CVE-2024-54262 |
Description: Unrestricted Upload of File with Dangerous Type vulnerability in Siddharth Nagar Import Export For WooCommerce allows Upload a Web Shell to a Web Server. This issue affects Import Export For WooCommerce: from n/a through 1.5.
CVSS: CRITICAL (9.9) EPSS Score: 0.04%
December 14th, 2024 (4 months ago)
|
CVE-2024-54261 |
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in HK Digital Agency LLC TAX SERVICE Electronic HDM allows SQL Injection. This issue affects TAX SERVICE Electronic HDM: from n/a through 1.1.2.
CVSS: CRITICAL (10.0) EPSS Score: 0.04%
December 14th, 2024 (4 months ago)
|
CVE-2024-54239 |
Description: Missing Authorization vulnerability in dugudlabs Eyewear prescription form allows Privilege Escalation. This issue affects Eyewear prescription form: from n/a through 4.0.18.
CVSS: CRITICAL (9.8) EPSS Score: 0.04%
December 14th, 2024 (4 months ago)
|
CVE-2024-54234 |
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wp-buy Limit Login Attempts allows SQL Injection. This issue affects Limit Login Attempts: from n/a through 5.5.
CVSS: CRITICAL (9.3) EPSS Score: 0.04%
December 14th, 2024 (4 months ago)
|
CVE-2024-52057 |
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RTI Connext Professional (Queuing Service) allows SQL Injection. This issue affects Connext Professional: from 7.0.0 before 7.3.0, from 6.1.0 before 6.1.2.17, from 6.0.0 before 6.0.*, from 5.2.0 before 5.3.*.
CVSS: CRITICAL (9.1) EPSS Score: 0.04%
December 14th, 2024 (4 months ago)
|
CVE-2024-21577 |
Description: ComfyUI-Ace-Nodes is vulnerable to Code Injection. The ACE_ExpressionEval node contains an eval() in its entrypoint function that accepts arbitrary user-controlled data. A user can create a workflow that results in executing arbitrary code on the server.
CVSS: CRITICAL (10.0) EPSS Score: 0.04%
December 14th, 2024 (4 months ago)
|
CVE-2024-21576 |
Description: ComfyUI-Bmad-Nodes is vulnerable to Code Injection. The issue stems from a validation bypass in the BuildColorRangeHSVAdvanced, FilterContour and FindContour custom nodes. In the entrypoint function to each node, there’s a call to eval which can be triggered by generating a workflow that injects a crafted string into the node. This can result in executing arbitrary code on the server.
CVSS: CRITICAL (10.0) EPSS Score: 0.04%
December 14th, 2024 (4 months ago)
|
CVE-2024-11986 |
Description: Improper input handling in the 'Host Header' allows an unauthenticated attacker to store a payload in web application logs. When an Administrator views the logs using the application's standard functionality, it enables the execution of the payload, resulting in Stored XSS or 'Cross-Site Scripting'.
CVSS: CRITICAL (9.6) EPSS Score: 0.04%
December 14th, 2024 (4 months ago)
|
CVE-2024-55879 |
Description: XWiki Platform is a generic wiki platform. Starting in version 2.3 and prior to versions 15.10.9, 16.3.0, any user with script rights can perform arbitrary remote code execution by adding instances of `XWiki.ConfigurableClass` to any page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. This has been patched in XWiki 15.10.9 and 16.3.0. No known workarounds are available except upgrading.
CVSS: CRITICAL (9.1) EPSS Score: 0.05%
December 13th, 2024 (4 months ago)
|
CVE-2024-55877 |
Description: XWiki Platform is a generic wiki platform. Starting in version 9.7-rc-1 and prior to versions 15.10.11, 16.4.1, and 16.5.0, any user with an account can perform arbitrary remote code execution by adding instances of `XWiki.WikiMacroClass` to any page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been fixed in XWiki 15.10.11, 16.4.1 and 16.5.0. It is possible to manually apply the patch to the page `XWiki.XWikiSyntaxMacrosList` as a workaround.
CVSS: CRITICAL (10.0) EPSS Score: 0.05%
December 13th, 2024 (4 months ago)
|