| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Arthur Yarwood Fast eBay Listings allows Phishing. This issue affects Fast eBay Listings: from n/a through 2.12.15. |
| URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Webilia Inc. Listdom allows Phishing. This issue affects Listdom: from n/a through 4.0.0. |
| In the Linux kernel, the following vulnerability has been resolved:
efi: libstub: only free priv.runtime_map when allocated
priv.runtime_map is only allocated when efi_novamap is not set.
Otherwise, it is an uninitialized value. In the error path, it is freed
unconditionally. Avoid passing an uninitialized value to free_pool.
Free priv.runtime_map only when it was allocated.
This bug was discovered and resolved using Coverity Static Analysis
Security Testing (SAST) by Synopsys, Inc. |
| Authorization Bypass Through User-Controlled Key vulnerability in ameliabooking Amelia allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Amelia: from n/a through 1.2.16. |
| atop through 2.11.0 allows local users to cause a denial of service (e.g., assertion failure and application exit) or possibly have unspecified other impact by running certain types of unprivileged processes while a different user runs atop. |
| API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Prior to 4.0.22 and 3.4.17, a GraphQL grant on a property might be cached with different objects. The ApiPlatform\GraphQl\Serializer\ItemNormalizer::isCacheKeySafe() method is meant to prevent the caching but the parent::normalize method that is called afterwards still creates the cache key and causes the issue. This vulnerability is fixed in 4.0.22 and 3.4.17. |
| Improper Restriction of XML External Entity Reference vulnerability in supsystic Easy Google Maps allows XML Injection. This issue affects Easy Google Maps: from n/a through 1.11.17. |
| The Attesa Extra plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.4.2 via the 'attesa-template' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to. |
| An Improper Isolation or Compartmentalization vulnerability in the Packet Forwarding Engine (pfe) of Juniper Networks Junos OS on QFX5000 Series and EX Series allows an unauthenticated, adjacent attacker to cause a Denial of Service (DoS).
If a specific malformed LACP packet is received by a QFX5000 Series, or an EX4400, EX4100 or EX4650 Series device, an LACP flap will occur resulting in traffic loss.
This issue affects Junos OS on QFX5000 Series, and on EX4400, EX4100 or EX4650 Series:
* 20.4 versions from
20.4R3-S4
before 20.4R3-S8,
* 21.2 versions from
21.2R3-S2
before 21.2R3-S6,
* 21.4 versions from
21.4R2
before 21.4R3-S4,
* 22.1 versions from
22.1R2
before 22.1R3-S3,
* 22.2 versions before 22.2R3-S1,
* 22.3 versions before 22.3R2-S2, 22.3R3,
* 22.4 versions before 22.4R2-S1, 22.4R3. |
| Evmos is the Ethereum Virtual Machine (EVM) Hub on the Cosmos Network. Preliminary checks on actions computed by the clawback vesting accounts are performed in the ante handler. Evmos core, implements two different ante handlers: one for Cosmos transactions and one for Ethereum transactions. Checks performed on the two implementation are different. The vulnerability discovered allowed a clawback account to bypass Cosmos ante handler checks by sending an Ethereum transaction targeting a precompile used to interact with a Cosmos SDK module. This vulnerability is fixed in 18.0.0.
|
| Authorization Bypass Through User-Controlled Key vulnerability in ExtremePacs Extreme XDS allows Authentication Abuse.This issue affects Extreme XDS: before 3914.
|
| A CWE-646 “Reliance on File Name or Extension of Externally-Supplied File” vulnerability in the “iec61850” functionality of the web application allows a remote authenticated attacker to upload any arbitrary type of file into the device. This issue affects: AiLux imx6 bundle below version imx6_1.0.7-2. |
| The Exertio Framework plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.3.1. This is due to the plugin not properly validating a user's identity prior to updating their password through the fl_forgot_pass_new() function. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account. |
| The Get Post Content Shortcode plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 0.4 via the 'post-content' shortcode due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the content of password-protected, private, draft, and pending posts. |
| The Content No Cache: prevent specific content from being cached plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 0.1.2 via the eos_dyn_get_content action due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to. |
| The AnyWhere Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.2.11 via the 'INSERT_ELEMENTOR' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts created by Elementor that they should not have access to. |
| Insufficient control flow management for some Intel(R) Xeon Processors may allow an authenticated user to potentially enable denial of service via local access. |
| Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Insecure handling of symlinks with --links and --metadata in rclone while copying to local disk allows unprivileged users to indirectly modify ownership and permissions on symlink target files when a superuser or privileged process performs a copy. This vulnerability could enable privilege escalation and unauthorized access to critical system files, compromising system integrity, confidentiality, and availability. This vulnerability is fixed in 1.68.2. |
| In Newgensoft OmniDocs 11.0_SP1_03_006, Insecure Direct Object Reference (IDOR) in the getuserproperty function allows user's configuration and PII to be stolen. |
| Protection mechanism failure in some 3rd, 4th, and 5th Generation Intel(R) Xeon(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access. |
