| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Zed Attack Proxy (ZAP) ViewState add-on before version 4 contains an insecure deserialization vulnerability that allows attackers who control a proxied web server to achieve arbitrary code execution by embedding a malicious serialized Java object in the javax.faces.ViewState HTTP response parameter. The JSFViewState.decode() method base64-decodes the ViewState value and passes it directly to ObjectInputStream.readObject() without a deserialization filter, allowlist, or type restriction, causing the malicious object to be deserialized within the ZAP JVM when the Desktop UI renders the ViewState panel. |
| Contributor Broken Access Control in Forget About Shortcode Buttons <= 2.1.3 versions. |
| Subscriber Broken Access Control in Restaurant Menu by MotoPress <= 2.4.11 versions. |
| Contributor Broken Access Control in Live Copy Paste for Elementor <= 1.5.3 versions. |
| Unauthenticated Broken Access Control in Donation Thermometer <= 2.2.7 versions. |
| Unauthenticated Content Injection in Auros Core <= 5.3.1 versions. |
| Unauthenticated Insecure Direct Object References (IDOR) in BookPro <= 1.1.0 versions. |
| Contributor Local File Inclusion in Splash - Sport Club WordPress Theme for Basketball, Football, Hockey <= 4.4.3 versions. |
| Contributor Local File Inclusion in Goya Core < 1.0.9.4 versions. |
| Contributor Cross Site Scripting (XSS) in Image Carousel <= 1.0.0.41 versions. |
| Contributor Cross Site Scripting (XSS) in BNE Testimonials <= 2.0.8 versions. |
| Unauthenticated Backdoor in Enable CORS <= 2.0.3 versions. |
| Unauthenticated Sensitive Data Exposure in Object Cache 4 everyone <= 2.3.2 versions. |
| Unauthenticated Broken Access Control in Five Star Restaurant Menu <= 2.5.2 versions. |
| Unauthenticated Broken Access Control in Intranet & Private Site – All-In-One Intranet <= 1.8.1 versions. |
| Unauthenticated Sensitive Data Exposure in Trinity Backup – Backup, Migrate, Restore, Clone & Schedule Backups <= 2.0.9 versions. |
| Unauthenticated Broken Access Control in Syncee Premium Dropshipping & Wholesale <= 1.0.27 versions. |
| Unauthenticated Broken Access Control in Paymob for WooCommerce <= 4.1.2 versions. |
| Subscriber Server Side Request Forgery (SSRF) in utm.codes <= 1.9.0 versions. |
| Unauthenticated Broken Authentication in CorvusPay WooCommerce Payment Gateway <= 2.7.4 versions. |