The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2021-24710 | The Print-O-Matic WordPress plugin before 2.0.3 does not escape some of its settings before outputting them in attribute, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. | LOW | Nov 11, 2021 | n/a |
| CVE-2022-4753 | The Print-O-Matic WordPress plugin before 2.1.8 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. | -- | Jan 23, 2023 | n/a |
| CVE-2017-14594 | The printable searchrequest issue resource in Atlassian Jira before version 7.2.12 and from version 7.3.0 before 7.6.1 allows remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the jqlQuery query parameter. | MEDIUM | Jan 12, 2018 | n/a |
| CVE-2018-6358 | The printDefineFont2 function (util/listfdb.c) in libming through 0.4.8 is vulnerable to a heap-based buffer overflow, which may allow attackers to cause a denial of service or unspecified other impact via a crafted FDB file. | MEDIUM | Jan 27, 2018 | n/a |
| CVE-2014-3741 | The printDirect function in lib/printer.js in the node-printer module 0.0.1 and earlier for Node.js allows remote attackers to execute arbitrary commands via unspecified characters in the lpr command. | -- | Oct 23, 2017 | n/a |
| CVE-2019-9505 | The PrinterLogic Print Management software, versions up to and including 18.3.1.96, does not sanitize special characters allowing for remote unauthorized changes to configuration files. An unauthenticated attacker may be able to remotely execute arbitrary code with SYSTEM privileges. | HIGH | May 10, 2019 | n/a |
| CVE-2018-5408 | The PrinterLogic Print Management software, versions up to and including 18.3.1.96, does not validate, or incorrectly validates, the PrinterLogic management portal\'s SSL certificate. When a certificate is invalid or malicious, it might allow an attacker to spoof a trusted entity by using a man-in-the-middle (MITM) attack. The software might connect to a malicious host while believing it is a trusted host, or the software might be deceived into accepting spoofed data that appears to originate from a trusted host. | MEDIUM | May 10, 2019 | n/a |
| CVE-2018-5409 | The PrinterLogic Print Management software, versions up to and including 18.3.1.96, updates and executes the code without sufficiently verifying the origin and integrity of the code. An attacker can execute malicious code by compromising the host server, performing DNS spoofing, or modifying the code in transit. | HIGH | May 10, 2019 | n/a |
| CVE-2018-5107 | The printing process can bypass local access protections to read files available through symlinks, bypassing local file restrictions. The printing process requires files in a specific format so arbitrary data cannot be read but it is possible that some local file information could be exposed. This vulnerability affects Firefox < 58. | MEDIUM | Jun 12, 2018 | n/a |
| CVE-2016-9265 | The printMP3Headers function in listmp3.c in Libming 0.4.7 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted mp3 file. | MEDIUM | Mar 27, 2017 | n/a |
| CVE-2017-16898 | The printMP3Headers function in util/listmp3.c in libming v0.4.8 or earlier is vulnerable to a global buffer overflow, which may allow attackers to cause a denial of service via a crafted file, a different vulnerability than CVE-2016-9264. | MEDIUM | Nov 20, 2017 | n/a |
| CVE-2018-20509 | The print_binder_ref_olocked function in drivers/android/binder.c in the Linux kernel 4.14.90 allows local users to obtain sensitive address information by reading ref *desc *node lines in a debugfs file. | Low | May 2, 2019 | n/a |
| CVE-2018-20510 | The print_binder_transaction_ilocked function in drivers/android/binder.c in the Linux kernel 4.14.90 allows local users to obtain sensitive address information by reading *from *code *flags lines in a debugfs file. | Low | May 3, 2019 | n/a |
| CVE-2016-5033 | The print_exprloc_content function in libdwarf before 20160923 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted file. | MEDIUM | Feb 22, 2017 | n/a |
| CVE-2016-5028 | The print_frame_inst_bytes function in libdwarf before 20160923 allows remote attackers to cause a denial of service (NULL pointer dereference) via an object file with empty bss-like sections. | MEDIUM | Feb 22, 2017 | n/a |
| CVE-2016-5031 | The print_frame_inst_bytes function in libdwarf before 20160923 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted file. | MEDIUM | Feb 22, 2017 | n/a |
| CVE-2017-16830 | The print_gnu_property_note function in readelf.c in GNU Binutils 2.29.1 does not have integer-overflow protection on 32-bit platforms, which allows remote attackers to cause a denial of service (segmentation violation and application crash) or possibly have unspecified other impact via a crafted ELF file. | MEDIUM | Nov 15, 2017 | n/a |
| CVE-2017-9743 | The print_insn_score32 function in opcodes/score7-dis.c:552 in GNU Binutils 2.28 allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted binary file, as demonstrated by mishandling of this file during objdump -D execution. | Medium | Jun 26, 2017 | n/a |
| CVE-2017-9044 | The print_symbol_for_build_attribute function in readelf.c in GNU Binutils 2017-04-12 allows remote attackers to cause a denial of service (invalid read and SEGV) via a crafted ELF file. | MEDIUM | May 23, 2017 | n/a |
| CVE-2021-24409 | The Prismatic WordPress plugin before 2.8 does not escape the \'tab\' GET parameter before outputting it back in an attribute, leading to a reflected Cross-Site Scripting issue which will be executed in the context of a logged in administrator | MEDIUM | Jul 15, 2021 | n/a |
| CVE-2021-24408 | The Prismatic WordPress plugin before 2.8 does not sanitise or validate some of its shortcode parameters, allowing users with a role as low as Contributor to set Cross-Site payload in them. A post made by a contributor would still have to be approved by an admin to have the XSS trigger able in the frontend, however, higher privilege users, such as editor could exploit this without the need of approval, and even when the blog disallows the unfiltered_html capability. | LOW | Jul 15, 2021 | n/a |
| CVE-2022-3010 | The Priva TopControl Suite contains predictable credentials for the SSH service, based on the Serial number. Which makes it possible for an attacker to calculate the login credentials for the Priva TopControll suite. | -- | Jan 2, 2024 | n/a |
| CVE-2019-15514 | The Privacy > Phone Number feature in the Telegram app 5.10 for Android and iOS provides an incorrect indication that the access level is Nobody, because attackers can find these numbers via the Group Info feature, e.g., by adding a significant fraction of a region\'s assigned phone numbers. | MEDIUM | Aug 30, 2019 | n/a |
| CVE-2021-25106 | The Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WPLegalPages WordPress plugin before 2.7.1 does not check for authorisation and has a flawed CSRF logic when saving its settings, allowing any authenticated users, such as subscriber, to update them. Furthermore, due to the lack of sanitisation and escaping, it could lead to Stored Cross-Site Scripting | LOW | Feb 10, 2022 | n/a |
| CVE-2022-29903 | The Private Domains extension for MediaWiki through 1.37.2 (before 1ad65d4c1c199b375ea80988d99ab51ae068f766) allows CSRF for editing pages that store the extension\'s configuration. The attacker must trigger a POST request to Special:PrivateDomains. | MEDIUM | Apr 29, 2022 | n/a |
| CVE-2022-1793 | The Private Files WordPress plugin through 0.40 is missing CSRF check when disabling the protection, which could allow attackers to make a logged in admin perform such action via a CSRF attack and make the blog public | MEDIUM | Jun 13, 2022 | n/a |
| CVE-2024-27277 | The private key for the IBM Storage Protect Plus Server 10.1.0 through 10.1.16 certificate can be disclosed, undermining the security of the certificate. IBM X-Force ID: 285205. | -- | Mar 21, 2024 | n/a |
| CVE-2018-7506 | The private key of the web server in Moxa MXview versions 2.8 and prior is able to be read and accessed via an HTTP GET request, which may allow a remote attacker to decrypt encrypted information. | MEDIUM | Apr 6, 2018 | n/a |
| CVE-2020-11735 | The private-key operations in ecc.c in wolfSSL before 4.4.0 do not use a constant-time modular inverse when mapping to affine coordinates, aka a projective coordinates leak. | MEDIUM | Jun 25, 2020 | n/a |
| CVE-2023-0581 | The PrivateContent plugin for WordPress is vulnerable to protection mechanism bypass due to the use of client side validation in versions up to, and including, 8.4.3. This is due to the plugin checking if an IP had been blocklist via client-side scripts rather than server-side. This makes it possible for unauthenticated attackers to bypass any login restrictions that may prevent a brute force attack. | -- | Jan 31, 2023 | n/a |
| CVE-2017-0904 | The private_address_check ruby gem before 0.4.0 is vulnerable to a bypass due to use of Ruby's Resolv.getaddresses method, which is OS-dependent and should not be relied upon for security measures, such as when used to blacklist private network addresses to prevent server-side request forgery. | MEDIUM | Nov 13, 2017 | n/a |
| CVE-2017-0909 | The private_address_check ruby gem before 0.4.1 is vulnerable to a bypass due to an incomplete blacklist of common private/local network addresses used to prevent server-side request forgery. | HIGH | Nov 16, 2017 | n/a |
| CVE-2021-45729 | The Privilege Escalation vulnerability discovered in the WP Google Map WordPress plugin (versions <= 1.8.0) allows authenticated low-role users to create, edit, and delete maps. | MEDIUM | Feb 1, 2022 | n/a |
| CVE-2022-45853 | The privilege escalation vulnerability in the Zyxel GS1900-8 firmware version V2.70(AAHH.3) and the GS1900-8HP firmware version V2.70(AAHI.3) could allow an authenticated, local attacker with administrator privileges to execute some system commands as \'root\' on a vulnerable device via SSH. | -- | Jun 6, 2023 | n/a |
| CVE-2013-0267 | The Privileges portion of the web GUI and the XMLRPC API in Apache VCL 2.3.x before 2.3.2, 2.2.x before 2.2.2 and 2.1 allow remote authenticated users with nodeAdmin, manageGroup, resourceGrant, or userGrant permissions to gain privileges, cause a denial of service, or conduct cross-site scripting (XSS) attacks by leveraging improper data validation. | MEDIUM | Feb 21, 2018 | n/a |
| CVE-2007-5502 | The PRNG implementation for the OpenSSL FIPS Object Module 1.1.1 does not perform auto-seeding during the FIPS self-test, which generates random data that is more predictable than expected and makes it easier for attackers to bypass protection mechanisms that rely on the randomness. | Medium | Sep 5, 2008 | n/a |
| CVE-2021-26918 | The ProBot bot through 2021-02-08 for Discord might allow attackers to interfere with the intended purpose of the Send an image when a user joins the server feature (or possibly have unspecified other impact) because the uploader web service allows double extensions (such as .html.jpg) with the text/html content type. NOTE: there may not be cases in which an uploader web service is customer controlled; however, the nature of the issue has substantial interaction with customer controlled configuration. NOTE: the vendor states This is just an uploader (like any other one) which uploads files to cloud storage and accepts various file types. There is no kind of vulnerability and it won\'t compromise either the client side or the server side. | HIGH | Feb 16, 2021 | n/a |
| CVE-2017-16806 | The Process function in RemoteTaskServer/WebServer/HttpServer.cs in Ulterius before 1.9.5.0 allows HTTP server directory traversal. | MEDIUM | Nov 15, 2017 | n/a |
| CVE-2007-3719 | The process scheduler in the Linux kernel 2.6.16 gives preference to \"interactive\" processes that perform voluntary sleeps, which allows local users to cause a denial of service (CPU consumption), as described in \"Secretly Monopolizing the CPU Without Superuser Privileges.\" | -- | Nov 15, 2008 | n/a |
| CVE-2021-4413 | The Process Steps Template Designer plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.1. This is due to missing or incorrect nonce validation on the save() function. This makes it possible for unauthenticated attackers to save field icons via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | -- | Jul 12, 2023 | n/a |
| CVE-2021-4349 | The Process Steps Template Designer plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.1. This makes it possible for unauthenticated attackers to conduct unspecified attacks via forged request granted they can trick a site administrator into performing an action such as clicking on a link. | -- | Jun 7, 2023 | n/a |
| CVE-2016-6831 | The process-execute and process-spawn procedures did not free memory correctly when the execve() call failed, resulting in a memory leak. This could be abused by an attacker to cause resource exhaustion or a denial of service. This affects all releases of CHICKEN up to and including 4.11 (it will be fixed in 4.12 and 5.0, which are not yet released). | MEDIUM | Jan 10, 2017 | n/a |
| CVE-2016-6830 | The process-execute and process-spawn procedures in CHICKEN Scheme used fixed-size buffers for holding the arguments and environment variables to use in its execve() call. This would allow user-supplied argument/environment variable lists to trigger a buffer overrun. This affects all releases of CHICKEN up to and including 4.11 (it will be fixed in 4.12 and 5.0, which are not yet released). | HIGH | Jan 10, 2017 | n/a |
| CVE-2019-16737 | The processCommandSetMac() function of libcommon.so in Petwant PF-103 firmware 4.22.2.42 and Petalk AI 3.2.2.30 allows remote attackers to execute arbitrary system commands as the root user. | HIGH | Dec 13, 2019 | n/a |
| CVE-2019-17364 | The processCommandUploadLog() function of libcommon.so in Petwant PF-103 firmware 4.22.2.42 and Petalk AI 3.2.2.30 allows remote attackers to execute arbitrary system commands as the root user. | HIGH | Dec 13, 2019 | n/a |
| CVE-2018-16554 | The ProcessGpsInfo function of the gpsinfo.c file of jhead 3.00 may allow a remote attacker to cause a denial-of-service attack or unspecified other impact via a malicious JPEG file, because of inconsistency between float and double in a sprintf format string during TAG_GPS_ALT handling. | MEDIUM | Sep 15, 2018 | n/a |
| CVE-2018-17088 | The ProcessGpsInfo function of the gpsinfo.c file of jhead 3.00 may allow a remote attacker to cause a denial-of-service attack or unspecified other impact via a malicious JPEG file, because there is an integer overflow during a check for whether a location exceeds the EXIF data length. This is analogous to the CVE-2016-3822 integer overflow in exif.c. This gpsinfo.c vulnerability is unrelated to the CVE-2018-16554 gpsinfo.c vulnerability. | MEDIUM | Sep 16, 2018 | n/a |
| CVE-2018-18956 | The ProcessMimeEntity function in util-decode-mime.c in Suricata 4.x before 4.0.6 allows remote attackers to cause a denial of service (segfault and daemon crash) via crafted input to the SMTP parser, as exploited in the wild in November 2018. | MEDIUM | Nov 7, 2018 | n/a |
| CVE-2017-12427 | The ProcessMSLScript function in coders/msl.c in ImageMagick before 6.9.9-5 and 7.x before 7.0.6-5 allows remote attackers to cause a denial of service (memory leak) via a crafted file, related to the WriteMSLImage function. | Medium | Aug 4, 2017 | n/a |
| CVE-2016-3179 | The processRequest function in minissdpd.c in MiniSSDPd 1.2.20130907-3 allows local users to cause a denial of service (invalid free and daemon crash) via vectors related to error handling. | LOW | Mar 27, 2017 | n/a |
