Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited

CVE-2024-10895
Counter Up – Animated Number Counter & Milestone Showcase <= 2.4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description: The Counter Up – Animated Number Counter & Milestone Showcase plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'lgx-counter' shortcode in all versions up to, and including, 2.4.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.05%

Source: CVE
November 28th, 2024 (5 months ago)

CVE-2024-10580
Hustle – Email Marketing, Lead Generation, Optins, Popups <= 7.8.5 - Missing Authorization to Unauthorized Form Submission
Description: The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to unauthorized form submissions due to a missing capability check on the submit_form() function in all versions up to, and including, 7.8.5. This makes it possible for unauthenticated attackers to submit unpublished forms.

CVSS: MEDIUM (5.3)

EPSS Score: 0.05%

Source: CVE
November 28th, 2024 (5 months ago)

CVE-2024-10521
WordPress Contact Forms by Cimatti <= 1.9.2 - Cross-Site Request Forgery via process_bulk_action Function
Description: The WordPress Contact Forms by Cimatti plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.2. This is due to missing or incorrect nonce validation on the process_bulk_action function. This makes it possible for unauthenticated attackers to delete forms via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVSS: MEDIUM (4.3)

EPSS Score: 0.05%

Source: CVE
November 28th, 2024 (5 months ago)

CVE-2024-10492
Keycloak-quarkus-server: keycloak path trasversal
Description: A vulnerability was found in Keycloak. A user with high privileges could read sensitive information from a Vault file that is not within the expected context. This attacker must have previous high access to the Keycloak server in order to perform resource creation, for example, an LDAP provider configuration and set up a Vault read file, which will only inform whether that file exists or not.

EPSS Score: 0.04%

Source: CVE
November 28th, 2024 (5 months ago)

CVE-2024-10451
Org.keycloak:keycloak-quarkus-server: sensitive data exposure in keycloak build process
Description: A flaw was found in Keycloak. This issue occurs because sensitive runtime values, such as passwords, may be captured during the Keycloak build process and embedded as default values in bytecode, leading to unintended information disclosure. In Keycloak 26, sensitive data specified directly in environment variables during the build process is also stored as a default values, making it accessible during runtime. Indirect usage of environment variables for SPI options and Quarkus properties is also vulnerable due to unconditional expansion by PropertyMapper logic, capturing sensitive data as default values in all Keycloak versions up to 26.0.2.

EPSS Score: 0.04%

Source: CVE
November 28th, 2024 (5 months ago)

CVE-2024-10270
Org.keycloak:keycloak-services: keycloak denial of service
Description: A vulnerability was found in the Keycloak-services package. If untrusted data is passed to the SearchQueryUtils method, it could lead to a denial of service (DoS) scenario by exhausting system resources due to a Regex complexity.

EPSS Score: 0.09%

Source: CVE
November 28th, 2024 (5 months ago)

CVE-2024-10175
Pricing Tables For WPBakery Page Builder (formerly Visual Composer) <= 1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via wdo_pr...
Description: The Pricing Tables For WPBakery Page Builder (formerly Visual Composer) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wdo_pricing_tables shortcode in all versions up to, and including, 1.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS: MEDIUM (6.4)

EPSS Score: 0.05%

Source: CVE
November 28th, 2024 (5 months ago)

CVE-2024-0232
Sqlite: use-after-free bug in jsonparseaddnodearray
Description: A heap use-after-free issue has been identified in SQLite in the jsonParseAddNodeArray() function in sqlite3.c. This flaw allows a local attacker to leverage a victim to pass specially crafted malicious input to the application, potentially causing a crash and leading to a denial of service.

EPSS Score: 0.04%

Source: CVE
November 28th, 2024 (5 months ago)

CVE-2024-0217
Packagekitd: use-after-free in idle function callback
Description: A use-after-free flaw was found in PackageKitd. In some conditions, the order of cleanup mechanics for a transaction could be impacted. As a result, some memory access could occur on memory regions that were previously freed. Once freed, a memory region can be reused for other allocations and any previously stored data in this memory region is considered lost.

EPSS Score: 0.08%

Source: CVE
November 28th, 2024 (5 months ago)

CVE-2023-6832
Business Logic Errors in microweber/microweber
Description: Business Logic Errors in GitHub repository microweber/microweber prior to 2.0.

CVSS: MEDIUM (6.0)

EPSS Score: 0.05%

Source: CVE
November 28th, 2024 (5 months ago)