Search
Total
201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2015-10097 | 1 Grinnellplans | 1 Grinnellplans | 2023-12-20 | N/A | 9.8 CRITICAL |
| A vulnerability was found in grinnellplans-php up to 3.0. It has been declared as critical. Affected by this vulnerability is the function interface_disp_page/interface_disp_page of the file read.php. The manipulation leads to sql injection. The attack can be launched remotely. The identifier of the patch is 57e4409e19203a94495140ff1b5a697734d17cfb. It is recommended to apply a patch to fix this issue. The identifier VDB-223801 was assigned to this vulnerability. | |||||
| CVE-2015-10098 | 1 Wpmudev | 1 Broken Link Checker | 2023-12-20 | N/A | 6.1 MEDIUM |
| A vulnerability was found in Broken Link Checker Plugin up to 1.10.5 on WordPress. It has been rated as problematic. Affected by this issue is the function print_module_list/show_warnings_section_notice/status_text/ui_get_action_links. The manipulation leads to cross site scripting. The attack may be launched remotely. Upgrading to version 1.10.6 is able to address this issue. The name of the patch is f30638869e281461b87548e40b517738b4350e47. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-225152. | |||||
| CVE-2016-15030 | 1 Twofactorauth Project | 1 Twofactorauth | 2023-12-20 | N/A | 6.1 MEDIUM |
| A vulnerability classified as problematic has been found in Arno0x TwoFactorAuth. This affects an unknown part of the file login/login.php. The manipulation of the argument from leads to open redirect. It is possible to initiate the attack remotely. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The patch is named 8549ad3cf197095f783643e41333586d6a4d0e54. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-223803. | |||||
| CVE-2016-15029 | 1 Mapicoin Project | 1 Mapicoin | 2023-12-20 | N/A | 6.1 MEDIUM |
| A vulnerability has been found in Ydalb mapicoin up to 1.9.0 and classified as problematic. This vulnerability affects unknown code of the file webroot/stats.php. The manipulation of the argument link/search leads to cross site scripting. The attack can be initiated remotely. Upgrading to version 1.10.0 is able to address this issue. The patch is identified as 67e87f0f0c1ac238fcd050f4c3db298229bc9679. It is recommended to upgrade the affected component. VDB-223402 is the identifier assigned to this vulnerability. | |||||
| CVE-2017-20159 | 1 Keynote Project | 1 Keynote | 2023-12-20 | N/A | 6.1 MEDIUM |
| A vulnerability was found in rf Keynote up to 0.x on Rails. It has been rated as problematic. Affected by this issue is some unknown functionality of the file lib/keynote/rumble.rb. The manipulation of the argument value leads to cross site scripting. The attack may be launched remotely. Upgrading to version 1.0.0 is able to address this issue. The patch is identified as 05be4356b0a6ca7de48da926a9b997beb5ffeb4a. It is recommended to upgrade the affected component. VDB-217142 is the identifier assigned to this vulnerability. | |||||
| CVE-2015-10089 | 1 Flame.js Project | 1 Flame.js | 2023-12-20 | N/A | 6.1 MEDIUM |
| A vulnerability classified as problematic has been found in flame.js. This affects an unknown part. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The patch is named e6c49b5f6179e31a534b7c3264e1d36aa99728ac. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-222291. | |||||
| CVE-2017-20167 | 1 Minichan | 1 Minichan | 2023-12-20 | N/A | 6.1 MEDIUM |
| A vulnerability, which was classified as problematic, was found in Minichan. This affects an unknown part of the file reports.php. The manipulation of the argument headline leads to cross site scripting. It is possible to initiate the attack remotely. The identifier of the patch is fc0e732e58630cba318d6bf49d1388a7aa9d390e. It is recommended to apply a patch to fix this issue. The identifier VDB-217785 was assigned to this vulnerability. | |||||
| CVE-2015-10090 | 1 Inboundnow | 1 Landing-pages | 2023-12-20 | N/A | 6.1 MEDIUM |
| A vulnerability, which was classified as problematic, has been found in Landing Pages Plugin up to 1.8.7 on WordPress. Affected by this issue is some unknown functionality. The manipulation leads to cross site scripting. The attack may be launched remotely. Upgrading to version 1.8.8 is able to address this issue. The name of the patch is c8e22c1340c11fedfb0a0a67ea690421bdb62b94. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-222320. | |||||
| CVE-2014-125105 | 1 Managewp | 1 Broken Link Checker | 2023-12-20 | N/A | 6.1 MEDIUM |
| A vulnerability was found in Broken Link Checker Plugin up to 1.10.1 on WordPress. It has been declared as problematic. Affected by this vulnerability is the function options_page of the file core/core.php of the component Settings Page. The manipulation of the argument exclusion_list/blc_custom_fields leads to cross site scripting. The attack can be launched remotely. Upgrading to version 1.10.2 is able to address this issue. The patch is named 90615fe9b0b6f9e6fb254d503c302e53a202e561. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-230659. | |||||
| CVE-2015-10091 | 1 Bywatersolutions | 1 Bywater-koha-xslt | 2023-12-20 | N/A | 7.2 HIGH |
| A vulnerability has been found in ByWater Solutions bywater-koha-xslt and classified as critical. This vulnerability affects the function StringSearch of the file admin/systempreferences.pl. The manipulation of the argument name leads to sql injection. The attack can be initiated remotely. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The patch is identified as 9513b93c828dfbc4413f9e0df63647401aaf4e58. It is recommended to apply a patch to fix this issue. VDB-222322 is the identifier assigned to this vulnerability. | |||||
| CVE-2015-10093 | 1 Mark User As Spammer Project | 1 Mark User As Spammer | 2023-12-20 | N/A | 5.4 MEDIUM |
| A vulnerability was found in Mark User as Spammer Plugin 1.0.0/1.0.1 on WordPress. It has been declared as problematic. Affected by this vulnerability is the function user_row_actions of the file plugin/plugin.php. The manipulation of the argument url leads to cross site scripting. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. Upgrading to version 1.0.2 is able to address this issue. The identifier of the patch is e7059727274d2767c240c55c02c163eaa4ba6c62. It is recommended to upgrade the affected component. The identifier VDB-222325 was assigned to this vulnerability. | |||||
| CVE-2014-125099 | 1 Themeist | 1 I Recommend This | 2023-12-20 | N/A | 9.8 CRITICAL |
| A vulnerability has been found in I Recommend This Plugin up to 3.7.2 on WordPress and classified as critical. Affected by this vulnerability is an unknown functionality of the file dot-irecommendthis.php. The manipulation leads to sql injection. The attack can be launched remotely. Upgrading to version 3.7.3 is able to address this issue. The identifier of the patch is 058b3ef5c7577bf557557904a53ecc8599b13649. It is recommended to upgrade the affected component. The identifier VDB-226309 was assigned to this vulnerability. | |||||
| CVE-2014-125097 | 1 Bestwebsoft | 1 Facebook Button | 2023-12-20 | N/A | 6.1 MEDIUM |
| A vulnerability, which was classified as problematic, was found in BestWebSoft Facebook Like Button up to 2.33. Affected is the function fcbkbttn_settings_page of the file facebook-button-plugin.php. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. Upgrading to version 2.34 is able to address this issue. The patch is identified as b766da8fa100779409a953f0e46c2a2448cbe99c. It is recommended to upgrade the affected component. VDB-225354 is the identifier assigned to this vulnerability. | |||||
| CVE-2014-125067 | 1 Curiosity Project | 1 Curiosity | 2023-12-20 | N/A | 9.8 CRITICAL |
| A vulnerability classified as critical was found in corincerami curiosity. Affected by this vulnerability is an unknown functionality of the file app/controllers/image_controller.rb. The manipulation of the argument sol leads to sql injection. The patch is named d64fddd74ca72714e73f4efe24259ca05c8190eb. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-217639. | |||||
| CVE-2014-125074 | 1 Voyager Project | 1 Voyager | 2023-12-20 | N/A | 9.8 CRITICAL |
| A vulnerability was found in Nayshlok Voyager. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file Voyager/src/models/DatabaseAccess.java. The manipulation leads to sql injection. The identifier of the patch is f1249f438cd8c39e7ef2f6c8f2ab76b239a02fae. It is recommended to apply a patch to fix this issue. The identifier VDB-218005 was assigned to this vulnerability. | |||||
| CVE-2015-10094 | 1 Fastly | 1 Fastly | 2023-12-20 | N/A | 6.1 MEDIUM |
| A vulnerability was found in Fastly Plugin up to 0.97 on WordPress. It has been rated as problematic. Affected by this issue is the function post of the file lib/api.php. The manipulation of the argument url leads to cross site scripting. The attack may be launched remotely. Upgrading to version 0.98 is able to address this issue. The patch is identified as d7fe42538f4d4af500e3af9678b6b06fba731656. It is recommended to upgrade the affected component. VDB-222326 is the identifier assigned to this vulnerability. | |||||
| CVE-2020-36638 | 1 Adminserv Project | 1 Adminserv | 2023-12-20 | N/A | 6.1 MEDIUM |
| ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in Chris92de AdminServ. It has been rated as problematic. This issue affects some unknown processing of the file resources/core/adminserv.php. The manipulation of the argument error leads to cross site scripting. The attack may be initiated remotely. The patch is named 9a45087814295de6fb3a3fe38f96293665234da1. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-217043. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2020-36637 | 1 Adminserv Project | 1 Adminserv | 2023-12-20 | N/A | 6.1 MEDIUM |
| ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in Chris92de AdminServ. It has been declared as problematic. This vulnerability affects unknown code of the file resources/core/adminserv.php. The manipulation of the argument text leads to cross site scripting. The attack can be initiated remotely. The patch is identified as 3ed17dab3b4d6e8bf1c82ddfbf882314365e9cd7. It is recommended to apply a patch to fix this issue. VDB-217042 is the identifier assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2023-3018 | 1 Oretnom23 | 1 Lost And Found Information System | 2023-12-20 | N/A | 8.8 HIGH |
| A vulnerability was found in SourceCodester Lost and Found Information System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /admin/?page=user/list. The manipulation leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-230362 is the identifier assigned to this vulnerability. | |||||
| CVE-2013-4584 | 2 Debian, Horms | 2 Debian Linux, Perdition | 2023-12-20 | 4.3 MEDIUM | 5.9 MEDIUM |
| Perdition before 2.2 may have weak security when handling outbound connections, caused by an error in the STARTTLS IMAP and POP server. ssl_outgoing_ciphers not being applied to STARTTLS connections | |||||
| CVE-2023-47271 | 1 Sfu | 1 Pkp Web Application Library | 2023-12-20 | N/A | 5.3 MEDIUM |
| PKP-WAL (aka PKP Web Application Library or pkp-lib) before 3.3.0-16, as used in Open Journal Systems (OJS) and other products, does not verify that the file named in an XML document (used for the native import/export plugin) is an image file, before trying to use it for an issue cover image. | |||||
| CVE-2023-5512 | 1 Gitlab | 1 Gitlab | 2023-12-19 | N/A | 5.7 MEDIUM |
| An issue has been discovered in GitLab CE/EE affecting all versions from 16.3 before 16.4.4, all versions starting from 16.5 before 16.5.4, all versions starting from 16.6 before 16.6.2. File integrity may be compromised when specific HTML encoding is used for file names leading for incorrect representation in the UI. | |||||
| CVE-2023-5061 | 1 Gitlab | 1 Gitlab | 2023-12-19 | N/A | 4.3 MEDIUM |
| An issue has been discovered in GitLab affecting all versions starting from 9.3 before 16.4.4, all versions starting from 16.5 before 16.5.4, all versions starting from 16.6 before 16.6.2. In certain situations, it may have been possible for developers to override predefined CI variables via the REST API. | |||||
| CVE-2023-49159 | 1 Sean-barton | 1 Commentluv | 2023-12-19 | N/A | 7.5 HIGH |
| Server-Side Request Forgery (SSRF) vulnerability in Elegant Digital Solutions CommentLuv.This issue affects CommentLuv: from n/a through 3.0.4. | |||||
| CVE-2023-3904 | 1 Gitlab | 1 Gitlab | 2023-12-19 | N/A | 7.5 HIGH |
| An issue has been discovered in GitLab EE affecting all versions starting before 16.4.4, all versions starting from 16.5 before 16.5.4, all versions starting from 16.6 before 16.6.2. It was possible to overflow the time spent on an issue that altered the details shown in the issue boards. | |||||
| CVE-2023-42883 | 1 Apple | 6 Ipados, Iphone Os, Macos and 3 more | 2023-12-19 | N/A | 5.5 MEDIUM |
| The issue was addressed with improved memory handling. This issue is fixed in Safari 17.2, macOS Sonoma 14.2, iOS 17.2 and iPadOS 17.2, watchOS 10.2, tvOS 17.2, iOS 16.7.3 and iPadOS 16.7.3. Processing an image may lead to a denial-of-service. | |||||
| CVE-2023-6265 | 1 Draytek | 2 Vigor2960, Vigor2960 Firmware | 2023-12-19 | N/A | 8.1 HIGH |
| ** UNSUPPORTED WHEN ASSIGNED ** Draytek Vigor2960 v1.5.1.4 and v1.5.1.5 are vulnerable to directory traversal via the mainfunction.cgi dumpSyslog 'option' parameter allowing an authenticated attacker with access to the web management interface to delete arbitrary files. Vigor2960 is no longer supported. | |||||
| CVE-2023-3511 | 1 Gitlab | 1 Gitlab | 2023-12-19 | N/A | 3.5 LOW |
| An issue has been discovered in GitLab EE affecting all versions starting from 8.17 before 16.4.4, all versions starting from 16.5 before 16.5.4, all versions starting from 16.6 before 16.6.2. It was possible for auditor users to fork and submit merge requests to private projects they're not a member of. | |||||
| CVE-2023-50472 | 1 Cjson Project | 1 Cjson | 2023-12-19 | N/A | 7.5 HIGH |
| cJSON v1.7.16 was discovered to contain a segmentation violation via the function cJSON_SetValuestring at cJSON.c. | |||||
| CVE-2023-50721 | 1 Xwiki | 1 Xwiki | 2023-12-19 | N/A | 8.8 HIGH |
| XWiki Platform is a generic wiki platform. Starting in 4.5-rc-1 and prior to versions 14.10.15, 15.5.2, and 15.7-rc-1, the search administration interface doesn't properly escape the id and label of search user interface extensions, allowing the injection of XWiki syntax containing script macros including Groovy macros that allow remote code execution, impacting the confidentiality, integrity and availability of the whole XWiki instance. This attack can be executed by any user who can edit some wiki page like the user's profile (editable by default) as user interface extensions that will be displayed in the search administration can be added on any document by any user. The necessary escaping has been added in XWiki 14.10.15, 15.5.2 and 15.7RC1. As a workaround, the patch can be applied manually applied to the page `XWiki.SearchAdmin`. | |||||
| CVE-2023-50720 | 1 Xwiki | 1 Xwiki | 2023-12-19 | N/A | 5.3 MEDIUM |
| XWiki Platform is a generic wiki platform. Prior to versions 14.10.15, 15.5.2, and 15.7-rc-1, the Solr-based search in XWiki discloses the email addresses of users even when obfuscation of email addresses is enabled. To demonstrate the vulnerability, search for `objcontent:email*` using XWiki's regular search interface. This has been fixed in XWiki 14.10.15, 15.5.2 and 15.7RC1 by not indexing email address properties when obfuscation is enabled. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-50719 | 1 Xwiki | 1 Xwiki | 2023-12-19 | N/A | 7.5 HIGH |
| XWiki Platform is a generic wiki platform. Starting in 7.2-milestone-2 and prior to versions 14.10.15, 15.5.2, and 15.7-rc-1, the Solr-based search in XWiki discloses the password hashes of all users to anyone with view right on the respective user profiles. By default, all user profiles are public. This vulnerability also affects any configurations used by extensions that contain passwords like API keys that are viewable for the attacker. Normally, such passwords aren't accessible but this vulnerability would disclose them as plain text. This has been patched in XWiki 14.10.15, 15.5.2 and 15.7RC1. There are no known workarounds for this vulnerability. | |||||
| CVE-2023-50089 | 1 Netgear | 2 Wnr2000, Wnr2000 Firmware | 2023-12-19 | N/A | 9.8 CRITICAL |
| A Command Injection vulnerability exists in NETGEAR WNR2000v4 version 1.0.0.70. When using HTTP for SOAP authentication, command execution occurs during the process after successful authentication. | |||||
| CVE-2023-6680 | 1 Gitlab | 1 Gitlab | 2023-12-19 | N/A | 8.1 HIGH |
| An improper certificate validation issue in Smartcard authentication in GitLab EE affecting all versions from 11.6 prior to 16.4.4, 16.5 prior to 16.5.4, and 16.6 prior to 16.6.2 allows an attacker to authenticate as another user given their public key if they use Smartcard authentication. Smartcard authentication is an experimental feature and has to be manually enabled by an administrator. | |||||
| CVE-2023-41151 | 2 Microsoft, Softing | 4 Windows, Opc, Opc Ua C\+\+ Software Development Kit and 1 more | 2023-12-19 | N/A | 7.5 HIGH |
| An uncaught exception issue discovered in Softing OPC UA C++ SDK before 6.30 for Windows operating system may cause the application to crash when the server wants to send an error packet, while socket is blocked on writing. | |||||
| CVE-2023-49185 | 1 Doofinder | 1 Doofinder | 2023-12-19 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Doofinder Doofinder WP & WooCommerce Search allows Reflected XSS.This issue affects Doofinder WP & WooCommerce Search: from n/a through 2.1.7. | |||||
| CVE-2023-50728 | 2 Octokit, Probot | 4 App, Octokit, Webhooks and 1 more | 2023-12-19 | N/A | 7.5 HIGH |
| octokit/webhooks is a GitHub webhook events toolset for Node.js. Starting in 9.26.0 and prior to 9.26.3, 10.9.2, 11.1.2, and 12.0.4, there is a problem caused by an issue with error handling in the @octokit/webhooks library because the error can be undefined in some cases. The resulting request was found to cause an uncaught exception that ends the nodejs process. The bug is fixed in octokit/webhooks.js 9.26.3, 10.9.2, 11.1.2, and 12.0.4, app.js 14.02, octokit.js 3.1.2, and Protobot 12.3.3. | |||||
| CVE-2023-50469 | 1 Szlbt | 2 Lbt-t300-t310, Lbt-t300-t310 Firmware | 2023-12-19 | N/A | 9.8 CRITICAL |
| Shenzhen Libituo Technology Co., Ltd LBT-T300-T310 v2.2.2.6 was discovered to contain a buffer overflow via the ApCliEncrypType parameter at /apply.cgi. | |||||
| CVE-2023-49184 | 1 Wpdeveloper | 1 Parallax Slider Block | 2023-12-19 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPDeveloper Parallax Slider Block allows Stored XSS.This issue affects Parallax Slider Block: from n/a through 1.2.4. | |||||
| CVE-2023-49183 | 1 Nextscripts | 1 Social Networks Auto Poster | 2023-12-19 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NextScripts NextScripts: Social Networks Auto-Poster allows Reflected XSS.This issue affects NextScripts: Social Networks Auto-Poster: from n/a through 4.4.2. | |||||
| CVE-2023-50266 | 1 Bazarr | 1 Bazarr | 2023-12-19 | N/A | 5.3 MEDIUM |
| Bazarr manages and downloads subtitles. In version 1.2.4, the proxy method in bazarr/bazarr/app/ui.py does not validate the user-controlled protocol and url variables and passes them to requests.get() without any sanitization, which leads to a blind server-side request forgery (SSRF). This issue allows for crafting GET requests to internal and external resources on behalf of the server. 1.3.1 contains a partial fix, which limits the vulnerability to HTTP/HTTPS protocols. | |||||
| CVE-2023-50265 | 1 Bazarr | 1 Bazarr | 2023-12-19 | N/A | 7.5 HIGH |
| Bazarr manages and downloads subtitles. Prior to 1.3.1, the /api/swaggerui/static endpoint in bazarr/app/ui.py does not validate the user-controlled filename variable and uses it in the send_file function, which leads to an arbitrary file read on the system. This issue is fixed in version 1.3.1. | |||||
| CVE-2023-50264 | 1 Bazarr | 1 Bazarr | 2023-12-19 | N/A | 7.5 HIGH |
| Bazarr manages and downloads subtitles. Prior to 1.3.1, Bazarr contains an arbitrary file read in /system/backup/download/ endpoint in bazarr/app/ui.py does not validate the user-controlled filename variable and uses it in the send_file function, which leads to an arbitrary file read on the system. This issue is fixed in version 1.3.1. | |||||
| CVE-2023-4020 | 1 Silabs | 1 Gecko Software Development Kit | 2023-12-19 | N/A | 9.1 CRITICAL |
| An unvalidated input in a library function responsible for communicating between secure and non-secure memory in Silicon Labs TrustZone implementation allows reading/writing of memory in the secure region of memory from the non-secure region of memory. | |||||
| CVE-2023-49182 | 1 Marzocca | 1 List All Posts By Authors Nested Categories And Titles | 2023-12-19 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Fabio Marzocca List all posts by Authors, nested Categories and Titles allows Reflected XSS.This issue affects List all posts by Authors, nested Categories and Titles: from n/a through 2.7.10. | |||||
| CVE-2023-50723 | 1 Xwiki | 1 Xwiki | 2023-12-19 | N/A | 8.8 HIGH |
| XWiki Platform is a generic wiki platform. Starting in 2.3 and prior to versions 14.10.15, 15.5.2, and 15.7-rc-1, anyone who can edit an arbitrary wiki page in an XWiki installation can gain programming right through several cases of missing escaping in the code for displaying sections in the administration interface. This impacts the confidentiality, integrity and availability of the whole XWiki installation. Normally, all users are allowed to edit their own user profile so this should be exploitable by all users of the XWiki instance. This has been fixed in XWiki 14.10.15, 15.5.2 and 15.7RC1. The patches can be manually applied to the `XWiki.ConfigurableClassMacros` and `XWiki.ConfigurableClass` pages. | |||||
| CVE-2023-50722 | 1 Xwiki | 1 Xwiki | 2023-12-19 | N/A | 8.8 HIGH |
| XWiki Platform is a generic wiki platform. Starting in 2.3 and prior to versions 14.10.15, 15.5.2, and 15.7-rc-1, there is a reflected XSS or also direct remote code execution vulnerability in the code for displaying configurable admin sections. The code that can be passed through a URL parameter is only executed when the user who is visiting the crafted URL has edit right on at least one configuration section. While any user of the wiki could easily create such a section, this vulnerability doesn't require the attacker to have an account or any access on the wiki. It is sufficient to trick any admin user of the XWiki installation to visit the crafted URL. This vulnerability allows full remote code execution with programming rights and thus impacts the confidentiality, integrity and availability of the whole XWiki installation. This has been fixed in XWiki 14.10.15, 15.5.2 and 15.7RC1. The patch can be manually applied to the document `XWiki.ConfigurableClass`. | |||||
| CVE-2023-36878 | 1 Microsoft | 1 Edge Chromium | 2023-12-19 | N/A | 4.3 MEDIUM |
| Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability | |||||
| CVE-2023-49181 | 1 Wp-eventmanager | 1 Wp Event Manager | 2023-12-19 | N/A | 5.4 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Event Manager WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce allows Stored XSS.This issue affects WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce: from n/a through 3.1.40. | |||||
| CVE-2023-49187 | 1 Spoonthemes | 1 Adifier | 2023-12-19 | N/A | 6.1 MEDIUM |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Spoonthemes Adifier - Classified Ads WordPress Theme allows Reflected XSS.This issue affects Adifier - Classified Ads WordPress Theme: from n/a before 3.1.4. | |||||