-08-03 23:15Z
HIGH

CVE-2023-38950 — Zkteco Biotime: A path traversal vulnerability in the iclock API of ZKTeco BioTime v8.5.5 allows unauthenticated

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-38950in the wild

A path traversal vulnerability in the iclock API of ZKTeco BioTime v8.5.5 allows unauthenticated attackers to read arbitrary files via supplying a crafted payload. This vulnerability was fixed in version 9.0.120240617.19506 of ZKBioTime. CVSSv3.1 7.5 (HIGH) · EPSS 100th percentile

CWECWE 22VNDZktecoTYPVulnerabilitySTAitw exploited
7.5
CVSS v3.1
100
Edit Score
2023-08-03
2023-08-03 17:36Z
HIGH

Impacket 0.11.0

Impacket releases·github.comCVE-2020-17049

Impacket 0.11.0 released with significant enhancements to Kerberos handling, SMB protocol support, and example tools. Notable additions include MS-TSTS Terminal Services protocol implementation, SASL LDAP authentication, improved ntlmrelayx capabilities with DNS record registration via LDAP, and new utilities like changepasswd.py and DumpNTLMInfo.py for credential and host enumeration.

SRFNetworkTACTA0006SRFIdentityTACTA0008VNDImpacketTYPToolSTGDiscoverySTGCred Access
78
Edit Score
2023-08-03
2023-08-03 03:15Z
CRIT

CVE-2023-37679 — Nextgen Mirth_connect: A remote command execution (RCE) vulnerability in NextGen Mirth Connect v4.3.0 allows attackers to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-37679

A remote command execution (RCE) vulnerability in NextGen Mirth Connect v4.3.0 allows attackers to execute arbitrary commands on the hosting server. CVSSv3.1 9.8 (CRITICAL) · EPSS 100th percentile

CWECWE 77VNDRceVNDNextgenTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2023-08-03
2023-08-03 02:15Z
CRIT

CVE-2023-38954 — Zkteco Bioaccess_ivs: BioAccess IVS v3.3.1 was discovered to contain a SQL injection vulnerability.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-38954

ZKTeco BioAccess IVS v3.3.1 was discovered to contain a SQL injection vulnerability. CVSSv3.1 9.8 (CRITICAL) · EPSS 40th percentile

CWECWE 89VNDZktecoTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2023-08-03
2023-08-03 02:15Z
HIGH

CVE-2023-36255 — Eramba Eramba: An issue in Eramba Limited Eramba Enterprise and Community edition v.3.19.1 allows a remote

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-36255

An issue in Eramba Limited Eramba Enterprise and Community edition v.3.19.1 allows a remote attacker to execute arbitrary code via the path parameter in the URL. CVSSv3.1 8.8 (HIGH) · EPSS 99th percentile

CWECWE 94VNDErambaTYPVulnerability
8.8
CVSS v3.1
100
Edit Score
2023-08-03
2023-08-03 01:15Z
CRIT

CVE-2023-36082 — Gatesair Flexiva_fax_150w_firmware: An isssue in GatesAIr Flexiva FM Transmitter/Exiter Fax 150W allows a remote attacker to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-36082

An isssue in GatesAIr Flexiva FM Transmitter/Exiter Fax 150W allows a remote attacker to gain privileges via the LDAP and SMTP credentials. CVSSv3.1 9.8 (CRITICAL) · EPSS 57th percentile

CWECWE 522VNDGatesairTYPVulnerability
9.8
CVSS v3.1
99
Edit Score