Latest vulnerabilities [Monday, February 12, 2024 + weekend]

Latest vulnerabilities [Monday, February 12, 2024 + weekend]
{{titre}}

Last update performed on 02/12/2024 at 11:57:06 PM

(15) CRITICAL VULNERABILITIES [9.0, 10.0]

Source : patchstack.com

Vulnerability ID : CVE-2024-25100

First published on : 12-02-2024 07:15:11
Last modified on : 12-02-2024 14:20:03

Description :
Deserialization of Untrusted Data vulnerability in WP Swings Coupon Referral Program.This issue affects Coupon Referral Program: from n/a through 1.7.2.

CVE ID : CVE-2024-25100
Source : audit@patchstack.com
CVSS Score : 10.0

References :
https://patchstack.com/database/vulnerability/coupon-referral-program/wordpress-coupon-referral-program-plugin-1-7-2-unauthenticated-php-object-injection-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-502


Vulnerability ID : CVE-2024-24797

First published on : 12-02-2024 08:15:41
Last modified on : 12-02-2024 14:19:54

Description :
Deserialization of Untrusted Data vulnerability in G5Theme ERE Recently Viewed โ€“ Essential Real Estate Add-On.This issue affects ERE Recently Viewed โ€“ Essential Real Estate Add-On: from n/a through 1.3.

CVE ID : CVE-2024-24797
Source : audit@patchstack.com
CVSS Score : 9.8

References :
https://patchstack.com/database/vulnerability/ere-recently-viewed/wordpress-ere-recently-viewed-plugin-1-3-unauthenticated-php-object-injection-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-502


Source : github.com

Vulnerability ID : CVE-2024-25108

First published on : 12-02-2024 20:15:08
Last modified on : 12-02-2024 20:39:09

Description :
Pixelfed is an open source photo sharing platform. When processing requests authorization was improperly and insufficiently checked, allowing attackers to access far more functionality than users intended, including to the administrative and moderator functionality of the Pixelfed server. This vulnerability affects every version of Pixelfed between v0.10.4 and v0.11.9, inclusive. A proof of concept of this vulnerability exists. This vulnerability affects every local user of a Pixelfed server, and can potentially affect the servers' ability to federate. Some user interaction is required to setup the conditions to be able to exercise the vulnerability, but the attacker could conduct this attack time-delayed manner, where user interaction is not actively required. This vulnerability has been addressed in version 0.11.11. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVE ID : CVE-2024-25108
Source : security-advisories@github.com
CVSS Score : 9.9

References :
https://github.com/pixelfed/pixelfed/commit/7e47d6dccb0393a2e95c42813c562c854882b037 | source : security-advisories@github.com
https://github.com/pixelfed/pixelfed/security/advisories/GHSA-gccq-h3xj-jgvf | source : security-advisories@github.com

Vulnerability : CWE-280
Vulnerability : CWE-285
Vulnerability : CWE-863


Vulnerability ID : CVE-2024-25110

First published on : 12-02-2024 20:15:08
Last modified on : 12-02-2024 20:39:09

Description :
The UAMQP is a general purpose C library for AMQP 1.0. During a call to open_get_offered_capabilities, a memory allocation may fail causing a use-after-free issue and if a client called it during connection communication it may cause a remote code execution. Users are advised to update the submodule with commit `30865c9c`. There are no known workarounds for this vulnerability.

CVE ID : CVE-2024-25110
Source : security-advisories@github.com
CVSS Score : 9.8

References :
https://github.com/Azure/azure-uamqp-c/commit/30865c9ccedaa32ddb036e87a8ebb52c3f18f695 | source : security-advisories@github.com
https://github.com/Azure/azure-uamqp-c/security/advisories/GHSA-c646-4whf-r67v | source : security-advisories@github.com

Vulnerability : CWE-94


Vulnerability ID : CVE-2024-24825

First published on : 09-02-2024 00:15:08
Last modified on : 09-02-2024 01:37:53

Description :
DIRAC is a distributed resource framework. In affected versions any user could get a token that has been requested by another user/agent. This may expose resources to unintended parties. This issue has been addressed in release version 8.0.37. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVE ID : CVE-2024-24825
Source : security-advisories@github.com
CVSS Score : 9.1

References :
https://github.com/DIRACGrid/DIRAC/commit/f9ddab755b9a69acb85e14d2db851d8ac0c9648c | source : security-advisories@github.com
https://github.com/DIRACGrid/DIRAC/security/advisories/GHSA-59qj-jcjv-662j | source : security-advisories@github.com

Vulnerability : CWE-200


Source : hq.dhs.gov

Vulnerability ID : CVE-2023-46687

First published on : 09-02-2024 04:15:07
Last modified on : 09-02-2024 14:31:23

Description :
In Emerson Rosemount GC370XA, GC700XA, and GC1500XA products, an unauthenticated user with network access could execute arbitrary commands in root context from a remote computer.

CVE ID : CVE-2023-46687
Source : ics-cert@hq.dhs.gov
CVSS Score : 9.8

References :
https://www.cisa.gov/news-events/ics-advisories/icsa-24-030-01 | source : ics-cert@hq.dhs.gov
https://www.emerson.com/documents/automation/security-notification-emerson-gas-chromatographs-cyber-security-notification-icsa-24-030-01-en-10103910.pdf | source : ics-cert@hq.dhs.gov

Vulnerability : CWE-77


Source : fortinet.com

Vulnerability ID : CVE-2024-21762

First published on : 09-02-2024 09:15:08
Last modified on : 10-02-2024 02:00:01

Description :
A out-of-bounds write in Fortinet FortiOS versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, 6.0.0 through 6.0.17, FortiProxy versions 7.4.0 through 7.4.2, 7.2.0 through 7.2.8, 7.0.0 through 7.0.14, 2.0.0 through 2.0.13, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6, 1.0.0 through 1.0.7 allows attacker to execute unauthorized code or commands via specifically crafted requests

CVE ID : CVE-2024-21762
Source : psirt@fortinet.com
CVSS Score : 9.8

References :
https://fortiguard.com/psirt/FG-IR-24-015 | source : psirt@fortinet.com

Vulnerability : CWE-787


Source : mitre.org

Vulnerability ID : CVE-2024-25674

First published on : 09-02-2024 09:15:08
Last modified on : 12-02-2024 14:30:40

Description :
An issue was discovered in MISP before 2.4.184. Organisation logo upload is insecure because of a lack of checks for the file extension and MIME type.

CVE ID : CVE-2024-25674
Source : cve@mitre.org
CVSS Score : 9.8

References :
https://github.com/MISP/MISP/commit/312d2d5422235235ddd211dcb6bb5bb09c07791f | source : cve@mitre.org
https://github.com/MISP/MISP/compare/v2.4.183...v2.4.184 | source : cve@mitre.org

Vulnerability : CWE-434

Vulnerable product(s) : cpe:2.3:a:misp:misp:*:*:*:*:*:*:*:*


Vulnerability ID : CVE-2024-25675

First published on : 09-02-2024 09:15:08
Last modified on : 12-02-2024 14:30:28

Description :
An issue was discovered in MISP before 2.4.184. A client does not need to use POST to start an export generation process. This is related to app/Controller/JobsController.php and app/View/Events/export.ctp.

CVE ID : CVE-2024-25675
Source : cve@mitre.org
CVSS Score : 9.8

References :
https://github.com/MISP/MISP/commit/0ac2468c2896f4be4ef9219cfe02bff164411594 | source : cve@mitre.org
https://github.com/MISP/MISP/compare/v2.4.183...v2.4.184 | source : cve@mitre.org

Vulnerability : NVD-CWE-noinfo

Vulnerable product(s) : cpe:2.3:a:misp:misp:*:*:*:*:*:*:*:*


Vulnerability ID : CVE-2024-25302

First published on : 09-02-2024 14:15:08
Last modified on : 12-02-2024 14:26:44

Description :
Sourcecodester Event Student Attendance System 1.0, allows SQL Injection via the 'student' parameter.

CVE ID : CVE-2024-25302
Source : cve@mitre.org
CVSS Score : 9.8

References :
https://github.com/tubakvgc/CVE/blob/main/Event_Student_Attendance_System.md | source : cve@mitre.org

Vulnerability : CWE-89

Vulnerable product(s) : cpe:2.3:a:rems:event_student_attendance_system:1.0:*:*:*:*:*:*:*


Vulnerability ID : CVE-2024-25307

First published on : 09-02-2024 14:15:08
Last modified on : 12-02-2024 14:25:11

Description :
Code-projects Cinema Seat Reservation System 1.0 allows SQL Injection via the 'id' parameter at "/Cinema-Reservation/booking.php?id=1."

CVE ID : CVE-2024-25307
Source : cve@mitre.org
CVSS Score : 9.8

References :
https://github.com/tubakvgc/CVEs/blob/main/Cinema%20Seat%20Reservation%20System/Cinema%20Seat%20Reservation%20System%20-%20SQL%20Injection.md | source : cve@mitre.org

Vulnerability : CWE-89

Vulnerable product(s) : cpe:2.3:a:code-projects:cinema_seat_reservation_system:1.0:*:*:*:*:*:*:*


Vulnerability ID : CVE-2024-25314

First published on : 09-02-2024 14:15:08
Last modified on : 12-02-2024 14:24:04

Description :
Code-projects Hotel Managment System 1.0, allows SQL Injection via the 'sid' parameter in Hotel/admin/show.php?sid=2.

CVE ID : CVE-2024-25314
Source : cve@mitre.org
CVSS Score : 9.8

References :
https://github.com/tubakvgc/CVEs/blob/main/Hotel%20Managment%20System/Hotel%20Managment%20System%20-%20SQL%20Injection-2.md | source : cve@mitre.org

Vulnerability : CWE-89

Vulnerable product(s) : cpe:2.3:a:hotel_management_system_project:hotel_management_system:1.0:*:*:*:*:*:*:*


Vulnerability ID : CVE-2024-25315

First published on : 09-02-2024 14:15:08
Last modified on : 12-02-2024 14:23:41

Description :
Code-projects Hotel Managment System 1.0, allows SQL Injection via the 'rid' parameter in Hotel/admin/roombook.php?rid=2.

CVE ID : CVE-2024-25315
Source : cve@mitre.org
CVSS Score : 9.8

References :
https://github.com/tubakvgc/CVEs/blob/main/Hotel%20Managment%20System/Hotel%20Managment%20System%20-%20SQL%20Injection-1.md | source : cve@mitre.org

Vulnerability : CWE-89

Vulnerable product(s) : cpe:2.3:a:hotel_management_system_project:hotel_management_system:1.0:*:*:*:*:*:*:*


Vulnerability ID : CVE-2024-25316

First published on : 09-02-2024 14:15:08
Last modified on : 12-02-2024 14:23:16

Description :
Code-projects Hotel Managment System 1.0 allows SQL Injection via the 'eid' parameter in Hotel/admin/usersettingdel.php?eid=2.

CVE ID : CVE-2024-25316
Source : cve@mitre.org
CVSS Score : 9.8

References :
https://github.com/tubakvgc/CVEs/blob/main/Hotel%20Managment%20System/Hotel%20Managment%20System%20-%20SQL%20Injection-4.md | source : cve@mitre.org

Vulnerability : CWE-89

Vulnerable product(s) : cpe:2.3:a:hotel_management_system_project:hotel_management_system:1.0:*:*:*:*:*:*:*


Source : usom.gov.tr

Vulnerability ID : CVE-2023-6677

First published on : 09-02-2024 14:15:08
Last modified on : 09-02-2024 14:26:32

Description :
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Oduyo Financial Technology Online Collection allows SQL Injection.This issue affects Online Collection: before v.1.0.2.

CVE ID : CVE-2023-6677
Source : iletisim@usom.gov.tr
CVSS Score : 9.8

References :
https://www.usom.gov.tr/bildirim/tr-24-0100 | source : iletisim@usom.gov.tr

Vulnerability : CWE-89


(49) HIGH VULNERABILITIES [7.0, 8.9]

Source : github.com

Vulnerability ID : CVE-2024-24821

First published on : 09-02-2024 00:15:08
Last modified on : 09-02-2024 01:37:53

Description :
Composer is a dependency Manager for the PHP language. In affected versions several files within the local working directory are included during the invocation of Composer and in the context of the executing user. As such, under certain conditions arbitrary code execution may lead to local privilege escalation, provide lateral user movement or malicious code execution when Composer is invoked within a directory with tampered files. All Composer CLI commands are affected, including composer.phar's self-update. The following scenarios are of high risk: Composer being run with sudo, Pipelines which may execute Composer on untrusted projects, Shared environments with developers who run Composer individually on the same project. This vulnerability has been addressed in versions 2.7.0 and 2.2.23. It is advised that the patched versions are applied at the earliest convenience. Where not possible, the following should be addressed: Remove all sudo composer privileges for all users to mitigate root privilege escalation, and avoid running Composer within an untrusted directory, or if needed, verify that the contents of `vendor/composer/InstalledVersions.php` and `vendor/composer/installed.php` do not include untrusted code. A reset can also be done on these files by the following:```sh rm vendor/composer/installed.php vendor/composer/InstalledVersions.php composer install --no-scripts --no-plugins ```

CVE ID : CVE-2024-24821
Source : security-advisories@github.com
CVSS Score : 8.8

References :
https://github.com/composer/composer/commit/64e4eb356b159a30c766cd1ea83450a38dc23bf5 | source : security-advisories@github.com
https://github.com/composer/composer/security/advisories/GHSA-7c6p-848j-wh5h | source : security-advisories@github.com

Vulnerability : CWE-829


Vulnerability ID : CVE-2024-23324

First published on : 09-02-2024 23:15:09
Last modified on : 11-02-2024 22:29:15

Description :
Envoy is a high-performance edge/middle/service proxy. External authentication can be bypassed by downstream connections. Downstream clients can force invalid gRPC requests to be sent to ext_authz, circumventing ext_authz checks when failure_mode_allow is set to true. This issue has been addressed in released 1.29.1, 1.28.1, 1.27.3, and 1.26.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVE ID : CVE-2024-23324
Source : security-advisories@github.com
CVSS Score : 8.6

References :
https://github.com/envoyproxy/envoy/commit/29989f6cc8bfd8cd2ffcb7c42711eb02c7a5168a | source : security-advisories@github.com
https://github.com/envoyproxy/envoy/security/advisories/GHSA-gq3v-vvhj-96j6 | source : security-advisories@github.com

Vulnerability : CWE-20


Vulnerability ID : CVE-2024-24820

First published on : 09-02-2024 00:15:08
Last modified on : 09-02-2024 01:37:53

Description :
Icinga Director is a tool designed to make Icinga 2 configuration handling easy. Not any of Icinga Director's configuration forms used to manipulate the monitoring environment are protected against cross site request forgery (CSRF). It enables attackers to perform changes in the monitoring environment managed by Icinga Director without the awareness of the victim. Users of the map module in version 1.x, should immediately upgrade to v2.0. The mentioned XSS vulnerabilities in Icinga Web are already fixed as well and upgrades to the most recent release of the 2.9, 2.10 or 2.11 branch must be performed if not done yet. Any later major release is also suitable. Icinga Director will receive minor updates to the 1.8, 1.9, 1.10 and 1.11 branches to remedy this issue. Upgrade immediately to a patched release. If that is not feasible, disable the director module for the time being.

CVE ID : CVE-2024-24820
Source : security-advisories@github.com
CVSS Score : 8.3

References :
https://blog.mozilla.org/en/mozilla/firefox-rolls-out-total-cookie-protection-by-default-to-all-users-worldwide/ | source : security-advisories@github.com
https://github.com/Icinga/icingaweb2-module-director/security/advisories/GHSA-3mwp-5p5v-j6q3 | source : security-advisories@github.com
https://github.com/Icinga/icingaweb2/issues?q=is%3Aissue++is%3Aclosed+4979+4960+4947 | source : security-advisories@github.com
https://github.com/nbuchwitz/icingaweb2-module-map/pull/86 | source : security-advisories@github.com
https://support.apple.com/en-is/guide/safari/sfri11471/16.0 | source : security-advisories@github.com
https://www.chromium.org/updates/same-site/ | source : security-advisories@github.com

Vulnerability : CWE-352


Vulnerability ID : CVE-2024-23322

First published on : 09-02-2024 23:15:08
Last modified on : 11-02-2024 22:29:15

Description :
Envoy is a high-performance edge/middle/service proxy. Envoy will crash when certain timeouts happen within the same interval. The crash occurs when the following are true: 1. hedge_on_per_try_timeout is enabled, 2. per_try_idle_timeout is enabled (it can only be done in configuration), 3. per-try-timeout is enabled, either through headers or configuration and its value is equal, or within the backoff interval of the per_try_idle_timeout. This issue has been addressed in released 1.29.1, 1.28.1, 1.27.3, and 1.26.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVE ID : CVE-2024-23322
Source : security-advisories@github.com
CVSS Score : 7.5

References :
https://github.com/envoyproxy/envoy/commit/843f9e6a123ed47ce139b421c14e7126f2ac685e | source : security-advisories@github.com
https://github.com/envoyproxy/envoy/security/advisories/GHSA-6p83-mfmh-qv38 | source : security-advisories@github.com

Vulnerability : CWE-416


Vulnerability ID : CVE-2024-23325

First published on : 09-02-2024 23:15:09
Last modified on : 11-02-2024 22:29:15

Description :
Envoy is a high-performance edge/middle/service proxy. Envoy crashes in Proxy protocol when using an address type that isnโ€™t supported by the OS. Envoy is susceptible to crashing on a host with IPv6 disabled and a listener config with proxy protocol enabled when it receives a request where the client presents its IPv6 address. It is valid for a client to present its IPv6 address to a target server even though the whole chain is connected via IPv4. This issue has been addressed in released 1.29.1, 1.28.1, 1.27.3, and 1.26.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVE ID : CVE-2024-23325
Source : security-advisories@github.com
CVSS Score : 7.5

References :
https://github.com/envoyproxy/envoy/commit/bacd3107455b8d387889467725eb72aa0d5b5237 | source : security-advisories@github.com
https://github.com/envoyproxy/envoy/security/advisories/GHSA-5m7c-mrwr-pm26 | source : security-advisories@github.com

Vulnerability : CWE-248
Vulnerability : CWE-755


Vulnerability ID : CVE-2024-23327

First published on : 09-02-2024 23:15:09
Last modified on : 11-02-2024 22:29:15

Description :
Envoy is a high-performance edge/middle/service proxy. When PPv2 is enabled both on a listener and subsequent cluster, the Envoy instance will segfault when attempting to craft the upstream PPv2 header. This occurs when the downstream request has a command type of LOCAL and does not have the protocol block. This issue has been addressed in releases 1.29.1, 1.28.1, 1.27.3, and 1.26.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVE ID : CVE-2024-23327
Source : security-advisories@github.com
CVSS Score : 7.5

References :
https://github.com/envoyproxy/envoy/commit/63895ea8e3cca9c5d3ab4c5c128ed1369969d54a | source : security-advisories@github.com
https://github.com/envoyproxy/envoy/security/advisories/GHSA-4h5x-x9vh-m29j | source : security-advisories@github.com

Vulnerability : CWE-476


Vulnerability ID : CVE-2024-23833

First published on : 12-02-2024 21:15:08
Last modified on : 12-02-2024 21:15:08

Description :
OpenRefine is a free, open source power tool for working with messy data and improving it. A jdbc attack vulnerability exists in OpenRefine(version<=3.7.7) where an attacker may construct a JDBC query which may read files on the host filesystem. Due to the newer MySQL driver library in the latest version of OpenRefine (8.0.30), there is no associated deserialization utilization point, so original code execution cannot be achieved, but attackers can use this vulnerability to read sensitive files on the target server. This issue has been addressed in version 3.7.8. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVE ID : CVE-2024-23833
Source : security-advisories@github.com
CVSS Score : 7.5

References :
https://github.com/OpenRefine/OpenRefine/commit/41ccf574847d856e22488a7c0987ad8efa12a84a | source : security-advisories@github.com
https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-6p92-qfqf-qwx4 | source : security-advisories@github.com

Vulnerability : CWE-22


Source : usom.gov.tr

Vulnerability ID : CVE-2023-6724

First published on : 09-02-2024 13:15:41
Last modified on : 09-02-2024 14:26:32

Description :
Authorization Bypass Through User-Controlled Key vulnerability in Software Engineering Consultancy Machine Equipment Limited Company Hearing Tracking System allows Authentication Abuse.This issue affects Hearing Tracking System: before for IOS 7.0, for Android Latest release 1.0.

CVE ID : CVE-2023-6724
Source : iletisim@usom.gov.tr
CVSS Score : 8.8

References :
https://www.usom.gov.tr/bildirim/tr-24-0099 | source : iletisim@usom.gov.tr

Vulnerability : CWE-639


Source : mitre.org

Vulnerability ID : CVE-2024-25304

First published on : 09-02-2024 13:15:41
Last modified on : 12-02-2024 14:29:11

Description :
Code-projects Simple School Managment System 1.0 allows SQL Injection via the 'apass' parameter at "School/index.php."

CVE ID : CVE-2024-25304
Source : cve@mitre.org
CVSS Score : 8.8

References :
https://github.com/tubakvgc/CVEs/blob/main/Simple%20School%20Management%20System/Simple%20School%20Managment%20System%20-%20SQL%20Injection%20-2.md | source : cve@mitre.org

Vulnerability : CWE-89

Vulnerable product(s) : cpe:2.3:a:code-projects:simple_school_management_system:1.0:*:*:*:*:*:*:*


Vulnerability ID : CVE-2024-25305

First published on : 09-02-2024 13:15:41
Last modified on : 12-02-2024 14:28:56

Description :
Code-projects Simple School Managment System 1.0 allows Authentication Bypass via the username and password parameters at School/index.php.

CVE ID : CVE-2024-25305
Source : cve@mitre.org
CVSS Score : 8.8

References :
https://github.com/tubakvgc/CVEs/blob/main/Simple%20School%20Management%20System/Simple%20School%20Managment%20System%20-%20Authentication%20Bypass.md | source : cve@mitre.org

Vulnerability : CWE-89

Vulnerable product(s) : cpe:2.3:a:code-projects:simple_school_management_system:1.0:*:*:*:*:*:*:*


Vulnerability ID : CVE-2024-25306

First published on : 09-02-2024 13:15:42
Last modified on : 12-02-2024 14:28:41

Description :
Code-projects Simple School Managment System 1.0 allows SQL Injection via the 'aname' parameter at "School/index.php".

CVE ID : CVE-2024-25306
Source : cve@mitre.org
CVSS Score : 8.8

References :
https://github.com/tubakvgc/CVEs/blob/main/Simple%20School%20Management%20System/Simple%20School%20Managment%20System%20-%20SQL%20Injection%20-1.md | source : cve@mitre.org

Vulnerability : CWE-89

Vulnerable product(s) : cpe:2.3:a:code-projects:simple_school_management_system:1.0:*:*:*:*:*:*:*


Vulnerability ID : CVE-2024-25308

First published on : 09-02-2024 13:15:42
Last modified on : 12-02-2024 14:28:27

Description :
Code-projects Simple School Managment System 1.0 allows SQL Injection via the 'name' parameter at School/teacher_login.php.

CVE ID : CVE-2024-25308
Source : cve@mitre.org
CVSS Score : 8.8

References :
https://github.com/tubakvgc/CVEs/blob/main/Simple%20School%20Management%20System/Simple%20School%20Managment%20System%20-%20SQL%20Injection%20-6.md | source : cve@mitre.org

Vulnerability : CWE-89

Vulnerable product(s) : cpe:2.3:a:code-projects:simple_school_management_system:1.0:*:*:*:*:*:*:*


Vulnerability ID : CVE-2024-25309

First published on : 09-02-2024 13:15:42
Last modified on : 12-02-2024 14:28:15

Description :
Code-projects Simple School Managment System 1.0 allows SQL Injection via the 'pass' parameter at School/teacher_login.php.

CVE ID : CVE-2024-25309
Source : cve@mitre.org
CVSS Score : 8.8

References :
https://github.com/tubakvgc/CVEs/blob/main/Simple%20School%20Management%20System/Simple%20School%20Managment%20System%20-%20SQL%20Injection%20-7.md | source : cve@mitre.org

Vulnerability : CWE-89

Vulnerable product(s) : cpe:2.3:a:code-projects:simple_school_management_system:1.0:*:*:*:*:*:*:*


Vulnerability ID : CVE-2024-25312

First published on : 09-02-2024 13:15:42
Last modified on : 12-02-2024 14:27:37

Description :
Code-projects Simple School Managment System 1.0 allows SQL Injection via the 'id' parameter at "School/sub_delete.php?id=5."

CVE ID : CVE-2024-25312
Source : cve@mitre.org
CVSS Score : 8.8

References :
https://github.com/tubakvgc/CVEs/blob/main/Simple%20School%20Management%20System/Simple%20School%20Managment%20System%20-%20SQL%20Injection%20-5.md | source : cve@mitre.org

Vulnerability : CWE-89

Vulnerable product(s) : cpe:2.3:a:code-projects:simple_school_management_system:1.0:*:*:*:*:*:*:*


Vulnerability ID : CVE-2024-25313

First published on : 09-02-2024 13:15:42
Last modified on : 12-02-2024 14:27:16

Description :
Code-projects Simple School Managment System 1.0 allows Authentication Bypass via the username and password parameters at School/teacher_login.php.

CVE ID : CVE-2024-25313
Source : cve@mitre.org
CVSS Score : 8.8

References :
https://github.com/tubakvgc/CVEs/blob/main/Simple%20School%20Management%20System/Simple%20School%20Managment%20System%20-%20Authentication%20Bypass%20-%202.md | source : cve@mitre.org

Vulnerability : CWE-287

Vulnerable product(s) : cpe:2.3:a:code-projects:simple_school_management_system:1.0:*:*:*:*:*:*:*


Vulnerability ID : CVE-2024-25310

First published on : 09-02-2024 14:15:08
Last modified on : 12-02-2024 14:24:40

Description :
Code-projects Simple School Managment System 1.0 allows SQL Injection via the 'id' parameter at "School/delete.php?id=5."

CVE ID : CVE-2024-25310
Source : cve@mitre.org
CVSS Score : 8.8

References :
https://github.com/tubakvgc/CVEs/blob/main/Simple%20School%20Management%20System/Simple%20School%20Managment%20System%20-%20SQL%20Injection%20-3.md | source : cve@mitre.org

Vulnerability : CWE-89

Vulnerable product(s) : cpe:2.3:a:code-projects:simple_school_management_system:1.0:*:*:*:*:*:*:*


Vulnerability ID : CVE-2024-25318

First published on : 09-02-2024 14:15:09
Last modified on : 12-02-2024 21:37:44

Description :
Code-projects Hotel Managment System 1.0 allows SQL Injection via the 'pid' parameter in Hotel/admin/print.php?pid=2.

CVE ID : CVE-2024-25318
Source : cve@mitre.org
CVSS Score : 8.8

References :
https://github.com/tubakvgc/CVEs/blob/main/Hotel%20Managment%20System/Hotel%20Managment%20System%20-%20SQL%20Injection-3.md | source : cve@mitre.org

Vulnerability : CWE-89

Vulnerable product(s) : cpe:2.3:a:hotel_management_system_project:hotel_management_system:1.0:*:*:*:*:*:*:*


Vulnerability ID : CVE-2024-25417

First published on : 11-02-2024 21:15:46
Last modified on : 12-02-2024 21:39:48

Description :
flusity-CMS v2.33 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /core/tools/add_translation.php.

CVE ID : CVE-2024-25417
Source : cve@mitre.org
CVSS Score : 8.8

References :
https://github.com/Carl0724/cms/blob/main/3.md | source : cve@mitre.org

Vulnerability : CWE-352

Vulnerable product(s) : cpe:2.3:a:flusity:flusity:2.33:*:*:*:*:*:*:*


Vulnerability ID : CVE-2024-25418

First published on : 11-02-2024 21:15:46
Last modified on : 12-02-2024 21:39:57

Description :
flusity-CMS v2.33 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /core/tools/delete_menu.php.

CVE ID : CVE-2024-25418
Source : cve@mitre.org
CVSS Score : 8.8

References :
https://github.com/Carl0724/cms/blob/main/2.md | source : cve@mitre.org

Vulnerability : CWE-352

Vulnerable product(s) : cpe:2.3:a:flusity:flusity:2.33:*:*:*:*:*:*:*


Vulnerability ID : CVE-2024-25419

First published on : 11-02-2024 21:15:46
Last modified on : 12-02-2024 21:40:04

Description :
flusity-CMS v2.33 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /core/tools/update_menu.php.

CVE ID : CVE-2024-25419
Source : cve@mitre.org
CVSS Score : 8.8

References :
https://github.com/Carl0724/cms/blob/main/1.md | source : cve@mitre.org

Vulnerability : CWE-352

Vulnerable product(s) : cpe:2.3:a:flusity:flusity:2.33:*:*:*:*:*:*:*


Vulnerability ID : CVE-2023-52427

First published on : 11-02-2024 04:15:08
Last modified on : 12-02-2024 21:39:34

Description :
In OpenDDS through 3.27, there is a segmentation fault for a DataWriter with a large value of resource_limits.max_samples. NOTE: the vendor's position is that the product is not designed to handle a max_samples value that is too large for the amount of memory on the system.

CVE ID : CVE-2023-52427
Source : cve@mitre.org
CVSS Score : 7.5

References :
https://github.com/OpenDDS/OpenDDS/issues/4388 | source : cve@mitre.org

Vulnerability : CWE-770

Vulnerable product(s) : cpe:2.3:a:objectcomputing:opendds:*:*:*:*:*:*:*:*
Vulnerable version(s) : 3.27


Source : wordfence.com

Vulnerability ID : CVE-2024-0594

First published on : 10-02-2024 07:15:07
Last modified on : 11-02-2024 22:29:15

Description :
The Awesome Support โ€“ WordPress HelpDesk & Support Plugin plugin for WordPress is vulnerable to union-based SQL Injection via the 'q' parameter of the wpas_get_users action in all versions up to, and including, 6.1.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVE ID : CVE-2024-0594
Source : security@wordfence.com
CVSS Score : 8.8

References :
https://plugins.trac.wordpress.org/browser/awesome-support/trunk/includes/functions-user.php#L1279 | source : security@wordfence.com
https://plugins.trac.wordpress.org/browser/awesome-support/trunk/includes/functions-user.php#L765 | source : security@wordfence.com
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3033134%40awesome-support&new=3033134%40awesome-support&sfp_email=&sfph_mail= | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/8494a0f6-7079-4fba-9901-76932b002c5a?source=cve | source : security@wordfence.com


Vulnerability ID : CVE-2024-0842

First published on : 09-02-2024 05:15:08
Last modified on : 09-02-2024 14:31:23

Description :
The Backuply โ€“ Backup, Restore, Migrate and Clone plugin for WordPress is vulnerable to Denial of Service in all versions up to, and including, 1.2.5. This is due to direct access of the backuply/restore_ins.php file and. This makes it possible for unauthenticated attackers to make excessive requests that result in the server running out of resources.

CVE ID : CVE-2024-0842
Source : security@wordfence.com
CVSS Score : 7.5

References :
https://plugins.trac.wordpress.org/changeset/3033242/backuply/trunk/restore_ins.php | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/1f955d88-ab4c-4cf4-a23b-91119d412716?source=cve | source : security@wordfence.com


Source : patchstack.com

Vulnerability ID : CVE-2024-23513

First published on : 12-02-2024 08:15:40
Last modified on : 12-02-2024 14:19:54

Description :
Deserialization of Untrusted Data vulnerability in PropertyHive.This issue affects PropertyHive: from n/a through 2.0.5.

CVE ID : CVE-2024-23513
Source : audit@patchstack.com
CVSS Score : 8.7

References :
https://patchstack.com/database/vulnerability/propertyhive/wordpress-propertyhive-plugin-2-0-5-php-object-injection-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-502


Vulnerability ID : CVE-2024-23512

First published on : 12-02-2024 09:15:11
Last modified on : 12-02-2024 14:19:54

Description :
Deserialization of Untrusted Data vulnerability in wpxpo ProductX โ€“ WooCommerce Builder & Gutenberg WooCommerce Blocks.This issue affects ProductX โ€“ WooCommerce Builder & Gutenberg WooCommerce Blocks: from n/a through 3.1.4.

CVE ID : CVE-2024-23512
Source : audit@patchstack.com
CVSS Score : 8.7

References :
https://patchstack.com/database/vulnerability/product-blocks/wordpress-productx-plugin-3-1-4-php-object-injection-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-502


Vulnerability ID : CVE-2024-24796

First published on : 12-02-2024 08:15:40
Last modified on : 12-02-2024 14:19:54

Description :
Deserialization of Untrusted Data vulnerability in MagePeople Team Event Manager and Tickets Selling Plugin for WooCommerce โ€“ WpEvently โ€“ WordPress Plugin.This issue affects Event Manager and Tickets Selling Plugin for WooCommerce โ€“ WpEvently โ€“ WordPress Plugin: from n/a through 4.1.1.

CVE ID : CVE-2024-24796
Source : audit@patchstack.com
CVSS Score : 8.2

References :
https://patchstack.com/database/vulnerability/mage-eventpress/wordpress-wpevently-plugin-4-1-1-php-object-injection-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-502


Vulnerability ID : CVE-2024-24926

First published on : 12-02-2024 08:15:41
Last modified on : 12-02-2024 14:19:54

Description :
Deserialization of Untrusted Data vulnerability in UnitedThemes Brooklyn | Creative Multi-Purpose Responsive WordPress Theme.This issue affects Brooklyn | Creative Multi-Purpose Responsive WordPress Theme: from n/a through 4.9.7.6.

CVE ID : CVE-2024-24926
Source : audit@patchstack.com
CVSS Score : 7.5

References :
https://patchstack.com/database/vulnerability/brooklyn/wordpress-brooklyn-theme-4-9-7-6-php-object-injection-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-502


Vulnerability ID : CVE-2023-51488

First published on : 10-02-2024 09:15:08
Last modified on : 11-02-2024 22:29:15

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic, Inc. Crowdsignal Dashboard โ€“ Polls, Surveys & more allows Reflected XSS.This issue affects Crowdsignal Dashboard โ€“ Polls, Surveys & more: from n/a through 3.0.11.

CVE ID : CVE-2023-51488
Source : audit@patchstack.com
CVSS Score : 7.1

References :
https://patchstack.com/database/vulnerability/polldaddy/wordpress-crowdsignal-polls-ratings-plugin-3-0-11-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-24927

First published on : 12-02-2024 06:15:08
Last modified on : 12-02-2024 14:20:03

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in UnitedThemes Brooklyn | Creative Multi-Purpose Responsive WordPress Theme allows Reflected XSS.This issue affects Brooklyn | Creative Multi-Purpose Responsive WordPress Theme: from n/a through 4.9.7.6.

CVE ID : CVE-2024-24927
Source : audit@patchstack.com
CVSS Score : 7.1

References :
https://patchstack.com/database/vulnerability/brooklyn/wordpress-brooklyn-theme-4-9-7-6-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-24932

First published on : 12-02-2024 06:15:08
Last modified on : 12-02-2024 14:20:03

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Djo VK Poster Group allows Reflected XSS.This issue affects VK Poster Group: from n/a through 2.0.3.

CVE ID : CVE-2024-24932
Source : audit@patchstack.com
CVSS Score : 7.1

References :
https://patchstack.com/database/vulnerability/vk-poster-group/wordpress-vk-poster-group-plugin-2-0-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-24933

First published on : 12-02-2024 06:15:09
Last modified on : 12-02-2024 14:20:03

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Prasidhda Malla Honeypot for WP Comment allows Reflected XSS.This issue affects Honeypot for WP Comment: from n/a through 2.2.3.

CVE ID : CVE-2024-24933
Source : audit@patchstack.com
CVSS Score : 7.1

References :
https://patchstack.com/database/vulnerability/honeypot-for-wp-comment/wordpress-honeypot-for-wp-comment-plugin-2-2-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Source : hq.dhs.gov

Vulnerability ID : CVE-2023-51761

First published on : 09-02-2024 04:15:08
Last modified on : 09-02-2024 14:31:23

Description :
In Emerson Rosemount GC370XA, GC700XA, and GC1500XA products, an unauthenticated user with network access could bypass authentication and acquire admin capabilities.

CVE ID : CVE-2023-51761
Source : ics-cert@hq.dhs.gov
CVSS Score : 8.3

References :
https://www.cisa.gov/news-events/ics-advisories/icsa-24-030-01 | source : ics-cert@hq.dhs.gov
https://www.emerson.com/documents/automation/security-notification-emerson-gas-chromatographs-cyber-security-notification-icsa-24-030-01-en-10103910.pdf | source : ics-cert@hq.dhs.gov

Vulnerability : CWE-287


Source : us.ibm.com

Vulnerability ID : CVE-2023-50957

First published on : 10-02-2024 16:15:07
Last modified on : 11-02-2024 22:29:15

Description :
IBM Storage Defender - Resiliency Service 2.0 could allow a privileged user to perform unauthorized actions after obtaining encrypted data from clear text key storage. IBM X-Force ID: 275783.

CVE ID : CVE-2023-50957
Source : psirt@us.ibm.com
CVSS Score : 8.0

References :
https://exchange.xforce.ibmcloud.com/vulnerabilities/275783 | source : psirt@us.ibm.com
https://www.ibm.com/support/pages/node/7115261 | source : psirt@us.ibm.com

Vulnerability : CWE-269


Vulnerability ID : CVE-2023-45191

First published on : 09-02-2024 01:15:08
Last modified on : 09-02-2024 01:37:53

Description :
IBM Engineering Lifecycle Optimization 7.0.2 and 7.0.3 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 268755.

CVE ID : CVE-2023-45191
Source : psirt@us.ibm.com
CVSS Score : 7.5

References :
https://exchange.xforce.ibmcloud.com/vulnerabilities/268755 | source : psirt@us.ibm.com
https://www.ibm.com/support/pages/node/7116045 | source : psirt@us.ibm.com

Vulnerability : CWE-307


Source : redhat.com

Vulnerability ID : CVE-2024-0229

First published on : 09-02-2024 07:16:00
Last modified on : 09-02-2024 14:31:23

Description :
An out-of-bounds memory access flaw was found in the X.Org server. This issue can be triggered when a device frozen by a sync grab is reattached to a different master device. This issue may lead to an application crash, local privilege escalation (if the server runs with extended privileges), or remote code execution in SSH X11 forwarding environments.

CVE ID : CVE-2024-0229
Source : secalert@redhat.com
CVSS Score : 7.8

References :
https://access.redhat.com/errata/RHSA-2024:0320 | source : secalert@redhat.com
https://access.redhat.com/errata/RHSA-2024:0557 | source : secalert@redhat.com
https://access.redhat.com/errata/RHSA-2024:0558 | source : secalert@redhat.com
https://access.redhat.com/errata/RHSA-2024:0597 | source : secalert@redhat.com
https://access.redhat.com/errata/RHSA-2024:0607 | source : secalert@redhat.com
https://access.redhat.com/errata/RHSA-2024:0614 | source : secalert@redhat.com
https://access.redhat.com/errata/RHSA-2024:0617 | source : secalert@redhat.com
https://access.redhat.com/errata/RHSA-2024:0621 | source : secalert@redhat.com
https://access.redhat.com/errata/RHSA-2024:0626 | source : secalert@redhat.com
https://access.redhat.com/errata/RHSA-2024:0629 | source : secalert@redhat.com
https://access.redhat.com/security/cve/CVE-2024-0229 | source : secalert@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2256690 | source : secalert@redhat.com

Vulnerability : CWE-788


Source : emc.com

Vulnerability ID : CVE-2024-0164

First published on : 12-02-2024 19:15:09
Last modified on : 12-02-2024 20:39:09

Description :
Dell Unity, versions prior to 5.4, contain an OS Command Injection Vulnerability in its svc_topstats utility. An authenticated attacker could potentially exploit this vulnerability, leading to the execution of arbitrary commands with elevated privileges.

CVE ID : CVE-2024-0164
Source : security_alert@emc.com
CVSS Score : 7.8

References :
https://www.dell.com/support/kbdoc/en-us/000222010/dsa-2024-042-dell-unity-dell-unity-vsa-and-dell-unity-xt-security-update-for-multiple-vulnerabilities | source : security_alert@emc.com

Vulnerability : CWE-78


Vulnerability ID : CVE-2024-0165

First published on : 12-02-2024 19:15:09
Last modified on : 12-02-2024 20:39:09

Description :
Dell Unity, versions prior to 5.4, contains an OS Command Injection Vulnerability in its svc_acldb_dump utility. An authenticated attacker could potentially exploit this vulnerability, leading to execution of arbitrary operating system commands with root privileges.

CVE ID : CVE-2024-0165
Source : security_alert@emc.com
CVSS Score : 7.8

References :
https://www.dell.com/support/kbdoc/en-us/000222010/dsa-2024-042-dell-unity-dell-unity-vsa-and-dell-unity-xt-security-update-for-multiple-vulnerabilities | source : security_alert@emc.com

Vulnerability : CWE-78


Vulnerability ID : CVE-2024-0166

First published on : 12-02-2024 19:15:09
Last modified on : 12-02-2024 20:39:09

Description :
Dell Unity, versions prior to 5.4, contains an OS Command Injection Vulnerability in its svc_tcpdump utility. An authenticated attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands with elevated privileges.

CVE ID : CVE-2024-0166
Source : security_alert@emc.com
CVSS Score : 7.8

References :
https://www.dell.com/support/kbdoc/en-us/000222010/dsa-2024-042-dell-unity-dell-unity-vsa-and-dell-unity-xt-security-update-for-multiple-vulnerabilities | source : security_alert@emc.com


Vulnerability ID : CVE-2024-0167

First published on : 12-02-2024 19:15:10
Last modified on : 12-02-2024 20:39:09

Description :
Dell Unity, versions prior to 5.4, contains an OS Command Injection Vulnerability in the svc_topstats utility. An authenticated attacker could potentially exploit this vulnerability, leading to the ability to overwrite arbitrary files on the file system with root privileges.

CVE ID : CVE-2024-0167
Source : security_alert@emc.com
CVSS Score : 7.8

References :
https://www.dell.com/support/kbdoc/en-us/000222010/dsa-2024-042-dell-unity-dell-unity-vsa-and-dell-unity-xt-security-update-for-multiple-vulnerabilities | source : security_alert@emc.com

Vulnerability : CWE-78


Vulnerability ID : CVE-2024-0168

First published on : 12-02-2024 19:15:10
Last modified on : 12-02-2024 20:39:09

Description :
Dell Unity, versions prior to 5.4, contains a Command Injection Vulnerability in svc_oscheck utility. An authenticated attacker could potentially exploit this vulnerability, leading to the ability to inject arbitrary operating system commands. This vulnerability allows an authenticated attacker to execute commands with root privileges.

CVE ID : CVE-2024-0168
Source : security_alert@emc.com
CVSS Score : 7.8

References :
https://www.dell.com/support/kbdoc/en-us/000222010/dsa-2024-042-dell-unity-dell-unity-vsa-and-dell-unity-xt-security-update-for-multiple-vulnerabilities | source : security_alert@emc.com

Vulnerability : CWE-78


Vulnerability ID : CVE-2024-0170

First published on : 12-02-2024 19:15:10
Last modified on : 12-02-2024 20:39:09

Description :
Dell Unity, versions prior to 5.4, contains an OS Command Injection Vulnerability in its svc_cava utility. An authenticated attacker could potentially exploit this vulnerability, escaping the restricted shell and execute arbitrary operating system commands with root privileges.

CVE ID : CVE-2024-0170
Source : security_alert@emc.com
CVSS Score : 7.8

References :
https://www.dell.com/support/kbdoc/en-us/000222010/dsa-2024-042-dell-unity-dell-unity-vsa-and-dell-unity-xt-security-update-for-multiple-vulnerabilities | source : security_alert@emc.com

Vulnerability : CWE-78


Vulnerability ID : CVE-2024-22222

First published on : 12-02-2024 19:15:11
Last modified on : 12-02-2024 20:39:09

Description :
Dell Unity, versions prior to 5.4, contains an OS Command Injection Vulnerability within its svc_udoctor utility. An authenticated malicious user with local access could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application.

CVE ID : CVE-2024-22222
Source : security_alert@emc.com
CVSS Score : 7.8

References :
https://www.dell.com/support/kbdoc/en-us/000222010/dsa-2024-042-dell-unity-dell-unity-vsa-and-dell-unity-xt-security-update-for-multiple-vulnerabilities | source : security_alert@emc.com

Vulnerability : CWE-78


Vulnerability ID : CVE-2024-22223

First published on : 12-02-2024 19:15:11
Last modified on : 12-02-2024 20:39:09

Description :
Dell Unity, versions prior to 5.4, contains an OS Command Injection Vulnerability within its svc_cbr utility. An authenticated malicious user with local access could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application.

CVE ID : CVE-2024-22223
Source : security_alert@emc.com
CVSS Score : 7.8

References :
https://www.dell.com/support/kbdoc/en-us/000222010/dsa-2024-042-dell-unity-dell-unity-vsa-and-dell-unity-xt-security-update-for-multiple-vulnerabilities | source : security_alert@emc.com

Vulnerability : CWE-78


Vulnerability ID : CVE-2024-22224

First published on : 12-02-2024 19:15:11
Last modified on : 12-02-2024 20:39:09

Description :
Dell Unity, versions prior to 5.4, contains an OS Command Injection Vulnerability in its svc_nas utility. An authenticated attacker could potentially exploit this vulnerability, escaping the restricted shell and execute arbitrary operating system commands with root privileges.

CVE ID : CVE-2024-22224
Source : security_alert@emc.com
CVSS Score : 7.8

References :
https://www.dell.com/support/kbdoc/en-us/000222010/dsa-2024-042-dell-unity-dell-unity-vsa-and-dell-unity-xt-security-update-for-multiple-vulnerabilities | source : security_alert@emc.com

Vulnerability : CWE-78


Vulnerability ID : CVE-2024-22225

First published on : 12-02-2024 19:15:11
Last modified on : 12-02-2024 20:39:09

Description :
Dell Unity, versions prior to 5.4, contains an OS Command Injection Vulnerability in its svc_supportassist utility. An authenticated attacker could potentially exploit this vulnerability, leading to execution of arbitrary operating system commands with root privileges.

CVE ID : CVE-2024-22225
Source : security_alert@emc.com
CVSS Score : 7.8

References :
https://www.dell.com/support/kbdoc/en-us/000222010/dsa-2024-042-dell-unity-dell-unity-vsa-and-dell-unity-xt-security-update-for-multiple-vulnerabilities | source : security_alert@emc.com

Vulnerability : CWE-78


Vulnerability ID : CVE-2024-22227

First published on : 12-02-2024 19:15:12
Last modified on : 12-02-2024 20:39:09

Description :
Dell Unity, versions prior to 5.4, contains an OS Command Injection Vulnerability in its svc_dc utility. An authenticated attacker could potentially exploit this vulnerability, leading to the ability execute commands with root privileges.

CVE ID : CVE-2024-22227
Source : security_alert@emc.com
CVSS Score : 7.8

References :
https://www.dell.com/support/kbdoc/en-us/000222010/dsa-2024-042-dell-unity-dell-unity-vsa-and-dell-unity-xt-security-update-for-multiple-vulnerabilities | source : security_alert@emc.com

Vulnerability : CWE-78


Vulnerability ID : CVE-2024-22228

First published on : 12-02-2024 19:15:12
Last modified on : 12-02-2024 20:39:09

Description :
Dell Unity, versions prior to 5.4, contains an OS Command Injection Vulnerability in its svc_cifssupport utility. An authenticated attacker could potentially exploit this vulnerability, escaping the restricted shell and execute arbitrary operating system commands with root privileges.

CVE ID : CVE-2024-22228
Source : security_alert@emc.com
CVSS Score : 7.8

References :
https://www.dell.com/support/kbdoc/en-us/000222010/dsa-2024-042-dell-unity-dell-unity-vsa-and-dell-unity-xt-security-update-for-multiple-vulnerabilities | source : security_alert@emc.com

Vulnerability : CWE-78


Source : snyk.io

Vulnerability ID : CVE-2024-21490

First published on : 10-02-2024 05:15:08
Last modified on : 11-02-2024 22:29:15

Description :
This affects versions of the package angular from 1.3.0. A regular expression used to split the value of the ng-srcset directive is vulnerable to super-linear runtime due to backtracking. With a large carefully-crafted input, this can result in catastrophic backtracking and cause a denial of service. **Note:** This package is EOL and will not receive any updates to address this issue. Users should migrate to [@angular/core](https://www.npmjs.com/package/@angular/core).

CVE ID : CVE-2024-21490
Source : report@snyk.io
CVSS Score : 7.5

References :
https://security.snyk.io/vuln/SNYK-JS-ANGULAR-6091113 | source : report@snyk.io
https://stackblitz.com/edit/angularjs-vulnerability-ng-srcset-redos | source : report@snyk.io

Vulnerability : CWE-1333


Source : open-xchange.com

Vulnerability ID : CVE-2023-41704

First published on : 12-02-2024 09:15:10
Last modified on : 12-02-2024 14:19:54

Description :
Processing of CID references at E-Mail can be abused to inject malicious script code that passes the sanitization engine. Malicious script code could be injected to a users sessions when interacting with E-Mails. Please deploy the provided updates and patch releases. CID handing has been improved and resulting content is checked for malicious content. No publicly available exploits are known.

CVE ID : CVE-2023-41704
Source : security@open-xchange.com
CVSS Score : 7.1

References :
https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0007.json | source : security@open-xchange.com
https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6259_7.10.6_2023-12-11.pdf | source : security@open-xchange.com

Vulnerability : CWE-79


(90) MEDIUM VULNERABILITIES [4.0, 6.9]

Source : hq.dhs.gov

Vulnerability ID : CVE-2023-43609

First published on : 09-02-2024 04:15:07
Last modified on : 09-02-2024 14:31:23

Description :
In Emerson Rosemount GC370XA, GC700XA, and GC1500XA products, an unauthenticated user with network access could obtain access to sensitive information or cause a denial-of-service condition.

CVE ID : CVE-2023-43609
Source : ics-cert@hq.dhs.gov
CVSS Score : 6.9

References :
https://www.cisa.gov/news-events/ics-advisories/icsa-24-030-01 | source : ics-cert@hq.dhs.gov
https://www.emerson.com/documents/automation/security-notification-emerson-gas-chromatographs-cyber-security-notification-icsa-24-030-01-en-10103910.pdf | source : ics-cert@hq.dhs.gov

Vulnerability : CWE-285


Vulnerability ID : CVE-2023-49716

First published on : 09-02-2024 04:15:08
Last modified on : 09-02-2024 14:31:23

Description :
In Emerson Rosemount GC370XA, GC700XA, and GC1500XA products, an authenticated user with network access could run arbitrary commands from a remote computer.

CVE ID : CVE-2023-49716
Source : ics-cert@hq.dhs.gov
CVSS Score : 6.9

References :
https://www.cisa.gov/news-events/ics-advisories/icsa-24-030-01 | source : ics-cert@hq.dhs.gov
https://www.emerson.com/documents/automation/security-notification-emerson-gas-chromatographs-cyber-security-notification-icsa-24-030-01-en-10103910.pdf | source : ics-cert@hq.dhs.gov

Vulnerability : CWE-77


Source : github.com

Vulnerability ID : CVE-2024-24828

First published on : 09-02-2024 23:15:09
Last modified on : 11-02-2024 22:29:15

Description :
pkg is tool design to bundle Node.js projects into an executables. Any native code packages built by `pkg` are written to a hardcoded directory. On unix systems, this is `/tmp/pkg/*` which is a shared directory for all users on the same local system. There is no uniqueness to the package names within this directory, they are predictable. An attacker who has access to the same local system has the ability to replace the genuine executables in the shared directory with malicious executables of the same name. A user may then run the malicious executable without realising it has been modified. This package is deprecated. Therefore, there will not be a patch provided for this vulnerability. To check if your executable build by pkg depends on native code and is vulnerable, run the executable and check if `/tmp/pkg/` was created. Users should transition to actively maintained alternatives. We would recommend investigating Node.js 21โ€™s support for single executable applications. Given the decision to deprecate the pkg package, there are no official workarounds or remediations provided by our team. Users should prioritize migrating to other packages that offer similar functionality with enhanced security.

CVE ID : CVE-2024-24828
Source : security-advisories@github.com
CVSS Score : 6.6

References :
https://github.com/vercel/pkg/security/advisories/GHSA-22r3-9w55-cj54 | source : security-advisories@github.com
https://nodejs.org/api/single-executable-applications.html | source : security-advisories@github.com

Vulnerability : CWE-276


Vulnerability ID : CVE-2024-25109

First published on : 09-02-2024 23:15:10
Last modified on : 11-02-2024 22:29:15

Description :
ManageWiki is a MediaWiki extension allowing users to manage wikis. Special:ManageWiki does not escape escape interface messages on the `columns` and `help` keys on the form descriptor. An attacker may exploit this and would have a cross site scripting attack vector. Exploiting this on-wiki requires the `(editinterface)` right. Users should apply the code changes in commits `886cc6b94`, `2ef0f50880`, and `6942e8b2c` to resolve this vulnerability. There are no known workarounds for this vulnerability.

CVE ID : CVE-2024-25109
Source : security-advisories@github.com
CVSS Score : 6.5

References :
https://github.com/miraheze/ManageWiki/commit/2ef0f50880d7695ca2874dc8dd515b2b9bbb02e5 | source : security-advisories@github.com
https://github.com/miraheze/ManageWiki/commit/6942e8b2c01dc33c2c41a471f91ef3f6ca726073 | source : security-advisories@github.com
https://github.com/miraheze/ManageWiki/commit/886cc6b94587f1c7387caa26ca9fe612e01836a0 | source : security-advisories@github.com
https://github.com/miraheze/ManageWiki/security/advisories/GHSA-4jr2-jhfm-2r84 | source : security-advisories@github.com
https://issue-tracker.miraheze.org/T11812 | source : security-advisories@github.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-21624

First published on : 09-02-2024 23:15:08
Last modified on : 11-02-2024 22:29:15

Description :
nonebot2 is a cross-platform Python asynchronous chatbot framework written in Python. This security advisory pertains to a potential information leak (e.g., environment variables) in instances where developers utilize `MessageTemplate` and incorporate user-provided data into templates. The identified vulnerability has been remedied in pull request #2509 and will be included in versions released from 2.2.0. Users are strongly advised to upgrade to these patched versions to safeguard against the vulnerability. A temporary workaround involves filtering underscores before incorporating user input into the message template.

CVE ID : CVE-2024-21624
Source : security-advisories@github.com
CVSS Score : 5.7

References :
https://github.com/nonebot/nonebot2/pull/2509 | source : security-advisories@github.com
https://github.com/nonebot/nonebot2/security/advisories/GHSA-59j8-776v-xxxg | source : security-advisories@github.com

Vulnerability : CWE-200


Vulnerability ID : CVE-2024-24819

First published on : 09-02-2024 01:15:10
Last modified on : 09-02-2024 01:37:53

Description :
icingaweb2-module-incubator is a working project of bleeding edge Icinga Web 2 libraries. In affected versions the class `gipfl\Web\Form` is the base for various concrete form implementations [1] and provides protection against cross site request forgery (CSRF) by default. This is done by automatically adding an element with a CSRF token to any form, unless explicitly disabled, but even if enabled, the CSRF token (sent during a client's submission of a form relying on it) is not validated. This enables attackers to perform changes on behalf of a user which, unknowingly, interacts with a prepared link or website. The version 0.22.0 is available to remedy this issue. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVE ID : CVE-2024-24819
Source : security-advisories@github.com
CVSS Score : 5.3

References :
https://github.com/Icinga/icingaweb2-module-incubator/commit/db7dc49585fee0b4e96be666d7f6009a74a1ccb5 | source : security-advisories@github.com
https://github.com/Icinga/icingaweb2-module-incubator/security/advisories/GHSA-p8vv-9pqq-rm8p | source : security-advisories@github.com
https://github.com/search?q=gipfl%5CWeb%5CForm%3B&type=code | source : security-advisories@github.com

Vulnerability : CWE-352


Vulnerability ID : CVE-2024-23639

First published on : 09-02-2024 01:15:09
Last modified on : 09-02-2024 01:37:53

Description :
Micronaut Framework is a modern, JVM-based, full stack Java framework designed for building modular, easily testable JVM applications with support for Java, Kotlin and the Groovy language. Enabled but unsecured management endpoints are susceptible to drive-by localhost attacks. While not typical of a production application, these attacks may have more impact on a development environment where such endpoints may be flipped on without much thought. A malicious/compromised website can make HTTP requests to `localhost`. Normally, such requests would trigger a CORS preflight check which would prevent the request; however, some requests are "simple" and do not require a preflight check. These endpoints, if enabled and not secured, are vulnerable to being triggered. Production environments typically disable unused endpoints and secure/restrict access to needed endpoints. A more likely victim is the developer in their local development host, who has enabled endpoints without security for the sake of easing development. This issue has been addressed in version 3.8.3. Users are advised to upgrade.

CVE ID : CVE-2024-23639
Source : security-advisories@github.com
CVSS Score : 5.1

References :
https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests | source : security-advisories@github.com
https://github.com/micronaut-projects/micronaut-core/security/advisories/GHSA-583g-g682-crxf | source : security-advisories@github.com

Vulnerability : CWE-15
Vulnerability : CWE-610
Vulnerability : CWE-664


Vulnerability ID : CVE-2024-24829

First published on : 09-02-2024 00:15:09
Last modified on : 09-02-2024 01:37:53

Description :
Sentry is an error tracking and performance monitoring platform. Sentryโ€™s integration platform provides a way for external services to interact with Sentry. One of such integrations, the Phabricator integration (maintained by Sentry) with version <=24.1.1 contains a constrained SSRF vulnerability. An attacker could make Sentry send POST HTTP requests to arbitrary URLs (including internal IP addresses) by providing an unsanitized input to the Phabricator integration. However, the body payload is constrained to a specific format. If an attacker has access to a Sentry instance, this allows them to: 1. interact with internal network; 2. scan local/remote ports. This issue has been fixed in Sentry self-hosted release 24.1.2, and has already been mitigated on sentry.io on February 8. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVE ID : CVE-2024-24829
Source : security-advisories@github.com
CVSS Score : 4.3

References :
https://github.com/getsentry/self-hosted/releases/tag/24.1.2 | source : security-advisories@github.com
https://github.com/getsentry/sentry/pull/64882 | source : security-advisories@github.com
https://github.com/getsentry/sentry/security/advisories/GHSA-rqxh-fp9p-p98r | source : security-advisories@github.com

Vulnerability : CWE-918


Vulnerability ID : CVE-2024-23323

First published on : 09-02-2024 23:15:08
Last modified on : 11-02-2024 22:29:15

Description :
Envoy is a high-performance edge/middle/service proxy. The regex expression is compiled for every request and can result in high CPU usage and increased request latency when multiple routes are configured with such matchers. This issue has been addressed in released 1.29.1, 1.28.1, 1.27.3, and 1.26.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVE ID : CVE-2024-23323
Source : security-advisories@github.com
CVSS Score : 4.3

References :
https://github.com/envoyproxy/envoy/commit/71eeee8f0f0132f39e402b0ee23b361ee2f4e645 | source : security-advisories@github.com
https://github.com/envoyproxy/envoy/security/advisories/GHSA-x278-4w4x-r7ch | source : security-advisories@github.com

Vulnerability : CWE-1176
Vulnerability : CWE-400


Source : us.ibm.com

Vulnerability ID : CVE-2023-32341

First published on : 09-02-2024 01:15:08
Last modified on : 09-02-2024 01:37:53

Description :
IBM Sterling B2B Integrator 6.0.0.0 through 6.0.3.8 and 6.1.0.0 through 6.1.2.3 could allow an authenticated user to cause a denial of service due to uncontrolled resource consumption. IBM X-Force ID: 255827.

CVE ID : CVE-2023-32341
Source : psirt@us.ibm.com
CVSS Score : 6.5

References :
https://exchange.xforce.ibmcloud.com/vulnerabilities/255827 | source : psirt@us.ibm.com
https://www.ibm.com/support/pages/node/7116081 | source : psirt@us.ibm.com

Vulnerability : CWE-400


Vulnerability ID : CVE-2024-22332

First published on : 09-02-2024 01:15:09
Last modified on : 09-02-2024 01:37:53

Description :
The IBM Integration Bus for z/OS 10.1 through 10.1.0.2 AdminAPI is vulnerable to a denial of service due to file system exhaustion. IBM X-Force ID: 279972.

CVE ID : CVE-2024-22332
Source : psirt@us.ibm.com
CVSS Score : 6.5

References :
https://exchange.xforce.ibmcloud.com/vulnerabilities/279972 | source : psirt@us.ibm.com
https://https://www.ibm.com/support/pages/node/7116046 | source : psirt@us.ibm.com

Vulnerability : CWE-434


Vulnerability ID : CVE-2023-45187

First published on : 09-02-2024 01:15:08
Last modified on : 09-02-2024 01:37:53

Description :
IBM Engineering Lifecycle Optimization - Publishing 7.0.2 and 7.0.3 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 268749.

CVE ID : CVE-2023-45187
Source : psirt@us.ibm.com
CVSS Score : 6.3

References :
https://exchange.xforce.ibmcloud.com/vulnerabilities/268749 | source : psirt@us.ibm.com
https://www.ibm.com/support/pages/node/7116045 | source : psirt@us.ibm.com

Vulnerability : CWE-613


Vulnerability ID : CVE-2024-22313

First published on : 10-02-2024 16:15:08
Last modified on : 11-02-2024 22:29:15

Description :
IBM Storage Defender - Resiliency Service 2.0 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 278749.

CVE ID : CVE-2024-22313
Source : psirt@us.ibm.com
CVSS Score : 6.2

References :
https://exchange.xforce.ibmcloud.com/vulnerabilities/278749 | source : psirt@us.ibm.com
https://www.ibm.com/support/pages/node/7115261 | source : psirt@us.ibm.com

Vulnerability : CWE-798


Vulnerability ID : CVE-2024-22361

First published on : 10-02-2024 15:15:35
Last modified on : 11-02-2024 22:29:15

Description :
IBM Semeru Runtime 8.0.302.0 through 8.0.392.0, 11.0.12.0 through 11.0.21.0, 17.0.1.0 - 17.0.9.0, and 21.0.1.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 281222.

CVE ID : CVE-2024-22361
Source : psirt@us.ibm.com
CVSS Score : 5.9

References :
https://exchange.xforce.ibmcloud.com/vulnerabilities/281222 | source : psirt@us.ibm.com
https://www.ibm.com/support/pages/node/7116431 | source : psirt@us.ibm.com

Vulnerability : CWE-327


Vulnerability ID : CVE-2022-34310

First published on : 12-02-2024 18:15:07
Last modified on : 12-02-2024 20:39:15

Description :
IBM CICS TX Standard and Advanced 11.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 229441.

CVE ID : CVE-2022-34310
Source : psirt@us.ibm.com
CVSS Score : 5.9

References :
https://exchange.xforce.ibmcloud.com/vulnerabilities/229441 | source : psirt@us.ibm.com
https://www.ibm.com/support/pages/node/6832922 | source : psirt@us.ibm.com
https://www.ibm.com/support/pages/node/6832924 | source : psirt@us.ibm.com

Vulnerability : CWE-327


Vulnerability ID : CVE-2022-34309

First published on : 12-02-2024 19:15:08
Last modified on : 12-02-2024 20:39:15

Description :
IBM CICS TX Standard and Advanced 11.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 229440.

CVE ID : CVE-2022-34309
Source : psirt@us.ibm.com
CVSS Score : 5.9

References :
https://exchange.xforce.ibmcloud.com/vulnerabilities/229440 | source : psirt@us.ibm.com
https://www.ibm.com/support/pages/node/6832814 | source : psirt@us.ibm.com
https://www.ibm.com/support/pages/node/6832918 | source : psirt@us.ibm.com

Vulnerability : CWE-327


Vulnerability ID : CVE-2023-45190

First published on : 09-02-2024 01:15:08
Last modified on : 09-02-2024 01:37:53

Description :
IBM Engineering Lifecycle Optimization 7.0.2 and 7.0.3 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. IBM X-Force ID: 268754.

CVE ID : CVE-2023-45190
Source : psirt@us.ibm.com
CVSS Score : 5.1

References :
https://exchange.xforce.ibmcloud.com/vulnerabilities/268754 | source : psirt@us.ibm.com
https://www.ibm.com/support/pages/node/7116045 | source : psirt@us.ibm.com


Vulnerability ID : CVE-2024-22318

First published on : 09-02-2024 01:15:09
Last modified on : 09-02-2024 18:15:08

Description :
IBM i Access Client Solutions (ACS) 1.1.2 through 1.1.4 and 1.1.4.3 through 1.1.9.4 is vulnerable to NT LAN Manager (NTLM) hash disclosure by an attacker modifying UNC capable paths within ACS configuration files to point to a hostile server. If NTLM is enabled, the Windows operating system will try to authenticate using the current user's session. The hostile server could capture the NTLM hash information to obtain the user's credentials. IBM X-Force ID: 279091.

CVE ID : CVE-2024-22318
Source : psirt@us.ibm.com
CVSS Score : 5.1

References :
http://packetstormsecurity.com/files/177069/IBM-i-Access-Client-Solutions-Remote-Credential-Theft.html | source : psirt@us.ibm.com
https://exchange.xforce.ibmcloud.com/vulnerabilities/279091 | source : psirt@us.ibm.com
https://www.ibm.com/support/pages/node/7116091 | source : psirt@us.ibm.com

Vulnerability : CWE-200


Vulnerability ID : CVE-2022-38714

First published on : 12-02-2024 18:15:08
Last modified on : 12-02-2024 20:39:15

Description :
IBM DataStage on Cloud Pak for Data 4.0.6 to 4.5.2 stores sensitive credential information that can be read by a privileged user. IBM X-Force ID: 235060.

CVE ID : CVE-2022-38714
Source : psirt@us.ibm.com
CVSS Score : 4.9

References :
https://exchange.xforce.ibmcloud.com/vulnerabilities/235060 | source : psirt@us.ibm.com
https://www.ibm.com/support/pages/node/6618039 | source : psirt@us.ibm.com


Vulnerability ID : CVE-2022-22506

First published on : 12-02-2024 20:15:08
Last modified on : 12-02-2024 20:39:09

Description :
IBM Robotic Process Automation 21.0.2 contains a vulnerability that could allow user ids may be exposed across tenants. IBM X-Force ID: 227293.

CVE ID : CVE-2022-22506
Source : psirt@us.ibm.com
CVSS Score : 4.6

References :
https://exchange.xforce.ibmcloud.com/vulnerabilities/227293 | source : psirt@us.ibm.com
https://www.ibm.com/support/pages/node/6591237 | source : psirt@us.ibm.com

Vulnerability : CWE-200


Vulnerability ID : CVE-2024-22312

First published on : 10-02-2024 16:15:08
Last modified on : 11-02-2024 22:29:15

Description :
IBM Storage Defender - Resiliency Service 2.0 stores user credentials in plain clear text which can be read by a local user. IBM X-Force ID: 278748.

CVE ID : CVE-2024-22312
Source : psirt@us.ibm.com
CVSS Score : 4.4

References :
https://exchange.xforce.ibmcloud.com/vulnerabilities/278748 | source : psirt@us.ibm.com
https://www.ibm.com/support/pages/node/7115261 | source : psirt@us.ibm.com

Vulnerability : CWE-256


Vulnerability ID : CVE-2023-42016

First published on : 09-02-2024 01:15:08
Last modified on : 09-02-2024 01:37:53

Description :
IBM Sterling B2B Integrator Standard Edition 6.0.0.0 through 6.0.3.8 and 6.1.0.0 through 6.1.2.3 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. IBM X-Force ID: 265559.

CVE ID : CVE-2023-42016
Source : psirt@us.ibm.com
CVSS Score : 4.3

References :
https://exchange.xforce.ibmcloud.com/vulnerabilities/265559 | source : psirt@us.ibm.com
https://www.ibm.com/support/pages/node/7116083 | source : psirt@us.ibm.com

Vulnerability : CWE-614


Vulnerability ID : CVE-2022-34311

First published on : 12-02-2024 19:15:09
Last modified on : 12-02-2024 20:39:15

Description :
IBM CICS TX Standard and Advanced 11.1 could allow a user with physical access to the web browser to gain access to the user's session due to insufficiently protected credentials. IBM X-Force ID: 229446.

CVE ID : CVE-2022-34311
Source : psirt@us.ibm.com
CVSS Score : 4.3

References :
https://exchange.xforce.ibmcloud.com/vulnerabilities/229446 | source : psirt@us.ibm.com
https://www.ibm.com/support/pages/node/6832928 | source : psirt@us.ibm.com
https://www.ibm.com/support/pages/node/6832930 | source : psirt@us.ibm.com

Vulnerability : CWE-522


Source : mitre.org

Vulnerability ID : CVE-2024-25451

First published on : 09-02-2024 15:15:09
Last modified on : 12-02-2024 21:37:54

Description :
Bento4 v1.6.0-640 was discovered to contain an out-of-memory bug via the AP4_DataBuffer::ReallocateBuffer() function.

CVE ID : CVE-2024-25451
Source : cve@mitre.org
CVSS Score : 6.5

References :
https://github.com/axiomatic-systems/Bento4/issues/872 | source : cve@mitre.org

Vulnerability : CWE-400

Vulnerable product(s) : cpe:2.3:a:axiosys:bento4:1.6.0-640:*:*:*:*:*:*:*


Vulnerability ID : CVE-2024-25452

First published on : 09-02-2024 15:15:09
Last modified on : 12-02-2024 21:38:36

Description :
Bento4 v1.6.0-640 was discovered to contain an out-of-memory bug via the AP4_UrlAtom::AP4_UrlAtom() function.

CVE ID : CVE-2024-25452
Source : cve@mitre.org
CVSS Score : 5.5

References :
https://github.com/axiomatic-systems/Bento4/issues/873 | source : cve@mitre.org

Vulnerability : CWE-400

Vulnerable product(s) : cpe:2.3:a:axiosys:bento4:1.6.0-640:*:*:*:*:*:*:*


Vulnerability ID : CVE-2024-25453

First published on : 09-02-2024 15:15:09
Last modified on : 12-02-2024 21:38:53

Description :
Bento4 v1.6.0-640 was discovered to contain a NULL pointer dereference via the AP4_StszAtom::GetSampleSize() function.

CVE ID : CVE-2024-25453
Source : cve@mitre.org
CVSS Score : 5.5

References :
https://github.com/axiomatic-systems/Bento4/issues/204 | source : cve@mitre.org
https://github.com/axiomatic-systems/Bento4/issues/874 | source : cve@mitre.org

Vulnerability : CWE-476

Vulnerable product(s) : cpe:2.3:a:axiosys:bento4:1.6.0-640:*:*:*:*:*:*:*


Vulnerability ID : CVE-2024-25454

First published on : 09-02-2024 15:15:09
Last modified on : 12-02-2024 21:39:19

Description :
Bento4 v1.6.0-640 was discovered to contain a NULL pointer dereference via the AP4_DescriptorFinder::Test() function.

CVE ID : CVE-2024-25454
Source : cve@mitre.org
CVSS Score : 5.5

References :
https://github.com/axiomatic-systems/Bento4/issues/875 | source : cve@mitre.org

Vulnerability : CWE-476

Vulnerable product(s) : cpe:2.3:a:axiosys:bento4:1.6.0-640:*:*:*:*:*:*:*


Source : patchstack.com

Vulnerability ID : CVE-2024-24712

First published on : 10-02-2024 08:15:07
Last modified on : 11-02-2024 22:29:15

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Team Heateor Heateor Social Login WordPress allows Stored XSS.This issue affects Heateor Social Login WordPress: from n/a through 1.1.30.

CVE ID : CVE-2024-24712
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/heateor-social-login/wordpress-heateor-social-login-plugin-1-1-30-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-24713

First published on : 10-02-2024 08:15:07
Last modified on : 11-02-2024 22:29:15

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Auto Listings Auto Listings โ€“ Car Listings & Car Dealership Plugin for WordPress allows Stored XSS.This issue affects Auto Listings โ€“ Car Listings & Car Dealership Plugin for WordPress: from n/a through 2.6.5.

CVE ID : CVE-2024-24713
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/auto-listings/wordpress-auto-listings-plugin-2-6-5-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-24801

First published on : 10-02-2024 08:15:08
Last modified on : 11-02-2024 22:29:15

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LogicHunt OWL Carousel โ€“ WordPress Owl Carousel Slider allows Stored XSS.This issue affects OWL Carousel โ€“ WordPress Owl Carousel Slider: from n/a through 1.4.0.

CVE ID : CVE-2024-24801
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/lgx-owl-carousel/wordpress-owl-carousel-plugin-1-4-0-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-24803

First published on : 10-02-2024 08:15:08
Last modified on : 11-02-2024 22:29:15

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPoperation Ultra Companion โ€“ Companion plugin for WPoperation Themes allows Stored XSS.This issue affects Ultra Companion โ€“ Companion plugin for WPoperation Themes: from n/a through 1.1.9.

CVE ID : CVE-2024-24803
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/ultra-companion/wordpress-ultra-companion-plugin-1-1-9-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-24804

First published on : 10-02-2024 08:15:08
Last modified on : 11-02-2024 22:29:15

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in websoudan MW WP Form allows Stored XSS.This issue affects MW WP Form: from n/a through 5.0.6.

CVE ID : CVE-2024-24804
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/mw-wp-form/wordpress-mw-wp-form-plugin-5-0-6-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-24831

First published on : 10-02-2024 08:15:09
Last modified on : 11-02-2024 22:29:15

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Leap13 Premium Addons for Elementor allows Stored XSS.This issue affects Premium Addons for Elementor: from n/a through 4.10.16.

CVE ID : CVE-2024-24831
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/premium-addons-for-elementor/wordpress-premium-addons-for-elementor-plugin-4-10-16-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51404

First published on : 10-02-2024 09:15:07
Last modified on : 11-02-2024 22:29:15

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MyAgilePrivacy My Agile Privacy โ€“ The only GDPR solution for WordPress that you can truly trust allows Stored XSS.This issue affects My Agile Privacy โ€“ The only GDPR solution for WordPress that you can truly trust: from n/a through 2.1.7.

CVE ID : CVE-2023-51404
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/myagileprivacy/wordpress-my-agile-privacy-plugin-2-1-7-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51415

First published on : 10-02-2024 09:15:07
Last modified on : 11-02-2024 22:29:15

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GiveWP GiveWP โ€“ Donation Plugin and Fundraising Platform allows Stored XSS.This issue affects GiveWP โ€“ Donation Plugin and Fundraising Platform: from n/a through 3.2.2.

CVE ID : CVE-2023-51415
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/give/wordpress-givewp-plugin-3-2-2-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51480

First published on : 10-02-2024 09:15:07
Last modified on : 11-02-2024 22:29:15

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in realmag777 Active Products Tables for WooCommerce. Professional products tables for WooCommerce store allows Stored XSS.This issue affects Active Products Tables for WooCommerce. Professional products tables for WooCommerce store : from n/a through 1.0.6.

CVE ID : CVE-2023-51480
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/profit-products-tables-for-woocommerce/wordpress-active-products-tables-for-woocommerce-plugin-1-0-6-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51485

First published on : 10-02-2024 09:15:08
Last modified on : 11-02-2024 22:29:15

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Hosting Pay with Vipps and MobilePay for WooCommerce allows Stored XSS.This issue affects Pay with Vipps and MobilePay for WooCommerce: from n/a through 1.14.13.

CVE ID : CVE-2023-51485
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/woo-vipps/wordpress-pay-with-vipps-for-woocommerce-plugin-1-14-13-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51492

First published on : 10-02-2024 09:15:08
Last modified on : 11-02-2024 22:29:15

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in If So Plugin If-So Dynamic Content Personalization allows Stored XSS.This issue affects If-So Dynamic Content Personalization: from n/a through 1.6.3.1.

CVE ID : CVE-2023-51492
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/if-so/wordpress-if-so-dynamic-content-personalization-plugin-1-6-3-1-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51493

First published on : 10-02-2024 09:15:08
Last modified on : 11-02-2024 22:29:15

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Howard Ehrenberg Custom Post Carousels with Owl allows Stored XSS.This issue affects Custom Post Carousels with Owl: from n/a through 1.4.6.

CVE ID : CVE-2023-51493
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/dd-post-carousel/wordpress-custom-post-carousels-with-owl-plugin-1-4-6-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-23514

First published on : 10-02-2024 09:15:09
Last modified on : 11-02-2024 22:29:15

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ClickToTweet.Com Click To Tweet allows Stored XSS.This issue affects Click To Tweet: from n/a through 2.0.14.

CVE ID : CVE-2024-23514
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/click-to-tweet/wordpress-click-to-tweet-plugin-2-0-14-cross-site-scripting-xss-vulnerability-2?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-23516

First published on : 10-02-2024 09:15:09
Last modified on : 11-02-2024 22:29:15

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Calculators World CC BMI Calculator allows Stored XSS.This issue affects CC BMI Calculator: from n/a through 2.0.1.

CVE ID : CVE-2024-23516
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/cc-bmi-calculator/wordpress-cc-bmi-calculator-plugin-2-0-1-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-23517

First published on : 10-02-2024 09:15:09
Last modified on : 11-02-2024 22:29:15

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Start Booking Scheduling Plugin โ€“ Online Booking for WordPress allows Stored XSS.This issue affects Scheduling Plugin โ€“ Online Booking for WordPress: from n/a through 3.5.10.

CVE ID : CVE-2024-23517
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/calendar-booking/wordpress-scheduling-plugin-online-booking-for-wordpress-plugin-3-5-10-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-24928

First published on : 12-02-2024 06:15:08
Last modified on : 12-02-2024 14:20:03

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Arunas Liuiza Content Cards allows Stored XSS.This issue affects Content Cards: from n/a through 0.9.7.

CVE ID : CVE-2024-24928
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/content-cards/wordpress-content-cards-plugin-0-9-7-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-24930

First published on : 12-02-2024 06:15:08
Last modified on : 12-02-2024 14:20:03

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in OTWthemes.Com Buttons Shortcode and Widget allows Stored XSS.This issue affects Buttons Shortcode and Widget: from n/a through 1.16.

CVE ID : CVE-2024-24930
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/buttons-shortcode-and-widget/wordpress-buttons-shortcode-and-widget-plugin-1-16-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-24931

First published on : 12-02-2024 06:15:08
Last modified on : 12-02-2024 14:20:03

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in swadeshswain Before After Image Slider WP allows Stored XSS.This issue affects Before After Image Slider WP: from n/a through 2.2.

CVE ID : CVE-2024-24931
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/before-after-image-slider/wordpress-before-after-image-slider-wp-plugin-2-2-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-50875

First published on : 12-02-2024 07:15:08
Last modified on : 12-02-2024 14:20:03

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic Sensei LMS โ€“ Online Courses, Quizzes, & Learning allows Stored XSS.This issue affects Sensei LMS โ€“ Online Courses, Quizzes, & Learning: from n/a through 4.17.0.

CVE ID : CVE-2023-50875
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/sensei-lms/wordpress-sensei-lms-plugin-4-17-0-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51403

First published on : 12-02-2024 07:15:10
Last modified on : 12-02-2024 14:20:03

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nicdark Restaurant Reservations allows Stored XSS.This issue affects Restaurant Reservations: from n/a through 1.8.

CVE ID : CVE-2023-51403
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/nd-restaurant-reservations/wordpress-restaurant-reservations-plugin-1-8-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-24889

First published on : 12-02-2024 07:15:10
Last modified on : 12-02-2024 14:20:03

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Geek Code Lab All 404 Pages Redirect to Homepage allows Stored XSS.This issue affects All 404 Pages Redirect to Homepage: from n/a through 1.9.

CVE ID : CVE-2024-24889
Source : audit@patchstack.com
CVSS Score : 6.1

References :
https://patchstack.com/database/vulnerability/all-404-pages-redirect-to-homepage/wordpress-all-404-pages-redirect-to-homepage-plugin-1-9-unauthenticated-stored-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-24717

First published on : 10-02-2024 08:15:08
Last modified on : 11-02-2024 22:29:15

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mark Kinchin Beds24 Online Booking allows Stored XSS.This issue affects Beds24 Online Booking: from n/a through 2.0.23.

CVE ID : CVE-2024-24717
Source : audit@patchstack.com
CVSS Score : 5.9

References :
https://patchstack.com/database/vulnerability/beds24-online-booking/wordpress-beds24-online-booking-plugin-2-0-23-admin-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-47526

First published on : 12-02-2024 07:15:07
Last modified on : 12-02-2024 14:20:03

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chart Builder Team Chartify โ€“ WordPress Chart Plugin allows Stored XSS.This issue affects Chartify โ€“ WordPress Chart Plugin: from n/a through 2.0.6.

CVE ID : CVE-2023-47526
Source : audit@patchstack.com
CVSS Score : 5.9

References :
https://patchstack.com/database/vulnerability/chart-builder/wordpress-chartify-plugin-2-0-6-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51370

First published on : 12-02-2024 07:15:09
Last modified on : 12-02-2024 14:20:03

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NinjaTeam WP Chat App allows Stored XSS.This issue affects WP Chat App: from n/a through 3.4.4.

CVE ID : CVE-2023-51370
Source : audit@patchstack.com
CVSS Score : 5.9

References :
https://patchstack.com/database/vulnerability/wp-whatsapp/wordpress-wp-chat-app-plugin-3-4-4-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-46615

First published on : 12-02-2024 09:15:11
Last modified on : 12-02-2024 14:19:54

Description :
Deserialization of Untrusted Data vulnerability in Kalli Dan. KD Coming Soon.This issue affects KD Coming Soon: from n/a through 1.7.

CVE ID : CVE-2023-46615
Source : audit@patchstack.com
CVSS Score : 5.4

References :
https://patchstack.com/database/vulnerability/kd-coming-soon/wordpress-kd-coming-soon-plugin-1-7-php-object-injection-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-502


Vulnerability ID : CVE-2024-24887

First published on : 12-02-2024 09:15:12
Last modified on : 12-02-2024 14:19:54

Description :
Cross-Site Request Forgery (CSRF) vulnerability in Contest Gallery Photos and Files Contest Gallery โ€“ Contact Form, Upload Form, Social Share and Voting Plugin for WordPress.This issue affects Photos and Files Contest Gallery โ€“ Contact Form, Upload Form, Social Share and Voting Plugin for WordPress: from n/a through 21.2.8.4.

CVE ID : CVE-2024-24887
Source : audit@patchstack.com
CVSS Score : 5.4

References :
https://patchstack.com/database/vulnerability/contest-gallery/wordpress-photos-and-files-contest-gallery-plugin-21-2-8-4-csrf-leading-to-gallery-creation-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-352


Vulnerability ID : CVE-2024-24875

First published on : 12-02-2024 09:15:12
Last modified on : 12-02-2024 14:19:54

Description :
Cross-Site Request Forgery (CSRF) vulnerability in Yannick Lefebvre Link Library.This issue affects Link Library: from n/a through 7.5.13.

CVE ID : CVE-2024-24875
Source : audit@patchstack.com
CVSS Score : 4.3

References :
https://patchstack.com/database/vulnerability/link-library/wordpress-link-library-plugin-7-5-13-cross-site-request-forgery-csrf-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-352


Vulnerability ID : CVE-2024-24884

First published on : 12-02-2024 09:15:12
Last modified on : 12-02-2024 14:19:54

Description :
Cross-Site Request Forgery (CSRF) vulnerability in ARI Soft Contact Form 7 Connector.This issue affects Contact Form 7 Connector: from n/a through 1.2.2.

CVE ID : CVE-2024-24884
Source : audit@patchstack.com
CVSS Score : 4.3

References :
https://patchstack.com/database/vulnerability/ari-cf7-connector/wordpress-contact-form-7-connector-plugin-1-2-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-352


Vulnerability ID : CVE-2024-24929

First published on : 12-02-2024 09:15:12
Last modified on : 12-02-2024 14:19:54

Description :
Cross-Site Request Forgery (CSRF) vulnerability in Ryan Duff, Peter Westwood WP Contact Form.This issue affects WP Contact Form: from n/a through 1.6.

CVE ID : CVE-2024-24929
Source : audit@patchstack.com
CVSS Score : 4.3

References :
https://patchstack.com/database/vulnerability/wp-contact-form/wordpress-wp-contact-form-plugin-1-6-cross-site-request-forgery-csrf-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-352


Vulnerability ID : CVE-2024-24935

First published on : 12-02-2024 09:15:12
Last modified on : 12-02-2024 14:19:54

Description :
Cross-Site Request Forgery (CSRF) vulnerability in WpSimpleTools Basic Log Viewer.This issue affects Basic Log Viewer: from n/a through 1.0.4.

CVE ID : CVE-2024-24935
Source : audit@patchstack.com
CVSS Score : 4.3

References :
https://patchstack.com/database/vulnerability/wpsimpletools-log-viewer/wordpress-basic-log-viewer-plugin-1-0-4-cross-site-request-forgery-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-352


Source : open-xchange.com

Vulnerability ID : CVE-2023-41705

First published on : 12-02-2024 09:15:10
Last modified on : 12-02-2024 14:19:54

Description :
Processing of user-defined DAV user-agent strings is not limited. Availability of OX App Suite could be reduced due to high processing load. Please deploy the provided updates and patch releases. Processing time of DAV user-agents now gets monitored, and the related request is terminated if a resource threshold is reached. No publicly available exploits are known.

CVE ID : CVE-2023-41705
Source : security@open-xchange.com
CVSS Score : 6.5

References :
https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0007.json | source : security@open-xchange.com
https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6259_7.10.6_2023-12-11.pdf | source : security@open-xchange.com

Vulnerability : CWE-400


Vulnerability ID : CVE-2023-41706

First published on : 12-02-2024 09:15:11
Last modified on : 12-02-2024 14:19:54

Description :
Processing time of drive search expressions now gets monitored, and the related request is terminated if a resource threshold is reached. Availability of OX App Suite could be reduced due to high processing load. Please deploy the provided updates and patch releases. Processing of user-defined drive search expressions is not limited No publicly available exploits are known.

CVE ID : CVE-2023-41706
Source : security@open-xchange.com
CVSS Score : 6.5

References :
https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0007.json | source : security@open-xchange.com
https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6259_7.10.6_2023-12-11.pdf | source : security@open-xchange.com

Vulnerability : CWE-400


Vulnerability ID : CVE-2023-41707

First published on : 12-02-2024 09:15:11
Last modified on : 12-02-2024 14:19:54

Description :
Processing of user-defined mail search expressions is not limited. Availability of OX App Suite could be reduced due to high processing load. Please deploy the provided updates and patch releases. Processing time of mail search expressions now gets monitored, and the related request is terminated if a resource threshold is reached. No publicly available exploits are known.

CVE ID : CVE-2023-41707
Source : security@open-xchange.com
CVSS Score : 6.5

References :
https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0007.json | source : security@open-xchange.com
https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6259_7.10.6_2023-12-11.pdf | source : security@open-xchange.com

Vulnerability : CWE-400


Vulnerability ID : CVE-2023-41703

First published on : 12-02-2024 09:15:10
Last modified on : 12-02-2024 14:19:54

Description :
User ID references at mentions in document comments were not correctly sanitized. Script code could be injected to a users session when working with a malicious document. Please deploy the provided updates and patch releases. User-defined content like comments and mentions are now filtered to avoid potentially malicious content. No publicly available exploits are known.

CVE ID : CVE-2023-41703
Source : security@open-xchange.com
CVSS Score : 6.1

References :
https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0007.json | source : security@open-xchange.com
https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6259_7.10.6_2023-12-11.pdf | source : security@open-xchange.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-41708

First published on : 12-02-2024 09:15:11
Last modified on : 12-02-2024 14:19:54

Description :
References to the "app loader" functionality could contain redirects to unexpected locations. Attackers could forge app references that bypass existing safeguards to inject malicious script code. Please deploy the provided updates and patch releases. References to apps are now controlled more strict to avoid relative references. No publicly available exploits are known.

CVE ID : CVE-2023-41708
Source : security@open-xchange.com
CVSS Score : 5.4

References :
https://documentation.open-xchange.com/appsuite/security/advisories/csaf/2023/oxas-adv-2023-0007.json | source : security@open-xchange.com
https://software.open-xchange.com/products/appsuite/doc/Release_Notes_for_Patch_Release_6259_7.10.6_2023-12-11.pdf | source : security@open-xchange.com

Vulnerability : CWE-79


Source : incibe.es

Vulnerability ID : CVE-2024-1439

First published on : 12-02-2024 11:15:08
Last modified on : 12-02-2024 14:19:54

Description :
Inadequate access control in Moodle LMS. This vulnerability could allow a local user with a student role to create arbitrary events intended for users with higher roles. It could also allow the attacker to add events to the calendar of all users without their prior consent.

CVE ID : CVE-2024-1439
Source : cve-coordination@incibe.es
CVSS Score : 6.5

References :
https://www.incibe.es/en/incibe-cert/notices/aviso/inadequate-access-control-vulnerability-moodle | source : cve-coordination@incibe.es

Vulnerability : CWE-284


Source : gitlab.com

Vulnerability ID : CVE-2024-1250

First published on : 12-02-2024 21:15:08
Last modified on : 12-02-2024 21:15:08

Description :
An issue has been discovered in GitLab EE affecting all versions starting from 16.8 before 16.8.2. When a user is assigned a custom role with manage_group_access_tokens permission, they may be able to create group access tokens with Owner privileges, which may lead to privilege escalation.

CVE ID : CVE-2024-1250
Source : cve@gitlab.com
CVSS Score : 6.5

References :
https://gitlab.com/gitlab-org/gitlab/-/issues/439175 | source : cve@gitlab.com

Vulnerability : CWE-269


Source : emc.com

Vulnerability ID : CVE-2024-22230

First published on : 12-02-2024 19:15:12
Last modified on : 12-02-2024 20:39:09

Description :
Dell Unity, versions prior to 5.4, contains a Cross-site scripting vulnerability. An authenticated attacker could potentially exploit this vulnerability, stealing session information, masquerading as the affected user or carry out any actions that this user could perform, or to generally control the victim's browser.

CVE ID : CVE-2024-22230
Source : security_alert@emc.com
CVSS Score : 6.4

References :
https://www.dell.com/support/kbdoc/en-us/000222010/dsa-2024-042-dell-unity-dell-unity-vsa-and-dell-unity-xt-security-update-for-multiple-vulnerabilities | source : security_alert@emc.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-0169

First published on : 12-02-2024 19:15:10
Last modified on : 12-02-2024 20:39:09

Description :
Dell Unity, versions prior to 5.4, contains a cross-site scripting (XSS) vulnerability. An authenticated attacker could potentially exploit this vulnerability, leading users to download and execute malicious software crafted by this product's feature to compromise their systems.

CVE ID : CVE-2024-0169
Source : security_alert@emc.com
CVSS Score : 5.7

References :
https://www.dell.com/support/kbdoc/en-us/000222010/dsa-2024-042-dell-unity-dell-unity-vsa-and-dell-unity-xt-security-update-for-multiple-vulnerabilities | source : security_alert@emc.com

Vulnerability : CWE-20


Vulnerability ID : CVE-2024-22221

First published on : 12-02-2024 19:15:11
Last modified on : 12-02-2024 20:39:09

Description :
Dell Unity, versions prior to 5.4, contains SQL Injection vulnerability. An authenticated attacker could potentially exploit this vulnerability, leading to exposure of sensitive information.

CVE ID : CVE-2024-22221
Source : security_alert@emc.com
CVSS Score : 4.5

References :
https://www.dell.com/support/kbdoc/en-us/000222010/dsa-2024-042-dell-unity-dell-unity-vsa-and-dell-unity-xt-security-update-for-multiple-vulnerabilities | source : security_alert@emc.com

Vulnerability : CWE-89


Vulnerability ID : CVE-2023-28077

First published on : 10-02-2024 03:15:07
Last modified on : 11-02-2024 22:29:15

Description :
Dell BSAFE SSL-J, versions prior to 6.5, and versions 7.0 and 7.1 contain a debug message revealing unnecessary information vulnerability. This may lead to disclosing sensitive information to a locally privileged user.

CVE ID : CVE-2023-28077
Source : security_alert@emc.com
CVSS Score : 4.4

References :
https://www.dell.com/support/kbdoc/en-us/000214287/dsa-2023-156-dell-bsafe-ssl-j-7-1-1-security-update | source : security_alert@emc.com

Vulnerability : CWE-1295


Source : vuldb.com

Vulnerability ID : CVE-2024-1353

First published on : 09-02-2024 01:15:09
Last modified on : 09-02-2024 01:37:53

Description :
A vulnerability, which was classified as critical, has been found in PHPEMS up to 1.0. Affected by this issue is the function index of the file app/weixin/controller/index.api.php. The manipulation of the argument picurl leads to deserialization. The exploit has been disclosed to the public and may be used. VDB-253226 is the identifier assigned to this vulnerability.

CVE ID : CVE-2024-1353
Source : cna@vuldb.com
CVSS Score : 6.3

References :
https://note.zhaoj.in/share/nxGzfEB6fFVY | source : cna@vuldb.com
https://vuldb.com/?ctiid.253226 | source : cna@vuldb.com
https://vuldb.com/?id.253226 | source : cna@vuldb.com

Vulnerability : CWE-502


Vulnerability ID : CVE-2024-1432

First published on : 11-02-2024 03:15:08
Last modified on : 11-02-2024 22:29:15

Description :
** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in DeepFaceLab pretrained DF.wf.288res.384.92.72.22 and classified as problematic. This issue affects the function apply_xseg of the file main.py. The manipulation leads to deserialization. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-253391. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

CVE ID : CVE-2024-1432
Source : cna@vuldb.com
CVSS Score : 5.0

References :
https://github.com/bayuncao/vul-cve-12 | source : cna@vuldb.com
https://vuldb.com/?ctiid.253391 | source : cna@vuldb.com
https://vuldb.com/?id.253391 | source : cna@vuldb.com

Vulnerability : CWE-502


Vulnerability ID : CVE-2024-1404

First published on : 09-02-2024 23:15:08
Last modified on : 11-02-2024 22:29:15

Description :
A vulnerability was found in Linksys WRT54GL 4.30.18 and classified as problematic. Affected by this issue is some unknown functionality of the file /SysInfo.htm of the component Web Management Interface. The manipulation leads to information disclosure. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-253328. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE ID : CVE-2024-1404
Source : cna@vuldb.com
CVSS Score : 4.3

References :
https://github.com/leetsun/Hints/tree/main/linksys-wrt54gl/1 | source : cna@vuldb.com
https://vuldb.com/?ctiid.253328 | source : cna@vuldb.com
https://vuldb.com/?id.253328 | source : cna@vuldb.com

Vulnerability : CWE-200


Vulnerability ID : CVE-2024-1405

First published on : 10-02-2024 06:15:46
Last modified on : 11-02-2024 22:29:15

Description :
A vulnerability was found in Linksys WRT54GL 4.30.18. It has been classified as problematic. This affects an unknown part of the file /wlaninfo.htm of the component Web Management Interface. The manipulation leads to information disclosure. The exploit has been disclosed to the public and may be used. The identifier VDB-253329 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE ID : CVE-2024-1405
Source : cna@vuldb.com
CVSS Score : 4.3

References :
https://github.com/leetsun/Hints/tree/main/linksys-wrt54gl/2 | source : cna@vuldb.com
https://vuldb.com/?ctiid.253329 | source : cna@vuldb.com
https://vuldb.com/?id.253329 | source : cna@vuldb.com

Vulnerability : CWE-200


Vulnerability ID : CVE-2024-1406

First published on : 10-02-2024 08:15:07
Last modified on : 11-02-2024 22:29:15

Description :
A vulnerability was found in Linksys WRT54GL 4.30.18. It has been declared as problematic. This vulnerability affects unknown code of the file /SysInfo1.htm of the component Web Management Interface. The manipulation leads to information disclosure. The exploit has been disclosed to the public and may be used. VDB-253330 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE ID : CVE-2024-1406
Source : cna@vuldb.com
CVSS Score : 4.3

References :
https://github.com/leetsun/Hints/tree/main/linksys-wrt54gl/3 | source : cna@vuldb.com
https://vuldb.com/?ctiid.253330 | source : cna@vuldb.com
https://vuldb.com/?id.253330 | source : cna@vuldb.com

Vulnerability : CWE-200


Vulnerability ID : CVE-2024-1430

First published on : 11-02-2024 01:15:07
Last modified on : 11-02-2024 22:29:15

Description :
A vulnerability has been found in Netgear R7000 1.0.11.136_10.2.120 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /currentsetting.htm of the component Web Management Interface. The manipulation leads to information disclosure. The exploit has been disclosed to the public and may be used. The identifier VDB-253381 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE ID : CVE-2024-1430
Source : cna@vuldb.com
CVSS Score : 4.3

References :
https://github.com/leetsun/Hints/tree/main/R7000/1 | source : cna@vuldb.com
https://vuldb.com/?ctiid.253381 | source : cna@vuldb.com
https://vuldb.com/?id.253381 | source : cna@vuldb.com

Vulnerability : CWE-200


Vulnerability ID : CVE-2024-1431

First published on : 11-02-2024 03:15:07
Last modified on : 11-02-2024 22:29:15

Description :
A vulnerability was found in Netgear R7000 1.0.11.136_10.2.120 and classified as problematic. Affected by this issue is some unknown functionality of the file /debuginfo.htm of the component Web Management Interface. The manipulation leads to information disclosure. The exploit has been disclosed to the public and may be used. VDB-253382 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE ID : CVE-2024-1431
Source : cna@vuldb.com
CVSS Score : 4.3

References :
https://github.com/leetsun/Hints/tree/main/R7000/2 | source : cna@vuldb.com
https://vuldb.com/?ctiid.253382 | source : cna@vuldb.com
https://vuldb.com/?id.253382 | source : cna@vuldb.com

Vulnerability : CWE-200


Source : hcl.com

Vulnerability ID : CVE-2023-50349

First published on : 09-02-2024 21:15:07
Last modified on : 11-02-2024 22:29:15

Description :
Sametime is impacted by a Cross Site Request Forgery (CSRF) vulnerability. Some REST APIs in the Sametime Proxy application can allow an attacker to perform malicious actions on the application.

CVE ID : CVE-2023-50349
Source : psirt@hcl.com
CVSS Score : 5.9

References :
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0109082 | source : psirt@hcl.com


Vulnerability ID : CVE-2023-45698

First published on : 10-02-2024 04:15:07
Last modified on : 11-02-2024 22:29:15

Description :
Sametime is impacted by lack of clickjacking protection in Outlook add-in. The application is not implementing appropriate protections in order to protect users from clickjacking attacks.

CVE ID : CVE-2023-45698
Source : psirt@hcl.com
CVSS Score : 4.8

References :
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0109082 | source : psirt@hcl.com


Vulnerability ID : CVE-2023-45696

First published on : 10-02-2024 03:15:07
Last modified on : 11-02-2024 22:29:15

Description :
Sametime is impacted by sensitive fields with autocomplete enabled in the Legacy web chat client. By default, this allows user entered data to be stored by the browser.

CVE ID : CVE-2023-45696
Source : psirt@hcl.com
CVSS Score : 4.0

References :
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0109082 | source : psirt@hcl.com


Source : wolfssl.com

Vulnerability ID : CVE-2023-6935

First published on : 09-02-2024 23:15:08
Last modified on : 11-02-2024 22:29:15

Description :
wolfSSL SP Math All RSA implementation is vulnerable to the Marvin Attack, new variation of a timing Bleichenbacher style attack, when built with the following options to configure: --enable-all CFLAGS="-DWOLFSSL_STATIC_RSA" The define โ€œWOLFSSL_STATIC_RSAโ€ enables static RSA cipher suites, which is not recommended, and has been disabled by default since wolfSSL 3.6.6. Therefore the default build since 3.6.6, even with "--enable-all", is not vulnerable to the Marvin Attack. The vulnerability is specific to static RSA cipher suites, and expected to be padding-independent. The vulnerability allows an attacker to decrypt ciphertexts and forge signatures after probing with a large number of test observations. However the serverโ€™s private key is not exposed.

CVE ID : CVE-2023-6935
Source : facts@wolfssl.com
CVSS Score : 5.9

References :
https://people.redhat.com/~hkario/marvin/ | source : facts@wolfssl.com
https://www.wolfssl.com/docs/security-vulnerabilities/ | source : facts@wolfssl.com

Vulnerability : CWE-203


Source : divd.nl

Vulnerability ID : CVE-2024-21875

First published on : 11-02-2024 09:15:07
Last modified on : 11-02-2024 22:29:15

Description :
Allocation of Resources Without Limits or Throttling vulnerability in Badge leading to a denial of service attack.Team Hacker Hotel Badge 2024 on risc-v (billboard modules) allows Flooding.This issue affects Hacker Hotel Badge 2024: from 0.1.0 through 0.1.3.

CVE ID : CVE-2024-21875
Source : csirt@divd.nl
CVSS Score : 5.7

References :
https://csirt.divd.nl/CVE-2024-21875 | source : csirt@divd.nl
https://github.com/badgeteam/hackerhotel-2024-firmware-esp32c6/pull/64 | source : csirt@divd.nl

Vulnerability : CWE-770


Source : zabbix.com

Vulnerability ID : CVE-2024-22119

First published on : 09-02-2024 09:15:08
Last modified on : 09-02-2024 14:31:23

Description :
The cause of vulnerability is improper validation of form input field โ€œNameโ€ on Graph page in Items section.

CVE ID : CVE-2024-22119
Source : security@zabbix.com
CVSS Score : 5.5

References :
https://support.zabbix.com/browse/ZBX-24070 | source : security@zabbix.com

Vulnerability : CWE-20


Source : redhat.com

Vulnerability ID : CVE-2024-1151

First published on : 11-02-2024 15:15:07
Last modified on : 11-02-2024 22:29:15

Description :
A vulnerability was reported in the Open vSwitch sub-component in the Linux Kernel. The flaw occurs when a recursive operation of code push recursively calls into the code block. The OVS module does not validate the stack depth, pushing too many frames and causing a stack overflow. As a result, this can lead to a crash or other related issues.

CVE ID : CVE-2024-1151
Source : secalert@redhat.com
CVSS Score : 5.5

References :
https://access.redhat.com/security/cve/CVE-2024-1151 | source : secalert@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2262241 | source : secalert@redhat.com
https://lore.kernel.org/all/20240207132416.1488485-1-aconole@redhat.com/ | source : secalert@redhat.com

Vulnerability : CWE-121


Vulnerability ID : CVE-2024-1062

First published on : 12-02-2024 13:15:09
Last modified on : 12-02-2024 14:19:54

Description :
A heap overflow flaw was found in 389-ds-base. This issue leads to a denial of service when writing a value larger than 256 chars in log_entry_attr.

CVE ID : CVE-2024-1062
Source : secalert@redhat.com
CVSS Score : 5.5

References :
https://access.redhat.com/security/cve/CVE-2024-1062 | source : secalert@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2256711 | source : secalert@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2261879 | source : secalert@redhat.com

Vulnerability : CWE-122


Vulnerability ID : CVE-2023-6681

First published on : 12-02-2024 14:15:08
Last modified on : 12-02-2024 14:19:54

Description :
A vulnerability was found in JWCrypto. This flaw allows an attacker to cause a denial of service (DoS) attack and possible password brute-force and dictionary attacks to be more resource-intensive. This issue can result in a large amount of computational consumption, causing a denial of service attack.

CVE ID : CVE-2023-6681
Source : secalert@redhat.com
CVSS Score : 5.3

References :
https://access.redhat.com/security/cve/CVE-2023-6681 | source : secalert@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2260843 | source : secalert@redhat.com


Vulnerability ID : CVE-2024-1459

First published on : 12-02-2024 21:15:08
Last modified on : 12-02-2024 21:15:08

Description :
A path traversal vulnerability was found in Undertow. This issue may allow a remote attacker to append a specially-crafted sequence to an HTTP request for an application deployed to JBoss EAP, which may permit access to privileged or restricted files and directories.

CVE ID : CVE-2024-1459
Source : secalert@redhat.com
CVSS Score : 5.3

References :
https://access.redhat.com/security/cve/CVE-2024-1459 | source : secalert@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2259475 | source : secalert@redhat.com

Vulnerability : CWE-24


Source : wordfence.com

Vulnerability ID : CVE-2024-1122

First published on : 09-02-2024 05:15:08
Last modified on : 09-02-2024 14:31:23

Description :
The Event Manager, Events Calendar, Events Tickets for WooCommerce โ€“ Eventin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the export_data() function in all versions up to, and including, 3.3.50. This makes it possible for unauthenticated attackers to export event data.

CVE ID : CVE-2024-1122
Source : security@wordfence.com
CVSS Score : 5.3

References :
https://plugins.trac.wordpress.org/changeset/3033231/wp-event-solution/tags/3.3.51/core/admin/hooks.php | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/0cbdf679-1657-4249-a433-8fe0cddd94be?source=cve | source : security@wordfence.com


Vulnerability ID : CVE-2024-0596

First published on : 10-02-2024 07:15:08
Last modified on : 11-02-2024 22:29:15

Description :
The Awesome Support โ€“ WordPress HelpDesk & Support Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the editor_html() function in all versions up to, and including, 6.1.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to view password protected and draft posts.

CVE ID : CVE-2024-0596
Source : security@wordfence.com
CVSS Score : 5.3

References :
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3033134%40awesome-support&new=3033134%40awesome-support&sfp_email=&sfph_mail= | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/e4358e2a-b7f6-44b6-a38a-5b27cb15e1cd?source=cve | source : security@wordfence.com


Vulnerability ID : CVE-2024-0657

First published on : 09-02-2024 05:15:08
Last modified on : 09-02-2024 14:31:23

Description :
The Internal Link Juicer: SEO Auto Linker for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings such as 'ilj_settings_field_links_per_page' in all versions up to, and including, 2.23.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

CVE ID : CVE-2024-0657
Source : security@wordfence.com
CVSS Score : 4.4

References :
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3033238%40internal-links&new=3033238%40internal-links&sfp_email=&sfph_mail= | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/41d39fe4-b114-4612-92f6-75d6597610f7?source=cve | source : security@wordfence.com


Vulnerability ID : CVE-2024-0595

First published on : 10-02-2024 07:15:08
Last modified on : 11-02-2024 22:29:15

Description :
The Awesome Support โ€“ WordPress HelpDesk & Support Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wpas_get_users() function hooked via AJAX in all versions up to, and including, 6.1.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve user data such as emails.

CVE ID : CVE-2024-0595
Source : security@wordfence.com
CVSS Score : 4.3

References :
https://plugins.trac.wordpress.org/browser/awesome-support/trunk/includes/functions-user.php#L765 | source : security@wordfence.com
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3033134%40awesome-support&new=3033134%40awesome-support&sfp_email=&sfph_mail= | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/bfb77432-e58d-466e-a366-8b8d7f1b6982?source=cve | source : security@wordfence.com


Source : mattermost.com

Vulnerability ID : CVE-2024-1402

First published on : 09-02-2024 16:15:07
Last modified on : 09-02-2024 17:31:15

Description :
Mattermost fails to check if a custom emoji reaction exists when sending it to a post and to limit the amount of custom emojis allowed to be added in a post, allowing an attacker sending a huge amount of non-existent custom emojis in a post to crash the mobile app of a user seeing the post.

CVE ID : CVE-2024-1402
Source : responsibledisclosure@mattermost.com
CVSS Score : 4.3

References :
https://mattermost.com/security-updates | source : responsibledisclosure@mattermost.com

Vulnerability : CWE-400


(11) LOW VULNERABILITIES [0.1, 3.9]

Source : hcl.com

Vulnerability ID : CVE-2023-45718

First published on : 09-02-2024 22:15:08
Last modified on : 11-02-2024 22:29:15

Description :
Sametime is impacted by a failure to invalidate sessions. The application is setting sensitive cookie values in a persistent manner in Sametime Web clients. When this happens, cookie values can remain valid even after a user has closed out their session.

CVE ID : CVE-2023-45718
Source : psirt@hcl.com
CVSS Score : 3.9

References :
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0109082 | source : psirt@hcl.com


Vulnerability ID : CVE-2023-45716

First published on : 09-02-2024 22:15:07
Last modified on : 11-02-2024 22:29:15

Description :
Sametime is impacted by sensitive information passed in URL.

CVE ID : CVE-2023-45716
Source : psirt@hcl.com
CVSS Score : 1.7

References :
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0109082 | source : psirt@hcl.com


Source : mattermost.com

Vulnerability ID : CVE-2024-23319

First published on : 09-02-2024 15:15:08
Last modified on : 09-02-2024 17:31:15

Description :
Mattermost Jira Plugin fails to protect against logout CSRF allowing an attacker to post a specially crafted message that would disconnect a user's Jira connection in Mattermost only by viewing the message.

CVE ID : CVE-2024-23319
Source : responsibledisclosure@mattermost.com
CVSS Score : 3.5

References :
https://mattermost.com/security-updates | source : responsibledisclosure@mattermost.com

Vulnerability : CWE-352


Vulnerability ID : CVE-2024-24774

First published on : 09-02-2024 15:15:08
Last modified on : 09-02-2024 17:31:15

Description :
Mattermost Jira Plugin handling subscriptions fails to check the security level of an incoming issue or limit it based on the user who created the subscription resulting in registered users on Jira being able to create webhooks that give them access to all Jira issues.

CVE ID : CVE-2024-24774
Source : responsibledisclosure@mattermost.com
CVSS Score : 3.4

References :
https://mattermost.com/security-updates | source : responsibledisclosure@mattermost.com

Vulnerability : CWE-863


Vulnerability ID : CVE-2024-24776

First published on : 09-02-2024 15:15:08
Last modified on : 09-02-2024 17:31:15

Description :
Mattermost fails to check the required permissions in the POST /api/v4/channels/stats/member_count API resulting in channel member counts being leaked to a user without permissions.

CVE ID : CVE-2024-24776
Source : responsibledisclosure@mattermost.com
CVSS Score : 3.1

References :
https://mattermost.com/security-updates | source : responsibledisclosure@mattermost.com

Vulnerability : CWE-284


Source : vuldb.com

Vulnerability ID : CVE-2021-4437

First published on : 12-02-2024 20:15:07
Last modified on : 12-02-2024 20:39:09

Description :
A vulnerability, which was classified as problematic, has been found in dbartholomae lambda-middleware frameguard up to 1.0.4. Affected by this issue is some unknown functionality of the file packages/json-deserializer/src/JsonDeserializer.ts of the component JSON Mime-Type Handler. The manipulation leads to inefficient regular expression complexity. Upgrading to version 1.1.0 is able to address this issue. The patch is identified as f689404d830cbc1edd6a1018d3334ff5f44dc6a6. It is recommended to upgrade the affected component. VDB-253406 is the identifier assigned to this vulnerability.

CVE ID : CVE-2021-4437
Source : cna@vuldb.com
CVSS Score : 3.5

References :
https://github.com/dbartholomae/lambda-middleware/commit/f689404d830cbc1edd6a1018d3334ff5f44dc6a6 | source : cna@vuldb.com
https://github.com/dbartholomae/lambda-middleware/pull/57 | source : cna@vuldb.com
https://github.com/dbartholomae/lambda-middleware/releases/tag/%40lambda-middleware%2Fframeguard_v1.1.0 | source : cna@vuldb.com
https://vuldb.com/?ctiid.253406 | source : cna@vuldb.com
https://vuldb.com/?id.253406 | source : cna@vuldb.com

Vulnerability : CWE-1333


Vulnerability ID : CVE-2024-1433

First published on : 11-02-2024 23:15:07
Last modified on : 12-02-2024 14:20:03

Description :
A vulnerability, which was classified as problematic, was found in KDE Plasma Workspace up to 5.93.0. This affects the function EventPluginsManager::enabledPlugins of the file components/calendar/eventpluginsmanager.cpp of the component Theme File Handler. The manipulation of the argument pluginId leads to path traversal. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The patch is named 6cdf42916369ebf4ad5bd876c4dfa0170d7b2f01. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-253407. NOTE: This requires write access to user's home or the installation of third party global themes.

CVE ID : CVE-2024-1433
Source : cna@vuldb.com
CVSS Score : 3.1

References :
https://github.com/KDE/plasma-workspace/commit/6cdf42916369ebf4ad5bd876c4dfa0170d7b2f01 | source : cna@vuldb.com
https://vuldb.com/?ctiid.253407 | source : cna@vuldb.com
https://vuldb.com/?id.253407 | source : cna@vuldb.com

Vulnerability : CWE-22


Source : emc.com

Vulnerability ID : CVE-2024-22226

First published on : 12-02-2024 19:15:12
Last modified on : 12-02-2024 20:39:09

Description :
Dell Unity, versions prior to 5.4, contain a path traversal vulnerability in its svc_supportassist utility. An authenticated attacker could potentially exploit this vulnerability, to gain unauthorized write access to the files stored on the server filesystem, with elevated privileges.

CVE ID : CVE-2024-22226
Source : security_alert@emc.com
CVSS Score : 3.3

References :
https://www.dell.com/support/kbdoc/en-us/000222010/dsa-2024-042-dell-unity-dell-unity-vsa-and-dell-unity-xt-security-update-for-multiple-vulnerabilities | source : security_alert@emc.com

Vulnerability : CWE-23


Source : ff5b8ace-8b95-4078-9743-eac1ca5451de

Vulnerability ID : CVE-2024-1245

First published on : 09-02-2024 20:15:54
Last modified on : 11-02-2024 22:29:15

Description :
Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS in file tags and description attributes since administrator entered file attributes are not sufficiently sanitized in the Edit Attributes page. A rogue administrator could put malicious code into the file tags or description attributes and, when another administrator opens the same file for editing, the malicious code could execute. The Concrete CMS Security team scored this 2.4 with CVSS v3 vector AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N.

CVE ID : CVE-2024-1245
Source : ff5b8ace-8b95-4078-9743-eac1ca5451de
CVSS Score : 2.4

References :
https://documentation.concretecms.org/9-x/developers/introduction/version-history/925-release-notes | source : ff5b8ace-8b95-4078-9743-eac1ca5451de
https://www.concretecms.org/about/project-news/security/2024-02-04-security-advisory | source : ff5b8ace-8b95-4078-9743-eac1ca5451de

Vulnerability : CWE-20


Vulnerability ID : CVE-2024-1247

First published on : 09-02-2024 19:15:24
Last modified on : 11-02-2024 22:29:15

Description :
Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS via the Role Name field since there is insufficient validation of administrator provided data for that field. A rogue administrator could inject malicious code into the Role Name field which might be executed when users visit the affected page. The Concrete CMS Security team scored this 2 with CVSS v3 vector AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator . Concrete versions below 9 do not include group types so they are not affected by this vulnerability.

CVE ID : CVE-2024-1247
Source : ff5b8ace-8b95-4078-9743-eac1ca5451de
CVSS Score : 2.0

References :
https://documentation.concretecms.org/9-x/developers/introduction/version-history/925-release-notes | source : ff5b8ace-8b95-4078-9743-eac1ca5451de
https://www.concretecms.org/about/project-news/security/2024-02-04-security-advisory | source : ff5b8ace-8b95-4078-9743-eac1ca5451de

Vulnerability : CWE-20


Vulnerability ID : CVE-2024-1246

First published on : 09-02-2024 20:15:54
Last modified on : 11-02-2024 22:29:15

Description :
Concrete CMS in version 9 before 9.2.5 is vulnerable to reflected XSS via the Image URL Import Feature due to insufficient validation of administrator provided data. A rogue administrator could inject malicious code when importing images, leading to the execution of the malicious code on the website userโ€™s browser. The Concrete CMS Security team scored this 2 with CVSS v3 vector AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N. This does not affect Concrete versions prior to version 9.

CVE ID : CVE-2024-1246
Source : ff5b8ace-8b95-4078-9743-eac1ca5451de
CVSS Score : 2.0

References :
https://documentation.concretecms.org/9-x/developers/introduction/version-history/925-release-notes | source : ff5b8ace-8b95-4078-9743-eac1ca5451de
https://www.concretecms.org/about/project-news/security/2024-02-04-security-advisory | source : ff5b8ace-8b95-4078-9743-eac1ca5451de

Vulnerability : CWE-20


(56) NO SCORE VULNERABILITIES [0.0, 0.0]

Source : mitre.org

Vulnerability ID : CVE-2023-31506

First published on : 09-02-2024 07:15:59
Last modified on : 09-02-2024 14:31:23

Description :
A cross-site scripting (XSS) vulnerability in Grav versions 1.7.44 and before, allows remote authenticated attackers to execute arbitrary web scripts or HTML via the onmouseover attribute of an ISINDEX element.

CVE ID : CVE-2023-31506
Source : cve@mitre.org
CVSS Score : /

References :
https://m3n0sd0n4ld.github.io/patoHackventuras/cve-2023-31506 | source : cve@mitre.org


Vulnerability ID : CVE-2023-39683

First published on : 09-02-2024 07:15:59
Last modified on : 09-02-2024 14:31:23

Description :
Cross Site Scripting (XSS) vulnerability in EasyEmail v.4.12.2 and before allows a local attacker to execute arbitrary code via the user input parameter(s). NOTE: Researcher claims issue is present in all versions prior and later than tested version.

CVE ID : CVE-2023-39683
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/zalify/easy-email/issues/321 | source : cve@mitre.org
https://github.com/zalify/easy-email/issues/373 | source : cve@mitre.org
https://medium.com/%40vificatem/cve-2023-39683-dom-xss-on-json-source-code-panel-in-zalify-easy-email-3fa08f3e0d49 | source : cve@mitre.org


Vulnerability ID : CVE-2024-25003

First published on : 09-02-2024 07:16:00
Last modified on : 09-02-2024 14:31:23

Description :
KiTTY versions 0.76.1.13 and before is vulnerable to a stack-based buffer overflow via the hostname, occurs due to insufficient bounds checking and input sanitization. This allows an attacker to overwrite adjacent memory, which leads to arbitrary code execution.

CVE ID : CVE-2024-25003
Source : cve@mitre.org
CVSS Score : /

References :
http://packetstormsecurity.com/files/177032/KiTTY-0.76.1.13-Buffer-Overflows.html | source : cve@mitre.org
https://blog.defcesco.io/CVE-2024-25003-CVE-2024-25004 | source : cve@mitre.org


Vulnerability ID : CVE-2024-25004

First published on : 09-02-2024 07:16:00
Last modified on : 09-02-2024 14:31:23

Description :
KiTTY versions 0.76.1.13 and before is vulnerable to a stack-based buffer overflow via the username, occurs due to insufficient bounds checking and input sanitization (at line 2600). This allows an attacker to overwrite adjacent memory, which leads to arbitrary code execution.

CVE ID : CVE-2024-25004
Source : cve@mitre.org
CVSS Score : /

References :
http://packetstormsecurity.com/files/177032/KiTTY-0.76.1.13-Buffer-Overflows.html | source : cve@mitre.org
https://blog.defcesco.io/CVE-2024-25003-CVE-2024-25004 | source : cve@mitre.org


Vulnerability ID : CVE-2023-46350

First published on : 09-02-2024 08:15:08
Last modified on : 09-02-2024 14:31:23

Description :
SQL injection vulnerability in InnovaDeluxe "Manufacturer or supplier alphabetical search" (idxrmanufacturer) module for PrestaShop versions 2.0.4 and before, allows remote attackers to escalate privileges and obtain sensitive information via the methods IdxrmanufacturerFunctions::getCornersLink, IdxrmanufacturerFunctions::getManufacturersLike and IdxrmanufacturerFunctions::getSuppliersLike.

CVE ID : CVE-2023-46350
Source : cve@mitre.org
CVSS Score : /

References :
https://security.friendsofpresta.org/modules/2024/02/08/idxrmanufacturer.html | source : cve@mitre.org


Vulnerability ID : CVE-2023-50026

First published on : 09-02-2024 08:15:08
Last modified on : 09-02-2024 14:31:23

Description :
SQL injection vulnerability in Presta Monster "Multi Accessories Pro" (hsmultiaccessoriespro) module for PrestaShop versions 5.1.1 and before, allows remote attackers to escalate privileges and obtain sensitive information via the method HsAccessoriesGroupProductAbstract::getAccessoriesByIdProducts().

CVE ID : CVE-2023-50026
Source : cve@mitre.org
CVSS Score : /

References :
https://security.friendsofpresta.org/modules/2024/02/08/hsmultiaccessoriespro.html | source : cve@mitre.org


Vulnerability ID : CVE-2024-23749

First published on : 09-02-2024 08:15:08
Last modified on : 09-02-2024 14:31:23

Description :
KiTTY versions 0.76.1.13 and before is vulnerable to command injection via the filename variable, occurs due to insufficient input sanitization and validation, failure to escape special characters, and insecure system calls (at lines 2369-2390). This allows an attacker to add inputs inside the filename variable, leading to arbitrary code execution.

CVE ID : CVE-2024-23749
Source : cve@mitre.org
CVSS Score : /

References :
http://packetstormsecurity.com/files/177031/KiTTY-0.76.1.13-Command-Injection.html | source : cve@mitre.org
https://blog.defcesco.io/CVE-2024-23749 | source : cve@mitre.org


Vulnerability ID : CVE-2024-24308

First published on : 09-02-2024 08:15:08
Last modified on : 09-02-2024 14:31:23

Description :
SQL Injection vulnerability in Boostmyshop (boostmyshopagent) module for Prestashop versions 1.1.9 and before, allows remote attackers to escalate privileges and obtain sensitive information via changeOrderCarrier.php, relayPoint.php, and shippingConfirmation.php.

CVE ID : CVE-2024-24308
Source : cve@mitre.org
CVSS Score : /

References :
https://security.friendsofpresta.org/modules/2024/02/08/boostmyshopagent.html | source : cve@mitre.org


Vulnerability ID : CVE-2024-25677

First published on : 09-02-2024 09:15:08
Last modified on : 09-02-2024 14:26:32

Description :
In Min before 1.31.0, local files are not correctly treated as unique security origins, which allows them to improperly request cross-origin resources. For example, a local file may request other local files through an XML document.

CVE ID : CVE-2024-25677
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/minbrowser/min/security/advisories/GHSA-4w9v-7h8h-rv8x | source : cve@mitre.org


Vulnerability ID : CVE-2024-25678

First published on : 09-02-2024 10:15:08
Last modified on : 09-02-2024 14:26:32

Description :
In LiteSpeed QUIC (LSQUIC) Library before 4.0.4, DCID validation is mishandled.

CVE ID : CVE-2024-25678
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/litespeedtech/lsquic/commit/515f453556c99d27c4dddb5424898dc1a5537708 | source : cve@mitre.org
https://github.com/litespeedtech/lsquic/releases/tag/v4.0.4 | source : cve@mitre.org
https://www.rfc-editor.org/rfc/rfc9001 | source : cve@mitre.org


Vulnerability ID : CVE-2024-25679

First published on : 09-02-2024 10:15:08
Last modified on : 09-02-2024 14:26:32

Description :
In PQUIC before 5bde5bb, retention of unused initial encryption keys allows attackers to disrupt a connection with a PSK configuration by sending a CONNECTION_CLOSE frame that is encrypted via the initial key computed. Network traffic sniffing is needed as part of exploitation.

CVE ID : CVE-2024-25679
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/p-quic/pquic/issues/35 | source : cve@mitre.org
https://github.com/p-quic/pquic/pull/39 | source : cve@mitre.org
https://www.rfc-editor.org/rfc/rfc9001#name-discarding-unused-keys | source : cve@mitre.org


Vulnerability ID : CVE-2024-25442

First published on : 09-02-2024 15:15:08
Last modified on : 09-02-2024 17:31:15

Description :
An issue in the HuginBase::PanoramaMemento::loadPTScript function of Hugin v2022.0.0 allows attackers to cause a heap buffer overflow via parsing a crafted image.

CVE ID : CVE-2024-25442
Source : cve@mitre.org
CVSS Score : /

References :
https://bugs.launchpad.net/hugin/+bug/2025032 | source : cve@mitre.org


Vulnerability ID : CVE-2024-25443

First published on : 09-02-2024 15:15:08
Last modified on : 09-02-2024 17:31:15

Description :
An issue in the HuginBase::ImageVariable<double>::linkWith function of Hugin v2022.0.0 allows attackers to cause a heap-use-after-free via parsing a crafted image.

CVE ID : CVE-2024-25443
Source : cve@mitre.org
CVSS Score : /

References :
https://bugs.launchpad.net/hugin/+bug/2025035 | source : cve@mitre.org


Vulnerability ID : CVE-2024-25445

First published on : 09-02-2024 15:15:08
Last modified on : 09-02-2024 17:31:15

Description :
Improper handling of values in HuginBase::PTools::Transform::transform of Hugin 2022.0.0 leads to an assertion failure.

CVE ID : CVE-2024-25445
Source : cve@mitre.org
CVSS Score : /

References :
https://bugs.launchpad.net/hugin/+bug/2025038 | source : cve@mitre.org


Vulnerability ID : CVE-2024-25446

First published on : 09-02-2024 15:15:08
Last modified on : 09-02-2024 17:31:15

Description :
An issue in the HuginBase::PTools::setDestImage function of Hugin v2022.0.0 allows attackers to cause a heap buffer overflow via parsing a crafted image.

CVE ID : CVE-2024-25446
Source : cve@mitre.org
CVSS Score : /

References :
https://bugs.launchpad.net/hugin/+bug/2025037 | source : cve@mitre.org


Vulnerability ID : CVE-2024-25447

First published on : 09-02-2024 15:15:08
Last modified on : 09-02-2024 17:31:15

Description :
An issue in the imlib_load_image_with_error_return function of imlib2 v1.9.1 allows attackers to cause a heap buffer overflow via parsing a crafted image.

CVE ID : CVE-2024-25447
Source : cve@mitre.org
CVSS Score : /

References :
https://git.enlightenment.org/old/legacy-imlib2/issues/20 | source : cve@mitre.org
https://github.com/derf/feh/issues/709 | source : cve@mitre.org


Vulnerability ID : CVE-2024-25448

First published on : 09-02-2024 15:15:09
Last modified on : 09-02-2024 17:31:15

Description :
An issue in the imlib_free_image_and_decache function of imlib2 v1.9.1 allows attackers to cause a heap buffer overflow via parsing a crafted image.

CVE ID : CVE-2024-25448
Source : cve@mitre.org
CVSS Score : /

References :
https://git.enlightenment.org/old/legacy-imlib2/issues/20 | source : cve@mitre.org
https://github.com/derf/feh/issues/711 | source : cve@mitre.org


Vulnerability ID : CVE-2024-25450

First published on : 09-02-2024 15:15:09
Last modified on : 09-02-2024 17:31:15

Description :
imlib2 v1.9.1 was discovered to mishandle memory allocation in the function init_imlib_fonts().

CVE ID : CVE-2024-25450
Source : cve@mitre.org
CVSS Score : /

References :
https://git.enlightenment.org/old/legacy-imlib2/issues/20 | source : cve@mitre.org
https://github.com/derf/feh/issues/712 | source : cve@mitre.org


Vulnerability ID : CVE-2024-23724

First published on : 11-02-2024 01:15:08
Last modified on : 11-02-2024 22:29:15

Description :
Ghost through 5.76.0 allows stored XSS, and resultant privilege escalation in which a contributor can take over any account, via an SVG profile picture that contains JavaScript code to interact with the API on localhost TCP port 3001. NOTE: The discoverer reports that "The vendor does not view this as a valid vector."

CVE ID : CVE-2024-23724
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/RhinoSecurityLabs/CVEs/tree/master/CVE-2024-23724 | source : cve@mitre.org
https://github.com/TryGhost/Ghost/pull/19646 | source : cve@mitre.org
https://rhinosecuritylabs.com/blog/ | source : cve@mitre.org


Vulnerability ID : CVE-2024-25714

First published on : 11-02-2024 03:15:09
Last modified on : 11-02-2024 22:29:15

Description :
In Rhonabwy through 1.1.13, HMAC signature verification uses a strcmp function that is vulnerable to side-channel attacks, because it stops the comparison when the first difference is spotted in the two signatures. (The fix uses gnutls_memcmp, which has constant-time execution.)

CVE ID : CVE-2024-25714
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/babelouest/rhonabwy/commit/f9fd9a1c77e48b514ebb3baf0360f87eef3d846e | source : cve@mitre.org


Vulnerability ID : CVE-2024-25715

First published on : 11-02-2024 03:15:09
Last modified on : 11-02-2024 22:29:15

Description :
Glewlwyd SSO server 2.x through 2.7.6 allows open redirection via redirect_uri.

CVE ID : CVE-2024-25715
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/babelouest/glewlwyd/commit/59239381a88c505ab38fe64fdd92f846defa5754 | source : cve@mitre.org
https://github.com/babelouest/glewlwyd/commit/c91c0155f2393274cc18efe77e06c6846e404c75 | source : cve@mitre.org


Vulnerability ID : CVE-2023-52428

First published on : 11-02-2024 05:15:08
Last modified on : 11-02-2024 22:29:15

Description :
In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component.

CVE ID : CVE-2023-52428
Source : cve@mitre.org
CVSS Score : /

References :
https://bitbucket.org/connect2id/nimbus-jose-jwt/commits/3b3b77e | source : cve@mitre.org
https://bitbucket.org/connect2id/nimbus-jose-jwt/issues/526/ | source : cve@mitre.org
https://connect2id.com/products/nimbus-jose-jwt | source : cve@mitre.org


Vulnerability ID : CVE-2024-25718

First published on : 11-02-2024 05:15:08
Last modified on : 11-02-2024 22:29:15

Description :
In the Samly package before 1.4.0 for Elixir, Samly.State.Store.get_assertion/3 can return an expired session, which interferes with access control because Samly.AuthHandler uses a cached session and does not replace it, even after expiry.

CVE ID : CVE-2024-25718
Source : cve@mitre.org
CVSS Score : /

References :
https://diff.hex.pm/diff/samly/1.3.0..1.4.0 | source : cve@mitre.org
https://github.com/dropbox/samly | source : cve@mitre.org
https://github.com/dropbox/samly/pull/13 | source : cve@mitre.org
https://github.com/dropbox/samly/pull/13/commits/812b5c3ad076dc9c9334c1a560c8e6470607d1eb | source : cve@mitre.org
https://github.com/handnot2/samly | source : cve@mitre.org
https://hex.pm/packages/samly | source : cve@mitre.org


Vulnerability ID : CVE-2024-25722

First published on : 11-02-2024 05:15:08
Last modified on : 11-02-2024 22:29:15

Description :
qanything_kernel/connector/database/mysql/mysql_client.py in qanything.ai QAnything before 1.2.0 allows SQL Injection.

CVE ID : CVE-2024-25722
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/netease-youdao/QAnything/commit/35753b892c2c4361b318d68dfa3e251c85ce889c | source : cve@mitre.org
https://github.com/netease-youdao/QAnything/compare/v1.1.1...v1.2.0 | source : cve@mitre.org


Vulnerability ID : CVE-2024-25728

First published on : 11-02-2024 22:15:08
Last modified on : 11-02-2024 22:29:15

Description :
ExpressVPN before 12.73.0 on Windows, when split tunneling is used, sends DNS requests according to the Windows configuration (e.g., sends them to DNS servers operated by the user's ISP instead of to the ExpressVPN DNS servers), which may allow remote attackers to obtain sensitive information about websites visited by VPN users.

CVE ID : CVE-2024-25728
Source : cve@mitre.org
CVSS Score : /

References :
https://www.bleepingcomputer.com/news/security/expressvpn-bug-has-been-leaking-some-dns-requests-for-years/ | source : cve@mitre.org
https://www.expressvpn.com/blog/windows-app-dns-requests/ | source : cve@mitre.org


Vulnerability ID : CVE-2023-52429

First published on : 12-02-2024 03:15:32
Last modified on : 12-02-2024 14:20:03

Description :
dm_table_create in drivers/md/dm-table.c in the Linux kernel through 6.7.4 can attempt to (in alloc_targets) allocate more than INT_MAX bytes, and crash, because of a missing check for struct dm_ioctl.target_count.

CVE ID : CVE-2023-52429
Source : cve@mitre.org
CVSS Score : /

References :
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=bd504bcfec41a503b32054da5472904b404341a4 | source : cve@mitre.org
https://www.spinics.net/lists/dm-devel/msg56625.html | source : cve@mitre.org


Vulnerability ID : CVE-2024-25739

First published on : 12-02-2024 03:15:32
Last modified on : 12-02-2024 14:20:03

Description :
create_empty_lvol in drivers/mtd/ubi/vtbl.c in the Linux kernel through 6.7.4 can attempt to allocate zero bytes, and crash, because of a missing check for ubi->leb_size.

CVE ID : CVE-2024-25739
Source : cve@mitre.org
CVSS Score : /

References :
https://groups.google.com/g/syzkaller/c/Xl97YcQA4hg | source : cve@mitre.org
https://www.spinics.net/lists/kernel/msg5074816.html | source : cve@mitre.org


Vulnerability ID : CVE-2024-25740

First published on : 12-02-2024 03:15:32
Last modified on : 12-02-2024 14:20:03

Description :
A memory leak flaw was found in the UBI driver in drivers/mtd/ubi/attach.c in the Linux kernel through 6.7.4 for UBI_IOCATT, because kobj->name is not released.

CVE ID : CVE-2024-25740
Source : cve@mitre.org
CVSS Score : /

References :
https://lore.kernel.org/lkml/0171b6cc-95ee-3538-913b-65a391a446b3%40huawei.com/T/ | source : cve@mitre.org


Vulnerability ID : CVE-2024-25741

First published on : 12-02-2024 03:15:32
Last modified on : 12-02-2024 14:20:03

Description :
printer_write in drivers/usb/gadget/function/f_printer.c in the Linux kernel through 6.7.4 does not properly call usb_ep_queue, which might allow attackers to cause a denial of service or have unspecified other impact.

CVE ID : CVE-2024-25741
Source : cve@mitre.org
CVSS Score : /

References :
https://www.spinics.net/lists/linux-usb/msg252167.html | source : cve@mitre.org


Vulnerability ID : CVE-2024-25744

First published on : 12-02-2024 05:15:07
Last modified on : 12-02-2024 14:20:03

Description :
In the Linux kernel before 6.6.7, an untrusted VMM can trigger int80 syscall handling at any given point. This is related to arch/x86/coco/tdx/tdx.c and arch/x86/mm/mem_encrypt_amd.c.

CVE ID : CVE-2024-25744
Source : cve@mitre.org
CVSS Score : /

References :
https://cdn.kernel.org/pub/linux/kernel/v6.x/ChangeLog-6.6.7 | source : cve@mitre.org
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b82a8dbd3d2f4563156f7150c6f2ecab6e960b30 | source : cve@mitre.org


Vulnerability ID : CVE-2024-25360

First published on : 12-02-2024 16:15:08
Last modified on : 12-02-2024 17:31:21

Description :
A hidden interface in Motorola CX2L Router firmware v1.0.1 leaks information regarding the SystemWizardStatus component via sending a crafted request to device_web_ip.

CVE ID : CVE-2024-25360
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/leetsun/Hints/tree/main/moto-CX2L/4 | source : cve@mitre.org


Vulnerability ID : CVE-2024-23759

First published on : 12-02-2024 22:15:08
Last modified on : 12-02-2024 22:15:08

Description :
Deserialization of Untrusted Data in Gambio through 4.9.2.0 allows attackers to run arbitrary code via "search" parameter of the Parcelshopfinder/AddAddressBookEntry" function.

CVE ID : CVE-2024-23759
Source : cve@mitre.org
CVSS Score : /

References :
https://herolab.usd.de/security-advisories/usd-2023-0046/ | source : cve@mitre.org


Vulnerability ID : CVE-2024-23760

First published on : 12-02-2024 22:15:08
Last modified on : 12-02-2024 22:15:08

Description :
Cleartext Storage of Sensitive Information in Gambio 4.9.2.0 allows attackers to obtain sensitive information via error-handler.log.json and legacy-error-handler.log.txt under the webroot.

CVE ID : CVE-2024-23760
Source : cve@mitre.org
CVSS Score : /

References :
https://herolab.usd.de/security-advisories/usd-2023-0050/ | source : cve@mitre.org


Vulnerability ID : CVE-2024-23761

First published on : 12-02-2024 22:15:08
Last modified on : 12-02-2024 22:15:08

Description :
Server Side Template Injection in Gambio 4.9.2.0 allows attackers to run arbitrary code via crafted smarty email template.

CVE ID : CVE-2024-23761
Source : cve@mitre.org
CVSS Score : /

References :
https://herolab.usd.de/security-advisories/usd-2023-0048/ | source : cve@mitre.org


Vulnerability ID : CVE-2024-23762

First published on : 12-02-2024 22:15:08
Last modified on : 12-02-2024 22:15:08

Description :
Unrestricted File Upload vulnerability in Content Manager feature in Gambio 4.9.2.0 allows attackers to execute arbitrary code via upload of crafted PHP file.

CVE ID : CVE-2024-23762
Source : cve@mitre.org
CVSS Score : /

References :
https://herolab.usd.de/security-advisories/usd-2023-0049/ | source : cve@mitre.org


Vulnerability ID : CVE-2024-23763

First published on : 12-02-2024 22:15:08
Last modified on : 12-02-2024 22:15:08

Description :
SQL Injection vulnerability in Gambio through 4.9.2.0 allows attackers to run arbitrary SQL commands via crafted GET request using modifiers[attribute][] parameter.

CVE ID : CVE-2024-23763
Source : cve@mitre.org
CVSS Score : /

References :
https://herolab.usd.de/security-advisories/usd-2023-0047/ | source : cve@mitre.org


Vulnerability ID : CVE-2024-24337

First published on : 12-02-2024 22:15:08
Last modified on : 12-02-2024 22:15:08

Description :
CSV Injection vulnerability in '/members/moremember.pl' and '/admin/aqbudgets.pl' endpoints in Koha Library Management System version 23.05.05 and earlier allows attackers to to inject DDE commands into csv exports via the 'Budget' and 'Patrons Member' components.

CVE ID : CVE-2024-24337
Source : cve@mitre.org
CVSS Score : /

References :
https://nitipoom-jar.github.io/CVE-2024-24337/ | source : cve@mitre.org


Source : redhat.com

Vulnerability ID : CVE-2023-6716

First published on : 09-02-2024 09:15:07
Last modified on : 09-02-2024 09:15:07

Description :
Rejected reason: ** REJECT ** DO NOT USE THIS CVE RECORD. All references and descriptions in this record have been removed to prevent accidental usage.

CVE ID : CVE-2023-6716
Source : secalert@redhat.com
CVSS Score : /

References :


Source : apache.org

Vulnerability ID : CVE-2023-50291

First published on : 09-02-2024 18:15:08
Last modified on : 11-02-2024 22:29:15

Description :
Insufficiently Protected Credentials vulnerability in Apache Solr. This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.3.0. One of the two endpoints that publishes the Solr process' Java system properties, /admin/info/properties, was only setup to hide system properties that had "password" contained in the name. There are a number of sensitive system properties, such as "basicauth" and "aws.secretKey" do not contain "password", thus their values were published via the "/admin/info/properties" endpoint. This endpoint populates the list of System Properties on the home screen of the Solr Admin page, making the exposed credentials visible in the UI. This /admin/info/properties endpoint is protected under the "config-read" permission. Therefore, Solr Clouds with Authorization enabled will only be vulnerable through logged-in users that have the "config-read" permission. Users are recommended to upgrade to version 9.3.0 or 8.11.3, which fixes the issue. A single option now controls hiding Java system property for all endpoints, "-Dsolr.hiddenSysProps". By default all known sensitive properties are hidden (including "-Dbasicauth"), as well as any property with a name containing "secret" or "password". Users who cannot upgrade can also use the following Java system property to fix the issue: '-Dsolr.redaction.system.pattern=.*(password|secret|basicauth).*'

CVE ID : CVE-2023-50291
Source : security@apache.org
CVSS Score : /

References :
http://www.openwall.com/lists/oss-security/2024/02/09/4 | source : security@apache.org
https://solr.apache.org/security.html#cve-2023-50291-apache-solr-can-leak-certain-passwords-due-to-system-property-redaction-logic-inconsistencies | source : security@apache.org

Vulnerability : CWE-522


Vulnerability ID : CVE-2023-50292

First published on : 09-02-2024 18:15:08
Last modified on : 11-02-2024 22:29:15

Description :
Incorrect Permission Assignment for Critical Resource, Improper Control of Dynamically-Managed Code Resources vulnerability in Apache Solr. This issue affects Apache Solr: from 8.10.0 through 8.11.2, from 9.0.0 before 9.3.0. The Schema Designer was introduced to allow users to more easily configure and test new Schemas and configSets. However, when the feature was created, the "trust" (authentication) of these configSets was not considered. External library loading is only available to configSets that are "trusted" (created by authenticated users), thus non-authenticated users are unable to perform Remote Code Execution. Since the Schema Designer loaded configSets without taking their "trust" into account, configSets that were created by unauthenticated users were allowed to load external libraries when used in the Schema Designer. Users are recommended to upgrade to version 9.3.0, which fixes the issue.

CVE ID : CVE-2023-50292
Source : security@apache.org
CVSS Score : /

References :
http://www.openwall.com/lists/oss-security/2024/02/09/3 | source : security@apache.org
https://solr.apache.org/security.html#cve-2023-50298-apache-solr-can-expose-zookeeper-credentials-via-streaming-expressions | source : security@apache.org

Vulnerability : CWE-732


Vulnerability ID : CVE-2023-50298

First published on : 09-02-2024 18:15:08
Last modified on : 11-02-2024 22:29:15

Description :
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Solr.This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.4.1. Solr Streaming Expressions allows users to extract data from other Solr Clouds, using a "zkHost" parameter. When original SolrCloud is setup to use ZooKeeper credentials and ACLs, they will be sent to whatever "zkHost" the user provides. An attacker could setup a server to mock ZooKeeper, that accepts ZooKeeper requests with credentials and ACLs and extracts the sensitive information, then send a streaming expression using the mock server's address in "zkHost". Streaming Expressions are exposed via the "/streaming" handler, with "read" permissions. Users are recommended to upgrade to version 8.11.3 or 9.4.1, which fix the issue. From these versions on, only zkHost values that have the same server address (regardless of chroot), will use the given ZooKeeper credentials and ACLs when connecting.

CVE ID : CVE-2023-50298
Source : security@apache.org
CVSS Score : /

References :
http://www.openwall.com/lists/oss-security/2024/02/09/2 | source : security@apache.org
http://www.openwall.com/lists/oss-security/2024/02/09/3 | source : security@apache.org
https://solr.apache.org/security.html#cve-2023-50298-apache-solr-can-expose-zookeeper-credentials-via-streaming-expressions | source : security@apache.org

Vulnerability : CWE-200


Vulnerability ID : CVE-2023-50386

First published on : 09-02-2024 18:15:08
Last modified on : 11-02-2024 22:29:15

Description :
Improper Control of Dynamically-Managed Code Resources, Unrestricted Upload of File with Dangerous Type, Inclusion of Functionality from Untrusted Control Sphere vulnerability in Apache Solr.This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.4.1. In the affected versions, Solr ConfigSets accepted Java jar and class files to be uploaded through the ConfigSets API. When backing up Solr Collections, these configSet files would be saved to disk when using the LocalFileSystemRepository (the default for backups). If the backup was saved to a directory that Solr uses in its ClassPath/ClassLoaders, then the jar and class files would be available to use with any ConfigSet, trusted or untrusted. When Solr is run in a secure way (Authorization enabled), as is strongly suggested, this vulnerability is limited to extending the Backup permissions with the ability to add libraries. Users are recommended to upgrade to version 8.11.3 or 9.4.1, which fix the issue. In these versions, the following protections have been added: * Users are no longer able to upload files to a configSet that could be executed via a Java ClassLoader. * The Backup API restricts saving backups to directories that are used in the ClassLoader.

CVE ID : CVE-2023-50386
Source : security@apache.org
CVSS Score : /

References :
http://www.openwall.com/lists/oss-security/2024/02/09/1 | source : security@apache.org
https://solr.apache.org/security.html#cve-2023-50386-apache-solr-backuprestore-apis-allow-for-deployment-of-executables-in-malicious-configsets | source : security@apache.org

Vulnerability : CWE-434
Vulnerability : CWE-913


Source : wordfence.com

Vulnerability ID : CVE-2024-1420

First published on : 12-02-2024 15:15:07
Last modified on : 12-02-2024 15:15:07

Description :
Rejected reason: **REJECT** This is a duplicate of CVE-2024-1049. Please use CVE-2024-1049 instead.

CVE ID : CVE-2024-1420
Source : security@wordfence.com
CVSS Score : /

References :


Source : wpscan.com

Vulnerability ID : CVE-2023-6036

First published on : 12-02-2024 16:15:07
Last modified on : 12-02-2024 17:31:21

Description :
The Web3 WordPress plugin before 3.0.0 is vulnerable to an authentication bypass due to incorrect authentication checking in the login flow in functions 'handle_auth_request' and 'hadle_login_request'. This makes it possible for non authenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username.

CVE ID : CVE-2023-6036
Source : contact@wpscan.com
CVSS Score : /

References :
https://wpscan.com/vulnerability/7f30ab20-805b-422c-a9a5-21d39c570ee4/ | source : contact@wpscan.com


Vulnerability ID : CVE-2023-6081

First published on : 12-02-2024 16:15:08
Last modified on : 12-02-2024 17:31:21

Description :
The chartjs WordPress plugin through 2023.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

CVE ID : CVE-2023-6081
Source : contact@wpscan.com
CVSS Score : /

References :
https://lynk.nl/ | source : contact@wpscan.com
https://wpscan.com/vulnerability/5f011911-5fd1-46d9-b468-3062b4ec6f1e/ | source : contact@wpscan.com


Vulnerability ID : CVE-2023-6082

First published on : 12-02-2024 16:15:08
Last modified on : 12-02-2024 17:31:21

Description :
The chartjs WordPress plugin through 2023.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

CVE ID : CVE-2023-6082
Source : contact@wpscan.com
CVSS Score : /

References :
https://lynk.nl/ | source : contact@wpscan.com
https://wpscan.com/vulnerability/c3d43aac-66c8-4218-b3f0-5256f895eda3/ | source : contact@wpscan.com


Vulnerability ID : CVE-2023-6294

First published on : 12-02-2024 16:15:08
Last modified on : 12-02-2024 17:31:21

Description :
The Popup Builder WordPress plugin before 4.2.6 does not validate a parameter before making a request to it, which could allow users with the administrator role to perform SSRF attack in Multisite WordPress configurations.

CVE ID : CVE-2023-6294
Source : contact@wpscan.com
CVSS Score : /

References :
https://wpscan.com/vulnerability/eaeb5706-b19c-4266-b7df-889558ee2614/ | source : contact@wpscan.com


Vulnerability ID : CVE-2023-6499

First published on : 12-02-2024 16:15:08
Last modified on : 12-02-2024 17:31:21

Description :
The lasTunes WordPress plugin through 3.6.1 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack

CVE ID : CVE-2023-6499
Source : contact@wpscan.com
CVSS Score : /

References :
https://wpscan.com/vulnerability/69592e52-92db-4e30-92ca-b7b3d5b9185d/ | source : contact@wpscan.com


Vulnerability ID : CVE-2023-6501

First published on : 12-02-2024 16:15:08
Last modified on : 12-02-2024 17:31:21

Description :
The Splashscreen WordPress plugin through 0.20 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack

CVE ID : CVE-2023-6501
Source : contact@wpscan.com
CVSS Score : /

References :
https://magos-securitas.com/txt/CVE-2023-6501.txt | source : contact@wpscan.com
https://wpscan.com/vulnerability/dd19189b-de04-44b6-8ac9-0c32399a8976/ | source : contact@wpscan.com


Vulnerability ID : CVE-2023-6591

First published on : 12-02-2024 16:15:08
Last modified on : 12-02-2024 17:31:21

Description :
The Popup Box WordPress plugin before 20.9.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

CVE ID : CVE-2023-6591
Source : contact@wpscan.com
CVSS Score : /

References :
https://wpscan.com/vulnerability/f296de1c-b70b-4829-aba7-4afa24f64c51/ | source : contact@wpscan.com


Vulnerability ID : CVE-2023-7233

First published on : 12-02-2024 16:15:08
Last modified on : 12-02-2024 17:31:21

Description :
The GigPress WordPress plugin through 2.3.29 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

CVE ID : CVE-2023-7233
Source : contact@wpscan.com
CVSS Score : /

References :
https://wpscan.com/vulnerability/585cb2f2-7adc-431f-89d4-4e947f16af18/ | source : contact@wpscan.com


Vulnerability ID : CVE-2024-0248

First published on : 12-02-2024 16:15:08
Last modified on : 12-02-2024 17:31:21

Description :
The EazyDocs WordPress plugin before 2.4.0 re-introduced CVE-2023-6029 (https://wpscan.com/vulnerability/7a0aaf85-8130-4fd7-8f09-f8edc929597e/) in 2.3.8, allowing any authenticated users, such as subscriber to delete arbitrary posts, as well as add and delete documents/sections. The issue was partially fixed in 2.3.9.

CVE ID : CVE-2024-0248
Source : contact@wpscan.com
CVSS Score : /

References :
https://wpscan.com/vulnerability/faf50bc0-64c5-4ccc-a8ac-e73ed44a74df/ | source : contact@wpscan.com


Vulnerability ID : CVE-2024-0250

First published on : 12-02-2024 16:15:08
Last modified on : 12-02-2024 17:31:21

Description :
The Analytics Insights for Google Analytics 4 (AIWP) WordPress plugin before 6.3 is vulnerable to Open Redirect due to insufficient validation on the redirect oauth2callback.php file. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites if they can successfully trick them into performing an action.

CVE ID : CVE-2024-0250
Source : contact@wpscan.com
CVSS Score : /

References :
https://wpscan.com/vulnerability/321b07d1-692f-48e9-a8e5-a15b38efa979/ | source : contact@wpscan.com


Vulnerability ID : CVE-2024-0420

First published on : 12-02-2024 16:15:08
Last modified on : 12-02-2024 17:31:21

Description :
The MapPress Maps for WordPress plugin before 2.88.15 does not sanitize and escape the map title when outputting it back in the admin dashboard, allowing Contributors and above roles to perform Stored Cross-Site Scripting attacks

CVE ID : CVE-2024-0420
Source : contact@wpscan.com
CVSS Score : /

References :
https://wpscan.com/vulnerability/b6187ef8-70f4-4911-abd7-42bf6b7e54b7/ | source : contact@wpscan.com


Vulnerability ID : CVE-2024-0421

First published on : 12-02-2024 16:15:08
Last modified on : 12-02-2024 17:31:21

Description :
The MapPress Maps for WordPress plugin before 2.88.16 does not ensure that posts to be retrieve via an AJAX action is a public map, allowing unauthenticated users to read arbitrary private and draft posts.

CVE ID : CVE-2024-0421
Source : contact@wpscan.com
CVSS Score : /

References :
https://wpscan.com/vulnerability/587acc47-1966-4baf-a380-6aa479a97c82/ | source : contact@wpscan.com


Vulnerability ID : CVE-2024-0566

First published on : 12-02-2024 16:15:08
Last modified on : 12-02-2024 17:31:21

Description :
The Smart Manager WordPress plugin before 8.28.0 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admin.

CVE ID : CVE-2024-0566
Source : contact@wpscan.com
CVSS Score : /

References :
https://wpscan.com/vulnerability/ca83db95-4a08-4615-aa8d-016022404c32/ | source : contact@wpscan.com


This website uses the NVD API, but is not approved or certified by it.

About the author
Julien B.

Securitricks

Up-to-Date Cybersecurity Insights & Malware Reports

Securitricks

Great! Youโ€™ve successfully signed up.

Welcome back! You've successfully signed in.

You've successfully subscribed to Securitricks.

Success! Check your email for magic link to sign-in.

Success! Your billing info has been updated.

Your billing was not updated.