Subscribe, build a custom feed, or pitch a sponsorship at hello@acadenix.com
Latest intel// live feed
CVE-2023-1251 — Akinsoft Wolvox: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Akinsoft Wolvox. This issue affects Wolvox: before 8.02.03. CVSSv3.1 9.8 (CRITICAL) · EPSS 48th percentile
CVE-2023-1267 — Pttemkart Pttem_kart: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ulkem Company PtteM Kart. This issue affects PtteM Kart: before 2.1. CVSSv3.1 9.8 (CRITICAL) · EPSS 41th percentile
CVE-2023-1263 — Niteothemes Coming_soon_\&_maintenance: The CMP – Coming Soon & Maintenance plugin for WordPress is vulnerable to Information
The CMP – Coming Soon & Maintenance plugin for WordPress is vulnerable to Information Exposure in versions up to, and including, 4.1.6 via the cmp_get_post_detail function. This can allow unauthenticated individuals to obtain the contents of any non-password-protected, published post or page even when maintenance mode is enabled. CVSSv3.1 5.3 (MEDIUM) · EPSS 96th percentile
CVE-2021-4331 — Posimyth The_plus_addons_for_elementor: The Plus Addons for Elementor plugin for WordPress is vulnerable to privilege escalation in
The Plus Addons for Elementor plugin for WordPress is vulnerable to privilege escalation in versions up to, and including 4.1.9 (pro) and 2.0.6 (free). The plugin adds a registration form to the Elementor page builders functionality. As part of the registration form, users can choose which role to set as the default for users upon registration. This field is not hidden for lower-level users so any user with access to the Elementor page builder, such as contributors, can set t CVSSv3.1 8.8 (HIGH) · EPSS 53th percentile
CVE-2021-4330 — Envato Envato_elements: The Envato Elements & Download and Template Kit – Import plugins for WordPress are
The Envato Elements & Download and Template Kit – Import plugins for WordPress are vulnerable to arbitrary file uploads due to insufficient validation of file type upon extracting uploaded Zip files in the installFreeTemplateKit and uploadTemplateKitZipFile functions. This makes it possible for attackers with contributor-lever permissions and above to upload arbitrary files and potentially gain remote code execution in versions up to and including 1.0.13 of Template Kit – Imp CVSSv3.1 8.8 (HIGH) · EPSS 93th percentile
CVE-2020-36669 — Jetbackup Jetbackup: The JetBackup – WP Backup, Migrate & Restore plugin for WordPress is vulnerable to
The JetBackup – WP Backup, Migrate & Restore plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including 1.3.9. This is due to missing nonce validation on the backup_guard_get_import_backup() function. This makes it possible for unauthenticated attackers to upload arbitrary files to the vulnerable site's server via a forged request, granted they can trick a site's administrator into performing an action such as clicking on a link. CVSSv3.1 8.8 (HIGH) · EPSS 46th percentile
CVE-2022-3760 — Miateknoloji Mia-med: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mia Technology Mia-Med. This issue affects Mia-Med: before 1.0.0.58. CVSSv3.1 9.8 (CRITICAL) · EPSS 55th percentile
CVE-2023-0979 — Meddatapacs Meddatapacs: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in MedData MedDataPACS allows SQL Injection. This issue affects MedDataPACS : before 2023-03-03. CVSSv3.1 9.8 (CRITICAL) · EPSS 35th percentile
CVE-2023-0839 — Inscada_project Inscada: allows Account Footprinting.
Improper Protection for Outbound Error Messages and Alert Signals vulnerability in ProMIS Process Co. InSCADA allows Account Footprinting. This issue affects inSCADA: before 20230115-1. CVSSv3.1 9.8 (CRITICAL) · EPSS 58th percentile
CVE-2022-45553 — Zbt We1626_firmware: An issue discovered in Shenzhen Zhibotong Electronics WBT WE1626 Router v 21.06.18 allows attacker
An issue discovered in Shenzhen Zhibotong Electronics WBT WE1626 Router v 21.06.18 allows attacker to execute arbitrary commands via serial connection to the UART port. CVSSv3.1 9.8 (CRITICAL) · EPSS 71th percentile
CVE-2022-45551 — Zbt We1626_firmware: An issue discovered in Shenzhen Zhiboton Electronics ZBT WE1626 Router v 21.06.18 allows attackers
An issue discovered in Shenzhen Zhiboton Electronics ZBT WE1626 Router v 21.06.18 allows attackers to escalate privileges via WGET command to the Network Diagnosis endpoint. CVSSv3.1 9.8 (CRITICAL) · EPSS 98th percentile
CVE-2022-46501 — Accruent Maintenance_connection: LLC Maintenance Connection 2021 (all) & 2022.2 was discovered to contain a SQL
Accruent LLC Maintenance Connection 2021 (all) & 2022.2 was discovered to contain a SQL injection vulnerability via the E-Mail to Work Order function. CVSSv3.1 9.8 (CRITICAL) · EPSS 45th percentile
CVE-2023-0084 — Wpmet Metform_elementor_contact_form_builder: The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site
The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via text areas on forms in versions up to, and including, 3.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, which is the submissions page. CVSSv3.1 7.2 (HIGH) · EPSS 98th percentile
CVE-2021-3854 — Glox Useroam_hotspot: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Glox Technology Useroam Hotspot allows SQL Injection. This issue affects Useroam Hotspot: before 5.1.0.15. CVSSv3.1 9.8 (CRITICAL) · EPSS 55th percentile
CVE-2022-45608 — Thingsboard Thingsboard: An issue was discovered in ThingsBoard 3.4.1, allows low privileged attackers (CUSTOMER_USER) to gain
An issue was discovered in ThingsBoard 3.4.1, allows low privileged attackers (CUSTOMER_USER) to gain escalated privileges (vertically) and become an Administrator (TENANT_ADMIN) or (SYS_ADMIN) on the web application. It is important to note that in order to accomplish this, the attacker must know the corresponding API's parameter (authority : value). CVSSv3.1 8.8 (HIGH) · EPSS 55th percentile
CVE-2023-1114 — Eskom E-belediye: Missing Authorization vulnerability in Eskom e-Belediye allows Information Elicitation.
Missing Authorization vulnerability in Eskom e-Belediye allows Information Elicitation. This issue affects e-Belediye: from 1.0.0.95 before 1.0.0.100. CVSSv3.1 9.8 (CRITICAL) · EPSS 38th percentile
CVE-2023-1064 — Uzaybaskul Weighbridge_automation_software: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Uzay Baskul Weighbridge Automation Software allows SQL Injection. This issue affects Weighbridge Automation Software: before 1.1. CVSSv3.1 9.8 (CRITICAL) · EPSS 41th percentile
CVE-2021-3855 — Liman Port_mys: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Liman
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Liman Central Management System Liman MYS (HTTP/Controllers, CronMail, Jobs modules) allows Command Injection. This issue affects Liman Central Management System: from 1.7.0 before 1.8.3-462. CVSSv3.1 8.8 (HIGH) · EPSS 81th percentile
CVE-2023-1080 — Gnpublisher Gn_publisher: The GN Publisher plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the
The GN Publisher plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘tab’ parameter in versions up to, and including, 1.5.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. CVSSv3.1 6.1 (MEDIUM) · EPSS 98th percentile
CVE-2021-33224 — Umbraco Umbraco_forms: File upload vulnerability in Umbraco Forms v.8.7.0 allows unauthenticated attackers to execute arbitrary code
File upload vulnerability in Umbraco Forms v.8.7.0 allows unauthenticated attackers to execute arbitrary code via a crafted web.config and asp file. CVSSv3.1 9.8 (CRITICAL) · EPSS 50th percentile
CVE-2021-4105 — Bg-tek Coslat_bx5s1d3_firmware: Improper Handling of Parameters vulnerability in BG-TEK COSLAT Firewall allows Remote Code Inclusion.
Improper Handling of Parameters vulnerability in BG-TEK COSLAT Firewall allows Remote Code Inclusion. This issue affects COSLAT Firewall: from 5.24.0.R.20180630 before 5.24.0.R.20210727. CVSSv3.1 9.8 (CRITICAL) · EPSS 70th percentile
CVE-2023-24317 — Judging_management_system_project Judging_management_system: Judging Management System 1.0 was discovered to contain an arbitrary file upload vulnerability via
Judging Management System 1.0 was discovered to contain an arbitrary file upload vulnerability via the component edit_organizer.php. CVSSv3.1 8.1 (HIGH) · EPSS 74th percentile
CVE-2022-2504 — Sdd-baro_project Sdd-baro: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in SDD Computer Software SDD-Baro allows SQL Injection. This issue affects SDD-Baro: before 2.8.432. CVSSv3.1 9.8 (CRITICAL) · EPSS 48th percentile
CVE-2023-0939 — Online_services_project Online_services: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NTN Information Technologies Online Services Software allows SQL Injection. This issue affects Online Services Software: before 1.17. CVSSv3.1 9.8 (CRITICAL) · EPSS 38th percentile
CVE-2023-26314 — Mono-project Mono: The mono package before 6.8.0.105+dfsg-3.3 for Debian allows arbitrary code execution because the application/x-ms-dos-executable
The mono package before 6.8.0.105+dfsg-3.3 for Debian allows arbitrary code execution because the application/x-ms-dos-executable MIME type is associated with an un-sandboxed Mono CLR interpreter. CVSSv3.1 8.8 (HIGH) · EPSS 79th percentile