Vulnerability management.
List of latest published vulnerabilities.
- [webapps] pfBlockerNG 2.1.4_26 - Remote Code Execution (RCE) (February 20, 2023)
- [remote] MSNSwitch Firmware MNT.2408 - Remote Code Execution (November 11, 2022)
- [remote] AVEVA InTouch Access Anywhere Secure Gateway 2020 R2 - Path Traversal (November 11, 2022)
- [local] IOTransfer V4 - Unquoted Service Path (November 11, 2022)
- [webapps] CVAT 2.0 - Server Side Request Forgery (November 11, 2022)
- [webapps] Open Web Analytics 1.7.3 - Remote Code Execution (November 11, 2022)
- [remote] SmartRG Router SR510n 2.6.13 - Remote Code Execution (November 11, 2022)
- [webapps] Wordpress Plugin ImageMagick-Engine 1.7.4 - Remote Code Execution (RCE) (Authenticated) (October 17, 2022)
- [webapps] Wordpress Plugin Zephyr Project Manager 3.2.42 - Multiple SQLi (October 6, 2022)
- [webapps] Feehi CMS 2.1.1 - Remote Code Execution (Authenticated) (September 23, 2022)
National Vulnerability Database
- CVE-2022-43663 (March 20, 2023): An integer conversion vulnerability exists in the SORBAx64.dll RecvPacket functionality of WellinTech KingHistorian 35.01.00.05. A specially crafted network packet can lead to a buffer overflow. An attacker can send a malicious packet to trigger this vulnerability.
- CVE-2022-45124 (March 20, 2023): An information disclosure vulnerability exists in the User authentication functionality of WellinTech KingHistorian 35.01.00.05. A specially crafted network packet can lead to a disclosure of sensitive information. An attacker can sniff network traffic to leverage this vulnerability.
- CVE-2023-27578 (March 20, 2023): Galaxy is an open-source platform for data analysis. All supported versions of Galaxy prior to 22.01, 22.05, and 23.0 are affected by an insufficient permission check. Unsupported versions are likely affected as far back as the functionality of Visualizations/Pages exists. Due to this issue, an attacker can modify or delete any Galaxy Visualization […]
- CVE-2023-28425 (March 20, 2023): Redis is an in-memory database that persists on disk. Starting in version 7.0.8 and prior to version 7.0.10, authenticated users can use the MSETNX command to trigger a runtime assertion and termination of the Redis server process. The problem is fixed in Redis version 7.0.10.
- CVE-2023-0681 (March 20, 2023): Rapid7 InsightVM versions 6.6.178 and lower suffer from an open redirect vulnerability, whereby an attacker has the ability to redirect the user to a site of the attacker's choice using the 'page' parameter of the 'data/console/redirect' component of the application. This issue was resolved in the February 2023 release of version 6.6.179.
- CVE-2023-27586 (March 20, 2023): CairoSVG is an SVG converter based on Cairo, a 2D graphics library. Prior to version 2.7.0, Cairo can send requests to external hosts when processing SVG files. A malicious actor could send a specially crafted SVG file that allows them to perform a server-side request forgery or denial of service. Version 2.7.0 disables CairoSVG's ability […]
- CVE-2023-22288 (March 20, 2023): HTML Email Injection in Tribe29 Checkmk.
- CVE-2023-1517 (March 20, 2023): Cross-site Scripting (XSS) - DOM in GitHub repository pimcore/pimcore prior to 10.5.19.
- CVE-2023-0631 (March 20, 2023): The Paid Memberships Pro WordPress plugin before 2.9.12 does not prevent subscribers from rendering shortcodes that concatenate attributes directly into an SQL query.
- CVE-2023-0630 (March 20, 2023): The Slimstat Analytics WordPress plugin before 4.9.3.3 does not prevent subscribers from rendering shortcodes that concatenate attributes directly into an SQL query.