5.3
CVE-2023-47803 -
A vulnerability regarding improper limitation of a pathname to a restricted directory ('Path Traversal') is found in the Language Settings functionality. This allows remote attackers to read specific files containing non-sensitive information via unspecified vectors. The following models with Synolβ¦
7.2
CVE-2023-47802 -
A vulnerability regarding improper neutralization of special elements used in an OS command ('OS Command Injection') is found in the IP block functionality. This allows remote authenticated users with administrator privileges to execute arbitrary commands via unspecified vectors. The following modeβ¦
6.1
CVE-2024-5730 - Pagerank Tools <= 1.1.5 - Reflected XSS
The Pagerank tools WordPress plugin through 1.1.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
6.1
CVE-2024-5729 - Simple AL Slider <= 1.2.10 - Reflected XSS
The Simple AL Slider WordPress plugin through 1.2.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
5.4
CVE-2024-5728 - Animated AL List <= 1.0.6 - Reflected XSS
The Animated AL List WordPress plugin through 1.0.6 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
4.7
CVE-2024-5727 - Widget4Call <= 1.0.7 - Reflected XSS
The Widget4Call WordPress plugin through 1.0.7 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin
6.5
CVE-2024-5570 - Simple Photoswipe <= 0.1 - Subscriber+ Arbitrary Settings Update
The Simple Photoswipe WordPress plugin through 0.1 does not have authorisation check when updating its settings, which could allow any authenticated users, such as subscriber to update them
3.7
CVE-2024-30109 - Lack of Clickjacking Protection vulnerability affects DRYiCE AEX v10
HCL DRYiCE AEX is impacted by a lack of clickjacking protection in the AEX web application. An attacker can use multiple transparent or opaque layers to trick a user into clicking on a button or link on another page than the one intended.
8.1
CVE-2024-37282 -
It was identified that under certain specific preconditions, an API key that was originally created with a specific privileges could be subsequently used to create new API keys that have elevated privileges.
6.4
CVE-2024-6296 - Stackable β Page Builder Gutenberg Blocks <= 3.13.1 - Authenticated (Contributor+) DOM-Based Storedβ¦
The Stackable β Page Builder Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the βdata-captionβ parameter in all versions up to, and including, 3.13.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackerβ¦