CVE & Exploit Intelligence Database

Search and track vulnerabilities with real-time exploit intelligence. Cross-reference CVEs against public exploits from ExploitDB, Metasploit, GitHub, and Nuclei — with CVSS and EPSS scoring, CISA KEV monitoring, and AI-powered exploit analysis.

337,867 CVEs tracked | 53,243 with exploits | 4,725 exploited in wild | 1,540 CISA KEV | 3,925 Nuclei templates | 37,802 vendors | 42,500 researchers

352 results
CVE-2023-49863 6.5 MEDIUM EPSS 0.00
Wwbn Avideo - Information Disclosure
An information disclosure vulnerability exists in the aVideoEncoderReceiveImage.json.php image upload functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary file read. This vulnerability is triggered by the `downloadURL_webpimage` parameter.
CWE-610 Jan 10, 2024
CVE-2023-49862 6.5 MEDIUM EPSS 0.00
Wwbn Avideo - Information Disclosure
An information disclosure vulnerability exists in the aVideoEncoderReceiveImage.json.php image upload functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary file read. This vulnerability is triggered by the `downloadURL_gifimage` parameter.
CWE-610 Jan 10, 2024
CVE-2023-49738 7.5 HIGH EPSS 0.01
Wwbn Avideo - Information Disclosure
An information disclosure vulnerability exists in the image404Raw.php functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary file read.
CWE-73 Jan 10, 2024
CVE-2023-47862 9.8 CRITICAL EPSS 0.01
WWBN AVideo <dev - RCE
A local file inclusion vulnerability exists in the getLanguageFromBrowser functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary code execution. An attacker can send a series of HTTP requests to trigger this vulnerability.
CWE-73 Jan 10, 2024
CVE-2023-47171 6.5 MEDIUM EPSS 0.00
Wwbn Avideo - Information Disclosure
An information disclosure vulnerability exists in the aVideoEncoder.json.php chunkFile path functionality of WWBN AVideo 11.6 and dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary file read.
CWE-73 Jan 10, 2024
CVE-2024-20652 8.1 HIGH EPSS 0.03
Windows HTML Platforms < - Privilege Escalation
Windows HTML Platforms Security Feature Bypass Vulnerability
CWE-73 Jan 09, 2024
CVE-2024-0265 6.3 MEDIUM 1 Writeup EPSS 0.01
SourceCodester Clinic Queuing System 1.0 - File Inclusion
A vulnerability was found in SourceCodester Clinic Queuing System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /index.php of the component GET Parameter Handler. The manipulation of the argument page leads to file inclusion. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-249821 was assigned to this vulnerability.
CWE-73 Jan 07, 2024
CVE-2023-6569 8.2 HIGH EPSS 0.00
h2o-3 - Path Traversal
External Control of File Name or Path in h2oai/h2o-3
CWE-610 Dec 14, 2023
CVE-2023-36019 9.6 CRITICAL EPSS 0.01
Microsoft Power Platform Connector - Open Redirect
Microsoft Power Platform Connector Spoofing Vulnerability
CWE-73 Dec 12, 2023
CVE-2023-6618 5.5 MEDIUM EPSS 0.00
SourceCodester Simple Student Attendance System 1.0 - File Inclusion
A vulnerability was found in SourceCodester Simple Student Attendance System 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file index.php. The manipulation of the argument page leads to file inclusion. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-247255.
CWE-610 Dec 08, 2023
CVE-2023-5247 7.8 HIGH EPSS 0.00
Mitsubishielectric GX Works3 - Denial of Service
Malicious Code Execution Vulnerability due to External Control of File Name or Path in multiple Mitsubishi Electric FA Engineering Software Products allows a malicious attacker to execute a malicious code by having legitimate users open a specially crafted project file, which could result in information disclosure, tampering and deletion, or a denial-of-service (DoS) condition.
CWE-610 Nov 30, 2023
CVE-2023-40194 8.8 HIGH EPSS 0.00
Foxit Reader 12.1.3.15356 - Code Injection
An arbitrary file creation vulnerability exists in the Javascript exportDataObject API of Foxit Reader 12.1.3.15356 due to mistreatment of whitespace characters. A specially crafted malicious file can create files at arbitrary locations, which can lead to arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially crafted, malicious site if the browser plugin extension is enabled.
CWE-610 Nov 27, 2023
CVE-2023-39542 8.8 HIGH EPSS 0.00
Foxitsoftware Foxit Reader - Remote Code Execution
A code execution vulnerability exists in the Javascript saveAs API of Foxit Reader 12.1.3.15356. A specially crafted malformed file can create arbitrary files, which can lead to remote code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially crafted, malicious site if the browser plugin extension is enabled.
CWE-610 Nov 27, 2023
CVE-2023-35985 8.8 HIGH 2 PoCs Analysis EPSS 0.00
Foxit Reader 12.1.3.15356 - Code Injection
An arbitrary file creation vulnerability exists in the Javascript exportDataObject API of Foxit Reader 12.1.3.15356 due to a failure to properly validate a dangerous extension. A specially crafted malicious file can create files at arbitrary locations, which can lead to arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially-crafted malicious site if the browser plugin extension is enabled.
CWE-610 Nov 27, 2023
CVE-2023-34982 5.5 MEDIUM EPSS 0.00
Aveva Batch Management < 2020 - Denial of Service
This external control vulnerability, if exploited, could allow a local OS-authenticated user with standard privileges to delete files with System privilege on the machine where these products are installed, resulting in denial of service.
CWE-610 Nov 15, 2023
CVE-2023-46851 4.9 MEDIUM EPSS 0.00
Apache Allura <1.16.0 - Info Disclosure
Allura Discussion and Allura Forum importing does not restrict URL values specified in attachments. Project administrators can run these imports, which could cause Allura to read local files and expose them. Exposing internal files then can lead to other exploits, like session hijacking, or remote code execution. This issue affects Apache Allura from 1.0.1 through 1.15.0. Users are recommended to upgrade to version 1.16.0, which fixes the issue. If you are unable to upgrade, set "disable_entry_points.allura.importers = forge-tracker, forge-discussion" in your .ini config file.
CWE-200 Nov 07, 2023
CVE-2023-20114 6.5 MEDIUM EPSS 0.00
Cisco Firepower Management Center - RCE
A vulnerability in the file download feature of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to download arbitrary files from an affected system. This vulnerability is due to a lack of input sanitation. An attacker could exploit this vulnerability by sending a crafted HTTPS request. A successful exploit could allow the attacker to download arbitrary files from the affected system.
CWE-20 Nov 01, 2023
CVE-2023-43074 5.2 MEDIUM EPSS 0.00
Dell Unity 5.3 - Arbitrary File Creation
Dell Unity 5.3 contain(s) an Arbitrary File Creation vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability by crafting arbitrary files through a request to the server.
CWE-73 Oct 23, 2023
CVE-2023-36634 7.1 HIGH EPSS 0.00
FortiAP-U <7.0.0, <6.2.5, <=6.0, <=5.4 - Command Injection
An incomplete filtering of one or more instances of special elements vulnerability [CWE-792] in the command line interpreter of FortiAP-U 7.0.0, 6.2.0 through 6.2.5, 6.0 all versions, 5.4 all versions may allow an authenticated attacker to list and delete arbitrary files and directory via specially crafted command arguments.
CWE-73 Sep 13, 2023
CVE-2023-36764 8.8 HIGH EPSS 0.01
Microsoft SharePoint Server - Privilege Escalation
Microsoft SharePoint Server Elevation of Privilege Vulnerability
CWE-73 Sep 12, 2023