Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited

CVE-2024-10798
Royal Elementor Addons and Templates <= 1.7.1003 - Authenticated (Contributor+) Post Disclosure
Description: The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.7.1003 via the 'wpr-template' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts created via Elementor that they should not have access to.

CVSS: MEDIUM (4.3)

EPSS Score: 0.05%

Source: CVE
November 29th, 2024 (6 months ago)

CVE-2024-9076
DedeCMS article_string_mix.php os command injection
Description: A vulnerability was found in DedeCMS up to 5.7.115. It has been rated as critical. This issue affects some unknown processing of the file /dede/article_string_mix.php. The manipulation leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. Eine Schwachstelle wurde in DedeCMS bis 5.7.115 ausgemacht. Sie wurde als kritisch eingestuft. Betroffen davon ist ein unbekannter Prozess der Datei /dede/article_string_mix.php. Durch das Beeinflussen mit unbekannten Daten kann eine os command injection-Schwachstelle ausgenutzt werden. Die Umsetzung des Angriffs kann dabei über das Netzwerk erfolgen. Der Exploit steht zur öffentlichen Verfügung.

CVSS: MEDIUM (5.1)

EPSS Score: 0.46%

Source: CVE
November 29th, 2024 (6 months ago)

CVE-2024-7747
Wallet for WooCommerce <= 1.5.6 - Authenticated (Subscriber+) Incorrect Conversion between Numeric Types
Description: The Wallet for WooCommerce plugin for WordPress is vulnerable to incorrect conversion between numeric types in all versions up to, and including, 1.5.6. This is due to a numerical logic flaw when transferring funds to another user. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create funds during a transfer and distribute these funds to any number of other users or their own account, rendering products free. Attackers could also request to withdraw funds if the Wallet Withdrawal extension is used and the request is approved by an administrator.

CVSS: MEDIUM (6.5)

EPSS Score: 0.05%

Source: CVE
November 29th, 2024 (6 months ago)

CVE-2024-53737
WordPress WP Mailster plugin <= 1.8.16.0 - Cross Site Scripting (XSS) vulnerability
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Mailster allows Stored XSS.This issue affects WP Mailster: from n/a through 1.8.16.0.

CVSS: MEDIUM (6.5)

EPSS Score: 0.04%

Source: CVE
November 29th, 2024 (6 months ago)

CVE-2024-53731
WordPress Fintelligence Calculator plugin <= 1.0.3 - Cross Site Scripting (XSS) vulnerability
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Fintelligence Fintelligence Calculator allows Stored XSS.This issue affects Fintelligence Calculator: from n/a through 1.0.3.

CVSS: MEDIUM (6.5)

EPSS Score: 0.04%

Source: CVE
November 29th, 2024 (6 months ago)

CVE-2024-52283
Description: Missing sanitation of inputs allowed arbitrary users to conduct a stored XSS attack that triggers for users that view a certain project

CVSS: MEDIUM (5.7)

EPSS Score: 0.04%

Source: CVE
November 29th, 2024 (6 months ago)

CVE-2024-49503
Reflected XSS in Setup Wizard, Organization Credentials in spacewalk-web
Description: A Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in SUSE manager allows attackers to execute Javascript code in the organization credentials sub page. This issue affects Container suse/manager/5.0/x86_64/server:5.0.2.7.8.1: before 5.0.15-150600.3.10.2; SUSE Manager Server Module 4.3: before 4.3.42-150400.3.52.1.

CVSS: MEDIUM (4.6)

EPSS Score: 0.04%

Source: CVE
November 29th, 2024 (6 months ago)

CVE-2024-49502
Reflected XSS in Setup Wizard, HTTP Proxy credentials pane in spacewalk-web
Description: A Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in the Setup Wizard, HTTP Proxy credentials pane in spacewalk-web allows attackers to attack users by providing specially crafted URLs to click. This issue affects Container suse/manager/5.0/x86_64/server:5.0.2.7.8.1: before 5.0.15-150600.3.10.2; SUSE Manager Server Module 4.3: before 4.3.42-150400.3.52.1.

CVSS: MEDIUM (4.6)

EPSS Score: 0.04%

Source: CVE
November 29th, 2024 (6 months ago)

CVE-2024-22037
Database password leaked by systemd uyuni-server-attestation service
Description: The uyuni-server-attestation systemd service needs a database_password environment variable. This file has 640 permission, and cannot be shown users, but the environment is still exposed by systemd to non-privileged users.

CVSS: MEDIUM (5.5)

EPSS Score: 0.04%

Source: CVE
November 29th, 2024 (6 months ago)

CVE-2024-11970
code-projects Concert Ticket Ordering System tour(cor).php sql injection
Description: A vulnerability classified as critical has been found in code-projects Concert Ticket Ordering System 1.0. Affected is an unknown function of the file /tour(cor).php. The manipulation of the argument mai leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Es wurde eine kritische Schwachstelle in code-projects Concert Ticket Ordering System 1.0 entdeckt. Es betrifft eine unbekannte Funktion der Datei /tour(cor).php. Mittels Manipulieren des Arguments mai mit unbekannten Daten kann eine sql injection-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk erfolgen. Der Exploit steht zur öffentlichen Verfügung.

CVSS: MEDIUM (6.9)

EPSS Score: 0.06%

Source: CVE
November 29th, 2024 (6 months ago)