CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-0916 – Unauthenticated Remote Code Execution in UvDesk Community
https://notcve.org/view.php?id=CVE-2024-0916
Unauthenticated file upload allows remote code execution. This issue affects UvDesk Community: from 1.0.0 through 1.1.3. La carga de archivos no autenticados permite la ejecución remota de código. Este problema afecta a UvDesk Community: desde 1.0.0 hasta 1.1.3. • https://github.com/uvdesk/core-framework/pull/706 https://pentraze.com/vulnerability-reports • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-51210
https://notcve.org/view.php?id=CVE-2023-51210
SQL injection vulnerability in Webkul Bundle Product 6.0.1 allows a remote attacker to execute arbitrary code via the id_product parameters in the UpdateProductQuantity function. Vulnerabilidad de inyección SQL en Webkul Bundle Product 6.0.1 permite a un atacante remoto ejecutar código arbitrario a través de los parámetros id_product en la función UpdateProductQuantity. • https://medium.com/%40nasir.synack/uncovering-critical-vulnerability-cve-2023-51210-in-prestashop-plugin-bundle-product-pack-ad7fb08bdc91 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-36235
https://notcve.org/view.php?id=CVE-2023-36235
An issue in webkul qloapps before v1.6.0 allows an attacker to obtain sensitive information via the id_order parameter. Un problema en webkul qloapps anterior a v1.6.0 permite a un atacante obtener información confidencial a través del parámetro id_order. • https://github.com/Ek-Saini/security/blob/main/IDOR-Qloapps https://github.com/webkul/hotelcommerce/pull/537 https://qloapps.com • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-36236
https://notcve.org/view.php?id=CVE-2023-36236
Cross Site Scripting vulnerability in webkil Bagisto v.1.5.0 and before allows an attacker to execute arbitrary code via a crafted SVG file uplad. Vulnerabilidad de cross site scripting en webkil Bagisto v.1.5.0 y anteriores permite a un atacante ejecutar código arbitrario a través de una carga de archivo SVG manipulado. • https://bagisto.com/en https://github.com/Ek-Saini/security/blob/main/XSS_via_fileupload-bagisto https://github.com/bagisto/bagisto/pull/4764/commits/7bbf0c4bb565fc2601f031f9bbcdfa06e24dbd45 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2023-37636
https://notcve.org/view.php?id=CVE-2023-37636
A stored cross-site scripting (XSS) vulnerability in UVDesk Community Skeleton v1.1.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Message field when creating a ticket. Una vulnerabilidad de Cross-Site Scripting (XSS) almacenada en UVDesk Community Skeleton v1.1.1 permite a los atacantes ejecutar scripts web o HTML arbitrarios a través de un payload manipulado que se inyecta en el campo Mensaje al crear un ticket. • https://www.esecforte.com/cve-2023-37636-stored-cross-site-scripting • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •