| CVE | Vendors | Products | Updated | CVSS v3.1 |
| The Download Manager plugin for WordPress is vulnerable to unauthorized access of sensitive information in all versions up to, and including, 3.3.32. This is due to missing authorization and capability checks on the `wpdm_media_access` AJAX action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve passwords and access control settings for protected media attachments, which can then be used to bypass the intended media protection and download restricted files. |
| The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'events_list_grouped' shortcode in all versions up to, and including, 7.2.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| Authorization Bypass Through User-Controlled Key vulnerability in codepeople Contact Form Email contact-form-to-email allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Contact Form Email: from n/a through <= 1.3.60. |
| Authorization Bypass Through User-Controlled Key vulnerability in GG Soft Software Services Inc. PaperWork allows Exploitation of Trusted Identifiers. This issue affects PaperWork: from 5.2.0.9427 before 6.0. |
| Bio.Entrez in Biopython through 186 allows doctype XXE. |
| Freedombox before 25.17.1 does not set proper permissions for the backups-data directory, allowing the reading of dump files of databases. |
| RG - AP180, Indoor Wall Plate Wireless AP AP180 series provided by Ruijie Networks Co., Ltd. contain an OS command injection vulnerability. An arbitrary OS command may be executed on the product by an attacker who logs in to the CLI service. |
| Memory Corruption when processing IOCTLs for JPEG data without verification. |
| Memory corruption while loading an invalid firmware in boot loader. |
| Memory Corruption when a corrupted ELF image with an oversized file size is read into a buffer without authentication. |
| Memory corruption while handling concurrent memory mapping and unmapping requests from a user-space application. |
| Information disclosure while processing system calls with invalid parameters. |
| Memory corruption while routing GPR packets between user and root when handling large data packet. |
| Memory corruption while handling IOCTL calls to set mode. |
| Memory corruption while copying packets received from unix clients. |
| Memory corruption while processing MFC channel configuration during music playback. |
| Information disclosure while exposing internal TA-to-TA communication APIs to HLOS. |
| Memory corruption during video playback when video session open fails with time out error. |
| Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-Scripting (XSS) vulnerability via the animate tag in an SVG document. |
| Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to an information disclosure vulnerability in the HTML style sanitizer. |