Threat and Vulnerability Intelligence Database

CVE-2024-10961

Description: The Social Login plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.9.0. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token.

CVSS: CRITICAL (9.8)

EPSS Score: 0.05%

Source: CVE
November 27th, 2024 (6 months ago)

CVE-2024-10542

Description: The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to an authorization bypass via reverse DNS spoofing on the checkWithoutToken function in all versions up to, and including, 6.43.2. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated.

CVSS: CRITICAL (9.8)

EPSS Score: 0.05%

Source: CVE
November 27th, 2024 (6 months ago)

CVE-2023-49999

Description: Tenda W30E V16.01.0.12(4843) was discovered to contain a command injection vulnerability via the function setUmountUSBPartition.

CVSS: CRITICAL (9.8)

EPSS Score: 1.42%

Source: CVE
November 27th, 2024 (6 months ago)

CVE-2023-49432

Description: Tenda AX9 V22.03.01.46 has been found to contain a stack overflow vulnerability in the 'deviceList' parameter at /goform/setMacFilterCfg.

CVSS: CRITICAL (9.8)

EPSS Score: 0.18%

Source: CVE
November 27th, 2024 (6 months ago)

CVE-2023-49046

Description: Stack Overflow vulnerability in Tenda AX1803 v.1.0.0.1 allows a remote attacker to execute arbitrary code via the devName parameter in the function formAddMacfilterRule.

CVSS: CRITICAL (9.8)

EPSS Score: 0.56%

Source: CVE
November 27th, 2024 (6 months ago)

CVE-2023-48812

Description: In TOTOLINK X6000R V9.4.0cu.852_B20230719, the shttpd file sub_4119A0 function obtains fields from the front-end through Uci_ Set_ The Str function that when passed to the CsteSystem function creates a command execution vulnerability.

CVSS: CRITICAL (9.8)

EPSS Score: 1.3%

Source: CVE
November 27th, 2024 (6 months ago)

CVE-2023-48801

Description: In TOTOLINK X6000R_Firmware V9.4.0cu.852_B20230719, the shttpd file sub_415534 function obtains fields from the front-end, connects them through the snprintf function, and passes them to the CsteSystem function, resulting in a command execution vulnerability.

CVSS: CRITICAL (9.8)

EPSS Score: 1.31%

Source: CVE
November 27th, 2024 (6 months ago)

CVE-2023-48176

Description: An Insecure Permissions issue in WebsiteGuide v.0.2 allows a remote attacker to gain escalated privileges via crafted jwt (JSON web token).

CVSS: CRITICAL (9.8)

EPSS Score: 0.29%

Source: CVE
November 27th, 2024 (6 months ago)

CVE-2023-46353

Description: In the module "Product Tag Icons Pro" (ticons) before 1.8.4 from MyPresta.eu for PrestaShop, a guest can perform SQL injection. The method TiconProduct::getTiconByProductAndTicon() has sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.

CVSS: CRITICAL (9.8)

EPSS Score: 0.14%

Source: CVE
November 27th, 2024 (6 months ago)

CVE-2023-46349

Description: In the module "Product Catalog (CSV, Excel) Export/Update" (updateproducts) < 3.8.5 from MyPrestaModules for PrestaShop, a guest can perform SQL injection. The method `productsUpdateModel::getExportIds()` has sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection.

CVSS: CRITICAL (9.8)

EPSS Score: 0.14%

Source: CVE
November 27th, 2024 (6 months ago)