Search Results

| Vuln ID | Summary | CVSS Severity |
|---|---|---|
| CVE-2024-24028 | Server Side Request Forgery (SSRF) vulnerability in Likeshop before 2.5.7 allows attackers to view sensitive information via the avatar parameter in function UserLogic::updateWechatInfo. Published: March 20, 2024; 10:52:09 PM -0400 | V3.x: (not available); V2.0: (not available) |
| CVE-2024-22352 | IBM InfoSphere Information Server 11.7 stores potentially sensitive information in log files that could be read by a local user. IBM X-Force ID: 280361. Published: March 20, 2024; 10:52:02 PM -0400 | V3.x: (not available); V2.0: (not available) |
| CVE-2024-1908 | An Improper Privilege Management vulnerability was identified in GitHub Enterprise Server that allowed an attacker to use the Enterprise Actions GitHub Connect download token to fetch private repository data. An attacker would require an account on the server instance with non-default settings for GitHub Connect. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.8.16, 3.9.11, 3.10.8, and 3.11.6. This vulnerability was reported via the GitHub Bug Bounty program. Published: March 20, 2024; 10:51:48 PM -0400 | V3.x: (not available); V2.0: (not available) |
| CVE-2024-1503 | The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.1. This is due to missing or incorrect nonce validation on the erase_tutor_data() function. This makes it possible for unauthenticated attackers to deactivate the plugin and erase all data via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. This requires the "Erase upon uninstallation" option to be enabled. Published: March 20, 2024; 10:51:43 PM -0400 | V3.x: (not available); V2.0: (not available) |
| CVE-2024-1502 | The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the tutor_delete_announcement() function in all versions up to, and including, 2.6.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary posts. Published: March 20, 2024; 10:51:43 PM -0400 | V3.x: (not available); V2.0: (not available) |
| CVE-2024-1450 | The Shariff Wrapper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'shariff' shortcode in all versions up to, and including, 4.6.10 due to insufficient input sanitization and output escaping on user supplied attributes such as 'align'. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Published: March 20, 2024; 10:51:42 PM -0400 | V3.x: (not available); V2.0: (not available) |
| CVE-2024-1326 | The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via HTML tag attributes in all versions up to, and including, 2.6.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Published: March 20, 2024; 10:51:41 PM -0400 | V3.x: (not available); V2.0: (not available) |
| CVE-2024-1278 | The Easy Social Feed – Social Photos Gallery – Post Feed – Like Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'efb_likebox' shortcode in all versions up to, and including, 6.5.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Published: March 20, 2024; 10:51:40 PM -0400 | V3.x: (not available); V2.0: (not available) |
| CVE-2024-1214 | The Easy Social Feed – Social Photos Gallery – Post Feed – Like Box plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.5.4. This is due to missing or incorrect nonce validation on the save_groups_list function. This makes it possible for unauthenticated attackers to disconnect a site's Facebook or Instagram page/group connection via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. Published: March 20, 2024; 10:51:38 PM -0400 | V3.x: (not available); V2.0: (not available) |
| CVE-2024-1213 | The Easy Social Feed – Social Photos Gallery – Post Feed – Like Box plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.5.4. This is due to missing or incorrect nonce validation on the esf_insta_save_access_token and efbl_save_facebook_access_token functions. This makes it possible for unauthenticated attackers to connect their Facebook and Instagram pages to the site via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. Published: March 20, 2024; 10:51:38 PM -0400 | V3.x: (not available); V2.0: (not available) |
| CVE-2024-1202 | Authentication Bypass by Primary Weakness vulnerability in XPodas Octopod allows Authentication Bypass. This issue affects Octopod: before v1. NOTE: The vendor was contacted and it was learned that the product is not supported. Published: March 20, 2024; 10:51:38 PM -0400 | V3.1: 9.8 CRITICAL; V2.0: (not available) |
| CVE-2024-1142 | Path Traversal in Sonatype IQ Server from version 143 allows remote authenticated attackers to overwrite or delete files via a specially crafted request. Version 171 fixes this issue. Published: March 20, 2024; 10:51:36 PM -0400 | V3.x: (not available); V2.0: (not available) |
| CVE-2024-0966 | The Shariff Wrapper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'shariff' shortcode in all versions up to, and including, 4.6.9 due to insufficient input sanitization and output escaping on user supplied attributes like 'info_text'. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page and clicks the information icon. Published: March 20, 2024; 10:51:29 PM -0400 | V3.x: (not available); V2.0: (not available) |
| CVE-2023-6500 | The Shariff Wrapper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'shariff' shortcode in all versions up to, and including, 4.6.9 due to insufficient input sanitization and output escaping on user supplied attributes such as 'secondarycolor' and 'maincolor'. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Published: March 20, 2024; 10:50:38 PM -0400 | V3.x: (not available); V2.0: (not available) |
| CVE-2023-49985 | A cross-site scripting (XSS) vulnerability in the component /management/class of School Fees Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the cname parameter. Published: March 20, 2024; 10:49:38 PM -0400 | V3.x: (not available); V2.0: (not available) |
| CVE-2023-49984 | A cross-site scripting (XSS) vulnerability in the component /management/settings of School Fees Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the name parameter. Published: March 20, 2024; 10:49:38 PM -0400 | V3.x: (not available); V2.0: (not available) |
| CVE-2023-49983 | A cross-site scripting (XSS) vulnerability in the component /management/class of School Fees Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the name parameter. Published: March 20, 2024; 10:49:38 PM -0400 | V3.x: (not available); V2.0: (not available) |
| CVE-2023-49982 | Broken access control in the component /admin/management/users of School Fees Management System v1.0 allows attackers to escalate privileges and perform administrative actions, including adding and deleting user accounts. Published: March 20, 2024; 10:49:38 PM -0400 | V3.x: (not available); V2.0: (not available) |
| CVE-2023-49981 | A directory listing vulnerability in School Fees Management System v1.0 allows attackers to list directories and sensitive files within the application without requiring authorization. Published: March 20, 2024; 10:49:38 PM -0400 | V3.x: (not available); V2.0: (not available) |
| CVE-2023-49980 | A directory listing vulnerability in Best Student Result Management System v1.0 allows attackers to list directories and sensitive files within the application without requiring authorization. Published: March 20, 2024; 10:49:38 PM -0400 | V3.x: (not available); V2.0: (not available) |