Medium · CVSS 5.4
A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka 'Microsoft Office SharePoint XSS Vulnerability'. This CVE ID is unique from CVE-2020-0923, CVE-2020-0924, CVE-2020-0925, CVE-2020-0926, CVE-2020-0927, CVE-2020-0930, CVE-2020-0933, CVE-2020-0954, CVE-2020-0973.
Published Apr 15, 2020 · Updated Feb 28, 2025
Unknown · CVSS Not scored
Cross Site Scripting vulnerability found in ZblogCN ZblogPHP v.1.0 allows a local attacker to execute arbitrary code via a crafted payload in title parameter of the module management model.
Published Apr 4, 2023 · Updated Feb 18, 2025
Unknown · CVSS Not scored
An issue found in Jsish v.3.0.11 and before allows an attacker to cause a denial of service via the StringReplaceCmd function in the src/jsiChar.c file.
Published Apr 4, 2023 · Updated Feb 18, 2025
Unknown · CVSS Not scored
An issue found in Espruino Espruino 6ea4c0a allows an attacker to execute arbitrrary code via oldFunc parameter of the jswrap_object.c:jswrap_function_replacewith endpoint.
Published Apr 4, 2023 · Updated Feb 18, 2025
Unknown · CVSS Not scored
Buffer Overflow vulnerabilty found in Nginx NJS v.0feca92 allows a remote attacker to execute arbitrary code via the njs_module_read in the njs_module.c file.
Published Apr 4, 2023 · Updated Feb 18, 2025
High · CVSS 8.8
Cross Site Request Forgery vulnerability found in Phachon mm-wiki v.0.1.2 allows a remote attacker to execute arbitrary code via the system/user/save parameter.
Published Apr 4, 2023 · Updated Feb 14, 2025
Critical · CVSS 9.8
Directory Traversal vulnerability found in B3log Wide allows a an attacker to escalate privileges via symbolic links.
Published Apr 4, 2023 · Updated Feb 14, 2025
Critical · CVSS 9.8
Buffer Overflow found in Nginx NJS allows a remote attacker to execute arbitrary code via the njs_object_property parameter of the njs/njs_vm.c function.
Published Apr 4, 2023 · Updated Feb 14, 2025
Medium · CVSS 6.1
Cross Site Scripting vulnerability found in Pandao Editor.md v.1.5.0 allows a remote attacker to execute arbitrary code via a crafted script in the <iframe>src parameter.
Published Apr 4, 2023 · Updated Feb 14, 2025
High · CVSS 7.5
An issue found in Jsish v.3.0.11 and before allows an attacker to cause a denial of service via the Jsi_Strlen function in the src/jsiChar.c file.
Published Apr 4, 2023 · Updated Feb 14, 2025
Medium · CVSS 6.1
Cross Site Scripting vulnerability found in Pandao Editor.md v.1.5.0 allows a remote attacker to execute arbitrary code via a crafted script to the editor parameter.
Published Apr 4, 2023 · Updated Feb 14, 2025
Medium · CVSS 6.1
Cross Site Scripting vulnerability found in KOHGYLW Kiftd v.1.0.18 allows a remote attacker to execute arbitrary code via the <ifram> tag in the upload file page.
Published Apr 4, 2023 · Updated Feb 14, 2025
Medium · CVSS 6.5
An issue found in Directus API v.2.2.0 allows a remote attacker to cause a denial of service via a great amount of HTTP requests.
Published Apr 4, 2023 · Updated Feb 14, 2025
Medium · CVSS 6.1
Cross Site Scripting vulnerability found in KiteCMS v.1.1 allows a remote attacker to execute arbitrary code via the comment parameter.
Published Apr 4, 2023 · Updated Feb 14, 2025
Critical · CVSS 9.8
SQL Injection vulnerability found in PublicCMS v.4.0 allows a remote attacker to execute arbitrary code via sql parameter of the the SysSiteAdminControl.
Published Apr 4, 2023 · Updated Feb 14, 2025
Medium · CVSS 6.1
Cross Site Scripting vulnerability found in KiteCMS v.1.1 allows a remote attacker to execute arbitrary code via the registering user parameter.
Published Apr 4, 2023 · Updated Feb 14, 2025
Critical · CVSS 9.8
SQL Injection vulnerability found in Ming-Soft MCMS v.4.7.2 allows a remote attacker to execute arbitrary code via basic_title parameter.
Published Apr 4, 2023 · Updated Feb 14, 2025
Critical · CVSS 9.8
SQL Injection vulnerability found in San Luan PublicCMS v.4.0 allows a remote attacker to execute arbitrary code via the sql parameter.
Published Apr 4, 2023 · Updated Feb 14, 2025
Medium · CVSS 5.4
Cross Site Scripting vulnerability found in Phachon mm-wiki v.0.1.2 allows a remote attacker to execute arbitrary code via javascript code in the markdown editor.
Published Apr 4, 2023 · Updated Feb 13, 2025
High · CVSS 8.8
SQL injection vulnerability found in PHPMyWind v.5.6 allows a remote attacker to gain privileges via the delete function of the administrator management page.
Published Apr 4, 2023 · Updated Feb 13, 2025
Critical · CVSS 9.6
Cross Site Scripting vulnerability found in Netgate pfSense 2.4.4 and ACME package v.0.6.3 allows attackers to execute arbitrary code via the RootFolder field of acme_certificates.php.
Published Apr 4, 2023 · Updated Feb 13, 2025
Medium · CVSS 6.1
Cross Site Scripting vulnerability found in Zentao allows a remote attacker to execute arbitrary code via the lang parameter
Published Apr 4, 2023 · Updated Feb 13, 2025
High · CVSS 7.5
Buffer Overflow vulnerability found in Espruino 2v05.41 allows an attacker to cause a denial of service via the function jsvGarbageCollectMarkUsed in file src/jsvar.c.
Published Apr 4, 2023 · Updated Feb 13, 2025
High · CVSS 7.5
An issue found in Jsish v.3.0.11 allows a remote attacker to cause a denial of service via the Jsi_ValueIsNumber function in ./src/jsiValue.c file.
Published Apr 4, 2023 · Updated Feb 13, 2025
High · CVSS 8.8
SQL injection vulnerability found in Tailor Management System v.1 allows a remote authenticated attacker to execute arbitrary code via the customer parameter of the email.php page.
Published Apr 6, 2023 · Updated Feb 12, 2025
High · CVSS 8.8
SQL injection vulnerability found in Tailor Management System v.1 allows a remote attacker to execute arbitrary code via the id parameter.
Published Apr 6, 2023 · Updated Feb 12, 2025
High · CVSS 8.8
SQL injection vulnerability found in Tailor Mangement System v.1 allows a remote attacker to execute arbitrary code via the title parameter.
Published Apr 6, 2023 · Updated Feb 12, 2025
High · CVSS 7.5
Directory Traversal vulnerability found in Pfsense v.2.1.3 and Pfsense Suricata v.1.4.6 pkg v.1.0.1 allows a remote attacker to obtain sensitive information via the file parameter to suricata/suricata_logs_browser.php.
Published Apr 6, 2023 · Updated Feb 12, 2025
High · CVSS 8.8
SQL injection vulnerability found in Tailor Mangement System v.1 allows a remote attacker to execute arbitrary code via the customer parameter of the orderadd.php file
Published Apr 10, 2023 · Updated Feb 12, 2025
High · CVSS 8.8
SQL injection vulnerability found in Tailor Management System v.1 allows a remote attacker to execute arbitrary code via the detail parameter of the document.php page.
Published Apr 6, 2023 · Updated Feb 11, 2025
Low · CVSS 3.7
The ShipStation.com plugin 1.1 and earlier for CS-Cart allows remote attackers to insert arbitrary information into the database (via action=shipnotify) because access to this endpoint is completely unchecked. The attacker must guess an order number.
Published Apr 11, 2023 · Updated Feb 11, 2025
Medium · CVSS 5.5
Buffer Overflow vulnerability found in SQLite3 v.3.27.1 and before allows a local attacker to cause a denial of service via a crafted script.
Published Apr 11, 2023 · Updated Feb 11, 2025
High · CVSS 8.8
Cross Site Request Forgery vulnerability found in Milken DoyoCMS v.2.3 allows a remote attacker to execute arbitrary code via the background system settings.
Published Apr 11, 2023 · Updated Feb 11, 2025
Critical · CVSS 9.8
File Upload vulnerability found in Milken DoyoCMS v.2.3 allows a remote attacker to execute arbitrary code via the upload file type parameter.
Published Apr 11, 2023 · Updated Feb 11, 2025
Medium · CVSS 6.5
A reflected XSS via POST vulnerability in report scheduler of Sophos Web Appliance versions older than 4.3.10.4 allows execution of JavaScript code in the victim browser via a malicious form that must be manually submitted by the victim while logged in to SWA.
Published Apr 4, 2023 · Updated Feb 11, 2025
High · CVSS 8.6
LilyPond before 2.24 allows attackers to bypass the -dsafe protection mechanism via output-def-lookup or output-def-scope, as demonstrated by dangerous Scheme code in a .ly file that causes arbitrary code execution during conversion to a different file format. NOTE: in 2.24 and later versions, safe mode is removed, and the product no longer tries to block code execution when external files are used.
Published Apr 15, 2023 · Updated Feb 6, 2025
Medium · CVSS 6.5
libdwarf before 20201017 has a one-byte out-of-bounds read because of an invalid pointer dereference via an invalid line table in a crafted object.
Published Apr 15, 2023 · Updated Feb 6, 2025
Medium · CVSS 6.5
libdwarf before 20201201 allows a dwarf_print_lines.c NULL pointer dereference and application crash via a DWARF5 line-table header that has an invalid FORM for a pathname.
Published Apr 15, 2023 · Updated Feb 6, 2025
Critical · CVSS 9.8
The Score extension through 0.3.0 for MediaWiki has a remote code execution vulnerability due to improper sandboxing of the GNU LilyPond executable. This allows any user with an ability to edit articles (potentially including unauthenticated anonymous users) to execute arbitrary Scheme or shell code by using crafted {{Image data to generate musical scores containing malicious code.
Published Apr 15, 2023 · Updated Feb 6, 2025
Critical · CVSS 9.8
Insecure Permission vulnerability found in Yoyager v.1.4 and before allows a remote attacker to execute arbitrary code via a crafted .php file to the media component.
Published Apr 26, 2023 · Updated Feb 3, 2025
Medium · CVSS 6.1
Cross Site Scripting (XSS) vulnerability in HongCMS 3.0 allows attackers to run arbitrary code via the callback parameter to /ajax/myshop.
Published Apr 28, 2023 · Updated Jan 31, 2025
Medium · CVSS 6.1
Cross Site Scripting (XSS) vulnerability in BoxBilling 4.19, 4.19.1, 4.20, and 4.21 allows remote attackers to run arbitrary code via the message field on the submit new ticket form.
Published Apr 28, 2023 · Updated Jan 31, 2025
Medium · CVSS 5.3
IBM Counter Fraud Management for Safer Payments 5.7.0.00 through 5.7.0.10, 6.0.0.00 through 6.0.0.07, 6.1.0.00 through 6.1.0.05, and 6.2.0.00 through 6.2.1.00 could allow an authenticated attacker under special circumstances to send multiple specially crafted API requests that could cause the application to crash. IBM X-Force ID: 188052.
Published Apr 28, 2023 · Updated Jan 30, 2025
Medium · CVSS 6.1
In Wagtail before versions 2.7.3 and 2.8.2, a potential timing attack exists on pages or documents that have been protected with a shared password through Wagtail's "Privacy" controls. This password check is performed through a character-by-character string comparison, and so an attacker who is able to measure the time taken by this check to a high degree of accuracy could potentially use timing differences to gain knowledge of the password. This is [understood to be feasible on a local network, but not on the public internet](https://groups.google.com/d/msg/django-developers/iAaq0pvHXuA/fpUuwjK3i2wJ).
Privacy settings that restrict access to pages/documents on a per-user or per-group basis (as opposed to a shared password) are unaffected by this vulnerability.
This has been patched in 2.7.3, 2.8.2, 2.9.
Published Apr 30, 2020 · Updated Nov 19, 2024
Medium · CVSS 5.8
In Wagtail before versions 2.8.1 and 2.7.2, a cross-site scripting (XSS) vulnerability exists on the page revision
comparison view within the Wagtail admin interface. A user with a limited-permission editor account for the Wagtail
admin could potentially craft a page revision history that, when viewed by a user with higher privileges, could perform
actions with that user's credentials. The vulnerability is not exploitable by an ordinary site visitor without access to
the Wagtail admin.
Patched versions have been released as Wagtail 2.7.2 (for the LTS 2.7 branch) and Wagtail 2.8.1 (for the current 2.8 branch).
Published Apr 14, 2020 · Updated Nov 19, 2024
Medium · CVSS 5.1
A vulnerability has been identified in LOGO! Soft Comfort (All versions < V8.4). A zip slip vulnerability could be triggered while importing a compromised project file
to the affected software. Chained with other vulnerabilities this vulnerability could
ultimately lead to a system takeover by an attacker.
Published Apr 22, 2021 · Updated Nov 19, 2024
Unknown · CVSS Not scored
SysAid On-Premise 20.1.11, by default, allows the AJP protocol port, which is vulnerable to a GhostCat attack. Additionally, it allows unauthenticated access to upload files, which can be used to execute commands on the system by chaining it with a GhostCat attack. NOTE: This may be a duplicate of CVE-2020-1938
Published Apr 21, 2020 · Updated Nov 18, 2024
Low · CVSS 3
vulnerability within the Multimedia Viewer feature of Cisco Webex Meetings could allow an authenticated, remote attacker to bypass security protections. The vulnerability is due to missing security warning dialog boxes when a room host views shared multimedia files. An authenticated, remote attacker could exploit this vulnerability by using the host role to share files within the Multimedia sharing feature and convincing a former room host to view that file. A warning dialog normally appears cautioning users before the file is displayed; however, the former host would not see that warning dialog, and any shared multimedia would be rendered within the user's browser. The attacker could leverage this behavior to conduct additional attacks by including malicious files within a targeted room host's browser window.
Published Apr 13, 2020 · Updated Nov 15, 2024
High · CVSS 7.5
A vulnerability in the Constrained Application Protocol (CoAP) implementation of Cisco IoT Field Network Director could allow an unauthenticated remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to insufficient input validation of incoming CoAP traffic. An attacker could exploit this vulnerability by sending a malformed CoAP packet to an affected device. A successful exploit could allow the attacker to force the CoAP server to stop, interrupting communication to the IoT endpoints.
Published Apr 15, 2020 · Updated Nov 15, 2024
High · CVSS 7.5
A vulnerability in the Tool for Auto-Registered Phones Support (TAPS) of Cisco Unified Communications Manager (UCM) and Cisco Unified Communications Manager Session Management Edition (SME) could allow an unauthenticated, remote attacker to conduct directory traversal attacks on an affected device. The vulnerability is due to insufficient validation of user-supplied input to the TAPS interface of the affected device. An attacker could exploit this vulnerability by sending a crafted request to the TAPS interface. A successful exploit could allow the attacker to read arbitrary files in the system.
Published Apr 15, 2020 · Updated Nov 15, 2024