| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Improper Restriction of XML External Entity Reference vulnerability in RTI Connext Professional (Core Libraries) allows Serialized Data External Linking.This issue affects Connext Professional: from 7.4.0 before 7.7.0, from 7.0.0 before 7.3.1.1, from 6.1.0 before 6.1.*, from 6.0.0 before 6.0.*, from 5.3.0 before 5.3.*, from 4.3x before 5.2.*. |
| A remote attacker can inject LDAP special characters into the Distinguished Name (DN) construction in DefaultLdapRealm class. User-supplied username input is directly concatenated into the LDAP DN template without any escaping of RFC 2253 special characters. This allows an attacker to manipulate the DN structure used for LDAP bind authentication, potentially bypassing authentication or impersonating other users.
This issue affects all Apache Shiro versions through 2.2.0, and 3.0.0-alpha-1 when usingĀ DefaultLdapRealm
Upgrade to Apache Shiro 2.2.1 or 3.0.0-alpha-2 or later, which fixes the issue. |
| Unauthenticated Insecure Direct Object References (IDOR) in School Management <= 93.1.0 versions. |
| Plane CE 1.3.1 allows a low-privileged project member to submit arbitrary HTML/JS in the description_html field when creating an intake work item through the API v1 intake endpoint. |
| Dell PowerFlex Manager, version(s) Version prior to 4.8, contain(s) an Inclusion of Functionality from Untrusted Control Sphere vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure. |
| Allow authenticated users to access alert instances associated with alert groups they do not have permission to access. in Apache DolphinScheduler.
This issue affects Apache DolphinScheduler: before 3.4.2.
Users are recommended to upgrade to version 3.4.2, which fixes the issue. |
| Unauthenticated Local File Inclusion in Granola <= 1.13 versions. |
| Missing Authorization vulnerability in Shareaholic allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects Shareaholic: from n/a through 9.7.11. |
| Incorrect Authorization vulnerability of `/v2` experimental interface in Apache DolphinScheduler.
This issue affects Apache DolphinScheduler: before 3.4.2.
Users are recommended to upgrade to version 3.4.2, which fixes the issue. |
| Unauthenticated Local File Inclusion in EcoBlue <= 1.15 versions. |
| Unauthenticated Local File Inclusion in Ingenioso <= 1.14.0 versions. |
| Unauthenticated Local File Inclusion in Reprizo <= 1.0.8 versions. |
| Unauthenticated Local File Inclusion in Right Way <= 4.0 versions. |
| Unauthenticated SQL Injection in Tutor LMS Pro <= 3.9.6 versions. |
| Unauthenticated Local File Inclusion in Gat <= 1.16 versions. |
| Unauthenticated PHP Object Injection in Plumbing <= 1.6 versions. |
| Unauthenticated Local File Inclusion in Imba <= 1.5.0 versions. |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in QuantumCloud Conversational Forms for ChatBot allows Path Traversal.
This issue affects Conversational Forms for ChatBot: from n/a through 1.1.8. |
| Unauthenticated Local File Inclusion in Joly <= 1.22.0 versions. |
| Unauthenticated Local File Inclusion in Gunslinger <= 1.7 versions. |