| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Jenkins Credentials Binding Plugin 720.v3f6decef43ea_ and earlier does not properly sanitize file names for file and zip file credentials, allowing attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem, which can lead to remote code execution if Jenkins is configured to allow a low-privileged user to configure file or zip file credentials used for a job running on the built-in node. |
| Improper validation of server certificates in Canon EOS Network Setting Tool Version 1.5.0 or earlier |
| Custom role Insecure Direct Object References (IDOR) in Projectopia <= 5.1.25.2 versions. |
| Subscriber Broken Access Control in Bookify <= 1.1.1 versions. |
| Use of hard-coded cryptographic keys in Canon EOS Network Setting Tool Version 1.5.0 or earlier |
| Unauthenticated Bypass Vulnerability in WpTravelly <= 2.1.7 versions. |
| Unauthenticated Broken Access Control in Event Tickets Manager for WooCommerce <= 1.5.3 versions. |
| Unauthenticated SQL Injection in Feed KuantoKusta for WooCommerce – Free <= 5.3 versions. |
| A stack-based buffer overflow vulnerability in the CGI program of Zyxel GS1900-48HPv2 firmware versions through 2.90(ABTQ.1)C0 could allow a LAN-based, unauthenticated attacker to exploit the flaw and potentially execute OS commands via a crafted HTTP request. |
| The Abandoned Contact Form 7 plugin for WordPress is vulnerable to unauthorized arbitrary post deletion in versions up to, and including, 2.2. This is due to a missing capability check and missing nonce validation in the action__remove_abandoned() function, which is registered to both the wp_ajax_remove_abandoned and wp_ajax_nopriv_remove_abandoned hooks. The handler takes a user-supplied recover_id parameter from $_POST and passes it directly to wp_delete_post() with the force-delete flag set to true, without verifying that the ID belongs to the plugin's own cf7af_data post type. This makes it possible for unauthenticated attackers to permanently delete arbitrary posts, pages, or other content on the affected site by sending a single admin-ajax. |
| Editor Remote Code Execution (RCE) in Responsive Slider by MetaSlider <= 3.106.0 versions. |
| Contributor PHP Object Injection in Anti-Malware Security and Brute-Force Firewall <= 4.23.87 versions. |
| Unauthenticated SQL Injection in GeekyBot <= 1.2.0 versions. |
| Unauthenticated SQL Injection in Simply Schedule Appointments <= 1.6.9.27 versions. |
| Unauthenticated SQL Injection in WP Photo Album Plus <= 9.1.08.001 versions. |
| Unauthenticated Broken Access Control in AWP Classifieds <= 4.4.4 versions. |
| Unauthenticated Privilege Escalation in WP BASE Booking <= 5.9.0 versions. |
| Unauthenticated Broken Access Control in Tutor LMS <= 3.9.7 versions. |
| Unauthenticated SQL Injection in Contest Gallery <= 28.1.6 versions. |
| Contributor Arbitrary File Deletion in Link Library <= 7.8.8 versions. |
