Search Results (342476 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-6050 | 1 Estatik | 1 Estatik | 2025-06-03 | 6.1 Medium |
| The Estatik Real Estate Plugin WordPress plugin before 4.1.1 does not sanitise and escape various parameters and generated URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin | ||||
| CVE-2023-6049 | 1 Estatik | 1 Estatik | 2025-06-03 | 9.8 Critical |
| The Estatik Real Estate Plugin WordPress plugin before 4.1.1 unserializes user input via some of its cookies, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget chain is present on the blog | ||||
| CVE-2023-6048 | 1 Estatik | 1 Estatik | 2025-06-03 | 6.5 Medium |
| The Estatik Real Estate Plugin WordPress plugin before 4.1.1 does not prevent users with low privileges on the site, like subscribers, from setting any of the site's options to 1, which could be used to break sites and lead to DoS when certain options are reset | ||||
| CVE-2023-5691 | 1 Collect.chat | 1 Chatbot | 2025-06-03 | 4.4 Medium |
| The Chatbot for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in version 2.3.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | ||||
| CVE-2023-51804 | 1 Rymcu | 1 Forest | 2025-06-03 | 7.5 High |
| An issue in rymcu forest v.0.02 allows a remote attacker to obtain sensitive information via manipulation of the HTTP body URL in the com.rymcu.forest.web.api.common.UploadController file. | ||||
| CVE-2023-51071 | 1 Qstar | 1 Archive Storage Manager | 2025-06-03 | 6.5 Medium |
| An access control issue in QStar Archive Solutions Release RELEASE_3-0 Build 7 Patch 0 allows unauthenticated attackers to arbitrarily disable the SMB service on a victim's Qstar instance by executing a specific command in a link. | ||||
| CVE-2023-51068 | 1 Qstar | 1 Archive Storage Manager | 2025-06-03 | 5.4 Medium |
| An authenticated reflected cross-site scripting (XSS) vulnerability in QStar Archive Solutions Release RELEASE_3-0 Build 7 allows attackers to execute arbitrary javascript on a victim's browser via a crafted link. | ||||
| CVE-2023-51063 | 1 Qstar | 1 Archive Storage Manager | 2025-06-03 | 8.8 High |
| QStar Archive Solutions Release RELEASE_3-0 Build 7 Patch 0 was discovered to contain a DOM Based Reflected Cross Site Scripting (XSS) vulnerability within the component qnme-ajax?method=tree_level. | ||||
| CVE-2023-50919 | 1 Gl-inet | 24 Gl-a1300, Gl-a1300 Firmware, Gl-ar300m and 21 more | 2025-06-03 | 9.8 Critical |
| An issue was discovered on GL.iNet devices before version 4.5.0. There is an NGINX authentication bypass via Lua string pattern matching. This affects A1300 4.4.6, AX1800 4.4.6, AXT1800 4.4.6, MT3000 4.4.6, MT2500 4.4.6, MT6000 4.5.0, MT1300 4.3.7, MT300N-V2 4.3.7, AR750S 4.3.7, AR750 4.3.7, AR300M 4.3.7, and B1300 4.3.7. | ||||
| CVE-2023-50440 | 1 Primx | 3 Zed!, Zedmail, Zonecentral | 2025-06-03 | 5.5 Medium |
| ZED containers produced by PRIMX ZED! for Windows before Q.2020.3 (ANSSI qualification submission); ZED! for Windows before Q.2021.2 (ANSSI qualification submission); ZONECENTRAL for Windows before Q.2021.2 (ANSSI qualification submission); ZONECENTRAL for Windows before 2023.5; ZEDMAIL for Windows before 2023.5; ZED! for Windows, Mac, Linux before 2023.5; ZEDFREE for Windows, Mac, Linux before 2023.5; or ZEDPRO for Windows, Mac, Linux before 2023.5 can be modified by an unauthenticated attacker to include a UNC reference so that it could trigger network access to an attacker-controlled computer when opened by the victim. | ||||
| CVE-2023-50072 | 1 Openkm | 1 Openkm | 2025-06-03 | 5.4 Medium |
| A Stored Cross-Site Scripting (XSS) vulnerability exists in OpenKM version 7.1.40 (dbb6e88) with Professional Extension that allows an authenticated user to upload a note on a file which acts as a stored XSS payload. Any user who opens the note of a document file will trigger the XSS. | ||||
| CVE-2023-4960 | 1 Wclovers | 1 Wcfm Marketplace | 2025-06-03 | 6.4 Medium |
| The WCFM Marketplace plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'wcfm_stores' shortcode in versions up to, and including, 3.6.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2023-4248 | 1 Givewp | 1 Givewp | 2025-06-03 | 5.4 Medium |
| The GiveWP plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.33.3. This is due to missing or incorrect nonce validation on the give_stripe_disconnect_connect_stripe_account function. This makes it possible for unauthenticated attackers to deactivate the plugin's stripe integration settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2023-49262 | 1 Hongdian | 2 H8951-4g-esp, H8951-4g-esp Firmware | 2025-06-03 | 9.8 Critical |
| The authentication mechanism can be bypassed by overflowing the value of the Cookie "authentication" field, provided there is an active user session. | ||||
| CVE-2023-49260 | 1 Hongdian | 2 H8951-4g-esp, H8951-4g-esp Firmware | 2025-06-03 | 6.1 Medium |
| An XSS attack can be performed by changing the MOTD banner and pointing the victim to the "terminal_tool.cgi" path. It can be used together with the vulnerability CVE-2023-49255. | ||||
| CVE-2023-49258 | 1 Hongdian | 2 H8951-4g-esp, H8951-4g-esp Firmware | 2025-06-03 | 6.1 Medium |
| A user's browser may be forced to execute JavaScript and pass the authentication cookie to the attacker leveraging the XSS vulnerability located at "/gui/terminal_tool.cgi" in the "data" parameter. | ||||
| CVE-2023-49255 | 1 Hongdian | 2 H8951-4g-esp, H8951-4g-esp Firmware | 2025-06-03 | 9.8 Critical |
| The router console is accessible without authentication at "data" field, and while a user needs to be logged in in order to modify the configuration, the session state is shared. If any other user is currently logged in, the anonymous user can execute commands in the context of the authenticated one. If the logged in user has administrative privileges, it is possible to use webadmin service configuration commands to create a new admin user with a chosen password. | ||||
| CVE-2023-47460 | 1 Knovos | 1 Discovery | 2025-06-03 | 8.8 High |
| SQL injection vulnerability in Knovos Discovery v.22.67.0 allows a remote attacker to execute arbitrary code via the /DiscoveryProcess/Service/Admin.svc/getGridColumnStructure component. | ||||
| CVE-2023-46942 | 1 Evershop | 1 Evershop | 2025-06-03 | 7.5 High |
| Lack of authentication in NPM's package @evershop/evershop before version 1.0.0-rc.8, allows remote attackers to obtain sensitive information via improper authorization in GraphQL endpoints. | ||||
| CVE-2023-43449 | 1 Hummerrisk | 1 Hummerrisk | 2025-06-03 | 8.8 High |
| An issue in HummerRisk HummerRisk v.1.10 thru 1.4.1 allows an authenticated attacker to execute arbitrary code via a crafted request to the service/LicenseService component. | ||||