CVE Catalog

An authenticated SQL injection vulnerability exists in RuoYi versions through 4.7.9. The issue arises because the 'filterKeyword' method fails to adequately sanitize SQL injection keywords, leaving the application open to SQL injection attacks.

A SQL injection vulnerability has been identified in BigAnt Office Messenger version 5.6.06. The issue arises in the 'dev_code' parameter, allowing attackers to manipulate SQL queries and execute arbitrary commands on the server.

A code execution vulnerability exists in PHPYun versions prior to 7.0.2. The issue arises from backdoor-restricted arbitrary file writing and file inclusion, which can be exploited to execute malicious code.

A business logic flaw has been identified in Infoblox BloxOne version 2.4, stemming from vulnerabilities in the thick client. This flaw could potentially be exploited to manipulate the application's intended behavior.

A stored cross-site scripting vulnerability has been identified in Nagios XI version 2024R1.1.4. This vulnerability allows attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the 'Name' parameter on the Account Settings page. The injected scripts are automatically executed when the affected page is accessed, potentially compromising other users' accounts.

A cross-site scripting (XSS) vulnerability has been identified in the Drupal Views SVG Animation module, specifically in versions 0.0.0 prior to 1.0.1. This issue arises from improper input sanitization during web page generation, allowing malicious users to inject harmful scripts that could be executed in the context of the user's browser.

A cross-site scripting (XSS) vulnerability has been identified in the Drupal SVG Embed module, specifically in versions from 0.0.0 prior to 2.1.2. This issue arises from improper input neutralization during web page generation, allowing for the injection of malicious scripts.

A vulnerability has been identified in the Drupal wkhtmltopdf module, affecting all versions. This issue allows for unrestricted file access, which could lead to the exposure of sensitive information.

A Cross-Site Request Forgery (CSRF) vulnerability exists in the Drupal Gutenberg module, specifically in versions 0.0.0 prior to 2.13.0 and 3.0.0 prior to 3.0.5. This vulnerability allows attackers to perform actions on behalf of users without their consent.

A cross-site scripting (XSS) vulnerability has been identified in the Drupal Facets module, affecting versions from 0.0.0 prior to 2.0.9. This issue arises from improper input neutralization during web page generation, allowing for the injection of malicious scripts.

A vulnerability allowing incorrect authorization in Drupal Block permissions has been identified, affecting versions 1.0.0 prior to 1.2.0. This issue enables forceful browsing by improperly managing access rights to block functionalities.

A vulnerability allowing incorrect authorization has been identified in the Monster Menus module for Drupal. This issue, which affects versions from 0.0.0 prior to 9.3.2, allows for forceful browsing by exploiting authorization flaws.

A vulnerability allowing forceful browsing has been identified in the Drupal Persistent Login module, versions prior to 1.8.0 and 2.0.* prior to 2.2.2. This vulnerability arises from insufficient session expiration, which can be exploited to bypass normal access controls.

A session fixation vulnerability has been identified in the Drupal Two-factor Authentication (TFA) module, affecting versions 0.0.0 prior to 1.8.0. This vulnerability allows an attacker to fix a user's session, potentially leading to unauthorized actions or access.

A vulnerability allowing incorrect authorization has been identified in the Drupal Diff module, versions prior to 1.8.0. This issue can lead to functionality misuse.

A vulnerability allowing incorrect authorization has been identified in the Drupal Smart IP Ban module, specifically in versions 7.X-1.0 prior to 7.X-1.1. This vulnerability enables forceful browsing by exploiting authorization flaws.

A vulnerability allowing the insertion of sensitive information into sent data has been identified in the Drupal File Entity module (fieldable files) versions 7.X-* prior to 7.X-2.39. This vulnerability enables forceful browsing by manipulating the data sent during file entity interactions.

A type confusion vulnerability allowing HTTP denial-of-service has been identified in the Drupal Security Kit. This issue arises from the access of resources using incompatible types, which can be exploited to disrupt normal service. The vulnerability affects Security Kit versions 0.0.0 prior to 2.0.3.

A vulnerability allowing improper control of interaction frequency has been identified in Drupal Open Social versions prior to 12.3.8 and 12.4.0 through 12.4.5. This vulnerability can lead to functionality misuse.

A cross-site scripting (XSS) vulnerability has been identified in Drupal Open Social. This issue arises from improper input neutralization during web page generation, allowing for the injection of malicious scripts. The vulnerability affects Open Social versions prior to 12.3.8, 12.4.0 prior to 12.4.5, and 13.0.0 prior to 13.0.0-alpha11.

A vulnerability in the Drupal Paragraphs module, specifically in the Paragraphs table, has been identified. This issue arises from insufficient granularity of access control, which allows for content spoofing. The vulnerability affects versions 0.0.0 prior to 1.23.0 and 2.0.0 prior to 2.0.2.

A vulnerability allowing incorrect authorization has been identified in the Drupal Content Entity Clone module, versions 0.0.0 prior to 1.0.4. This vulnerability allows for forceful browsing by exploiting authorization flaws.

A vulnerability allowing incorrect authorization in the Drupal Freelinking module has been identified. This issue, which affects Freelinking versions 0.0.0 prior to 4.0.1, allows for forceful browsing by exploiting authorization flaws.

A vulnerability allowing the insertion of sensitive information into sent data has been identified in the Drupal Advanced Varnish module, affecting versions prior to 4.0.11. This issue can lead to forceful browsing.

A vulnerability allowing improper neutralization of directives in statically saved code, known as static code injection, has been identified in the Drupal Opigno module. This issue allows PHP local file inclusion. The vulnerability affects Opigno versions 7.X-1.0 prior to 7.X-1.23.

A static code injection vulnerability allowing PHP local file inclusion has been identified in the Opigno TinCan Question Type for Drupal. This issue affects versions 7.X-1.0 prior to 7.X-1.3.

A vulnerability allowing forceful browsing due to incorrect authorization has been identified in the Drupal Responsive and Off-Canvas Menu module, affecting versions 0.0.0 prior to 4.4.4. This vulnerability arises from inadequate authorization checks, which could be exploited to bypass restrictions and access unauthorized resources or actions.

A static code injection vulnerability allowing PHP local file inclusion has been identified in the Drupal Opigno Learning Path module, affecting versions from 0.0.0 prior to 3.1.2. This vulnerability arises from improper neutralization of directives in statically saved code.

A static code injection vulnerability allowing PHP local file inclusion has been identified in the Drupal Opigno module, affecting versions prior to 3.1.2. This issue arises from improper validation of uploaded files, which could lead to arbitrary file uploads and potentially allow remote code execution. The vulnerability requires the attacker to have a role with permission to create Opigno TinCan activities.

A static code injection vulnerability allowing PHP local file inclusion has been identified in the Drupal Opigno Group Manager module, affecting versions from 0.0.0 prior to 3.1.1. This vulnerability arises from improper neutralization of directives in statically saved code.

A cross-site scripting (XSS) vulnerability has been identified in the Drupal View Password module, affecting versions prior to 6.0.4. This issue arises from improper input sanitization during web page generation, allowing malicious users to inject harmful scripts.

A Cross-Site Request Forgery (CSRF) vulnerability exists in Drupal Acquia DAM versions prior to 1.0.13 and from 1.1.0 prior to 1.1.0-beta3. This vulnerability allows attackers to perform actions on behalf of users without their consent.

A Cross-Site Request Forgery (CSRF) vulnerability exists in the Drupal Migrate Queue Importer module, affecting versions 0.0.0 prior to 2.1.1. This vulnerability allows attackers to perform actions on behalf of users without their consent.

A vulnerability allowing unauthenticated users to change passwords of any user, potentially leading to takeover of administrator accounts, exists in the WPBookit plugin for WordPress, in versions through 1.6.4. This issue arises from the plugin's authorization bypass, allowing users to manipulate access to objects and exploit system resources.

A type confusion vulnerability has been identified in Strawberry GraphQL versions 0.182.0 prior to 0.257.0. This issue arises in the relay integration when multiple GraphQL types are mapped to the same underlying model, particularly affecting Django, SQLAlchemy, and Pydantic ORM integrations. The vulnerability occurs when the global node field is used to query specific types, potentially leading to incorrect type resolution. This can result in unauthorized access to sensitive information or privileges if the alternate type contains restricted data.

A vulnerability allowing out-of-bounds read has been identified in the routing protocol daemon (RPD) of Juniper Networks Junos OS and Junos OS Evolved. This vulnerability allows an unauthenticated, network-based attacker to send malformed BGP packets to a device with packet receive trace options enabled, causing RPD to crash. The issue affects multiple Junos OS and Junos OS Evolved versions, requires an established BGP session, and can propagate through multiple ASes, impacting both iBGP and eBGP for IPv4 and IPv6.

A vulnerability allowing the insertion of sensitive information into sent data has been identified in the Drupal Image Sizes module, versions 0.0.0 prior to 3.0.2. This issue can lead to forceful browsing.

A vulnerability allowing incorrect authorization in Drupal's REST and JSON API Authentication modules has been identified. This issue, which affects versions 0.0.0 prior to 2.0.13, allows for forceful browsing by improperly managing user permissions.

A vulnerability allowing incorrect authorization in the Drupal Commerce View Receipt component has been identified. This issue, which affects versions 0.0.0 prior to 1.0.3, allows for forceful browsing by improperly managing user permissions.

A vulnerability in the Drupal Email Contact module, versions 0.0.0 prior to 2.0.4, has been identified. This issue arises from insufficient granularity in access control, which allows for forceful browsing. Users may exploit this vulnerability to bypass restrictions and access content or features that should be limited or unavailable to them.

A vulnerability allowing the exposure of sensitive information through data queries has been identified in Drupal's RESTful Web Services module, specifically in versions 7.X-2.0 prior to 7.X-2.10. This issue allows for forceful browsing, potentially leading to unauthorized access to sensitive data.

A vulnerability in Drupal REST Views prior to 3.0.1 allows for the insertion of sensitive information into sent data, facilitating forceful browsing. This issue arises from improper handling of data in REST Views, potentially leading to unauthorized access or manipulation of resources.

A vulnerability allowing incorrect authorization has been identified in the Drupal Advanced PWA Push Notifications module, versions prior to 1.5.0. This issue enables forceful browsing by improperly managing user permissions.

A cross-site scripting (XSS) vulnerability has been identified in the Drupal TacJS module, affecting versions from 0.0.0 prior to 6.5.0. This issue arises from improper neutralization of input during web page generation, allowing for the injection of malicious scripts.

A vulnerability allowing privilege escalation has been identified in the Drupal Registration role, affecting versions prior to 2.0.1. This issue arises from incorrect privilege assignment, which could be exploited to gain elevated rights.

A Cross-Site Request Forgery (CSRF) vulnerability exists in the Drupal Symfony Mailer Lite module, affecting versions 0.0.0 prior to 1.0.6. This vulnerability allows attackers to perform actions on behalf of users without their consent.

A vulnerability allowing target influence via framing has been identified in the Drupal Node Access Rebuild Progressive module, specifically in versions 7.X-1.0 prior to 7.X-1.2. This issue arises from improper ownership management.

A vulnerability allowing incorrect privilege assignment has been identified in the Drupal Private Content module, affecting versions 0.0.0 prior to 2.1.0. This vulnerability allows target influence through framing.

A cross-site scripting (XSS) vulnerability has been identified in the Drupal Coffee module, affecting versions 0.0.0 prior to 1.4.0. This issue arises from improper neutralization of input during web page generation, allowing for the injection of malicious scripts.

A vulnerability allowing target influence via framing has been identified in the Drupal Node Access Rebuild Progressive module, affecting versions from 0.0.0 prior to 2.0.2. This issue arises from improper ownership management.