Unknown · CVSS Not scored
Stack-based buffer overflow in magentservice.exe in HP Diagnostics Server 8.x through 8.07 and 9.x through 9.21 allows remote attackers to execute arbitrary code via a malformed message packet.
Published Jan 25, 2013 · Updated Sep 16, 2024
Unknown · CVSS Not scored
Multiple cross-site request forgery (CSRF) vulnerabilities in e107_admin/download.php in e107 1.0.2 allow remote attackers to hijack the authentication of administrators for requests that conduct SQL injection attacks via the (1) download_url, (2) download_url_extended, (3) download_author_email, (4) download_author_website, (5) download_image, (6) download_thumb, (7) download_visible, or (8) download_class parameter.
Published Jan 3, 2013 · Updated Sep 16, 2024
Unknown · CVSS Not scored
SUSE WebYaST before 1.2 0.2.63-0.6.1 allows remote attackers to modify the hosts list, and subsequently conduct man-in-the-middle attacks, via a crafted /host request on TCP port 4984.
Published Jan 26, 2013 · Updated Sep 16, 2024
Unknown · CVSS Not scored
calendar/managesubscriptions.php in the Manage Subscriptions implementation in Moodle 2.4.x before 2.4.1 omits a capability check, which allows remote authenticated users to remove course-level calendar subscriptions by leveraging the student role and sending an iCalendar object.
Published Jan 27, 2013 · Updated Sep 16, 2024
Unknown · CVSS Not scored
Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirect_to parameter.
Published Jan 12, 2013 · Updated Sep 16, 2024
Unknown · CVSS Not scored
Opera before 12.12 does not properly allocate memory for GIF images, which allows remote attackers to execute arbitrary code or cause a denial of service (memory overwrite) via a malformed image.
Published Jan 2, 2013 · Updated Sep 16, 2024
Unknown · CVSS Not scored
SumatraPDF 2.1.1/MuPDF 1.0 allows remote attackers to cause an Integer Overflow in the lex_number() function via a corrupt PDF file.
Published Jan 23, 2020 · Updated Sep 13, 2024
Medium · CVSS 4
A vulnerability, which was classified as problematic, has been found in ahmyi RivetTracker. This issue affects some unknown processing. The manipulation of the argument $_SERVER['PHP_SELF'] leads to cross site scripting. The attack may be initiated remotely. The patch is named f053c5cc2bc44269b0496b5f275e349928a92ef9. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-217271.
Published Jan 3, 2023 · Updated Aug 6, 2024
Unknown · CVSS Not scored
General Electric D20ME devices are not properly configured and reveal plaintext passwords.
Published Jan 23, 2020 · Updated Aug 6, 2024
Medium · CVSS 4
A vulnerability was found in backdrop-contrib Basic Cart on Drupal. It has been classified as problematic. Affected is the function basic_cart_checkout_form_submit of the file basic_cart.cart.inc. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. Upgrading to version 1.x-1.1.1 is able to address this issue. The patch is identified as a10424ccd4b3b4b433cf33b73c1ad608b11890b4. It is recommended to upgrade the affected component. VDB-217950 is the identifier assigned to this vulnerability.
Published Jan 11, 2023 · Updated Aug 6, 2024
Unknown · CVSS Not scored
jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
Published Jan 18, 2018 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Multiple cross-site scripting (XSS) vulnerabilities in actions/main.php in the DragonByte Technologies Forumon RPG module before 1.0.8 for vBulletin when creating a new monster, allow remote attackers to inject arbitrary web script or HTML via the (1) monster[title] or (2) monster[description] parameters.
Published Jan 11, 2018 · Updated Aug 6, 2024
Medium · CVSS 4
A vulnerability has been found in manikandan170890 php-form-builder-class and classified as problematic. Affected by this vulnerability is an unknown functionality of the file PFBC/Element/Textarea.php of the component Textarea Handler. The manipulation of the argument value leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The patch is named 74897993818d826595fd5857038e6703456a594a. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-218155.
Published Jan 12, 2023 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Multiple cross-site scripting (XSS) vulnerabilities in the Shout Reports in the DragonByte Technologies vBShout module before 6.0.6 for vBulletin allow remote attackers to inject arbitrary web script or HTML via the (1) reportreason parameter in actions/doreport.php or (2) modnotes parameter in actions/updatereport.php.
Published Jan 11, 2018 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in vbshout.php in DragonByte Technologies vBShout module for vBulletin allows remote attackers to inject arbitrary web script or HTML via the shout parameter in a shout action.
Published Jan 11, 2018 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in downloads/actions/editdownload.php in the DragonByte Technologies vBDownloads module 1.3.2 and earlier for vBulletin allows remote attackers to inject arbitrary web script or HTML via the mirrors[] parameter.
Published Jan 11, 2018 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The Limit Login Attempts plugin before 1.7.1 for WordPress does not clear auth cookies upon a lockout, which might make it easier for remote attackers to conduct brute-force authentication attempts.
Published Jan 6, 2021 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Cross-site request forgery (CSRF) vulnerability in accounts/admin/index.php in Vessio NetBill 1.2 allows remote attackers to hijack the authentication of administrators for requests that add accounts via a new-client action.
Published Jan 16, 2014 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in the RedCloth library 4.2.9 for Ruby and earlier allows remote attackers to inject arbitrary web script or HTML via a javascript: URI.
Published Jan 8, 2015 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Multiple cross-site scripting (XSS) vulnerabilities in the DragonByte Technologies vbActivity module before 3.0.1 for vBulletin allow remote attackers to inject arbitrary web script or HTML via the reason parameter in (1) actions/nominatemedal.php or (2) actions/requestmedal.php.
Published Jan 11, 2018 · Updated Aug 6, 2024
Unknown · CVSS Not scored
WordPress WP GPX Maps Plugin 1.1.21 allows remote attackers to execute arbitrary PHP code via improper file upload.
Published Jan 23, 2020 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Multiple cross-site scripting (XSS) vulnerabilities in GetSimple CMS 3.1, 3.1.2, 3.2.3, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) Email Address or (2) Custom Permalink Structure fields in admin/settings.php; (3) path parameter to admin/upload.php; (4) err parameter to admin/theme.php; (5) error parameter to admin/pages.php; or (6) success or (7) err parameter to admin/index.php.
Published Jan 16, 2014 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Multiple cross-site scripting (XSS) vulnerabilities in Vessio NetBill 1.2 allow remote attackers to inject arbitrary web script or HTML via the (1) full name or (2) file title to accounts/admin/index.php or (3) comment parameter in the support page to accounts/index2.php.
Published Jan 16, 2014 · Updated Aug 6, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in fs-admin/fs-admin.php in the ForumPress WP Forum Server plugin before 1.7.4 for WordPress allows remote attackers to execute arbitrary SQL commands via the groupid parameter in an editgroup action.
Published Jan 16, 2014 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Multiple cross-site scripting (XSS) vulnerabilities in fs-admin/fs-admin.php in the ForumPress WP Forum Server plugin before 1.7.4 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) groupid parameter in an editgroup action or (2) usergroup_id parameter in an edit_usergroup action.
Published Jan 16, 2014 · Updated Aug 6, 2024
Unknown · CVSS Not scored
D-Link DSR-250N devices with firmware 1.05B73_WW allow Persistent Root Access because of the admin password for the admin account.
Published Jan 25, 2020 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Multiple cross-site scripting (XSS) vulnerabilities in the (1) tasks and (2) search views in Horde Kronolith H4 before 3.0.17 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Published Jan 16, 2014 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Polycom HDX Video End Points before 3.0.4 and UC APL before 2.7.1.J allows remote authenticated users to execute arbitrary commands as demonstrated by a ; (semicolon) to the ping command feature.
Published Jan 28, 2020 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Directory traversal vulnerability in a_getlog.cgi in Polycom HDX Video End Points before 3.0.4 and UC APL before 2.7.1.J allows remote attackers to read arbitrary files via a .. (dot dot) in the name parameter.
Published Jan 28, 2020 · Updated Aug 6, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in verify-user.php in b2ePMS 1.0 allows remote attackers to execute arbitrary SQL commands via the username field.
Published Jan 16, 2014 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in the SoundCloud Is Gold plugin 2.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the width parameter in a soundcloud_is_gold_player_preview action to wp-admin/admin-ajax.php.
Published Jan 16, 2014 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The Organizer plugin 1.2.1 for WordPress allows remote attackers to obtain the installation path via unspecified vectors to (1) plugin_hook.php, (2) page/index.php, (3) page/dir.php (4) page/options.php, (5) page/resize.php, (6) page/upload.php, (7) page/users.php, or (8) page/view.php.
Published Jan 24, 2013 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Multiple cross-site scripting (XSS) vulnerabilities in w-CMS 2.01 allow remote attackers to inject arbitrary web script or HTML via (1) the p parameter in the getMenus function in codes/wcms.php; or the COMMENT parameter in (2) blog.php, (3) guestbook.php, or (4) forum.php in codes/. NOTE: some of these details are obtained from third party information.
Published Jan 31, 2013 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Opera before 12.10 follows Internet shortcuts that are referenced by a (1) IMG element or (2) other inline element, which makes it easier for remote attackers to conduct phishing attacks via a crafted web site, as exploited in the wild in November 2012.
Published Jan 2, 2013 · Updated Aug 6, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in modules/poll/index.php in DIY-CMS 1.0 allows remote attackers to execute arbitrary SQL commands via the start parameter to mod.php.
Published Jan 24, 2013 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in the My Calendar plugin before 1.10.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO.
Published Jan 31, 2013 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Lorex LNC116 and LNC104 IP Cameras have a Remote Authentication Bypass Vulnerability
Published Jan 24, 2020 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Multiple SQL injection vulnerabilities in the advanced search in Wikidforum 2.10 allow remote attackers to execute arbitrary SQL commands via the (1) select_sort or (2) opt_search_select parameters. NOTE: this issue could not be reproduced by third parties.
Published Jan 24, 2013 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Multiple SQL injection vulnerabilities in Marinet CMS allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) galleryphoto.php or (2) gallery.php; or the roomid parameter to (3) room.php or (4) room2.php.
Published Jan 31, 2013 · Updated Aug 6, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in members.php in PHPBridges allows remote attackers to execute arbitrary SQL commands via the id parameter.
Published Jan 31, 2013 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The KillProcess method in the HP PKI ActiveX control (HPPKI.ocx) before 1.2.0.1 allows remote attackers to cause a denial of service (kill process) via the partial or full name of a process.
Published Jan 12, 2013 · Updated Aug 6, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in PHP Ticket System Beta 1 allows remote attackers to execute arbitrary SQL commands via the q parameter to index.php.
Published Jan 24, 2013 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Heap-based buffer overflow in Opera before 12.11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a long HTTP response.
Published Jan 2, 2013 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Cross-site Scripting (XSS) in cPanel WebHost Manager (WHM) 11.34.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Published Jan 27, 2020 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Multiple cross-site scripting (XSS) vulnerabilities in organizer/page/users.php in the Organizer plugin 1.2.1 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) delete_id parameter or (2) extension parameter in an "Update Setting" action to wp-admin/admin.php.
Published Jan 24, 2013 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Rapid7 Nexpose before 5.5.4 contains a session hijacking vulnerability which allows remote attackers to capture a user's session and gain unauthorized access.
Published Jan 25, 2020 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Cross-site request forgery (CSRF) vulnerability in mod.php in DiY-CMS 1.0 allows remote attackers to hijack the authentication of administrators for requests that create a poll via an add action to the poll module.
Published Jan 24, 2013 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Opera before 12.11 allows remote attackers to determine the existence of arbitrary local files via vectors involving web script in an error page.
Published Jan 2, 2013 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Unspecified vulnerability in the NinjaXplorer component before 1.0.7 for Joomla! has unknown impact and attack vectors.
Published Jan 24, 2013 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Multiple cross-site scripting (XSS) vulnerabilities in DiY-CMS 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) question parameter to in /modules/poll/add.php or (2) question or (3) answer parameter to modules/poll/edit.php.
Published Jan 24, 2013 · Updated Aug 6, 2024