52640 results (0.266 seconds)

CVSS: 6.2EPSS: 0%CPEs: 1EXPL: 1

06 Dec 2023 — Attacker can supply image that combined with specific MPI length leads to Arbitrary Code Execution via overwritten return address on stack. • https://github.com/desowin/zsitool/blob/master/exploit.md • CWE-121: Stack-based Buffer Overflow •

CVSS: 7.6EPSS: 0%CPEs: 3EXPL: 0

16 Nov 2023 — A physical attacker may leverage improper protection against voltage glitching in Qualcomm’s Secure Boot implementation in chipsets MSM8916 and APQ8016 to execute arbitrary code in the device due to a badly secured hash value check. • https://cyberintel.es/cve/notCVE-2023-0001/ • CWE-1247: Improper Protection Against Voltage and Clock Glitches •

CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0

21 Jan 2025 — The WPBot Pro Wordpress Chatbot plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'qcld_wpcfb_file_upload' function in all versions up to, and including, 13.5.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVSS: 9.1EPSS: 0%CPEs: -EXPL: 0

21 Jan 2025 — The script input feature of SpagoBI 3.5.1 allows arbitrary code execution. • https://github.com/MarioTesoro/CVE-2024-54794 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1

20 Jan 2025 — A vulnerability classified as problematic has been found in CampCodes School Management Software 1.0. This affects an unknown part of the file /chat/group/send of the component Chat History. The manipulation of the argument message leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. • https://github.com/KhukuriRimal/Vulnerabilities/blob/main/CampCodes%20-%20Stored%20Cross%20Site%20Scripting-%20Account%20Takeover%20Possibility.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 0

20 Jan 2025 — The a+HRD from aEnrich Technology has an Insecure Deserialization vulnerability, allowing remote attackers with database modification privileges and regular system privileges to perform arbitrary code execution. • https://www.twcert.org.tw/en/cp-139-8375-59abd-2.html • CWE-502: Deserialization of Untrusted Data •

CVSS: 5.3EPSS: 0%CPEs: -EXPL: 0

20 Jan 2025 — A vulnerability was found in Facile Sistemas Cloud Apps up to 20250107. It has been classified as problematic. Affected is an unknown function of the file /account/forgotpassword of the component Password Reset Handler. The manipulation of the argument reterros leads to cross site scripting. It is possible to launch the attack remotely. • https://vuldb.com/?ctiid.292596 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: -EPSS: 0%CPEs: -EXPL: 1

20 Jan 2025 — Those two defects combined then allows to inject arbitrary OS commands inside shell_exec() calls, thus achieving arbitrary code execution. • https://packetstorm.news/files/id/188748 •

CVSS: 6.9EPSS: 0%CPEs: 1EXPL: 0

19 Jan 2025 — A vulnerability was found in Mobotix M15 4.3.4.83 and classified as problematic. This issue affects some unknown processing of the file /control/player?center&eventlist&pda&dummy_for_reload=1736177631&p_evt. The manipulation of the argument p_qual leads to cross site scripting. The attack may be initiated remotely. • https://vuldb.com/?ctiid.292541 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 7.0EPSS: 0%CPEs: -EXPL: 0

19 Jan 2025 — An attacker can leverage this vulnerability to execute arbitrary code in the context of the current user. •