Threat and Vulnerability Intelligence Database

CVE-2024-48840

Description: Unauthorized Access vulnerabilities allow Remote Code Execution. Affected products: ABB ASPECT - Enterprise v3.08.02; NEXUS Series v3.08.02; MATRIX Series v3.08.02

CVSS: CRITICAL (9.3)

EPSS Score: 0.04%

Source: CVE
December 6th, 2024

CVE-2024-48839

Description: Improper Input Validation vulnerability allows Remote Code Execution. Affected products: ABB ASPECT - Enterprise v3.08.02; NEXUS Series v3.08.02; MATRIX Series v3.08.02

CVSS: CRITICAL (10.0)

EPSS Score: 0.04%

Source: CVE
December 6th, 2024

CVE-2024-47939

Description: Stack-based buffer overflow vulnerability exists in multiple Ricoh laser printers and MFPs which implement Web Image Monitor. If this vulnerability is exploited, receiving a specially crafted request created and sent by an attacker may lead to arbitrary code execution and/or a denial-of-service (DoS) condition. As for the details of affected product names and versions, refer to the information provided by the vendor under [References].

CVSS: CRITICAL (9.8)

EPSS Score: 0.05%

Source: CVE
December 6th, 2024

CVE-2024-11317

Description: Session Fixation vulnerabilities allow an attacker to fix a user's session identifier before login, providing an opportunity for session takeover on a product. Affected products: ABB ASPECT - Enterprise v3.08.02; NEXUS Series v3.08.02; MATRIX Series v3.08.02

CVSS: CRITICAL (10.0)

EPSS Score: 0.04%

Source: CVE
December 6th, 2024
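
The mechanism behind the session fixation entry above, as an added example that is not ABB's code and assumes nothing about how ASPECT, NEXUS or MATRIX manage sessions: a toy in-memory session store with two login routines, one that authenticates whatever session id the client presented (the fixation-prone pattern) and one that discards the pre-login id and issues a fresh one at the moment of authentication. The user name, password and store API are constructed for the demo.

```python
import hmac
import secrets

# Constructed demo credential; real systems store a password hash, never the password.
USERS = {"alice": "correct horse battery staple"}


def _check_password(username, password):
    expected = USERS.get(username)
    return expected is not None and hmac.compare_digest(expected, password)


class SessionStore:
    """Server-side session table: session id -> {"user": authenticated user or None}."""

    def __init__(self):
        self.sessions = {}

    def new_session(self):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def get(self, sid):
        # Unknown or missing id: issue a fresh anonymous session.
        if sid is None or sid not in self.sessions:
            sid = self.new_session()
        return sid, self.sessions[sid]

    def login_fixation_prone(self, sid, username, password):
        """Authenticates the session the client presented, in place."""
        sid, sess = self.get(sid)
        if not _check_password(username, password):
            return sid, False
        sess["user"] = username  # an attacker-planted id is now an authenticated session
        return sid, True

    def login_hardened(self, sid, username, password):
        """Rotates the session id on privilege change: the pre-login id is invalidated."""
        old_sid, _ = self.get(sid)
        if not _check_password(username, password):
            return old_sid, False
        self.sessions.pop(old_sid, None)
        new_sid = self.new_session()
        self.sessions[new_sid]["user"] = username
        return new_sid, True


def fixation_attack(store, login):
    """Returns True if the attacker ends up holding an authenticated session."""
    # 1. Attacker obtains a valid, unauthenticated session id from the application.
    planted = store.new_session()
    # 2. Victim is made to use that id (link, cookie injection, ...) and then logs in.
    _, ok = login(planted, "alice", "correct horse battery staple")
    if not ok:
        return False
    # 3. Attacker presents the id they planted. Does the server treat it as alice?
    view = store.sessions.get(planted)
    return view is not None and view["user"] == "alice"


def demo():
    vulnerable, hardened = SessionStore(), SessionStore()
    return {
        "fixation_prone_takeover": fixation_attack(vulnerable, vulnerable.login_fixation_prone),
        "hardened_takeover": fixation_attack(hardened, hardened.login_hardened),
    }
```

The check to apply when assessing a product for this class of bug is the same as step 3: obtain a session id before authenticating, log in while presenting it, and see whether the server still honours the original id afterwards. A server that accepts session ids from URL parameters or from client-supplied cookies it did not issue makes planting the id much easier, so the rotation at login is what matters.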

CVE-2023-34464

Description: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 2.2.1 until versions 14.4.8, 14.10.5, and 15.1RC1 of org.xwiki.platform:xwiki-platform-web and any version prior to 14.4.8, 14.10.5, and 15.1.RC1 of org.xwiki.platform:xwiki-platform-web-templates, any user who can edit a document in a wiki like the user profile can create a stored cross-site scripting attack. The attack occurs by putting plain HTML code into that document and then tricking another user to visit that document with the `displaycontent` or `rendercontent` template and plain output syntax. If a user with programming rights is tricked into visiting such a URL, arbitrary actions can be performed with this user's rights, impacting the confidentiality, integrity, and availability of the whole XWiki installation. This has been patched in XWiki 14.4.8, 14.10.5 and 15.1RC1 by setting the content type of the response to plain text when the output syntax is not an HTML syntax.

CVSS: CRITICAL (9.1)

EPSS Score: 0.07%

Source: CVE
December 6th, 2024
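
The fix described above is a content-type decision, not an escaping change: content emitted verbatim under a non-HTML output syntax must not be served as `text/html`. As an added example (not XWiki code; the syntax identifiers, the `render_*` functions and the one-line browser model are assumptions made for the demo), the vulnerable and patched shapes of that decision, plus the `X-Content-Type-Options: nosniff` header a practitioner would add so a browser cannot sniff the plain-text response back into HTML:

```python
from dataclasses import dataclass, field

# Assumed identifiers for the output syntaxes a wiki renderer might be asked for.
HTML_SYNTAXES = {"xhtml/1.0", "html/5.0", "annotatedxhtml/1.0"}

# Constructed payload standing in for raw HTML stored in an editable document.
STORED_PAYLOAD = '<p>hi</p><script>alert(document.cookie)</script>'


@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)


def render_vulnerable(document_content: str, output_syntax: str) -> Response:
    """Pre-fix shape: the response is always text/html, whatever syntax was requested.

    Under a plain output syntax the content is passed through unchanged, so stored
    HTML reaches the browser as HTML.
    """
    return Response(body=document_content,
                    headers={"Content-Type": "text/html; charset=UTF-8"})


def render_patched(document_content: str, output_syntax: str) -> Response:
    """Post-fix shape: non-HTML output syntaxes are served as text/plain."""
    if output_syntax in HTML_SYNTAXES:
        content_type = "text/html; charset=UTF-8"
    else:
        content_type = "text/plain; charset=UTF-8"
    return Response(
        body=document_content,
        headers={
            "Content-Type": content_type,
            # Defence in depth: stops MIME sniffing of text/plain into a scriptable type.
            "X-Content-Type-Options": "nosniff",
        },
    )


def browser_would_execute_script(resp: Response) -> bool:
    """Crude browser model: inline script runs only when the response is HTML."""
    ctype = resp.headers.get("Content-Type", "").split(";")[0].strip().lower()
    return ctype == "text/html" and "<script" in resp.body.lower()


def demo():
    return {
        "vulnerable_plain": browser_would_execute_script(
            render_vulnerable(STORED_PAYLOAD, "plain/1.0")),
        "patched_plain": browser_would_execute_script(
            render_patched(STORED_PAYLOAD, "plain/1.0")),
    }
```

The model deliberately does not cover the HTML output syntaxes, where the wiki renderer transforms rather than copies the content; the vulnerable path in the entry is the plain one, where nothing between the stored bytes and the browser changes them, so the only control left is the content type.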

CVE-2023-30945

Description: Multiple services such as VHS (Video History Server), VCD (Video Clip Distributor) and Clips2 were discovered to be vulnerable to an unauthenticated arbitrary file read/write vulnerability due to missing input validation on filenames. A malicious attacker could read sensitive files from the filesystem or write/delete arbitrary files on the filesystem as well.

CVSS: CRITICAL (9.8)

EPSS Score: 0.18%

Source: CVE
December 6th, 2024

CVE-2024-6246

Description: Wyze Cam v3 Realtek Wi-Fi Driver Heap-Based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Wyze Cam v3 IP cameras. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Realtek Wi-Fi kernel module. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the kernel. Was ZDI-CAN-22310.

CVSS: CRITICAL (9.6)

EPSS Score: 0.07%

Source: CVE
December 5th, 2024

CVE-2024-54221

Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Roninwp FAT Services Booking. This issue affects FAT Services Booking: from n/a through 5.6.

CVSS: CRITICAL (9.3)

EPSS Score: 0.04%

Source: CVE
December 5th, 2024

CVE-2024-50942

Description: qiwen-file v1.4.0 was discovered to contain a SQL injection vulnerability via the component /mapper/NoticeMapper.xml.

CVSS: CRITICAL (9.8)

EPSS Score: 0.05%

Source: CVE
December 5th, 2024
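
Both SQL injection entries above (FAT Services Booking and the qiwen-file mapper) describe the same defect: a caller-controlled value becomes part of the statement text instead of a bound parameter. As an added example, not code from either project, the vulnerable and parameterised forms against a constructed SQLite "notice" table, followed by the audit check a reviewer would run over a MyBatis mapper XML file. The page does not say which statement in NoticeMapper.xml is affected; the `${...}` string substitution shown in the constructed mapper below is the usual way such a file ends up injectable, and is an assumption here, not a quote from qiwen-file.

```python
import re
import sqlite3


def setup_db():
    """Constructed in-memory schema: public/internal notices plus a user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notice (id INTEGER PRIMARY KEY, title TEXT, body TEXT, public INTEGER)")
    conn.executemany(
        "INSERT INTO notice (title, body, public) VALUES (?, ?, ?)",
        [("Welcome", "Hello everyone", 1),
         ("Maintenance", "Downtime Sunday", 1),
         ("Internal", "admin reset token: ABCD-1234", 0)],  # constructed sensitive row
    )
    conn.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT)")
    conn.execute("INSERT INTO user (name, pw_hash) VALUES ('admin', 'constructed-hash')")
    return conn


def find_public_notices_vulnerable(conn, title):
    # The value is spliced into the SQL text, the same effect as MyBatis ${title}.
    sql = f"SELECT title, body FROM notice WHERE public = 1 AND title = '{title}'"
    return conn.execute(sql).fetchall()


def find_public_notices_fixed(conn, title):
    # Bound parameter, the same effect as MyBatis #{title}: the value can never
    # change the statement's structure.
    sql = "SELECT title, body FROM notice WHERE public = 1 AND title = ?"
    return conn.execute(sql, (title,)).fetchall()


# Constructed payload: closes the quote, neutralises the public=1 filter with OR 1=1,
# appends a UNION over another table and comments out the trailing quote.
PAYLOAD = "x' OR 1=1 UNION SELECT name, pw_hash FROM user --"


def demo():
    conn = setup_db()
    return {
        "vulnerable": find_public_notices_vulnerable(conn, PAYLOAD),
        "fixed": find_public_notices_fixed(conn, PAYLOAD),
        "legit": find_public_notices_fixed(conn, "Welcome"),
    }


# Constructed mapper fragment for the audit check; not qiwen-file's NoticeMapper.xml.
MAPPER_XML = """<mapper namespace="com.example.NoticeMapper">
  <select id="byTitle" resultType="Notice">
    SELECT * FROM notice WHERE title = '${title}'
  </select>
  <select id="byId" resultType="Notice">
    SELECT * FROM notice WHERE id = #{id}
  </select>
</mapper>"""


def find_unsafe_interpolations(xml_text):
    """Lists ${...} substitutions, which MyBatis inlines as raw text (unlike #{...})."""
    return re.findall(r"\$\{[^}]+\}", xml_text)
```

The vulnerable query returns the non-public notice and the row from the user table in one result set; the parameterised query returns nothing for the payload and exactly the requested row for a normal title. Running `find_unsafe_interpolations` over every mapper file in a MyBatis project is a cheap first pass; each `${...}` hit then needs a manual look at whether the value is caller-controlled.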

CVE-2024-39165

Description: QR/demoapp/qr_image.php in Asial JpGraph Professional through 4.2.6-pro allows remote attackers to execute arbitrary code via a PHP payload in the data parameter in conjunction with a .php file name in the filename parameter. This occurs because an unnecessary QR/demoapp folder is shipped with the product.

CVSS: CRITICAL (9.8)

EPSS Score: 0.04%

Source: CVE
December 5th, 2024
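
Two entries on this page, the VHS/VCD/Clips2 arbitrary file read/write (missing validation on filenames) and the JpGraph demo script (a caller-chosen `.php` filename written with caller-chosen data), are both filename-handling failures. As an added example that is not code from either product, a single validation routine that closes both: a strict syntactic check, an extension allow-list, and a post-`realpath` containment check, beside the unsafe `os.path.join` pattern the entries describe. Directory layout, the `.png`-only policy and the function names are assumptions for the demo.

```python
import os
import re
import tempfile

# One dot, no separators, bounded length: rejects "..", "a/b.png", "x.php.png", ".png".
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,60}\.[A-Za-z0-9]{1,8}$")


def resolve_upload_path(base_dir, user_filename, allowed_exts=(".png",)):
    """Return an absolute path strictly under base_dir, or raise ValueError."""
    # 1. Syntactic check on the bare name.
    if not SAFE_NAME.fullmatch(user_filename):
        raise ValueError("invalid filename")
    # 2. Extension allow-list: .php, .phtml, .phar and friends can never get through.
    _, ext = os.path.splitext(user_filename)
    if ext.lower() not in allowed_exts:
        raise ValueError("extension not allowed")
    # 3. Containment after symlink resolution; guards against a symlinked base_dir
    #    and against a future relaxation of step 1.
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_filename))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes base directory")
    return candidate


def resolve_vulnerable(base_dir, user_filename):
    """The pattern both entries describe: the name is joined and used as-is."""
    return os.path.join(base_dir, user_filename)


def write_qr_image(base_dir, user_filename, data: bytes):
    """Writes an image under base_dir; O_EXCL refuses to overwrite an existing file."""
    path = resolve_upload_path(base_dir, user_filename)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def demo():
    base = tempfile.mkdtemp()
    results = {}
    for name in ("chart.png", "../../etc/passwd", "shell.php", "image.PNG",
                 "a/b.png", "x.php.png", ".png"):
        try:
            results[name] = os.path.relpath(resolve_upload_path(base, name), base)
        except ValueError as e:
            results[name] = f"rejected: {e}"
    escaped = os.path.normpath(resolve_vulnerable(base, "../../etc/passwd"))
    results["vulnerable_join_stays_inside"] = escaped.startswith(base + os.sep)
    return results


def write_demo():
    """First write succeeds; a second write to the same name is refused, not overwritten."""
    base = tempfile.mkdtemp()
    path = write_qr_image(base, "qr.png", b"\x89PNG\r\n\x1a\n")
    with open(path, "rb") as f:
        first = f.read()
    try:
        write_qr_image(base, "qr.png", b"overwrite")
        refused = False
    except FileExistsError:
        refused = True
    return first, refused
```

Two points the code makes that the entries only imply: the extension check must run on the lower-cased extension (an `image.PNG` should be accepted, a `shell.PhP` must not), and the containment check has to come after `realpath`, because a base directory that is itself a symlink makes a naive string-prefix comparison on the unresolved path pass for paths that end up elsewhere on disk. Removing shipped demo code from production installs, as the JpGraph entry suggests, removes the whole attack surface rather than hardening it.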