The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
ID | Description | Priority | Modified date |
---|---|---|---|
CVE-2020-20347 | WTCMS 1.0 contains a stored cross-site scripting (XSS) vulnerability in the source field under the article management module. | LOW | Sep 2, 2021 |
CVE-2018-10267 | WTCMS 1.0 has a CSRF vulnerability to add an administrator account via the index.php?admin&m=user&a=add_post URI. | MEDIUM | Apr 21, 2018 |
CVE-2019-15716 | WTF before 0.19.0 does not set the permissions of config.yml, which might make it easier for local attackers to read passwords or API keys if the permissions were misconfigured or were based on unsafe OS defaults. | LOW | Sep 4, 2019 |
CVE-2017-17821 | WTF/wtf/FastBitVector.h in WebKit, as distributed in Safari Technology Preview Release 46, allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact because it calls the FastBitVectorWordOwner::resizeSlow function (in WTF/wtf/FastBitVector.cpp) for a purpose other than initializing a bitvector size, and resizeSlow mishandles cases where the old array length is greater than the new array length. | HIGH | Dec 20, 2017 |
CVE-2019-14276 | WUSTL XNAT 1.7.5.3 allows XXE attacks via a POST request body. | MEDIUM | Oct 30, 2019 |
CVE-2018-20572 | WUZHI CMS 4.1.0 allows coreframe/app/coupon/admin/copyfrom.php SQL injection via the index.php?m=promote&f=index&v=search keywords parameter, a related issue to CVE-2018-15893. | HIGH | Dec 28, 2018 |
CVE-2018-10313 | WUZHI CMS 4.1.0 allows persistent XSS via the form%5Bqq_10%5D parameter to the /index.php?m=member&f=index&v=profile&set_iframe=1 URI. | LOW | Apr 23, 2018 |
CVE-2018-11722 | WUZHI CMS 4.1.0 has a SQL Injection in api/uc.php via the 'code' parameter, because 'UC_KEY' is hard coded. | HIGH | Jun 5, 2018 |
CVE-2018-11528 | WUZHI CMS 4.1.0 has SQL Injection via an api/sms_check.php?param= URI. | HIGH | May 29, 2018 |
CVE-2018-17426 | WUZHI CMS 4.1.0 has stored XSS via the "Extension module" "SMS in station" field under the index.php?m=core URI. | LOW | Mar 22, 2019 |
CVE-2018-17425 | WUZHI CMS 4.1.0 has stored XSS via the "Membership Center" "I want to ask" "detailed description" field under the index.php?m=member URI. | LOW | Mar 22, 2019 |
CVE-2018-16350 | WUZHI CMS 4.1.0 has XSS via the index.php?m=core&f=set&v=basic form[statcode] parameter. | MEDIUM | Sep 2, 2018 |
CVE-2018-16349 | WUZHI CMS 4.1.0 has XSS via the index.php?m=link&f=index&v=add form[remark] parameter. | MEDIUM | Sep 2, 2018 |
CVE-2023-31860 | Wuzhi CMS v3.1.2 has a storage type XSS vulnerability in the backend of the Five Finger CMS b2b system. | -- | May 23, 2023 |
CVE-2020-20122 | Wuzhi CMS v4.1 contains a SQL injection vulnerability in the checktitle() function in /coreframe/app/content/admin/content.php. | HIGH | Oct 6, 2021 |
CVE-2020-20124 | Wuzhi CMS v4.1.0 contains a remote code execution (RCE) vulnerability in \attachment\admin\index.php. | MEDIUM | Oct 6, 2021 |
CVE-2023-30123 | wuzhicms v4.1.0 is vulnerable to Cross Site Scripting (XSS) in the Member Center, Account Settings. | -- | Apr 28, 2023 |
CVE-2023-52064 | Wuzhicms v4.1.0 was discovered to contain a SQL injection vulnerability via the $keywords parameter at /core/admin/copyfrom.php. | -- | Jan 11, 2024 |
CVE-2022-27431 | Wuzhicms v4.1.0 was discovered to contain a SQL injection vulnerability via the groupid parameter at /coreframe/app/member/admin/group.php. | HIGH | May 4, 2022 |
CVE-2023-30860 | WWBN AVideo is an open source video platform. In AVideo prior to version 12.4, a normal user can make a Meeting Schedule where the user can invite another user to that Meeting, but it does not properly sanitize malicious characters when creating a Meeting Room. This allows an attacker to insert malicious scripts. Since any USER, including the ADMIN, can see the meeting room that was created by the attacker, this can lead to cookie hijacking and takeover of any account. Version 12.4 contains a patch for this issue. | -- | May 9, 2023 |
CVE-2023-32073 | WWBN AVideo is an open source video platform. In versions 12.4 and prior, a command injection vulnerability exists at `plugin/CloneSite/cloneClient.json.php` which allows Remote Code Execution if you use the CloneSite Plugin. This is a bypass of the fix for CVE-2023-30854, which affects WWBN AVideo up to version 12.3. This issue is patched in commit 1df4af01f80d56ff2c4c43b89d0bac151e7fb6e3. | -- | May 12, 2023 |
CVE-2017-8110 | www.modified-shop.org modified eCommerce Shopsoftware 2.0.2.2 rev 10690 has XXE in api/it-recht-kanzlei/api-it-recht-kanzlei.php. | HIGH | May 5, 2017 |
CVE-2019-17199 | www/getfile.php in WPO WebPageTest 19.04 on Windows allows Directory Traversal (for reading arbitrary files) because of an unanchored regular expression, as demonstrated by the a.jpg\.. substring. | MEDIUM | Oct 10, 2019 |
CVE-2018-18635 | www/guis/admin/application/controllers/UserController.php in the administration login interface in MailCleaner CE 2018.08 and 2018.09 allows XSS via the admin/login/user/message/ PATH_INFO. | MEDIUM | Oct 24, 2018 |
CVE-2019-7313 | www/resource.py in Buildbot before 1.8.1 allows CRLF injection in the Location header of /auth/login and /auth/logout via the redirect parameter. This affects other web sites in the same domain. | MEDIUM | Feb 6, 2019 |
CVE-2018-20323 | www/soap/application/MCSoap/Logs.php in MailCleaner Community Edition 2018.08 allows remote attackers to execute arbitrary OS commands. | HIGH | Mar 28, 2019 |
CVE-2018-13439 | WXPayUtil in WeChat Pay Java SDK allows XXE attacks involving a merchant notification URL. | MEDIUM | Jul 8, 2018 |
CVE-2022-23157 | Wyse Device Agent version 14.6.1.4 and below contain a sensitive data exposure vulnerability. An authenticated malicious user could potentially exploit this vulnerability in order to view sensitive information from the WMS Server. | LOW | Apr 2, 2022 |
CVE-2022-23158 | Wyse Device Agent version 14.6.1.4 and below contain a sensitive data exposure vulnerability. A local authenticated user with standard privilege could potentially exploit this vulnerability by providing incorrect port information and get connected to a valid WMS server. | LOW | Apr 2, 2022 |
CVE-2022-23156 | Wyse Device Agent version 14.6.1.4 and below contain an Improper Authentication vulnerability. A malicious user could potentially exploit this vulnerability by providing invalid input in order to obtain a connection to WMS server. | MEDIUM | Apr 2, 2022 |
CVE-2021-36336 | Wyse Management Suite 3.3.1 and below versions contain a deserialization vulnerability that could allow an unauthenticated attacker to execute code on the affected system. | HIGH | Dec 21, 2021 |
CVE-2021-21586 | Wyse Management Suite versions 3.2 and earlier contain an absolute path traversal vulnerability. A remote authenticated malicious user could exploit this vulnerability in order to read arbitrary files on the system. | MEDIUM | Jul 15, 2021 |
CVE-2021-21533 | Wyse Management Suite versions up to 3.2 contain a vulnerability wherein a malicious authenticated user can cause a denial of service in the job status retrieval page, also affecting other users that would normally have access to the same subset of job details. | MEDIUM | Apr 3, 2021 |
CVE-2014-2079 | X File Explorer (aka xfe) might allow local users to bypass intended access restrictions and gain access to arbitrary files by leveraging failure to use directory masks when creating files on Samba and NFS shares. | LOW | Jul 16, 2018 |
CVE-2017-15285 | X-Cart 5.2.23, 5.3.1.9, 5.3.2.13, and 5.3.3 is vulnerable to Remote Code Execution. This vulnerability exists because the application fails to check remote file extensions before saving locally. This vulnerability can be exploited by anyone with Vendor access or higher. One attack methodology is to upload an image file in the Attachments section of a product catalog, upload a .php file with an Add File Via URL action, and change the image's Description URL to reference the .php URL in the attachments/ directory. | MEDIUM | Oct 12, 2017 |
CVE-2019-7220 | X-Cart V5 is vulnerable to XSS via the CategoryFilter2 parameter. | MEDIUM | Jun 10, 2019 |
CVE-2022-46021 | X-Man 1.0 has a SQL injection vulnerability, which can cause data leakage. | -- | Apr 1, 2023 |
CVE-2017-8450 | X-Pack 5.1.1 did not properly apply document and field level security to multi-search and multi-get requests so users without access to a document and/or field may have been able to access this information. | MEDIUM | Jun 16, 2017 |
CVE-2018-3824 | X-Pack Machine Learning versions before 6.2.4 and 5.6.9 had a cross-site scripting (XSS) vulnerability. If an attacker is able to inject data into an index that has a ML job running against it, then when another user views the results of the ML job it could allow the attacker to obtain sensitive information from or perform destructive actions on behalf of that other ML user. | MEDIUM | Sep 19, 2018 |
CVE-2018-3823 | X-Pack Machine Learning versions before 6.2.4 and 5.6.9 had a cross-site scripting (XSS) vulnerability. Users with manage_ml permissions could create jobs containing malicious data as part of their configuration that could allow the attacker to obtain sensitive information from or perform destructive actions on behalf of other ML users viewing the results of the jobs. | LOW | Sep 19, 2018 |
CVE-2017-8449 | X-Pack Security 5.2.x would allow access to more fields than the user should have seen if the field level security rules used a mix of grant and exclude rules when merging multiple rules with field level security rules for the same index. | MEDIUM | Jun 16, 2017 |
CVE-2018-3822 | X-Pack Security versions 6.2.0, 6.2.1, and 6.2.2 are vulnerable to a user impersonation attack via incorrect XML canonicalization and DOM traversal. An attacker might have been able to impersonate a legitimate user if the SAML Identity Provider allows for self registration with arbitrary identifiers and the attacker can register an account with an identifier that shares a suffix with a legitimate account. Both of those conditions must be true in order to exploit this flaw. | HIGH | Mar 30, 2018 |
CVE-2019-19605 | X-Plane before 11.41 allows Arbitrary Memory Write via crafted network packets, which could cause a denial of service or arbitrary code execution. | HIGH | Apr 1, 2020 |
CVE-2019-19606 | X-Plane before 11.41 has multiple improper path validations that could allow reading and writing files from/to arbitrary paths (or a leak of OS credentials to a remote system) via crafted network packets. This could be used to execute arbitrary commands on the system. | HIGH | Apr 1, 2020 |
CVE-2020-7922 | X.509 certificates generated by the MongoDB Enterprise Kubernetes Operator may allow an attacker with access to the Kubernetes cluster improper access to MongoDB instances. Customers who do not use X.509 authentication, and those who do not use the Operator to generate their X.509 certificates are unaffected. This issue affects MongoDB Enterprise Kubernetes Operator version 1.0, MongoDB Enterprise Kubernetes Operator version 1.1, MongoDB Enterprise Kubernetes Operator version 1.2 versions prior to 1.2.4, MongoDB Enterprise Kubernetes Operator version 1.3 versions prior to 1.3.1, 1.2, 1.4 versions prior to 1.4.4. | MEDIUM | Apr 9, 2020 |
CVE-2016-7946 | X.org libXi before 1.7.7 allows remote X servers to cause a denial of service (infinite loop) via vectors involving length fields. | MEDIUM | Dec 13, 2016 |
CVE-2016-7948 | X.org libXrandr before 1.5.1 allows remote X servers to trigger out-of-bounds write operations by leveraging mishandling of reply data. | HIGH | Dec 13, 2016 |
CVE-2016-7952 | X.org libXtst before 1.2.3 allows remote X servers to cause a denial of service (infinite loop) via a reply in the (1) XRecordStartOfData, (2) XRecordEndOfData, or (3) XRecordClientDied category without a client sequence and with attached data. | MEDIUM | Dec 13, 2016 |
CVE-2022-30636 | x/crypto/acme/autocert: httpTokenCacheKey allows limited directory traversal on windows | -- | May 27, 2022 |
CVE-2022-23604 | x26-Cogs is a repository of cogs made by Twentysix for the Red Discord bot. Among these cogs is the Defender cog, a tool for Discord server moderation. A vulnerability in the Defender cog prior to version 1.10.0 allows users with admin privileges to issue commands as other users who share the same server. If a bot owner shares the same server as the attacker, it is possible for the attacker to issue bot-owner restricted commands. The issue has been patched in version 1.10.0. One may unload the Defender cog as a workaround. | MEDIUM | Feb 15, 2022 |