An unauthenticated privilege-escalation issue exists in the bbPress plugin before 2.6.5 for WordPress when New User Registration is enabled.
Max CVSS
9.8
EPSS Score
83.25%
Published
2020-05-29
Updated
2021-12-13
parser/js/js-scanner.c in JerryScript 2.2.0 mishandles errors during certain out-of-memory conditions, as demonstrated by a scanner_reverse_info_list NULL pointer dereference and a scanner_scan_all assertion failure.
Max CVSS
7.5
EPSS Score
0.18%
Published
2020-05-28
Updated
2021-07-21
In GNOME glib-networking through 2.64.2, the implementation of GTlsClientConnection skips hostname verification of the server's TLS certificate if the application fails to specify the expected server identity. This is in contrast to its intended documented behavior, to fail the certificate verification. Applications that fail to provide the server identity, including Balsa before 2.5.11 and 2.6.x before 2.6.1, accept a TLS certificate if the certificate is valid for any host.
Max CVSS
6.5
EPSS Score
0.57%
Published
2020-05-28
Updated
2021-06-22
An issue was discovered in the Accordion plugin before 2.2.9 for WordPress. The unprotected AJAX wp_ajax_accordions_ajax_import_json action allowed any authenticated user with Subscriber or higher permissions the ability to import a new accordion and inject malicious JavaScript as part of the accordion.
Max CVSS
5.4
EPSS Score
0.05%
Published
2020-05-28
Updated
2020-05-28
An issue was discovered in the SiteOrigin Page Builder plugin before 2.10.16 for WordPress. The live editor feature did not do any nonce verification, allowing for requests to be forged on behalf of an administrator. The live_editor_panels_data $_POST variable allows for malicious JavaScript to be executed in the victim's browser.
Max CVSS
8.8
EPSS Score
0.11%
Published
2020-05-28
Updated
2020-05-28
An issue was discovered in the SiteOrigin Page Builder plugin before 2.10.16 for WordPress. The action_builder_content function did not do any nonce verification, allowing for requests to be forged on behalf of an administrator. The panels_data $_POST variable allows for malicious JavaScript to be executed in the victim's browser.
Max CVSS
8.8
EPSS Score
0.11%
Published
2020-05-28
Updated
2020-05-28
An issue was discovered in the Real-Time Find and Replace plugin before 4.0.2 for WordPress. The far_options_page function did not do any nonce verification, allowing for requests to be forged on behalf of an administrator. The find and replace rules could be updated with malicious JavaScript, allowing for that to be executed later in the victim's browser.
Max CVSS
8.8
EPSS Score
0.11%
Published
2020-05-28
Updated
2020-05-28
In Windows Master (aka Windows Optimization Master) 7.99.13.604, the driver file (WoptiHWDetect.SYS) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0xF1002558.
Max CVSS
7.8
EPSS Score
0.04%
Published
2020-05-29
Updated
2020-05-29
Fork before 5.8.3 allows XSS via navigation_title or title.
Max CVSS
6.1
EPSS Score
0.08%
Published
2020-05-27
Updated
2020-05-27
ext/fts3/fts3_snippet.c in SQLite before 3.32.0 has a NULL pointer dereference via a crafted matchinfo() query.
Max CVSS
5.5
EPSS Score
0.09%
Published
2020-05-27
Updated
2022-05-13
SQLite before 3.32.0 allows a virtual table to be renamed to the name of one of its shadow tables, related to alter.c and build.c.
Max CVSS
5.5
EPSS Score
0.11%
Published
2020-05-27
Updated
2022-05-13
ext/fts3/fts3.c in SQLite before 3.32.0 has a use-after-free in fts3EvalNextRow, related to the snippet feature.
Max CVSS
7.0
EPSS Score
0.06%
Published
2020-05-27
Updated
2022-05-13
Cross-site scripting (XSS) vulnerability allows remote attackers to inject arbitrary web script or HTML via the widgetId parameter to host-monitoring/src/toolbar.php. This vulnerability is fixed in versions 1.6.4, 18.10.3, 19.04.3, and 19.0.1 of the Centreon host-monitoring widget; 1.6.4, 18.10.5, 19.04.3, 19.10.2 of the Centreon service-monitoring widget; and 1.0.3, 18.10.1, 19.04.1, 19.10.1 of the Centreon tactical-overview widget.
Max CVSS
6.1
EPSS Score
0.13%
Published
2020-05-27
Updated
2020-05-28
Cross-site scripting (XSS) vulnerability allows remote attackers to inject arbitrary web script or HTML via the widgetId parameter to service-monitoring/src/index.php. This vulnerability is fixed in versions 1.6.4, 18.10.3, 19.04.3, and 19.0.1 of the Centreon host-monitoring widget; 1.6.4, 18.10.5, 19.04.3, 19.10.2 of the Centreon service-monitoring widget; and 1.0.3, 18.10.1, 19.04.1, 19.10.1 of the Centreon tactical-overview widget.
Max CVSS
6.1
EPSS Score
0.13%
Published
2020-05-27
Updated
2020-05-28
JerryScript 2.2.0 allows attackers to cause a denial of service (stack consumption) via a proxy operation.
Max CVSS
7.5
EPSS Score
0.12%
Published
2020-05-27
Updated
2020-05-27
JerryScript 2.2.0 allows attackers to cause a denial of service (assertion failure) because a property key query for a Proxy object returns unintended data.
Max CVSS
7.5
EPSS Score
0.11%
Published
2020-05-27
Updated
2020-05-27
The boost ASIO wrapper in net/asio.cpp in Pichi before 1.3.0 lacks TLS hostname verification.
Max CVSS
5.9
EPSS Score
0.15%
Published
2020-05-26
Updated
2020-05-29
lib/QoreSocket.cpp in Qore before 0.9.4.2 lacks hostname verification for X.509 certificates.
Max CVSS
5.9
EPSS Score
0.10%
Published
2020-05-26
Updated
2020-05-28
An issue was discovered in ssl.c in Axel before 2.17.8. The TLS implementation lacks hostname verification.
Max CVSS
5.9
EPSS Score
0.26%
Published
2020-05-26
Updated
2022-11-14
The Knock Knock plugin before 1.2.8 for Craft CMS allows malicious redirection.
Max CVSS
6.1
EPSS Score
0.08%
Published
2020-05-25
Updated
2020-05-26
The Knock Knock plugin before 1.2.8 for Craft CMS allows IP Whitelist bypass via an X-Forwarded-For HTTP header.
Max CVSS
9.1
EPSS Score
0.20%
Published
2020-05-25
Updated
2020-05-26
EM-HTTP-Request 1.1.5 uses the library eventmachine in an insecure way that allows an attacker to perform a man-in-the-middle attack against users of the library. The hostname in a TLS server certificate is not verified.
Max CVSS
7.4
EPSS Score
0.09%
Published
2020-05-25
Updated
2021-02-24
An issue was discovered in the Image Resizer plugin before 2.0.9 for Craft CMS. There is stored XSS in the Bulk Resize action.
Max CVSS
5.4
EPSS Score
0.05%
Published
2020-05-25
Updated
2020-05-27
An issue was discovered in the Image Resizer plugin before 2.0.9 for Craft CMS. There are CSRF issues with the log-clear controller action.
Max CVSS
8.8
EPSS Score
0.07%
Published
2020-05-25
Updated
2020-05-27
A remote code execution vulnerability exists in DEXT5Upload in DEXT5 through 2.7.1402870. An attacker can upload a PHP file via dext5handler.jsp handler because the uploaded file is stored under dext5uploadeddata/.
Max CVSS
9.8
EPSS Score
1.23%
Published
2020-05-25
Updated
2020-05-27
944 vulnerabilities found