2023-01-27
2023-01-27 21:15Z
HIGH

CVE-2023-0554 — Thingsforrestaurants Quick_restaurant_menu: The Quick Restaurant Menu plugin for WordPress is vulnerable to Cross-Site Request Forgery in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-0554

The Quick Restaurant Menu plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.0.2. This is due to missing or incorrect nonce validation on its AJAX actions. This makes it possible for unauthenticated attackers to update menu items, via forged request granted they can trick a site administrator into performing an action such as clicking on a link. CVSSv3.1 8.1 (HIGH) · EPSS 41th percentile

CWECWE 352VNDThingsforrestaurantsVNDQuickTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2023-01-27
2023-01-27 21:15Z
HIGH

CVE-2023-0550 — Thingsforrestaurants Quick_restaurant_menu: The Quick Restaurant Menu plugin for WordPress is vulnerable to Insecure Direct Object Reference

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-0550

The Quick Restaurant Menu plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 2.0.2. This is due to the fact that during menu item deletion/modification, the plugin does not verify that the post ID provided to the AJAX action is indeed a menu item. This makes it possible for authenticated attackers, with subscriber-level access or higher, to modify or delete arbitrary posts. CVSSv3.1 8.1 (HIGH) · EPSS 59th percentile

CWECWE 639VNDThingsforrestaurantsVNDQuickTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2023-01-26
2023-01-26 21:15Z
CRIT

CVE-2020-22452 — Phpmyadmin Phpmyadmin: SQL Injection vulnerability in function getTableCreationQuery in CreateAddField.php in phpMyAdmin 5.x before 5.2.0 via

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2020-22452

SQL Injection vulnerability in function getTableCreationQuery in CreateAddField.php in phpMyAdmin 5.x before 5.2.0 via the tbl_storage_engine or tbl_collation parameters to tbl_create.php. CVSSv3.1 9.8 (CRITICAL) · EPSS 75th percentile

CWECWE 89VNDPhpmyadminTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2023-01-20
2023-01-20 12:15Z
HIGH

CVE-2021-37500 — Reprisesoftware Reprise_license_manager: Directory traversal vulnerability in Reprise License Manager (RLM) web interface before 14.2BL4 in the

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2021-37500

Directory traversal vulnerability in Reprise License Manager (RLM) web interface before 14.2BL4 in the diagnostics function that allows RLM users with sufficient privileges to overwrite any file the on the server. CVSSv3.1 8.1 (HIGH) · EPSS 65th percentile

CWECWE 22VNDReprisesoftwareTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2023-01-13
2023-01-13 20:15Z
HIGH

CVE-2023-0294 — Frenify Mediamatic: The Mediamatic – Media Library Folders plugin for WordPress is vulnerable to Cross-Site Request

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-0294

The Mediamatic – Media Library Folders plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.8.1. This is due to missing or incorrect nonce validation on its AJAX actions function. This makes it possible for unauthenticated attackers to change image categories used by the plugin, via forged request granted they can trick a site administrator into performing an action such as clicking on a link. CVSSv3.1 8.8 (HIGH) · EPSS 31th percentile

CWECWE 352VNDFrenifyVNDMediamaticTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2023-01-10
2023-01-10 14:15Z
CRIT

CVE-2022-4422 — Bulutses Bulutdesk_callcenter: Call Center System developed by Bulutses Information Technologies before version 3.0 has an unauthenticated

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-4422

Call Center System developed by Bulutses Information Technologies before version 3.0 has an unauthenticated Sql Injection vulnerability. This has been fixed in the version 3.0 CVSSv3.1 9.8 (CRITICAL) · EPSS 53th percentile

CWECWE 89VNDBulutsesVNDCallTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2023-01-10
2023-01-10 14:15Z
CRIT

CVE-2022-3792 — Gullseye Gullseye_terminal_operating_system: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-3792

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in GullsEye GullsEye terminal operating system allows SQL Injection. This issue affects GullsEye terminal operating system: from unspecified before 5.0.13. CVSSv3.1 9.8 (CRITICAL) · EPSS 58th percentile

CWECWE 89VNDGullseyeTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
728 × 90 / responsive · programmatic ad slot
2023-01-05
2023-01-05 19:15Z
HIGH

CVE-2023-0088 — Swifty_page_manager_project Swifty_page_manager: The Swifty Page Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-0088

The Swifty Page Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.0.1. This is due to missing or incorrect nonce validation on several AJAX actions handling page creation and deletion among other things. This makes it possible for unauthenticated attackers to invoke those functions, via forged request granted they can trick a site administrator into performing an action such as clicking on a link. CVSSv3.1 8.8 (HIGH) · EPSS 45th percentile

CWECWE 352VNDSwifty Page Manager ProjectVNDSwiftyTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2022-12-22
2022-12-22 21:15Z
HIGH

CVE-2022-3805 — Jegtheme Jeg_elementor_kit: The Jeg Elementor Kit plugin for WordPress is vulnerable to authorization bypass in various

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-3805

The Jeg Elementor Kit plugin for WordPress is vulnerable to authorization bypass in various functions used to update the plugin settings in versions up to, and including, 2.5.6. Unauthenticated users can use an easily available nonce, obtained from pages edited by the plugin, to update the MailChimp API key, global styles, 404 page settings, and enabled elements. CVSSv3.1 8.6 (HIGH) · EPSS 92th percentile

CWECWE 639VNDJegthemeVNDJegTYPVulnerability
8.6
CVSS v3.1
96
Edit Score
2022-12-19
2022-12-19 22:15Z
CRIT

CVE-2022-40434 — Softr Softr: v2.0 was discovered to be vulnerable to HTML injection via the Name field

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-40434

Softr v2.0 was discovered to be vulnerable to HTML injection via the Name field of the Account page. CVSSv3.1 9.8 (CRITICAL) · EPSS 67th percentile

CWECWE 79VNDSoftrTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2022-12-15
2022-12-15 23:15Z
CRIT

CVE-2022-46393 — Arm Mbed_tls: There is a potential heap-based buffer overflow and heap-based buffer over-read in DTLS if

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-46393

An issue was discovered in Mbed TLS before 2.28.2 and 3.x before 3.3.0. There is a potential heap-based buffer overflow and heap-based buffer over-read in DTLS if MBEDTLS_SSL_DTLS_CONNECTION_ID is enabled and MBEDTLS_SSL_CID_IN_LEN_MAX > 2 * MBEDTLS_SSL_CID_OUT_LEN_MAX. CVSSv3.1 9.8 (CRITICAL) · EPSS 76th percentile

CWECWE 125CWECWE 787VNDFedoraprojectVNDArmVNDTrustedfirmwareTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2022-12-15
2022-12-15 19:15Z
HIGH

CVE-2022-3427 — Dwbooster Corner_ad: The Corner Ad plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-3427

The Corner Ad plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.56. This is due to missing or incorrect nonce validation on its corner_ad_settings_page function. This makes it possible for unauthenticated attackers to trigger the deletion of ads via forged request granted they can trick a site administrator into performing an action such as clicking on a link. CVSSv3.1 8.8 (HIGH) · EPSS 69th percentile

CWECWE 352VNDDwboosterVNDCornerTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2022-12-14
2022-12-14 21:15Z
HIGH

CVE-2022-2601 — Gnu Grub2: A buffer overflow was found in grub_font_construct_glyph().

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-2601

A buffer overflow was found in grub_font_construct_glyph(). A malicious crafted pf2 font can lead to an overflow when calculating the max_glyph_size value, allocating a smaller than needed buffer for the glyph, this further leads to a buffer overflow and a heap based out-of-bounds write. An attacker may use this vulnerability to circumvent the secure boot mechanism. CVSSv3.1 8.6 (HIGH) · EPSS 19th percentile

CWECWE 787CWECWE 122VNDGnuVNDFedoraprojectTYPVulnerability
8.6
CVSS v3.1
93
Edit Score
2022-12-14
2022-12-14 20:10Z
INFO

Volatility 3 2.4.0

Volatility3 releases·github.com

Volatility 3 2.4.0 released with new plugins for Linux and Windows memory analysis (mountinfo, psaux, devicetree, joblinks, ldrmodules, mbrscan, mftscan, sessions), improved symbol handling, better QEMU support, and API enhancements for PDB symbol table integration.

SRFOsVNDVolatilityTYPToolSTGDiscovery
45
Edit Score
2022-12-14
2022-12-14 15:15Z
CRIT

CVE-2022-31358 — Proxmox Virtual_environment: A reflected cross-site scripting (XSS) vulnerability in Proxmox Virtual Environment prior to v7.2-3 allows

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-31358

A reflected cross-site scripting (XSS) vulnerability in Proxmox Virtual Environment prior to v7.2-3 allows remote attackers to execute arbitrary web scripts or HTML via non-existent endpoints under path /api2/html/. CVSSv3.1 9.0 (CRITICAL) · EPSS 66th percentile

CWECWE 79VNDProxmoxVNDXssTYPVulnerability
9.0
CVSS v3.1
95
Edit Score
2022-12-05
2022-12-05 22:15Z
CRIT

CVE-2022-32224 — Activerecord_project Activerecord: A possible escalation to RCE vulnerability exists when using YAML serialized columns in Active

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-32224

A possible escalation to RCE vulnerability exists when using YAML serialized columns in Active Record < 7.0.3.1, <6.1.6.1, <6.0.5.1 and <5.2.8.1 which could allow an attacker, that can manipulate data in the database (via means like SQL injection), the ability to escalate to an RCE. CVSSv3.1 9.8 (CRITICAL) · EPSS 83th percentile

CWECWE 502VNDRceVNDActiverecord ProjectTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2022-12-02
2022-12-02 20:15Z
CRIT

CVE-2022-44945 — Rukovoditel Rukovoditel: v3.2.1 was discovered to contain a SQL injection vulnerability via the heading_field_id parameter.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-44945

Rukovoditel v3.2.1 was discovered to contain a SQL injection vulnerability via the heading_field_id parameter. CVSSv3.1 9.8 (CRITICAL) · EPSS 55th percentile

CWECWE 89VNDRukovoditelTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2022-12-02
2022-12-02 20:15Z
CRIT

CVE-2022-44291 — Webtareas_project Webtareas: 2.4p5 was discovered to contain a SQL injection vulnerability via the id parameter

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-44291

webTareas 2.4p5 was discovered to contain a SQL injection vulnerability via the id parameter in phasesets.php. CVSSv3.1 9.8 (CRITICAL) · EPSS 88th percentile

CWECWE 89VNDWebtareas ProjectTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2022-12-02
2022-12-02 20:15Z
CRIT

CVE-2022-44290 — Webtareas_project Webtareas: 2.4p5 was discovered to contain a SQL injection vulnerability via the id parameter

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-44290

webTareas 2.4p5 was discovered to contain a SQL injection vulnerability via the id parameter in deleteapprovalstages.php. CVSSv3.1 9.8 (CRITICAL) · EPSS 88th percentile

CWECWE 89VNDWebtareas ProjectTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2022-12-02
2022-12-02 12:15Z
HIGH

CVE-2022-2808 — Algan Prens_student_information_system: Authorization Bypass Through User-Controlled Key vulnerability in Algan Software Prens Student Information System allows

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-2808

Authorization Bypass Through User-Controlled Key vulnerability in Algan Software Prens Student Information System allows Object Relational Mapping Injection. This issue affects Prens Student Information System: before 2.1.11. CVSSv3.1 8.8 (HIGH) · EPSS 52th percentile

CWECWE 639VNDAlganTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2022-12-02
2022-12-02 12:15Z
CRIT

CVE-2022-2807 — Algan Prens_student_information_system: SQL Injection vulnerability in Algan Software Prens Student Information System allows SQL Injection.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-2807

SQL Injection vulnerability in Algan Software Prens Student Information System allows SQL Injection. This issue affects Prens Student Information System: before 2.1.11. CVSSv3.1 9.8 (CRITICAL) · EPSS 48th percentile

CWECWE 89VNDAlganTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2022-11-29
2022-11-29 21:15Z
HIGH

CVE-2022-4030 — Simple-press Simple\: The Simple:Press plugin for WordPress is vulnerable to Path Traversal in versions up to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-4030

The Simple:Press plugin for WordPress is vulnerable to Path Traversal in versions up to, and including, 6.8 via the 'file' parameter which can be manipulated during user avatar deletion. This makes it possible with attackers, with minimal permissions such as a subscriber, to supply paths to arbitrary files on the server that will subsequently be deleted. This can be used to delete the wp-config.php file that can allow an attacker to configure the site and achieve remote code CVSSv3.1 8.1 (HIGH) · EPSS 91th percentile

CWECWE 22VNDSimple PressVNDSimpleTYPVulnerability
8.1
CVSS v3.1
92
Edit Score
2022-11-29
2022-11-29 21:15Z
HIGH

CVE-2022-3898 — Tipsandtricks-hq Wp_affiliate_platform: The WP Affiliate Platform plugin for WordPress is vulnerable to Cross-Site Request Forgery in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-3898

The WP Affiliate Platform plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.3.9. This is due to missing or incorrect nonce validation on various functions including the affiliates_menu method. This makes it possible for unauthenticated attackers to delete affiliate records, via forged request granted they can trick a site administrator into performing an action such as clicking on a link. CVSSv3.1 8.8 (HIGH) · EPSS 38th percentile

CWECWE 352VNDTipsandtricks HqVNDAffiliateTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2022-11-29
2022-11-29 21:15Z
HIGH

CVE-2022-3747 — Muffingroup Becustom: The Becustom plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-3747

The Becustom plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.5.2. This is due to missing nonce validation when saving the plugin's settings. This makes it possible for unauthenticated attackers to update the plugin's settings like betheme_url_slug, replaced_theme_author, and betheme_label to name a few, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. CVSSv3.1 8.8 (HIGH) · EPSS 77th percentile

CWECWE 352VNDMuffingroupVNDBecustomTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2022-11-29
2022-11-29 21:15Z
HIGH

CVE-2022-3384 — Ultimatemember Ultimate_member: The Ultimate Member plugin for WordPress is vulnerable to Remote Code Execution in versions

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-3384

The Ultimate Member plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.5.0 via the populate_dropdown_options function that accepts user supplied input and passes it through call_user_func(). This is restricted to non-parameter PHP functions like phpinfo(); since user supplied parameters are not passed through the function. This makes it possible for authenticated attackers, with administrative privileges, to execute code on the ser CVSSv3.1 7.2 (HIGH) · EPSS 97th percentile

CWECWE 94VNDUltimatememberVNDUltimateTYPVulnerability
7.2
CVSS v3.1
98
Edit Score