CyberAlerts

CVE-2024-9672

Description: A reflected cross-site scripting (XSS) vulnerability exists in PaperCut NG/MF. This issue can be used to execute specially created JavaScript payloads in the browser. A user must click on a malicious link for this issue to occur.

CVSS: MEDIUM (6.3)

EPSS Score: 0.06%

Source: CVE

December 10th, 2024 (4 months ago)

CVE-2024-9651

Contact Form Plugin by Fluent Forms < 5.2.1 - Admin+ Stored XSS

Description: The Fluent Forms WordPress plugin before 5.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

CVSS: LOW (0.0)

EPSS Score: 0.04%

Source: CVE

December 10th, 2024 (4 months ago)

CVE-2024-8679

Library Management System <= 3.0.0 - Authenticated (Admin+) SQL Injection

Description: The Library Management System – Manage e-Digital Books Library plugin for WordPress is vulnerable to SQL Injection via the ‘value' parameter of the owt_lib_handler AJAX action in all versions up to, and including, 3.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVSS: MEDIUM (6.8)

EPSS Score: 0.05%

Source: CVE

December 10th, 2024 (4 months ago)

CVE-2024-8259

Unauthenticated SQLi in Eryaz IT's NatraCar B2B Dealer Management Program

Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Eryaz Information Technologies NatraCar B2B Dealer Management Program allows SQL Injection.This issue affects NatraCar B2B Dealer Management Program: through 09.12.2024. NOTE: The vendor was contacted and it was learned that the product is not supported.

CVSS: MEDIUM (6.5)

EPSS Score: 0.09%

Source: CVE

December 10th, 2024 (4 months ago)

CVE-2024-55638

Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-008

Description: Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.This issue affects Drupal Core: from 7.0 before 7.102, from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9.

CVSS: LOW (0.0)

EPSS Score: 0.04%

Source: CVE

December 10th, 2024 (4 months ago)

CVE-2024-55637

Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-007

Description: Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.

CVSS: LOW (0.0)

EPSS Score: 0.04%

Source: CVE

December 10th, 2024 (4 months ago)

CVE-2024-55636

Drupal core - Less critical - Gadget chain - SA-CORE-2024-006

Description: Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.

CVSS: LOW (0.0)

EPSS Score: 0.04%

Source: CVE

December 10th, 2024 (4 months ago)

CVE-2024-55635

Drupal core - Critical - Cross Site Scripting - SA-CORE-2024-005

Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Core allows Cross-Site Scripting (XSS).This issue affects Drupal Core: from 7.0 before 7.102.

CVSS: LOW (0.0)

EPSS Score: 0.04%

Source: CVE

December 10th, 2024 (4 months ago)

CVE-2024-55634

Drupal core - Moderately critical - Access bypass - SA-CORE-2024-004

Description: A vulnerability in Drupal Core allows Privilege Escalation.This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.

CVSS: LOW (0.0)

EPSS Score: 0.04%

Source: CVE

December 10th, 2024 (4 months ago)

CVE-2024-55601

Hugo does not escape some attributes in internal templates

Description: Hugo is a static site generator. Starting in version 0.123.0 and prior to version 0.139.4, some HTML attributes in Markdown in the internal templates listed below not escaped in internal render hooks. Those whoa re impacted are Hugo users who do not trust their Markdown content files and are using one or more of these templates: `_default/_markup/render-link.html` from `v0.123.0`; `_default/_markup/render-image.html` from `v0.123.0`; `_default/_markup/render-table.html` from `v0.134.0`; and/or `shortcodes/youtube.html` from `v0.125.0`. This issue is patched in v0.139.4. As a workaround, one may replace an affected component with user defined templates or disable the internal templates.

CVSS: MEDIUM (5.3)

EPSS Score: 0.05%

Source: CVE

December 10th, 2024 (4 months ago)

Threat and Vulnerability Intelligence Database

Example Searches:

CVE-2024-9672	Reflected XSS in PaperCut MF Description: A reflected cross-site scripting (XSS) vulnerability exists in PaperCut NG/MF. This issue can be used to execute specially created JavaScript payloads in the browser. A user must click on a malicious link for this issue to occur. CVSS: MEDIUM (6.3) EPSS Score: 0.06% Source: CVE December 10th, 2024 (4 months ago)
CVE-2024-9651	Contact Form Plugin by Fluent Forms < 5.2.1 - Admin+ Stored XSS Description: The Fluent Forms WordPress plugin before 5.2.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). CVSS: LOW (0.0) EPSS Score: 0.04% Source: CVE December 10th, 2024 (4 months ago)
CVE-2024-8679	Library Management System <= 3.0.0 - Authenticated (Admin+) SQL Injection Description: The Library Management System – Manage e-Digital Books Library plugin for WordPress is vulnerable to SQL Injection via the ‘value' parameter of the owt_lib_handler AJAX action in all versions up to, and including, 3.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. CVSS: MEDIUM (6.8) EPSS Score: 0.05% Source: CVE December 10th, 2024 (4 months ago)
CVE-2024-8259	Unauthenticated SQLi in Eryaz IT's NatraCar B2B Dealer Management Program Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Eryaz Information Technologies NatraCar B2B Dealer Management Program allows SQL Injection.This issue affects NatraCar B2B Dealer Management Program: through 09.12.2024. NOTE: The vendor was contacted and it was learned that the product is not supported. CVSS: MEDIUM (6.5) EPSS Score: 0.09% Source: CVE December 10th, 2024 (4 months ago)
CVE-2024-55638	Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-008 Description: Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.This issue affects Drupal Core: from 7.0 before 7.102, from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9. CVSS: LOW (0.0) EPSS Score: 0.04% Source: CVE December 10th, 2024 (4 months ago)
CVE-2024-55637	Drupal core - Moderately critical - Gadget chain - SA-CORE-2024-007 Description: Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. CVSS: LOW (0.0) EPSS Score: 0.04% Source: CVE December 10th, 2024 (4 months ago)
CVE-2024-55636	Drupal core - Less critical - Gadget chain - SA-CORE-2024-006 Description: Deserialization of Untrusted Data vulnerability in Drupal Core allows Object Injection.This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. CVSS: LOW (0.0) EPSS Score: 0.04% Source: CVE December 10th, 2024 (4 months ago)
CVE-2024-55635	Drupal core - Critical - Cross Site Scripting - SA-CORE-2024-005 Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Drupal Core allows Cross-Site Scripting (XSS).This issue affects Drupal Core: from 7.0 before 7.102. CVSS: LOW (0.0) EPSS Score: 0.04% Source: CVE December 10th, 2024 (4 months ago)
CVE-2024-55634	Drupal core - Moderately critical - Access bypass - SA-CORE-2024-004 Description: A vulnerability in Drupal Core allows Privilege Escalation.This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8. CVSS: LOW (0.0) EPSS Score: 0.04% Source: CVE December 10th, 2024 (4 months ago)
CVE-2024-55601	Hugo does not escape some attributes in internal templates Description: Hugo is a static site generator. Starting in version 0.123.0 and prior to version 0.139.4, some HTML attributes in Markdown in the internal templates listed below not escaped in internal render hooks. Those whoa re impacted are Hugo users who do not trust their Markdown content files and are using one or more of these templates: `_default/_markup/render-link.html` from `v0.123.0`; `_default/_markup/render-image.html` from `v0.123.0`; `_default/_markup/render-table.html` from `v0.134.0`; and/or `shortcodes/youtube.html` from `v0.125.0`. This issue is patched in v0.139.4. As a workaround, one may replace an affected component with user defined templates or disable the internal templates. CVSS: MEDIUM (5.3) EPSS Score: 0.05% Source: CVE December 10th, 2024 (4 months ago)