Export limit exceeded: 338131 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (338131 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-49633 | 1 Kashipara | 1 Billing Software | 2025-06-17 | 9.8 Critical |
| Billing Software v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'buyer_address' parameter of the buyer_detail_submit.php resource does not validate the characters received and they are sent unfiltered to the database. | ||||
| CVE-2023-49625 | 1 Kashipara | 1 Billing Software | 2025-06-17 | 9.8 Critical |
| Billing Software v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'id' parameter of the partylist_edit_submit.php resource does not validate the characters received and they are sent unfiltered to the database. | ||||
| CVE-2023-49624 | 1 Kashipara | 1 Billing Software | 2025-06-17 | 9.8 Critical |
| Billing Software v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'cancelid' parameter of the material_bill.php resource does not validate the characters received and they are sent unfiltered to the database. | ||||
| CVE-2023-49622 | 1 Kashipara | 1 Billing Software | 2025-06-17 | 9.8 Critical |
| Billing Software v1.0 is vulnerable to multiple Unauthenticated SQL Injection vulnerabilities. The 'itemnameid' parameter of the material_bill.php?action=itemRelation resource does not validate the characters received and they are sent unfiltered to the database. | ||||
| CVE-2021-42028 | 1 Siemens-healthineers | 1 Syngo Fastview | 2025-06-17 | 7.8 High |
| A vulnerability has been identified in syngo fastView (All versions). The affected application lacks proper validation of user-supplied data when parsing BMP files. This could result in an out-of-bounds write past the end of an allocated structure. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-14860) | ||||
| CVE-2021-40367 | 1 Siemens-healthineers | 1 Syngo Fastview | 2025-06-17 | 7.8 High |
| A vulnerability has been identified in syngo fastView (All versions). The affected application lacks proper validation of user-supplied data when parsing DICOM files. This could result in an out-of-bounds write past the end of an allocated structure. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-15097) | ||||
| CVE-2024-0210 | 1 Wireshark | 1 Wireshark | 2025-06-17 | 7.8 High |
| Zigbee TLV dissector crash in Wireshark 4.2.0 allows denial of service via packet injection or crafted capture file | ||||
| CVE-2024-0207 | 1 Wireshark | 1 Wireshark | 2025-06-17 | 7.8 High |
| HTTP3 dissector crash in Wireshark 4.2.0 allows denial of service via packet injection or crafted capture file | ||||
| CVE-2023-6747 | 1 Fooplugins | 1 Foogallery | 2025-06-17 | 6.4 Medium |
| The Best WordPress Gallery Plugin – FooGallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom attributes in all versions up to, and including, 2.3.3 due to insufficient input sanitization and output escaping. This makes it possible for contributors and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2023-6629 | 1 Wpexperts | 1 Post Smtp | 2025-06-17 | 6.1 Medium |
| The POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘msg’ parameter in all versions up to, and including, 2.8.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2023-6524 | 1 Mappresspro | 1 Mappress | 2025-06-17 | 6.4 Medium |
| The MapPress Maps for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the map title parameter in all versions up to and including 2.88.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor access or higher to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2023-52313 | 1 Paddlepaddle | 1 Paddlepaddle | 2025-06-17 | 4.7 Medium |
| FPE in paddle.argmin and paddle.argmax in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service. | ||||
| CVE-2023-52311 | 1 Paddlepaddle | 1 Paddlepaddle | 2025-06-17 | 9.6 Critical |
| PaddlePaddle before 2.6.0 has a command injection in _wget_download. This resulted in the ability to execute arbitrary commands on the operating system. | ||||
| CVE-2023-52304 | 1 Paddlepaddle | 1 Paddlepaddle | 2025-06-17 | 8.2 High |
| Stack overflow in paddle.searchsorted in PaddlePaddle before 2.6.0. This flaw can lead to a denial of service, or even more damage. | ||||
| CVE-2023-52303 | 1 Paddlepaddle | 1 Paddlepaddle | 2025-06-17 | 4.7 Medium |
| Nullptr in paddle.put_along_axis in PaddlePaddle before 2.6.0. This flaw can cause a runtime crash and a denial of service. | ||||
| CVE-2023-50256 | 1 Froxlor | 1 Froxlor | 2025-06-17 | 7.5 High |
| Froxlor is open source server administration software. Prior to version 2.1.2, it was possible to submit the registration form with the essential fields, such as the username and password, left intentionally blank. This inadvertent omission allowed for a bypass of the mandatory field requirements (e.g. surname, company name) established by the system. Version 2.1.2 fixes this issue. | ||||
| CVE-2023-46740 | 1 Linuxfoundation | 1 Cubefs | 2025-06-17 | 6.5 Medium |
| CubeFS is an open-source cloud-native file storage system. Prior to version 3.3.1, CubeFS used an insecure random string generator to generate user-specific, sensitive keys used to authenticate users in a CubeFS deployment. This could allow an attacker to predict and/or guess the generated string and impersonate a user thereby obtaining higher privileges. When CubeFS creates new users, it creates a piece of sensitive information for the user called the “accessKey”. To create the "accesKey", CubeFS uses an insecure string generator which makes it easy to guess and thereby impersonate the created user. An attacker could leverage the predictable random string generator and guess a users access key and impersonate the user to obtain higher privileges. The issue has been fixed in v3.3.1. There is no other mitigation than to upgrade. | ||||
| CVE-2023-46739 | 1 Linuxfoundation | 1 Cubefs | 2025-06-17 | 6.5 Medium |
| CubeFS is an open-source cloud-native file storage system. A vulnerability was found during in the CubeFS master component in versions prior to 3.3.1 that could allow an untrusted attacker to steal user passwords by carrying out a timing attack. The root case of the vulnerability was that CubeFS used raw string comparison of passwords. The vulnerable part of CubeFS was the UserService of the master component. The UserService gets instantiated when starting the server of the master component. The issue has been patched in v3.3.1. For impacted users, there is no other way to mitigate the issue besides upgrading. | ||||
| CVE-2024-21632 | 1 Recognizeapp | 1 Omniauth\ | 2025-06-17 | 8.6 High |
| omniauth-microsoft_graph provides an Omniauth strategy for the Microsoft Graph API. Prior to versions 2.0.0, the implementation did not validate the legitimacy of the `email` attribute of the user nor did it give/document an option to do so, making it susceptible to nOAuth misconfiguration in cases when the `email` is used as a trusted user identifier. This could lead to account takeover. Version 2.0.0 contains a fix for this issue. | ||||
| CVE-2024-21629 | 1 Evm Project | 1 Evm | 2025-06-17 | 5.9 Medium |
| Rust EVM is an Ethereum Virtual Machine interpreter. In `rust-evm`, a feature called `record_external_operation` was introduced, allowing library users to record custom gas changes. This feature can have some bogus interactions with the call stack. In particular, during finalization of a `CREATE` or `CREATE2`, in the case that the substack execution happens successfully, `rust-evm` will first commit the substate, and then call `record_external_operation(Write(out_code.len()))`. If `record_external_operation` later fails, this error is returned to the parent call stack, instead of `Succeeded`. Yet, the substate commitment already happened. This causes smart contracts able to commit state changes, when the parent caller contract receives zero address (which usually indicates that the execution has failed). This issue only impacts library users with custom `record_external_operation` that returns errors. The issue is patched in release 0.41.1. No known workarounds are available. | ||||