| CVE | Vendors | Products | Updated | CVSS v3.1 |
| Improper Control of Interaction Frequency vulnerability in MIA Technology Inc. Pizzy Library allows Flooding. This issue affects Pizzy Library: from 1.0.0.26250 before 1.3.9.26250. |
| Improper neutralization of formula elements in a CSV file vulnerability in MIA Technology Inc. Pizzy Library allows Code Injection. This issue affects Pizzy Library: from 1.0.0.26250 before 1.3.9.26250. |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in WP Engine Faust.Js allows Password Recovery Exploitation. This issue affects Faust.Js: from n/a through 1.8.7. |
| Insertion of Sensitive Information Into Sent Data vulnerability in Stiofan GetPaid allows Retrieve Embedded Sensitive Data. This issue affects GetPaid: from n/a through 2.8.49. |
| Impact: multer versions 1.0.0 through 2.1.1 and 3.0.0-alpha.1 are vulnerable to a Denial of Service via deeply nested field names in multipart form data. The append-field dependency parses bracket notation in field names with no limit on nesting depth, allowing an attacker to force allocation of deeply nested object structures that consume CPU and memory. A single HTTP request with a crafted multipart body is sufficient to exploit this. Patches: Users should upgrade to multer 2.2.0 (2.x line) or 3.0.0-alpha.2 (3.x prerelease) and configure the new limits.fieldNestingDepth option to the minimum depth their application requires. Workarounds: Set limits.fields to a reasonable value to reduce the number of fields an attacker can send per request. This does not fully mitigate the issue but limits the impact. |
| Fortra BoKS Manager contains an OS command injection vulnerability in the client upgrade and patch tooling for legacy tar-based client installations. A malicious or compromised legacy tar-installed client selected for upgrade or patching may be able to cause commands to be executed on the BoKS Master during client version handling. |
| Unauthenticated Cross Site Scripting (XSS) in iRobots.txt SEO <= 1.1.2 versions. |
| Unauthenticated Cross Site Scripting (XSS) in Okay Toolkit <= 2.3 versions. |
| Unauthenticated Cross Site Scripting (XSS) in Eli's WordCents adSense Widget with Analytics <= 1.3.03.27 versions. |
| Unauthenticated Broken Access Control in User Registration <= 5.1.2 versions. |
| Unauthenticated Broken Access Control in Event Tickets Manager for WooCommerce <= 1.5.3 versions. |
| Shop manager PHP Object Injection in YayMail <= 4.3.3 versions. |
| Unauthenticated Cross Site Scripting (XSS) in Social Slider Feed <= 2.3.2 versions. |
| Unauthenticated Privilege Escalation in WP BASE Booking <= 5.9.0 versions. |
| Unauthenticated Broken Access Control in Redsys for WooCommerce Light <= 7.0.0 versions. |
| Unauthenticated Arbitrary File Deletion in Contact Form Extender for Divi – Save Entries, File Upload & Country Code Field <= 1.0.6 versions. |
| Unauthenticated Broken Access Control in Royal MCP <= 1.4.2 versions. |
| Unauthenticated Broken Access Control in WP Event Solution <= 4.1.8 versions. |
| Subscriber Broken Authentication in AutomatorWP <= 5.6.7 versions. |
| Unauthenticated Sensitive Data Exposure in Amelia <= 2.2 versions. |