| CVE | Vendors | Products | Updated | CVSS v3.1 |
| Unauthenticated Cross Site Scripting (XSS) in WPFunnels Pro <= 2.9.4 versions. |
| Subscriber Broken Access Control in WPBakery Page Builder <= 8.7.2 versions. |
| Unauthenticated Broken Authentication in PowerPack Pro for Elementor < v2.13.0 versions. |
| Unauthenticated Cross Site Scripting (XSS) in Profile Builder Pro <= 3.15.0 versions. |
| Unauthenticated PHP Object Injection in Reina <= 2.1 versions. |
| Unauthenticated Local File Inclusion in ChapterOne <= 1.7 versions. |
| Contributor Local File Inclusion in Element Pack Pro <= 9.0.6 versions. |
| Unauthenticated Local File Inclusion in Malmö <= 2.2 versions. |
| Unauthenticated Sensitive Data Exposure in Bricksforge <= 3.1.8.4 versions. |
| Subscriber Arbitrary File Upload in WishList Member X <= 3.29.0 versions. |
| Subscriber Broken Access Control in MetForm Pro <= 3.9.1 versions. |
| Unauthenticated Arbitrary File Download in WP Media folder Addon <= 4.0.1 versions. |
| Unauthenticated Local File Inclusion in HomeRoofer <= 2.11.0 versions. |
| An improper neutralization of special elements used in an OS command ('OS command injection') vulnerability in Fortinet FortiSandbox Cloud 5.0.4, FortiSandbox PaaS 5.0.4 may allow a privileged attacker with super-admin profile and CLI access to execute unauthorized code or commands via crafted HTTP requests. |
| GL-iNet GL-AR300M16 v4.3.11 was discovered to contain a command injection vulnerability via the module parameter in the M.get_system_log function. This vulnerability allows attackers to execute arbitrary commands via a crafted input. |
| telnetd in GNU inetutils through 2.7 allows an out-of-bounds write in the LINEMODE SLC (Set Local Characters) suboption handler because add_slc does not check whether the buffer is full. |
| OpenLiteSpeed and LSWS Enterprise provided by LiteSpeed Technologies contain an OS command injection vulnerability. An arbitrary OS command may be executed by an attacker with the administrative privilege. |
| pdf-image (npm package) through version 2.0.0 allows OS command injection via the pdfFilePath parameter. The constructGetInfoCommand and constructConvertCommandForPage functions use util.format() to interpolate user-controlled file paths into shell command strings that are executed via child_process.exec(). |
| textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to child_process.exec() in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequate sanitization. |
| An improper access control vulnerability in Fortinet FortiClientEMS 7.4.5 through 7.4.6 may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests. |