CVE-2024-45387 |
Description: An SQL injection vulnerability in Traffic Ops in Apache Traffic Control <= 8.0.1, >= 8.0.0 allows a privileged user with role "admin", "federation", "operations", "portal", or "steering" to execute arbitrary SQL against the database by sending a specially-crafted PUT request.
Users are recommended to upgrade to version Apache Traffic Control 8.0.2 if you run an affected version of Traffic Ops.
References
https://nvd.nist.gov/vuln/detail/CVE-2024-45387
https://lists.apache.org/thread/t38nk5n7t8w3pb66z7z4pqfzt4443trr
http://www.openwall.com/lists/oss-security/2024/12/23/3
https://github.com/apache/trafficcontrol/releases/tag/v8.0.2
https://github.com/advisories/GHSA-vq94-9pfv-ccqr
CVSS: CRITICAL (9.9) EPSS Score: 0.04%
December 23rd, 2024 (4 months ago)
|
CVE-2024-56333 |
Description: Onyxia is a web app that aims at being the glue between multiple open source backend technologies to provide a state-of-the-art working environment for data scientists. This critical vulnerability allows authenticated users to remotely execute code within the Onyxia-API, leading to potential consequences such as unauthorized access to other user environments and denial of service attacks. This issue has been patched in api versions 4.2.0, 3.1.1, and 2.8.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS: CRITICAL (9.4) EPSS Score: 0.04%
December 21st, 2024 (4 months ago)
|
CVE-2024-56330 |
Description: Stardust is a platform for streaming isolated desktop containers. With this exploit, inter container communication (ICC) is not disabled. This would allow users within a container to access another container's agent, therefore compromising access. The problem has been patched in any Stardust build past 12/20/24. Users are advised to upgrade. Users may also manually disable ICC if they are unable to upgrade.
CVSS: CRITICAL (9.3) EPSS Score: 0.04%
December 21st, 2024 (4 months ago)
|
CVE-2024-54215 |
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Roninwp Revy. This issue affects Revy: from n/a through 1.18.
CVSS: CRITICAL (9.3) EPSS Score: 0.04%
December 21st, 2024 (4 months ago)
|
CVE-2024-54214 |
Description: Unrestricted Upload of File with Dangerous Type vulnerability in Roninwp Revy allows Upload a Web Shell to a Web Server. This issue affects Revy: from n/a through 1.18.
CVSS: CRITICAL (10.0) EPSS Score: 0.04%
December 21st, 2024 (4 months ago)
|
CVE-2024-51466 |
Description: IBM Cognos Analytics 11.2.0 through 11.2.4 FP4 and 12.0.0 through 12.0.4 is vulnerable to an Expression Language (EL) Injection vulnerability. A remote attacker could exploit this vulnerability to expose sensitive information, consume memory resources, and/or cause the server to crash when using a specially crafted EL statement.
CVSS: CRITICAL (9.0) EPSS Score: 0.13%
December 21st, 2024 (4 months ago)
|
CVE-2024-43234 |
Description: Authentication Bypass Using an Alternate Path or Channel vulnerability in WofficeIO Woffice allows Authentication Bypass. This issue affects Woffice: from n/a through 5.4.14.
CVSS: CRITICAL (9.8) EPSS Score: 0.04%
December 21st, 2024 (4 months ago)
|
CVE-2024-43222 |
Description: Missing Authorization vulnerability in SeventhQueen Sweet Date. This issue affects Sweet Date: from n/a through 3.7.3.
CVSS: CRITICAL (9.8) EPSS Score: 0.04%
December 21st, 2024 (4 months ago)
|
CVE-2024-12728 |
Description: A weak credentials vulnerability potentially allows privileged system access via SSH to Sophos Firewall older than version 20.0 MR3 (20.0.3).
CVSS: CRITICAL (9.8) EPSS Score: 0.04%
December 21st, 2024 (4 months ago)
|
CVE-2024-12727 |
Description: A pre-auth SQL injection vulnerability in the email protection feature of Sophos Firewall versions older than 21.0 MR1 (21.0.1) allows access to the reporting database and can lead to remote code execution if a specific configuration of Secure PDF eXchange (SPX) is enabled in combination with the firewall running in High Availability (HA) mode.
CVSS: CRITICAL (9.8) EPSS Score: 0.04%
December 21st, 2024 (4 months ago)
|