Auto Dealer Management System v1.0 was discovered to contain a SQL injection vulnerability.

AM Presencia v3.7.3 was discovered to contain a SQL injection vulnerability via the user parameter in the login form.

lmxcms v1.4.1 was discovered to contain a SQL injection vulnerability via the setbook parameter at index.php.

bloofox v0.5.2 was discovered to contain an arbitrary file deletion vulnerability via the delete_file() function.

The SlingRequestDispatcher doesn't correctly implement the RequestDispatcher API resulting in a generic type of include-based cross-site scripting issues on the Apache Sling level. The vulnerability is exploitable by an attacker that is able to include a resource with specific content-type and control the include path (i.e. writing content). The impact of a successful attack is privilege escalation to administrative power. Please update to Apache Sling Engine >= 2.14.0 and enable the "Check Content-Type overrides" configuration option.

Memory corruption due to buffer copy without checking the size of input in modem while decoding raw SMS received.

memory corruption in modem due to improper check while calculating size of serialized CoAP message

Memory corruption in modem due to improper input validation while handling the incoming CoAP message

Memory corruption in modem due to buffer overwrite while building an IPv6 multicast address based on the MAC address of the iface

Memory correction in modem due to buffer overwrite during coap connection

An issue in WooCommerce Payments plugin for WordPress (versions 5.6.1 and lower) allows an unauthenticated attacker to send requests on behalf of an elevated user, like administrator. This allows a remote, unauthenticated attacker to gain admin access on a site that has the affected version of the plugin activated.

TightVNC before v2.8.75 allows attackers to escalate privileges on the host operating system via replacing legitimate files with crafted files when executing a file transfer. This is due to the fact that TightVNC runs in the backend as a high-privileges account.

Prestashop advancedpopupcreator v1.1.21 to v1.1.24 was discovered to contain a SQL injection vulnerability via the component AdvancedPopup::getPopups().

Some Hikvision Hybrid SAN/Cluster Storage products have an access control vulnerability which can be used to obtain the admin permission. The attacker can exploit the vulnerability by sending crafted messages to the affected devices.

Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability

Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability

A vulnerability classified as critical was found in SourceCodester Complaint Management System 1.0. This vulnerability affects unknown code of the file /users/check_availability.php of the component POST Parameter Handler. The manipulation of the argument email leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-225532.

File Upload vulnerability found in Milken DoyoCMS v.2.3 allows a remote attacker to execute arbitrary code via the upload file type parameter.

A vulnerability was found in SourceCodester Sales Tracker Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /admin/products/manage_product.php of the component GET Parameter Handler. The manipulation of the argument id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-225530 is the identifier assigned to this vulnerability.

A missing authentication for critical function vulnerability [CWE-306] in FortiPresence infrastructure server before version 1.2.1 allows a remote, unauthenticated attacker to access the Redis and MongoDB instances via crafted authentication requests.