CVEs

Tenable maintains a list of Common Vulnerabilities and Exposures (CVEs) and their affected products. Tenable augments the data to include related Tenable Plugins that detect each vulnerability. 321161 CVEs are indexed from NVD.

Vulnerability Watch ›

  • CVE-2025-55182
    Critical: Vulnerability of Interest

    This unauthenticated remote code execution flaw in React has been exploited in the wild and multiple exploit scripts have been made public. Immediate patching is required.

  • CVE-2025-61757
    Critical: Vulnerability of Interest

    Exploitation of this Oracle Identity Manager remote code execution vulnerability has been observed. Immediate patching is recommended.

  • CVE-2025-66516
    Critical: Vulnerability Being Monitored

    This XXE flaw affecting Apache Tika has received the highest CVSS score of 10.0. While no exploitation has been observed, immediate patching is recommended.

Newest ›

  • Advantech WISE-DeviceOn Server versions prior to 5.4 contain a stored cross-site scripting (XSS)...

Updated ›

  • SSH dissector crash in Wireshark 4.4.0 to 4.4.8 allows denial of service

  • Vulnerability in Drupal Owl Carousel 2. This issue affects Owl Carousel 2: *.*.

  • Vulnerability in Drupal API Key manager. This issue affects API Key manager: *.*.

  • NULL pointer dereference in TagSection.keys() in python-apt on APT-based Linux systems allows a local attacker to cause a denial of service (process crash) via a crafted deb822 file with a malformed non-UTF-8 key.

  • The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.8.3. This makes it possible for authenticated attackers, with tutor-level access and above, to view assignments for courses they don't teach, which may contain sensitive information.

  • Monkeytype is a minimalistic and customizable typing test. In 25.49.0 and earlier, there is improper handling of user input which allows an attacker to execute malicious JavaScript on anyone viewing a malicious quote submission. quote.text and quote.source are user input, and they're inserted straight into the DOM. If they contain HTML tags, they will be rendered (after some escaping using quotes and textarea tags).

  • Nextcloud Server is a self-hosted personal cloud system. In Nextcloud Server and Enterprise Server prior to 30.0.9 and 31.0.1, incorrect path handling with groupfolders caused the admin_audit app to not properly log all actions on files and folders inside groupfolders. This vulnerability is fixed in Nextcloud Server and Enterprise Server 30.0.9 and 31.0.1.

  • Nextcloud Calendar is a calendar app for Nextcloud. Prior to 4.7.17 and 5.2.4, when a malicious user creates a calendar event with a crafted attachment that links to a download link of a file on the same Nextcloud server, the file would be downloaded without the user confirming the action. This vulnerability is fixed in 4.7.17 and 5.2.4.

  • Nextcloud Server is a self-hosted personal cloud system. In Nextcloud Server and Enterprise Server prior to 31.0.1, non-privileged users can modify tags on files they should not have access to via bulk tagging. This vulnerability is fixed in 31.0.1.

  • Nextcloud Calendar is a calendar app for Nextcloud. Prior to 4.7.19, 5.5.6, and 6.0.1, the calendar app allowed blindly booking appointments with a sequential ID without knowing the appointment token. This vulnerability is fixed in 4.7.19, 5.5.6, and 6.0.1.