Calendar Security Vulnerabilities
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka...
8.1CVSS
8.5AI Score
0.034EPSS
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka...
8.1CVSS
8.6AI Score
0.101EPSS
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and...
8.1CVSS
8.5AI Score
0.034EPSS
FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka...
8.1CVSS
8.6AI Score
0.053EPSS
Vulnerability in the Oracle Common Applications Calendar product of Oracle E-Business Suite (component: Notes). Supported versions that are affected are 12.1.1-12.1.3 and 12.2.3-12.2.8. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise...
8.2CVSS
8.2AI Score
0.002EPSS
Vulnerability in the Oracle Common Applications Calendar product of Oracle E-Business Suite (component: Notes). Supported versions that are affected are 12.1.1-12.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Common...
8.2CVSS
8.2AI Score
0.002EPSS
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka...
8.1CVSS
8AI Score
0.05EPSS
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka...
8.8CVSS
8.3AI Score
0.008EPSS
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and...
8.8CVSS
8.3AI Score
0.008EPSS
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka...
8.8CVSS
8.3AI Score
0.008EPSS
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to...
8.8CVSS
8.3AI Score
0.008EPSS
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka...
8.8CVSS
8.3AI Score
0.008EPSS
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka...
8.8CVSS
8.3AI Score
0.011EPSS
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka...
8.8CVSS
8.3AI Score
0.011EPSS
Stored XSS exists in the Appointment Booking Calendar plugin before 1.3.35 for WordPress. In the cpabc_appointments.php file, the Calendar Name input could allow attackers to inject arbitrary JavaScript or...
4.8CVSS
5AI Score
0.004EPSS
The Appointment Booking Calendar plugin before 1.3.35 for WordPress allows user input (in fields such as Description or Name) in any booking form to be any formula, which then could be exported via the Bookings list tab in /wp-admin/admin.php?page=cpabc_appointments.php. The attacker could achieve....
7.8CVSS
8AI Score
0.011EPSS
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka...
9.8CVSS
9.1AI Score
0.004EPSS
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded...
9.8CVSS
9.2AI Score
0.007EPSS
Multiple Stored Cross-site scripting (XSS) vulnerabilities in the Webnus Modern Events Calendar Lite plugin through 5.1.6 for WordPress allows remote authenticated users (with minimal permissions) to inject arbitrary JavaScript, HTML, or CSS via Ajax actions. This affects mec_save_notifications...
5.4CVSS
5.4AI Score
0.001EPSS
6.1CVSS
6.3AI Score
0.001EPSS
A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS...
6.1CVSS
6AI Score
0.002EPSS
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an.....
9.8CVSS
9.2AI Score
0.007EPSS
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an.....
9.8CVSS
9.3AI Score
0.004EPSS
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can...
9.8CVSS
9.4AI Score
0.004EPSS
Jenkins Google Calendar Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file...
6.5CVSS
6.3AI Score
0.001EPSS
6.1CVSS
6.3AI Score
0.001EPSS
The appointment-booking-calendar plugin before 1.1.24 for WordPress has SQL injection, a different vulnerability than...
9.8CVSS
9.5AI Score
0.001EPSS
6.1CVSS
6.4AI Score
0.001EPSS
9.8CVSS
9.9AI Score
0.001EPSS
6.1CVSS
6.4AI Score
0.001EPSS
The the-events-calendar plugin before 4.8.2 for WordPress has XSS via the tribe_paged URL...
6.1CVSS
6AI Score
0.001EPSS
The Appointment Booking Calendar plugin 1.3.18 for WordPress allows XSS via the wp-admin/admin-post.php editionarea...
6.1CVSS
6AI Score
0.001EPSS
An information disclosure vulnerability exists when Exchange allows creation of entities with Display Names having non-printable characters. An authenticated attacker could exploit this vulnerability by creating entities with invalid display names, which, when added to conversations, remain...
6.5CVSS
5.3AI Score
0.005EPSS
OS command injection vulnerability in drivers_syno_import_user.php in Synology Calendar before 2.3.1-0617 allows remote attackers to execute arbitrary commands via the crafted 'X-Real-IP'...
9.8CVSS
9.8AI Score
0.001EPSS
Cross-site scripting (XSS) vulnerability in Event Editor in Synology Calendar before 2.3.0-0615 allows remote attackers to inject arbitrary web script or HTML via the title...
6.5CVSS
5.4AI Score
0.001EPSS
The Kieran O'Shea Calendar plugin before 1.3.11 for WordPress has Stored XSS via the event_title parameter in a wp-admin/admin.php?page=calendar add action, or the category name during category creation at the wp-admin/admin.php?page=calendar-categories...
5.4CVSS
5.2AI Score
0.001EPSS
Information exposure through process environment vulnerability in Synology Calendar before 2.3.3-0620 allows local users to obtain credentials via...
5.5CVSS
5.3AI Score
0.0004EPSS
Relative path traversal vulnerability in Attachment Uploader in Synology Calendar before 2.2.2-0532 allows remote authenticated users to upload arbitrary files via the filename...
6.5CVSS
6.2AI Score
0.001EPSS
SQL injection vulnerability in Booking Calendar plugin 8.4.3 for WordPress allows remote attackers to execute arbitrary SQL commands via the booking_id...
8.8CVSS
9.1AI Score
0.081EPSS
Cross-site scripting vulnerability in Event Calendar WD version 1.1.21 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified...
5.4CVSS
5AI Score
0.001EPSS
XSS exists in the the-holiday-calendar plugin before 1.11.3 for WordPress via the thc-month...
6.1CVSS
6AI Score
0.001EPSS
An information disclosure vulnerability exists in Windows Mail Client when a message is opened, aka "Windows Mail Client Information Disclosure Vulnerability." This affects Mail, Calendar, and People in Windows 8.1 App...
6.5CVSS
5.9AI Score
0.019EPSS
In Nextcloud Calendar before 1.5.8 and 1.6.1, a missing sanitization of search results for an autocomplete field could lead to a stored XSS requiring user-interaction. The missing sanitization only affected group names, hence malicious search results could only be crafted by privileged users like.....
4.8CVSS
4.8AI Score
0.001EPSS
Improper authorization vulnerability in SYNO.Cal.Event in Calendar before 2.1.2-0511 allows remote authenticated users to create arbitrary events via the (1) cal_id or (2) original_cal_id...
6.5CVSS
6.2AI Score
0.001EPSS
An issue was discovered in the WpDevArt "Booking calendar, Appointment Booking System" plugin 2.2.2 for WordPress. Multiple parameters allow remote attackers to manipulate the values to change data such as...
7.5CVSS
7.5AI Score
0.002EPSS
Data input into EMS Master Calendar before 8.0.0.201805210 via URL parameters is not properly sanitized, allowing malicious attackers to send a crafted URL for...
6.1CVSS
6.1AI Score
0.005EPSS
Cross-site scripting (XSS) vulnerability in Notification Center in Synology Calendar before 2.1.1-0502 allows remote authenticated users to inject arbitrary web script or HTML via title...
6.5CVSS
5.1AI Score
0.001EPSS
A vulnerability in the auto discovery phase of Cisco Spark Hybrid Calendar Service could allow an unauthenticated, remote attacker to view sensitive information in the unencrypted headers of an HTTP method request. The attacker could use this information to conduct additional reconnaissance...
7.5CVSS
7.3AI Score
0.002EPSS
SQL Injection exists in the CP Event Calendar 3.0.1 component for Joomla! via the id parameter in a task=load...
9.8CVSS
9.8AI Score
0.003EPSS
SQL Injection exists in the Visual Calendar 3.1.3 component for Joomla! via the id parameter in a view=load...
9.8CVSS
9.8AI Score
0.003EPSS