The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2022-34297 | Yii Yii2 Gii through 2.2.4 allows stored XSS by injecting a payload into any field. | -- | Dec 10, 2022 | n/a |
| CVE-2021-3692 | yii2 is vulnerable to Use of Predictable Algorithm in Random Number Generator | MEDIUM | Aug 10, 2021 | n/a |
| CVE-2021-3689 | yii2 is vulnerable to Use of Predictable Algorithm in Random Number Generator | MEDIUM | Aug 10, 2021 | n/a |
| CVE-2023-50708 | yii2-authclient is an extension that adds OpenID, OAuth, OAuth2 and OpenId Connect consumers for the Yii framework 2.0. In yii2-authclient prior to version 2.2.15, the Oauth1/2 `state` and OpenID Connect `nonce` is vulnerable for a `timing attack` since it is compared via regular string comparison (instead of `Yii::$app->getSecurity()->compareString()`). Version 2.2.15 contains a patch for the issue. No known workarounds are available. | -- | Dec 22, 2023 | n/a |
| CVE-2023-50714 | yii2-authclient is an extension that adds OpenID, OAuth, OAuth2 and OpenId Connect consumers for the Yii framework 2.0. In yii2-authclient prior to version 2.2.15, the Oauth2 PKCE implementation is vulnerable in 2 ways. First, the `authCodeVerifier` should be removed after usage (similar to `authState`). Second, there is a risk for a `downgrade attack` if PKCE is being relied on for CSRF protection. Version 2.2.15 contains a patch for the issue. No known workarounds are available. | -- | Dec 22, 2023 | n/a |
| CVE-2019-16130 | YII2-CMS v1.0 has XSS in protected\\core\\modules\\home\\models\\Contact.php via a name field to /contact.html. | MEDIUM | Sep 9, 2019 | n/a |
| CVE-2022-36605 | Yimioa v6.1 was discovered to contain a SQL injection vulnerability via the orderbyGET parameter. | -- | Aug 19, 2022 | n/a |
| CVE-2023-51837 | Ylianst MeshCentral 1.1.16 is vulnerable to Missing SSL Certificate Validation. | -- | Jan 30, 2024 | n/a |
| CVE-2023-51838 | Ylianst MeshCentral 1.1.16 suffers from Use of a Broken or Risky Cryptographic Algorithm. | -- | Feb 2, 2024 | n/a |
| CVE-2018-20133 | ymlref allows code injection. | HIGH | Dec 17, 2018 | n/a |
| CVE-2017-12760 | Ynet Interactive - http://demo.ynetinteractive.com/mobiketa/ Mobiketa 4.0 is affected by: SQL Injection. The impact is: Code execution (remote). | MEDIUM | May 10, 2019 | n/a |
| CVE-2017-12759 | Ynet Interactive - http://demo.ynetinteractive.com/soa/ SOA School Management 3.0 is affected by: SQL Injection. The impact is: Code execution (remote). | HIGH | May 13, 2019 | n/a |
| CVE-2024-25626 | Yocto Project is an open source collaboration project that helps developers create custom Linux-based systems regardless of the hardware architecture. In Yocto Projects Bitbake before 2.6.2 (before and included Yocto Project 4.3.1), with the Toaster server (included in bitbake) running, missing input validation allows an attacker to perform a remote code execution in the server\'s shell via a crafted HTTP request. Authentication is not necessary. Toaster server execution has to be specifically run and is not the default for Bitbake command line builds, it is only used for the Toaster web based user interface to Bitbake. The fix has been backported to the bitbake included with Yocto Project 5.0, 3.1.31, 4.0.16, and 4.3.2. | -- | Feb 20, 2024 | n/a |
| CVE-2016-10375 | Yodl before 3.07.01 has a Buffer Over-read in the queue_push function in queue/queuepush.c. | HIGH | Jun 6, 2017 | n/a |
| CVE-2020-5627 | Yodobashi App for Android versions 1.8.7 and earlier allows remote attackers to lead a user to access an arbitrary website via the vulnerable App. As a result, the user may become a victim of a phishing attack. | MEDIUM | Sep 9, 2020 | n/a |
| CVE-2023-29626 | Yoga Class Registration System 1.0 was discovered to contain a SQL injection vulnerability via the cid parameter at /admin/login.php. | -- | Apr 14, 2023 | n/a |
| CVE-2023-1722 | Yoga Class Registration System version 1.0 allows an administrator to execute commands on the server. This is possible because the application does not correctly validate the thumbnails of the classes uploaded by the administrators. | -- | Jun 24, 2023 | n/a |
| CVE-2023-1721 | Yoga Class Registration System version 1.0 allows an administrator to execute commands on the server. This is possible because the application does not correctly validate the thumbnails of the classes uploaded by the administrators. | -- | Jun 24, 2023 | n/a |
| CVE-2017-17630 | Yoga Class Script 1.0 has SQL Injection via the /list city parameter. | HIGH | Dec 13, 2017 | n/a |
| CVE-2018-17896 | Yokogawa STARDOM Controllers FCJ, FCN-100, FCN-RTU, FCN-500, All versions R4.10 and prior, The affected controllers utilize hard-coded credentials which may allow an attacker gain unauthorized access to the maintenance functions and obtain or modify information. This attack can be executed only during maintenance work. | HIGH | Oct 12, 2018 | n/a |
| CVE-2018-17902 | Yokogawa STARDOM Controllers FCJ, FCN-100, FCN-RTU, FCN-500, All versions R4.10 and prior, The application utilizes multiple methods of session management which could result in a denial of service to the remote management functions. | MEDIUM | Oct 12, 2018 | n/a |
| CVE-2018-17900 | Yokogawa STARDOM Controllers FCJ, FCN-100, FCN-RTU, FCN-500, All versions R4.10 and prior, The web application improperly protects credentials which could allow an attacker to obtain credentials for remote access to controllers. | MEDIUM | Oct 12, 2018 | n/a |
| CVE-2018-17898 | Yokogawa STARDOM Controllers FCJ,FCN-100, FCN-RTU, FCN-500, All versions R4.10 and prior, The controller application fails to prevent memory exhaustion by unauthorized requests. This could allow an attacker to cause the controller to become unstable. | HIGH | Oct 12, 2018 | n/a |
| CVE-2018-10592 | Yokogawa STARDOM FCJ controllers R4.02 and prior, FCN-100 controllers R4.02 and prior, FCN-RTU controllers R4.02 and prior, and FCN-500 controllers R4.02 and prior utilize hard-coded credentials that could allow an attacker to gain unauthorized administrative access to the device, which could result in remote code execution. | HIGH | Aug 1, 2018 | n/a |
| CVE-2023-51927 | YonBIP v3_23.05 was discovered to contain a SQL injection vulnerability via the com.yonyou.hrcloud.attend.web.AttendScriptController.runScript() method. | -- | Jan 20, 2024 | n/a |
| CVE-2023-51926 | YonBIP v3_23.05 was discovered to contain an arbitrary file read vulnerability via the nc.bs.framework.comn.serv.CommonServletDispatcher component. | -- | Jan 20, 2024 | n/a |
| CVE-2022-26263 | Yonyou u8 v13.0 was discovered to contain a DOM-based cross-site scripting (XSS) vulnerability via the component /u8sl/WebHelp. | MEDIUM | Mar 25, 2022 | n/a |
| CVE-2017-3211 | Yopify, an e-commerce notification plugin, up to April 06, 2017, leaks the first name, last initial, city, and recent purchase data of customers, all without user authorization. | MEDIUM | Jan 15, 2020 | n/a |
| CVE-2021-45475 | Yordam Library Information Document Automation product before version 19.02 has an unauthenticated Information disclosure vulnerability. | -- | Oct 28, 2022 | n/a |
| CVE-2021-45476 | Yordam Library Information Document Automation product before version 19.02 has an unauthenticated reflected XSS vulnerability. | -- | Oct 28, 2022 | n/a |
| CVE-2018-11522 | Yosoro 1.0.4 has stored XSS. | MEDIUM | Jun 2, 2018 | n/a |
| CVE-2022-32299 | YoudianCMS v9.5.0 was discovered to contain a SQL injection vulnerability via the id parameter at /App/Lib/Action/Admin/SiteAction.class.php. | MEDIUM | Jun 15, 2022 | n/a |
| CVE-2022-32301 | YoudianCMS v9.5.0 was discovered to contain a SQL injection vulnerability via the IdList parameter at /App/Lib/Action/Home/ApiAction.class.php. | HIGH | Jun 15, 2022 | n/a |
| CVE-2022-32300 | YoudianCMS v9.5.0 was discovered to contain a SQL injection vulnerability via the MailSendID parameter at /App/Lib/Action/Admin/MailAction.class.php. | MEDIUM | Jun 15, 2022 | n/a |
| CVE-2018-18242 | youke365 v1.1.5 has SQL injection via admin/login.html, as demonstrated by username=admin&pass=123456&code=9823&act=login&submit=%E7%99%BB+%E9%99%86. | HIGH | Oct 11, 2018 | n/a |
| CVE-2020-13911 | Your Online Shop 1.8.0 allows authenticated users to trigger XSS via a Change Name or Change Surname operation. | LOW | Jun 12, 2020 | n/a |
| CVE-2021-3785 | yourls is vulnerable to Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') | LOW | Sep 15, 2021 | n/a |
| CVE-2021-3783 | yourls is vulnerable to Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') | MEDIUM | Sep 15, 2021 | n/a |
| CVE-2021-3734 | yourls is vulnerable to Improper Restriction of Rendered UI Layers or Frames | MEDIUM | Aug 26, 2021 | n/a |
| CVE-2019-14537 | YOURLS through 1.7.3 is affected by a type juggling vulnerability in the api component that can result in login bypass. | HIGH | Aug 14, 2019 | n/a |
| CVE-2024-28196 | your_spotify is an open source, self hosted Spotify tracking dashboard. YourSpotify version < 1.9.0 does not prevent other pages from displaying it in an iframe and is thus vulnerable to clickjacking. Clickjacking can be used to trick an existing user of YourSpotify to trigger actions, such as allowing signup of other users or deleting the current user account. Clickjacking works by opening the target application in an invisible iframe on an attacker-controlled site and luring a victim to visit the attacker page and interacting with it. By positioning elements over the invisible iframe, a victim can be tricked into triggering malicious or destructive actions in the invisible iframe, while they think they interact with a totally different site altogether. When a victim visits an attacker-controlled site while they are logged into YourSpotify, they can be tricked into performing actions on their YourSpotify instance without their knowledge. These actions include allowing signup of other users or deleting the current user account, resulting in a high impact to the integrity of YourSpotify. This issue has been addressed in version 1.9.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. | -- | Mar 13, 2024 | n/a |
| CVE-2024-28193 | your_spotify is an open source, self hosted Spotify tracking dashboard. YourSpotify version <1.8.0 allows users to create a public token in the settings, which can be used to provide guest-level access to the information of that specific user in YourSpotify. The /me API endpoint discloses Spotify API access and refresh tokens to guest users. Attackers with access to a public token for guest access to YourSpotify can therefore obtain access to Spotify API tokens of YourSpotify users. As a consequence, attackers may extract profile information, information about listening habits, playlists and other information from the corresponding Spotify profile. In addition, the attacker can pause and resume playback in the Spotify app at will. This issue has been resolved in version 1.8.0. Users are advised to upgrade. There are no known workarounds for this issue. | -- | Mar 14, 2024 | n/a |
| CVE-2024-28192 | your_spotify is an open source, self hosted Spotify tracking dashboard. YourSpotify version <1.8.0 is vulnerable to NoSQL injection in the public access token processing logic. Attackers can fully bypass the public token authentication mechanism, regardless if a public token has been generated before or not, without any user interaction or prerequisite knowledge. This vulnerability allows an attacker to fully bypass the public token authentication mechanism, regardless if a public token has been generated before or not, without any user interaction or prerequisite knowledge. This issue has been addressed in version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. | -- | Mar 14, 2024 | n/a |
| CVE-2024-28194 | your_spotify is an open source, self hosted Spotify tracking dashboard. YourSpotify versions < 1.8.0 use a hardcoded JSON Web Token (JWT) secret to sign authentication tokens. Attackers can use this well-known value to forge valid authentication tokens for arbitrary users. This vulnerability allows attackers to bypass authentication and authenticate as arbitrary YourSpotify users, including admin users. This issue has been addressed in version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. | -- | Mar 14, 2024 | n/a |
| CVE-2024-28195 | your_spotify is an open source, self hosted Spotify tracking dashboard. YourSpotify versions < 1.9.0 do not protect the API and login flow against Cross-Site Request Forgery (CSRF). Attackers can use this to execute CSRF attacks on victims, allowing them to retrieve, modify or delete data on the affected YourSpotify instance. Using repeated CSRF attacks, it is also possible to create a new user on the victim instance and promote the new user to instance administrator if a legitimate administrator visits a website prepared by an attacker. Note: Real-world exploitability of this vulnerability depends on the browser version and browser settings in use by the victim. This issue has been addressed in version 1.9.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. | -- | Mar 13, 2024 | n/a |
| CVE-2021-43692 | youtube-php-mirroring (last update Jun 9, 2017) is affected by a Cross Site Scripting (XSS) vulnerability in file ytproxy/index.php. | MEDIUM | Dec 1, 2021 | n/a |
| CVE-2021-27503 | Ypsomed mylife Cloud, mylife Mobile Application, Ypsomed mylife Cloud: All versions prior to 1.7.2, Ypsomed mylife App: All versions prior to 1.7.5,The application encrypts on the application layer of the communication protocol between the Ypsomed mylife App and mylife Cloud credentials based on hard-coded secrets, which allows man-in-the-middle attackers to tamper with messages. | MEDIUM | Aug 3, 2021 | n/a |
| CVE-2021-27499 | Ypsomed mylife Cloud, mylife Mobile Application, Ypsomed mylife Cloud: All versions prior to 1.7.2, Ypsomed mylife App: All versions prior to 1.7.5,The application layer encryption of the communication protocol between the Ypsomed mylife App and mylife Cloud uses non-random IVs, which allows man-in-the-middle attackers to tamper with messages. | MEDIUM | Aug 3, 2021 | n/a |
| CVE-2021-27495 | Ypsomed mylife Cloud, mylife Mobile Application:Ypsomed mylife Cloud,All versions prior to 1.7.2,Ypsomed mylife App,All versions prior to 1.7.5,he Ypsomed mylife Cloud reflects the user password during the login process after redirecting the user from a HTTPS endpoint to a HTTP endpoint. | MEDIUM | Jul 31, 2021 | n/a |
| CVE-2021-27491 | Ypsomed mylife Cloud, mylife Mobile Application:Ypsomed mylife Cloud,All versions prior to 1.7.2,Ypsomed mylife App,All versions prior to 1.7.5,The Ypsomed mylife Cloud discloses password hashes during the registration process. | MEDIUM | Jul 31, 2021 | n/a |
