| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Open redirect vulnerability in Pleasanter 1.3.47.0 and earlier allows a remote unauthenticated attacker to redirect users to arbitrary web sites via a specially crafted URL. |
| URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Parcel Pro.This issue affects Parcel Pro: from n/a through 1.6.11.
|
| An issue in openCRX v.5.2.2 allows a remote attacker to read internal files and execute server side request forgery attack via insecure DocumentBuilderFactory. |
| An issue in minCal v.1.0.0 allows a remote attacker to execute arbitrary code via a crafted script to the customer_data parameter. |
| ZStack Cloud version 3.10.38 and before allows unauthenticated API access to the list of active job UUIDs and the session ID for each of these. This leads to privilege escalation. |
| Authorization Bypass Through User-Controlled Key vulnerability in gVectors Team Comments – wpDiscuz.This issue affects Comments – wpDiscuz: from n/a through 7.6.3.
|
| An unauthenticated could abuse a XXE vulnerability in the Smart Device Server to leak data or perform a Server-Side Request Forgery (SSRF). |
| Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine (EVM). Contracts containing large arrays might underallocate the number of slots they need by 1. Prior to v0.3.8, the calculation to determine how many slots a storage variable needed used `math.ceil(type_.size_in_bytes / 32)`. The intermediate floating point step can produce a rounding error if there are enough bits set in the IEEE-754 mantissa. Roughly speaking, if `type_.size_in_bytes` is large (> 2**46), and slightly less than a power of 2, the calculation can overestimate how many slots are needed by 1. If `type_.size_in_bytes` is slightly more than a power of 2, the calculation can underestimate how many slots are needed by 1. This issue is patched in version 0.3.8. |
| IBM Sterling Secure Proxy 6.0.3 and 6.1.0 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 269683. |
| IBM WebSphere Application Server Liberty 23.0.0.9 through 23.0.0.10 could provide weaker than expected security due to improper resource expiration handling. IBM X-Force ID: 268775. |
| JumpServer is an open source bastion host and maintenance security audit system that complies with 4A specifications. Prior to version 3.8.0, the default email for initial user admin is `admin[@]mycompany[.]com`, and users reset their passwords by sending an email. Currently, the domain `mycompany.com` has not been registered. However, if it is registered in the future, it may affect the password reset functionality. This issue has been patched in version 3.8.0 by changing the default email domain to `example.com`. Those who cannot upgrade may change the default email domain to `example.com` manually. |
| zzzcms v2.2.0 was discovered to contain an open redirect vulnerability. |
| An indirect Object Reference (IDOR) in the Order and Invoice pages in Floorsight Customer Portal Q3 2023 allows an unauthenticated remote attacker to view sensitive customer information. |
| URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Michael Uno (miunosoft) Responsive Column Widgets.This issue affects Responsive Column Widgets: from n/a through 1.2.7.
|
| Engelsystem is a shift planning system for chaos events. If a users' password is compromised and an attacker gained access to a users' account, i.e., logged in and obtained a session, an attackers' session is not terminated if the users' account password is reset. This vulnerability has been fixed in the commit `dbb089315ff3d`. Users are advised to update their installations. There are no known workarounds for this vulnerability. |
| In JetBrains Ktor before 2.3.5 default configuration of ContentNegotiation with XML format was vulnerable to XXE |
| An Insecure Direct Object Reference (IDOR) vulnerability leads to events profiles access in Elenos ETG150 FM transmitter running on version 3.12. |
| An indirect object reference (IDOR) in GRANDING UTime Master v9.0.7-Build:Apr 4,2023 allows authenticated attackers to access sensitive information via a crafted cookie. |
| In the module "Order Duplicator " Clone and Delete Existing Order" (orderduplicate) in version <= 1.1.7 from Silbersaiten for PrestaShop, a guest can download personal information without restriction. Due to a lack of permissions control, a guest can download personal information from ps_customer/ps_address tables such as name / surname / phone number / full postal address. |
| An issue was discovered in the Wikibase extension for MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. During item merging, ItemMergeInteractor does not have an edit filter running (e.g., AbuseFilter). |
