Cappricio-Securities

36 exploits Active since Feb 2000
CVE-2024-5947 NOMISEC MEDIUM SCANNER
Deep Sea Electronics DSE855 Firmware - Unauthenticated Information Disclosure via Configuration Backup
Deep Sea Electronics DSE855 Configuration Backup Missing Authentication Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of Deep Sea Electronics DSE855 devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the web-based UI. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-22679.
CVSS 6.5
CVE-2024-0235 NOMISEC MEDIUM SCANNER
EventON WordPress Plugin < 2.2.7 - Unauthenticated Email Address Disclosure via AJAX Action
The EventON WordPress plugin before 4.5.5, EventON WordPress plugin before 2.2.7 do not have authorisation in an AJAX action, allowing unauthenticated users to retrieve email addresses of any users on the blog
CVSS 5.3
CVE-2024-0352 NOMISEC HIGH SCANNER
likeshop < 2.5.7.20210311 - Unrestricted File Upload via FileServer::userFormImage
A vulnerability classified as critical was found in Likeshop up to 2.5.7.20210311. This vulnerability affects the function FileServer::userFormImage of the file server/application/api/controller/File.php of the component HTTP POST Request Handler. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-250120.
CVSS 7.3
CVE-2023-4568 NOMISEC MEDIUM SCANNER
PaperCut NG <22.0.12 - Unauthenticated RCE
PaperCut NG allows for unauthenticated XMLRPC commands to be run by default. Versions 22.0.12 and below are confirmed to be affected, but later versions may also be affected due to lack of a vendor supplied patch.
CVSS 6.5
CVE-2023-29489 NOMISEC MEDIUM SCANNER
cPanel < 11.102.0.31 - Cross-Site Scripting via Invalid Webcall ID
An issue was discovered in cPanel before 11.109.9999.116. XSS can occur on the cpsrvd error page via an invalid webcall ID, aka SEC-669. The fixed versions are 11.109.9999.116, 11.108.0.13, 11.106.0.18, and 11.102.0.31.
CVSS 5.3
CVE-2022-0165 NOMISEC MEDIUM SCANNER
WordPress KingComposer <2.9.6 - Open Redirect
The Page Builder KingComposer WordPress plugin through 2.9.6 does not validate the id parameter before redirecting the user to it via the kc_get_thumbn AJAX action available to both unauthenticated and authenticated users
CVSS 6.1
CVE-2021-42063 NOMISEC MEDIUM SCANNER
SAP Knowledge Warehouse 7.30-7.50 - Cross-Site Scripting
A security vulnerability has been discovered in the SAP Knowledge Warehouse - versions 7.30, 7.31, 7.40, 7.50. The usage of one SAP KW component within a Web browser enables unauthorized attackers to conduct XSS attacks, which might lead to disclose sensitive data.
CVSS 6.1
CVE-2019-9670 NOMISEC CRITICAL SCANNER
Synacor Zimbra Collaboration Suite <8.7.11p10 - XXE
mailboxd component in Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10 has an XML External Entity injection (XXE) vulnerability, as demonstrated by Autodiscover/Autodiscover.xml.
CVSS 9.8
CVE-2018-11784 NOMISEC MEDIUM SCANNER
Apache Tomcat 7.0.23-7.0.90, 8.5.0-8.5.33, 9.0.0.M1-9.0.11 - Open Redirect via Default Servlet
When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo') a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice.
CVSS 4.3
CVE-2012-5321 NOMISEC SCANNER
TikiWiki CMS/Groupware 8.3 - Frame Injection via URL Parameter
tiki-featured_link.php in TikiWiki CMS/Groupware 8.3 allows remote attackers to load arbitrary web site pages into frames and conduct phishing attacks via the url parameter, aka "frame injection."
CVE-2009-0347 NOMISEC SCANNER
Autonomy Ultraseek - Open Redirect via cs.html url Parameter
Open redirect vulnerability in cs.html in the Autonomy (formerly Verity) Ultraseek search engine allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the url parameter.