2023-04-13
2023-04-13 14:15Z
CRIT

CVE-2023-27812 — Bloofox Bloofoxcms: v0.5.2 was discovered to contain an arbitrary file deletion vulnerability via the delete_file()

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-27812

bloofox v0.5.2 was discovered to contain an arbitrary file deletion vulnerability via the delete_file() function. CVSSv3.1 9.1 (CRITICAL) · EPSS 65th percentile

CWECWE 22VNDBloofoxTYPVulnerability
9.1
CVSS v3.1
96
Edit Score
2023-04-12
2023-04-12 19:33Z
INFO

Volatility 3 2.4.1

Volatility3 releases·github.com

Volatility 3 version 2.4.1 released with new Linux and Windows memory analysis plugins (sockstat, iomem, psscan, envars, drivermodule, vadwalk), improved Windows pstree filtering, and infrastructure improvements including Python 3.7+ requirement and replacement of python-snappy with ctypes.

SRFOsVNDVolatilityTYPTool
35
Edit Score
2023-04-12
2023-04-12 17:15Z
HIGH

CVE-2023-27216 — Dlink Dsl-3782_firmware: An issue found in D-Link DSL-3782 v.1.03 allows remote authenticated users to execute arbitrary

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-27216

An issue found in D-Link DSL-3782 v.1.03 allows remote authenticated users to execute arbitrary code as root via the network settings page. CVSSv3.1 8.8 (HIGH) · EPSS 90th percentile

CWECWE 78VNDDlinkVNDLinkTYPVulnerability
8.8
CVSS v3.1
95
Edit Score
2023-04-05
2023-04-05 19:15Z
CRIT

CVE-2022-4939 — Wclovers Wcfm_membership: THe WCFM Membership plugin for WordPress is vulnerable to privilege escalation in versions up

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-4939

THe WCFM Membership plugin for WordPress is vulnerable to privilege escalation in versions up to, and including 2.10.0, due to a missing capability check on the wp_ajax_nopriv_wcfm_ajax_controller AJAX action that controls membership settings. This makes it possible for unauthenticated attackers to modify the membership registration form in a way that allows them to set the role for registration to that of any user including administrators. Once configured, the attacker can t CVSSv3.1 9.8 (CRITICAL) · EPSS 96th percentile

CWECWE 862VNDWcloversVNDTheTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2023-04-05
2023-04-05 18:15Z
HIGH

CVE-2022-4935 — Wclovers Wcfm_marketplace: The WCFM Marketplace plugin for WordPress is vulnerable to unauthorized modification and access of

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-4935

The WCFM Marketplace plugin for WordPress is vulnerable to unauthorized modification and access of data in versions up to, and including, 3.4.11 due to missing capability checks on various AJAX actions. This makes it possible for authenticated attackers, with minimal permissions such as subscribers, to perform a wide variety of actions such as modifying shipping method details, modifying products, deleting arbitrary posts, and privilege escalation (via the wp_ajax_wcfm_vendor CVSSv3.1 8.8 (HIGH) · EPSS 44th percentile

CWECWE 89CWECWE 862VNDWcloversVNDWcfmTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2023-04-04
2023-04-04 15:15Z
CRIT

CVE-2021-28235 — Etcd Etcd: Authentication vulnerability found in Etcd-io v.3.4.10 allows remote attackers to escalate privileges via the

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2021-28235

Authentication vulnerability found in Etcd-io v.3.4.10 allows remote attackers to escalate privileges via the debug function. CVSSv3.1 9.8 (CRITICAL) · EPSS 73th percentile

CWECWE 287VNDEtcdTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2023-04-04
2023-04-04 15:15Z
CRIT

CVE-2020-29312 — Zend Zend_framework: An issue found in Zend Framework v.3.1.3 and before allow a remote attacker to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2020-29312

An issue found in Zend Framework v.3.1.3 and before allow a remote attacker to execute arbitrary code via the unserialize function. Note: This has been disputed by third parties as incomplete and incorrect. The framework does not have a version that surpasses 2.x.x and was deprecated in early 2020. CVSSv3.1 9.8 (CRITICAL)

CWECWE 502VNDZendTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
728 × 90 / responsive · programmatic ad slot
2023-04-04
2023-04-04 09:15Z
CRIT

CVE-2023-1728 — Fernus Learning_management_systems: Unrestricted Upload of File with Dangerous Type vulnerability in Fernus Informatics LMS allows OS

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-1728

Unrestricted Upload of File with Dangerous Type vulnerability in Fernus Informatics LMS allows OS Command Injection, Server Side Include (SSI) Injection.This issue affects LMS: before 23.04.03. CVSSv3.1 9.8 (CRITICAL) · EPSS 81th percentile

CWECWE 434VNDFernusTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2023-04-03
2023-04-03 14:15Z
CRIT

CVE-2023-1765 — Akbim Panon: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-1765

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Akbim Computer Panon allows SQL Injection.This issue affects Panon: before 1.0.2. CVSSv3.1 9.8 (CRITICAL) · EPSS 41th percentile

CWECWE 89VNDAkbimTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2023-03-31
2023-03-31 20:15Z
CRIT

CVE-2023-27162 — Openapi-generator Openapi_generator: up to v6.4.0 was discovered to contain a Server-Side Request Forgery (SSRF) via

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-27162

openapi-generator up to v6.4.0 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /api/gen/clients/{language}. This vulnerability allows attackers to access network resources and sensitive information via a crafted API request. CVSSv3.1 9.1 (CRITICAL) · EPSS 57th percentile

CWECWE 918VNDOpenapi GeneratorTYPVulnerability
9.1
CVSS v3.1
96
Edit Score
2023-03-31
2023-03-31 19:15Z
HIGH

CVE-2023-27159 — Appwrite Appwrite: up to v1.2.1 was discovered to contain a Server-Side Request Forgery (SSRF) via

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-27159

Appwrite up to v1.2.1 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /v1/avatars/favicon. This vulnerability allows attackers to access network resources and sensitive information via a crafted GET request. CVSSv3.1 7.5 (HIGH) · EPSS 98th percentile

CWECWE 918VNDAppwriteTYPVulnerability
7.5
CVSS v3.1
98
Edit Score
2023-03-30
2023-03-30 15:15Z
CRIT

CVE-2023-1725 — Infoline-tr Project_management_system: Server-Side Request Forgery (SSRF) vulnerability in Infoline Project Management System allows Server Side Request

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-1725

Server-Side Request Forgery (SSRF) vulnerability in Infoline Project Management System allows Server Side Request Forgery.This issue affects Project Management System: before 4.09.31.125. CVSSv3.1 9.8 (CRITICAL) · EPSS 57th percentile

CWECWE 918VNDInfoline TrTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2023-03-29
2023-03-29 11:15Z
HIGH

CVE-2023-1509 — Gmace_project Gmace: The GMAce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-1509

The GMAce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5.2. This is due to missing nonce validation on the gmace_manager_server function called via the wp_ajax_gmace_manager AJAX action. This makes it possible for unauthenticated attackers to modify arbitrary files and achieve remote code execution via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. CVSSv3.1 8.8 (HIGH) · EPSS 47th percentile

CWECWE 352VNDGmace ProjectVNDGmaceTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2023-03-27
2023-03-27 21:15Z
CRIT

CVE-2023-25261 — Stimulsoft Designer: Certain Stimulsoft GmbH products are affected by: Remote Code Execution.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-25261

Certain Stimulsoft GmbH products are affected by: Remote Code Execution. This affects Stimulsoft Designer (Desktop) 2023.1.4 and Stimulsoft Designer (Web) 2023.1.3 and Stimulsoft Viewer (Web) 2023.1.3. Access to the local file system is not prohibited in any way. Therefore, an attacker may include source code which reads or writes local directories and files. It is also possible for the attacker to prepare a report which has a variable that holds the gathered data and render CVSSv3.1 9.8 (CRITICAL) · EPSS 82th percentile

CWECWE 94VNDCertainVNDStimulsoftTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2023-03-24
2023-03-24 23:15Z
CRIT

CVE-2022-45597 — Componentspace Saml: ComponentSpace.Saml2 4.4.0 Missing SSL Certificate Validation.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-45597

ComponentSpace.Saml2 4.4.0 Missing SSL Certificate Validation. NOTE: the vendor does not consider this a vulnerability because the report is only about use of certificates at the application layer (not the transport layer) and "Certificates are exchanged in a controlled fashion between entities within a trust relationship. This is why self-signed certificates may be used and why validating certificates isn’t as important as doing so for the transport layer certificates." CVSSv3.1 9.8 (CRITICAL) · EPSS 49th percentile

CWECWE 295VNDComponentspaceTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2023-03-23
2023-03-23 07:15Z
CRIT

CVE-2023-1050 — Askoc Web_report_system: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-1050

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in As Koc Energy Web Report System allows SQL Injection. This issue affects Web Report System: before 23.03.10. CVSSv3.1 9.8 (CRITICAL) · EPSS 55th percentile

CWECWE 89VNDAskocTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2023-03-21
2023-03-21 12:15Z
CRIT

CVE-2023-1153 — Pacsrapor Pacsrapor: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-1153

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Pacsrapor allows SQL Injection, Command Line Execution through SQL Injection. This issue affects Pacsrapor: before 1.22. CVSSv3.1 9.8 (CRITICAL) · EPSS 65th percentile

CWECWE 89VNDPacsraporTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2023-03-21
2023-03-21 09:15Z
HIGH

CVE-2023-1462 — Vadi Digikent: Authorization Bypass Through User-Controlled Key vulnerability in Vadi Corporate Information Systems DigiKent allows Authentication

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-1462

Authorization Bypass Through User-Controlled Key vulnerability in Vadi Corporate Information Systems DigiKent allows Authentication Bypass, Authentication Abuse. This issue affects DigiKent: before 23.03.20. CVSSv3.1 8.8 (HIGH) · EPSS 55th percentile

CWECWE 639VNDVadiTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2023-03-17
2023-03-17 14:15Z
HIGH

CVE-2023-1471 — Wp_popup_banners_project Wp_popup_banners: The WP Popup Banners plugin for WordPress is vulnerable to SQL Injection via the

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-1471

The WP Popup Banners plugin for WordPress is vulnerable to SQL Injection via the 'banner_id' parameter in versions up to, and including, 1.2.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with minimal permissions, such as a subscriber, to append additional SQL queries into already existing queries that can be used to extract sensitive information fr CVSSv3.1 8.8 (HIGH) · EPSS 49th percentile

CWECWE 89VNDWp Popup Banners ProjectTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2023-03-17
2023-03-17 09:15Z
CRIT

CVE-2023-1152 — Utarit Persolus: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-1152

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Utarit Information Technologies Persolus allows SQL Injection. This issue affects Persolus: before 2.03.93. CVSSv3.1 9.8 (CRITICAL) · EPSS 55th percentile

CWECWE 89VNDUtaritTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2023-03-17
2023-03-17 04:15Z
CRIT

CVE-2023-28531 — Openbsd Openssh: ssh-add in OpenSSH before 9.3 adds smartcard keys to ssh-agent without the intended per-hop

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-28531

ssh-add in OpenSSH before 9.3 adds smartcard keys to ssh-agent without the intended per-hop destination constraints. The earliest affected version is 8.9. CVSSv3.1 9.8 (CRITICAL) · EPSS 60th percentile

VNDOpensshVNDNetappTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2023-03-10
2023-03-10 22:15Z
HIGH

CVE-2023-23328 — Avantfax Avantfax: An authenticated user can bypass PHP file type validation in FileUpload.php by uploading a

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-23328

A File Upload vulnerability exists in AvantFAX 3.3.7. An authenticated user can bypass PHP file type validation in FileUpload.php by uploading a specially crafted PHP file. CVSSv3.1 8.8 (HIGH) · EPSS 61th percentile

CWECWE 434VNDAvantfaxTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2023-03-10
2023-03-10 21:15Z
CRIT

CVE-2023-1198 — Saysis Starcities: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-1198

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Saysis Starcities allows SQL Injection. This issue affects Starcities: through 1.3. CVSSv3.1 9.8 (CRITICAL) · EPSS 55th percentile

CWECWE 89VNDSaysisTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2023-03-10
2023-03-10 08:15Z
CRIT

CVE-2023-1091 — Alpatateknoloji Licensed_warehousing_automation_system: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-1091

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Alpata Licensed Warehousing Automation System allows Command Line Execution through SQL Injection. This issue affects Licensed Warehousing Automation System: through 2023.1.01. CVSSv3.1 9.8 (CRITICAL) · EPSS 58th percentile

CWECWE 89VNDAlpatateknolojiTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2023-03-09
2023-03-09 08:15Z
CRIT

CVE-2023-1251 — Akinsoft Wolvox: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-1251

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Akinsoft Wolvox. This issue affects Wolvox: before 8.02.03. CVSSv3.1 9.8 (CRITICAL) · EPSS 48th percentile

CWECWE 89VNDAkinsoftTYPVulnerability
9.8
CVSS v3.1
99
Edit Score