| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ELEXtensions ELEX Product Feed for WooCommerce allows SQL Injection. This issue affects ELEX Product Feed for WooCommerce: from n/a through 3.1.2. |
| Cross-Site Request Forgery (CSRF) vulnerability in Syed Balkhi Beacon Lead Magnets and Lead Capture allows Cross Site Request Forgery. This issue affects Beacon Lead Magnets and Lead Capture: from n/a through 1.5.8. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Lehel Mátyus Legal Terms and Conditions Popup for User Login and WooCommerce Checkout – TPUL allows Stored XSS. This issue affects Legal Terms and Conditions Popup for User Login and WooCommerce Checkout – TPUL: from n/a through 2.0.3. |
| Incorrect Authorization vulnerability in OpenText™ Operations Bridge Manager.
The vulnerability could allow authenticated users to change their password without providing their old password.
This issue affects Operations Bridge Manager: 24.2, 24.4. |
| Besu Native contains scripts and tooling that is used to build and package the native libraries used by the Ethereum client Hyperledger Besu. Besu 24.7.1 through 25.2.2, corresponding to besu-native versions 0.9.0 through 1.2.1, have a potential consensus bug for the precompiles ALTBN128_ADD (0x06), ALTBN128_MUL (0x07), and ALTBN128_PAIRING (0x08). These precompiles were reimplemented in besu-native using gnark-crypto's bn254 implementation, as the former implementation used a library which was no longer maintained and not sufficiently performant. The new gnark implementation was initially added in version 0.9.0 of besu-native but was not utilized by Besu until version 0.9.2 in Besu 24.7.1. The issue is that there are EC points which may be crafted which are in the correct subgroup but are not on the curve and the besu-native gnark implementation was relying on subgroup checks to perform point-on-curve checks as well. The version of gnark-crypto used at the time did not do this check when performing subgroup checks. The result is that it was possible for Besu to give an incorrect result and fall out of consensus when executing one of these precompiles against a specially crafted input point. Additionally, homogenous Besu-only networks can potentially enshrine invalid state which would be incorrect and difficult to process with patched versions of besu which handle these calls correctly. The underlying defect has been patched in besu-native release 1.3.0. The fixed version of Besu is version 25.3.0. As a workaround for versions of Besu with the problem, the native precompile for altbn128 may be disabled in favor of the pure-java implementation. The pure java implementation is significantly slower, but does not have this consensus issue. |
| IXON VPN Client before 1.4.4 on Windows allows Local Privilege Escalation to SYSTEM because there is code execution from a configuration file that can be controlled by a low-privileged user. There is a race condition in which a temporary configuration file, in a world-writable directory, can be overwritten. |
| Cross-Site Request Forgery (CSRF) vulnerability in Smaily Smaily for WP allows Cross Site Request Forgery. This issue affects Smaily for WP: from n/a through 3.1.6. |
| Cross-Site Request Forgery (CSRF) vulnerability in Credova Financial Credova_Financial allows Cross Site Request Forgery. This issue affects Credova_Financial: from n/a through 2.5.0. |
| Endpoint /cgi-bin-igd/netcore_set.cgi which is used for changing device configuration is accessible without authentication. This poses a significant security threat allowing for e.g: administrator account hijacking or AP password changing.
The vendor was contacted early about this disclosure but did not respond in any way. |
| Cross-Site Request Forgery (CSRF) vulnerability in DAEXT Soccer Live Scores allows Cross Site Request Forgery. This issue affects Soccer Live Scores: from n/a through 1.0.5. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sarvesh M Rao WP Discord Invite allows Stored XSS. This issue affects WP Discord Invite: from n/a through 2.5.3. |
| BrightSign players running BrightSign OS series 4 prior to v8.5.53.1 or
series 5 prior to v9.0.166 contain an execution with unnecessary
privileges vulnerability, allowing for privilege escalation on the
device once code execution has been obtained. |
| Incorrect Authorization vulnerability in OpenText™ Operations Bridge Manager. The vulnerability could allows privilege escalation by authenticated users.This issue affects Operations Bridge Manager: 2023.05, 23.4, 24.2, 24.4. |
| IXON VPN Client before 1.4.4 on Linux and macOS allows Local Privilege Escalation to root because there is code execution from a configuration file that can be controlled by a low-privileged user. There is a race condition in which a temporary configuration file, in a world-writable directory, can be overwritten. |
| Improper Control of Generation of Code ('Code Injection') vulnerability in Ultimate Member Ultimate Member allows Code Injection. This issue affects Ultimate Member: from n/a through 2.10.3. |
| Cross-Site Request Forgery (CSRF) vulnerability in themarketer2023 theMarketer allows Stored XSS. This issue affects theMarketer: from n/a through 1.4.7. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in motov.net Ebook Store allows DOM-Based XSS. This issue affects Ebook Store: from n/a through 5.8007. |
| Path Traversal vulnerability in ilmosys Open Close WooCommerce Store allows PHP Local File Inclusion. This issue affects Open Close WooCommerce Store: from n/a through 4.9.5. |
| Cross-Site Request Forgery (CSRF) vulnerability in Igor Benic Simple Giveaways allows Cross Site Request Forgery. This issue affects Simple Giveaways: from n/a through 2.48.2. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AppJetty WP jQuery DataTable allows Stored XSS. This issue affects WP jQuery DataTable: from n/a through 4.1.0. |
