The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
ID | Description | Priority | Modified date | Fixed Release |
---|---|---|---|---|
CVE-2022-0287 | The myCred WordPress plugin before 2.4.4.1 does not have any authorisation in place in its mycred-tools-select-user AJAX action, allowing any authenticated user, such as a subscriber, to call it and retrieve all email addresses from the blog | MEDIUM | Apr 25, 2022 | n/a |
CVE-2023-1546 | The MyCryptoCheckout WordPress plugin before 2.124 does not escape some URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting | -- | May 2, 2023 | n/a |
CVE-2022-1960 | The MyCSS WordPress plugin through 1.1 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack | MEDIUM | Jun 27, 2022 | n/a |
CVE-2023-28885 | The MyLink infotainment system (build 2021.3.26) in General Motors Chevrolet Equinox 2021 vehicles allows attackers to cause a denial of service (temporary failure of Media Player functionality) via a crafted MP3 file. | -- | Mar 27, 2023 | n/a |
CVE-2023-32290 | The myMail app through 14.30 for iOS sends cleartext credentials in a situation where STARTTLS is expected by a server. | -- | May 8, 2023 | n/a |
CVE-2024-9656 | The Mynx Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 0.27.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | -- | Oct 15, 2024 | n/a |
CVE-2015-2020 | The MyScript SDK before 1.3 for Android might allow attackers to execute arbitrary code by leveraging a finalize method in a Serializable class that improperly passes an attacker-controlled pointer to a native function. | HIGH | Mar 29, 2018 | n/a |
CVE-2015-4669 | The MySQL root user in Xsuite 2.3.0 and 2.4.3.0 does not have a password set, which allows local users to access databases on the system. | HIGH | Sep 25, 2017 | n/a |
CVE-2014-3413 | The MySQL server in Juniper Networks Junos Space before 13.3R1.8 has an unspecified account with a hardcoded password, which allows remote attackers to obtain sensitive information and consequently obtain administrative control by leveraging database access. | HIGH | Apr 5, 2018 | n/a |
CVE-2016-4338 | The mysql user parameter configuration script (userparameter_mysql.conf) in the agent in Zabbix before 2.0.18, 2.2.x before 2.2.13, and 3.0.x before 3.0.3, when used with a shell other than bash, allows context-dependent attackers to execute arbitrary code or SQL commands via the mysql.size parameter. | MEDIUM | Jan 26, 2017 | n/a |
CVE-2023-5509 | The myStickymenu WordPress plugin before 2.6.5 does not adequately authorize some ajax calls, allowing any logged-in user to perform the actions. | -- | Nov 27, 2023 | n/a |
CVE-2017-9093 | The my_skip_input_data_fn function in imagew-jpeg.c in libimageworsener.a in ImageWorsener 1.3.1 allows remote attackers to cause a denial of service (infinite loop) via a crafted image. | MEDIUM | May 19, 2017 | n/a |
CVE-2016-7145 | The m_authenticate function in ircd/m_authenticate.c in nefarious2 allows remote attackers to spoof certificate fingerprints and consequently log in as another user via a crafted AUTHENTICATE parameter. | HIGH | Mar 8, 2017 | n/a |
CVE-2016-7144 | The m_authenticate function in modules/m_sasl.c in UnrealIRCd before 3.2.10.7 and 4.x before 4.0.6 allows remote attackers to spoof certificate fingerprints and consequently log in as another user via a crafted AUTHENTICATE parameter. | MEDIUM | Jan 20, 2017 | n/a |
CVE-2016-7142 | The m_sasl module in InspIRCd before 2.0.23, when used with a service that supports SASL_EXTERNAL authentication, allows remote attackers to spoof certificate fingerprints and consequently log in as another user via a crafted SASL message. | MEDIUM | Sep 28, 2016 | n/a |
CVE-2021-4046 | The m_txtNom and m_txtCognoms parameters in TCMAN GIM v8.01 allow an attacker to perform persistent XSS attacks. This vulnerability could be used to carry out a number of browser-based attacks including browser hijacking or theft of sensitive data. | LOW | Feb 11, 2022 | n/a |
CVE-2023-47131 | The N-able PassPortal extension before 3.29.2 for Chrome inserts sensitive information into a log file. | -- | Feb 9, 2024 | n/a |
CVE-2024-28200 | The N-central server is vulnerable to an authentication bypass of the user interface. This vulnerability is present in all deployments of N-central prior to 2024.2. This vulnerability was discovered through internal N-central source code review and N-able has not observed any exploitation in the wild. | -- | Jul 2, 2024 | n/a |
CVE-2024-5322 | The N-central server is vulnerable to session rebinding of already authenticated users when using Entra SSO, which can lead to authentication bypass. This vulnerability is present in all Entra-supported deployments of N-central prior to 2024.3. | -- | Jul 2, 2024 | n/a |
CVE-2021-24223 | The N5 Upload Form WordPress plugin through 1.0 suffers from an arbitrary file upload issue in the page where a Form from the plugin is embedded, as any file can be uploaded. The uploaded filename might be hard to guess as it's generated with md5(uniqid(rand())); however, in the case of misconfigured servers with Directory listing enabled, accessing it is trivial. | HIGH | Apr 12, 2021 | n/a |
CVE-2023-27562 | The n8n package 0.218.0 for Node.js allows Directory Traversal. | -- | May 10, 2023 | n/a |
CVE-2023-27563 | The n8n package 0.218.0 for Node.js allows Escalation of Privileges. | -- | May 10, 2023 | n/a |
CVE-2023-27564 | The n8n package 0.218.0 for Node.js allows Information Disclosure. | -- | May 10, 2023 | n/a |
CVE-2021-23020 | The NAAS 3.x before 3.10.0 API keys were generated using an insecure pseudo-random string and hashing algorithm which could lead to predictable keys. | LOW | Jun 1, 2021 | n/a |
CVE-2024-4462 | The Nafeza Prayer Time plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | -- | Jun 4, 2024 | n/a |
CVE-2023-4602 | The Namaste! LMS plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'course_id' parameter in versions up to, and including, 2.6.1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | -- | Nov 15, 2023 | n/a |
CVE-2023-0548 | The Namaste! LMS WordPress plugin before 2.5.9.4 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | -- | Mar 4, 2023 | n/a |
CVE-2023-0844 | The Namaste! LMS WordPress plugin before 2.6 does not sanitize and escape some of its settings, which could allow high-privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | -- | Mar 16, 2023 | n/a |
CVE-2022-2072 | The Name Directory WordPress plugin before 1.25.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting. Furthermore, as the payload is also saved into the database after the request, it leads to a Stored XSS as well | -- | Jul 29, 2022 | n/a |
CVE-2022-2071 | The Name Directory WordPress plugin before 1.25.4 does not have a CSRF check when importing names, and is also lacking sanitisation as well as escaping in some of the imported data, which could allow attackers to make a logged-in admin import arbitrary names with XSS payloads in them. | -- | Jul 29, 2022 | n/a |
CVE-2018-0823 | The Named Pipe File System in Windows 10 version 1709 and Windows Server, version 1709 allows an elevation of privilege vulnerability due to the way the Named Pipe File System handles objects, aka Named Pipe File System Elevation of Privilege Vulnerability. | MEDIUM | Feb 22, 2018 | n/a |
CVE-2017-15011 | The named pipes in qtsingleapp in Qt 5.x, as used in qBittorrent and SugarSync, are configured for remote access and allow remote attackers to cause a denial of service (application crash) via an unspecified string. | MEDIUM | Oct 3, 2017 | n/a |
CVE-2021-27645 | The nameserver caching daemon (nscd) in the GNU C Library (aka glibc or libc6) 2.29 through 2.33, when processing a request for netgroup lookup, may crash due to a double-free, potentially resulting in degraded service or Denial of Service on the local system. This is related to netgroupcache.c. | MEDIUM | Feb 27, 2021 | n/a |
CVE-2016-10195 | The name_parse function in evdns.c in libevent before 2.1.6-beta allows remote attackers to have unspecified impact via vectors involving the label_len variable, which triggers an out-of-bounds stack read. | HIGH | Mar 21, 2017 | n/a |
CVE-2022-0679 | The Narnoo Distributor WordPress plugin through 2.5.1 fails to validate and sanitize the lib_path parameter before it is passed into a call to require() via the narnoo_distributor_lib_request AJAX action (available to both unauthenticated and authenticated users), which results in the disclosure of arbitrary files as the content of the file is then displayed in the response as JSON data. This could also lead to RCE with various tricks but depends on the underlying system and its configuration. | MEDIUM | Apr 4, 2022 | n/a |
CVE-2017-9819 | The National Payments Corporation of India BHIM application 1.3 for Android does not properly restrict use of the OTP feature, which makes it easier for attackers to bypass authentication. | HIGH | Aug 24, 2018 | n/a |
CVE-2017-9818 | The National Payments Corporation of India BHIM application 1.3 for Android relies on a four-digit passcode, which makes it easier for attackers to obtain access. | MEDIUM | Aug 24, 2018 | n/a |
CVE-2017-9821 | The National Payments Corporation of India BHIM application 1.3 for Android relies on three hardcoded strings (AK-NPCIMB, IM-NPCIBM, and VK-NPCIBM) for SMS validation, which makes it easier for attackers to bypass authentication. | HIGH | Aug 24, 2018 | n/a |
CVE-2017-9820 | The National Payments Corporation of India BHIM application 1.3 for Android uses a custom keypad for which the input element is available to the Accessibility service, which makes it easier for attackers to bypass authentication. | HIGH | Aug 24, 2018 | n/a |
CVE-2017-1000251 | The native Bluetooth stack in the Linux Kernel (BlueZ), starting at the Linux kernel version 3.3-rc1 and up to and including 4.13.1, is vulnerable to a stack overflow vulnerability in the processing of L2CAP configuration responses resulting in Remote code execution in kernel space. | HIGH | Sep 12, 2017 | n/a |
CVE-2023-48700 | The Nautobot Device Onboarding plugin uses the netmiko and NAPALM libraries to simplify the onboarding process of a new device into Nautobot down to, in many cases, an IP Address and a Location. Starting in version 2.0.0 and prior to version 3.0.0, credentials provided to onboarding task are visible via Job Results from an execution of an Onboarding Task. Version 3.0.0 fixes this issue; no known workarounds are available. Mitigation recommendations include deleting all Job Results for any onboarding task to remove clear text credentials from database entries that were run while on v2.0.X, upgrading to v3.0.0, and rotating any exposed credentials. | -- | Nov 22, 2023 | n/a |
CVE-2023-0146 | The Naver Map WordPress plugin through 1.1.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | -- | Feb 6, 2023 | n/a |
CVE-2024-5220 | The ND Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's upload feature in all versions up to, and including, 7.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | -- | May 28, 2024 | n/a |
CVE-2022-4623 | The ND Shortcodes WordPress plugin before 7.0 does not validate and escape many of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks | -- | Jul 11, 2023 | n/a |
CVE-2023-1273 | The ND Shortcodes WordPress plugin before 7.0 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as subscriber to perform LFI attacks | -- | Jul 11, 2023 | n/a |
CVE-2019-15774 | The nd-booking plugin before 2.5 for WordPress has a nopriv_ AJAX action that allows modification of the siteurl setting. | MEDIUM | Sep 4, 2019 | n/a |
CVE-2019-15772 | The nd-donations plugin before 1.4 for WordPress has a nopriv_ AJAX action that allows modification of the siteurl setting. | MEDIUM | Sep 4, 2019 | n/a |
CVE-2019-15775 | The nd-learning plugin before 4.8 for WordPress has a nopriv_ AJAX action that allows modification of the siteurl setting. | MEDIUM | Sep 4, 2019 | n/a |
CVE-2019-15819 | The nd-restaurant-reservations plugin before 1.5 for WordPress has no requirement for nd_rst_import_settings_php_function authentication. | HIGH | Sep 5, 2019 | n/a |
CVE-2019-15771 | The nd-shortcodes plugin before 6.0 for WordPress has a nopriv_ AJAX action that allows modification of the siteurl setting. | MEDIUM | Sep 4, 2019 | n/a |