The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
ID | Description | Priority | Modified date | Fixed Release |
---|---|---|---|---|
CVE-2020-15569 | PlayerGeneric.cpp in MilkyTracker through 1.02.00 has a use-after-free in the PlayerGeneric destructor. | MEDIUM | Jul 6, 2020 | n/a |
CVE-2020-24227 | Playground Sessions v2.5.582 (and earlier) for Windows, stores the user credentials in plain text allowing anyone with access to UserProfiles.sol to extract the email and password. | MEDIUM | Nov 23, 2020 | n/a |
CVE-2017-9080 | PlaySMS 1.4 allows remote code execution because PHP code in the name of an uploaded .php file is executed. sendfromfile.php has a combination of Unrestricted File Upload and Code Injection. | HIGH | May 19, 2017 | n/a |
CVE-2020-8644 | PlaySMS before 1.4.3 does not sanitize inputs from a malicious string. | HIGH | Feb 7, 2020 | n/a |
CVE-2021-40373 | playSMS before 1.4.5 allows Arbitrary Code Execution by entering PHP code at the #tabs-information-page of core_main_config, and then executing that code via the index.php?app=main&inc=core_welcome URI. | HIGH | Sep 10, 2021 | n/a |
CVE-2018-18387 | playSMS through 1.4.2 allows Privilege Escalation through Daemon abuse. | HIGH | Oct 29, 2018 | n/a |
CVE-2020-15018 | playSMS through 1.4.3 is vulnerable to session fixation. | MEDIUM | Jun 24, 2020 | n/a |
CVE-2018-6547 | plays_service.exe in the plays.tv service before 1.27.7.0, as distributed in AMD driver-installation packages and Gaming Evolved products, contains an HTTP message parsing function that takes a user-defined path and writes non-user controlled data as SYSTEM to the file when the extract_files parameter is used. This occurs without properly authenticating the user. | HIGH | Apr 13, 2018 | n/a |
CVE-2018-6546 | plays_service.exe in the plays.tv service before 1.27.7.0, as distributed in AMD driver-installation packages and Gaming Evolved products, executes code at a user-defined (local or SMB) path as SYSTEM when the execute_installer parameter is used in an HTTP message. This occurs without properly authenticating the user. | HIGH | Apr 18, 2018 | n/a |
CVE-2020-13792 | PlayTube 1.8 allows disclosure of user details via ajax.php?type=../admin-panel/autoload&page=manage-users directory traversal, aka local file inclusion. | MEDIUM | Jun 4, 2020 | n/a |
CVE-2021-42705 | PLC Editor versions 1.3.8 and prior are vulnerable to a stack-based buffer overflow while processing project files, which may allow an attacker to execute arbitrary code. | MEDIUM | Nov 23, 2021 | n/a |
CVE-2021-42707 | PLC Editor versions 1.3.8 and prior are vulnerable to an out-of-bounds write while processing project files, which may allow an attacker to execute arbitrary code. | MEDIUM | Nov 23, 2021 | n/a |
CVE-2020-12497 | PLCopen XML file parsing in Phoenix Contact PC Worx and PC Worx Express version 1.87 and earlier can lead to a stack-based overflow. Manipulated PC Worx projects could lead to a remote code execution due to insufficient input data validation. | MEDIUM | Jul 1, 2020 | n/a |
CVE-2023-34439 | Pleasanter 1.3.47.0 and earlier contains a stored cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed on the user's web browser. | -- | Dec 6, 2023 | n/a |
CVE-2023-45210 | Pleasanter 1.3.47.0 and earlier contains an improper access control vulnerability, which may allow a remote authenticated attacker to view the temporary files uploaded by other users who are not permitted to access. | -- | Dec 6, 2023 | n/a |
CVE-2024-21584 | Pleasanter 1.3.49.0 and earlier contains a cross-site scripting vulnerability. If an attacker tricks the user to access the product with a specially crafted URL and perform a specific operation, an arbitrary script may be executed on the web browser of the user. | -- | Mar 12, 2024 | n/a |
CVE-2023-46277 | please (aka pleaser) through 0.5.4 allows privilege escalation through the TIOCSTI and/or TIOCLINUX ioctl. (If both TIOCSTI and TIOCLINUX are disabled, this cannot be exploited.) | -- | Oct 20, 2023 | n/a |
CVE-2021-31153 | please before 0.4 allows a local unprivileged attacker to gain knowledge about the existence of files or directories in privileged locations via the search_path function, the --check option, or the -d option. | LOW | May 27, 2021 | n/a |
CVE-2021-31154 | pleaseedit in please before 0.4 uses predictable temporary filenames in /tmp and the target directory. This allows a local attacker to gain full root privileges by staging a symlink attack. | HIGH | May 27, 2021 | n/a |
CVE-2023-0829 | Plesk 17.0 through 18.0.31 is vulnerable to cross-site scripting. A malicious subscription owner (either a customer or an additional user) can fully compromise the server if an administrator visits a certain page in Plesk related to the malicious subscription. | -- | Sep 20, 2023 | n/a |
CVE-2021-45007 | Plesk 18.0.37 is affected by a Cross Site Request Forgery (CSRF) vulnerability that allows an attacker to insert data on the user and admin panel. NOTE: the vendor states that this is only a site-specific problem on websites of one or more Plesk users | MEDIUM | Feb 20, 2022 | n/a |
CVE-2021-45008 | Plesk CMS 18.0.37 is affected by an insecure permissions vulnerability that allows privilege escalation from user to admin rights. NOTE: the vendor states that this is only a site-specific problem on websites of one or more Plesk users | MEDIUM | Feb 24, 2022 | n/a |
CVE-2022-45130 | Plesk Obsidian allows a CSRF attack, e.g., via the /api/v2/cli/commands REST API to change an Admin password. NOTE: Obsidian is a specific version of the Plesk product: version numbers were used through version 12, and then the convention was changed so that versions are identified by names (Obsidian), not numbers. | -- | Nov 10, 2022 | n/a |
CVE-2023-43784 | Plesk Onyx 17.8.11 has accessKeyId and secretAccessKey fields that are related to an Amazon AWS Firehose component. NOTE: the vendor's position is that there is no security threat. | -- | Sep 26, 2023 | n/a |
CVE-2021-33959 | Plex Media Server 1.21 and before is vulnerable to a DDoS reflection attack via the Plex service. | -- | Jan 26, 2023 | n/a |
CVE-2023-37460 | Plexus Archiver is a collection of Plexus components to create archives or extract archives to a directory with a unified `Archiver`/`UnArchiver` API. Prior to version 4.8.0, using AbstractUnArchiver for extracting an archive might lead to an arbitrary file creation and possibly remote code execution. When extracting an archive with an entry that already exists in the destination directory as a symbolic link whose target does not exist, the `resolveFile()` function will return the symlink's source instead of its target, which will pass the verification that ensures the file will not be extracted outside of the destination directory. Later `Files.newOutputStream()`, which follows symlinks by default, will actually write the entry's content to the symlink's target. Whoever uses plexus archiver to extract an untrusted archive is vulnerable to an arbitrary file creation and possibly remote code execution. Version 4.8.0 contains a patch for this issue. | -- | Jul 25, 2023 | n/a |
CVE-2018-1002200 | plexus-archiver before 3.6.0 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in an archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'. | MEDIUM | Jul 26, 2018 | n/a |
CVE-2017-1000487 | Plexus-utils before 3.0.16 is vulnerable to command injection because it does not correctly process the contents of double quoted strings. | HIGH | Jan 3, 2018 | n/a |
CVE-2020-25287 | Pligg 2.0.3 allows remote authenticated users to execute arbitrary commands because the template editor can edit any file, as demonstrated by an admin/admin_editor.php the_file=..%2Findex.php&open=Open request. | MEDIUM | Sep 13, 2020 | n/a |
CVE-2020-21121 | Pligg CMS 2.0.2 contains a time-based SQL injection vulnerability via the $recordIDValue parameter in the admin_update_module_widgets.php file. | HIGH | Sep 15, 2021 | n/a |
CVE-2023-37677 | Pligg CMS v2.0.2 (also known as Kliqqi) was discovered to contain a remote code execution (RCE) vulnerability in the component admin_editor.php. | -- | Jul 25, 2023 | n/a |
CVE-2022-34956 | Pligg CMS v2.0.2 was discovered to contain a time-based SQL injection vulnerability via the page_size parameter at load_data_for_groups.php. | -- | Aug 4, 2022 | n/a |
CVE-2022-34955 | Pligg CMS v2.0.2 was discovered to contain a time-based SQL injection vulnerability via the page_size parameter at load_data_for_topusers.php. | -- | Aug 4, 2022 | n/a |
CVE-2021-28993 | Plixer Scrutinizer 19.0.2 is affected by: SQL Injection. The impact is: obtain sensitive information (remote). | MEDIUM | Jun 30, 2021 | n/a |
CVE-2016-4042 | Plone 3.3 through 5.1a1 allows remote attackers to obtain information about the ID of sensitive content via unspecified vectors. | MEDIUM | Feb 24, 2017 | n/a |
CVE-2015-7318 | Plone 3.3.0 through 3.3.6 allows remote attackers to inject headers into HTTP responses. | MEDIUM | Sep 25, 2017 | n/a |
CVE-2015-7315 | Plone 3.3.0 through 3.3.6, 4.0.0 through 4.0.10, 4.1.0 through 4.1.6, 4.2.0 through 4.2.7, 4.3.0 through 4.3.6, and 5.0rc1 allows remote attackers to add a new member to a Plone site with registration enabled, without acknowledgment of site administrator. | MEDIUM | Sep 25, 2017 | n/a |
CVE-2016-4041 | Plone 4.0 through 5.1a1 does not have security declarations for Dexterity content-related WebDAV requests, which allows remote attackers to gain webdav access via unspecified vectors. | HIGH | Feb 24, 2017 | n/a |
CVE-2017-5524 | Plone 4.x through 4.3.11 and 5.x through 5.0.6 allow remote attackers to bypass a sandbox protection mechanism and obtain sensitive information by leveraging the Python string format method. | MEDIUM | Mar 23, 2017 | n/a |
CVE-2020-28735 | Plone before 5.2.3 allows SSRF attacks via the tracebacks feature (only available to the Manager role). | MEDIUM | Dec 30, 2020 | n/a |
CVE-2020-28734 | Plone before 5.2.3 allows XXE attacks via a feature that is explicitly only available to the Manager role. | MEDIUM | Dec 30, 2020 | n/a |
CVE-2020-28736 | Plone before 5.2.3 allows XXE attacks via a feature that is protected by an unapplied permission of plone.schemaeditor.ManageSchemata (therefore, only available to the Manager role). | MEDIUM | Dec 30, 2020 | n/a |
CVE-2021-3313 | Plone CMS until version 5.2.4 has a stored Cross-Site Scripting (XSS) vulnerability in the user fullname property and the file upload functionality. The user's input data is not properly encoded when being echoed back to the user. This data can be interpreted as executable code by the browser and allows an attacker to execute JavaScript in the context of the victim's browser if the victim opens a vulnerable page containing an XSS payload. | LOW | May 22, 2021 | n/a |
CVE-2021-33511 | Plone through 5.2.4 allows SSRF via the lxml parser. This affects Diazo themes, Dexterity TTW schemas, and modeleditors in plone.app.theming, plone.app.dexterity, and plone.supermodel. | MEDIUM | May 22, 2021 | n/a |
CVE-2021-33510 | Plone through 5.2.4 allows remote authenticated managers to conduct SSRF attacks via an event ical URL, to read one line of a file. | MEDIUM | May 22, 2021 | n/a |
CVE-2021-33509 | Plone through 5.2.4 allows remote authenticated managers to perform disk I/O via crafted keyword arguments to the ReStructuredText transform in a Python script. | HIGH | May 22, 2021 | n/a |
CVE-2021-33512 | Plone through 5.2.4 allows stored XSS attacks (by a Contributor) by uploading an SVG or HTML document. | LOW | May 22, 2021 | n/a |
CVE-2021-33508 | Plone through 5.2.4 allows XSS via a full name that is mishandled during rendering of the ownership tab of a content item. | LOW | May 22, 2021 | n/a |
CVE-2021-33513 | Plone through 5.2.4 allows XSS via the inline_diff methods in Products.CMFDiffTool. | LOW | May 22, 2021 | n/a |
CVE-2023-41048 | plone.namedfile allows users to handle `File` and `Image` fields targeting, but not depending on, Plone Dexterity content. Prior to versions 5.6.1, 6.0.3, 6.1.3, and 6.2.1, there is a stored cross site scripting vulnerability for SVG images. A security hotfix from 2021 already partially fixed this by making sure SVG images are always downloaded instead of shown inline. But the same problem still exists for scales of SVG images. Note that an image tag with an SVG image as source is not vulnerable, even when the SVG image contains malicious code. To exploit the vulnerability, an attacker would first need to upload an image, and then trick a user into following a specially crafted link. Patches are available in versions 5.6.1 (for Plone 5.2), 6.0.3 (for Plone 6.0.0-6.0.4), 6.1.3 (for Plone 6.0.5-6.0.6), and 6.2.1 (for Plone 6.0.7). There are no known workarounds. | -- | Sep 21, 2023 | n/a |