Total
5268 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-29509 | 1 Xwiki | 1 Xwiki | 2025-02-06 | 10 Critical |
| XWiki Commons are technical libraries common to several other top level XWiki projects. Any user with view rights on commonly accessible documents can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the `documentTree` macro parameters in This macro is installed by default in `FlamingoThemesCode.WebHome`. This page is installed by default. The vulnerability has been patched in XWiki 13.10.11, 14.4.7 and 14.10. | ||||
| CVE-2023-29210 | 1 Xwiki | 1 Xwiki | 2025-02-06 | 10 Critical |
| XWiki Commons are technical libraries common to several other top level XWiki projects. Any user with view rights on commonly accessible documents including the notification preferences macros can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the user parameter of the macro that provide the notification filters. These macros are used in the user profiles and thus installed by default in XWiki. The vulnerability has been patched in XWiki 13.10.11, 14.4.7 and 14.10. | ||||
| CVE-2023-29212 | 1 Xwiki | 1 Xwiki | 2025-02-06 | 10 Critical |
| XWiki Commons are technical libraries common to several other top level XWiki projects. Any user with edit rights can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the included pages in the included documents edit panel. The problem has been patched on XWiki 14.4.7, and 14.10. | ||||
| CVE-2023-29214 | 1 Xwiki | 1 Xwiki | 2025-02-06 | 10 Critical |
| XWiki Commons are technical libraries common to several other top level XWiki projects. Any user with edit rights can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the included pages in the IncludedDocuments panel. The problem has been patched on XWiki 14.4.7, and 14.10. | ||||
| CVE-2024-37228 | 1 Instawp | 1 Instawp Connect | 2025-02-06 | 10 Critical |
| Improper Control of Generation of Code ('Code Injection') vulnerability in InstaWP Team InstaWP Connect allows Code Injection.This issue affects InstaWP Connect: from n/a through 0.1.0.38. | ||||
| CVE-2023-2017 | 1 Shopware | 1 Shopware | 2025-02-05 | 8.8 High |
| Server-side Template Injection (SSTI) in Shopware 6 (<= v6.4.20.0, v6.5.0.0-rc1 <= v6.5.0.0-rc4), affecting both shopware/core and shopware/platform GitHub repositories, allows remote attackers with access to a Twig environment without the Sandbox extension to bypass the validation checks in `Shopware\Core\Framework\Adapter\Twig\SecurityExtension` and call any arbitrary PHP function and thus execute arbitrary code/commands via usage of fully-qualified names, supplied as array of strings, when referencing callables. Users are advised to upgrade to v6.4.20.1 to resolve this issue. This is a bypass of CVE-2023-22731. | ||||
| CVE-2022-36963 | 1 Solarwinds | 1 Orion Platform | 2025-02-05 | 7.2 High |
| The SolarWinds Platform was susceptible to the Command Injection Vulnerability. This vulnerability allows a remote adversary with a valid SolarWinds Platform admin account to execute arbitrary commands. | ||||
| CVE-2024-37899 | 1 Xwiki | 1 Xwiki | 2025-02-05 | 9.1 Critical |
| XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When an admin disables a user account, the user's profile is executed with the admin's rights. This allows a user to place malicious code in the user profile before getting an admin to disable the user account. To reproduce, as a user without script nor programming rights, edit the about section of your user profile and add `{{groovy}}services.logging.getLogger("attacker").error("Hello from Groovy!"){{/groovy}}`. As an admin, go to the user profile and click the "Disable this account" button. Then, reload the page. If the logs show `attacker - Hello from Groovy!` then the instance is vulnerable. This has been patched in XWiki 14.10.21, 15.5.5, 15.10.6 and 16.0.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. ### Workarounds We're not aware of any workaround except upgrading. ### References * https://jira.xwiki.org/browse/XWIKI-21611 * https://github.com/xwiki/xwiki-platform/commit/f89c8f47fad6e5cc7e68c69a7e0acde07f5eed5a | ||||
| CVE-2024-49271 | 1 Unlimited-elements | 2 Unlimited Elements For Elementor, Unlimited Elements For Elementor \(free Widgets\, Addons\, Templates\) | 2025-02-05 | 9.1 Critical |
| : Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Unlimited Elements Unlimited Elements For Elementor (Free Widgets, Addons, Templates) allows : Command Injection.This issue affects Unlimited Elements For Elementor (Free Widgets, Addons, Templates): from n/a through 1.5.121. | ||||
| CVE-2025-0844 | 1 Needyamin | 1 Library Card System | 2025-02-04 | 4.3 Medium |
| A vulnerability was found in needyamin Library Card System 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file signup.php of the component Registration Page. The manipulation of the argument firstname/lastname/email/borrow/user_address leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. | ||||
| CVE-2023-29566 | 2 Dawnsparks-node-tesseract Project, Huedawn-tesseract Project | 2 Dawnsparks-node-tesseract, Huedawn-tesseract | 2025-02-04 | 9.8 Critical |
| huedawn-tesseract 0.3.3 and dawnsparks-node-tesseract 0.4.0 to 0.4.1 was discovered to contain a remote code execution (RCE) vulnerability via the child_process function. | ||||
| CVE-2023-26060 | 1 Nokia | 1 Netact | 2025-02-04 | 6.8 Medium |
| An issue was discovered in Nokia NetAct before 22 FP2211. On the Working Set Manager page, users can create a Working Set with a name that has a client-side template injection payload. Input validation is missing during creation of the working set. For an external attacker, it is very difficult to exploit this, because a few dynamically created parameters such as Jsession-id, a CSRF token, and an Nxsrf token would be needed. The attack can realistically only be performed by an internal user. | ||||
| CVE-2023-2259 | 1 Alf | 1 Alf | 2025-02-04 | 7.2 High |
| Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository alfio-event/alf.io prior to 2.0-M4-2304. | ||||
| CVE-2024-55504 | 2025-02-04 | 5.5 Medium | ||
| An issue in RAR Extractor - Unarchiver Free and Pro v.6.4.0 allows local attackers to inject arbitrary code potentially leading to remote control and unauthorized access to sensitive user data via the exploit_combined.dylib component on MacOS. | ||||
| CVE-2024-11036 | 1 Gamipress | 1 Gamipress | 2025-02-04 | 7.3 High |
| The The GamiPress – The #1 gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to arbitrary shortcode execution via gamipress_get_user_earnings AJAX action in all versions up to, and including, 7.1.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. | ||||
| CVE-2023-30404 | 1 Aigital | 2 Wireless-n Repeater Mini Router, Wireless-n Repeater Mini Router Firmware | 2025-02-03 | 9.8 Critical |
| Aigital Wireless-N Repeater Mini_Router v0.131229 was discovered to contain a remote code execution (RCE) vulnerability via the sysCmd parameter in the formSysCmd function. This vulnerability is exploited via a crafted HTTP request. | ||||
| CVE-2024-42911 | 2025-02-03 | 7.4 High | ||
| ECOVACS Robotics Deebot T20 OMNI and T20e OMNI before 1.24.0 was discovered to contain a WiFi Remote Code Execution vulnerability. | ||||
| CVE-2024-37061 | 1 Lfprojects | 1 Mlflow | 2025-02-03 | 8.8 High |
| Remote Code Execution can occur in versions of the MLflow platform running version 1.11.0 or newer, enabling a maliciously crafted MLproject to execute arbitrary code on an end user’s system when run. | ||||
| CVE-2024-6923 | 2 Python, Redhat | 7 Cpython, Enterprise Linux, Rhel Aus and 4 more | 2025-01-31 | 5.5 Medium |
| There is a MEDIUM severity vulnerability affecting CPython. The email module didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized. | ||||
| CVE-2024-11600 | 1 Visualmodo | 1 Borderless | 2025-01-31 | 7.2 High |
| The Borderless – Widgets, Elements, Templates and Toolkit for Elementor & Gutenberg plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.5.9 via the 'write_config' function. This is due to a lack of sanitization on an imported JSON file. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server. | ||||