Latest Common Vulnerabilities and Exposures
The Common Vulnerabilities and Exposures (CVE) system is a catalog of publicly disclosed cybersecurity vulnerabilities. Each entry receives a single identifier so that advisories, scanners and vulnerability databases can refer to the same issue; CVE records the identifier and a short description, while severity scores such as CVSS are assigned separately (by NVD or the reporting CNA), which is why recently published entries below still show N/A. CVE is operated by the MITRE Corporation, a not-for-profit organization that runs federally funded research and development centers (FFRDCs), and is sponsored by the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
mosparo/mosparo
on GitHub
CVSS v3:
N/A
CVSS v2:
N/A
Open Redirect in GitHub repository mosparo/mosparo prior to 1.0.2.
salesagility/SuiteCRM
on GitHub
CVSS v3:
N/A
CVSS v2:
N/A
Improper Access Control in GitHub repository salesagility/suitecrm prior to 7.14.1.
salesagility/SuiteCRM
on GitHub
CVSS v3:
N/A
CVSS v2:
N/A
Cross-site Scripting (XSS) - Stored in GitHub repository salesagility/suitecrm prior to 7.14.1.
salesagility/SuiteCRM
on GitHub
CVSS v3:
N/A
CVSS v2:
N/A
SQL Injection in GitHub repository salesagility/suitecrm prior to 7.14.1.
FreeOpcUa/opcua-asyncio
on GitHub
CVSS v3:
N/A
CVSS v2:
N/A
Versions of the package asyncua before 0.9.96 are vulnerable to Denial of Service (DoS) such that an attacker can send a malformed packet and as a result, the server will enter into an infinite loop and consume excessive memory.
FreeOpcUa/opcua-asyncio
on GitHub
CVSS v3:
N/A
CVSS v2:
N/A
Versions of the package asyncua before 0.9.96 are vulnerable to Improper Authentication such that it is possible to access Address Space without encryption and authentication. **Note:** This issue is a result of missing checks for services that require an active session.
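The two asyncua entries above describe the same two server-side mistakes that any binary protocol handler can make: a framing loop that does not reject a malformed length field (so it spins or buffers attacker-chosen amounts), and service handlers that run without checking for an active session. The following is an added illustration written for this page, not opcua-asyncio's code and not the OPC UA wire format; the header layout, service numbers, size caps and the `Server` class are all constructed for the example.

```python
import struct

# Constructed wire format for this example (not OPC UA):
#   1 byte service id | 4-byte little-endian total message size (header included) | payload
HEADER = struct.Struct("<BI")
MAX_MESSAGE = 64 * 1024          # cap on what one message may ask the server to buffer
MAX_MESSAGES_PER_BUFFER = 1000   # cap on loop iterations per received buffer

SVC_HELLO, SVC_CREATE_SESSION, SVC_READ = 1, 2, 3
# Only these services may be called before a session exists; everything else needs one.
SESSION_FREE = {SVC_HELLO, SVC_CREATE_SESSION}


class MalformedMessage(ValueError):
    """Raised instead of looping or allocating when framing is inconsistent."""


def frame(service, payload):
    """Encode one message in the constructed format."""
    return HEADER.pack(service, HEADER.size + len(payload)) + payload


def split_messages(buf):
    """Split a received buffer into (service, payload) pairs, failing closed on bad framing.

    A size field smaller than the header would never advance `offset`, so an
    unchecked loop would spin forever on a single packet; a size larger than the
    buffer or the cap would make the server trust an attacker-chosen length.
    """
    out = []
    offset = 0
    while offset < len(buf):
        if len(out) >= MAX_MESSAGES_PER_BUFFER:
            raise MalformedMessage("too many messages in one buffer")
        if len(buf) - offset < HEADER.size:
            raise MalformedMessage("truncated header")
        service, size = HEADER.unpack_from(buf, offset)
        if size < HEADER.size or size > MAX_MESSAGE or offset + size > len(buf):
            raise MalformedMessage(f"bad size {size} at offset {offset}")
        out.append((service, bytes(buf[offset + HEADER.size:offset + size])))
        offset += size           # always strictly positive here, so the loop terminates
    return out


class Server:
    """Minimal dispatcher: the session check runs before any service-specific code."""

    def __init__(self):
        self.sessions = set()
        self.next_id = 1
        self.address_space = {"Temperature": 21.5}   # constructed sample data

    def handle(self, service, payload, session_id=None):
        # Central gate: a service that is not session-free needs an active session.
        # The missing-check failure mode is simply the absence of this branch.
        if service not in SESSION_FREE and session_id not in self.sessions:
            return ("BadSessionIdInvalid", None)
        if service == SVC_HELLO:
            return ("Ack", None)
        if service == SVC_CREATE_SESSION:
            sid = self.next_id
            self.next_id += 1
            self.sessions.add(sid)
            return ("Ok", sid)
        if service == SVC_READ:
            name = payload.decode("ascii", "replace")
            return ("Ok", self.address_space.get(name))
        return ("BadServiceUnsupported", None)


if __name__ == "__main__":
    srv = Server()
    print(srv.handle(SVC_READ, b"Temperature"))            # rejected: no session
    status, sid = srv.handle(SVC_CREATE_SESSION, b"")
    print(srv.handle(SVC_READ, b"Temperature", session_id=sid))
    try:
        split_messages(struct.pack("<BI", SVC_READ, 0) + b"xx")
    except MalformedMessage as exc:
        print("rejected:", exc)
```

The important design choice is that both checks are structural rather than per-service: the framing loop cannot reach a non-advancing state, and the session gate sits in front of the dispatch table, so adding a new service cannot silently skip it.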
nbluis/static-server
on GitHub
CVSS v3:
N/A
CVSS v2:
N/A
All versions of the package static-server are vulnerable to Directory Traversal due to improper input sanitization passed via the validPath function of server.js.
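The static-server entry is a directory traversal in a path-validation routine, the classic mistake of checking the request path before it has been decoded and normalised. The block below is an added example written for this page in Python, not static-server's `validPath` and not a port of it; the document root and the request paths are constructed. It contrasts a join-and-serve pattern with a check that decodes, normalises and then confines the result to the root.

```python
import posixpath
from urllib.parse import unquote

# Constructed document root for the example.
ROOT = "/srv/www/public"


def naive_path(root, url_path):
    """The failing pattern: strip a leading slash and join. '..' segments survive."""
    rel = unquote(url_path).lstrip("/")
    return posixpath.join(root, rel)


def safe_path(root, url_path):
    """Map a request path onto the document root; return None if it would escape.

    Order matters: decode first (so %2e%2e becomes ..), normalise second (so the
    .. segments are actually applied), and only then compare against the root.
    """
    rel = unquote(url_path)
    if "\x00" in rel:                      # NUL could truncate the path at the OS boundary
        return None
    candidate = posixpath.normpath(posixpath.join(root, rel.lstrip("/")))
    # Confinement: the candidate is the root itself or lies strictly below root + "/".
    # The trailing slash matters, otherwise /srv/www/public2 would pass a prefix test.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for req in ["/index.html", "/css/../index.html", "/../../etc/passwd",
                "/%2e%2e/%2e%2e/etc/passwd", "/../public2/secret"]:
        print(f"{req:32} naive={naive_path(ROOT, req):40} safe={safe_path(ROOT, req)}")
```

This check is lexical. On a real filesystem, resolve the final candidate with `os.path.realpath` and repeat the confinement test so that a symlink inside the root cannot point back out of it.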
xiph/vorbis
on GitHub
CVSS v3:
N/A
CVSS v2:
N/A
Buffer Overflow vulnerability in Vorbis-tools v.1.4.2 allows a local attacker to execute arbitrary code and cause a denial of service during the conversion of wav files to ogg files.
pretix/pretix
on GitHub
CVSS v3:
N/A
CVSS v2:
N/A
An issue was discovered in pretix before 2023.7.1. Incorrect parsing of configuration files causes the application to trust unchecked X-Forwarded-For headers even though it has not been configured to do so. This can lead to IP address spoofing by users of the application.
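The pretix entry is a reminder that X-Forwarded-For is attacker-controlled unless the immediate peer is a proxy you have explicitly configured, and that "not configured" has to parse as "trust nothing". The following is an added example for this page, not pretix's code or its configuration format; the setting names, the sample proxy ranges and the request values are constructed. It shows strict parsing of the relevant settings and a right-to-left walk of the header that stops at the first untrusted hop.

```python
import ipaddress


def bool_setting(raw):
    """Strict boolean parsing for a config value: only explicit truthy spellings enable a feature.

    The generic failure mode is `if raw:` on the raw string, where "false" is truthy.
    """
    if raw is None:
        return False
    return raw.strip().lower() in ("1", "true", "yes", "on")


def parse_trusted_proxies(raw):
    """Parse a comma-separated list of IPs/CIDRs; an unset or empty value trusts nobody."""
    if raw is None:
        return []
    nets = []
    for item in raw.split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def client_ip(remote_addr, xff_header, trusted_proxies):
    """Return the address to treat as the client.

    remote_addr is the TCP peer; xff_header is the raw X-Forwarded-For value or None.
    The header is consulted only when the peer is a trusted proxy, and hops are
    consumed from the right (nearest proxy) until the first untrusted address.
    """
    if not trusted_proxies:
        return remote_addr                       # feature off: header ignored entirely

    def trusted(ip):
        return any(ipaddress.ip_address(ip) in net for net in trusted_proxies)

    if not trusted(remote_addr) or not xff_header:
        return remote_addr                       # peer is not a proxy we configured
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if trusted(hop):
                continue                         # added by one of our proxies; keep walking
        except ValueError:
            return remote_addr                   # malformed entry: fail closed to the socket peer
        return hop                               # first address our proxies did not add
    return remote_addr                           # every hop was ours; nothing external to report


if __name__ == "__main__":
    proxies = parse_trusted_proxies("10.0.0.0/8, 192.0.2.10")
    print(client_ip("10.0.0.5", "1.2.3.4, 198.51.100.1, 10.0.0.9", proxies))  # 198.51.100.1
    print(client_ip("203.0.113.7", "1.2.3.4", proxies))                       # 203.0.113.7
    print(client_ip("203.0.113.7", "1.2.3.4", parse_trusted_proxies("")))     # 203.0.113.7
```

Anything that uses the result for rate limiting, IP allow-lists or audit logs should use this resolved value, never the leftmost header entry, which a client can set to whatever it likes.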
vim/vim
on GitHub
CVSS v3:
N/A
CVSS v2:
N/A
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1969.
CVSS v3:
N/A
CVSS v2:
N/A
A vulnerability was found in Most Popular Posts Widget Plugin up to 0.8 on WordPress. It has been classified as critical. Affected is the function add_views/show_views of the file functions.php. The manipulation leads to sql injection. It is possible to launch the attack remotely. Upgrading to version 0.9 is able to address this issue. The patch is identified as a99667d11ac8d320006909387b100e9a8b5c12e1. It is recommended to upgrade the affected component. VDB-241026 is the identifier assigned to this vulnerability.
gitlab-org/gitlab
on GitLab
CVSS v3:
N/A
CVSS v2:
N/A
An issue has been discovered in Ultimate-licensed GitLab EE affecting all versions starting 13.12 prior to 16.2.8, 16.3.0 prior to 16.3.5, and 16.4.0 prior to 16.4.1 that could allow an attacker to impersonate users in CI pipelines through direct transfer group imports.
Dolibarr/dolibarr
on GitHub
CVSS v3:
6.1 MEDIUM
CVSS v2:
N/A
Cross-site Scripting (XSS) - Generic in GitHub repository dolibarr/dolibarr prior to 18.0.
webmproject/libvpx
on GitHub
CVSS v3:
7.5 HIGH
CVSS v2:
N/A
VP9 in libvpx before 1.13.1 mishandles widths, leading to a crash related to encoding.
Hamza417/Inure
on GitHub
CVSS v3:
5.5 MEDIUM
CVSS v2:
N/A
Missing Authorization in GitHub repository hamza417/inure prior to build94.
gitlab-org/gitlab
on GitLab
CVSS v3:
8.8 HIGH
CVSS v2:
N/A
A vulnerability was discovered in GitLab CE and EE affecting all versions starting 16.0 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1. An authenticated attacker could perform arbitrary pipeline execution under the context of another user.
microweber/microweber
on GitHub
CVSS v3:
7.5 HIGH
CVSS v2:
N/A
Use of Hard-coded Credentials in GitHub repository microweber/microweber prior to 2.0.
thorsten/phpMyFAQ
on GitHub
CVSS v3:
6.1 MEDIUM
CVSS v2:
N/A
Cross-site Scripting (XSS) - DOM in GitHub repository thorsten/phpmyfaq prior to 3.1.18.
thorsten/phpMyFAQ
on GitHub
CVSS v3:
5.4 MEDIUM
CVSS v2:
N/A
Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.18.
thorsten/phpMyFAQ
on GitHub
CVSS v3:
5.4 MEDIUM
CVSS v2:
N/A
Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.18.
thorsten/phpMyFAQ
on GitHub
CVSS v3:
6.1 MEDIUM
CVSS v2:
N/A
Cross-site Scripting (XSS) - DOM in GitHub repository thorsten/phpmyfaq prior to 3.1.18.
thorsten/phpMyFAQ
on GitHub
CVSS v3:
9.8 CRITICAL
CVSS v2:
N/A
Unrestricted Upload of File with Dangerous Type in GitHub repository thorsten/phpmyfaq prior to 3.1.8.
postcss/postcss
on GitHub
CVSS v3:
N/A
CVSS v2:
N/A
An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be \r discrepancies, as demonstrated by @font-face{ font:(\r/*);} in a rule.
composer/composer
on GitHub
CVSS v3:
8.8 HIGH
CVSS v2:
N/A
Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be subject to a remote code execution vulnerability if PHP also has `register_argc_argv` enabled in php.ini. Versions 2.6.4, 2.2.22 and 1.10.27 patch this vulnerability. Users are advised to upgrade. Users unable to upgrade should make sure `register_argc_argv` is disabled in php.ini, and avoid publishing composer.phar to the web as this is not best practice.