U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
There are 229,251 matching records.
Displaying matches 1,001 through 1,020.
Vuln ID Summary CVSS Severity
CVE-2024-24028

Server Side Request Forgery (SSRF) vulnerability in Likeshop before 2.5.7 allows attackers to view sensitive information via the avatar parameter in function UserLogic::updateWechatInfo.

Published: March 20, 2024; 10:52:09 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-22352

IBM InfoSphere Information Server 11.7 stores potentially sensitive information in log files that could be read by a local user. IBM X-Force ID: 280361.

Published: March 20, 2024; 10:52:02 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-1908

An Improper Privilege Management vulnerability was identified in GitHub Enterprise Server that allowed an attacker to use the Enterprise Actions GitHub Connect download token to fetch private repository data. An attacker would require an account on the server instance with non-default settings for GitHub Connect. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.12 and was fixed in versions 3.8.16, 3.9.11, 3.10.8, and 3.11.6. This vulnerability was reported via the GitHub Bug Bounty program. 

Published: March 20, 2024; 10:51:48 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-1503

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.1. This is due to missing or incorrect nonce validation on the erase_tutor_data() function. This makes it possible for unauthenticated attackers to deactivate the plugin and erase all data via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This requires the "Erase upon uninstallation" option to be enabled.

Published: March 20, 2024; 10:51:43 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-1502

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the tutor_delete_announcement() function in all versions up to, and including, 2.6.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary posts.

Published: March 20, 2024; 10:51:43 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-1450

The Shariff Wrapper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'shariff' shortcode in all versions up to, and including, 4.6.10 due to insufficient input sanitization and output escaping on user supplied attributes such as 'align'. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published: March 20, 2024; 10:51:42 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-1326

The Jeg Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via HTML Tag attributes in all versions up to, and including, 2.6.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published: March 20, 2024; 10:51:41 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-1278

The Easy Social Feed – Social Photos Gallery – Post Feed – Like Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'efb_likebox' shortcode in all versions up to, and including, 6.5.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published: March 20, 2024; 10:51:40 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-1214

The Easy Social Feed – Social Photos Gallery – Post Feed – Like Box plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.5.4. This is due to missing or incorrect nonce validation on the save_groups_list function. This makes it possible for unauthenticated attackers to disconnect a site's facebook or instagram page/group connection via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published: March 20, 2024; 10:51:38 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-1213

The Easy Social Feed – Social Photos Gallery – Post Feed – Like Box plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.5.4. This is due to missing or incorrect nonce validation on the esf_insta_save_access_token and efbl_save_facebook_access_token functions. This makes it possible for unauthenticated attackers to connect their facebook and instagram pages to the site via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Published: March 20, 2024; 10:51:38 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-1202

Authentication Bypass by Primary Weakness vulnerability in XPodas Octopod allows Authentication Bypass.This issue affects Octopod: before v1.  NOTE: The vendor was contacted and it was learned that the product is not supported.

Published: March 20, 2024; 10:51:38 PM -0400
V3.1: 9.8 CRITICAL
V2.0:(not available)
CVE-2024-1142

Path Traversal in Sonatype IQ Server from version 143 allows remote authenticated attackers to overwrite or delete files via a specially crafted request. Version 171 fixes this issue.

Published: March 20, 2024; 10:51:36 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-0966

The Shariff Wrapper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'shariff' shortcode in all versions up to, and including, 4.6.9 due to insufficient input sanitization and output escaping on user supplied attributes like 'info_text'. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page and clicks the information icon.

Published: March 20, 2024; 10:51:29 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2023-6500

The Shariff Wrapper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'shariff' shortcode in all versions up to, and including, 4.6.9 due to insufficient input sanitization and output escaping on user supplied attributes such as 'secondarycolor' and 'maincolor'. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published: March 20, 2024; 10:50:38 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2023-49985

A cross-site scripting (XSS) vulnerability in the component /management/class of School Fees Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the cname parameter.

Published: March 20, 2024; 10:49:38 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2023-49984

A cross-site scripting (XSS) vulnerability in the component /management/settings of School Fees Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the name parameter.

Published: March 20, 2024; 10:49:38 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2023-49983

A cross-site scripting (XSS) vulnerability in the component /management/class of School Fees Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the name parameter.

Published: March 20, 2024; 10:49:38 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2023-49982

Broken access control in the component /admin/management/users of School Fees Management System v1.0 allows attackers to escalate privileges and perform Administrative actions, including adding and deleting user accounts.

Published: March 20, 2024; 10:49:38 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2023-49981

A directory listing vulnerability in School Fees Management System v1.0 allows attackers to list directories and sensitive files within the application without requiring authorization.

Published: March 20, 2024; 10:49:38 PM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2023-49980

A directory listing vulnerability in Best Student Result Management System v1.0 allows attackers to list directories and sensitive files within the application without requiring authorization.

Published: March 20, 2024; 10:49:38 PM -0400
V3.x:(not available)
V2.0:(not available)