Patch Tuesday — March 2024
2024-03-12 · 706 CVEs
CVEs published or modified the week of 2024-03-12, partitioned by vendor.
Microsoft (70 CVEs)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-21334 | Critical | 9.8 | — | 2024-03-12 | Open Management Infrastructure (OMI) Remote Code Execution Vulnerability |
CVE-2024-21400 | Critical | 9.0 | — | 2024-03-12 | Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability |
CVE-2024-26198 | High | 8.8 | — | 2024-03-12 | Microsoft Exchange Server Remote Code Execution Vulnerability |
CVE-2024-26166 | High | 8.8 | — | 2024-03-12 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability |
CVE-2024-26165 | High | 8.8 | — | 2024-03-12 | Visual Studio Code Elevation of Privilege Vulnerability |
CVE-2024-26164 | High | 8.8 | — | 2024-03-12 | Microsoft Django Backend for SQL Server Remote Code Execution Vulnerability |
CVE-2024-26162 | High | 8.8 | — | 2024-03-12 | Microsoft ODBC Driver Remote Code Execution Vulnerability |
CVE-2024-26161 | High | 8.8 | — | 2024-03-12 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability |
CVE-2024-26159 | High | 8.8 | — | 2024-03-12 | Microsoft ODBC Driver Remote Code Execution Vulnerability |
CVE-2024-21451 | High | 8.8 | — | 2024-03-12 | Microsoft ODBC Driver Remote Code Execution Vulnerability |
CVE-2024-21450 | High | 8.8 | — | 2024-03-12 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability |
CVE-2024-21444 | High | 8.8 | — | 2024-03-12 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability |
CVE-2024-21441 | High | 8.8 | — | 2024-03-12 | Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability |
CVE-2024-21440 | High | 8.8 | — | 2024-03-12 | Microsoft ODBC Driver Remote Code Execution Vulnerability |
CVE-2024-21435 | High | 8.8 | — | 2024-03-12 | Windows OLE Remote Code Execution Vulnerability |
CVE-2024-21411 | High | 8.8 | — | 2024-03-12 | Skype for Consumer Remote Code Execution Vulnerability |
CVE-2024-0670 | High | 8.8 | — | 2024-03-11 | Privilege escalation in windows agent plugin in Checkmk before 2.2.0p23, 2.1.0p40 and 2.0.0 (EOL) allows local user to escalate privileges |
CVE-2024-1222 | High | 8.6 | — | 2024-03-14 | This allows attackers to use a maliciously formed API request to gain access to an API authorization level with elevated privileges. |
CVE-2020-11862 | High | 8.6 | — | 2024-03-13 | Allocation of Resources Without Limits or Throttling vulnerability in OpenText NetIQ Privileged Account Manager on Linux, Windows, 64 bit allows Flooding. This issue affects NetIQ Privileged Account Manager: before 3.7.0.2. |
CVE-2024-21407 | High | 8.1 | — | 2024-03-12 | Windows Hyper-V Remote Code Execution Vulnerability |
CVE-2024-26199 | High | 7.8 | — | 2024-03-12 | Microsoft Office Elevation of Privilege Vulnerability |
CVE-2024-26182 | High | 7.8 | — | 2024-03-12 | Windows Kernel Elevation of Privilege Vulnerability |
CVE-2024-26178 | High | 7.8 | — | 2024-03-12 | Windows Kernel Elevation of Privilege Vulnerability |
CVE-2024-26176 | High | 7.8 | — | 2024-03-12 | Windows Kernel Elevation of Privilege Vulnerability |
CVE-2024-26173 | High | 7.8 | — | 2024-03-12 | Windows Kernel Elevation of Privilege Vulnerability |
CVE-2024-26170 | High | 7.8 | — | 2024-03-12 | Windows Composite Image File System (CimFS) Elevation of Privilege Vulnerability |
CVE-2024-26169 | High | 7.8 | KEV | 2024-03-12 | Windows Error Reporting Service Elevation of Privilege Vulnerability |
CVE-2024-21446 | High | 7.8 | — | 2024-03-12 | NTFS Elevation of Privilege Vulnerability |
CVE-2024-21442 | High | 7.8 | — | 2024-03-12 | Windows USB Print Driver Elevation of Privilege Vulnerability |
CVE-2024-21437 | High | 7.8 | — | 2024-03-12 | Windows Graphics Component Elevation of Privilege Vulnerability |
CVE-2024-21436 | High | 7.8 | — | 2024-03-12 | Windows Installer Elevation of Privilege Vulnerability |
CVE-2024-21434 | High | 7.8 | — | 2024-03-12 | Microsoft Windows SCSI Class System File Elevation of Privilege Vulnerability |
CVE-2024-21431 | High | 7.8 | — | 2024-03-12 | Hypervisor-Protected Code Integrity (HVCI) Security Feature Bypass Vulnerability |
CVE-2024-21426 | High | 7.8 | — | 2024-03-12 | Microsoft SharePoint Server Remote Code Execution Vulnerability |
CVE-2024-21418 | High | 7.8 | — | 2024-03-12 | Software for Open Networking in the Cloud (SONiC) Elevation of Privilege Vulnerability |
CVE-2024-21330 | High | 7.8 | — | 2024-03-12 | Open Management Infrastructure (OMI) Elevation of Privilege Vulnerability |
CVE-2024-21419 | High | 7.6 | — | 2024-03-12 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability |
CVE-2024-26204 | High | 7.5 | — | 2024-03-12 | Outlook for Android Information Disclosure Vulnerability |
CVE-2024-26190 | High | 7.5 | — | 2024-03-12 | Microsoft QUIC Denial of Service Vulnerability |
CVE-2024-21438 | High | 7.5 | — | 2024-03-12 | Microsoft AllJoyn API Denial of Service Vulnerability |
CVE-2024-21427 | High | 7.5 | — | 2024-03-12 | Windows Kerberos Security Feature Bypass Vulnerability |
CVE-2024-21421 | High | 7.5 | — | 2024-03-12 | Azure SDK Spoofing Vulnerability |
CVE-2024-21392 | High | 7.5 | — | 2024-03-12 | .NET and Visual Studio Denial of Service Vulnerability |
CVE-2024-26203 | High | 7.3 | — | 2024-03-12 | Azure Data Studio Elevation of Privilege Vulnerability |
CVE-2024-21443 | High | 7.3 | — | 2024-03-12 | Windows Kernel Elevation of Privilege Vulnerability |
CVE-2024-1882 | High | 7.2 | — | 2024-03-14 | This vulnerability allows an already authenticated admin user to create a malicious payload that could be leveraged for remote code execution on the server hosting the PaperCut NG/MF application server. |
CVE-2024-1654 | High | 7.2 | — | 2024-03-14 | This vulnerability potentially allows unauthorized write operations which may lead to remote code execution. |
CVE-2024-21390 | High | 7.1 | — | 2024-03-12 | Microsoft Authenticator Elevation of Privilege Vulnerability |
CVE-2024-21445 | High | 7.0 | — | 2024-03-12 | Windows USB Print Driver Elevation of Privilege Vulnerability |
CVE-2024-21439 | High | 7.0 | — | 2024-03-12 | Windows Telephony Server Elevation of Privilege Vulnerability |
CVE-2024-21433 | High | 7.0 | — | 2024-03-12 | Windows Print Spooler Elevation of Privilege Vulnerability |
CVE-2024-21432 | High | 7.0 | — | 2024-03-12 | Windows Update Stack Elevation of Privilege Vulnerability |
CVE-2024-21429 | Medium | 6.8 | — | 2024-03-12 | Windows USB Hub Driver Remote Code Execution Vulnerability |
CVE-2024-26201 | Medium | 6.6 | — | 2024-03-12 | Microsoft Intune Linux Agent Elevation of Privilege Vulnerability |
CVE-2024-1884 | Medium | 6.5 | — | 2024-03-14 | This is a Server-Side Request Forgery (SSRF) vulnerability in the PaperCut NG/MF server-side module that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing. |
CVE-2024-26197 | Medium | 6.5 | — | 2024-03-12 | Windows Standards-Based Storage Management Service Denial of Service Vulnerability |
CVE-2024-26185 | Medium | 6.5 | — | 2024-03-12 | Windows Compressed Folder Tampering Vulnerability |
CVE-2024-1883 | Medium | 6.3 | — | 2024-03-14 | This is a reflected cross site scripting vulnerability in the PaperCut NG/MF application server. |
CVE-2024-21430 | Medium | 5.7 | — | 2024-03-12 | Windows USB Attached SCSI (UAS) Protocol Remote Code Execution Vulnerability |
CVE-2024-26181 | Medium | 5.5 | — | 2024-03-12 | Windows Kernel Denial of Service Vulnerability |
CVE-2024-26177 | Medium | 5.5 | — | 2024-03-12 | Windows Kernel Information Disclosure Vulnerability |
CVE-2024-26174 | Medium | 5.5 | — | 2024-03-12 | Windows Kernel Information Disclosure Vulnerability |
CVE-2024-26160 | Medium | 5.5 | — | 2024-03-12 | Windows Cloud Files Mini Filter Driver Information Disclosure Vulnerability |
CVE-2024-21408 | Medium | 5.5 | — | 2024-03-12 | Windows Hyper-V Denial of Service Vulnerability |
CVE-2024-20671 | Medium | 5.5 | — | 2024-03-12 | Microsoft Defender Security Feature Bypass Vulnerability |
CVE-2024-21448 | Medium | 5.0 | — | 2024-03-12 | Microsoft Teams for Android Information Disclosure Vulnerability |
CVE-2024-1223 | Medium | 4.8 | — | 2024-03-14 | This vulnerability potentially allows unauthorized enumeration of information from the embedded device APIs. |
CVE-2024-26163 | Medium | 4.7 | — | 2024-03-14 | Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability |
CVE-2024-27265 | Medium | 4.5 | — | 2024-03-14 | IBM Integration Bus for z/OS 10.1 through 10.1.0.3 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. |
CVE-2024-26246 | Low | 3.9 | — | 2024-03-14 | Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability |
Other vendors (636 CVEs across 245 vendors)
Google · 57 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-27228 | Critical | 9.8 | — | 2024-03-11 | there is a possible out of bounds write due to a heap buffer overflow. |
CVE-2024-27227 | Critical | 9.8 | — | 2024-03-11 | A malicious DNS response can trigger a number of OOB reads, writes, and other memory issues |
CVE-2024-0039 | Critical | 9.8 | — | 2024-03-11 | In attp_build_value_cmd of att_protocol.cc, there is a possible out of bounds write due to a missing bounds check. |
CVE-2024-27207 | Critical | 9.1 | — | 2024-03-11 | Exported broadcast receivers allowing malicious apps to bypass broadcast protection. |
CVE-2024-23717 | High | 8.8 | — | 2024-03-11 | In access_secure_service_from_temp_bond of btm_sec.cc, there is a possible way to achieve keystroke injection due to improper input validation. |
CVE-2024-27236 | High | 8.4 | — | 2024-03-11 | In aoc_unlocked_ioctl of aoc.c, there is a possible memory corruption due to type confusion. |
CVE-2024-27226 | High | 8.4 | — | 2024-03-11 | In tmu_config_gov_params of , there is a possible out of bounds write due to a missing bounds check. |
CVE-2024-27220 | High | 8.4 | — | 2024-03-11 | In lpm_req_handler of , there is a possible out of bounds memory access due to a missing bounds check. |
CVE-2024-27219 | High | 8.4 | — | 2024-03-11 | In tmu_set_pi of tmu.c, there is a possible out of bounds write due to a missing bounds check. |
CVE-2024-27213 | High | 8.4 | — | 2024-03-11 | In BroadcastSystemMessage of servicemgr.cpp, there is a possible Remote Code Execution due to a use after free. |
CVE-2024-27209 | High | 8.4 | — | 2024-03-11 | there is a possible out of bounds write due to a heap buffer overflow. |
CVE-2024-27208 | High | 8.4 | — | 2024-03-11 | there is a possible out of bounds write due to a missing bounds check. |
CVE-2024-27205 | High | 8.4 | — | 2024-03-11 | there is a possible memory corruption due to a use after free. |
CVE-2024-27204 | High | 8.4 | — | 2024-03-11 | In tmu_set_gov_active of tmu.c, there is a possible out of bounds write due to a missing bounds check. |
CVE-2024-25993 | High | 8.4 | — | 2024-03-11 | In tmu_reset_tmu_trip_counter of , there is a possible out of bounds write due to a missing bounds check. |
CVE-2024-25988 | High | 8.4 | — | 2024-03-11 | In SAEMM_DiscloseGuti of SAEMM_RadioMessageCodec.c, there is a possible out of bounds read due to a missing bounds check. |
CVE-2024-25985 | High | 8.4 | — | 2024-03-11 | In bigo_unlocked_ioctl of bigo.c, there is a possible UAF due to a missing bounds check. |
CVE-2024-22005 | High | 8.4 | — | 2024-03-11 | there is a possible Authentication Bypass due to improperly used crypto. |
CVE-2024-27233 | High | 7.8 | — | 2024-03-11 | In ppcfw_init_secpolicy of ppcfw.c, there is a possible permission bypass due to uninitialized data. |
CVE-2024-27224 | High | 7.8 | — | 2024-03-11 | In strncpy of strncpy.c, there is a possible out of bounds write due to a missing bounds check. |
CVE-2024-27222 | High | 7.8 | — | 2024-03-11 | In onSkipButtonClick of FaceEnrollFoldPage.java, there is a possible way to access the file the app cannot access due to Intent Redirect GRANT_URI_PERMISSIONS Attack. |
CVE-2024-27221 | High | 7.8 | — | 2024-03-11 | In update_policy_data of , there is a possible out of bounds write due to a missing bounds check. |
CVE-2024-27212 | High | 7.8 | — | 2024-03-11 | In init_data of , there is a possible out of bounds write due to a missing bounds check. |
CVE-2024-27210 | High | 7.8 | — | 2024-03-11 | In policy_check of fvp.c, there is a possible out of bounds write due to a missing bounds check. |
CVE-2024-25992 | High | 7.8 | — | 2024-03-11 | In tmu_tz_control of tmu.c, there is a possible out of bounds read due to a missing bounds check. |
CVE-2024-25986 | High | 7.8 | — | 2024-03-11 | In ppmp_unprotect_buf of drm_fw.c, there is a possible compromise of protected memory due to a logic error in the code. |
CVE-2024-22008 | High | 7.8 | — | 2024-03-11 | In config_gov_time_windows of tmu.c, there is a possible out of bounds write due to a missing bounds check. |
CVE-2024-0051 | High | 7.8 | — | 2024-03-11 | In onQueueFilled of SoftMPEG4.cpp, there is a possible out of bounds write due to a heap buffer overflow. |
CVE-2024-0050 | High | 7.8 | — | 2024-03-11 | In getConfig of SoftVideoDecoderOMXComponent.cpp, there is a possible out of bounds write due to a missing validation check. |
CVE-2024-0049 | High | 7.8 | — | 2024-03-11 | In multiple locations, there is a possible out of bounds write due to a heap buffer overflow. |
CVE-2024-0048 | High | 7.8 | — | 2024-03-11 | In Session of AccountManagerService.java, there is a possible method to retain foreground service privileges due to incorrect handling of null responses. |
CVE-2024-0046 | High | 7.8 | — | 2024-03-11 | In installExistingPackageAsUser of InstallPackageHelper.java, there is a possible carrier restriction bypass due to a logic error in the code. |
CVE-2024-27211 | High | 7.7 | — | 2024-03-11 | In AtiHandleAPOMsgType of ati_Main.c, there is a possible OOB write due to a missing null check. |
CVE-2024-27229 | High | 7.5 | — | 2024-03-11 | In ss_SendCallBarringPwdRequiredIndMsg of ss_CallBarring.c, there is a possible null pointer deref due to a missing null check. |
CVE-2024-27206 | High | 7.5 | — | 2024-03-11 | there is a possible out of bounds read due to a missing bounds check. |
CVE-2024-22011 | High | 7.5 | — | 2024-03-11 | In ss_ProcessRejectComponent of ss_MmConManagement.c, there is a possible out of bounds read due to a missing bounds check. |
CVE-2024-22009 | High | 7.1 | — | 2024-03-11 | In init_data of , there is a possible out of bounds write due to a missing bounds check. |
CVE-2024-25987 | Medium | 6.7 | — | 2024-03-11 | In pt_sysctl_command of pt.c, there is a possible out of bounds write due to an incorrect bounds check. |
CVE-2024-0044 | Medium | 6.7 | — | 2024-03-11 | In createSessionInternal of PackageInstallerService.java, there is a possible run-as any app due to improper input validation. |
CVE-2024-0045 | Medium | 6.5 | — | 2024-03-11 | In smp_proc_sec_req of smp_act.cc, there is a possible out of bounds read due to improper input validation. |
CVE-2024-25990 | Medium | 6.4 | — | 2024-03-11 | In pktproc_perftest_gen_rx_packet_sktbuf_mode of link_rx_pktproc.c, there is a possible out of bounds write due to a race condition. |
CVE-2024-25984 | Medium | 6.2 | — | 2024-03-11 | In dumpBatteryDefend of dump_power.cpp, there is a possible out of bounds read due to a heap buffer overflow. |
CVE-2024-22007 | Medium | 6.2 | — | 2024-03-11 | In constraint_check of fvp.c, there is a possible out of bounds read due to a missing bounds check. |
CVE-2024-27234 | Medium | 5.9 | — | 2024-03-11 | In fvp_set_target of fvp.c, there is a possible out of bounds read due to a missing bounds check. |
CVE-2024-25989 | Medium | 5.9 | — | 2024-03-11 | In gpu_slc_liveness_update of pixel_gpu_slc.c, there is a possible out of bounds read due to a missing bounds check. |
CVE-2024-27237 | Medium | 5.5 | — | 2024-03-11 | In wipe_ns_memory of nsmemwipe.c, there is a possible incorrect size calculation due to a logic error in the code. |
CVE-2024-27235 | Medium | 5.5 | — | 2024-03-11 | In plugin_extern_func of , there is a possible out of bounds read due to a missing bounds check. |
CVE-2024-27218 | Medium | 5.5 | — | 2024-03-11 | In update_freq_data of , there is a possible out of bounds read due to a missing bounds check. |
CVE-2024-22010 | Medium | 5.5 | — | 2024-03-11 | In dvfs_plugin_caller of fvp.c, there is a possible out of bounds read due to a missing bounds check. |
CVE-2024-0047 | Medium | 5.5 | — | 2024-03-11 | In writeUserLP of UserManagerService.java, device policies are serialized with an incorrect tag due to a logic error in the code. |
CVE-2024-22006 | Medium | 5.3 | — | 2024-03-11 | OOB read in the TMU plugin that allows for memory disclosure in the power management subsystem of the device. |
CVE-2024-27230 | Medium | 5.1 | — | 2024-03-11 | In ProtocolPsKeepAliveStatusAdapter::getCode() of protocolpsadapter.cpp, there is a possible out of bounds read due to a missing bounds check. |
CVE-2024-27223 | Medium | 5.1 | — | 2024-03-11 | In EUTRAN_LCS_DecodeFacilityInformationElement of LPP_LcsManagement.c, there is a possible out of bounds read due to a missing bounds check. |
CVE-2024-27225 | Medium | 4.4 | — | 2024-03-11 | In sendHciCommand of bluetooth_hci.cc, there is a possible out of bounds read due to a heap buffer overflow. |
CVE-2024-25991 | Low | 3.3 | — | 2024-03-11 | In acpm_tmu_ipc_handler of tmu_plugin.c, there is a possible out of bounds read due to a missing bounds check. |
CVE-2024-0053 | Low | 3.3 | — | 2024-03-11 | In getCustomPrinterIcon of PrintManagerService.java, there is a possible way to view other user's images due to a confused deputy. |
CVE-2024-0052 | Low | 3.3 | — | 2024-03-11 | In multiple functions of healthconnect, there is a possible leakage of exercise route data due to a missing permission check. |
Linux · 48 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2021-47135 | High | 7.8 | — | 2024-03-15 | In the Linux kernel, the following vulnerability has been resolved: mt76: mt7921: fix possible AOOB issue in mt7921_mcu_tx_rate_report Fix possible array out of bound access in mt7921_mcu_tx_rate_report. |
CVE-2021-47131 | High | 7.8 | — | 2024-03-15 | In the Linux kernel, the following vulnerability has been resolved: net/tls: Fix use-after-free after the TLS device goes down and up When a netdev with active TLS offload goes down, tls_device_down is called to stop the offload and tear… |
CVE-2021-47123 | High | 7.8 | — | 2024-03-15 | In the Linux kernel, the following vulnerability has been resolved: io_uring: fix ltout double free on completion race Always remove linked timeout on io_link_timeout_fn() from the master request link list, otherwise we may get use-after… |
CVE-2021-47118 | High | 7.8 | — | 2024-03-15 | In the Linux kernel, the following vulnerability has been resolved: pid: take a reference when initializing `cad_pid` During boot, kernel_init_freeable() initializes `cad_pid` to the init task's struct pid. |
CVE-2021-47111 | High | 7.8 | — | 2024-03-15 | In the Linux kernel, the following vulnerability has been resolved: xen-netback: take a reference to the RX task thread Do this in order to prevent the task from being freed if the thread returns (which can be triggered by the frontend)… |
CVE-2024-26619 | High | 7.8 | — | 2024-03-11 | In the Linux kernel, the following vulnerability has been resolved: riscv: Fix module loading free order Reverse order of kfree calls to resolve use-after-free error. |
CVE-2024-26616 | High | 7.8 | — | 2024-03-11 | In the Linux kernel, the following vulnerability has been resolved: btrfs: scrub: avoid use-after-free when chunk length is not 64K aligned [BUG] There is a bug report that, on a ext4-converted btrfs, scrub leads to various problems, inc… |
CVE-2024-26610 | High | 7.8 | — | 2024-03-11 | In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: fix a memory corruption iwl_fw_ini_trigger_tlv::data is a pointer to a __le32, which means that if we copy to iwl_fw_ini_trigger_tlv::data + offset while… |
CVE-2024-26608 | High | 7.8 | — | 2024-03-11 | In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix global oob in ksmbd_nl_policy Similar to a reported issue (check the commit b33fb5b801c6 ("net: qualcomm: rmnet: fix global oob in rmnet_policy"), my local fu… |
CVE-2023-52495 | High | 7.8 | — | 2024-03-11 | In the Linux kernel, the following vulnerability has been resolved: soc: qcom: pmic_glink_altmode: fix port sanity check The PMIC GLINK altmode driver currently supports at most two ports. |
CVE-2023-52494 | High | 7.8 | — | 2024-03-11 | In the Linux kernel, the following vulnerability has been resolved: bus: mhi: host: Add alignment check for event ring read pointer Though we do check the event ring read pointer by "is_valid_ring_ptr" to make sure it is in the buffer ra… |
CVE-2023-52491 | High | 7.8 | — | 2024-03-11 | In the Linux kernel, the following vulnerability has been resolved: media: mtk-jpeg: Fix use after free bug due to error path handling in mtk_jpeg_dec_device_run In mtk_jpeg_probe, &jpeg->job_timeout_work is bound with mtk_jpeg_job_timeo… |
CVE-2024-26620 | High | 7.5 | — | 2024-03-11 | In the Linux kernel, the following vulnerability has been resolved: s390/vfio-ap: always filter entire AP matrix The vfio_ap_mdev_filter_matrix function is called whenever a new adapter or domain is assigned to the mdev. |
CVE-2021-47132 | High | 7.1 | — | 2024-03-15 | In the Linux kernel, the following vulnerability has been resolved: mptcp: fix sk_forward_memory corruption on retransmission MPTCP sk_forward_memory handling is a bit special, as such field is protected by the msk socket spin_lock, inst… |
CVE-2021-47110 | High | 7.1 | — | 2024-03-15 | In the Linux kernel, the following vulnerability has been resolved: x86/kvm: Disable kvmclock on all CPUs on shutdown Currently, we disable kvmclock from machine_shutdown() hook and this only happens for boot CPU. |
CVE-2024-26630 | High | 7.1 | — | 2024-03-13 | In the Linux kernel, the following vulnerability has been resolved: mm: cachestat: fix folio read-after-free in cache walk In cachestat, we access the folio from the page cache's xarray to compute its page offset, and check for its dirty… |
CVE-2024-26617 | High | 7.0 | — | 2024-03-11 | In the Linux kernel, the following vulnerability has been resolved: fs/proc/task_mmu: move mmu notification mechanism inside mm lock Move mmu notification mechanism inside mm lock to prevent race condition in other components which depen… |
CVE-2021-47134 | Medium | 5.5 | — | 2024-03-15 | In the Linux kernel, the following vulnerability has been resolved: efi/fdt: fix panic when no valid fdt found setup_arch() would invoke efi_init()->efi_get_fdt_params(). |
CVE-2021-47133 | Medium | 5.5 | — | 2024-03-15 | In the Linux kernel, the following vulnerability has been resolved: HID: amd_sfh: Fix memory leak in amd_sfh_work Kmemleak tool detected a memory leak in the amd_sfh driver. |
CVE-2021-47128 | Medium | 5.5 | — | 2024-03-15 | In the Linux kernel, the following vulnerability has been resolved: bpf, lockdown, audit: Fix buggy SELinux lockdown permission checks Commit 59438b46471a ("security,lockdown,selinux: implement SELinux lockdown") added an implementation… |
CVE-2021-47127 | Medium | 5.5 | — | 2024-03-15 | In the Linux kernel, the following vulnerability has been resolved: ice: track AF_XDP ZC enabled queues in bitmap Commit c7a219048e45 ("ice: Remove xsk_buff_pool from VSI structure") silently introduced a regression and broke the Tx side… |
CVE-2021-47126 | Medium | 5.5 | — | 2024-03-15 | In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix KASAN: slab-out-of-bounds Read in fib6_nh_flush_exceptions Reported by syzbot: HEAD commit: 90c911ad Merge tag 'fixes' of git://git.kernel.org/pub/scm.. |
CVE-2021-47125 | Medium | 5.5 | — | 2024-03-15 | In the Linux kernel, the following vulnerability has been resolved: sch_htb: fix refcount leak in htb_parent_to_leaf_offload The commit ae81feb7338c ("sch_htb: fix null pointer dereference on a null new_q") fixes a NULL pointer dereferen… |
CVE-2021-47124 | Medium | 5.5 | — | 2024-03-15 | In the Linux kernel, the following vulnerability has been resolved: io_uring: fix link timeout refs WARNING: CPU: 0 PID: 10242 at lib/refcount.c:28 refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28 RIP: 0010:refcount_warn_saturate+0x1… |
CVE-2021-47122 | Medium | 5.5 | — | 2024-03-15 | In the Linux kernel, the following vulnerability has been resolved: net: caif: fix memory leak in caif_device_notify In case of caif_enroll_dev() fail, allocated link_support won't be assigned to the corresponding structure. |
CVE-2021-47121 | Medium | 5.5 | — | 2024-03-15 | In the Linux kernel, the following vulnerability has been resolved: net: caif: fix memory leak in cfusbl_device_notify In case of caif_enroll_dev() fail, allocated link_support won't be assigned to the corresponding structure. |
CVE-2021-47120 | Medium | 5.5 | — | 2024-03-15 | In the Linux kernel, the following vulnerability has been resolved: HID: magicmouse: fix NULL-deref on disconnect Commit 9d7b18668956 ("HID: magicmouse: add support for Apple Magic Trackpad 2") added a sanity check for an Apple trackpad… |
CVE-2021-47119 | Medium | 5.5 | — | 2024-03-15 | In the Linux kernel, the following vulnerability has been resolved: ext4: fix memory leak in ext4_fill_super Buffer head references must be released before calling kill_bdev(); otherwise the buffer head (and its page referenced by b_data… |
CVE-2021-47117 | Medium | 5.5 | — | 2024-03-15 | In the Linux kernel, the following vulnerability has been resolved: ext4: fix bug on in ext4_es_cache_extent as ext4_split_extent_at failed We got follow bug_on when run fsstress with injecting IO fault: [130747.323114] kernel BUG at fs/… |
CVE-2021-47116 | Medium | 5.5 | — | 2024-03-15 | In the Linux kernel, the following vulnerability has been resolved: ext4: fix memory leak in ext4_mb_init_backend on error path. |
CVE-2021-47114 | Medium | 5.5 | — | 2024-03-15 | In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix data corruption by fallocate When fallocate punches holes out of inode size, if original isize is in the middle of last cluster, then the part from isize to t… |
CVE-2021-47113 | Medium | 5.5 | — | 2024-03-15 | In the Linux kernel, the following vulnerability has been resolved: btrfs: abort in rename_exchange if we fail to insert the second ref Error injection stress uncovered a problem where we'd leave a dangling inode ref if we failed during… |
CVE-2021-47112 | Medium | 5.5 | — | 2024-03-15 | In the Linux kernel, the following vulnerability has been resolved: x86/kvm: Teardown PV features on boot CPU as well Various PV features (Async PF, PV EOI, steal time) work through memory shared with hypervisor and when we restore from… |
CVE-2021-47109 | Medium | 5.5 | — | 2024-03-15 | In the Linux kernel, the following vulnerability has been resolved: neighbour: allow NUD_NOARP entries to be forced GCed IFF_POINTOPOINT interfaces use NUD_NOARP entries for IPv6. |
CVE-2024-26629 | Medium | 5.5 | — | 2024-03-13 | In the Linux kernel, the following vulnerability has been resolved: nfsd: fix RELEASE_LOCKOWNER The test on so_count in nfsd4_release_lockowner() is nonsense and harmful. |
CVE-2024-26618 | Medium | 5.5 | — | 2024-03-11 | In the Linux kernel, the following vulnerability has been resolved: arm64/sme: Always exit sme_alloc() early with existing storage When sme_alloc() is called with existing storage and we are not flushing we will always allocate new stora… |
CVE-2024-26615 | Medium | 5.5 | — | 2024-03-11 | In the Linux kernel, the following vulnerability has been resolved: net/smc: fix illegal rmb_desc access in SMC-D connection dump A crash was found when dumping SMC-D connections. |
CVE-2024-26612 | Medium | 5.5 | — | 2024-03-11 | In the Linux kernel, the following vulnerability has been resolved: netfs, fscache: Prevent Oops in fscache_put_cache() This function dereferences "cache" and then checks if it's IS_ERR_OR_NULL(). |
CVE-2024-26611 | Medium | 5.5 | — | 2024-03-11 | In the Linux kernel, the following vulnerability has been resolved: xsk: fix usage of multi-buffer BPF helpers for ZC XDP Currently when packet is shrunk via bpf_xdp_adjust_tail() and memory type is set to MEM_TYPE_XSK_BUFF_POOL, null pt… |
CVE-2023-52498 | Medium | 5.5 | — | 2024-03-11 | In the Linux kernel, the following vulnerability has been resolved: PM: sleep: Fix possible deadlocks in core system-wide PM code It is reported that in low-memory situations the system-wide resume core code deadlocks, because async_sche… |
CVE-2023-52493 | Medium | 5.5 | — | 2024-03-11 | In the Linux kernel, the following vulnerability has been resolved: bus: mhi: host: Drop chan lock before queuing buffers Ensure read and write locks for the channel are not taken in succession by dropping the read lock from parse_xfer_e… |
CVE-2023-52490 | Medium | 5.5 | — | 2024-03-11 | In the Linux kernel, the following vulnerability has been resolved: mm: migrate: fix getting incorrect page mapping during page migration When running stress-ng testing, we found below kernel crash after a few hours: Unable to handle ke… |
CVE-2023-52488 | Medium | 5.5 | — | 2024-03-11 | In the Linux kernel, the following vulnerability has been resolved: serial: sc16is7xx: convert from _raw_ to _noinc_ regmap functions for FIFO The SC16IS7XX IC supports a burst mode to access the FIFOs where the initial register address… |
CVE-2023-52487 | Medium | 5.5 | — | 2024-03-11 | In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix peer flow lists handling The cited change refactored mlx5e_tc_del_fdb_peer_flow() to only clear DUP flag when list of peer flows has become empty. |
CVE-2023-52486 | Medium | 5.5 | — | 2024-03-11 | In the Linux kernel, the following vulnerability has been resolved: drm: Don't unref the same fb many times by mistake due to deadlock handling If we get a deadlock after the fb lookup in drm_mode_page_flip_ioctl() we proceed to unref th… |
CVE-2023-52608 | Medium | 4.7 | — | 2024-03-13 | In the Linux kernel, the following vulnerability has been resolved: firmware: arm_scmi: Check mailbox/SMT channel for consistency On reception of a completion interrupt the shared memory area is accessed to retrieve the message header at… |
CVE-2021-47129 | Medium | 4.6 | — | 2024-03-15 | In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_ct: skip expectations for confirmed conntrack nft_ct_expect_obj_eval() calls nf_ct_ext_add() for a confirmed conntrack entry. |
CVE-2021-47130 | Medium | 4.4 | — | 2024-03-15 | In the Linux kernel, the following vulnerability has been resolved: nvmet: fix freeing unallocated p2pmem In case p2p device was found but the p2p pool is empty, the nvme target is still trying to free the sgl from the p2p pool instead o… |
N/a · 44 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-28354 | Critical | 10.0 | — | 2024-03-15 | There is a command injection vulnerability in the TRENDnet TEW-827DRU router with firmware version 2.10B01. |
| CVE-2024-25139 | Critical | 10.0 | — | 2024-03-14 | In TP-Link Omada er605 1.0.1 through (v2.6) 2.2.3, a cloud-brd binary is susceptible to an integer overflow that leads to a heap-based buffer overflow. |
| CVE-2024-28383 | Critical | 9.8 | — | 2024-03-14 | Tenda AX12 v1.0 v22.03.01.16 was discovered to contain a stack overflow via the ssid parameter in the sub_431CF0 function. |
| CVE-2024-28388 | Critical | 9.8 | — | 2024-03-14 | SQL injection vulnerability in SunnyToo stproductcomments module for PrestaShop v.1.0.5 and before, allows a remote attacker to escalate privileges and obtain sensitive information via the StProductCommentClass::getListcomments method. |
| CVE-2024-28553 | Critical | 9.8 | — | 2024-03-12 | Tenda AC18 V15.03.05.05 has a stack overflow vulnerability in the entrys parameter of the fromAddressNat function. |
| CVE-2024-28535 | Critical | 9.8 | — | 2024-03-12 | Tenda AC18 V15.03.05.05 has a stack overflow vulnerability in the mitInterface parameter of the fromAddressNat function. |
| CVE-2024-25331 | Critical | 9.3 | — | 2024-03-12 | DIR-822 Rev. |
| CVE-2024-26503 | Critical | 9.1 | — | 2024-03-14 | Unrestricted File Upload vulnerability in Greek Universities Network Open eClass v.3.15 and earlier allows attackers to run arbitrary code via upload of a crafted file to the certbadge.php endpoint. |
| CVE-2024-28353 | High | 8.8 | — | 2024-03-15 | There is a command injection vulnerability in the TRENDnet TEW-827DRU router with firmware version 2.10B01. |
| CVE-2023-50677 | High | 8.8 | — | 2024-03-14 | An issue in NETGEAR-DGND4000 v.1.1.00.15_1.00.15 allows a remote attacker to escalate privileges via the next_file parameter to the /setup.cgi component. |
| CVE-2024-28424 | High | 8.8 | — | 2024-03-14 | zenml v0.55.4 was discovered to contain an arbitrary file upload vulnerability in the load function at /materializers/cloudpickle_materializer.py. |
| CVE-2024-25228 | High | 8.8 | — | 2024-03-14 | Vinchin Backup and Recovery 7.2 and earlier is vulnerable to Authenticated Remote Code Execution (RCE) via the getVerifydiyResult function in ManoeuvreHandler.class.php. |
| CVE-2024-27758 | High | 8.4 | — | 2024-03-12 | In RPyC before 6.0.0, when a server exposes a method that calls the attribute named __array__ for a client-provided netref (e.g., np.array(client_netref)), a remote attacker can craft a class that results in remote code execution. |
| CVE-2024-28404 | High | 8.0 | — | 2024-03-15 | TOTOLINK X2000R before V1.0.0-B20231213.1013 contains a Stored Cross-site scripting (XSS) vulnerability in MAC Filtering under the Firewall Page. |
| CVE-2024-28338 | High | 8.0 | — | 2024-03-12 | A login bypass in TOTOLINK A8000RU V7.1cu.643_B20200521 allows attackers to log in to Administrator accounts by providing a crafted session cookie. |
| CVE-2024-28340 | High | 7.5 | — | 2024-03-12 | An information leak in the currentsetting.htm component of Netgear CBR40 2.5.0.28, Netgear CBK40 2.5.0.28, and Netgear CBK43 2.5.0.28 allows attackers to obtain sensitive information without any authentication required. |
| CVE-2023-32666 | High | 7.2 | — | 2024-03-14 | On-chip debug and test interface with improper access control in some 4th Generation Intel(R) Xeon(R) Processors when using Intel(R) SGX or Intel(R) TDX may allow a privileged user to potentially enable escalation of privilege via local ac… |
| CVE-2023-32282 | High | 7.2 | — | 2024-03-14 | Race condition in BIOS firmware for some Intel(R) Processors may allow a privileged user to potentially enable escalation of privilege via local access. |
| CVE-2024-25325 | High | 7.1 | — | 2024-03-12 | SQL injection vulnerability in Employee Management System v.1.0 allows a local attacker to obtain sensitive information via a crafted payload to the txtemail parameter in login.php. |
| CVE-2024-28816 | High | 7.1 | — | 2024-03-11 | Student Information Chatbot a0196ab allows SQL injection via the username to the login function in index.php. |
| CVE-2023-35191 | Medium | 6.8 | — | 2024-03-14 | Uncontrolled resource consumption for some Intel(R) SPS firmware versions may allow a privileged user to potentially enable denial of service via network access. |
| CVE-2023-32633 | Medium | 6.7 | — | 2024-03-14 | Improper input validation in the Intel(R) CSME installer software before version 2328.5.5.0 may allow an authenticated user to potentially enable escalation of privilege via local access. |
| CVE-2023-28389 | Medium | 6.7 | — | 2024-03-14 | Incorrect default permissions in some Intel(R) CSME installer software before version 2328.5.5.0 may allow an authenticated user to potentially enable escalation of privilege via local access. |
| CVE-2023-39368 | Medium | 6.5 | — | 2024-03-14 | Protection mechanism failure of bus lock regulator for some Intel(R) Processors may allow an unauthenticated user to potentially enable denial of service via network access. |
| CVE-2023-28746 | Medium | 6.5 | — | 2024-03-14 | Information exposure through microarchitectural state after transient execution from some register files for some Intel(R) Atom(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. |
| CVE-2024-28323 | Medium | 6.5 | — | 2024-03-14 | The bwdates-report-result.php file in Phpgurukul User Registration & Login and User Management System 3.1 contains a potential security vulnerability related to user input validation. |
| CVE-2024-28418 | Medium | 6.5 | — | 2024-03-14 | Webedition CMS 9.2.2.0 has a file upload vulnerability via /webEdition/we_cmd.php. |
| CVE-2023-36238 | Medium | 6.5 | — | 2024-03-13 | Insecure Direct Object Reference (IDOR) in Bagisto v.1.5.1 allows an attacker to obtain sensitive information via the invoice ID parameter. |
| CVE-2024-28417 | Medium | 6.3 | — | 2024-03-14 | Webedition CMS 9.2.2.0 has a Stored XSS vulnerability via /webEdition/we_cmd.php. |
| CVE-2023-22655 | Medium | 6.1 | — | 2024-03-14 | Protection mechanism failure in some 3rd and 4th Generation Intel(R) Xeon(R) Processors when using Intel(R) SGX or Intel(R) TDX may allow a privileged user to potentially enable escalation of privilege via local access. |
| CVE-2024-28623 | Medium | 6.1 | — | 2024-03-13 | RiteCMS v3.0.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component main_menu/edit_section. |
| CVE-2023-43292 | Medium | 6.1 | — | 2024-03-12 | Cross Site Scripting vulnerability in My Food Recipe Using PHP with Source Code v.1.0 allows a local attacker to execute arbitrary code via a crafted payload to the Recipe Name, Procedure, and ingredients parameters. |
| CVE-2023-49453 | Medium | 6.1 | — | 2024-03-12 | Reflected cross-site scripting (XSS) vulnerability in Racktables v0.22.0 and before allows local attackers to execute arbitrary code and obtain sensitive information via the search component in index.php. |
| CVE-2024-28823 | Medium | 6.1 | — | 2024-03-11 | Amazon AWS aws-js-s3-explorer (aka AWS JavaScript S3 Explorer) 1.0.0 allows XSS via a crafted S3 bucket name to index.html. |
| CVE-2024-26475 | Medium | 5.5 | — | 2024-03-14 | An issue in radareorg radare2 v.0.9.7 through v.5.8.6, fixed in v.5.8.8, allows a local attacker to cause a denial of service via the grub_sfs_read_extent function. |
| CVE-2023-38575 | Medium | 5.5 | — | 2024-03-14 | Non-transparent sharing of return predictor targets between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access. |
| CVE-2024-28401 | Medium | 5.4 | — | 2024-03-15 | TOTOLINK X2000R before v1.0.0-B20231213.1013 contains a Stored Cross-site scripting (XSS) vulnerability in Root Access Control under the Wireless Page. |
| CVE-2024-28403 | Medium | 5.4 | — | 2024-03-15 | TOTOLINK X2000R before V1.0.0-B20231213.1013 is vulnerable to Cross Site Scripting (XSS) via the VPN Page. |
| CVE-2024-26454 | Medium | 5.4 | — | 2024-03-15 | A Cross Site Scripting vulnerability in Healthcare-Chatbot through 9b7058a can occur via a crafted payload to the email1 or pwd1 parameter in login.php. |
| CVE-2024-28662 | Medium | 5.4 | — | 2024-03-13 | A Cross Site Scripting vulnerability exists in Piwigo before 14.3.0 because of missing sanitization in create_tag in admin/include/functions.php. |
| CVE-2024-28339 | Medium | 5.4 | — | 2024-03-12 | An information leak in the debuginfo.htm component of Netgear CBR40 2.5.0.28, Netgear CBK40 2.5.0.28, and Netgear CBK43 2.5.0.28 allows attackers to obtain sensitive information without any authentication required. |
| CVE-2023-43490 | Medium | 5.3 | — | 2024-03-14 | Incorrect calculation in microcode keying mechanism for some Intel(R) Xeon(R) D Processors with Intel(R) SGX may allow a privileged user to potentially enable information disclosure via local access. |
| CVE-2024-26521 | Medium | 4.8 | — | 2024-03-12 | HTML Injection vulnerability in CE Phoenix v1.0.8.20 and before allows a remote attacker to execute arbitrary code, escalate privileges, and obtain sensitive information via a crafted payload to the english.php component. |
| CVE-2023-27502 | Low | 3.3 | — | 2024-03-14 | Insertion of sensitive information into log file for some Intel(R) Local Manageability Service software before version 2316.5.1.2 may allow an authenticated user to potentially enable information disclosure via local access. |
DedeCMS · 23 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-28673 | High | 8.8 | — | 2024-03-13 | DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /dede/mychannel_edit.php. |
| CVE-2024-28671 | High | 8.8 | — | 2024-03-13 | DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /dede/stepselect_main.php. |
| CVE-2024-28684 | High | 8.8 | — | 2024-03-13 | DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via the component /dede/module_main.php. |
| CVE-2024-28675 | High | 8.8 | — | 2024-03-13 | DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /dede/diy_edit.php. |
| CVE-2024-28665 | High | 8.8 | — | 2024-03-13 | DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via the component /dede/article_add.php. |
| CVE-2024-28432 | High | 8.8 | — | 2024-03-13 | DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via the component /dede/article_edit.php. |
| CVE-2024-28431 | High | 8.8 | — | 2024-03-13 | DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via the component /dede/catalog_del.php. |
| CVE-2024-28682 | Medium | 6.3 | — | 2024-03-13 | DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /dede/sys_cache_up.php. |
| CVE-2024-28678 | Medium | 6.3 | — | 2024-03-13 | DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via the component /dede/article_description_main.php. |
| CVE-2024-28683 | Medium | 6.1 | — | 2024-03-13 | DedeCMS v5.7 was discovered to contain a cross-site scripting (XSS) vulnerability via create file. |
| CVE-2024-28681 | Medium | 6.1 | — | 2024-03-13 | DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /dede/plus_edit.php. |
| CVE-2024-28680 | Medium | 6.1 | — | 2024-03-13 | DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /dede/diy_add.php. |
| CVE-2024-28679 | Medium | 6.1 | — | 2024-03-13 | DedeCMS v5.7 was discovered to contain a cross-site scripting (XSS) vulnerability via Photo Collection. |
| CVE-2024-28677 | Medium | 6.1 | — | 2024-03-13 | DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /dede/article_keywords_main.php. |
| CVE-2024-28676 | Medium | 6.1 | — | 2024-03-13 | DedeCMS v5.7 was discovered to contain a cross-site scripting (XSS) vulnerability via /dede/article_edit.php. |
| CVE-2024-28670 | Medium | 6.1 | — | 2024-03-13 | DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /dede/freelist_main.php. |
| CVE-2024-28668 | Medium | 6.1 | — | 2024-03-13 | DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via the component /dede/mychannel_add.php. |
| CVE-2024-28667 | Medium | 6.1 | — | 2024-03-13 | DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via the component /dede/templets_one_edit.php. |
| CVE-2024-28430 | Medium | 6.1 | — | 2024-03-13 | DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via the component /dede/catalog_edit.php. |
| CVE-2024-28666 | Medium | 5.5 | — | 2024-03-13 | DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via the component /dede/media_add.php. |
| CVE-2024-28429 | Medium | 5.5 | — | 2024-03-13 | DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via the component /dede/archives_do.php. |
| CVE-2024-28672 | Medium | 5.4 | — | 2024-03-13 | DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /dede/media_edit.php. |
| CVE-2024-28669 | Medium | 5.4 | — | 2024-03-13 | DedeCMS v5.7 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /dede/freelist_edit.php. |
IBM · 13 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-22346 | High | 8.4 | — | 2024-03-14 | Db2 for IBM i 7.2, 7.3, 7.4, and 7.5 infrastructure could allow a local user to gain elevated privileges due to an unqualified library call. |
| CVE-2024-27266 | High | 8.2 | — | 2024-03-14 | IBM Maximo Application Suite 7.6.1.3 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. |
| CVE-2023-38723 | Medium | 6.4 | — | 2024-03-13 | IBM Maximo Application Suite 7.6.1.3 is vulnerable to stored cross-site scripting. |
| CVE-2021-38938 | Medium | 6.2 | — | 2024-03-15 | IBM Host Access Transformation Services (HATS) 9.6 through 9.6.1.4 and 9.7 through 9.7.0.3 stores user credentials in clear text which can be read by a local user. |
| CVE-2023-47699 | Medium | 6.1 | — | 2024-03-15 | IBM Sterling Secure Proxy 6.0.3 and 6.1.0 is vulnerable to cross-site scripting. |
| CVE-2023-47162 | Medium | 6.1 | — | 2024-03-15 | IBM Sterling Secure Proxy 6.0.3 and 6.1.0 is vulnerable to cross-site scripting. |
| CVE-2023-47147 | Medium | 5.9 | — | 2024-03-15 | IBM Sterling Secure Proxy 6.0.3 and 6.1.0 could allow an attacker to overwrite a log message under specific conditions. |
| CVE-2023-46182 | Medium | 5.4 | — | 2024-03-15 | IBM Sterling Secure Proxy 6.0.3 and 6.1.0 is vulnerable to cross-site scripting. |
| CVE-2023-28517 | Medium | 5.4 | — | 2024-03-13 | IBM Sterling Partner Engagement Manager 6.1.2, 6.2.0, and 6.2.2 is vulnerable to cross-site scripting. |
| CVE-2023-43043 | Medium | 5.1 | — | 2024-03-13 | IBM Maximo Application Suite - Maximo Mobile for EAM 8.10 and 8.11 could disclose sensitive information to a local user. |
| CVE-2023-46179 | Medium | 4.3 | — | 2024-03-15 | IBM Sterling Secure Proxy 6.0.3 and 6.1.0 does not set the secure attribute on authorization tokens or session cookies. |
| CVE-2023-46181 | Medium | 4.0 | — | 2024-03-15 | IBM Sterling Secure Proxy 6.0.3 and 6.1.0 allows web pages to be stored locally which can be read by another user on the system. |
| CVE-2023-32335 | Low | 3.7 | — | 2024-03-13 | IBM Maximo Application Suite 8.10, 8.11 and IBM Maximo Asset Management 7.6.1.3 stores sensitive information in URL parameters. |
Phoenix Contact · 13 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-25995 | Critical | 9.8 | — | 2024-03-12 | An unauthenticated remote attacker can modify configurations to perform a remote code execution, gain root rights or perform a DoS due to improper input validation. |
| CVE-2024-26288 | High | 8.7 | — | 2024-03-12 | An unauthenticated remote attacker can influence the communication due to the lack of encryption of sensitive data via a MITM. |
| CVE-2024-25999 | High | 8.4 | — | 2024-03-12 | An unauthenticated local attacker can perform a privilege escalation due to improper input validation in the OCPP agent service. |
| CVE-2024-26002 | High | 7.8 | — | 2024-03-12 | An improper input validation in the Qualcomm plctool allows a local attacker with low privileges to gain root access by changing the ownership of specific files. |
| CVE-2024-26004 | High | 7.5 | — | 2024-03-12 | An unauthenticated remote attacker can DoS a control agent due to access of an uninitialized pointer which may prevent or disrupt the charging functionality. |
| CVE-2024-26003 | High | 7.5 | — | 2024-03-12 | An unauthenticated remote attacker can DoS the control agent due to an out-of-bounds read which may prevent or disrupt the charging functionality. |
| CVE-2024-26001 | High | 7.4 | — | 2024-03-12 | An unauthenticated remote attacker can write memory out of bounds due to improper input validation in the MQTT stack. |
| CVE-2024-25998 | High | 7.3 | — | 2024-03-12 | An unauthenticated remote attacker can perform a command injection in the OCPP Service with limited privileges due to improper input validation. |
| CVE-2024-26000 | Medium | 5.9 | — | 2024-03-12 | An unauthenticated remote attacker can read memory out of bounds due to improper input validation in the MQTT stack. The brute force attack is not always successful because of memory randomization. |
| CVE-2024-25997 | Medium | 5.3 | — | 2024-03-12 | An unauthenticated remote attacker can perform a log injection due to improper input validation. |
| CVE-2024-25996 | Medium | 5.3 | — | 2024-03-12 | An unauthenticated remote attacker can perform a remote code execution due to an origin validation error. |
| CVE-2024-25994 | Medium | 5.3 | — | 2024-03-12 | An unauthenticated remote attacker can upload an arbitrary script file due to improper input validation. The upload destination is fixed and is write only. |
| CVE-2024-26005 | Medium | 4.8 | — | 2024-03-12 | An unauthenticated remote attacker can gain service level privileges through an incomplete cleanup during service restart after a DoS. |
Apache · 11 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2023-41313 | Critical | 9.8 | — | 2024-03-12 | The authentication method in Apache Doris versions before 2.0.0 was vulnerable to timing attacks. |
| CVE-2024-28752 | Critical | 9.3 | — | 2024-03-15 | An SSRF vulnerability using the Aegis DataBinding in versions of Apache CXF before 4.0.4, 3.6.3 and 3.5.8 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type. |
| CVE-2024-27894 | High | 8.5 | — | 2024-03-12 | The Pulsar Functions Worker includes a capability that permits authenticated users to create functions where the function's implementation is referenced by a URL. |
| CVE-2024-27135 | High | 8.5 | — | 2024-03-12 | Improper input validation in the Pulsar Function Worker allows a malicious authenticated user to execute arbitrary Java code on the Pulsar Function worker, outside of the sandboxes designated for running user-provided functions. |
| CVE-2024-27317 | High | 8.4 | — | 2024-03-12 | In Pulsar Functions Worker, authenticated users can upload functions in jar or nar files. |
| CVE-2022-34321 | High | 8.2 | — | 2024-03-12 | Improper Authentication vulnerability in Apache Pulsar Proxy allows an attacker to connect to the /proxy-stats endpoint without authentication. |
| CVE-2024-28746 | High | 8.1 | — | 2024-03-14 | Apache Airflow, versions 2.8.0 through 2.8.2, has a vulnerability that allows an authenticated user with limited permissions to access resources such as variables, connections, etc from the UI which they do not have permission to access. … |
| CVE-2024-24549 | High | 7.5 | — | 2024-03-13 | Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. |
| CVE-2024-28098 | Medium | 6.4 | — | 2024-03-12 | The vulnerability allows authenticated users with only produce or consume permissions to modify topic-level policies, such as retention, TTL, and offloading settings. |
| CVE-2024-23672 | Medium | 6.3 | — | 2024-03-13 | Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. |
| CVE-2024-23944 | Medium | 5.3 | — | 2024-03-15 | Information disclosure in persistent watchers handling in Apache ZooKeeper due to missing ACL check. |
Fortinet · 9 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2023-48788 | Critical | 9.8 | KEV | 2024-03-12 | An improper neutralization of special elements used in an sql command ('sql injection') in Fortinet FortiClientEMS version 7.2.0 through 7.2.2, FortiClientEMS 7.0.1 through 7.0.10 allows attacker to execute unauthorized code or commands via… |
| CVE-2023-42789 | Critical | 9.8 | — | 2024-03-12 | An out-of-bounds write in Fortinet FortiOS 7.4.0 through 7.4.1, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, FortiProxy 7.4.0, 7.2.0 through 7.2.6, 7.0.0 through 7.0.12, 2.0.0 through 2.0.13 allows… |
| CVE-2023-47534 | Critical | 9.6 | — | 2024-03-12 | An improper neutralization of formula elements in a csv file in Fortinet FortiClientEMS version 7.2.0 through 7.2.2, 7.0.0 through 7.0.10, 6.4.0 through 6.4.9, 6.2.0 through 6.2.9, 6.0.0 through 6.0.8 allows attacker to execute unauthorized… |
| CVE-2023-42790 | High | 8.1 | — | 2024-03-12 | A stack-based buffer overflow in Fortinet FortiOS 7.4.0 through 7.4.1, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14, 6.2.0 through 6.2.15, FortiProxy 7.4.0, 7.2.0 through 7.2.6, 7.0.0 through 7.0.12, 2.0.0 through 2.0.13… |
| CVE-2023-36554 | High | 8.1 | — | 2024-03-12 | An improper access control in Fortinet FortiManager version 7.4.0, version 7.2.0 through 7.2.3, version 7.0.0 through 7.0.10, version 6.4.0 through 6.4.13, 6.2 all versions allows attacker to execute unauthorized code or commands via specia… |
| CVE-2024-23112 | High | 8.0 | — | 2024-03-12 | An authorization bypass through user-controlled key vulnerability [CWE-639] in FortiOS version 7.4.0 through 7.4.1, 7.2.0 through 7.2.6, 7.0.1 through 7.0.13, 6.4.7 through 6.4.14, and FortiProxy version 7.4.0 through 7.4.2, 7.2.0 through… |
| CVE-2023-46717 | High | 7.5 | — | 2024-03-12 | An improper authentication vulnerability [CWE-287] in FortiOS versions 7.4.1 and below, versions 7.2.6 and below, and versions 7.0.12 and below when configured with FortiAuthenticator in HA may allow a readonly user to gain read-write acce… |
| CVE-2023-41842 | Medium | 6.7 | — | 2024-03-12 | A use of externally-controlled format string vulnerability [CWE-134] in Fortinet allows a privileged attacker to execute unauthorized code or commands via specially crafted command arguments. |
| CVE-2024-21761 | Medium | 4.3 | — | 2024-03-12 | An improper authorization vulnerability [CWE-285] in FortiPortal version 7.2.0, and versions 7.0.6 and below, may allow a user to download other organizations' reports via modification of the request payload. |
Leap13 · 9 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-2399 | Medium | 6.4 | — | 2024-03-15 | The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 4.10.23 due to insufficient input sanitization and output escaping on user su… |
| CVE-2024-2239 | Medium | 6.4 | — | 2024-03-13 | The Premium Addons PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Premium Magic Scroll module in all versions up to, and including, 2.9.12 due to insufficient input sanitization and output escaping. |
| CVE-2024-2238 | Medium | 6.4 | — | 2024-03-13 | The Premium Addons PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom Mouse Cursor module in all versions up to, and including, 2.9.12 due to insufficient input sanitization and output escaping. |
| CVE-2024-2237 | Medium | 6.4 | — | 2024-03-13 | The Premium Addons PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Global Badge module in all versions up to, and including, 2.9.12 due to insufficient input sanitization and output escaping. |
| CVE-2024-2000 | Medium | 6.4 | — | 2024-03-13 | The Premium Addons PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'navigation_dots' parameter of the Multi Scroll Widget in all versions up to, and including, 2.9.12 due to insufficient input sanitization and… |
| CVE-2024-1997 | Medium | 6.4 | — | 2024-03-13 | The Premium Addons PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'premium_fbchat_app_id' parameter of the Messenger Chat Widget in all versions up to, and including, 2.9.12 due to insufficient input sanitiza… |
| CVE-2024-1996 | Medium | 6.4 | — | 2024-03-13 | The Premium Addons PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's IHover widget link in all versions up to, and including, 2.9.12 due to insufficient input sanitization and output escaping on user su… |
| CVE-2024-1680 | Medium | 6.4 | — | 2024-03-13 | The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Settings URL of the Banner, Team Members, and Image Scroll widgets in all versions up to, and including, 4.10.21 due to insuff… |
| CVE-2024-0326 | Medium | 6.4 | — | 2024-03-13 | The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Link Wrapper functionality in all versions up to, and including, 4.10.17 due to insufficient input sanitization and output… |
Siemens · 9 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-22039 | Critical | 10.0 | — | 2024-03-12 | A vulnerability has been identified in Cerberus PRO EN Engineering Tool (All versions < IP8), Cerberus PRO EN Fire Panel FC72x IP6 (All versions < IP6 SR3), Cerberus PRO EN Fire Panel FC72x IP7 (All versions < IP7 SR5), Cerberus PRO EN X20… |
| CVE-2022-32257 | Critical | 9.8 | — | 2024-03-12 | A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.2). |
| CVE-2024-27907 | High | 7.8 | — | 2024-03-12 | A vulnerability has been identified in Simcenter Femap (All versions < V2306.0000). |
| CVE-2024-22045 | High | 7.6 | — | 2024-03-12 | A vulnerability has been identified in SINEMA Remote Connect Client (All versions < V3.1 SP1). |
| CVE-2024-22044 | High | 7.5 | — | 2024-03-12 | A vulnerability has been identified in SENTRON 3KC ATC6 Expansion Module Ethernet (3KC9000-8TL75) (All versions). |
| CVE-2024-22041 | High | 7.5 | — | 2024-03-12 | A vulnerability has been identified in Cerberus PRO EN Engineering Tool (All versions), Cerberus PRO EN Fire Panel FC72x IP6 (All versions), Cerberus PRO EN Fire Panel FC72x IP7 (All versions), Cerberus PRO EN Fire Panel FC72x IP8 (All ver… |
| CVE-2024-22040 | High | 7.5 | — | 2024-03-12 | A vulnerability has been identified in Cerberus PRO EN Engineering Tool (All versions), Cerberus PRO EN Fire Panel FC72x IP6 (All versions), Cerberus PRO EN Fire Panel FC72x IP7 (All versions), Cerberus PRO EN Fire Panel FC72x IP8 (All ver… |
| CVE-2023-45793 | Medium | 5.5 | — | 2024-03-12 | A vulnerability has been identified in Siveillance Control (All versions >= V2.8 < V3.1.1). |
| CVE-2024-21483 | Medium | 4.6 | — | 2024-03-12 | A vulnerability has been identified in SENTRON 7KM PAC3120 AC/DC (7KM3120-0BA01-1DA0) (All versions >= V3.2.3 < V3.2.4 only when manufactured between LQN231003... |
Cisco · 8 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2024-20320 | High | 7.8 | — | 2024-03-13 | A vulnerability in the SSH client feature of Cisco IOS XR Software for Cisco 8000 Series Routers and Cisco Network Convergence System (NCS) 540 Series and 5700 Series Routers could allow an authenticated, local attacker to elevate privileg… |
| CVE-2024-20327 | High | 7.4 | — | 2024-03-13 | A vulnerability in the PPP over Ethernet (PPPoE) termination feature of Cisco IOS XR Software for Cisco ASR 9000 Series Aggregation Services Routers could allow an unauthenticated, adjacent attacker to crash the ppp_ma process, resulting i… |
| CVE-2024-20318 | High | 7.4 | — | 2024-03-13 | A vulnerability in the Layer 2 Ethernet services of Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to cause the line card network processor to reset, resulting in a denial of service (DoS) condition. This vulner… |
| CVE-2024-20262 | Medium | 6.5 | — | 2024-03-13 | A vulnerability in the Secure Copy Protocol (SCP) and SFTP feature of Cisco IOS XR Software could allow an authenticated, local attacker to create or overwrite files in a system directory, which could lead to a denial of service (DoS) cond… |
| CVE-2024-20322 | Medium | 5.8 | — | 2024-03-13 | A vulnerability in the access control list (ACL) processing on Pseudowire interfaces in the ingress direction of Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass a configured ACL. This vulnerability is due… |
| CVE-2024-20315 | Medium | 5.8 | — | 2024-03-13 | A vulnerability in the access control list (ACL) processing on MPLS interfaces in the ingress direction of Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass a configured ACL. This vulnerability is due to im… |
| CVE-2024-20266 | Medium | 5.3 | — | 2024-03-13 | A vulnerability in the DHCP version 4 (DHCPv4) server feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to trigger a crash of the dhcpd process, resulting in a denial of service (DoS) condition. This vulne… |
| CVE-2024-20319 | Medium | 4.3 | — | 2024-03-13 | A vulnerability in the UDP forwarding code of Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to bypass configured management plane protection policies and access the Simple Network Management Plane (SNMP) server of… |
Code-projects · 8 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2023-41505 | Critical | 9.8 | — | 2024-03-13 | An arbitrary file upload vulnerability in the Add Student's Profile Picture function of Student Enrollment In PHP v1.0 allows attackers to execute arbitrary code via uploading a crafted PHP file. |
| CVE-2024-24101 | Critical | 9.8 | — | 2024-03-12 | Code-projects Scholars Tracking System 1.0 is vulnerable to SQL Injection under Eligibility Information Update. |
| CVE-2024-24093 | Critical | 9.8 | — | 2024-03-12 | SQL Injection vulnerability in Code-projects Scholars Tracking System 1.0 allows attackers to run arbitrary code via Personal Information Update information. |
| CVE-2023-41504 | High | 8.8 | — | 2024-03-13 | SQL Injection vulnerability in Student Enrollment In PHP 1.0 allows attackers to run arbitrary code via the Student Search function. |
| CVE-2024-24092 | High | 7.8 | — | 2024-03-12 | SQL Injection vulnerability in Code-projects.org Scholars Tracking System 1.0 allows attackers to run arbitrary code via login.php. |
| CVE-2023-42308 | Medium | 6.1 | — | 2024-03-12 | Cross Site Scripting (XSS) vulnerability in Manage Fastrack Subjects in Code-Projects Exam Form Submission 1.0 allows attackers to run arbitrary code via the "Subject Name" and "Subject Code" Section. |
| CVE-2023-42307 | Medium | 6.1 | — | 2024-03-12 | Cross Site Scripting (XSS) vulnerability in Code-Projects Exam Form Submission 1.0 allows attackers to run arbitrary code via "Subject Name" and "Subject Code" section. |
| CVE-2024-24097 | Medium | 5.4 | — | 2024-03-12 | Cross Site Scripting (XSS) vulnerability in Code-projects Scholars Tracking System 1.0 allows attackers to run arbitrary code via the News Feed. |
Binhnguyenplus · 7 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2023-4731 | Medium | 4.3 | — | 2024-03-12 | The LadiApp plugin for WordPress is vulnerable to Cross-Site Request Forgery due to a missing nonce check on the init_endpoint() function hooked via 'init' in versions up to, and including, 4.4. |
| CVE-2023-4729 | Medium | 4.3 | — | 2024-03-12 | The LadiApp plugin for WordPress is vulnerable to Cross-Site Request Forgery due to a missing nonce check on the publish_lp() function hooked via an AJAX action in versions up to, and including, 4.4. |
| CVE-2023-4728 | Medium | 4.3 | — | 2024-03-12 | The LadiApp plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the publish_lp() function hooked via an AJAX action in versions up to, and including, 4.4. |
| CVE-2023-4629 | Medium | 4.3 | — | 2024-03-12 | The LadiApp plugin for WordPress is vulnerable to Cross-Site Request Forgery due to a missing nonce check on the save_config() function in versions up to, and including, 4.3. |
| CVE-2023-4628 | Medium | 4.3 | — | 2024-03-12 | The LadiApp plugin for WordPress is vulnerable to Cross-Site Request Forgery due to a missing nonce check on the ladiflow_save_hook() function in versions up to, and including, 4.4. |
| CVE-2023-4627 | Medium | 4.3 | — | 2024-03-12 | The LadiApp plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_config() function in versions up to, and including, 4.4. |
| CVE-2023-4626 | Medium | 4.3 | — | 2024-03-12 | The LadiApp plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ladiflow_save_hook() function in versions up to, and including, 4.3. |
Sap · 7 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-22127 | Critical | 9.1 | — | 2024-03-12 | SAP NetWeaver Administrator AS Java (Administrator Log Viewer plug-in) - version 7.50, allows an attacker with high privileges to upload potentially dangerous files which leads to command injection vulnerability. |
CVE-2024-27902 | Medium | 5.4 | — | 2024-03-12 | Applications based on SAP GUI for HTML in SAP NetWeaver AS ABAP - versions 7.89, 7.93, do not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. A successful attack can allow a malicious atta… |
CVE-2024-28163 | Medium | 5.3 | — | 2024-03-12 | Under certain conditions, Support Web Pages of SAP NetWeaver Process Integration (PI) - versions 7.50, allows an attacker to access information which would otherwise be restricted, causing low impact on Confidentiality with no impact on In… |
CVE-2024-25645 | Medium | 5.3 | — | 2024-03-12 | Under certain conditions SAP NetWeaver (Enterprise Portal) - version 7.50 allows an attacker to access information which would otherwise be restricted causing low impact on confidentiality of the application and with no impact on Integrity… |
CVE-2024-25644 | Medium | 5.3 | — | 2024-03-12 | Under certain conditions SAP NetWeaver WSRM - version 7.50, allows an attacker to access information which would otherwise be restricted, causing low impact on Confidentiality with no impact on Integrity and Availability of the application… |
CVE-2024-22133 | Medium | 4.6 | — | 2024-03-12 | SAP Fiori Front End Server - version 605, allows altering of approver details on the read-only field when sending leave request information. |
CVE-2024-27900 | Medium | 4.3 | — | 2024-03-12 | Due to missing authorization check, attacker with business user account in SAP ABAP Platform - version 758, 795, can change the privacy setting of job templates from shared to private. |
Sciener · 7 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2023-7017 | Critical | 9.8 | — | 2024-03-15 | Sciener locks' firmware update mechanism does not authenticate or validate firmware updates if passed to the lock through the Bluetooth Low Energy service. |
CVE-2023-7006 | Critical | 9.1 | — | 2024-03-15 | The unlockKey character in a lock using Sciener firmware can be brute forced through repeated challenge requests, compromising the lock's integrity. |
CVE-2023-7009 | High | 8.2 | — | 2024-03-15 | Some Sciener-based locks support plaintext message processing over Bluetooth Low Energy, allowing unencrypted malicious commands to be passed to the lock. |
CVE-2023-7007 | High | 8.2 | — | 2024-03-15 | Sciener server does not validate connection requests from the GatewayG2, allowing an impersonation attack that provides the attacker the unlockKey field. |
CVE-2023-6960 | High | 7.5 | — | 2024-03-15 | TTLock App virtual keys and settings are only deleted client side, and if preserved, can access the lock after intended deletion. |
CVE-2023-7003 | Medium | 6.8 | — | 2024-03-15 | The AES key utilized in the pairing process between a lock using Sciener firmware and a wireless keypad is not unique, and can be reused to compromise other locks using the Sciener firmware. |
CVE-2023-7004 | Medium | 6.5 | — | 2024-03-15 | The TTLock App does not employ proper verification procedures to ensure that it is communicating with the expected device, allowing for connection to a device that spoofs the MAC address of a lock, which compromises the legitimate locks in… |
Beaverbuilder · 6 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-1080 | Medium | 6.4 | — | 2024-03-13 | The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the heading tag in all versions up to, and including, 2.7.4.4 due to insufficient input sanitization and output escap… |
CVE-2024-1074 | Medium | 6.4 | — | 2024-03-13 | The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the audio widget 'link_url' parameter in all versions up to, and including, 2.7.4.2 due to insufficient input sanitization an… |
CVE-2024-0897 | Medium | 6.4 | — | 2024-03-13 | The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the image URL parameter in all versions up to, and including, 2.7.4.2 due to insufficient input sanitization and output escap… |
CVE-2024-0896 | Medium | 6.4 | — | 2024-03-13 | The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the button link parameter in all versions up to, and including, 2.7.4.2 due to insufficient input sanitization and output esc… |
CVE-2024-1038 | Medium | 5.4 | — | 2024-03-13 | The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to DOM-Based Reflected Cross-Site Scripting via a 'playground.wordpress.net' parameter in all versions up to, and including, 2.7.4.2 due to insufficient input s… |
CVE-2024-0871 | Medium | 5.4 | — | 2024-03-13 | The Beaver Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Icon Widget 'fl_builder_data[node_preview][link]' and 'fl_builder_data[settings][link_target]' parameters in all versions up to, and including, 2… |
Tenda · 6 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-2490 | High | 8.8 | — | 2024-03-15 | A vulnerability classified as critical was found in Tenda AC18 15.03.05.05. |
CVE-2024-2489 | High | 8.8 | — | 2024-03-15 | A vulnerability classified as critical has been found in Tenda AC18 15.03.05.05. |
CVE-2024-2488 | High | 8.8 | — | 2024-03-15 | A vulnerability was found in Tenda AC18 15.03.05.05. |
CVE-2024-2487 | High | 8.8 | — | 2024-03-15 | A vulnerability was found in Tenda AC18 15.03.05.05. |
CVE-2024-2486 | High | 8.8 | — | 2024-03-15 | A vulnerability was found in Tenda AC18 15.03.05.05. |
CVE-2024-2485 | High | 8.8 | — | 2024-03-15 | A vulnerability was found in Tenda AC18 15.03.05.05 and classified as critical. |
Delinea · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-25652 | High | 7.6 | — | 2024-03-14 | In Delinea PAM Secret Server 11.4, it is possible for a user assigned "Administer Reports" permission and/or with access to Report functionality via UNLIMITED ADMIN MODE (with access to the Report functionality) to gain unauthorized access… |
CVE-2024-25649 | Medium | 6.7 | — | 2024-03-14 | In Delinea PAM Secret Server 11.4, it is possible for an attacker (with Administrator access to the Secret Server machine) to read the following data from a memory dump: the decrypted master key, database credentials (when SQL Server Authe… |
CVE-2024-25650 | Medium | 5.9 | — | 2024-03-14 | Insecure key exchange between Delinea PAM Secret Server 11.4 and the Distributed Engine 8.4.3 allows a PAM administrator to obtain the Symmetric Key (used to encrypt RabbitMQ messages) via crafted payloads to the /pre-authenticate, /authen… |
CVE-2024-25651 | Medium | 5.3 | — | 2024-03-14 | User enumeration can occur in the Authentication REST API in Delinea PAM Secret Server 11.4. |
CVE-2024-25653 | Medium | 4.3 | — | 2024-03-14 | Broken Access Control in the Report functionality of Delinea PAM Secret Server 11.4 allows unprivileged users, when Unlimited Admin Mode is enabled, to view system reports and modify custom reports via the Report functionality in the Web U… |
Dell · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-0161 | High | 7.2 | — | 2024-03-13 | Dell PowerEdge Server BIOS and Dell Precision Rack BIOS contain an Improper SMM communication buffer verification vulnerability. |
CVE-2024-0163 | Medium | 5.3 | — | 2024-03-13 | Dell PowerEdge Server BIOS and Dell Precision Rack BIOS contain a TOCTOU race condition vulnerability. |
CVE-2024-0162 | Medium | 5.3 | — | 2024-03-13 | Dell PowerEdge Server BIOS and Dell Precision Rack BIOS contain an Improper SMM communication buffer verification vulnerability. |
CVE-2024-0173 | Low | 3.8 | — | 2024-03-13 | Dell PowerEdge Server BIOS and Dell Precision Rack BIOS contain an improper parameter initialization vulnerability. |
CVE-2024-0154 | Low | 3.8 | — | 2024-03-13 | Dell PowerEdge Server BIOS and Dell Precision Rack BIOS contain an improper parameter initialization vulnerability. |
Discourse · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-27100 | Medium | 6.5 | — | 2024-03-15 | Discourse is an open source platform for community discussion. |
CVE-2024-27085 | Medium | 6.5 | — | 2024-03-15 | Discourse is an open source platform for community discussion. |
CVE-2024-28242 | Medium | 5.3 | — | 2024-03-15 | Discourse is an open source platform for community discussion. |
CVE-2024-24827 | Medium | 5.3 | — | 2024-03-15 | Discourse is an open source platform for community discussion. |
CVE-2024-24748 | Medium | 5.3 | — | 2024-03-15 | Discourse is an open source platform for community discussion. |
Mattermost · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-2450 | High | 8.8 | — | 2024-03-15 | Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to correctly verify account ownership when switching from email to SAML authentication, allowing an authenticated attacker to take… |
CVE-2024-2445 | Medium | 6.1 | — | 2024-03-15 | Mattermost Jira plugin versions shipped with Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to escape user-controlled outputs when generating HTML pages, which allows an attacke… |
CVE-2024-2446 | Medium | 4.3 | — | 2024-03-15 | Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to limit the number of @-mentions processed per message, allowing an authenticated attacker to crash the client applications of ot… |
CVE-2024-24975 | Low | 3.5 | — | 2024-03-15 | Uncontrolled Resource Consumption in Mattermost Mobile versions before 2.13.0 fails to limit the size of the code block that will be processed by the syntax highlighter, allowing an attacker to send a very large code block and crash the mo… |
CVE-2024-28053 | Low | 3.1 | — | 2024-03-15 | Resource Exhaustion in Mattermost Server versions 8.1.x before 8.1.10 fails to limit the size of the payload that can be read and parsed allowing an attacker to send a very large email payload and crash the server. |
Mitsubishi Electric Corporation · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-1917 | Critical | 9.8 | — | 2024-03-15 | Integer Overflow or Wraparound vulnerability in Mitsubishi Electric Corporation MELSEC-Q Series and MELSEC-L Series CPU modules allows a remote unauthenticated attacker to execute malicious code on a target product by sending a specially c… |
CVE-2024-1916 | Critical | 9.8 | — | 2024-03-15 | Integer Overflow or Wraparound vulnerability in Mitsubishi Electric Corporation MELSEC-Q Series and MELSEC-L Series CPU modules allows a remote unauthenticated attacker to execute malicious code on a target product by sending a specially c… |
CVE-2024-1915 | Critical | 9.8 | — | 2024-03-15 | Incorrect Pointer Scaling vulnerability in Mitsubishi Electric Corporation MELSEC-Q Series and MELSEC-L Series CPU modules allows a remote unauthenticated attacker to execute malicious code on a target product by sending a specially crafte… |
CVE-2024-0803 | Critical | 9.8 | — | 2024-03-15 | Integer Overflow or Wraparound vulnerability in Mitsubishi Electric Corporation MELSEC-Q Series and MELSEC-L Series CPU modules allows a remote unauthenticated attacker to execute malicious code on a target product by sending a specially c… |
CVE-2024-0802 | Critical | 9.8 | — | 2024-03-15 | Incorrect Pointer Scaling vulnerability in Mitsubishi Electric Corporation MELSEC-Q Series and MELSEC-L Series CPU modules allows a remote unauthenticated attacker to read arbitrary information from a target product or execute malicious co… |
Ni · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-23612 | High | 7.8 | — | 2024-03-11 | An improper error handling vulnerability in LabVIEW may result in remote code execution. |
CVE-2024-23611 | High | 7.8 | — | 2024-03-11 | An out of bounds write due to a missing bounds check in LabVIEW may result in remote code execution. |
CVE-2024-23610 | High | 7.8 | — | 2024-03-11 | An out of bounds write due to a missing bounds check in LabVIEW may result in remote code execution. |
CVE-2024-23609 | High | 7.8 | — | 2024-03-11 | An improper error handling vulnerability in LabVIEW may result in remote code execution. |
CVE-2024-23608 | High | 7.8 | — | 2024-03-11 | An out of bounds write due to a missing bounds check in LabVIEW may result in remote code execution. |
Open-metadata · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-28255 | Critical | 9.8 | — | 2024-03-15 | OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. |
CVE-2024-28253 | Critical | 9.4 | — | 2024-03-15 | OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. |
CVE-2024-28848 | High | 8.8 | — | 2024-03-15 | OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. |
CVE-2024-28847 | High | 8.8 | — | 2024-03-15 | OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. |
CVE-2024-28254 | High | 8.8 | — | 2024-03-15 | OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. |
Themeisle · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-2126 | Medium | 6.4 | — | 2024-03-13 | The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Registration Form widget in all versions up to, and including, 2.10.32 due to insufficient input sanitization and output escaping. |
CVE-2024-1684 | Medium | 6.4 | — | 2024-03-13 | The Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the contact form file field CSS metabox in all versions up to, and including, 2.6.3 due to i… |
CVE-2024-1499 | Medium | 6.4 | — | 2024-03-13 | The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Pricing Table widget in the $settings['title_tags'] parameter in all versions up to, and including, 2.10.30 due to insufficient input san… |
CVE-2024-1497 | Medium | 6.4 | — | 2024-03-13 | The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form widget addr2_width attribute in all versions up to, and including, 2.10.30 due to insufficient input sanitization and output escaping. |
CVE-2024-1691 | Medium | 6.1 | — | 2024-03-13 | The Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via file upload form, which allows SVG uploads, in all versions up to, and including, 2.6.3… |
Webtechstreet · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-1358 | High | 8.8 | — | 2024-03-13 | The Elementor Addon Elements plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.12.12 via the render function. |
CVE-2024-1422 | Medium | 6.4 | — | 2024-03-13 | The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the modal popup widget's effect setting in all versions up to, and including, 1.12.12 due to insufficient input sanitization and output esca… |
CVE-2024-1393 | Medium | 6.4 | — | 2024-03-13 | The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'icon_align' attribute of the Content Switcher widget in all versions up to, and including, 1.12.12 due to insufficient input sanitizati… |
CVE-2024-1392 | Medium | 6.4 | — | 2024-03-13 | The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button1_icon' attribute of the Dual Button widget in all versions up to, and including, 1.12.12 due to insufficient input sanitization… |
CVE-2024-1391 | Medium | 6.4 | — | 2024-03-13 | The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘eae_custom_overlay_switcher’ attribute of the Thumbnail Slider widget in all versions up to, and including, 1.12.12 due to insufficient… |
Yooooomi · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-28194 | Critical | 9.1 | — | 2024-03-13 | your_spotify is an open source, self hosted Spotify tracking dashboard. |
CVE-2024-28195 | High | 8.1 | — | 2024-03-13 | your_spotify is an open source, self hosted Spotify tracking dashboard. |
CVE-2024-28193 | Medium | 6.5 | — | 2024-03-13 | your_spotify is an open source, self hosted Spotify tracking dashboard. |
CVE-2024-28196 | Medium | 6.5 | — | 2024-03-13 | your_spotify is an open source, self hosted Spotify tracking dashboard. |
CVE-2024-28192 | Medium | 5.3 | — | 2024-03-13 | your_spotify is an open source, self hosted Spotify tracking dashboard. |
Apple · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2023-42938 | High | 7.8 | — | 2024-03-14 | A logic issue was addressed with improved checks. |
CVE-2024-23300 | High | 7.8 | — | 2024-03-12 | A use-after-free issue was addressed with improved memory management. |
CVE-2024-23298 | Medium | 5.5 | — | 2024-03-15 | A logic issue was addressed with improved state management. |
CVE-2024-1221 | Low | 3.1 | — | 2024-03-14 | This vulnerability potentially allows files on a PaperCut NG/MF server to be exposed using a specifically formed payload against the impacted API endpoint. |
Badger Meter · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-1301 | Critical | 9.8 | — | 2024-03-12 | SQL injection vulnerability in Badger Meter Monitool affecting versions 4.6.3 and earlier. |
CVE-2024-1302 | High | 7.3 | — | 2024-03-12 | Information exposure vulnerability in Badger Meter Monitool affecting versions up to 4.6.3 and earlier. |
CVE-2024-1303 | Medium | 6.5 | — | 2024-03-12 | Incorrectly limiting the path to a restricted directory vulnerability in Badger Meter Monitool that affects versions up to 4.6.3 and earlier. |
CVE-2024-1304 | Medium | 6.3 | — | 2024-03-12 | Cross-site scripting vulnerability in Badger Meter Monitool that affects versions up to 4.6.3 and earlier. |
Brizy · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-1311 | High | 8.8 | — | 2024-03-13 | The Brizy – Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the storeImages function in all versions up to, and including, 2.4.40. |
CVE-2024-1296 | Medium | 6.4 | — | 2024-03-13 | The Brizy – Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's block upload in all versions up to, and including, 2.4.40 due to insufficient input sanitization and output escaping on user suppli… |
CVE-2024-1293 | Medium | 6.4 | — | 2024-03-13 | The Brizy – Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the embedded media custom block in all versions up to, and including, 2.4.40 due to insufficient input sanitization and output escaping. |
CVE-2024-1291 | Medium | 6.4 | — | 2024-03-13 | The Brizy – Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Countdown URL parameter in all versions up to, and including, 2.4.40 due to insufficient input sanitization and output escaping. |
Exclusiveaddons · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-2028 | Medium | 6.4 | — | 2024-03-13 | The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Covid-19 Stats Widget in all versions up to, and including, 2.6.9 due to insufficient input sanitization and output escaping. |
CVE-2024-1414 | Medium | 6.4 | — | 2024-03-13 | The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Call To Action widget in all versions up to, and including, 2.6.9 due to insufficient input sanitization and output escaping. |
CVE-2024-1413 | Medium | 6.4 | — | 2024-03-13 | The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Countdown Timer widget in all versions up to, and including, 2.6.9 due to insufficient input sanitization and output escaping. |
CVE-2024-1234 | Medium | 6.4 | — | 2024-03-13 | The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via data attribute in all versions up to, and including, 2.6.9 due to insufficient input sanitization and output escaping. |
Fortra · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-25153 | Critical | 9.8 | — | 2024-03-13 | A directory traversal within the ‘ftpservlet’ of the FileCatalyst Workflow Web Portal allows files to be uploaded outside of the intended ‘uploadtemp’ directory with a specially crafted POST request. |
CVE-2024-25155 | High | 7.2 | — | 2024-03-13 | In FileCatalyst Direct 3.8.8 and earlier through 3.8.6, the web server does not properly sanitize illegal characters in a URL which is then displayed on a subsequent error page. |
CVE-2024-25156 | Medium | 6.5 | — | 2024-03-14 | A path traversal vulnerability exists in GoAnywhere MFT prior to 7.4.2 which allows attackers to circumvent endpoint-specific permission checks in the GoAnywhere Admin and Web Clients. |
CVE-2024-25154 | Medium | 5.3 | — | 2024-03-13 | Improper URL validation leads to path traversal in FileCatalyst Direct 3.8.8 and earlier allowing an encoded payload to cause the web server to return files located outside of the web root which may lead to data leakage. |
Opentext · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2023-38534 | High | 8.6 | — | 2024-03-13 | Improper authentication vulnerability in OpenText™ Exceed Turbo X affecting versions 12.5.0 and 12.5.1. |
CVE-2023-38536 | Medium | 6.4 | — | 2024-03-13 | HTML injection in OpenText™ Exceed Turbo X affecting version 12.5.1. |
CVE-2023-7248 | Medium | 5.0 | — | 2024-03-15 | Certain functionality in OpenText Vertica Management console might be prone to bypass via crafted requests. The vulnerability would affect one of Vertica’s authentication functionalities by allowing specially crafted requests and sequenc… |
CVE-2023-38535 | Medium | 4.7 | — | 2024-03-13 | Use of Hard-coded Cryptographic Key vulnerability in OpenText™ Exceed Turbo X affecting versions 12.5.1 and 12.5.2. |
Red Hat · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-2182 | Medium | 6.5 | — | 2024-03-12 | A flaw was found in the Open Virtual Network (OVN). |
CVE-2023-6725 | Medium | 5.5 | — | 2024-03-15 | An access-control flaw was found in the OpenStack Designate component where private configuration information including access keys to BIND were improperly made world readable. |
CVE-2024-1441 | Medium | 5.5 | — | 2024-03-11 | An off-by-one error flaw was found in the udevListInterfacesByStatus() function in libvirt when the number of interfaces exceeds the size of the `names` array. |
CVE-2024-1979 | Low | 3.5 | — | 2024-03-13 | A vulnerability was found in Quarkus. |
Wpwax · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-2006 | High | 8.8 | — | 2024-03-13 | The Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.6.7 via deserialization of untrusted input in… |
CVE-2024-1951 | High | 7.5 | — | 2024-03-13 | The Logo Showcase Ultimate – Logo Carousel, Logo Slider & Logo Grid plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.8 via deserialization via shortcode of untrusted input. |
CVE-2024-1950 | High | 7.5 | — | 2024-03-13 | The Product Carousel Slider & Grid Ultimate for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.9.7 via deserialization of untrusted input via shortcode. |
CVE-2023-50886 | Medium | 4.3 | — | 2024-03-15 | Cross-Site Request Forgery (CSRF), Incorrect Authorization vulnerability in wpWax Legal Pages. This issue affects Legal Pages: from n/a through 1.3.7. |
Arcserve · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-0799 | Critical | 9.8 | — | 2024-03-13 | An authentication bypass vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in the edge-app-base-webui.jar!com.ca.arcserve.edge.app.base.ui.server.EdgeLoginServiceImpl.doLogin() function within wizardLogin. |
CVE-2024-0800 | High | 8.8 | — | 2024-03-13 | A path traversal vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in edge-app-base-webui.jar!com.ca.arcserve.edge.app.base.ui.server.servlet.ImportNodeServlet. |
CVE-2024-0801 | High | 7.5 | — | 2024-03-13 | A denial of service vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in ASNative.dll. |
Cms Made Simple · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-1527 | Critical | 9.8 | — | 2024-03-12 | Unrestricted file upload vulnerability in CMS Made Simple, affecting version 2.2.14. |
CVE-2024-1529 | High | 7.4 | — | 2024-03-12 | Vulnerability in CMS Made Simple 2.2.14, which does not sufficiently encode user-controlled input, resulting in a Cross-Site Scripting (XSS) vulnerability through /admin/adduser.php, in multiple parameters. |
CVE-2024-1528 | High | 7.4 | — | 2024-03-12 | CMS Made Simple version 2.2.14 does not sufficiently encode user-controlled input, resulting in a Cross-Site Scripting (XSS) vulnerability through /admin/moduleinterface.php, in multiple parameters. |
Debian · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-26614 | Medium | 5.5 | — | 2024-03-11 | In the Linux kernel, the following vulnerability has been resolved: tcp: make sure init the accept_queue's spinlocks once When I run syz's reproduction C program locally, it causes the following issue: pvqspinlock: lock 0xffff9d181cd5c66… |
CVE-2023-52489 | Medium | 4.7 | — | 2024-03-11 | In the Linux kernel, the following vulnerability has been resolved: mm/sparsemem: fix race in accessing memory_section->usage The below race is observed on a PFN which falls into the device memory region with the system memory configurat… |
CVE-2023-52492 | Medium | 4.4 | — | 2024-03-11 | In the Linux kernel, the following vulnerability has been resolved: dmaengine: fix NULL pointer in channel unregistration function __dma_async_device_channel_register() can fail. |
Hammadh · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-1772 | High | 8.8 | — | 2024-03-13 | The Play.ht – Make Your Blog Posts Accessible With Text to Speech Audio plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.6.4 via deserialization of untrusted input from the play_podcast_dat… |
CVE-2024-0828 | Medium | 5.4 | — | 2024-03-13 | The Play.ht – Make Your Blog Posts Accessible With Text to Speech Audio plugin for WordPress is vulnerable to unauthorized access of functionality due to a missing capability check on several functions in all versions up to, and including… |
CVE-2024-0827 | Medium | 4.3 | — | 2024-03-13 | The Play.ht – Make Your Blog Posts Accessible With Text to Speech Audio plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.6.4. |
Livemesh · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-25598 | Medium | 6.5 | — | 2024-03-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Livemesh Livemesh Addons for Elementor allows Stored XSS. This issue affects Livemesh Addons for Elementor: from n/a through 8.3. |
CVE-2024-27986 | Medium | 6.5 | — | 2024-03-14 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Livemesh Elementor Addons by Livemesh allows Stored XSS. This issue affects Elementor Addons by Livemesh: from n/a through 8.3.5. |
CVE-2024-2079 | Medium | 6.4 | — | 2024-03-13 | The WPBakery Page Builder Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'per_line_mobile' shortcode in all versions up to, and including, 3.8.1 due to insufficient input sanitization… |
Metagauss · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-1321 | Medium | 5.3 | — | 2024-03-13 | The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to payment bypass in all versions up to, and including, 3.4.2. |
CVE-2024-1127 | Medium | 4.3 | — | 2024-03-13 | The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the booking_export_all() function in all versions up to, and including, 3.4.1. |
CVE-2024-1126 | Medium | 4.3 | — | 2024-03-13 | The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_attendees_email_by_event_id() function in all versions up to, and includi… |
Movistar · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-2414 | High | 8.8 | — | 2024-03-13 | The primary channel is unprotected on Movistar 4G router affecting E version S_WLD71-T1_v2.0.201820. |
CVE-2024-2415 | High | 7.8 | — | 2024-03-13 | Command injection vulnerability in Movistar 4G router affecting version ES_WLD71-T1_v2.0.201820. |
CVE-2024-2416 | Medium | 6.5 | — | 2024-03-13 | Cross-Site Request Forgery vulnerability in Movistar's 4G router affecting version ES_WLD71-T1_v2.0.201820. |
Palo Alto Networks · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-2431 | Medium | 5.5 | — | 2024-03-13 | An issue in the Palo Alto Networks GlobalProtect app enables a non-privileged user to disable the GlobalProtect app in configurations that allow a user to disable GlobalProtect with a passcode. |
CVE-2024-2432 | Medium | 4.5 | — | 2024-03-13 | A privilege escalation (PE) vulnerability in the Palo Alto Networks GlobalProtect app on Windows devices enables a local user to execute programs with elevated privileges. |
CVE-2024-2433 | Medium | 4.3 | — | 2024-03-13 | An improper authorization vulnerability in Palo Alto Networks Panorama software enables an authenticated read-only administrator to upload files using the web interface and completely fill one of the disk partitions with those uploaded fil… |
Peering-manager · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-28114 | High | 8.1 | — | 2024-03-12 | Peering Manager is a BGP session management tool. |
CVE-2024-28112 | Medium | 6.1 | — | 2024-03-12 | Peering Manager is a BGP session management tool. |
CVE-2024-28113 | Low | 3.5 | — | 2024-03-12 | Peering Manager is a BGP session management tool. |
Pluginus · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-1795 | High | 8.8 | — | 2024-03-15 | The HUSKY – Products Filter for WooCommerce Professional plugin for WordPress is vulnerable to SQL Injection via the 'name' parameter in the woof shortcode in all versions up to, and including, 1.3.5.2 due to insufficient escaping on the u… |
CVE-2024-1796 | Medium | 6.4 | — | 2024-03-15 | The HUSKY – Products Filter for WooCommerce Professional plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'woof' shortcode in all versions up to, and including, 1.3.5.1 due to insufficient input sanitizati… |
CVE-2023-50861 | Medium | 4.3 | — | 2024-03-15 | Cross-Site Request Forgery (CSRF) vulnerability in realmag777 HUSKY – Products Filter for WooCommerce (formerly WOOF). This issue affects HUSKY – Products Filter for WooCommerce (formerly WOOF): from n/a through 1.3.4.3. |
Properfraction · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-1806 | Medium | 6.4 | — | 2024-03-13 | The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to… |
CVE-2024-1535 | Medium | 6.4 | — | 2024-03-13 | The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to… |
CVE-2024-1409 | Medium | 6.4 | — | 2024-03-13 | The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's [reg-select-role] shortcode in all… |
Skyhigh · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-0313 | Medium | 5.5 | — | 2024-03-14 | A malicious insider exploiting this vulnerability can circumvent existing security controls put in place by the organization. |
CVE-2024-0312 | Medium | 5.5 | — | 2024-03-14 | A malicious insider can uninstall Skyhigh Client Proxy without a valid uninstall password. |
CVE-2024-0311 | Medium | 5.5 | — | 2024-03-14 | A malicious insider can bypass the existing policy of Skyhigh Client Proxy without a valid release code. |
Sonicwall · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-22397 | High | 8.3 | — | 2024-03-14 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in the SonicOS SSLVPN portal allows a remote authenticated attacker as a firewall 'admin' user to store and execute arbitrary JavaScript code. |
CVE-2024-22396 | Medium | 5.3 | — | 2024-03-14 | An Integer-based buffer overflow vulnerability in the SonicOS via IPSec allows a remote attacker in specific conditions to cause Denial of Service (DoS) and potentially execute arbitrary code by sending a specially crafted IKEv2 payload. |
CVE-2024-22398 | Medium | 4.9 | — | 2024-03-14 | An improper Limitation of a Pathname to a Restricted Directory (Path Traversal) vulnerability in SonicWall Email Security Appliance could allow a remote attacker with administrative privileges to conduct a directory traversal attack and de… |
Surya2developer · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-2481 | Medium | 6.5 | — | 2024-03-15 | A vulnerability, which was classified as critical, was found in Surya2Developer Hostel Management System 1.0. |
CVE-2024-2483 | Medium | 4.3 | — | 2024-03-15 | A vulnerability, which was classified as problematic, has been found in Surya2Developer Hostel Management Service 1.0. |
CVE-2024-2482 | Low | 3.7 | — | 2024-03-15 | A vulnerability has been found in Surya2Developer Hostel Management Service 1.0 and classified as problematic. |
Vantage6 · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-24562 | Medium | 5.4 | — | 2024-03-14 | vantage6-UI is the official user interface for the vantage6 server. |
CVE-2024-24770 | Medium | 5.3 | — | 2024-03-14 | vantage6 is an open source framework built to enable, manage and deploy privacy enhancing technologies like Federated Learning and Multi-Party Computation. |
CVE-2024-23823 | Medium | 4.2 | — | 2024-03-14 | vantage6 is an open source framework built to enable, manage and deploy privacy enhancing technologies like Federated Learning and Multi-Party Computation. |
Wpdeveloper · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-1536 | High | 7.4 | — | 2024-03-13 | The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's event calendar widget in all versions up to, and includi… |
CVE-2024-1854 | Medium | 6.4 | — | 2024-03-13 | The Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the blockId parameter in all versions up to, and including, 4.5.1 due to insufficient input sa… |
CVE-2024-1537 | Medium | 6.4 | — | 2024-03-13 | The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Data Table widget in all versions up to, and including… |
Argoproj · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-28175 | Critical | 9.0 | — | 2024-03-13 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. |
CVE-2023-50726 | Medium | 6.4 | — | 2024-03-13 | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. |
Artibot · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-0447 | Medium | 5.0 | — | 2024-03-13 | The ArtiBot Free Chat Bot for WordPress WebSites plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the artibot_update function in all versions up to, and including, 1.1.6. |
CVE-2024-0449 | Medium | 4.4 | — | 2024-03-13 | The ArtiBot Free Chat Bot for WordPress WebSites plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.6 due to insufficient input sanitization and output escaping. |
Autopolis · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-0683 | High | 7.3 | — | 2024-03-13 | The Bulgarisation for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on several functions in all versions up to, and including, 3.0.14. |
CVE-2024-2395 | High | 7.3 | — | 2024-03-12 | The Bulgarisation for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.14. |
Bdthemes · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-1508 | Medium | 6.4 | — | 2024-03-13 | The Prime Slider – Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'settings['title_tags']' attribute of the Mercury widget in all versions up to, and including, 3.13.2 due to insufficient inp… |
CVE-2024-1507 | Medium | 6.4 | — | 2024-03-13 | The Prime Slider – Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title_tags' attribute of the Rubix widget in all versions up to, and including, 3.13.3 due to insufficient input sanitizatio… |
Carmelo · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-25250 | Critical | 9.8 | — | 2024-03-13 | SQL Injection vulnerability in code-projects Agro-School Management System 1.0 allows attackers to run arbitrary code via the Login page. |
CVE-2024-24105 | High | 7.8 | — | 2024-03-13 | SQL Injection vulnerability in Code-projects Computer Science Time Table System 1.0 allows attackers to run arbitrary code via adminFormvalidation.php. |
Cloudflare · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-1765 | Medium | 5.9 | — | 2024-03-12 | Cloudflare Quiche (through version 0.19.1/0.20.0) was affected by an unlimited resource allocation vulnerability causing rapid increase of memory usage of the system running quiche server or client. |
CVE-2024-1410 | Low | 3.7 | — | 2024-03-12 | Cloudflare quiche was discovered to be vulnerable to unbounded storage of information related to connection ID retirement, which could lead to excessive resource consumption. |
Codecabin · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-1582 | Medium | 6.4 | — | 2024-03-13 | The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpgmza' shortcode in all versions up to, and including, 9.0.32 due to insufficient input sanitization and output e… |
CVE-2023-4839 | Medium | 4.4 | — | 2024-03-13 | The WP Go Maps for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 9.0.32 due to insufficient input sanitization and output escaping. |
Codename065 · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2023-6954 | Medium | 6.4 | — | 2024-03-13 | The Download Manager Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 3.2.85 due to insufficient input sanitization and output escaping on user suppli… |
CVE-2023-6785 | Medium | 5.3 | — | 2024-03-13 | The Download Manager plugin for WordPress is vulnerable to unauthorized file download of files added via the plugin in all versions up to, and including, 3.2.84. |
Cyberlord92 · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-2172 | Critical | 9.8 | — | 2024-03-13 | The Malware Scanner plugin and the Web Application Firewall plugin for WordPress (both by MiniOrange) are vulnerable to privilege escalation due to a missing capability check on the mo_wpns_init() function in all versions up to, and includ… |
CVE-2024-0681 | Medium | 5.3 | — | 2024-03-13 | The Page Restriction WordPress (WP) – Protect WP Pages/Post plugin for WordPress is vulnerable to information disclosure in all versions up to, and including, 1.3.4. |
Devitemsllc · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-1421 | Medium | 6.4 | — | 2024-03-12 | The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘border_type’ attribute of the Post Carousel widget in all versions up to, and including, 2.4.4 due to insufficient input… |
CVE-2024-1397 | Medium | 6.4 | — | 2024-03-12 | The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's blocks in all versions up to, and including, 2.4.6 due to insufficient input sanitization and output escaping on… |
Directus · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-28239 | Medium | 5.4 | — | 2024-03-12 | Directus is a real-time API and App dashboard for managing SQL database content. |
CVE-2024-28238 | Low | 2.3 | — | 2024-03-12 | Directus is a real-time API and App dashboard for managing SQL database content. |
Edge22 · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-1479 | Medium | 5.3 | — | 2024-03-13 | The WP Show Posts plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.4 via the wpsp_display function. |
CVE-2024-1452 | Medium | 4.3 | — | 2024-03-13 | The GenerateBlocks plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.2 via Query Loop. |
File Manager · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2023-6825 | Critical | 9.9 | — | 2024-03-13 | The File Manager and File Manager Pro plugins for WordPress are vulnerable to Directory Traversal in versions up to, and including version 7.2.1 (free version) and 8.3.4 (Pro version) via the target parameter in the mk_file_folder_manager… |
CVE-2023-7015 | Medium | 6.1 | — | 2024-03-13 | The File Manager Pro plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tb' parameter in all versions up to, and including, 8.3.4 due to insufficient input sanitization and output escaping. |
Gpac · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-28318 | High | 7.1 | — | 2024-03-15 | gpac 2.3-DEV-rev921-g422b78ecf-master was discovered to contain an out of boundary write vulnerability via swf_get_string at scene_manager/swf_parse.c:325. |
CVE-2024-28319 | Medium | 6.2 | — | 2024-03-15 | gpac 2.3-DEV-rev921-g422b78ecf-master was discovered to contain an out of boundary read vulnerability via gf_dash_setup_period at media_tools/dash_client.c:6374. |
Inisev · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-0559 | Medium | 6.5 | — | 2024-03-11 | The Enhanced Text Widget WordPress plugin before 1.6.6 does not validate and escape some of its Widget options before outputting them back in attributes, which could allow high privilege users such as admin to perform Stored Cross-Site Scr… |
CVE-2024-0561 | Medium | 5.4 | — | 2024-03-11 | The Ultimate Posts Widget WordPress plugin before 2.3.1 does not validate and escape some of its Widget options before outputting them back in attributes, which could allow high privilege users such as admin to perform Stored Cross-Site Sc… |
Mha Sistemas · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-2480 | Medium | 6.3 | — | 2024-03-15 | A vulnerability classified as critical was found in MHA Sistemas arMHAzena 9.6.0.0. |
CVE-2024-2479 | Low | 3.5 | — | 2024-03-15 | A vulnerability classified as problematic has been found in MHA Sistemas arMHAzena 9.6.0.0. |
Najeebmedia · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-0830 | Medium | 4.3 | — | 2024-03-13 | The Comments Extra Fields For Post,Pages and CPT plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.0. |
CVE-2024-0829 | Medium | 4.3 | — | 2024-03-13 | The Comments Extra Fields For Post,Pages and CPT plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 5.0. |
Ndijkstra · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-1645 | Medium | 4.3 | — | 2024-03-11 | The Mollie Forms plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the exportRegistrations function in all versions up to, and including, 2.6.3. |
CVE-2024-1400 | Medium | 4.3 | — | 2024-03-11 | The Mollie Forms plugin for WordPress is vulnerable to unauthorized post or page duplication due to a missing capability check on the duplicateForm function in all versions up to, and including, 2.6.3. |
Rejetto · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-1226 | High | 7.5 | — | 2024-03-12 | The software does not neutralize or incorrectly neutralizes certain characters before the data is included in outgoing HTTP headers. |
CVE-2024-1227 | Medium | 6.5 | — | 2024-03-12 | An open redirect vulnerability, the exploitation of which could allow an attacker to create a custom URL and redirect a legitimate page to a malicious site. |
Roxnor · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-1763 | Medium | 6.5 | — | 2024-03-13 | The Wp Social Login and Register Social Counter plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the /wp_social/v1/ REST API endpoint in all versions up to, and including, 3.0.0. |
CVE-2024-1585 | Medium | 6.4 | — | 2024-03-13 | The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 3.8.3 due to insufficient input sanitization and output escapi… |
Sky Co.,ltd. · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-21805 | High | 7.8 | — | 2024-03-12 | Improper access control vulnerability exists in the specific folder of SKYSEA Client View versions from Ver.16.100 prior to Ver.19.2. |
CVE-2024-24964 | Medium | 6.3 | — | 2024-03-12 | Improper access control vulnerability exists in the resident process of SKYSEA Client View versions from Ver.11.220 prior to Ver.19.2. |
Themegrill · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-1462 | Medium | 5.3 | — | 2024-03-13 | The Maintenance Page plugin for WordPress is vulnerable to Basic Information Exposure in all versions up to, and including, 1.0.8 via the REST API. |
CVE-2024-1370 | Medium | 5.3 | — | 2024-03-13 | The Maintenance Page plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the subscribe_download function hooked via AJAX action in all versions up to, and including, 1.0.8. |
Tibco Software Inc. · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-1138 | High | 8.8 | — | 2024-03-12 | The FTL Server component of TIBCO Software Inc.'s TIBCO FTL - Enterprise Edition contains a vulnerability that allows a low privileged attacker with network access to execute a privilege escalation on the affected ftlserver. |
CVE-2024-1137 | Medium | 4.3 | — | 2024-03-12 | The Proxy and Client components of TIBCO Software Inc.'s TIBCO ActiveSpaces - Enterprise Edition contain a vulnerability that theoretically allows an Active Spaces client to passively observe data traffic to other clients. |
Ultimatemember · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-1071 | Critical | 9.8 | — | 2024-03-13 | The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to SQL Injection via the 'sorting' parameter in versions 2.1.3 to 2.8.2 due to insufficie… |
CVE-2024-2123 | High | 7.2 | — | 2024-03-13 | The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the several parameters in all versions up to, and incl… |
Wago · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2015-10123 | High | 8.8 | — | 2024-03-13 | An unauthenticated remote attacker could send specifically crafted packets to an affected device. |
CVE-2018-25090 | Medium | 5.4 | — | 2024-03-13 | An unauthenticated remote attacker can use an XSS attack due to improper neutralization of input during web page generation. |
Zemana · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-2204 | Medium | 5.5 | — | 2024-03-15 | Zemana AntiLogger v2.74.204.664 is vulnerable to a Denial of Service (DoS) vulnerability by triggering the 0x80002004 and 0x80002010 IOCTL codes of the zam64.sys and zamguard64.sys drivers. |
CVE-2024-2180 | Medium | 5.5 | — | 2024-03-15 | Zemana AntiLogger v2.74.204.664 is vulnerable to a Memory Information Leak vulnerability by triggering the 0x80002020 IOCTL code of the zam64.sys and zamguard64.sys drivers. |
Zoom · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-24693 | High | 7.2 | — | 2024-03-13 | Improper access control in the installer for Zoom Rooms Client for Windows before version 5.17.5 may allow an authenticated user to conduct a denial of service via local access. |
CVE-2024-24692 | Medium | 5.3 | — | 2024-03-13 | Race condition in the installer for Zoom Rooms Client for Windows before version 5.17.5 may allow an authenticated user to conduct a denial of service via local access. |
Abocms · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-25227 | Critical | 9.8 | — | 2024-03-15 | SQL Injection vulnerability in ABO.CMS version 5.8, allows remote attackers to execute arbitrary code, cause a denial of service (DoS), escalate privileges, and obtain sensitive information via the tb_login parameter in admin login page. |
Advancedplugins · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-28390 | Critical | 9.8 | — | 2024-03-14 | An issue in Advanced Plugins ultimateimagetool module for PrestaShop before v.2.2.01, allows a remote attacker to escalate privileges and obtain sensitive information via Improper Access Control. |
Aio-libs · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-27305 | Medium | 5.3 | — | 2024-03-12 | aiosmtpd is a reimplementation of the Python stdlib smtpd.py based on asyncio. |
Ajexperience · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-1068 | High | 7.2 | — | 2024-03-11 | The 404 Solution WordPress plugin before 2.35.8 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by high privilege users such as admins. |
Amd · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-2193 | Medium | 5.7 | — | 2024-03-15 | A Speculative Race Condition (SRC) vulnerability that impacts modern CPU architectures supporting speculative execution (related to Spectre V1) has been disclosed. |
Ameliabooking · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-1484 | Medium | 6.1 | — | 2024-03-13 | The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the date parameters in all versions up to, and including, 1.0.98 due to insufficient input sanitization and… |
Appleple · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-27279 | Medium | 6.5 | — | 2024-03-12 | Directory traversal vulnerability exists in a-blog cms Ver.3.1.x series Ver.3.1.9 and earlier, Ver.3.0.x series Ver.3.0.30 and earlier, Ver.2.11.x series Ver.2.11.59 and earlier, Ver.2.10.x series Ver.2.10.51 and earlier, and Ver.2.9 and e… |
Aweber · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-1793 | High | 7.2 | — | 2024-03-13 | The AWeber – Free Sign Up Form and Landing Page Builder Plugin for Lead Generation and Email Newsletter Growth plugin for WordPress is vulnerable to SQL Injection via the 'post_id' parameter in all versions up to, and including, 7.3.14 due… |
Barrykooij · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-0592 | Medium | 5.4 | — | 2024-03-13 | The Related Posts for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.1. |
Basix · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-25593 | Medium | 6.5 | — | 2024-03-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Basix NEX-Forms – Ultimate Form Builder allows Stored XSS. This issue affects NEX-Forms – Ultimate Form Builder: from n/a through 8.5.5. |
Bitapps · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-1640 | Medium | 5.3 | — | 2024-03-13 | The Contact Form Builder Plugin: Multi Step Contact Form, Payment Form, Custom Contact Form Plugin by Bit Form plugin for WordPress is vulnerable to unauthorized modification of data due to insufficient user validation on the bitforms_up… |
Blossomthemes · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-2107 | Medium | 5.8 | — | 2024-03-12 | The Blossom Spa theme for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.3 via generated source. |
Bluecoral · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-0898 | Medium | 4.4 | — | 2024-03-13 | The Chat Bubble – Floating Chat with Contact Chat Icons, Messages, Telegram, Email, SMS, Call me back plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.3 due to ins… |
Bobbingwide · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-2256 | Medium | 6.4 | — | 2024-03-14 | The oik plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes such as bw_contact_button and bw_button shortcodes in all versions up to, and including, 4.10.0 due to insufficient input sanitization an… |
Boldgrid · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-0386 | High | 7.2 | — | 2024-03-12 | The weForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Referer' HTTP header in all versions up to, and including, 1.6.21 due to insufficient input sanitization and output escaping. |
Bradwenqiang · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-2478 | Medium | 6.3 | — | 2024-03-15 | A vulnerability was found in BradWenqiang HR 2.0. |
Brainstormforce · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-1237 | Medium | 6.4 | — | 2024-03-13 | The Elementor Header & Footer Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the flyout_layout attribute in all versions up to, and including, 1.6.24 due to insufficient input sanitization and output escaping. |
Broadcom · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2023-43279 | Medium | 6.5 | — | 2024-03-12 | Null Pointer Dereference in mask_cidr6 component at cidr.c in Tcpreplay 4.4.4 allows attackers to crash the application via crafted tcprewrite command. |
Burstbv · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-1894 | Medium | 6.4 | — | 2024-03-13 | The Burst Statistics – Privacy-Friendly Analytics for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'burst_total_pageviews_count' custom meta field in all versions up to, and including, 1.5.6.1 due to… |
Canon Inc. · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-2184 | Critical | 9.8 | — | 2024-03-11 | Buffer overflow in identifier field of WSD probe request process of Small Office Multifunction Printers and Laser Printers(*) which may allow an attacker on the network segment to trigger the affected product being unresponsive or to execu… |
Castos · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2023-6444 | Medium | 5.3 | — | 2024-03-11 | The Seriously Simple Podcasting WordPress plugin before 3.0.0 discloses the Podcast owner's email address (which by default is the admin email address) via an unauthenticated crafted request. |
Catchsquare · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-27189 | Medium | 6.5 | — | 2024-03-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in catchsquare WP Social Widget allows Stored XSS. This issue affects WP Social Widget: from n/a through 2.2.5. |
Chatgptnextweb · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2023-49785 | Critical | 9.1 | — | 2024-03-12 | NextChat, also known as ChatGPT-Next-Web, is a cross-platform chat user interface for use with ChatGPT. |
Choijun · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-2249 | Medium | 6.4 | — | 2024-03-14 | The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the LinkWrapper attribute found in several widgets in all versions up to, and including, 1.3.7.4 due to insufficient input saniti… |
Chrisbadgett · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-0377 | Medium | 5.3 | — | 2024-03-13 | The LifterLMS – WordPress LMS Plugin for eLearning plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'process_review' function in all versions up to, and including, 7.5.1. |
Cimg · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-26540 | High | 7.8 | — | 2024-03-15 | A heap-based buffer overflow in CImg before 3.3.3 can occur via a crafted file to cimg_library::CImg<unsigned char>::_load_analyze. |
Citrix · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-2049 | Medium | 6.5 | — | 2024-03-12 | Server-Side Request Forgery (SSRF) in Citrix SD-WAN Standard/Premium Editions on or after 11.4.0 and before 11.4.4.46 allows an attacker to disclose limited information from the appliance via Access to management IP. |
Ckan · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-27097 | Medium | 4.3 | — | 2024-03-13 | A user endpoint didn't perform filtering on an incoming parameter, which was added directly to the application log. |
Codeium · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-28120 | Medium | 6.5 | — | 2024-03-11 | codeium-chrome is an open source code completion plugin for the chrome web browser. |
Codepeople · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-2020 | High | 7.2 | — | 2024-03-13 | The Calculated Fields Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form page href parameter in all versions up to, and including, 5.1.56 due to insufficient input sanitization and output escaping. |
Codeworkweb · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-2130 | Medium | 6.4 | — | 2024-03-12 | The CWW Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Module2 widget in all versions up to, and including, 1.2.7 due to insufficient input sanitization and output escaping on user supplied attributes. |
Collabora · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-25114 | Low | 2.6 | — | 2024-03-11 | Collabora Online is a collaborative online office suite based on LibreOffice technology. |
Comesio · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-1380 | Medium | 5.3 | — | 2024-03-13 | The Relevanssi – A Better Search plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the relevanssi_export_log_check() function in all versions up to, and including, 4.22.0 (Free) and 2.25… |
Concerted Action · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-25921 | High | 7.1 | — | 2024-03-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Concerted Action Action Network allows Reflected XSS. This issue affects Action Network: from n/a through 1.4.2. |
Contest-gallery · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-1487 | Medium | 5.4 | — | 2024-03-11 | The Photos and Files Contest Gallery WordPress plugin before 21.3.1 does not sanitize and escape some parameters, which could allow users with a role as low as author to perform Cross-Site Scripting attacks. |
Conversios · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-1203 | High | 8.8 | — | 2024-03-13 | The Conversios – Google Analytics 4 (GA4), Meta Pixel & more Via Google Tag Manager For WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'valueData' parameter in all versions up to, and including, 7.0.7 due to insuff… |
Cool Plugins · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-27953 | Medium | 4.7 | — | 2024-03-13 | Missing Authorization vulnerability in Cool Plugins Cryptocurrency Widgets – Price Ticker & Coins List. This issue affects Cryptocurrency Widgets – Price Ticker & Coins List: from n/a through 2.6.8. |
Corewcf · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-28252 | High | 7.5 | — | 2024-03-15 | CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. |
Cozmoslabs · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2023-51522 | Medium | 4.3 | — | 2024-03-15 | Cross-Site Request Forgery (CSRF) vulnerability in Cozmoslabs Paid Member Subscriptions. This issue affects Paid Member Subscriptions: from n/a through 2.10.4. |
Cozyvision · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-1489 | Medium | 4.3 | — | 2024-03-13 | The SMS Alert Order Notifications – WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.6.9. |
Crmperks · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-2030 | Medium | 6.4 | — | 2024-03-13 | The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 1.3.3 due to insufficient input sanitization an… |
David De Boer · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-25099 | Medium | 6.5 | — | 2024-03-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in David de Boer Paytium: Mollie payment forms & donations allows Stored XSS. This issue affects Paytium: Mollie payment forms & donations: f… |
Dev.institute · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-0687 | Medium | 5.3 | — | 2024-03-13 | The Restrict User Access – Ultimate Membership & Content Protection plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.5 via API. |
Devolutions · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-2403 | Medium | 5.9 | — | 2024-03-13 | Improper cleanup in temporary file handling component in Devolutions Remote Desktop Manager 2024.1.12 and earlier on Windows allows an attacker that compromised a user endpoint, under specific circumstances, to access sensitive information… |
Djangoproject · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-27351 | Medium | 5.3 | — | 2024-03-15 | In Django 3.2 before 3.2.25, 4.2 before 4.2.11, and 5.0 before 5.0.3, the django.utils.text.Truncator.words() method (with html=True) and the truncatewords_html template filter are subject to a potential regular expression denial-of-servic… |
Doofinder · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-25596 | Medium | 5.9 | — | 2024-03-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Doofinder Doofinder for WooCommerce allows Stored XSS. This issue affects Doofinder for WooCommerce: from n/a through 2.1.8. |
Droitthemes · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-2252 | Medium | 5.4 | — | 2024-03-13 | The Droit Elementor Addons – Widgets, Blocks, Templates Library For Elementor Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 3.1.5 due to insufficien… |
Duitku · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-0631 | Medium | 5.3 | — | 2024-03-13 | The Duitku Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the check_duitku_response function in all versions up to, and including, 2.11.6. |
Etoile Web Design · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-25597 | High | 7.1 | — | 2024-03-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Etoile Web Design Ultimate Reviews allows Stored XSS. This issue affects Ultimate Reviews: from n/a through 3.2.8. |
Eve-ng · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-2391 | Low | 2.4 | — | 2024-03-12 | A vulnerability was found in EVE-NG 5.0.1-13 and classified as problematic. |
Eyoucms · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2023-42286 | Critical | 9.8 | — | 2024-03-14 | There is a PHP file inclusion vulnerability in the template configuration of eyoucms v1.6.4, allowing attackers to execute code or system commands through a carefully crafted malicious payload. |
Faronics · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-1618 | High | 7.8 | — | 2024-03-12 | An unquoted search path vulnerability in Faronics Deep Freeze Server Standard affects versions 8.30.020.4627 and earlier. |
Fedoraproject · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-2400 | High | 8.8 | — | 2024-03-13 | Use after free in Performance Manager in Google Chrome prior to 122.0.6261.128 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
Feedwordpress_project · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-0839 | Medium | 5.3 | — | 2024-03-13 | The FeedWordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2022.0222 due to missing validation on the user controlled 'guid' key. |
Feluelle · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-28423 | Critical | 9.8 | — | 2024-03-14 | Airflow-Diagrams v2.1.0 was discovered to contain an arbitrary file upload vulnerability in the unsafe_load function at cli.py. |
Flamescorpion · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-1843 | Medium | 4.3 | — | 2024-03-13 | The Auto Affiliate Links plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the aalAddLink function in all versions up to, and including, 6.4.3. |
Fluentforms · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2023-6957 | Medium | 4.9 | — | 2024-03-13 | The Fluent Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 5.1.9 due to insufficient input sanitization and output escaping. |
Fluid-cloudnative · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2023-51699 | Medium | 4.0 | — | 2024-03-15 | Fluid is an open source Kubernetes-native Distributed Dataset Orchestrator and Accelerator for data-intensive applications. |
Fmemodules · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-28391 | Critical | 9.8 | — | 2024-03-14 | SQL injection vulnerability in FME Modules quickproducttable module for PrestaShop v.1.2.1 and before, allows a remote attacker to escalate privileges and obtain information via the readCsv(), displayAjaxProductChangeAttr, displayAjaxProdu… |
Follow-redirects · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-28849 | Medium | 6.5 | — | 2024-03-14 | follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. |
Formfacade · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-25934 | Medium | 6.5 | — | 2024-03-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FormFacade allows Stored XSS. This issue affects FormFacade: from n/a through 1.0.0. |
Forwardflip · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-1862 | High | 8.1 | — | 2024-03-13 | The WooCommerce Add to Cart Custom Redirect plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'wcr_dismiss_admin_notice' function in all versions up to, and in… |
Freescout · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-28186 | High | 7.1 | — | 2024-03-12 | FreeScout is an open source help desk and shared inbox built with PHP. |
Frenify · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-0385 | Medium | 4.3 | — | 2024-03-13 | The Categorify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the categorifyAjaxAddCategory function in all versions up to, and including, 1.0.7.4. |
Frentix · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-28198 | Medium | 4.6 | — | 2024-03-11 | OpenOlat is an open source web-based e-learning platform for teaching, learning, assessment and communication. |
Friendlyelec · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-2495 | Medium | 5.2 | — | 2024-03-15 | Hard-coded cryptographic key in the FriendlyWrt firmware, affecting version 2022-11-16.51b3d35. |
Friendsofsymfony1 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-28859 | Medium | 5.0 | — | 2024-03-15 | Symfony1 is a community fork of symfony 1.4 with DIC, form enhancements, latest Swiftmailer, better performance, composer compatible and PHP 8 support. |
Gacjie · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-2406 | Medium | 5.4 | — | 2024-03-12 | A vulnerability, which was classified as critical, was found in Gacjie Server up to 1.0. |
Geminilabs · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-2293 | Medium | 6.4 | — | 2024-03-13 | The Site Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user display name in all versions up to, and including, 6.11.4 due to insufficient input sanitization and output escaping. |
Geovision · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2022-46070 | High | 7.5 | — | 2024-03-11 | GV-ASManager V6.0.1.0 contains a Local File Inclusion vulnerability in GeoWebServer via Path. |
Givewp · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-27987 | High | 7.1 | — | 2024-03-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in StellarWP GiveWP (give). This issue affects GiveWP: from n/a through 3.3.1. |
Glpi-project · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-27756 | High | 8.8 | — | 2024-03-15 | GLPI through 10.0.12 allows CSV injection by an attacker who is able to create an asset with a crafted title. |
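The GLPI entry above is CSV injection: an asset title beginning with a formula character is evaluated when the exported file is opened in a spreadsheet. As an added example, not GLPI's code, the following Python shows the two sides of the defence a practitioner wants: an export path that neutralises formula-triggering cells, and a scanner that flags such cells in an existing export. The trigger-character list, the sample inventory rows and the payload in them are constructed for the example.

```python
import csv
import io

# Leading characters that make common spreadsheet applications treat a cell
# as a formula. Tab and carriage return are included because they can start a
# new cell or line ahead of a formula. This list is an assumption for the example.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value: str) -> bool:
    """True if a spreadsheet would evaluate the cell instead of displaying it."""
    return value.startswith(FORMULA_TRIGGERS)


def neutralize_cell(value) -> str:
    """Escape one cell so it is rendered as text rather than executed.

    A leading single quote makes Excel and LibreOffice treat the content as a
    literal string (most applications hide the quote). The original value is
    otherwise preserved, so the export still carries what the user typed."""
    text = "" if value is None else str(value)
    if is_formula_like(text):
        text = "'" + text
    return text


def export_rows(rows, header) -> str:
    """Write `rows` to CSV with every data cell neutralised; returns the CSV text."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)                       # header is application-controlled
    for row in rows:
        writer.writerow([neutralize_cell(v) for v in row])
    return buf.getvalue()


def find_injection_cells(csv_text: str):
    """Scan an existing export; returns (row, column, value) for each formula-like cell."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if is_formula_like(cell):
                hits.append((r, c, cell))
    return hits


# Constructed sample: an inventory export in which one asset title is a
# DDE-style payload of the kind CSV injection relies on.
SAMPLE_ROWS = [
    (1, "Laptop-0123", "Alice"),
    (2, '=cmd|"/C calc"!A0', "Mallory"),
    (3, "-1+1", "Bob"),
]

if __name__ == "__main__":
    exported = export_rows(SAMPLE_ROWS, ("id", "title", "owner"))
    print(exported)
    print("formula-like cells left in export:", find_injection_cells(exported))
```

The quote prefix also hits legitimate values such as negative numbers or phone numbers written with a leading `+`; write genuinely numeric columns from their numeric type and apply `neutralize_cell` to free-text columns only if that matters for your consumers. `find_injection_cells` is the check to run against an export you did not produce yourself.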
Go-vela · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-28236 | High | 7.7 | — | 2024-03-12 | Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. |
Gonahkar · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2023-6809 | Medium | 6.4 | — | 2024-03-13 | The Custom fields shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's cf shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping on user suppli… |
Gpriday · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-1723 | Medium | 6.4 | — | 2024-03-13 | The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in all versions up to, and including, 1.58.7 due to insufficient input sanitization and output escaping. |
Hasthemes · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-1176 | Medium | 5.3 | — | 2024-03-13 | The HT Easy GA4 – Google Analytics WordPress Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the login() function in all versions up to, and including, 1.1.5. |
Heimavista · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-2412 | Medium | 5.3 | — | 2024-03-13 | The disabling function of the user registration page for Heimavista Rpage and Epage is not properly implemented, allowing remote attackers to complete user registration on sites where user registration is supposed to be disabled. |
Hiroaki Miyashita · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-25919 | Medium | 6.5 | — | 2024-03-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hiroaki Miyashita Custom Field Template allows Stored XSS. This issue affects Custom Field Template: from n/a through 2.6. |
Hitachi · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2023-6814 | Medium | 5.6 | — | 2024-03-12 | Insertion of Sensitive Information into Log File vulnerability in Hitachi Cosminexus Component Container allows local users to gain sensitive information. This issue affects Cosminexus Component Container: from 11-30 before 11-30-05, from 1… |
Hopsoft · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-28181 | High | 8.1 | — | 2024-03-14 | turbo_boost-commands is a set of commands to help you build robust reactive applications with Rails & Hotwire. |
Hp Inc. · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2023-5410 | High | 8.2 | — | 2024-03-12 | A potential security vulnerability has been reported in the system BIOS of certain HP PC products, which might allow memory tampering. |
I13websolution · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2015-10130 | Medium | 5.3 | — | 2024-03-13 | The Team Circle Image Slider With Lightbox plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 1.0. |
Icopydoc · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-1365 | Medium | 6.1 | — | 2024-03-13 | The YML for Yandex Market plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the feed_id parameter in all versions up to, and including, 4.2.3 due to insufficient input sanitization and output escaping. |
Imdpen · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-2031 | Medium | 6.4 | — | 2024-03-12 | The Video Conferencing with Zoom plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'zoom_recordings_by_meeting' shortcode in all versions up to, and including, 4.4.4 due to insufficient input sanitization a… |
Implem Inc. · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-21584 | Medium | 6.1 | — | 2024-03-12 | Pleasanter 1.3.49.0 and earlier contains a cross-site scripting vulnerability. |
Intumit · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-2413 | Critical | 9.8 | — | 2024-03-13 | Intumit SmartRobot uses a fixed encryption key for authentication. |
Inunosinsi · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-28187 | High | 7.2 | — | 2024-03-11 | SOY CMS is an open source CMS (content management system) that allows you to build blogs and online shops. |
Jfrog · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-2247 | High | 8.8 | — | 2024-03-13 | JFrog Artifactory versions below 7.77.7, 7.82.1, are vulnerable to DOM-based cross-site scripting due to improper handling of the import override mechanism. |
Jmash · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-27196 | High | 7.1 | — | 2024-03-15 | Cross Site Scripting (XSS) vulnerability in Joel Starnes postMash – custom post order allows Reflected XSS. This issue affects postMash – custom post order: from n/a through 1.2.0. |
Joseph C Dolson · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-25916 | Medium | 6.5 | — | 2024-03-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Joseph C Dolson My Calendar allows Stored XSS. This issue affects My Calendar: from n/a through 3.4.23. |
Kadencewp · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-1541 | Medium | 6.4 | — | 2024-03-13 | The Gutenberg Blocks by Kadence Blocks – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the htmlTag attribute in all versions up to, and including, 3.2.23 due to insufficient input sanitization… |
Kbjohnson90 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2023-6969 | Medium | 4.3 | — | 2024-03-13 | The User Shortcodes Plus plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.2 via the user_meta shortcode due to missing validation on a user controlled key. |
Kirillmakarov · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-2365 | Low | 1.6 | — | 2024-03-11 | A vulnerability classified as problematic was found in Musicshelf 1.0/1.1 on Android. |
Kodezen · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-1505 | High | 8.8 | — | 2024-03-13 | The Academy LMS – eLearning and online course solution for WordPress plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.9.19. |
Korenix · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-2371 | Medium | 6.2 | — | 2024-03-12 | Information exposure vulnerability in Korenix JetI/O 6550 affecting firmware version F208 Build:0817. |
Leantime · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-27703 | Medium | 5.4 | — | 2024-03-13 | Cross Site Scripting vulnerability in Leantime 3.0.6 allows a remote attacker to execute arbitrary code via the to-do title parameter. |
Linkedin · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-28425 | High | 7.5 | — | 2024-03-14 | greykite v1.0.0 was discovered to contain an arbitrary file upload vulnerability in the load_obj function at /templates/pickle_utils.py. |
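Two entries in this list name loader functions: greykite's `load_obj` in `pickle_utils.py` here and Airflow-Diagrams' `unsafe_load` in `cli.py` (CVE-2024-28423). The file and function names suggest pickle and YAML deserialization of untrusted input; that reading is an assumption, since the summaries only say "arbitrary file upload". As an added example, not code from either project, the following Python shows the control that makes a pickle load of untrusted data safe: an `Unpickler` whose `find_class` is an allowlist, so a stream carrying an `os.system` gadget is refused before anything runs, plus a `pickletools` pass that lists the globals a stream would import without executing it. The allowlist, the gadget and the payloads are constructed for the example.

```python
import collections
import importlib
import io
import os
import pickle
import pickletools

# Globals the loader may resolve. Everything else (os.system, subprocess.*,
# builtins.eval, ...) is refused before it is called. This allowlist is an
# assumption for the example; tune it to the types your artifacts contain.
ALLOWED_GLOBALS = {
    ("collections", "OrderedDict"),
    ("collections", "defaultdict"),
    ("builtins", "set"),
    ("builtins", "frozenset"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler whose global lookups are gated by an allowlist.

    pickle resolves every GLOBAL/STACK_GLOBAL in the stream through
    find_class() and then calls the result with attacker-chosen arguments, so
    this hook is the single point at which a load of untrusted data is made safe."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return getattr(importlib.import_module(module), name)
        raise pickle.UnpicklingError(f"global {module}.{name} is not allowed")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_or_reject(data: bytes):
    """Return ('ok', object) or ('blocked', reason); no gadget is ever executed."""
    try:
        return "ok", restricted_loads(data)
    except pickle.UnpicklingError as exc:
        return "blocked", str(exc)


def referenced_globals(data: bytes):
    """List the (module, name) pairs a stream would import, without running it.

    Useful for triaging uploaded artifacts. Protocols 0-3 use GLOBAL with
    "module name" as its argument; protocol 4+ push two strings, then STACK_GLOBAL."""
    found, strings = [], []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name == "GLOBAL":
            found.append(tuple(arg.split(" ", 1)))
        elif opcode.name == "STACK_GLOBAL":
            found.append((strings[-2], strings[-1]))
        elif opcode.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8",
                             "UNICODE", "STRING", "BINSTRING", "SHORT_BINSTRING"):
            strings.append(arg)
    return found


class _Gadget:
    """Constructed malicious object: unpickling it would call os.system()."""
    def __reduce__(self):
        return (os.system, ("echo pwned",))


def malicious_payload() -> bytes:
    return pickle.dumps(_Gadget())


def benign_payload() -> bytes:
    return pickle.dumps({"a": [1, 2], "b": "x"})


def ordered_payload() -> bytes:
    return pickle.dumps(collections.OrderedDict([("k", 1)]))


if __name__ == "__main__":
    print("globals in malicious stream:", referenced_globals(malicious_payload()))
    print(load_or_reject(malicious_payload()))
    print(load_or_reject(benign_payload()))
```

`referenced_globals` is a triage aid, not the enforcement: a stream can reach the same callable through allowed types' `__reduce__` chains, so the `find_class` gate is what must stay in front of `load()`. The real fix for an upload endpoint is to stop accepting pickle at all and use a data-only format; for YAML the equivalent of the gate is `yaml.safe_load` in place of `yaml.unsafe_load` or `yaml.load` with the full loader.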
Logitech · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-2537 | Medium | 4.4 | — | 2024-03-15 | Improper Control of Dynamically-Managed Code Resources vulnerability in Logitech Logi Tune on MacOS allows Local Code Inclusion. |
Magesh-k21 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-2514 | High | 7.3 | — | 2024-03-15 | A vulnerability classified as critical was found in MAGESH-K21 Online-College-Event-Hall-Reservation-System 1.0. |
Mainwp · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-1642 | Medium | 4.3 | — | 2024-03-13 | The MainWP Dashboard – WordPress Manager for Multiple Websites Maintenance plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.6.0.1. |
Mayurik · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-2418 | Medium | 6.3 | — | 2024-03-13 | A vulnerability was found in SourceCodester Best POS Management System 1.0. |
Munyweki · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-25854 | Medium | 6.1 | — | 2024-03-11 | Cross Site Scripting (XSS) vulnerability in Sourcecodester Insurance Management System 1.0 allows attackers to run arbitrary code via the Subject and Description fields when submitting a support ticket. |
Mz-automation · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-26529 | High | 7.5 | — | 2024-03-13 | An issue in mz-automation libiec61850 v.1.5.3 and before, allows a remote attacker to cause a denial of service (DoS) via the mmsServer_handleDeleteNamedVariableListRequest function of src/mms/iso_mms/server/mms_named_variable_list_service… |
Netweblogic · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-0614 | Medium | 4.4 | — | 2024-03-13 | The Events Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 6.4.6.4 due to insufficient input sanitization and output escaping. |
Newsletter2go · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-1328 | Medium | 6.4 | — | 2024-03-12 | The Newsletter2Go plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘style’ parameter in all versions up to, and including, 4.0.14 due to insufficient input sanitization and output escaping. |
Nixos · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-27297 | Medium | 6.3 | — | 2024-03-11 | Nix is a package manager for Linux and other Unix systems. |
Omron Corporation · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-27121 | High | 7.2 | — | 2024-03-12 | Path traversal vulnerability exists in Machine Automation Controller NJ Series and Machine Automation Controller NX Series. |
Palantir · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2023-30968 | Medium | 6.8 | — | 2024-03-12 | One of Gotham Gaia services was found to be vulnerable to a stored cross-site scripting (XSS) vulnerability that could have allowed an attacker to bypass CSP and get a persistent cross site scripting payload on the stack. |
Pawaryogesh1989 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-0369 | Medium | 4.3 | — | 2024-03-13 | The Bulk Edit Post Titles plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bulkUpdatePostTitles function in all versions up to, and including, 5.0.0. |
Payu India · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-27193 | High | 7.1 | — | 2024-03-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PayU India (payu-india) allows DOM-Based XSS. This issue affects PayU India: from n/a through 3.8.8. |
Pega · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2023-50168 | High | 7.7 | — | 2024-03-14 | Pega Platform from 6.x to 8.8.4 is affected by an XXE issue with PDF Generation. |
Phlex · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-28199 | High | 7.1 | — | 2024-03-11 | phlex is an open source framework for building object-oriented views in Ruby. |
Pickplugins · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2023-7072 | High | 7.5 | — | 2024-03-12 | The Post Grid Combo – 36+ Gutenberg Blocks plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.68 via the 'get_posts' REST API Endpoint. |
Pinterest · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-28251 | Medium | 5.6 | — | 2024-03-14 | Querybook is a Big Data Querying UI, combining collocated table metadata and a simple notebook interface. |
Plv8 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-1713 | High | 7.2 | — | 2024-03-14 | A user who can create objects in a database with plv8 3.2.1 installed is able to cause deferred triggers to execute as the Superuser during autovacuum. |
Postalserver · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-27938 | Medium | 5.3 | — | 2024-03-11 | Postal is an open source SMTP server. |
Projectdiscovery · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-27920 | High | 7.4 | — | 2024-03-15 | projectdiscovery/nuclei is a fast and customisable vulnerability scanner based on simple YAML based DSL. |
Pterodactyl · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-27102 | Critical | 9.9 | — | 2024-03-13 | Wings is the server control plane for Pterodactyl Panel. |
Rafflepress · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-1935 | High | 7.2 | — | 2024-03-13 | The Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘parent_url’ parameter in all versions up to, and inclu… |
Raspap · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-2497 | Medium | 4.7 | — | 2024-03-15 | A vulnerability was found in RaspAP raspap-webgui 3.0.9 and classified as critical. |
Remyandrade · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-2393 | Medium | 6.3 | — | 2024-03-12 | A vulnerability was found in SourceCodester CRUD without Page Reload 1.0. |
Rocklobster · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-2242 | Medium | 6.1 | — | 2024-03-13 | The Contact Form 7 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘active-tab’ parameter in all versions up to, and including, 5.9 due to insufficient input sanitization and output escaping. |
Root3 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-27301 | High | 7.3 | — | 2024-03-14 | Support App is an opensource application specialized in managing Apple devices. |
Sagemcom · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-1623 | High | 7.7 | — | 2024-03-14 | Insufficient session timeout vulnerability in the FAST3686 V2 Vodafone router from Sagemcom. |
Sandisk · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-22167 | High | 7.9 | — | 2024-03-13 | A potential DLL hijacking vulnerability in the SanDisk PrivateAccess application for Windows that could lead to arbitrary code execution in the context of the system user. |
Santesoft · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-1696 | High | 7.8 | — | 2024-03-11 | In Santesoft Sante FFT Imaging versions 1.4.1 and prior once a user opens a malicious DCM file on affected FFT Imaging installations, a local attacker could perform an out-of-bounds write, which could allow for arbitrary code execution. |
Scott Reilly · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-27192 | High | 7.1 | — | 2024-03-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Scott Reilly Configure SMTP allows Reflected XSS. This issue affects Configure SMTP: from n/a through 3.1. |
Shapedplugin · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-1363 | Medium | 6.4 | — | 2024-03-13 | The Easy Accordion – Best Accordion FAQ Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'accordion_content_source' attribute in all versions up to, and including, 2.3.4 due to insufficient inp… |
Shellcreeper · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-0906 | Medium | 5.3 | — | 2024-03-12 | The f(x) Private Site plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.2.1 via the API. |
Simple-membership-plugin · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-1985 | Medium | 4.7 | — | 2024-03-13 | The Simple Membership plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Display Name' parameter in all versions up to, and including, 4.4.2 due to insufficient input sanitization and output escaping. |
Sirv · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2023-50898 | Medium | 5.4 | — | 2024-03-15 | Missing Authorization vulnerability in sirv.Com Sirv. This issue affects Sirv: from n/a through 7.1.2. |
Snowflake · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-28851 | Medium | 4.0 | — | 2024-03-15 | The Snowflake Hive metastore connector provides an easy way to query Hive-managed data via Snowflake. |
Softing · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-0860 | High | 8.0 | — | 2024-03-14 | The affected product is vulnerable to a cleartext transmission of sensitive information vulnerability, which may allow an attacker to capture packets to craft their own requests. |
Soundcloud Inc., Lawrie Malen · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-25936 | Medium | 6.5 | — | 2024-03-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SoundCloud Inc., Lawrie Malen SoundCloud Shortcode allows Stored XSS. This issue affects SoundCloud Shortcode: from n/a through 4.0.1. |
Sourcecodester · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-2394 | Medium | 4.7 | — | 2024-03-12 | A vulnerability was found in SourceCodester Employee Management System 1.0. |
Squirrly · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-1273 | Medium | 6.1 | — | 2024-03-11 | The Starbox WordPress plugin before 3.5.0 does not sanitise and escape some parameters, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks |
Standalonetech · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-1690 | Medium | 4.3 | — | 2024-03-13 | The TeraWallet – Best WooCommerce Wallet System With Cashback Rewards, Partial Payment, Wallet Refunds plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the terawallet_export_user_search… |
Stimulusreflex · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-28121 | High | 8.8 | — | 2024-03-12 | stimulus_reflex is a system to extend the capabilities of both Rails and Stimulus by intercepting user interactions and passing them to Rails over real-time websockets. |
Storeapps · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2023-5663 | High | 8.8 | — | 2024-03-13 | The News Announcement Scroll plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 9.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparat… |
Strangerstudios · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-1279 | Medium | 4.3 | — | 2024-03-11 | The Paid Memberships Pro WordPress plugin before 2.12.9 does not prevent user with at least the contributor role from leaking other users' sensitive metadata. |
Strategy11 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-1290 | Medium | 6.5 | — | 2024-03-11 | The User Registration WordPress plugin before 2.12 does not prevent users with at least the contributor role from rendering sensitive shortcodes, allowing them to generate, and leak, valid password reset URLs, which they can use to take ov… |
Stylemix · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-2106 | Medium | 5.3 | — | 2024-03-13 | The MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin for WordPress is vulnerable to Information Exposure in versions up to, and including, 3.2.10. |
Sysbasics · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2023-51369 | Medium | 4.3 | — | 2024-03-15 | Cross-Site Request Forgery (CSRF) vulnerability in SysBasics Customize My Account for WooCommerce. This issue affects Customize My Account for WooCommerce: from n/a through 1.8.3. |
The Libreswan Project (Www.libreswan.org) · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-2357 | Medium | 6.5 | — | 2024-03-11 | The Libreswan Project was notified of an issue causing libreswan to restart under some IKEv2 retransmit scenarios when a connection is configured to use PreSharedKeys (authby=secret) and the connection cannot find a matching configured sec… |
Theme-fusion · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-1668 | Medium | 6.5 | — | 2024-03-13 | The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to Sensitive Information Exposure in versions up to and including 7.11.5 via the form entries page. |
Themekraft · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-1158 | Medium | 4.3 | — | 2024-03-13 | The Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the buddyfo… |
Themencode · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-25097 | Medium | 6.5 | — | 2024-03-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeNcode LLC TNC PDF viewer allows Stored XSS. This issue affects TNC PDF viewer: from n/a through 2.8.0. |
Themeum · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-1751 | High | 8.8 | — | 2024-03-13 | The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to time-based SQL Injection via the question_id parameter in all versions up to, and including, 2.6.1 due to insufficient escaping on the user supplied… |
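The two SQL injection rows above (News Announcement Scroll via a shortcode parameter, Tutor LMS via `question_id`) share one root cause: a user-supplied value is concatenated into the query text instead of being bound as a parameter. The following is an added illustration, not code from either plugin; it uses Python's `sqlite3` with a constructed `quiz_answers` table and the hypothetical column names below, where the real plugins use PHP and `$wpdb`. The shape of the bug and the fix are the same in both.

```python
import sqlite3

# Constructed sample data, not taken from either plugin.
SAMPLE_ROWS = [(1, 10, "a"), (2, 11, "b"), (3, 12, "c")]


def make_db() -> sqlite3.Connection:
    """In-memory database with a hypothetical quiz_answers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE quiz_answers (question_id INTEGER, user_id INTEGER, answer TEXT)"
    )
    conn.executemany("INSERT INTO quiz_answers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def answers_vulnerable(conn: sqlite3.Connection, question_id: str):
    """Vulnerable pattern: the request value becomes part of the SQL text.

    A payload such as '1 OR 1=1' rewrites the WHERE clause and returns every
    user's answer; a time-based payload would use the same entry point.
    """
    sql = f"SELECT user_id, answer FROM quiz_answers WHERE question_id = {question_id}"
    return conn.execute(sql).fetchall()


def answers_safe(conn: sqlite3.Connection, question_id: str):
    """Hardened pattern: validate the type, then bind the value as a parameter.

    The database driver never parses the attacker's string as SQL, so the
    injected 'OR 1=1' is simply a non-integer that is rejected up front.
    """
    try:
        qid = int(question_id)
    except (TypeError, ValueError):
        return []
    return conn.execute(
        "SELECT user_id, answer FROM quiz_answers WHERE question_id = ?", (qid,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", answers_vulnerable(db, "1 OR 1=1"))
    print("safe:      ", answers_safe(db, "1 OR 1=1"))
```

Binding parameters is the fix; the integer cast is defence in depth for a column that should only ever receive integers. In WordPress the equivalent is `$wpdb->prepare()` with a `%d` placeholder.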
Tmccombs · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-28854 | High | 7.5 | — | 2024-03-15 | tls-listener is a rust lang wrapper around a connection listener to support TLS. |
Tms-outsource · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-0591 | Medium | 6.1 | — | 2024-03-13 | The wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'A' parameter in all versions up to, and including, 3.4.2.2 due to insufficient inpu… |
Toyoko Inn It Solution Co., Ltd. · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-27440 | Medium | 4.8 | — | 2024-03-13 | The Toyoko Inn official App for iOS versions prior to 1.13.0 and Toyoko Inn official App for Android versions prior to 1.3.14 don't properly verify server certificates, which allows a man-in-the-middle attacker to spoof servers and obtain sen… |
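"Does not properly verify server certificates" usually means one of two things in a mobile client: the TLS library is told to accept any certificate, or the certificate is checked against the CA store but never matched against the host the app meant to reach. The following added example (written here for illustration, not the app's code) shows both sides in Python: the insecure context configuration beside the default secure one, and a standalone hostname-matching routine following the RFC 6125 rules that a client must apply to the certificate's DNS names. The `make_client_context` flag name is an assumption for this example.

```python
import ssl
from typing import Iterable


def make_client_context(verify: bool = True) -> ssl.SSLContext:
    """Build a client TLS context.

    verify=True  -> Python's defaults: CERT_REQUIRED, hostname checking on,
                    system CA store loaded.
    verify=False -> the anti-pattern behind "does not verify server
                    certificates": any certificate, including one minted by
                    an on-path attacker, is accepted.
    """
    ctx = ssl.create_default_context()
    if not verify:
        # check_hostname must be cleared before verify_mode can be CERT_NONE
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hostname_matches(pattern: str, host: str) -> bool:
    """Match one certificate DNS name (possibly wildcard) against a host.

    Rules applied: case-insensitive; a wildcard must be the entire leftmost
    label, must not match more than one label, and must not sit directly
    before a top-level domain (so '*.com' never matches).
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(san_dns_names: Iterable[str], host: str) -> bool:
    """True if any subjectAltName dNSName entry covers the requested host."""
    return any(hostname_matches(name, host) for name in san_dns_names)


if __name__ == "__main__":
    # Constructed SAN list, not from any real certificate.
    san = ["api.example.com", "*.cdn.example.com"]
    print(cert_matches_host(san, "api.example.com"))        # True
    print(cert_matches_host(san, "img.cdn.example.com"))    # True
    print(cert_matches_host(san, "attacker.example.com"))   # False
    print(make_client_context().verify_mode == ssl.CERT_REQUIRED)
```

Chain validation without hostname matching is the more common mistake, and it is exactly the gap an attacker with any valid certificate for any domain exploits. When using the `ssl` module directly, leave `create_default_context()` as it is; the `verify=False` branch exists only to show what the insecure configuration looks like in code review.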
Unknown · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2023-7247 | Medium | 4.9 | — | 2024-03-11 | The Login as User or Customer WordPress plugin through 3.8 does not prevent users from logging in as any other user on the site. |
Veribo, Roland Murg · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2023-51525 | Medium | 4.3 | — | 2024-03-15 | Cross-Site Request Forgery (CSRF) vulnerability in Veribo, Roland Murg WP Simple Booking Calendar. This issue affects WP Simple Booking Calendar: from n/a through 2.0.8.4. |
Veronalabs · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-2194 | High | 7.2 | — | 2024-03-13 | The WP Statistics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the URL search parameter in all versions up to, and including, 14.5 due to insufficient input sanitization and output escaping. |
Visualcomposer · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2023-6880 | Medium | 6.4 | — | 2024-03-13 | The Visual Composer Website Builder, Landing Page Builder, Custom Theme Builder, Maintenance Mode & Coming Soon Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's custom fields in all versions up to, a… |
Wokamoto · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-0700 | Medium | 6.4 | — | 2024-03-13 | The Simple Tweet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Tweet this text value in all versions up to, and including, 1.4.0.2 due to insufficient input sanitization and output escaping. |
Wowdevs · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-2286 | Medium | 6.4 | — | 2024-03-13 | The Sky Addons for Elementor (Free Templates Library, Live Copy, Animations, Post Grid, Post Carousel, Particles, Sliders, Chart) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the wrapper link URL value in all versi… |
Wp Codeus · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-27952 | High | 7.1 | — | 2024-03-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Codeus Advanced Sermons allows Reflected XSS. This issue affects Advanced Sermons: from n/a through 3.2. |
Wp-eventmanager · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-0976 | Medium | 6.1 | — | 2024-03-13 | The WP Event Manager – Events Calendar, Registrations, Sell Tickets with WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the plugin parameter in all versions up to, and including, 3.1.41 due to insuffic… |
Wpchill · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-1083 | Medium | 5.3 | — | 2024-03-13 | The Simple Restrict plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.2.6 via the REST API. |
Wpmaspik · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-25101 | Medium | 5.9 | — | 2024-03-13 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in yonifre Maspik – Spam Blacklist allows Stored XSS. This issue affects Maspik – Spam Blacklist: from n/a through 0.10.6. |
Wpmu Dev · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-25592 | Medium | 5.9 | — | 2024-03-15 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPMU DEV Broken Link Checker allows Stored XSS. This issue affects Broken Link Checker: from n/a through 2.2.3. |
Wpmudev · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-0368 | High | 8.6 | — | 2024-03-13 | The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.8.3 via hardcoded API Keys. |
Wpvivid · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-1383 | Medium | 6.1 | — | 2024-03-13 | The WPvivid Backup for MainWP plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'id' parameter in all versions up to, and including, 0.9.32 due to insufficient input sanitization and output escaping. |
Zemena · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-1853 | Medium | 5.5 | — | 2024-03-14 | Zemana AntiLogger v2.74.204.664 is vulnerable to an Arbitrary Process Termination vulnerability by triggering the 0x80002048 IOCTL code of the zam64.sys and zamguard64.sys drivers. |
Zephyrproject · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2023-7060 | High | 8.6 | — | 2024-03-15 | Zephyr OS IP packet handling does not properly drop IP packets arriving on an external interface with a source address equal to 127.0.0.1 or the destination address. |
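The Zephyr row describes a missing ingress sanity check: a packet from the wire claiming a loopback source, or claiming to come from the receiving host itself, should never be accepted on an external interface, because services that trust "local" traffic would otherwise be reachable by anyone who can spoof a source address. The following is an added example of that check, written for this page in Python rather than taken from Zephyr's C network stack; it parses a minimal IPv4 header from constructed bytes and applies the drop policy. `should_drop` and `build_ipv4` are names chosen here, not Zephyr APIs.

```python
import ipaddress
import struct
from typing import Tuple

LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")


def build_ipv4(src: str, dst: str, payload: bytes = b"") -> bytes:
    """Construct a minimal IPv4 packet (20-byte header, checksum left zero)."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                       # version 4, IHL 5 (20 bytes)
        0,                          # DSCP/ECN
        20 + len(payload),          # total length
        0,                          # identification
        0,                          # flags / fragment offset
        64,                         # TTL
        17,                         # protocol (UDP, arbitrary here)
        0,                          # header checksum (not verified below)
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )
    return header + payload


def parse_ipv4_header(pkt: bytes) -> Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]:
    """Return (src, dst) from an IPv4 header, rejecting malformed input."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    ver_ihl = pkt[0]
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    src = ipaddress.IPv4Address(pkt[12:16])
    dst = ipaddress.IPv4Address(pkt[16:20])
    return src, dst


def should_drop(pkt: bytes, iface_addr: str, is_loopback_iface: bool = False) -> bool:
    """Ingress policy for a packet received on the given interface.

    On a non-loopback interface, drop if:
      * the source or destination is in 127.0.0.0/8 (loopback must never
        appear on the wire), or
      * the source equals the receiving interface's own address (the packet
        claims to be from us, which only a spoofer would send).
    Loopback interfaces legitimately carry 127/8 traffic and are exempt.
    """
    if is_loopback_iface:
        return False
    src, dst = parse_ipv4_header(pkt)
    own = ipaddress.IPv4Address(iface_addr)
    if src in LOOPBACK_NET or dst in LOOPBACK_NET:
        return True
    if src == own:
        return True
    return False


def filter_ingress(packets, iface_addr: str) -> Tuple[list, list]:
    """Split a batch of packets into (accepted, dropped) for one interface."""
    accepted, dropped = [], []
    for pkt in packets:
        (dropped if should_drop(pkt, iface_addr) else accepted).append(pkt)
    return accepted, dropped


if __name__ == "__main__":
    # Constructed sample traffic arriving on an interface addressed 192.0.2.10.
    batch = [
        build_ipv4("198.51.100.7", "192.0.2.10"),   # ordinary remote peer
        build_ipv4("127.0.0.1", "192.0.2.10"),      # spoofed loopback source
        build_ipv4("192.0.2.10", "192.0.2.10"),     # spoofed as ourselves
        build_ipv4("198.51.100.7", "127.0.0.1"),    # aimed at loopback
    ]
    ok, bad = filter_ingress(batch, "192.0.2.10")
    print(f"accepted={len(ok)} dropped={len(bad)}")
```

The same policy is what RFC 1812-style "martian" filtering does in a router, and it belongs as early as possible in the receive path, before any socket lookup that might treat a loopback or self-sourced packet as trusted.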
Zitadel · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-28197 | High | 7.5 | — | 2024-03-11 | Zitadel is an open source identity management system. |