CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!
Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
CVE-2024-13770 |
Description: The Puzzles | WP Magazine / Review with Store WordPress Theme + RTL theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.2.4 via deserialization of untrusted input 'view_more_posts' AJAX action. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. The developer opted to remove the software from the repository, so an update is not available and it is recommended to find a replacement software.
CVSS: HIGH (8.1) EPSS Score: 0.07%
February 14th, 2025 (5 months ago)
|
|
CVE-2024-13606 |
Description: The JS Help Desk – The Ultimate Help Desk & Support Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.8.8 via the 'jssupportticketdata' directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads/jssupportticketdata directory which can contain file attachments included in support tickets.
CVSS: HIGH (7.5) EPSS Score: 0.09%
February 14th, 2025 (5 months ago)
|
|
CVE-2024-1351 |
Description: Under certain configurations of --tlsCAFile and tls.CAFile, MongoDB Server may skip peer certificate validation which may result in untrusted connections to succeed. This may effectively reduce the security guarantees provided by TLS and open connections that should have been closed due to failing certificate validation. This issue affects MongoDB Server v7.0 versions prior to and including 7.0.5, MongoDB Server v6.0 versions prior to and including 6.0.13, MongoDB Server v5.0 versions prior to and including 5.0.24 and MongoDB Server v4.4 versions prior to and including 4.4.28.
Required Configuration : A server process will allow incoming connections to skip peer certificate validation if the server process was started with TLS enabled (net.tls.mode set to allowTLS, preferTLS, or requireTLS) and without a net.tls.CAFile configured.
CVSS: HIGH (8.8) EPSS Score: 0.22%
February 14th, 2025 (5 months ago)
|
|
CVE-2024-13346 |
Description: The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 7.11.13. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
CVSS: HIGH (7.3) EPSS Score: 0.07%
February 14th, 2025 (5 months ago)
|
|
CVE-2024-13345 |
Description: The Avada Builder plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.11.13. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
CVSS: HIGH (7.3) EPSS Score: 0.07%
February 14th, 2025 (5 months ago)
|
|
CVE-2024-12013 |
Description: A CWE-1392 “Use of Default Credentials” was discovered affecting the 130.8005 TCP/IP Gateway running firmware version 12h. The device exposes an FTP server with default and easy-to-guess admin credentials. A remote attacker capable of interacting with the FTP server could gain access and perform changes over resources exposed by the service such as configuration files where password hashes are saved or where network settings are stored.
CVSS: HIGH (7.6) EPSS Score: 0.04%
February 14th, 2025 (5 months ago)
|
|
CVE-2024-12011 |
Description: A CWE-126 “Buffer Over-read” was discovered affecting the 130.8005 TCP/IP Gateway running firmware version 12h. The information disclosure can be triggered by leveraging a memory leak affecting the web server. A remote unauthenticated attacker can exploit this vulnerability in order to leak valid authentication tokens from the process memory associated to users currently logged to the system and bypass the authentication mechanism.
CVSS: HIGH (7.6) EPSS Score: 0.04%
February 14th, 2025 (5 months ago)
|
|
CVE-2024-11347 |
Description: Integer Overflow or Wraparound vulnerability in Lexmark International CX, XC, CS, et. Al. (Postscript interpreter modules) allows Forced Integer Overflow.The vulnerability can be leveraged by an attacker to execute arbitrary code as an unprivileged user.
CVSS: HIGH (7.3) EPSS Score: 0.04%
February 14th, 2025 (5 months ago)
|
|
CVE-2024-11346 |
Description: : Access of Resource Using Incompatible Type ('Type Confusion') vulnerability in Lexmark International CX, XC, CS, et. Al. (Postscript interpreter modules) allows Resource Injection.This issue affects CX, XC, CS, et. Al.: from 001.001:0 through 081.231, from *.*.P001 through *.*.P233, from *.*.P001 through *.*.P759, from *.*.P001 through *.*.P836.
CVSS: HIGH (7.3) EPSS Score: 0.04%
February 14th, 2025 (5 months ago)
|
|
CVE-2024-11345 |
Description: A heap-based memory vulnerability has been identified in the Postscript interpreter in various Lexmark devices. The vulnerability can be leveraged by an attacker to execute arbitrary code.
CVSS: HIGH (7.3) EPSS Score: 0.04%
February 14th, 2025 (5 months ago)
|