Subscribe, build a custom feed, or pitch a sponsorship at hello@acadenix.com
Latest intel// live feed
CVE-2023-0939 — Online_services_project Online_services: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NTN Information Technologies Online Services Software allows SQL Injection. This issue affects Online Services Software: before 1.17. CVSSv3.1 9.8 (CRITICAL) · EPSS 38th percentile
CVE-2023-26314 — Mono-project Mono: The mono package before 6.8.0.105+dfsg-3.3 for Debian allows arbitrary code execution because the application/x-ms-dos-executable
The mono package before 6.8.0.105+dfsg-3.3 for Debian allows arbitrary code execution because the application/x-ms-dos-executable MIME type is associated with an un-sandboxed Mono CLR interpreter. CVSSv3.1 8.8 (HIGH) · EPSS 79th percentile
CVE-2023-24080 — Chamberlain Myq: A lack of rate limiting on the password reset endpoint of Chamberlain myQ v5.222.0.32277
A lack of rate limiting on the password reset endpoint of Chamberlain myQ v5.222.0.32277 (on iOS) allows attackers to compromise user accounts via a bruteforce attack. CVSSv3.1 9.8 (CRITICAL) · EPSS 63th percentile
CVE-2023-0942 — Artisanworkshop Japanized_for_woocommerce: The Japanized For WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via
The Japanized For WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘tab’ parameter in versions up to, and including, 2.5.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. CVSSv3.1 6.1 (MEDIUM) · EPSS 97th percentile
CVE-2022-48329 — Misp-project Misp: before 2.4.166 unsafely allows users to use the order parameter, related to app/Model/Attribute.php
MISP before 2.4.166 unsafely allows users to use the order parameter, related to app/Model/Attribute.php, app/Model/GalaxyCluster.php, app/Model/Workflow.php, and app/Plugin/Assets/models/behaviors/LogableBehavior.php. CVSSv3.1 9.8 (CRITICAL) · EPSS 56th percentile
CVE-2022-48328 — Misp-project Misp: app/Controller/Component/IndexFilterComponent.php in MISP before 2.4.167 mishandles ordered_url_params and additional_delimiters.
app/Controller/Component/IndexFilterComponent.php in MISP before 2.4.167 mishandles ordered_url_params and additional_delimiters. CVSSv3.1 9.8 (CRITICAL) · EPSS 67th percentile
CVE-2022-45701 — Commscope Arris_tg2482a_firmware: Arris TG2482A firmware through 9.1.103GEM9 allow Remote Code Execution (RCE) via the ping utility
Arris TG2482A firmware through 9.1.103GEM9 allow Remote Code Execution (RCE) via the ping utility feature. CVSSv3.1 8.8 (HIGH) · EPSS 99th percentile
CVE-2023-0882 — Krontech Single_connect: Improper Input Validation, Authorization Bypass Through User-Controlled Key vulnerability in Kron Tech Single Connect
Improper Input Validation, Authorization Bypass Through User-Controlled Key vulnerability in Kron Tech Single Connect on Windows allows Privilege Abuse. This issue affects Single Connect: 2.16. CVSSv3.1 8.8 (HIGH) · EPSS 48th percentile
CVE-2023-21529 — Microsoft Exchange_server: Exchange Server Remote Code Execution Vulnerability
Microsoft Exchange Server Remote Code Execution Vulnerability CVSSv3.1 8.8 (HIGH) · EPSS 97th percentile
CVE-2023-24188 — Ureport_project Ureport: v2.2.9 was discovered to contain a directory traversal vulnerability via the deletion function
ureport v2.2.9 was discovered to contain a directory traversal vulnerability via the deletion function which allows for arbitrary files to be deleted. CVSSv3.1 9.1 (CRITICAL) · EPSS 70th percentile
CVE-2022-45725 — Comfast Cf-wr610n_firmware: Improper Input Validation in Comfast router CF-WR6110N V2.3.1 allows a remote attacker on the
Improper Input Validation in Comfast router CF-WR6110N V2.3.1 allows a remote attacker on the same network to execute arbitrary code on the target via an HTTP POST request CVSSv3.1 8.8 (HIGH) · EPSS 95th percentile
CVE-2022-4557 — Gruparge Smartpower: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Group Arge Energy and Control Systems Smartpower Web allows SQL Injection. This issue affects Smartpower Web: before 23.01.01. CVSSv3.1 9.8 (CRITICAL) · EPSS 48th percentile
CVE-2022-45090 — Gruparge Smartpower_web: Improper Input Validation vulnerability in Group Arge Energy and Control Systems Smartpower Web allows
Improper Input Validation vulnerability in Group Arge Energy and Control Systems Smartpower Web allows SQL Injection. This issue affects Smartpower Web: before 23.01.01. CVSSv3.1 8.8 (HIGH) · EPSS 47th percentile
CVE-2022-45089 — Gruparge Smartpower_web: Improper Input Validation vulnerability in Group Arge Energy and Control Systems Smartpower Web allows
Improper Input Validation vulnerability in Group Arge Energy and Control Systems Smartpower Web allows SQL Injection. This issue affects Smartpower Web: before 23.01.01. CVSSv3.1 8.8 (HIGH) · EPSS 47th percentile
CVE-2022-45088 — Gruparge Smartpower_web: Improper Input Validation vulnerability in Group Arge Energy and Control Systems Smartpower Web allows
Improper Input Validation vulnerability in Group Arge Energy and Control Systems Smartpower Web allows PHP Local File Inclusion. This issue affects Smartpower Web: before 23.01.01. CVSSv3.1 9.8 (CRITICAL) · EPSS 58th percentile
CVE-2022-3568 — Orangelab Imagemagick_engine: The ImageMagick Engine plugin for WordPress is vulnerable to deserialization of untrusted input via
The ImageMagick Engine plugin for WordPress is vulnerable to deserialization of untrusted input via the 'cli_path' parameter in versions up to, and including 1.7.5. This makes it possible for unauthenticated users to call files using a PHAR wrapper, granted they can trick a site administrator into performing an action such as clicking on a link, that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain CVSSv3.1 8.8 (HIGH) · EPSS 71th percentile
CVE-2023-25136 — Openbsd Openssh: One third-party report states "remote code execution is theoretically possible."
OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. This is fixed in OpenSSH 9.2. The double free can be leveraged, by an unauthenticated remote attacker in the default configuration, to jump to any location in the sshd address space. One third-party report states "remote code execution is theoretically possible." CVSSv3.1 6.5 (MEDIUM) · EPSS 100th percentile
CVE-2022-46965 — 202-ecommerce Administrative_mandate: PrestaShop module, totadministrativemandate before v1.7.1 was discovered to contain a SQL injection vulnerability.
PrestaShop module, totadministrativemandate before v1.7.1 was discovered to contain a SQL injection vulnerability. CVSSv3.1 8.1 (HIGH) · EPSS 57th percentile
CVE-2022-47003 — Murasoftware Mura_cms: A vulnerability in the Remember Me function of Mura CMS before v10.0.580 allows attackers
A vulnerability in the Remember Me function of Mura CMS before v10.0.580 allows attackers to bypass authentication via a crafted web request. CVSSv3.1 9.8 (CRITICAL) · EPSS 88th percentile
CVE-2022-47770 — Serinf Fast_checkin: Serenissima Informatica Fast Checkin version v1.0 is vulnerable to Unauthenticated SQL Injection.
Serenissima Informatica Fast Checkin version v1.0 is vulnerable to Unauthenticated SQL Injection. CVSSv3.1 9.8 (CRITICAL) · EPSS 57th percentile
CVE-2022-47769 — Serinf Fast_checkin: An arbitrary file write vulnerability in Serenissima Informatica Fast Checkin v1.0 allows unauthenticated attackers
An arbitrary file write vulnerability in Serenissima Informatica Fast Checkin v1.0 allows unauthenticated attackers to upload malicious files in the web root of the application to gain access to the server via the web shell. CVSSv3.1 9.8 (CRITICAL) · EPSS 63th percentile
CVE-2022-23334 — Ip-label Newtest: The Robot application in Ip-label Newtest before v8.5R0 was discovered to use weak signature
The Robot application in Ip-label Newtest before v8.5R0 was discovered to use weak signature checks on executed binaries, allowing attackers to have write access and escalate privileges via replacing NEWTESTREMOTEMANAGER.EXE. CVSSv3.1 9.8 (CRITICAL) · EPSS 41th percentile
CVE-2023-0558 — Contentstudio Contentstudio: The ContentStudio plugin for WordPress is vulnerable to authorization bypass due to an unsecure
The ContentStudio plugin for WordPress is vulnerable to authorization bypass due to an unsecure token check that is susceptible to type juggling in versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to execute functions intended for use by users with proper API keys. CVSSv3.1 8.2 (HIGH) · EPSS 82th percentile
CVE-2023-0556 — Contentstudio Contentstudio: The ContentStudio plugin for WordPress is vulnerable to authorization bypass due to a missing
The ContentStudio plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on several functions in versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to obtain the blog metadata (via the function cstu_get_metadata) that includes the plugin's contentstudio_token. Knowing this token allows for other interactions with the plugin such as creating posts in versions prior to 1.2.5, which added other require CVSSv3.1 9.8 (CRITICAL) · EPSS 82th percentile
CVE-2023-0555 — Thingsforrestaurants Quick_restaurant_menu: The Quick Restaurant Menu plugin for WordPress is vulnerable to authorization bypass due to
The Quick Restaurant Menu plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on its AJAX actions in versions up to, and including, 2.0.2. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to invoke those actions intended for administrator use. Actions include menu item creation, update and deletion and other menu management functions. Since the plugin does not verify that a post ID passed CVSSv3.1 8.1 (HIGH) · EPSS 55th percentile