Subscribe, build a custom feed, or pitch a sponsorship at hello@acadenix.com
Latest intel// live feed
CVE-2023-2851 — Agtteknik Ceppatron: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AGT Tech Ceppatron allows Command Line Execution through SQL Injection, SQL Injection.This issue affects all versions of the sofware also EOS when CVE-ID assigned. CVSSv3.1 9.8 (CRITICAL) · EPSS 28th percentile
CVE-2023-2887 — Cbot Cbot_core: Authentication Bypass by Spoofing vulnerability in CBOT Chatbot allows Authentication Bypass.This issue affects Chatbot
Authentication Bypass by Spoofing vulnerability in CBOT Chatbot allows Authentication Bypass.This issue affects Chatbot: before Core: v4.0.3.4 Panel: v4.0.3.7. CVSSv3.1 9.8 (CRITICAL) · EPSS 7th percentile
CVE-2023-2885 — Cbot Cbot_core: Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability in CBOT
Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability in CBOT Chatbot allows Adversary in the Middle (AiTM).This issue affects Chatbot: before Core: v4.0.3.4 Panel: v4.0.3.7. CVSSv3.1 8.1 (HIGH) · EPSS 27th percentile
CVE-2023-2884 — Cbot Cbot_core: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG), Use of Insufficiently Random Values vulnerability
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG), Use of Insufficiently Random Values vulnerability in CBOT Chatbot allows Signature Spoofing by Key Recreation.This issue affects Chatbot: before Core: v4.0.3.4 Panel: v4.0.3.7. CVSSv3.1 9.8 (CRITICAL) · EPSS 32th percentile
CVE-2023-2883 — Cbot Cbot_core: Authorization Bypass Through User-Controlled Key vulnerability in CBOT Chatbot allows Authentication Abuse, Authentication Bypass.This
Authorization Bypass Through User-Controlled Key vulnerability in CBOT Chatbot allows Authentication Abuse, Authentication Bypass.This issue affects Chatbot: before Core: v4.0.3.4 Panel: v4.0.3.7. CVSSv3.1 8.8 (HIGH) · EPSS 6th percentile
CVE-2023-2882 — Cbot Cbot_core: Generation of Incorrect Security Tokens vulnerability in CBOT Chatbot allows Token Impersonation, Privilege Abuse.This
Generation of Incorrect Security Tokens vulnerability in CBOT Chatbot allows Token Impersonation, Privilege Abuse.This issue affects Chatbot: before Core: v4.0.3.4 Panel: v4.0.3.7. CVSSv3.1 9.8 (CRITICAL) · EPSS 29th percentile
CVE-2023-2734 — Inspireui Mstore_api: The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up
The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.1. This is due to insufficient verification on the user being supplied during the cart sync from mobile REST API request through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id. CVSSv3.1 9.8 (CRITICAL) · EPSS 98th percentile
CVE-2023-2733 — Inspireui Mstore_api: The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up
The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.0. This is due to insufficient verification on the user being supplied during the coupon redemption REST API request through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id. CVSSv3.1 9.8 (CRITICAL) · EPSS 58th percentile
CVE-2023-2732 — Inspireui Mstore_api: The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up
The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.2. This is due to insufficient verification on the user being supplied during the add listing REST API request through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id. CVSSv3.1 9.8 (CRITICAL) · EPSS 100th percentile
CVE-2023-2500 — Granthweb Go_pricing: The Go Pricing - WordPress Responsive Pricing Tables plugin for WordPress is vulnerable to
The Go Pricing - WordPress Responsive Pricing Tables plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 3.3.19 via deserialization of untrusted input from the 'go_pricing' shortcode 'data' parameter. This allows authenticated attackers, with subscriber-level permissions and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the targe CVSSv3.1 8.8 (HIGH) · EPSS 71th percentile
CVE-2023-2064 — Minovateknoloji Etrace: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Minova Technology eTrace allows SQL Injection.This issue affects eTrace: before 23.05.20. CVSSv3.1 9.8 (CRITICAL) · EPSS 24th percentile
CVE-2023-2045 — Ipekyolunet Software_auto_damage_tracking_software: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ipekyolu Software Auto Damage Tracking Software allows SQL Injection.This issue affects Auto Damage Tracking Software: before 4. CVSSv3.1 9.8 (CRITICAL) · EPSS 24th percentile
CVE-2023-2065 — Armoli Cargo_tracking_system: Authorization Bypass Through User-Controlled Key vulnerability in Armoli Technology Cargo Tracking System allows Authentication
Authorization Bypass Through User-Controlled Key vulnerability in Armoli Technology Cargo Tracking System allows Authentication Abuse, Authentication Bypass.This issue affects Cargo Tracking System: before 3558f28 . CVSSv3.1 8.8 (HIGH) · EPSS 6th percentile
CVE-2023-2750 — Cityboss E-municipality: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cityboss E-municipality allows SQL Injection.This issue affects E-municipality: before 6.05. CVSSv3.1 9.8 (CRITICAL) · EPSS 24th percentile
CVE-2023-1508 — Adampos Mobilmen_el_terminali_yazilimi: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Adam Retail Automation Systems Mobilmen Terminal Software allows SQL Injection. This issue affects Mobilmen Terminal Software: before 3. CVSSv3.1 9.8 (CRITICAL) · EPSS 24th percentile
CVE-2023-2702 — Finexmedia Competition_management_system: Authorization Bypass Through User-Controlled Key vulnerability in Finex Media Competition Management System allows Authentication
Authorization Bypass Through User-Controlled Key vulnerability in Finex Media Competition Management System allows Authentication Abuse, Authentication Bypass.This issue affects Competition Management System: before 23.07. CVSSv3.1 8.8 (HIGH) · EPSS 6th percentile
CVE-2023-31742 — Linksys Wrt54gl_firmware: There is a command injection vulnerability in the Linksys WRT54GL router with firmware version
There is a command injection vulnerability in the Linksys WRT54GL router with firmware version 4.30.18.006. If an attacker gains web management privileges, they can inject commands into the post request parameters wl_ant, wl_rate, WL_atten_ctl, ttcp_num, ttcp_size in the httpd s Start_EPI() function, thereby gaining shell privileges. CVSSv3.1 7.2 (HIGH) · EPSS 95th percentile
CVE-2023-2713 — Rental_module_project Rental_module: Authorization Bypass Through User-Controlled Key vulnerability in "Rental Module" developed by third-party for Ideasoft's
Authorization Bypass Through User-Controlled Key vulnerability in "Rental Module" developed by third-party for Ideasoft's E-commerce Platform allows Authentication Abuse, Authentication Bypass.This issue affects Rental Module: before 23.05.15. CVSSv3.1 9.8 (CRITICAL) · EPSS 7th percentile
CVE-2023-2712 — Rental_module_project Rental_module: Unrestricted Upload of File with Dangerous Type vulnerability in "Rental Module" developed by third-party
Unrestricted Upload of File with Dangerous Type vulnerability in "Rental Module" developed by third-party for Ideasoft's E-commerce Platform allows Command Injection, Using Malicious Files, Upload a Web Shell to a Web Server.This issue affects Rental Module: before 23.05.15. CVSSv3.1 9.8 (CRITICAL) · EPSS 48th percentile
CVE-2023-2276 — Wclovers Wcfm_membership: The WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable
The WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 2.10.7. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts. CVSSv3.1 9.8 (CRITICAL) · EPSS 41th percentile
CVE-2023-2704 — Vibethemes Bp_social_connect: The BP Social Connect plugin for WordPress is vulnerable to authentication bypass in versions
The BP Social Connect plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.5. This is due to insufficient verification on the user being supplied during a Facebook login through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email. CVSSv3.1 9.8 (CRITICAL) · EPSS 55th percentile
CVE-2023-31729 — Totolink A3300r_firmware: A3300R v17.0.0cu.557 is vulnerable to Command Injection via /cgi-bin/cstecgi.cgi.
TOTOLINK A3300R v17.0.0cu.557 is vulnerable to Command Injection via /cgi-bin/cstecgi.cgi. CVSSv3.1 9.8 (CRITICAL) · EPSS 75th percentile
CVE-2023-2745 — Wordpress Wordpress: Core is vulnerable to Directory Traversal in versions up to, and including, 6.2
WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the ‘wp_lang’ parameter. This allows unauthenticated attackers to access and load arbitrary translation files. In cases where an attacker is able to upload a crafted translation file onto the site, such as via an upload form, this could be also used to perform a Cross-Site Scripting attack. CVSSv3.1 5.4 (MEDIUM) · EPSS 99th percentile
CVE-2023-2706 — Xootix Otp_login_woocommerce_\&_gravity_forms: The OTP Login Woocommerce & Gravity Forms plugin for WordPress is vulnerable to authentication
The OTP Login Woocommerce & Gravity Forms plugin for WordPress is vulnerable to authentication bypass. This is due to the fact that when generating OTP codes for users to use in order to login via phone number, the plugin returns these codes in an AJAX response. This makes it possible for unauthenticated attackers to obtain login codes for administrators. This does require an attacker have access to the phone number configured for an account, which can be obtained via social CVSSv3.1 8.1 (HIGH) · EPSS 82th percentile
CVE-2023-2499 — Metagauss Registrationmagic: The RegistrationMagic plugin for WordPress is vulnerable to authentication bypass in versions up to
The RegistrationMagic plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.2.1.0. This is due to insufficient verification on the user being supplied during a Google social login through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email. CVSSv3.1 9.8 (CRITICAL) · EPSS 71th percentile