Latest vulnerabilities [Saturday, February 10, 2024]


Last update performed on 02/10/2024 at 11:57:06 PM

(0) CRITICAL VULNERABILITIES [9.0, 10.0]

(4) HIGH VULNERABILITIES [7.0, 8.9]

Source : wordfence.com

Vulnerability ID : CVE-2024-0594

First published on : 10-02-2024 07:15:07
Last modified on : 10-02-2024 07:15:07

Description :
The Awesome Support – WordPress HelpDesk & Support Plugin plugin for WordPress is vulnerable to union-based SQL Injection via the 'q' parameter of the wpas_get_users action in all versions up to, and including, 6.1.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVE ID : CVE-2024-0594
Source : security@wordfence.com
CVSS Score : 8.8

References :
https://plugins.trac.wordpress.org/browser/awesome-support/trunk/includes/functions-user.php#L1279 | source : security@wordfence.com
https://plugins.trac.wordpress.org/browser/awesome-support/trunk/includes/functions-user.php#L765 | source : security@wordfence.com
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3033134%40awesome-support&new=3033134%40awesome-support&sfp_email=&sfph_mail= | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/8494a0f6-7079-4fba-9901-76932b002c5a?source=cve | source : security@wordfence.com


Source : us.ibm.com

Vulnerability ID : CVE-2023-50957

First published on : 10-02-2024 16:15:07
Last modified on : 10-02-2024 16:15:07

Description :
IBM Storage Defender - Resiliency Service 2.0 could allow a privileged user to perform unauthorized actions after obtaining encrypted data from clear text key storage. IBM X-Force ID: 275783.

CVE ID : CVE-2023-50957
Source : psirt@us.ibm.com
CVSS Score : 8.0

References :
https://exchange.xforce.ibmcloud.com/vulnerabilities/275783 | source : psirt@us.ibm.com
https://www.ibm.com/support/pages/node/7115261 | source : psirt@us.ibm.com

Vulnerability : CWE-269


Source : snyk.io

Vulnerability ID : CVE-2024-21490

First published on : 10-02-2024 05:15:08
Last modified on : 10-02-2024 05:15:08

Description :
This affects versions of the package angular from 1.3.0. A regular expression used to split the value of the ng-srcset directive is vulnerable to super-linear runtime due to backtracking. With a large carefully-crafted input, this can result in catastrophic backtracking and cause a denial of service. **Note:** This package is EOL and will not receive any updates to address this issue. Users should migrate to [@angular/core](https://www.npmjs.com/package/@angular/core).

CVE ID : CVE-2024-21490
Source : report@snyk.io
CVSS Score : 7.5

References :
https://security.snyk.io/vuln/SNYK-JS-ANGULAR-6091113 | source : report@snyk.io
https://stackblitz.com/edit/angularjs-vulnerability-ng-srcset-redos | source : report@snyk.io

Vulnerability : CWE-1333


Source : patchstack.com

Vulnerability ID : CVE-2023-51488

First published on : 10-02-2024 09:15:08
Last modified on : 10-02-2024 09:15:08

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Automattic, Inc. Crowdsignal Dashboard – Polls, Surveys & more allows Reflected XSS. This issue affects Crowdsignal Dashboard – Polls, Surveys & more: from n/a through 3.0.11.

CVE ID : CVE-2023-51488
Source : audit@patchstack.com
CVSS Score : 7.1

References :
https://patchstack.com/database/vulnerability/polldaddy/wordpress-crowdsignal-polls-ratings-plugin-3-0-11-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


(26) MEDIUM VULNERABILITIES [4.0, 6.9]

Source : patchstack.com

Vulnerability ID : CVE-2024-24712

First published on : 10-02-2024 08:15:07
Last modified on : 10-02-2024 08:15:07

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Team Heateor Heateor Social Login WordPress allows Stored XSS. This issue affects Heateor Social Login WordPress: from n/a through 1.1.30.

CVE ID : CVE-2024-24712
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/heateor-social-login/wordpress-heateor-social-login-plugin-1-1-30-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-24713

First published on : 10-02-2024 08:15:07
Last modified on : 10-02-2024 08:15:07

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Auto Listings Auto Listings – Car Listings & Car Dealership Plugin for WordPress allows Stored XSS. This issue affects Auto Listings – Car Listings & Car Dealership Plugin for WordPress: from n/a through 2.6.5.

CVE ID : CVE-2024-24713
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/auto-listings/wordpress-auto-listings-plugin-2-6-5-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-24801

First published on : 10-02-2024 08:15:08
Last modified on : 10-02-2024 08:15:08

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LogicHunt OWL Carousel – WordPress Owl Carousel Slider allows Stored XSS. This issue affects OWL Carousel – WordPress Owl Carousel Slider: from n/a through 1.4.0.

CVE ID : CVE-2024-24801
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/lgx-owl-carousel/wordpress-owl-carousel-plugin-1-4-0-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-24803

First published on : 10-02-2024 08:15:08
Last modified on : 10-02-2024 08:15:08

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPoperation Ultra Companion – Companion plugin for WPoperation Themes allows Stored XSS. This issue affects Ultra Companion – Companion plugin for WPoperation Themes: from n/a through 1.1.9.

CVE ID : CVE-2024-24803
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/ultra-companion/wordpress-ultra-companion-plugin-1-1-9-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-24804

First published on : 10-02-2024 08:15:08
Last modified on : 10-02-2024 08:15:08

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in websoudan MW WP Form allows Stored XSS. This issue affects MW WP Form: from n/a through 5.0.6.

CVE ID : CVE-2024-24804
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/mw-wp-form/wordpress-mw-wp-form-plugin-5-0-6-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-24831

First published on : 10-02-2024 08:15:09
Last modified on : 10-02-2024 08:15:09

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Leap13 Premium Addons for Elementor allows Stored XSS. This issue affects Premium Addons for Elementor: from n/a through 4.10.16.

CVE ID : CVE-2024-24831
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/premium-addons-for-elementor/wordpress-premium-addons-for-elementor-plugin-4-10-16-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51404

First published on : 10-02-2024 09:15:07
Last modified on : 10-02-2024 09:15:07

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MyAgilePrivacy My Agile Privacy – The only GDPR solution for WordPress that you can truly trust allows Stored XSS. This issue affects My Agile Privacy – The only GDPR solution for WordPress that you can truly trust: from n/a through 2.1.7.

CVE ID : CVE-2023-51404
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/myagileprivacy/wordpress-my-agile-privacy-plugin-2-1-7-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51415

First published on : 10-02-2024 09:15:07
Last modified on : 10-02-2024 09:15:07

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GiveWP GiveWP – Donation Plugin and Fundraising Platform allows Stored XSS. This issue affects GiveWP – Donation Plugin and Fundraising Platform: from n/a through 3.2.2.

CVE ID : CVE-2023-51415
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/give/wordpress-givewp-plugin-3-2-2-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51480

First published on : 10-02-2024 09:15:07
Last modified on : 10-02-2024 09:15:07

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in realmag777 Active Products Tables for WooCommerce. Professional products tables for WooCommerce store allows Stored XSS. This issue affects Active Products Tables for WooCommerce. Professional products tables for WooCommerce store: from n/a through 1.0.6.

CVE ID : CVE-2023-51480
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/profit-products-tables-for-woocommerce/wordpress-active-products-tables-for-woocommerce-plugin-1-0-6-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51485

First published on : 10-02-2024 09:15:08
Last modified on : 10-02-2024 09:15:08

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Hosting Pay with Vipps and MobilePay for WooCommerce allows Stored XSS. This issue affects Pay with Vipps and MobilePay for WooCommerce: from n/a through 1.14.13.

CVE ID : CVE-2023-51485
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/woo-vipps/wordpress-pay-with-vipps-for-woocommerce-plugin-1-14-13-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51492

First published on : 10-02-2024 09:15:08
Last modified on : 10-02-2024 09:15:08

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in If So Plugin If-So Dynamic Content Personalization allows Stored XSS. This issue affects If-So Dynamic Content Personalization: from n/a through 1.6.3.1.

CVE ID : CVE-2023-51492
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/if-so/wordpress-if-so-dynamic-content-personalization-plugin-1-6-3-1-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51493

First published on : 10-02-2024 09:15:08
Last modified on : 10-02-2024 09:15:08

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Howard Ehrenberg Custom Post Carousels with Owl allows Stored XSS. This issue affects Custom Post Carousels with Owl: from n/a through 1.4.6.

CVE ID : CVE-2023-51493
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/dd-post-carousel/wordpress-custom-post-carousels-with-owl-plugin-1-4-6-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-23514

First published on : 10-02-2024 09:15:09
Last modified on : 10-02-2024 09:15:09

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ClickToTweet.Com Click To Tweet allows Stored XSS. This issue affects Click To Tweet: from n/a through 2.0.14.

CVE ID : CVE-2024-23514
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/click-to-tweet/wordpress-click-to-tweet-plugin-2-0-14-cross-site-scripting-xss-vulnerability-2?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-23516

First published on : 10-02-2024 09:15:09
Last modified on : 10-02-2024 09:15:09

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Calculators World CC BMI Calculator allows Stored XSS. This issue affects CC BMI Calculator: from n/a through 2.0.1.

CVE ID : CVE-2024-23516
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/cc-bmi-calculator/wordpress-cc-bmi-calculator-plugin-2-0-1-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-23517

First published on : 10-02-2024 09:15:09
Last modified on : 10-02-2024 09:15:09

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Start Booking Scheduling Plugin – Online Booking for WordPress allows Stored XSS. This issue affects Scheduling Plugin – Online Booking for WordPress: from n/a through 3.5.10.

CVE ID : CVE-2024-23517
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/calendar-booking/wordpress-scheduling-plugin-online-booking-for-wordpress-plugin-3-5-10-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-24717

First published on : 10-02-2024 08:15:08
Last modified on : 10-02-2024 08:15:08

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mark Kinchin Beds24 Online Booking allows Stored XSS. This issue affects Beds24 Online Booking: from n/a through 2.0.23.

CVE ID : CVE-2024-24717
Source : audit@patchstack.com
CVSS Score : 5.9

References :
https://patchstack.com/database/vulnerability/beds24-online-booking/wordpress-beds24-online-booking-plugin-2-0-23-admin-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Source : us.ibm.com

Vulnerability ID : CVE-2024-22313

First published on : 10-02-2024 16:15:08
Last modified on : 10-02-2024 16:15:08

Description :
IBM Storage Defender - Resiliency Service 2.0 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. IBM X-Force ID: 278749.

CVE ID : CVE-2024-22313
Source : psirt@us.ibm.com
CVSS Score : 6.2

References :
https://exchange.xforce.ibmcloud.com/vulnerabilities/278749 | source : psirt@us.ibm.com
https://www.ibm.com/support/pages/node/7115261 | source : psirt@us.ibm.com

Vulnerability : CWE-798


Vulnerability ID : CVE-2024-22361

First published on : 10-02-2024 15:15:35
Last modified on : 10-02-2024 15:15:35

Description :
IBM Semeru Runtime 8.0.302.0 through 8.0.392.0, 11.0.12.0 through 11.0.21.0, 17.0.1.0 - 17.0.9.0, and 21.0.1.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 281222.

CVE ID : CVE-2024-22361
Source : psirt@us.ibm.com
CVSS Score : 5.9

References :
https://exchange.xforce.ibmcloud.com/vulnerabilities/281222 | source : psirt@us.ibm.com
https://www.ibm.com/support/pages/node/7116431 | source : psirt@us.ibm.com

Vulnerability : CWE-327


Vulnerability ID : CVE-2024-22312

First published on : 10-02-2024 16:15:08
Last modified on : 10-02-2024 16:15:08

Description :
IBM Storage Defender - Resiliency Service 2.0 stores user credentials in plain clear text which can be read by a local user. IBM X-Force ID: 278748.

CVE ID : CVE-2024-22312
Source : psirt@us.ibm.com
CVSS Score : 4.4

References :
https://exchange.xforce.ibmcloud.com/vulnerabilities/278748 | source : psirt@us.ibm.com
https://www.ibm.com/support/pages/node/7115261 | source : psirt@us.ibm.com

Vulnerability : CWE-256


Source : wordfence.com

Vulnerability ID : CVE-2024-0596

First published on : 10-02-2024 07:15:08
Last modified on : 10-02-2024 07:15:08

Description :
The Awesome Support – WordPress HelpDesk & Support Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the editor_html() function in all versions up to, and including, 6.1.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to view password protected and draft posts.

CVE ID : CVE-2024-0596
Source : security@wordfence.com
CVSS Score : 5.3

References :
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3033134%40awesome-support&new=3033134%40awesome-support&sfp_email=&sfph_mail= | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/e4358e2a-b7f6-44b6-a38a-5b27cb15e1cd?source=cve | source : security@wordfence.com


Vulnerability ID : CVE-2024-0595

First published on : 10-02-2024 07:15:08
Last modified on : 10-02-2024 07:15:08

Description :
The Awesome Support – WordPress HelpDesk & Support Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wpas_get_users() function hooked via AJAX in all versions up to, and including, 6.1.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve user data such as emails.

CVE ID : CVE-2024-0595
Source : security@wordfence.com
CVSS Score : 4.3

References :
https://plugins.trac.wordpress.org/browser/awesome-support/trunk/includes/functions-user.php#L765 | source : security@wordfence.com
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3033134%40awesome-support&new=3033134%40awesome-support&sfp_email=&sfph_mail= | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/bfb77432-e58d-466e-a366-8b8d7f1b6982?source=cve | source : security@wordfence.com


Source : hcl.com

Vulnerability ID : CVE-2023-45698

First published on : 10-02-2024 04:15:07
Last modified on : 10-02-2024 04:15:07

Description :
Sametime is impacted by lack of clickjacking protection in Outlook add-in. The application is not implementing appropriate protections in order to protect users from clickjacking attacks.

CVE ID : CVE-2023-45698
Source : psirt@hcl.com
CVSS Score : 4.8

References :
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0109082 | source : psirt@hcl.com


Vulnerability ID : CVE-2023-45696

First published on : 10-02-2024 03:15:07
Last modified on : 10-02-2024 03:15:07

Description :
Sametime is impacted by sensitive fields with autocomplete enabled in the Legacy web chat client. By default, this allows user entered data to be stored by the browser.

CVE ID : CVE-2023-45696
Source : psirt@hcl.com
CVSS Score : 4.0

References :
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0109082 | source : psirt@hcl.com


Source : emc.com

Vulnerability ID : CVE-2023-28077

First published on : 10-02-2024 03:15:07
Last modified on : 10-02-2024 03:15:07

Description :
Dell BSAFE SSL-J, versions prior to 6.5, and versions 7.0 and 7.1 contain a debug message revealing unnecessary information vulnerability. This may lead to disclosing sensitive information to a locally privileged user.

CVE ID : CVE-2023-28077
Source : security_alert@emc.com
CVSS Score : 4.4

References :
https://www.dell.com/support/kbdoc/en-us/000214287/dsa-2023-156-dell-bsafe-ssl-j-7-1-1-security-update | source : security_alert@emc.com

Vulnerability : CWE-1295


Source : vuldb.com

Vulnerability ID : CVE-2024-1405

First published on : 10-02-2024 06:15:46
Last modified on : 10-02-2024 06:15:46

Description :
A vulnerability was found in Linksys WRT54GL 4.30.18. It has been classified as problematic. This affects an unknown part of the file /wlaninfo.htm of the component Web Management Interface. The manipulation leads to information disclosure. The exploit has been disclosed to the public and may be used. The identifier VDB-253329 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE ID : CVE-2024-1405
Source : cna@vuldb.com
CVSS Score : 4.3

References :
https://github.com/leetsun/Hints/tree/main/linksys-wrt54gl/2 | source : cna@vuldb.com
https://vuldb.com/?ctiid.253329 | source : cna@vuldb.com
https://vuldb.com/?id.253329 | source : cna@vuldb.com

Vulnerability : CWE-200


Vulnerability ID : CVE-2024-1406

First published on : 10-02-2024 08:15:07
Last modified on : 10-02-2024 08:15:07

Description :
A vulnerability was found in Linksys WRT54GL 4.30.18. It has been declared as problematic. This vulnerability affects unknown code of the file /SysInfo1.htm of the component Web Management Interface. The manipulation leads to information disclosure. The exploit has been disclosed to the public and may be used. VDB-253330 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE ID : CVE-2024-1406
Source : cna@vuldb.com
CVSS Score : 4.3

References :
https://github.com/leetsun/Hints/tree/main/linksys-wrt54gl/3 | source : cna@vuldb.com
https://vuldb.com/?ctiid.253330 | source : cna@vuldb.com
https://vuldb.com/?id.253330 | source : cna@vuldb.com

Vulnerability : CWE-200


(0) LOW VULNERABILITIES [0.1, 3.9]

(0) NO SCORE VULNERABILITIES [0.0, 0.0]

This website uses the NVD API, but is not approved or certified by it.

About the author
Julien B.

Securitricks

Up-to-Date Cybersecurity Insights & Malware Reports