Search Results
There are 229,215 matching records.
Displaying matches 1,121 through 1,140.
Vuln ID | Summary | CVSS Severity
CVE-2024-2124

The Translate WordPress and go Multilingual – Weglot plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widget/block in all versions up to, and including, 4.2.5 due to insufficient input sanitization and output escaping on user supplied attributes such as 'className'. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published: March 20, 2024; 1:15:45 AM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-22085

An issue was discovered in Elspec G5 digital fault recorder versions 1.1.4.15 and before. The shadow file is world readable.

Published: March 20, 2024; 1:15:45 AM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-22084

An issue was discovered in Elspec G5 digital fault recorder versions 1.1.4.15 and before. Cleartext passwords and hashes are exposed through log files.

Published: March 20, 2024; 1:15:45 AM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-22083

An issue was discovered in Elspec G5 digital fault recorder versions 1.1.4.15 and before. A hardcoded backdoor session ID exists that can be used for further access to the device, including reconfiguration tasks.

Published: March 20, 2024; 1:15:45 AM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-22082

An issue was discovered in Elspec G5 digital fault recorder versions 1.1.4.15 and before. Unauthenticated directory listing can occur: the web interface can be abused by an attacker to get a better understanding of the operating system.

Published: March 20, 2024; 1:15:45 AM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-22081

An issue was discovered in Elspec G5 digital fault recorder versions 1.1.4.15 and before. Unauthenticated memory corruption can occur in the HTTP header parsing mechanism.

Published: March 20, 2024; 1:15:45 AM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-22080

An issue was discovered in Elspec G5 digital fault recorder versions 1.1.4.15 and before. Unauthenticated memory corruption can occur during XML body parsing.

Published: March 20, 2024; 1:15:45 AM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-22079

An issue was discovered in Elspec G5 digital fault recorder versions 1.1.4.15 and before. Directory traversal can occur via the system logs download mechanism.

Published: March 20, 2024; 1:15:45 AM -0400
V3.x:(not available)
V2.0:(not available)
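The log-download traversal above (CVE-2024-22079) is the classic "user supplies a file name, server joins it onto a directory" bug. The following is an added example, not Elspec code, showing the vulnerable join beside a resolver that canonicalises the path (collapsing `..`, following symlinks, and defeating absolute paths) and refuses anything outside the log directory. The fixture files, the `latest.log` symlink and the `shadow` content are constructed for the demo.

```python
import os
import tempfile
from pathlib import Path


class TraversalError(ValueError):
    """The requested name resolves to something outside the log directory."""


def resolve_log_path(log_dir: str, requested: str) -> Path:
    """Canonicalise base and candidate, then require the candidate to sit under base."""
    base = Path(log_dir).resolve()
    candidate = (base / requested).resolve()   # collapses '..', follows symlinks,
                                               # and an absolute 'requested' replaces base
    if candidate != base and base not in candidate.parents:
        raise TraversalError(requested)
    return candidate


def download_log_vulnerable(log_dir: str, requested: str) -> bytes:
    # What the CVE describes: the request parameter is joined straight onto the directory.
    with open(os.path.join(log_dir, requested), "rb") as fh:
        return fh.read()


def download_log_fixed(log_dir: str, requested: str) -> bytes:
    path = resolve_log_path(log_dir, requested)
    if not path.is_file():
        raise FileNotFoundError(requested)
    with open(path, "rb") as fh:
        return fh.read()


def build_fixture() -> str:
    """Constructed layout: <root>/logs/system.log, <root>/shadow, and a symlink
    <root>/logs/latest.log -> <root>/shadow (a symlink is a second way out of the directory)."""
    root = tempfile.mkdtemp()
    logs = os.path.join(root, "logs")
    os.mkdir(logs)
    Path(logs, "system.log").write_bytes(b"boot ok\n")
    Path(root, "shadow").write_bytes(b"root:$6$hash:19000:0:99999:7:::\n")
    os.symlink(os.path.join(root, "shadow"), os.path.join(logs, "latest.log"))
    return logs


def run_demo() -> dict:
    """Exercise both implementations against benign and hostile names."""
    logs = build_fixture()
    out = {"vulnerable_dotdot": download_log_vulnerable(logs, "../shadow")}
    for name in ("system.log", "../shadow", "latest.log", "/etc/hostname"):
        try:
            out[name] = download_log_fixed(logs, name)
        except TraversalError:
            out[name] = "rejected"
    return out


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name!r}: {result!r}")
```

The check compares resolved paths rather than string prefixes, so `logs/../shadow`, a symlink pointing outside, and an absolute path are all caught by the same test; a prefix comparison on the raw string would miss the first two.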
CVE-2024-22078

An issue was discovered in Elspec G5 digital fault recorder versions 1.1.4.15 and before. Privilege escalation can occur via world writable files. The network configuration script has weak filesystem permissions. This results in write access for all authenticated users and the possibility to escalate from user privileges to administrative privileges.

Published: March 20, 2024; 1:15:45 AM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-22077

An issue was discovered in Elspec G5 digital fault recorder versions 1.1.4.15 and before. The SQLite database file has weak permissions.

Published: March 20, 2024; 1:15:45 AM -0400
V3.x:(not available)
V2.0:(not available)
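Three of the Elspec entries above are file-permission faults: a world-readable shadow file (CVE-2024-22085), a world-writable network configuration script that lets any authenticated user reach administrative privileges (CVE-2024-22078), and a SQLite database with weak permissions (CVE-2024-22077). The following is an added example, not vendor code, of a permission audit over a constructed fixture that reproduces those three modes beside one correctly locked file, followed by the remediation and a re-check. File names, contents and the two policy classes ("secret" must be owner-only; "privileged" must not be writable by anyone but the owner) are assumptions for the demo.

```python
import os
import stat
import tempfile

# Bits that must be clear on a "secret" file (only the owner may read or write it).
SECRET_BITS = stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH
# Bits that must be clear on a "privileged" file (executed or consumed by a privileged process).
OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH


def audit_permissions(policies: dict) -> dict:
    """Return {basename: [problems]} for every file that violates its policy."""
    findings = {}
    for path, policy in policies.items():
        mode = stat.S_IMODE(os.stat(path).st_mode)
        problems = []
        if policy == "secret" and mode & SECRET_BITS:
            problems.append(f"readable or writable beyond the owner (mode {oct(mode)})")
        if policy == "privileged" and mode & OTHER_WRITE:
            problems.append(f"writable by group or others (mode {oct(mode)})")
        if problems:
            findings[os.path.basename(path)] = problems
    return findings


def harden(policies: dict) -> None:
    """Apply the minimal mode for each policy class."""
    for path, policy in policies.items():
        os.chmod(path, 0o600 if policy == "secret" else 0o755)


def build_fixture() -> dict:
    """Constructed files imitating the three findings plus one already-correct file."""
    root = tempfile.mkdtemp()

    def make(name: str, content: str, mode: int) -> str:
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, mode)
        return path

    return {
        make("shadow", "root:$6$hash:19000:0:99999:7:::\n", 0o644): "secret",      # world-readable
        make("netcfg.sh", "#!/bin/sh\nip addr add 10.0.0.2/24 dev eth0\n", 0o777): "privileged",  # world-writable
        make("app.db", "", 0o666): "secret",                                        # world-read/write
        make("shadow.ok", "", 0o600): "secret",                                      # correct
    }


def run_demo() -> tuple:
    """Audit, harden, audit again; returns (findings_before, findings_after)."""
    policies = build_fixture()
    before = audit_permissions(policies)
    harden(policies)
    after = audit_permissions(policies)
    return before, after


if __name__ == "__main__":
    before, after = run_demo()
    print("before:", before)
    print("after:", after)
```

On a real device the same walk would cover `/etc/shadow`, every script invoked by a root-owned service, and any database holding credentials; the interesting output is a non-empty `before` that becomes an empty `after`.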
CVE-2024-1983

The Simple Ajax Chat WordPress plugin before 20240223 does not prevent visitors from using malicious Names when using the chat, which will be reflected unsanitized to other users.

Published: March 20, 2024; 1:15:45 AM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-0856

The Appointment Booking Calendar WordPress plugin before 1.3.83 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks such as adding a booking to the calendar without paying.

Published: March 20, 2024; 1:15:45 AM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-0337

The Travelpayouts: All Travel Brands in One Place WordPress plugin through 1.1.15 is vulnerable to Open Redirect due to insufficient validation on the travelpayouts_redirect variable. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.

Published: March 20, 2024; 1:15:45 AM -0400
V3.x:(not available)
V2.0:(not available)
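The open redirect in CVE-2024-0337 comes from trusting a redirect parameter as supplied. Below is an added example, not the plugin's code, of a validator that accepts only site-relative paths or absolute `http(s)` URLs whose host exactly matches the site, and rejects the usual bypasses (protocol-relative `//host`, backslashes, `javascript:`, look-alike hosts, credentials in the authority). The parameter name, the site hostname `example.com` and the fallback target are assumptions.

```python
from urllib.parse import urlparse

SITE_HOST = "example.com"   # assumed hostname of the site performing the redirect


def is_safe_redirect(target: str, site_host: str = SITE_HOST) -> bool:
    """True only for a site-relative path or an http(s) URL on our own host."""
    if not target or any(ord(ch) < 0x20 for ch in target):
        return False                       # empty or contains control characters
    if "\\" in target or target.startswith("//"):
        return False                       # browsers turn '\' into '/' and '//host' into a new origin
    parts = urlparse(target)
    if parts.scheme == "" and parts.netloc == "":
        return target.startswith("/")      # relative: require a leading slash, not 'evil.com/x'
    if parts.scheme not in ("http", "https"):
        return False                       # javascript:, data:, and friends
    host = (parts.hostname or "").lower()  # hostname strips userinfo and port
    return host == site_host.lower()


def redirect_target(requested: str, fallback: str = "/") -> str:
    """What the handler should send in the Location header."""
    return requested if is_safe_redirect(requested) else fallback


if __name__ == "__main__":
    for candidate in ("/account", "https://example.com/account", "https://evil.com",
                      "//evil.com", "javascript:alert(1)", "https://example.com.evil.com/",
                      "https://example.com@evil.com/", "/\\evil.com"):
        print(f"{candidate!r:40} -> {redirect_target(candidate)!r}")
```

The allow-list is deliberately strict: a bare relative name such as `dashboard` is refused because the same string, once a `//` or scheme sneaks in front of it, becomes an absolute URL; callers that need it can prefix `/` themselves.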
CVE-2023-7246

The System Dashboard WordPress plugin before 2.8.10 does not sanitize and escape some parameters, which could allow administrators in multisite WordPress configurations to perform Cross-Site Scripting attacks.

Published: March 20, 2024; 1:15:45 AM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-2671

A vulnerability was found in Campcodes Online Job Finder System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin/user/index.php. The manipulation of the argument id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-257371.

Published: March 20, 2024; 12:15:11 AM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-2670

A vulnerability was found in Campcodes Online Job Finder System 1.0. It has been classified as critical. Affected is an unknown function of the file /admin/vacancy/index.php. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-257370 is the identifier assigned to this vulnerability.

Published: March 20, 2024; 12:15:11 AM -0400
V3.x:(not available)
V2.0:(not available)
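Both Campcodes entries above (CVE-2024-2671 and CVE-2024-2670) are SQL injection through an `id` argument. The following is an added example, not the application's PHP, that builds a small SQLite table, shows the string-spliced query returning every row and even the password-hash column on attacker-chosen input, and the parameterised version that refuses the same input. Table layout, usernames and hash strings are constructed for the demo.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "admin", "$2y$10$adminhash"),
        (2, "alice", "$2y$10$alicehash"),
        (3, "bob", "$2y$10$bobhash"),
    ])
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    # The request parameter is spliced straight into the statement text.
    sql = f"SELECT id, username FROM users WHERE id = {user_id}"
    return conn.execute(sql).fetchall()


def lookup_user_fixed(conn: sqlite3.Connection, user_id: str) -> list:
    # Validate the type first, then let the driver bind the value as data, never as SQL.
    try:
        uid = int(user_id)
    except ValueError:
        return []
    return conn.execute("SELECT id, username FROM users WHERE id = ?", (uid,)).fetchall()


# Constructed attacker inputs for the id parameter.
TAUTOLOGY = "0 OR 1=1"
UNION_DUMP = "0 UNION SELECT id, password_hash FROM users"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tautology:", lookup_user_vulnerable(db, TAUTOLOGY))
    print("vulnerable, union dump:", lookup_user_vulnerable(db, UNION_DUMP))
    print("fixed, tautology:", lookup_user_fixed(db, TAUTOLOGY))
    print("fixed, id=2:", lookup_user_fixed(db, "2"))
```

The `int()` cast is not the defence on its own; the placeholder is. The cast just keeps non-numeric garbage from ever reaching the database, which also makes the rejected requests easy to spot in logs.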
CVE-2024-2255

The Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 4.5.2 due to insufficient input sanitization and output escaping on user supplied attributes such as listStyle. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published: March 20, 2024; 12:15:10 AM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-22258

Spring Authorization Server versions 1.0.0 - 1.0.5, 1.1.0 - 1.1.5, 1.2.0 - 1.2.2 and older unsupported versions are susceptible to a PKCE Downgrade Attack for Confidential Clients. Specifically, an application is vulnerable when a Confidential Client uses PKCE for the Authorization Code Grant. An application is not vulnerable when a Public Client uses PKCE for the Authorization Code Grant.

Published: March 20, 2024; 12:15:08 AM -0400
V3.x:(not available)
V2.0:(not available)
CVE-2024-2460

The GamiPress – Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gamipress_button' shortcode in all versions up to, and including, 1.0.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Published: March 19, 2024; 11:15:08 PM -0400
V3.x:(not available)
V2.0:(not available)
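The Weglot (CVE-2024-2124), Essential Blocks (CVE-2024-2255) and GamiPress Button (CVE-2024-2460) entries share one pattern: a contributor-supplied block or shortcode attribute such as `className` is written into an HTML attribute with neither sanitization nor escaping. The following is an added example, not any of those plugins' PHP, showing the vulnerable rendering, the minimal fix (attribute-context escaping, which alone keeps the value inside the quotes), and the fuller fix that also reduces the value to an allow-list of class-name tokens. The element, the payload and the token grammar are assumptions for the demo.

```python
import html
import re

# Assumed grammar for one CSS class token; anything else is dropped.
_TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")

# Constructed contributor-supplied attribute value that closes the quote and adds a handler.
PAYLOAD = '" onmouseover="alert(1)'


def render_block_vulnerable(class_name: str, label: str) -> str:
    # The attribute is emitted exactly as supplied; only the text node is escaped.
    return f'<button class="{class_name}">{html.escape(label)}</button>'


def render_block_escaped(class_name: str, label: str) -> str:
    # Output escaping only: quote=True turns '"' into '&quot;', so the value cannot
    # terminate the attribute, whatever it contains.
    return f'<button class="{html.escape(class_name, quote=True)}">{html.escape(label)}</button>'


def sanitize_class_name(class_name: str) -> str:
    """Input sanitization: keep only whitespace-separated tokens that look like class names."""
    return " ".join(tok for tok in class_name.split() if _TOKEN_RE.fullmatch(tok))


def render_block_fixed(class_name: str, label: str) -> str:
    # Both layers: sanitize on the way in, escape on the way out.
    safe_class = html.escape(sanitize_class_name(class_name), quote=True)
    return f'<button class="{safe_class}">{html.escape(label)}</button>'


if __name__ == "__main__":
    print(render_block_vulnerable(PAYLOAD, "Go"))
    print(render_block_escaped(PAYLOAD, "Go"))
    print(render_block_fixed(PAYLOAD, "Go"))
    print(render_block_fixed("btn btn-primary", "Go"))
```

Escaping is the non-negotiable layer because it is correct for the attribute context no matter what the input is; the allow-list is the second line of defence and also keeps junk out of the stored block data, which matters once the same attribute is reused by other renderers.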
CVE-2024-2384

The WooCommerce POS plugin for WordPress is vulnerable to information disclosure in all versions up to, and including, 1.4.11. This is due to the plugin not properly verifying the authentication and authorization of the current user. This makes it possible for authenticated attackers, with customer-level access and above, to view potentially sensitive information about other users by leveraging their order id.

Published: March 19, 2024; 11:15:08 PM -0400
V3.x:(not available)
V2.0:(not available)