CVE Tracker
143,361 total CVEs
Live vulnerability feed from the National Vulnerability Database
OpenAirInterface CN5G AMF (oai-cn5g-amf) <= 2.0.0 contains a null dereference in its handling of unsupported NGAP protocol messages which allows an attacker with network-adjacent access to the AMF to carry out denial of service. When a procedure code/presence field tuple is received that is unsupported, OAI indexes into a null function pointer and subsequently dereferences it.
Improper file descriptor handling for closed connections in OpenAirInterface CN5G AMF (oai-cn5g-amf) up to v2.0.0 allows attackers to cause a Denial of Service (DoS) by repeatedly establishing SCTP connections with the N2 interface.
A NULL pointer dereference in the ngap_app::handle_receive routine of OpenAirInterface CN5G AMF (oai-cn5g-amf) up to v2.0.0 allows attackers to cause a Denial of Service (DoS) via a crafted NGAP message.
A Server-Side Request Forgery (SSRF) vulnerability has been identified in the Web Services feature of newer Lexmark devices.
https://www.gnu.org/software/binutils/ nm >=2.43 is affected by: Incorrect Access Control. The type of exploitation is: local. The component is: `nm --without-symbol-version` function.
Northern.tech Mender Client 4.x before 4.0.5 has Insecure Permissions.
Northern.tech CFEngine Enterprise Mission Portal 3.24.0, 3.21.5, and below allows XSS. The fixed versions are 3.24.1 and 3.21.6.
Mjolnir is a moderation tool for Matrix. Mjolnir v1.9.0 responds to management commands from any room the bot is a member of. This can allow users who aren't operators of the bot to use the bot's functions, including server administration components if enabled. Version 1.9.1 reverts the feature that introduced the bug, and version 1.9.2 reintroduces the feature safely. Downgrading to version 1.8.3 is recommended if upgrading to 1.9.1 or higher isn't possible.
Homarr before v0.14.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Notebook widget.
An issue in RAR Extractor - Unarchiver Free and Pro v.6.4.0 allows local attackers to inject arbitrary code potentially leading to remote control and unauthorized access to sensitive user data via the exploit_combined.dylib component on MacOS.
An issue in System.Linq.Dynamic.Core before 1.6.0 allows remote access to properties on reflection types and static properties/fields.
Cross-Site Request Forgery (CSRF) vulnerability in AnyRoad AnyRoad anyguide allows Cross Site Request Forgery. This issue affects AnyRoad: from n/a through <= 1.3.2.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Estatebud Estatebud – Properties & Listings estatebud-properties-listings allows Stored XSS. This issue affects Estatebud – Properties & Listings: from n/a through <= 5.5.0.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Matthew BizLibrary bizlibrary allows Reflected XSS. This issue affects BizLibrary: from n/a through <= 1.1.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in razvypp SexBundle sexbundle allows Reflected XSS. This issue affects SexBundle: from n/a through <= 1.4.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brian Messenlehner WP-Announcements wp-announcements allows Reflected XSS. This issue affects WP-Announcements: from n/a through <= 1.8.
Missing Authorization vulnerability in realtyworkstation Realty Workstation realty-workstation allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Realty Workstation: from n/a through <= 1.0.45.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in xkollsoftware Social2Blog social2blog allows Reflected XSS. This issue affects Social2Blog: from n/a through <= 0.2.990.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in flashmaniac Nature FlipBook vertical-diamond-flipbook-flash allows Reflected XSS. This issue affects Nature FlipBook: from n/a through <= 1.7.
Missing Authorization vulnerability in Marketing Fire Widget Options widget-options allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Widget Options: from n/a through <= 4.0.8.
Missing Authorization vulnerability in Farhan Noor ApplyOnline apply-online allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ApplyOnline: from n/a through <= 2.6.7.1.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in vcita Online Payments – Get Paid with PayPal, Square & Stripe paypal-payment-button-by-vcita allows Stored XSS. This issue affects Online Payments – Get Paid with PayPal, Square & Stripe: from n/a through <= 3.20.0.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in enguerranws Related Post Shortcode related-post-shortcode allows Stored XSS. This issue affects Related Post Shortcode: from n/a through <= 1.2.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpweaver Weaver Themes Shortcode Compatibility weaver-themes-shortcode-compatibility allows Stored XSS. This issue affects Weaver Themes Shortcode Compatibility: from n/a through <= 1.0.4.
Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses `Math.random()` to choose the boundary for a multipart/form-data request. It is known that the output of `Math.random()` can be predicted if several of its generated values are known. If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, an attacker can tamper with the requests going to the backend APIs if certain conditions are met. This is fixed in versions 5.28.5, 6.21.1, and 7.2.3. As a workaround, do not issue multipart requests to attacker-controlled servers.