U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
There are 229,277 matching records.
Displaying matches 21 through 40.
Vuln ID Summary CVSS Severity
CVE-2024-0609

The WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'api_key' parameter in all versions up to, and including, 1.12.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published: March 29, 2024; 3:15:41 AM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-0608

The WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting plugin for WordPress is vulnerable to union-based SQL Injection via the 'email' parameter in all versions up to, and including, 1.12.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Published: March 29, 2024; 3:15:41 AM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-2936

The Sydney Toolbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the _id attribute of widgets in all versions up to, and including, 1.26 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published: March 29, 2024; 2:15:08 AM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-2844

The Easy Appointments plugin for WordPress is vulnerable to unauthorized modification of data due to insufficient user validation on the ajax_cancel_appointment() function in all versions up to, and including, 3.11.18. This makes it possible for unauthenticated attackers to cancel other users orders.

Published: March 29, 2024; 2:15:08 AM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-2842

The Easy Appointments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ea_full_calendar' shortcode in all versions up to, and including, 3.11.18 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published: March 29, 2024; 2:15:07 AM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-28960

An issue was discovered in Mbed TLS 2.18.0 through 2.28.x before 2.28.8 and 3.x before 3.6.0, and Mbed Crypto. The PSA Crypto API mishandles shared memory.

Published: March 29, 2024; 2:15:07 AM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-3077

An malicious BLE device can crash BLE victim device by sending malformed gatt packet

Published: March 29, 2024; 1:15:46 AM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-2841

The Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 2.6.5 due to insufficient input sanitization and output escaping on user supplied attributes such as 'id'. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published: March 29, 2024; 1:15:46 AM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-2475

The Media Library Assistant plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 3.13 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published: March 29, 2024; 1:15:46 AM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-1729

Th password check condition is vulnerable to timing attack to guess the password

Published: March 29, 2024; 1:15:45 AM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-29489

Jerryscript 2.4.0 has SEGV at ./jerry-core/ecma/base/ecma-helpers.c:238:58 in ecma_get_object_type.

Published: March 28, 2024; 7:15:46 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-29316

NodeBB 3.6.7 is vulnerable to Incorrect Access Control, e.g., a low-privileged attacker can access the restricted tabs for the Admin group via "isadmin":true.

Published: March 28, 2024; 7:15:46 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-28714

SQL Injection vulnerability in CRMEB_Java e-commerce system v.1.3.4 allows an attacker to execute arbitrary code via the groupid parameter.

Published: March 28, 2024; 7:15:46 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-28456

Cross Site Scripting vulnerability in Campcodes Online Marriage Registration System v.1.0 allows a remote attacker to execute arbitrary code via the text fields in the marriage registration request form.

Published: March 28, 2024; 7:15:46 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-24407

SQL Injection vulnerability in Best Courier management system v.1.0 allows a remote attacker to obtain sensitive information via print_pdets.php component.

Published: March 28, 2024; 7:15:46 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2023-50969

Thales Imperva SecureSphere WAF 14.7.0.40 allows remote attackers to bypass WAF rules via a crafted POST request, a different vulnerability than CVE-2021-45468.

Published: March 28, 2024; 7:15:46 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2023-33528

halo v1.6.0 is vulnerable to Cross Site Scripting (XSS).

Published: March 28, 2024; 7:15:46 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2021-31156

Allied Telesis AT-S115 1.2.0 devices before 1.00.024 with Boot Loader 1.00.006 allow Directory Traversal to achieve partial access to data.

Published: March 28, 2024; 7:15:45 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2023-25341

A Directory Traversal vulnerability in ladle dev server 2.5.1 and earlier allows an attacker on the same network to read files accessible to the user via GET requests.

Published: March 28, 2024; 6:15:09 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-23727

The YI Smart Kami Vision com.kamivision.yismart application through 1.0.0_20231219 for Android allows a remote attacker to execute arbitrary JavaScript code via an implicit intent to the com.ants360.yicamera.activity.WebViewActivity component.

Published: March 28, 2024; 5:16:01 PM -0400
V3.x:(not available)
V2.0:(not available)