Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
CVE-2023-34487 |
Description: itsourcecode Online Hotel Management System Project In PHP v1.0.0 is vulnerable to SQL Injection. SQL injection points exist in the login password input box. This vulnerability can be exploited through time-based blind injection.
CVSS: LOW (0.0) EPSS Score: 0.21%
November 27th, 2024 (5 months ago)
|
|
CVE-2023-34486 |
|
|
CVE-2023-3447 |
Description: The Active Directory Integration / LDAP Integration plugin for WordPress is vulnerable to LDAP Injection in versions up to, and including, 4.1.5. This is due to insufficient escaping on the supplied username value. This makes it possible for unauthenticated attackers to extract potentially sensitive information from the LDAP directory.
CVSS: HIGH (8.6) EPSS Score: 0.16%
November 27th, 2024 (5 months ago)
|
|
CVE-2023-33466 |
Description: Orthanc before 1.12.0 allows authenticated users with access to the Orthanc API to overwrite arbitrary files on the file system, and in specific deployment scenarios allows the attacker to overwrite the configuration, which can be exploited to trigger Remote Code Execution (RCE).
CVSS: LOW (0.0) EPSS Score: 0.37%
November 27th, 2024 (5 months ago)
|
|
CVE-2023-33411 |
Description: A web server in the Intelligent Platform Management Interface (IPMI) baseboard management controller (BMC) implementation on Supermicro X11 and M11 based devices, with firmware versions up to 3.17.02, allows remote unauthenticated users to perform directory traversal, potentially disclosing sensitive information.
CVSS: LOW (0.0) EPSS Score: 0.21%
November 27th, 2024 (5 months ago)
|
|
CVE-2023-33335 |
|
|
CVE-2023-33276 |
Description: The web interface of Gira Giersiepen Gira KNX/IP-Router 3.1.3683.0 and 3.3.8.0 responds with a "404 - Not Found" status code if a path is accessed that does not exist. However, the value of the path is reflected in the response. As the application will reflect the supplied path without context-sensitive HTML encoding, it is vulnerable to reflective cross-site scripting (XSS).
CVSS: LOW (0.0) EPSS Score: 0.09%
November 27th, 2024 (5 months ago)
|
|
CVE-2023-32610 |
|
|
CVE-2023-31999 |
Description: All versions of @fastify/oauth2 used a statically generated state parameter at startup time and were used across all requests for all users. The purpose of the Oauth2 state parameter is to prevent Cross-Site-Request-Forgery attacks. As such, it should be unique per user and should be connected to the user's session in some way that will allow the server to validate it.
v7.2.0 changes the default behavior to store the state in a cookie with the http-only and same-site=lax attributes set. The state is now by default generated for every user. Note that this contains a breaking change in the checkStateFunction function, which now accepts the full Request object.
CVSS: LOW (0.0) EPSS Score: 0.15%
November 27th, 2024 (5 months ago)
|
|
CVE-2023-31997 |
Description: UniFi OS 3.1 introduces a misconfiguration on consoles running UniFi Network that allows users on a local network to access MongoDB. Applicable Cloud Keys that are both (1) running UniFi OS 3.1 and (2) hosting the UniFi Network application. "Applicable Cloud Keys" include the following: Cloud Key Gen2 and Cloud Key Gen2 Plus.
CVSS: LOW (0.0) EPSS Score: 0.04%
November 27th, 2024 (5 months ago)
|