2023-07-27
2023-07-27 07:15Z
CRIT

CVE-2023-3956 — Instawp Instawp_connect: The InstaWP Connect plugin for WordPress is vulnerable to unauthorized access of data, modification

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-3956

The InstaWP Connect plugin for WordPress is vulnerable to unauthorized access of data, modification of data and loss of data due to a missing capability check on the 'events_receiver' function in versions up to, and including, 0.0.9.18. This makes it possible for unauthenticated attackers to add, modify or delete post and taxonomy, install, activate or deactivate plugin, change customizer settings, add or modify or delete user including administrator user. CVSSv3.1 9.8 (CRITICAL) · EPSS 75th percentile

CWECWE 862VNDInstawpTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2023-07-25
2023-07-25 07:15Z
CRIT

CVE-2023-35066 — Infodrom E-invoice_approval_system: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-35066

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Infodrom Software E-Invoice Approval System allows SQL Injection.This issue affects E-Invoice Approval System: before v.20230701. CVSSv3.1 9.8 (CRITICAL) · EPSS 24th percentile

CWECWE 89VNDInfodromTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2023-07-25
2023-07-25 06:15Z
CRIT

CVE-2023-3046 — Biltay Scienta: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-3046

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Biltay Technology Scienta allows SQL Injection.This issue affects Scienta: before 20230630.1953. CVSSv3.1 9.8 (CRITICAL) · EPSS 24th percentile

CWECWE 89VNDBiltayTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2023-07-24
2023-07-24 09:15Z
CRIT

Analysis of CVE-2023-3519 in Citrix ADC and NetScaler Gateway (Part 2)

Assetnote·blog.assetnote.ioCVE-2023-3519in the wild

Assetnote published part 2 of their technical analysis of CVE-2023-3519, a critical RCE vulnerability affecting Citrix ADC and NetScaler Gateway. The vulnerability has been exploited in the wild and represents a significant attack surface for organizations running these appliances.

TACTA0001SRFNetwork ApplianceVNDCitrixTYPResearchTYPWriteupSTGInitial AccessEXPRceSTAitw exploited
78
Edit Score
2023-07-22
2023-07-22 03:59Z
CRIT

Chaining our way to Pre-Auth RCE in Metabase (CVE-2023-38646)

Assetnote·blog.assetnote.ioCVE-2023-38646

Assetnote published a detailed writeup of CVE-2023-38646, a pre-authentication RCE vulnerability in Metabase achieved through vulnerability chaining. The exploit allows unauthenticated remote code execution on affected Metabase instances.

SRFApplicationTACTA0001VNDMetabaseTYPWriteupTYPVulnerabilitySTGInitial AccessTECT1190EXPRce
82
Edit Score
2023-07-21
2023-07-21 14:00Z
CRIT

Advisory: Metabase Pre-Auth RCE (CVE-2023-38646)

Assetnote·blog.assetnote.ioCVE-2023-38646

Assetnote disclosed CVE-2023-38646, a pre-authentication remote code execution vulnerability in Metabase. The vulnerability allows unauthenticated attackers to execute arbitrary code on affected instances without requiring valid credentials.

SRFApplicationTACTA0001SRFWebVNDMetabaseTYPVulnerabilityTYPAdvisorySTGInitial AccessTECT1190
82
Edit Score
2023-07-18
2023-07-18 03:15Z
HIGH

CVE-2023-3713 — Metagauss Profilegrid: The ProfileGrid plugin for WordPress is vulnerable to unauthorized modification of data due to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-3713

The ProfileGrid plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'profile_magic_check_smtp_connection' function in versions up to, and including, 5.5.1. This makes it possible for authenticated attackers, with subscriber-level permissions or above to update the site options arbitrarily. This can be used by attackers to achieve privilege escalation. CVSSv3.1 8.8 (HIGH) · EPSS 28th percentile

CWECWE 862VNDMetagaussVNDProfilegridTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
728 × 90 / responsive · programmatic ad slot
2023-07-17
2023-07-17 15:15Z
CRIT

CVE-2023-2958 — Orjinyazilim Ats_pro: Authorization Bypass Through User-Controlled Key vulnerability in Origin Software ATS Pro allows Authentication Abuse

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-2958

Authorization Bypass Through User-Controlled Key vulnerability in Origin Software ATS Pro allows Authentication Abuse, Authentication Bypass.This issue affects ATS Pro: before 20230714. CVSSv3.1 9.8 (CRITICAL) · EPSS 6th percentile

CWECWE 639VNDOrjinyazilimTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2023-07-17
2023-07-17 14:15Z
CRIT

CVE-2023-3376 — Dijital Zekiweb: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-3376

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Digital Strategy Zekiweb allows SQL Injection.This issue affects Zekiweb: before 2. CVSSv3.1 9.8 (CRITICAL) · EPSS 29th percentile

CWECWE 89VNDDijitalTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2023-07-17
2023-07-17 14:15Z
CRIT

CVE-2023-2963 — Olivaekspertiz Oliva_ekspertiz: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-2963

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Oliva Expertise Oliva Expertise EKS allows SQL Injection.This issue affects Oliva Expertise EKS: before 1.2. CVSSv3.1 9.8 (CRITICAL) · EPSS 29th percentile

CWECWE 89VNDOlivaekspertizTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2023-07-13
2023-07-13 14:15Z
CRIT

CVE-2023-35070 — Vegagroup Web_collection: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-35070

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in VegaGroup Web Collection allows SQL Injection.This issue affects Web Collection: before 31197. CVSSv3.1 9.8 (CRITICAL) · EPSS 24th percentile

CWECWE 89VNDVegagroupTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2023-07-13
2023-07-13 08:15Z
CRIT

CVE-2023-2957 — Lisayazilim Florist_site: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-2957

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Lisa Software Florist Site allows SQL Injection.This issue affects Florist Site: before 3.0. CVSSv3.1 9.8 (CRITICAL) · EPSS 24th percentile

CWECWE 89VNDLisayazilimTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2023-07-13
2023-07-13 08:15Z
CRIT

CVE-2023-1547 — Elra Parkmatik: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-1547

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Elra Parkmatik allows SQL Injection through SOAP Parameter Tampering, Command Line Execution through SQL Injection. This issue affects Parkmatik: before 02.01-a51. CVSSv3.1 9.8 (CRITICAL) · EPSS 28th percentile

CWECWE 89VNDElraTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2023-07-13
2023-07-13 03:15Z
HIGH

CVE-2023-3343 — Wpeverest User_registration: The User Registration plugin for WordPress is vulnerable to PHP Object Injection in versions

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-3343

The User Registration plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 3.0.1 via deserialization of untrusted input from the 'profile-pic-url' parameter. This allows authenticated attackers, with subscriber-level permissions and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to del CVSSv3.1 8.8 (HIGH) · EPSS 71th percentile

CWECWE 502VNDWpeverestTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2023-07-13
2023-07-13 03:15Z
CRIT

CVE-2023-3342 — Wpeverest User_registration: The User Registration plugin for WordPress is vulnerable to arbitrary file uploads due to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-3342

The User Registration plugin for WordPress is vulnerable to arbitrary file uploads due to a hardcoded encryption key and missing file type validation on the 'ur_upload_profile_pic' function in versions up to, and including, 3.0.2. This makes it possible for authenticated attackers with subscriber-level capabilities or above to upload arbitrary files on the affected site's server which may make remote code execution possible. This was partially patched in version 3.0.2 and ful CVSSv3.1 9.9 (CRITICAL) · EPSS 91th percentile

CWECWE 434VNDWpeverestTYPVulnerability
9.9
CVSS v3.1
100
Edit Score
2023-07-12
2023-07-12 13:15Z
CRIT

CVE-2023-33668 — Digiexam Digiexam: up to v14.0.2 lacks integrity checks for native modules, allowing attackers to access

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-33668

DigiExam up to v14.0.2 lacks integrity checks for native modules, allowing attackers to access PII and takeover accounts on shared computers. CVSSv3.1 9.8 (CRITICAL) · EPSS 34th percentile

CWECWE 354VNDDigiexamTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2023-07-12
2023-07-12 05:15Z
HIGH

CVE-2023-3105 — Learndash Learndash: The LearnDash LMS plugin for WordPress is vulnerable to Insecure Direct Object References in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-3105

The LearnDash LMS plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 4.6.0. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for attackers with with existing account access at any level, to change user passwords and potentially take over administrator accounts. CVSSv3.1 8.8 (HIGH) · EPSS 18th percentile

CWECWE 639VNDLearndashTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2023-07-11
2023-07-11 18:15Z
CRIT

CVE-2023-33150 — Microsoft 365_apps: Office Security Feature Bypass Vulnerability

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-33150

Microsoft Office Security Feature Bypass Vulnerability CVSSv3.1 9.6 (CRITICAL) · EPSS 42th percentile

CWECWE 693VNDMicrosoftTYPVulnerability
9.6
CVSS v3.1
98
Edit Score
2023-07-10
2023-07-10 16:15Z
HIGH

CVE-2023-3271 — Sick Icr890-4_firmware: Improper Access Control in the SICK ICR890-4 could allow an unauthenticated remote attacker to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-3271

Improper Access Control in the SICK ICR890-4 could allow an unauthenticated remote attacker to gather information about the system and download data via the REST API by accessing unauthenticated endpoints. CVSSv3.1 8.2 (HIGH) · EPSS 44th percentile

CWECWE 284VNDAccessVNDSickTYPVulnerability
8.2
CVSS v3.1
91
Edit Score
2023-07-10
2023-07-10 16:15Z
CRIT

CVE-2023-3045 — Tise Parking_web_report: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-3045

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Tise Technology Parking Web Report allows SQL Injection.This issue affects Parking Web Report: before 2.1. CVSSv3.1 9.8 (CRITICAL) · EPSS 24th percentile

CWECWE 89VNDTiseTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2023-07-10
2023-07-10 16:15Z
CRIT

CVE-2023-2852 — Softmedyazilim Selfpatron: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-2852

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Softmed SelfPatron allows SQL Injection.This issue affects SelfPatron : before 2.0. CVSSv3.1 9.8 (CRITICAL) · EPSS 24th percentile

CWECWE 89VNDSoftmedyazilimTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2023-07-10
2023-07-10 16:15Z
CRIT

CVE-2023-2046 — Yontemizleme Vehicle_tracking_system: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-2046

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Yontem Informatics Vehicle Tracking System allows SQL Injection.This issue affects Vehicle Tracking System: before 8. CVSSv3.1 9.8 (CRITICAL) · EPSS 24th percentile

CWECWE 89VNDYontemizlemeTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2023-07-05
2023-07-05 03:15Z
HIGH

CVE-2022-42175 — Soluslabs Solusvm: Insecure Direct Object Reference vulnerability in WHMCS module SolusVM 1 4.1.2 allows an attacker

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-42175

Insecure Direct Object Reference vulnerability in WHMCS module SolusVM 1 4.1.2 allows an attacker to change the password and hostname of other customer servers without authorization. CVSSv3.1 8.8 (HIGH) · EPSS 45th percentile

CWECWE 639VNDDirectVNDSoluslabsTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2023-07-01
2023-07-01 06:15Z
HIGH

CVE-2021-4401 — Analogwp Style_kits: The Style Kits plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2021-4401

The Style Kits plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.8.0. This is due to missing or incorrect nonce validation on the update_posts_stylekit() function. This makes it possible for unauthenticated attackers to update style kits for posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. CVSSv3.1 8.8 (HIGH) · EPSS 51th percentile

CWECWE 352VNDAnalogwpVNDStyleTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2023-06-30
2023-06-30 23:15Z
HIGH

CVE-2023-36144 — Intelbras Sg_2404_mr_firmware: An authentication bypass in Intelbras Switch SG 2404 MR in firmware 1.00.54 allows an

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-36144

An authentication bypass in Intelbras Switch SG 2404 MR in firmware 1.00.54 allows an unauthenticated attacker to download the backup file of the device, exposing critical information about the device configuration. CVSSv3.1 7.5 (HIGH) · EPSS 98th percentile

CWECWE 862VNDIntelbrasTYPVulnerability
7.5
CVSS v3.1
99
Edit Score