Threat and Vulnerability Intelligence Database
Example Searches:
CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited
CVE-2023-20896 |
Description: The VMware vCenter Server contains an out-of-bounds read vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger an out-of-bounds read by sending a specially crafted packet leading to denial-of-service of certain services (vmcad, vmdird, and vmafdd).
CVSS: MEDIUM (5.9) EPSS Score: 0.07%
December 6th, 2024 (4 months ago)
|
|
CVE-2024-9404 |
Description: Moxa’s IP Cameras are affected by a medium-severity vulnerability, CVE-2024-9404, which could lead to a denial-of-service condition or cause a service crash. This vulnerability allows attackers to exploit the Moxa service, commonly referred to as moxa_cmd, originally designed for deployment. Because of insufficient input validation, this service may be manipulated to trigger a denial-of-service.
This vulnerability poses a significant remote threat if the affected products are exposed to publicly accessible networks. Attackers could potentially disrupt operations by shutting down the affected systems. Due to the critical nature of this security risk, we strongly recommend taking immediate action to prevent potential exploitation.
CVSS: MEDIUM (6.9) EPSS Score: 0.04%
December 5th, 2024 (5 months ago)
|
|
CVE-2024-8962 |
Description: The WPBITS Addons For Elementor Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
CVSS: MEDIUM (6.4) EPSS Score: 0.07%
December 5th, 2024 (5 months ago)
|
|
CVE-2024-7488 |
Description: Improper Input Validation vulnerability in RestApp Inc. Online Ordering System allows Integer Attacks.This issue affects Online Ordering System: through 04.12.2024.
NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVSS: MEDIUM (5.3) EPSS Score: 0.04%
December 5th, 2024 (5 months ago)
|
|
CVE-2024-6247 |
Description: Wyze Cam v3 Wi-Fi SSID OS Command Injection Remote Code Execution Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Wyze Cam v3 IP cameras. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the handling of SSIDs embedded in scanned QR codes. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-22337.
CVSS: MEDIUM (6.8) EPSS Score: 0.05%
December 5th, 2024 (5 months ago)
|
|
CVE-2024-54157 |
Description: In JetBrains YouTrack before 2024.3.52635 potential ReDoS was possible due to vulnerable RegExp in Ruby syntax detector
CVSS: MEDIUM (4.3) EPSS Score: 0.04%
December 5th, 2024 (5 months ago)
|
|
CVE-2024-54156 |
Description: In JetBrains YouTrack before 2024.3.52635 multiple merge functions were vulnerable to prototype pollution attack
CVSS: MEDIUM (4.2) EPSS Score: 0.05%
December 5th, 2024 (5 months ago)
|
|
CVE-2024-54132 |
Description: The GitHub CLI is GitHub’s official command line tool. A security vulnerability has been identified in GitHub CLI that could create or overwrite files in unintended directories when users download a malicious GitHub Actions workflow artifact through gh run download. This vulnerability stems from a GitHub Actions workflow artifact named .. when downloaded using gh run download. The artifact name and --dir flag are used to determine the artifact’s download path. When the artifact is named .., the resulting files within the artifact are extracted exactly 1 directory higher than the specified --dir flag value. This vulnerability is fixed in 2.63.1.
CVSS: MEDIUM (6.3) EPSS Score: 0.04%
December 5th, 2024 (5 months ago)
|
|
CVE-2024-54002 |
Description: Dependency-Track is a Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain. Performing a login request against the /api/v1/user/login endpoint with a username that exist in the system takes significantly longer than performing the same action with a username that is not known by the system. The observable difference in request duration can be leveraged by actors to enumerate valid names of managed users. LDAP and OpenID Connect users are not affected. The issue has been fixed in Dependency-Track 4.12.2.
CVSS: MEDIUM (5.3) EPSS Score: 0.04%
December 5th, 2024 (5 months ago)
|
|
CVE-2024-5020 |
Description: Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled FancyBox JavaScript library (versions 1.3.4 to 3.5.7) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS: MEDIUM (6.4) EPSS Score: 0.13%
December 5th, 2024 (5 months ago)
|