unSafe.sh - Insecure
Live-Hack-CVE/CVE-2021-36539
Instructure Canvas LMS didn't properly deny access to locked/unpublished files when the unprivileged user accesses the DocViewer based file preview URL (canvadoc_session_url). CVE project by @Sn0wAlice
Create: 2023-02-01 01:47:26 +0000 UTC Push: 2023-02-01 01:47:28 +0000 UTC |
Live-Hack-CVE/CVE-2022-4672
The WordPress Simple Shopping Cart WordPress plugin before 4.6.2 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege user CVE project by @Sn0wAlice
Create: 2023-02-01 01:47:22 +0000 UTC Push: 2023-02-01 01:47:24 +0000 UTC |
Live-Hack-CVE/CVE-2022-4718
The Landing Page Builder WordPress plugin before 1.4.9.9 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such a CVE project by @Sn0wAlice
Create: 2023-02-01 01:47:18 +0000 UTC Push: 2023-02-01 01:47:20 +0000 UTC |
Live-Hack-CVE/CVE-2022-4716
The WP Popups WordPress plugin before 2.1.4.8 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins. CVE project by @Sn0wAlice
Create: 2023-02-01 01:47:14 +0000 UTC Push: 2023-02-01 01:47:17 +0000 UTC |
Live-Hack-CVE/CVE-2022-4746
The FluentAuth WordPress plugin before 1.0.2 prioritizes getting a visitor's IP address from certain HTTP headers over PHP's REMOTE_ADDR, which makes it possible to bypass the IP-based blocks set by the plugin. CVE project by @Sn0wAlice
Create: 2023-02-01 01:47:11 +0000 UTC Push: 2023-02-01 01:47:13 +0000 UTC |
Live-Hack-CVE/CVE-2022-46835
IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p2, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p5, IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7, IdentityIQ 8.0 and all 8.0 patch levels prior to 8.0p6 allow access to arbitrary files in the application server filesystem due to a path traversal vuln CVE project by @Sn0wAlice
Create: 2023-02-01 01:47:07 +0000 UTC Push: 2023-02-01 01:47:09 +0000 UTC |
Live-Hack-CVE/CVE-2022-45435
IdentityIQ 8.3 and all 8.3 patch levels prior to 8.3p2, IdentityIQ 8.2 and all 8.2 patch levels prior to 8.2p5, IdentityIQ 8.1 and all 8.1 patch levels prior to 8.1p7, IdentityIQ 8.0 and all 8.0 patch levels prior to 8.0p6, and all prior versions allow authenticated users assigned the Identity Administrator capability CVE project by @Sn0wAlice
Create: 2023-02-01 01:47:04 +0000 UTC Push: 2023-02-01 01:47:06 +0000 UTC |
Live-Hack-CVE/CVE-2021-43446
ONLYOFFICE all versions as of 2021-11-08 is vulnerable to Cross Site Scripting (XSS). The "macros" feature of the document editor allows malicious cross site scripting payloads to be used. CVE project by @Sn0wAlice
Create: 2023-02-01 01:47:00 +0000 UTC Push: 2023-02-01 01:47:02 +0000 UTC |
Live-Hack-CVE/CVE-2023-24163
SQL Injection vulnerability in Dromara hutool v5.8.11 allows attacker to execute arbitrary code via the aviator template engine. CVE project by @Sn0wAlice
Create: 2023-02-01 01:46:53 +0000 UTC Push: 2023-02-01 01:46:55 +0000 UTC |
Live-Hack-CVE/CVE-2023-24162
Deserialization vulnerability in Dromara Hutool v5.8.11 allows attacker to execute arbitrary code via the XmlUtil.readObjectFromXml parameter. CVE project by @Sn0wAlice
Create: 2023-02-01 01:46:49 +0000 UTC Push: 2023-02-01 01:46:52 +0000 UTC |
Live-Hack-CVE/CVE-2022-47780
SQL Injection vulnerability in Bangresto 1.0 via the itemID parameter. CVE project by @Sn0wAlice
Create: 2023-02-01 01:46:45 +0000 UTC Push: 2023-02-01 01:46:48 +0000 UTC |
Live-Hack-CVE/CVE-2022-47035
Buffer Overflow Vulnerability in D-Link DIR-825 v1.33.0.44ebdd4-embedded and below allows attacker to execute arbitrary code via the GetConfig method to the /CPE endpoint. CVE project by @Sn0wAlice
Create: 2023-02-01 01:46:42 +0000 UTC Push: 2023-02-01 01:46:44 +0000 UTC |
Live-Hack-CVE/CVE-2022-45598
Cross Site Scripting vulnerability in Joplin Desktop App before v2.9.17 allows attacker to execute arbitrary code via improper sanitization. CVE project by @Sn0wAlice
Create: 2023-02-01 01:46:38 +0000 UTC Push: 2023-02-01 01:46:40 +0000 UTC |
Live-Hack-CVE/CVE-2022-28331
On Windows, Apache Portable Runtime 1.7.0 and earlier may write beyond the end of a stack based buffer in apr_socket_sendv(). This is a result of integer overflow. CVE project by @Sn0wAlice
Create: 2023-02-01 01:46:34 +0000 UTC Push: 2023-02-01 01:46:37 +0000 UTC |
Live-Hack-CVE/CVE-2022-24963
Integer Overflow or Wraparound vulnerability in apr_encode functions of Apache Portable Runtime (APR) allows an attacker to write beyond bounds of a buffer. This issue affects Apache Portable Runtime (APR) version 1.7.0. CVE project by @Sn0wAlice
Create: 2023-02-01 01:46:30 +0000 UTC Push: 2023-02-01 01:46:33 +0000 UTC |
Live-Hack-CVE/CVE-2020-20402
Westbrookadmin portfolioCMS v1.05 allows attackers to bypass password validation and access sensitive information via session fixation. CVE project by @Sn0wAlice
Create: 2023-02-01 01:46:27 +0000 UTC Push: 2023-02-01 01:46:29 +0000 UTC |
Live-Hack-CVE/CVE-2022-25147
Integer Overflow or Wraparound vulnerability in apr_base64 functions of Apache Portable Runtime Utility (APR-util) allows an attacker to write beyond bounds of a buffer. This issue affects Apache Portable Runtime Utility (APR-util) 1.6.1 and prior versions. CVE project by @Sn0wAlice
Create: 2023-02-01 01:46:23 +0000 UTC Push: 2023-02-01 01:46:25 +0000 UTC |
Live-Hack-CVE/CVE-2021-43447
ONLYOFFICE all versions as of 2021-11-08 is affected by Incorrect Access Control. An authentication bypass in the document editor allows attackers to edit documents without authentication. CVE project by @Sn0wAlice
Create: 2023-02-01 01:46:19 +0000 UTC Push: 2023-02-01 01:46:21 +0000 UTC |
Live-Hack-CVE/CVE-2022-3425
The Analyticator WordPress plugin before 6.5.6 unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable gadget is present. CVE project by @Sn0wAlice
Create: 2023-02-01 01:46:15 +0000 UTC Push: 2023-02-01 01:46:18 +0000 UTC |
Live-Hack-CVE/CVE-2022-4715
The Structured Content WordPress plugin before 1.5.1 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as ad CVE project by @Sn0wAlice
Create: 2023-02-01 01:46:12 +0000 UTC Push: 2023-02-01 01:46:14 +0000 UTC |