Latest vulnerabilities [Thursday, February 01, 2024]

Latest vulnerabilities [Thursday, February 01, 2024]
{{titre}}

Last update performed on 02/01/2024 at 11:57:06 PM

(3) CRITICAL VULNERABILITIES [9.0, 10.0]

Source : github.com

Vulnerability ID : CVE-2024-24561

First published on : 01-02-2024 17:15:11
Last modified on : 01-02-2024 21:30:44

Description :
Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. In versions 0.3.10 and earlier, the bounds check for slices does not account for the ability for start + length to overflow when the values aren't literals. If a slice() function uses a non-literal argument for the start or length variable, this creates the ability for an attacker to overflow the bounds check. This issue can be used to do OOB access to storage, memory or calldata addresses. It can also be used to corrupt the length slot of the respective array.

CVE ID : CVE-2024-24561
Source : security-advisories@github.com
CVSS Score : 9.8

References :
https://github.com/vyperlang/vyper/blob/b01cd686aa567b32498fefd76bd96b0597c6f099/vyper/builtins/functions.py#L404-L457 | source : security-advisories@github.com
https://github.com/vyperlang/vyper/issues/3756 | source : security-advisories@github.com
https://github.com/vyperlang/vyper/security/advisories/GHSA-9x7f-gwxq-6f2c | source : security-advisories@github.com

Vulnerability : CWE-119


Vulnerability ID : CVE-2024-23832

First published on : 01-02-2024 17:15:10
Last modified on : 01-02-2024 21:30:44

Description :
Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for authentication. Due to insufficient origin validation in all Mastodon, attackers can impersonate and take over any remote account. Every Mastodon version prior to 3.5.17 is vulnerable, as well as 4.0.x versions prior to 4.0.13, 4.1.x version prior to 4.1.13, and 4.2.x versions prior to 4.2.5.

CVE ID : CVE-2024-23832
Source : security-advisories@github.com
CVSS Score : 9.4

References :
https://github.com/mastodon/mastodon/commit/1726085db5cd73dd30953da858f9887bcc90b958 | source : security-advisories@github.com
https://github.com/mastodon/mastodon/security/advisories/GHSA-3fjr-858r-92rw | source : security-advisories@github.com

Vulnerability : CWE-290


Source : hq.dhs.gov

Vulnerability ID : CVE-2024-1039

First published on : 01-02-2024 22:15:55
Last modified on : 01-02-2024 22:39:14

Description :
Gessler GmbH WEB-MASTER has a restoration account that uses weak hard coded credentials and if exploited could allow an attacker control over the web management of the device.

CVE ID : CVE-2024-1039
Source : ics-cert@hq.dhs.gov
CVSS Score : 9.8

References :
https://www.cisa.gov/news-events/ics-advisories/icsa-24-032-01 | source : ics-cert@hq.dhs.gov

Vulnerability : CWE-1391


(6) HIGH VULNERABILITIES [7.0, 8.9]

Source : 3ds.com

Vulnerability ID : CVE-2023-6078

First published on : 01-02-2024 14:15:55
Last modified on : 01-02-2024 21:30:44

Description :
An OS Command Injection vulnerability exists in BIOVIA Materials Studio products from Release BIOVIA 2021 through Release BIOVIA 2023. Upload of a specially crafted perl script can lead to arbitrary command execution.

CVE ID : CVE-2023-6078
Source : 3DS.Information-Security@3ds.com
CVSS Score : 8.8

References :
https://www.3ds.com/vulnerability/advisories | source : 3DS.Information-Security@3ds.com

Vulnerability : CWE-78


Source : github.com

Vulnerability ID : CVE-2024-24570

First published on : 01-02-2024 17:15:11
Last modified on : 01-02-2024 21:30:44

Description :
Statamic is a Laravel and Git powered CMS. HTML files crafted to look like jpg files are able to be uploaded, allowing for XSS. This affects the front-end forms with asset fields without any mime type validation, asset fields in the control panel, and asset browser in the control panel. Additionally, if the XSS is crafted in a specific way, the "copy password reset link" feature may be exploited to gain access to a user's password reset token and gain access to their account. The authorized user is required to execute the XSS in order for the vulnerability to occur. In versions 4.46.0 and 3.4.17, the XSS vulnerability has been patched, and the copy password reset link functionality has been disabled.

CVE ID : CVE-2024-24570
Source : security-advisories@github.com
CVSS Score : 8.2

References :
https://github.com/statamic/cms/security/advisories/GHSA-vqxq-hvxw-9mv9 | source : security-advisories@github.com

Vulnerability : CWE-79


Source : patchstack.com

Vulnerability ID : CVE-2024-21750

First published on : 01-02-2024 10:15:11
Last modified on : 01-02-2024 13:41:44

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Scribit Shortcodes Finder allows Reflected XSS.This issue affects Shortcodes Finder: from n/a through 1.5.5.

CVE ID : CVE-2024-21750
Source : audit@patchstack.com
CVSS Score : 7.1

References :
https://patchstack.com/database/vulnerability/shortcodes-finder/wordpress-shortcodes-finder-plugin-1-5-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2024-22148

First published on : 01-02-2024 10:15:12
Last modified on : 01-02-2024 13:41:44

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Smart Editor JoomUnited allows Reflected XSS.This issue affects JoomUnited: from n/a through 1.3.3.

CVE ID : CVE-2024-22148
Source : audit@patchstack.com
CVSS Score : 7.1

References :
https://patchstack.com/database/vulnerability/wp-smart-editor/wordpress-wp-smart-editor-plugin-1-3-3-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51540

First published on : 01-02-2024 11:15:10
Last modified on : 01-02-2024 13:41:44

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kunal Nagar Custom 404 Pro allows Stored XSS.This issue affects Custom 404 Pro: from n/a through 3.10.0.

CVE ID : CVE-2023-51540
Source : audit@patchstack.com
CVSS Score : 7.1

References :
https://patchstack.com/database/vulnerability/custom-404-pro/wordpress-custom-404-pro-plugin-3-10-0-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51509

First published on : 01-02-2024 12:15:53
Last modified on : 01-02-2024 13:41:44

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Metagauss RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login allows Reflected XSS.This issue affects RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login: from n/a through 5.2.4.1.

CVE ID : CVE-2023-51509
Source : audit@patchstack.com
CVSS Score : 7.1

References :
https://patchstack.com/database/vulnerability/custom-registration-form-builder-with-submission-manager/wordpress-registrationmagic-plugin-5-2-4-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


(43) MEDIUM VULNERABILITIES [4.0, 6.9]

Source : github.com

Vulnerability ID : CVE-2024-24557

First published on : 01-02-2024 17:15:10
Last modified on : 01-02-2024 21:30:44

Description :
Moby is an open-source project created by Docker to enable software containerization. The classic builder cache system is prone to cache poisoning if the image is built FROM scratch. Also, changes to some instructions (most important being HEALTHCHECK and ONBUILD) would not cause a cache miss. An attacker with the knowledge of the Dockerfile someone is using could poison their cache by making them pull a specially crafted image that would be considered as a valid cache candidate for some build steps. 23.0+ users are only affected if they explicitly opted out of Buildkit (DOCKER_BUILDKIT=0 environment variable) or are using the /build API endpoint. All users on versions older than 23.0 could be impacted. Image build API endpoint (/build) and ImageBuild function from github.com/docker/docker/client is also affected as it the uses classic builder by default. Patches are included in 24.0.9 and 25.0.2 releases.

CVE ID : CVE-2024-24557
Source : security-advisories@github.com
CVSS Score : 6.9

References :
https://github.com/moby/moby/commit/3e230cfdcc989dc524882f6579f9e0dac77400ae | source : security-advisories@github.com
https://github.com/moby/moby/security/advisories/GHSA-xw73-rw38-6vjc | source : security-advisories@github.com

Vulnerability : CWE-345
Vulnerability : CWE-346


Vulnerability ID : CVE-2024-24752

First published on : 01-02-2024 16:17:14
Last modified on : 01-02-2024 21:30:44

Description :
Bref enable serverless PHP on AWS Lambda. When Bref is used with the Event-Driven Function runtime and the handler is a `RequestHandlerInterface`, then the Lambda event is converted to a PSR7 object. During the conversion process, if the request is a MultiPart, each part is parsed and for each which contains a file, it is extracted and saved in `/tmp` with a random filename starting with `bref_upload_`. The flow mimics what plain PHP does but it does not delete the temporary files when the request has been processed. An attacker could fill the Lambda instance disk by performing multiple MultiPart requests containing files. This vulnerability is patched in 2.1.13.

CVE ID : CVE-2024-24752
Source : security-advisories@github.com
CVSS Score : 6.5

References :
https://github.com/brefphp/bref/commit/350788de12880b6fd64c4c318ba995388bec840e | source : security-advisories@github.com
https://github.com/brefphp/bref/security/advisories/GHSA-x4hh-frx8-98r5 | source : security-advisories@github.com

Vulnerability : CWE-400


Vulnerability ID : CVE-2024-23645

First published on : 01-02-2024 18:15:53
Last modified on : 01-02-2024 21:30:44

Description :
GLPI is a Free Asset and IT Management Software package. A malicious URL can be used to execute XSS on reports pages. Upgrade to 10.0.12.

CVE ID : CVE-2024-23645
Source : security-advisories@github.com
CVSS Score : 6.5

References :
https://github.com/glpi-project/glpi/commit/6cf265936c4f6edf7dea7c78b12e46d75b94d9b0 | source : security-advisories@github.com
https://github.com/glpi-project/glpi/commit/fc1f6da9d158933b870ff374ed3a50ae98dcef4a | source : security-advisories@github.com
https://github.com/glpi-project/glpi/releases/tag/10.0.12 | source : security-advisories@github.com
https://github.com/glpi-project/glpi/security/advisories/GHSA-2gj5-qpff-ff3x | source : security-advisories@github.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51446

First published on : 01-02-2024 18:15:53
Last modified on : 01-02-2024 21:30:44

Description :
GLPI is a Free Asset and IT Management Software package. When authentication is made against a LDAP, the authentication form can be used to perform LDAP injection. Upgrade to 10.0.12.

CVE ID : CVE-2023-51446
Source : security-advisories@github.com
CVSS Score : 5.9

References :
https://github.com/glpi-project/glpi/commit/58c67d78f2e3ad08264213e9aaf56eab3c9ded35 | source : security-advisories@github.com
https://github.com/glpi-project/glpi/releases/tag/10.0.12 | source : security-advisories@github.com
https://github.com/glpi-project/glpi/security/advisories/GHSA-p995-jmfv-c7r8 | source : security-advisories@github.com

Vulnerability : CWE-74
Vulnerability : CWE-90


Vulnerability ID : CVE-2024-24569

First published on : 01-02-2024 19:15:08
Last modified on : 01-02-2024 21:30:44

Description :
The Pixee Java Code Security Toolkit is a set of security APIs meant to help secure Java code. `ZipSecurity#isBelowCurrentDirectory` is vulnerable to a partial-path traversal bypass. To be vulnerable to the bypass, the application must use toolkit version <=1.1.1, use ZipSecurity as a guard against path traversal, and have an exploit path. Although the control still protects attackers from escaping the application path into higher level directories (e.g., /etc/), it will allow "escaping" into sibling paths. For example, if your running path is /my/app/path you an attacker could navigate into /my/app/path-something-else. This vulnerability is patched in 1.1.2.

CVE ID : CVE-2024-24569
Source : security-advisories@github.com
CVSS Score : 5.4

References :
https://github.com/pixee/java-security-toolkit/blob/7c8e93e6fb2420fb6003c54a741e267c4f883bab/src/main/java/io/github/pixee/security/ZipSecurity.java#L82-L87 | source : security-advisories@github.com
https://github.com/pixee/java-security-toolkit/commit/b885b03c9cfae53d62d239037f9654d973dd54d9 | source : security-advisories@github.com
https://github.com/pixee/java-security-toolkit/security/advisories/GHSA-qh4g-4m4w-jgv2 | source : security-advisories@github.com

Vulnerability : CWE-22


Vulnerability ID : CVE-2024-24753

First published on : 01-02-2024 16:17:14
Last modified on : 01-02-2024 21:30:44

Description :
Bref enable serverless PHP on AWS Lambda. When Bref is used in combination with an API Gateway with the v2 format, it does not handle multiple values headers. If PHP generates a response with two headers having the same key but different values only the latest one is kept. If an application relies on multiple headers with the same key being set for security reasons, then Bref would lower the application security. For example, if an application sets multiple `Content-Security-Policy` headers, then Bref would just reflect the latest one. This vulnerability is patched in 2.1.13.

CVE ID : CVE-2024-24753
Source : security-advisories@github.com
CVSS Score : 4.8

References :
https://github.com/brefphp/bref/commit/f834027aaf88b3885f4aa8edf6944ae920daf2dc | source : security-advisories@github.com
https://github.com/brefphp/bref/security/advisories/GHSA-99f9-gv72-fw9r | source : security-advisories@github.com

Vulnerability : CWE-436


Vulnerability ID : CVE-2024-24755

First published on : 01-02-2024 22:15:55
Last modified on : 01-02-2024 22:39:14

Description :
discourse-group-membership-ip-block is a discourse plugin that adds support for adding users to groups based on their IP address. discourse-group-membership-ip-block was sending all group custom fields to the client, including group custom fields from other plugins which may expect their custom fields to remain secret.

CVE ID : CVE-2024-24755
Source : security-advisories@github.com
CVSS Score : 4.3

References :
https://github.com/discourse/discourse-group-membership-ip-block/commit/b394d61b0bdfd18a2d8310aa5cf26cccf8bd31c1 | source : security-advisories@github.com
https://github.com/discourse/discourse-group-membership-ip-block/security/advisories/GHSA-r38c-cp8w-664m | source : security-advisories@github.com

Vulnerability : CWE-200


Source : emc.com

Vulnerability ID : CVE-2024-22449

First published on : 01-02-2024 10:15:12
Last modified on : 01-02-2024 13:41:44

Description :
Dell PowerScale OneFS versions 9.0.0.x through 9.6.0.x contains a missing authentication for critical function vulnerability. A low privileged local malicious user could potentially exploit this vulnerability to gain elevated access.

CVE ID : CVE-2024-22449
Source : security_alert@emc.com
CVSS Score : 6.6

References :
https://www.dell.com/support/kbdoc/en-us/000221707/dsa-2024-028-security-update-for-dell-powerscale-onefs-for-multiple-security-vulnerabilities | source : security_alert@emc.com

Vulnerability : CWE-306


Vulnerability ID : CVE-2024-22430

First published on : 01-02-2024 10:15:12
Last modified on : 01-02-2024 13:41:44

Description :
Dell PowerScale OneFS versions 8.2.x through 9.6.0.x contains an incorrect default permissions vulnerability. A local low privileges malicious user could potentially exploit this vulnerability, leading to denial of service.

CVE ID : CVE-2024-22430
Source : security_alert@emc.com
CVSS Score : 5.5

References :
https://www.dell.com/support/kbdoc/en-us/000221707/dsa-2024-028-security-update-for-dell-powerscale-onefs-for-multiple-security-vulnerabilities | source : security_alert@emc.com

Vulnerability : CWE-276


Source : patchstack.com

Vulnerability ID : CVE-2023-52175

First published on : 01-02-2024 10:15:08
Last modified on : 01-02-2024 13:41:44

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Michael Uno (miunosoft) Auto Amazon Links – Amazon Associates Affiliate Plugin allows Stored XSS.This issue affects Auto Amazon Links – Amazon Associates Affiliate Plugin: from n/a through 5.1.1.

CVE ID : CVE-2023-52175
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/amazon-auto-links/wordpress-auto-amazon-links-amazon-associates-affiliate-plugin-5-0-5-auth-stored-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-52188

First published on : 01-02-2024 10:15:09
Last modified on : 01-02-2024 13:41:44

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Russell Jamieson Footer Putter allows Stored XSS.This issue affects Footer Putter: from n/a through 1.17.

CVE ID : CVE-2023-52188
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/footer-putter/wordpress-footer-putter-plugin-1-17-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-52189

First published on : 01-02-2024 10:15:09
Last modified on : 01-02-2024 13:41:44

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jhayghost Ideal Interactive Map allows Stored XSS.This issue affects Ideal Interactive Map: from n/a through 1.2.4.

CVE ID : CVE-2023-52189
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/ideal-interactive-map/wordpress-ideal-interactive-map-plugin-1-2-4-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-52191

First published on : 01-02-2024 10:15:09
Last modified on : 01-02-2024 13:41:44

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Torbjon Infogram – Add charts, maps and infographics allows Stored XSS.This issue affects Infogram – Add charts, maps and infographics: from n/a through 1.6.1.

CVE ID : CVE-2023-52191
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/infogram/wordpress-infogram-plugin-1-6-1-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-52192

First published on : 01-02-2024 10:15:10
Last modified on : 01-02-2024 13:41:44

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Keap Keap Official Opt-in Forms allows Stored XSS.This issue affects Keap Official Opt-in Forms: from n/a through 1.0.11.

CVE ID : CVE-2023-52192
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/infusionsoft-official-opt-in-forms/wordpress-keap-official-opt-in-forms-plugin-1-0-11-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-52193

First published on : 01-02-2024 10:15:10
Last modified on : 01-02-2024 13:41:44

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Live Composer Team Page Builder: Live Composer allows Stored XSS.This issue affects Page Builder: Live Composer: from n/a through 1.5.23.

CVE ID : CVE-2023-52193
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/live-composer-page-builder/wordpress-page-builder-live-composer-plugin-1-5-23-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-52194

First published on : 01-02-2024 10:15:10
Last modified on : 01-02-2024 13:41:44

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Takayuki Miyauchi oEmbed Gist allows Stored XSS.This issue affects oEmbed Gist: from n/a through 4.9.1.

CVE ID : CVE-2023-52194
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/oembed-gist/wordpress-oembed-gist-plugin-4-9-1-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-52195

First published on : 01-02-2024 10:15:11
Last modified on : 01-02-2024 13:41:44

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Posts to Page Kerry James allows Stored XSS.This issue affects Kerry James: from n/a through 1.7.

CVE ID : CVE-2023-52195
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/posts-to-page/wordpress-posts-to-page-plugin-1-7-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51532

First published on : 01-02-2024 11:15:08
Last modified on : 01-02-2024 13:41:44

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Icegram Icegram Engage – WordPress Lead Generation, Popup Builder, CTA, Optins and Email List Building allows Stored XSS.This issue affects Icegram Engage – WordPress Lead Generation, Popup Builder, CTA, Optins and Email List Building: from n/a through 3.1.19.

CVE ID : CVE-2023-51532
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/icegram/wordpress-icegram-engage-plugin-3-1-19-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51666

First published on : 01-02-2024 11:15:10
Last modified on : 01-02-2024 13:41:44

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PickPlugins Related Post allows Stored XSS.This issue affects Related Post: from n/a through 2.0.53.

CVE ID : CVE-2023-51666
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/related-post/wordpress-related-post-plugin-2-0-53-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51669

First published on : 01-02-2024 11:15:10
Last modified on : 01-02-2024 13:41:44

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Artios Media Product Code for WooCommerce allows Stored XSS.This issue affects Product Code for WooCommerce: from n/a through 1.4.4.

CVE ID : CVE-2023-51669
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/product-code-for-woocommerce/wordpress-product-code-for-woocommerce-plugin-1-4-4-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51674

First published on : 01-02-2024 11:15:10
Last modified on : 01-02-2024 13:41:44

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AAM Advanced Access Manager – Restricted Content, Users & Roles, Enhanced Security and More allows Stored XSS.This issue affects Advanced Access Manager – Restricted Content, Users & Roles, Enhanced Security and More: from n/a through 6.9.18.

CVE ID : CVE-2023-51674
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/advanced-access-manager/wordpress-advanced-access-manager-plugin-6-9-18-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51677

First published on : 01-02-2024 11:15:11
Last modified on : 01-02-2024 13:41:44

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Magazine3 Schema & Structured Data for WP & AMP allows Stored XSS.This issue affects Schema & Structured Data for WP & AMP: from n/a through 1.23.

CVE ID : CVE-2023-51677
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/schema-and-structured-data-for-wp/wordpress-schema-structured-data-for-wp-amp-plugin-1-23-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51684

First published on : 01-02-2024 11:15:11
Last modified on : 01-02-2024 13:41:44

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Easy Digital Downloads Easy Digital Downloads – Sell Digital Files (eCommerce Store & Payments Made Easy) allows Stored XSS.This issue affects Easy Digital Downloads – Sell Digital Files (eCommerce Store & Payments Made Easy): from n/a through 3.2.5.

CVE ID : CVE-2023-51684
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/easy-digital-downloads/wordpress-easy-digital-downloads-plugin-3-2-5-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51689

First published on : 01-02-2024 11:15:11
Last modified on : 01-02-2024 13:41:44

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in naa986 Easy Video Player allows Stored XSS.This issue affects Easy Video Player: from n/a through 1.2.2.10.

CVE ID : CVE-2023-51689
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/easy-video-player/wordpress-easy-video-player-plugin-1-2-2-10-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51690

First published on : 01-02-2024 11:15:11
Last modified on : 01-02-2024 13:41:44

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Advanced iFrame allows Stored XSS.This issue affects Advanced iFrame: from n/a through 2023.8.

CVE ID : CVE-2023-51690
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/advanced-iframe/wordpress-advanced-iframe-plugin-2023-8-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51693

First published on : 01-02-2024 11:15:12
Last modified on : 01-02-2024 13:41:44

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themify Icons allows Stored XSS.This issue affects Themify Icons: from n/a through 2.0.1.

CVE ID : CVE-2023-51693
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/themify-icons/wordpress-themify-icons-plugin-2-0-1-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51694

First published on : 01-02-2024 11:15:12
Last modified on : 01-02-2024 13:41:44

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Epiphyt Embed Privacy allows Stored XSS.This issue affects Embed Privacy: from n/a through 1.8.0.

CVE ID : CVE-2023-51694
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/embed-privacy/wordpress-embed-privacy-plugin-1-8-0-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-52118

First published on : 01-02-2024 11:15:12
Last modified on : 01-02-2024 13:41:44

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Event Manager WP User Profile Avatar allows Stored XSS.This issue affects WP User Profile Avatar: from n/a through 1.0.

CVE ID : CVE-2023-52118
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/wp-user-profile-avatar/wordpress-wp-user-profile-avatar-plugin-1-0-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51514

First published on : 01-02-2024 12:15:53
Last modified on : 01-02-2024 13:41:44

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Codeboxr Team CBX Bookmark & Favorite allows Stored XSS.This issue affects CBX Bookmark & Favorite: from n/a through 1.7.13.

CVE ID : CVE-2023-51514
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/cbxwpbookmark/wordpress-cbx-bookmark-favorite-plugin-1-7-13-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51520

First published on : 01-02-2024 12:15:54
Last modified on : 01-02-2024 13:41:44

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPdevelop / Oplugins WP Booking Calendar allows Stored XSS.This issue affects WP Booking Calendar: from n/a before 9.7.4.

CVE ID : CVE-2023-51520
Source : audit@patchstack.com
CVSS Score : 6.5

References :
https://patchstack.com/database/vulnerability/booking/wordpress-booking-calendar-plugin-9-7-4-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51534

First published on : 01-02-2024 11:15:09
Last modified on : 01-02-2024 13:41:44

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brave Brave – Create Popup, Optins, Lead Generation, Survey, Sticky Elements & Interactive Content allows Stored XSS.This issue affects Brave – Create Popup, Optins, Lead Generation, Survey, Sticky Elements & Interactive Content: from n/a through 0.6.2.

CVE ID : CVE-2023-51534
Source : audit@patchstack.com
CVSS Score : 5.9

References :
https://patchstack.com/database/vulnerability/brave-popup-builder/wordpress-brave-popup-plugin-0-6-2-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51536

First published on : 01-02-2024 11:15:09
Last modified on : 01-02-2024 13:41:44

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CRM Perks CRM Perks Forms – WordPress Form Builder allows Stored XSS.This issue affects CRM Perks Forms – WordPress Form Builder: from n/a through 1.1.2.

CVE ID : CVE-2023-51536
Source : audit@patchstack.com
CVSS Score : 5.9

References :
https://patchstack.com/database/vulnerability/crm-perks-forms/wordpress-crm-perks-forms-plugin-1-1-2-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51548

First published on : 01-02-2024 11:15:10
Last modified on : 01-02-2024 13:41:44

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Neil Gee SlickNav Mobile Menu allows Stored XSS.This issue affects SlickNav Mobile Menu: from n/a through 1.9.2.

CVE ID : CVE-2023-51548
Source : audit@patchstack.com
CVSS Score : 5.9

References :
https://patchstack.com/database/vulnerability/slicknav-mobile-menu/wordpress-slicknav-mobile-menu-plugin-1-9-2-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51685

First published on : 01-02-2024 11:15:11
Last modified on : 01-02-2024 13:41:44

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LJ Apps WP Review Slider allows Stored XSS.This issue affects WP Review Slider: from n/a through 12.7.

CVE ID : CVE-2023-51685
Source : audit@patchstack.com
CVSS Score : 5.9

References :
https://patchstack.com/database/vulnerability/wp-facebook-reviews/wordpress-wp-review-slider-plugin-12-7-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51691

First published on : 01-02-2024 11:15:12
Last modified on : 01-02-2024 13:41:44

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gVectors Team Comments – wpDiscuz allows Stored XSS.This issue affects Comments – wpDiscuz: from n/a through 7.6.12.

CVE ID : CVE-2023-51691
Source : audit@patchstack.com
CVSS Score : 5.9

References :
https://patchstack.com/database/vulnerability/wpdiscuz/wordpress-wpdiscuz-plugin-7-6-12-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51695

First published on : 01-02-2024 11:15:12
Last modified on : 01-02-2024 13:41:44

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPEverest Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease! allows Stored XSS.This issue affects Everest Forms – Build Contact Forms, Surveys, Polls, Application Forms, and more with Ease!: from n/a through 2.0.4.1.

CVE ID : CVE-2023-51695
Source : audit@patchstack.com
CVSS Score : 5.9

References :
https://patchstack.com/database/vulnerability/everest-forms/wordpress-everest-forms-plugin-2-0-4-1-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Vulnerability ID : CVE-2023-51506

First published on : 01-02-2024 12:15:53
Last modified on : 01-02-2024 13:41:44

Description :
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in realmag777 WPCS – WordPress Currency Switcher Professional allows Stored XSS.This issue affects WPCS – WordPress Currency Switcher Professional: from n/a through 1.2.0.

CVE ID : CVE-2023-51506
Source : audit@patchstack.com
CVSS Score : 5.5

References :
https://patchstack.com/database/vulnerability/currency-switcher/wordpress-wpcs-plugin-1-2-0-cross-site-scripting-xss-vulnerability?_s_id=cve | source : audit@patchstack.com

Vulnerability : CWE-79


Source : wordfence.com

Vulnerability ID : CVE-2023-7069

First published on : 01-02-2024 04:15:49
Last modified on : 01-02-2024 13:41:44

Description :
The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'advanced_iframe' shortcode in all versions up to, and including, 2023.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE ID : CVE-2023-7069
Source : security@wordfence.com
CVSS Score : 6.4

References :
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3027702%40advanced-iframe&new=3027702%40advanced-iframe&sfp_email=&sfph_mail= | source : security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/2e32c51d-2d96-4545-956f-64f65c54b33b?source=cve | source : security@wordfence.com


Source : redhat.com

Vulnerability ID : CVE-2024-1141

First published on : 01-02-2024 15:15:08
Last modified on : 01-02-2024 21:30:44

Description :
A vulnerability was found in python-glance-store. The issue occurs when the package logs the access_key for the glance-store when the DEBUG log level is enabled.

CVE ID : CVE-2024-1141
Source : secalert@redhat.com
CVSS Score : 5.5

References :
https://access.redhat.com/security/cve/CVE-2024-1141 | source : secalert@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2258836 | source : secalert@redhat.com

Vulnerability : CWE-779


Source : hq.dhs.gov

Vulnerability ID : CVE-2024-1167

First published on : 01-02-2024 18:15:53
Last modified on : 01-02-2024 21:30:44

Description :
When SEW-EURODRIVE MOVITOOLS MotionStudio processes XML information unrestricted file access can occur.

CVE ID : CVE-2024-1167
Source : ics-cert@hq.dhs.gov
CVSS Score : 5.5

References :
https://www.cisa.gov/news-events/ics-advisories/icsa-24-016-01 | source : ics-cert@hq.dhs.gov
https://www.seweurodrive.com/contact_us/contact_us.html | source : ics-cert@hq.dhs.gov

Vulnerability : CWE-611


Vulnerability ID : CVE-2024-1040

First published on : 01-02-2024 22:15:55
Last modified on : 01-02-2024 22:39:14

Description :
Gessler GmbH WEB-MASTER user account is stored using a weak hashing algorithm. The attacker can restore the passwords by breaking the hashes stored on the device.

CVE ID : CVE-2024-1040
Source : ics-cert@hq.dhs.gov
CVSS Score : 4.4

References :
https://www.cisa.gov/news-events/ics-advisories/icsa-24-032-01 | source : ics-cert@hq.dhs.gov

Vulnerability : CWE-328


Source : hashicorp.com

Vulnerability ID : CVE-2024-0831

First published on : 01-02-2024 02:15:46
Last modified on : 01-02-2024 16:17:14

Description :
Vault and Vault Enterprise (β€œVault”) may expose sensitive information when enabling an audit device which specifies the `log_raw` option, which may log sensitive information to other audit devices, regardless of whether they are configured to use `log_raw`.

CVE ID : CVE-2024-0831
Source : security@hashicorp.com
CVSS Score : 4.5

References :
https://developer.hashicorp.com/vault/docs/upgrading/upgrade-to-1.15.x#audit-devices-could-log-raw-data-despite-configuration | source : security@hashicorp.com
https://discuss.hashicorp.com/t/hcsec-2024-01-vault-may-expose-sensitive-information-when-configuring-an-audit-log-device/62311 | source : security@hashicorp.com

Vulnerability : CWE-532


Source : 3ds.com

Vulnerability ID : CVE-2024-0935

First published on : 01-02-2024 14:15:56
Last modified on : 01-02-2024 21:30:44

Description :
An insertion of Sensitive Information into Log File vulnerability is affecting DELMIA Apriso Release 2019 through Release 2024

CVE ID : CVE-2024-0935
Source : 3DS.Information-Security@3ds.com
CVSS Score : 4.4

References :
https://www.3ds.com/vulnerability/advisories | source : 3DS.Information-Security@3ds.com

Vulnerability : CWE-532


(2) LOW VULNERABILITIES [0.1, 3.9]

Source : github.com

Vulnerability ID : CVE-2024-24754

First published on : 01-02-2024 16:17:14
Last modified on : 01-02-2024 21:30:44

Description :
Bref enable serverless PHP on AWS Lambda. When Bref is used with the Event-Driven Function runtime and the handler is a `RequestHandlerInterface`, then the Lambda event is converted to a PSR7 object. During the conversion process, if the request is a MultiPart, each part is parsed and its content added in the `$files` or `$parsedBody` arrays. The conversion process produces a different output compared to the one of plain PHP when keys ending with and open square bracket ([) are used. Based on the application logic the difference in the body parsing might lead to vulnerabilities and/or undefined behaviors. This vulnerability is patched in 2.1.13.

CVE ID : CVE-2024-24754
Source : security-advisories@github.com
CVSS Score : 3.7

References :
https://github.com/brefphp/bref/commit/c77d9f5abf021f29fa96b5720b7b84adbd199092 | source : security-advisories@github.com
https://github.com/brefphp/bref/security/advisories/GHSA-82vx-mm6r-gg8w | source : security-advisories@github.com

Vulnerability : CWE-436


Source : puppet.com

Vulnerability ID : CVE-2024-0325

First published on : 01-02-2024 22:15:55
Last modified on : 01-02-2024 22:39:14

Description :
In Helix Sync versions prior to 2024.1, a local command injection was identified. Reported by Bryan Riggins.

CVE ID : CVE-2024-0325
Source : security@puppet.com
CVSS Score : 3.6

References :
https://perforce.com | source : security@puppet.com

Vulnerability : CWE-94


(16) NO SCORE VULNERABILITIES [0.0, 0.0]

Source : jpcert.or.jp

Vulnerability ID : CVE-2024-23941

First published on : 01-02-2024 04:15:49
Last modified on : 01-02-2024 13:41:44

Description :
Cross-site scripting vulnerability exists in Group Office prior to v6.6.182, prior to v6.7.64 and prior to v6.8.31, which may allow a remote authenticated attacker to execute an arbitrary script on the web browser of the user who is logging in to the product.

CVE ID : CVE-2024-23941
Source : vultures@jpcert.or.jp
CVSS Score : /

References :
https://github.com/Intermesh/groupoffice/ | source : vultures@jpcert.or.jp
https://jvn.jp/en/jp/JVN63567545/ | source : vultures@jpcert.or.jp
https://www.group-office.com/ | source : vultures@jpcert.or.jp


Vulnerability ID : CVE-2024-24548

First published on : 01-02-2024 07:15:09
Last modified on : 01-02-2024 13:41:44

Description :
Payment EX Ver1.1.5b and earlier allows a remote unauthenticated attacker to obtain the information of the user who purchases merchandise using Payment EX.

CVE ID : CVE-2024-24548
Source : vultures@jpcert.or.jp
CVSS Score : /

References :
https://jvn.jp/en/jp/JVN41129639/ | source : vultures@jpcert.or.jp


Source : mitre.org

Vulnerability ID : CVE-2023-51939

First published on : 01-02-2024 07:15:08
Last modified on : 01-02-2024 13:41:44

Description :
An issue in the cp_bbs_sig function in relic/src/cp/relic_cp_bbs.c of Relic relic-toolkit 0.6.0 allows a remote attacker to obtain sensitive information and escalate privileges via the cp_bbs_sig function.

CVE ID : CVE-2023-51939
Source : cve@mitre.org
CVSS Score : /

References :
https://gist.github.com/liang-junkai/1b59487c0f7002fa5da98035b53e409f | source : cve@mitre.org
https://github.com/liang-junkai/Relic-bbs-fault-injection | source : cve@mitre.org
https://github.com/relic-toolkit/relic/issues/284 | source : cve@mitre.org


Vulnerability ID : CVE-2024-22859

First published on : 01-02-2024 07:15:08
Last modified on : 01-02-2024 13:41:44

Description :
Cross-Site Request Forgery (CSRF) vulnerability in livewire before v3.0.4, allows remote attackers to execute arbitrary code getCsrfToken function.

CVE ID : CVE-2024-22859
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/livewire/livewire/commit/5d887316f2aaf83c0e380ac5e72766f19700fa3b | source : cve@mitre.org


Vulnerability ID : CVE-2023-37621

First published on : 01-02-2024 09:15:56
Last modified on : 01-02-2024 13:41:44

Description :
An issue in Fronius Datalogger Web v.2.0.5-4, allows remote attackers to obtain sensitive information via a crafted request.

CVE ID : CVE-2023-37621
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/MY0723/CNVD-2022-27366__CVE-2023-37621 | source : cve@mitre.org


Vulnerability ID : CVE-2024-24059

First published on : 01-02-2024 14:15:56
Last modified on : 01-02-2024 18:52:12

Description :
springboot-manager v1.6 is vulnerable to Arbitrary File Upload. The system does not filter the suffixes of uploaded files.

CVE ID : CVE-2024-24059
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/By-Yexing/Vulnerability_JAVA/blob/main/2024/springboot-manager.md#2-file-upload-vulnerability | source : cve@mitre.org


Vulnerability ID : CVE-2024-24060

First published on : 01-02-2024 14:15:56
Last modified on : 01-02-2024 18:52:09

Description :
springboot-manager v1.6 is vulnerable to Cross Site Scripting (XSS) via /sys/user.

CVE ID : CVE-2024-24060
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/By-Yexing/Vulnerability_JAVA/blob/main/2024/springboot-manager.md#11-stored-cross-site-scripting-sysuser | source : cve@mitre.org


Vulnerability ID : CVE-2024-24061

First published on : 01-02-2024 14:15:56
Last modified on : 01-02-2024 18:52:07

Description :
springboot-manager v1.6 is vulnerable to Cross Site Scripting (XSS) via /sysContent/add.

CVE ID : CVE-2024-24061
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/By-Yexing/Vulnerability_JAVA/blob/main/2024/springboot-manager.md#13-stored-cross-site-scripting-syscontentadd | source : cve@mitre.org


Vulnerability ID : CVE-2024-24062

First published on : 01-02-2024 14:15:56
Last modified on : 01-02-2024 18:52:05

Description :
springboot-manager v1.6 is vulnerable to Cross Site Scripting (XSS) via /sys/role.

CVE ID : CVE-2024-24062
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/By-Yexing/Vulnerability_JAVA/blob/main/2024/springboot-manager.md#12-stored-cross-site-scripting-sysrole | source : cve@mitre.org


Vulnerability ID : CVE-2024-24041

First published on : 01-02-2024 20:50:05
Last modified on : 01-02-2024 21:30:44

Description :
A stored cross-site scripting (XSS) vulnerability in Travel Journal Using PHP and MySQL with Source Code v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the location parameter at /travel-journal/write-journal.php.

CVE ID : CVE-2024-24041
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/tubakvgc/CVE/blob/main/Travel_Journal_App.md | source : cve@mitre.org
https://portswigger.net/web-security/cross-site-scripting | source : cve@mitre.org


Vulnerability ID : CVE-2024-24945

First published on : 01-02-2024 20:50:06
Last modified on : 01-02-2024 21:30:44

Description :
A stored cross-site scripting (XSS) vulnerability in Travel Journal Using PHP and MySQL with Source Code v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Share Your Moments parameter at /travel-journal/write-journal.php.

CVE ID : CVE-2024-24945
Source : cve@mitre.org
CVSS Score : /

References :
https://github.com/tubakvgc/CVE/blob/main/Travel_Journal_App.md | source : cve@mitre.org
https://portswigger.net/web-security/cross-site-scripting | source : cve@mitre.org


Vulnerability ID : CVE-2023-47256

First published on : 01-02-2024 22:15:55
Last modified on : 01-02-2024 22:39:14

Description :
ConnectWise ScreenConnect through 23.8.4 allows local users to connect to arbitrary relay servers via implicit trust of proxy settings

CVE ID : CVE-2023-47256
Source : cve@mitre.org
CVSS Score : /

References :
https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.8-security-fix | source : cve@mitre.org


Vulnerability ID : CVE-2023-47257

First published on : 01-02-2024 22:15:55
Last modified on : 01-02-2024 22:39:14

Description :
ConnectWise ScreenConnect through 23.8.4 allows man-in-the-middle attackers to achieve remote code execution via crafted messages.

CVE ID : CVE-2023-47257
Source : cve@mitre.org
CVSS Score : /

References :
https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.8-security-fix | source : cve@mitre.org


Source : wordfence.com

Vulnerability ID : CVE-2024-0704

First published on : 01-02-2024 15:15:08
Last modified on : 01-02-2024 15:15:08

Description :
Rejected reason: very low impact - impractical to correct

CVE ID : CVE-2024-0704
Source : security@wordfence.com
CVSS Score : /

References :


Source : takeonme.org

Vulnerability ID : CVE-2023-5841

First published on : 01-02-2024 19:15:08
Last modified on : 01-02-2024 21:30:44

Description :
Due to a failure in validating the number of scanline samples of a OpenEXR file containing deep scanline data, Academy Software Foundation OpenEX image parsing library version 3.2.1 and prior is susceptible to a heap-based buffer overflow vulnerability.

CVE ID : CVE-2023-5841
Source : cve@takeonme.org
CVSS Score : /

References :
https://takeonme.org/cves/CVE-2023-5841.html | source : cve@takeonme.org

Vulnerability : CWE-122


Source : google.com

Vulnerability ID : CVE-2023-4472

First published on : 01-02-2024 22:15:55
Last modified on : 01-02-2024 22:39:14

Description :
Objectplanet Opinio version 7.22 and prior uses a cryptographically weak pseudo-random number generator (PRNG) coupled to a predictable seed, which could lead to an unauthenticated account takeover of any user on the application.

CVE ID : CVE-2023-4472
Source : mandiant-cve@google.com
CVSS Score : /

References :
https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2024/MNDT-2024-0002.md | source : mandiant-cve@google.com
https://www.objectplanet.com/opinio/changelog.html | source : mandiant-cve@google.com

Vulnerability : CWE-335


This website uses the NVD API, but is not approved or certified by it.

About the author
Julien B.

Securitricks

Up-to-Date Cybersecurity Insights & Malware Reports

Securitricks

Great! You’ve successfully signed up.

Welcome back! You've successfully signed in.

You've successfully subscribed to Securitricks.

Success! Check your email for magic link to sign-in.

Success! Your billing info has been updated.

Your billing was not updated.