In the dynamic realm of cybersecurity, staying updated on the latest vulnerabilities is imperative.
This edition of AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in the National Vulnerability Database between March 13-14, 2024.
During this period, the National Vulnerability Database published 221 new Common Vulnerabilities and Exposures (CVEs), classified by severity as follows:
Critical: 9
High: 36
Medium: 131
Low: 4
Severity Not Assigned: 41
Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.
1. CVE-2024-2413
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: Intumit SmartRobot uses a fixed encryption key for authentication. Remote attackers can use this key to encrypt a string composed of the user's name and timestamp to generate an authentication code. With this authentication code, they can obtain administrator privileges and subsequently execute arbitrary code on the remote server using built-in system functionality.
References: https://www.twcert.org.tw/tw/cp-132-7697-ecf10-1.html
CWE-ID: CWE-321
Common Platform Enumerations (CPE): Not Found
2. CVE-2015-10123
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: An unauthenticated remote attacker could send specifically crafted packets to an affected device. If an authenticated user then views that data in a specific page of the web-based management, a buffer overflow will be triggered to gain full access to the device.
References: https://cert.vde.com/en/advisories/VDE-2023-039/
CWE-ID: CWE-120
Common Platform Enumerations (CPE): Not Found
3. CVE-2024-2123
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 2.7
Description: The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in all versions up to, and including, 2.8.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
References: https://plugins.trac.wordpress.org/browser/ultimate-member/trunk/templates/members-grid.php#L44
https://plugins.trac.wordpress.org/browser/ultimate-member/trunk/templates/members-grid.php#L53
https://plugins.trac.wordpress.org/browser/ultimate-member/trunk/templates/members-grid.php#L65
https://plugins.trac.wordpress.org/browser/ultimate-member/trunk/templates/members-list.php#L39
https://plugins.trac.wordpress.org/browser/ultimate-member/trunk/templates/members-list.php#L53
https://plugins.trac.wordpress.org/changeset/3046611/ultimate-member#file746
https://www.wordfence.com/threat-intel/vulnerabilities/id/c8bc1653-8fee-468a-bb6d-f24959846ee5?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
4. CVE-2024-2414
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The primary channel is unprotected on Movistar 4G router affecting version ES_WLD71-T1_v2.0.201820. This device has the 'adb' service open on port 5555 and provides access to a shell with root privileges.
References: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-movistar-4g-router
CWE-ID: CWE-419
Common Platform Enumerations (CPE): Not Found
5. CVE-2024-2415
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description: Command injection vulnerability in Movistar 4G router affecting version ES_WLD71-T1_v2.0.201820. This vulnerability allows an authenticated user to execute commands inside the router by making a POST request to the URL '/cgi-bin/gui.cgi'.
References: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-movistar-4g-router
CWE-ID: CWE-78
Common Platform Enumerations (CPE): Not Found
6. CVE-2024-2247
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: JFrog Artifactory versions below 7.77.7, are vulnerable to DOM-based cross-site scripting due to improper handling of the import override mechanism.
References: https://jfrog.com/help/r/jfrog-release-information/jfrog-security-advisories
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
7. CVE-2024-25153
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: A directory traversal within the ‘ftpservlet’ of the FileCatalyst Workflow Web Portal allows files to be uploaded outside of the intended ‘uploadtemp’ directory with a specially crafted POST request. In situations where a file is successfully uploaded to web portal’s DocumentRoot, specially crafted JSP files could be used to execute code, including web shells.
References: https://filecatalyst.software/public/filecatalyst/Workflow/5.1.6.114/fcweb_releasenotes.html
https://www.fortra.com/security/advisory/fi-2024-002
CWE-ID: CWE-472
Common Platform Enumerations (CPE): Not Found
8. CVE-2024-25155
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 2.7
Description: In FileCatalyst Direct 3.8.8 and earlier through 3.8.6, the web server does not properly sanitize illegal characters in a URL which is then displayed on a subsequent error page. A malicious actor could craft a URL which would then execute arbitrary code within an HTML script tag.
References: https://filecatalyst.software/public/filecatalyst/Direct/3.8.9.90/whatsnew_direct.html
https://www.fortra.com/security/advisory/fi-2024-003
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
9. CVE-2023-5663
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The News Announcement Scroll plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 9.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with contributor-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References: https://plugins.trac.wordpress.org/browser/news-announcement-scroll/tags/9.0.0/news-announcement-scroll.php#L261
https://plugins.trac.wordpress.org/changeset/2987837/news-announcement-scroll#file2
https://www.wordfence.com/threat-intel/vulnerabilities/id/b29113d6-7a9a-4e10-a446-147ec146ac93?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
10. CVE-2023-6825
Base Score: 9.9
Base Severity: CRITICAL
Exploitability Score: 3.1
Impact Score: 6.0
Description: The File Manager and File Manager Pro plugins for WordPress are vulnerable to Directory Traversal in versions up to, and including version 7.2.1 (free version) and 8.3.4 (Pro version) via the target parameter in the mk_file_folder_manager_action_callback_shortcode function. This makes it possible for attackers to read the contents of arbitrary files on the server, which can contain sensitive information and to upload files into directories other than the intended directory for file uploads. The free version requires Administrator access for this vulnerability to be exploitable. The Pro version allows a file manager to be embedded via a shortcode and also allows admins to grant file handling privileges to other user levels, which could lead to this vulnerability being exploited by lower-level users.
References: https://github.com/Studio-42/elFinder/blob/master/php/elFinderVolumeDriver.class.php#L6784
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3023403%40wp-file-manager%2Ftrunk&old=2984933%40wp-file-manager%2Ftrunk&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/93f377a1-2c33-4dd7-8fd6-190d9148e804?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
11. CVE-2024-0161
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 0.8
Impact Score: 5.8
Description: Dell PowerEdge Server BIOS and Dell Precision Rack BIOS contain an Improper SMM communication buffer verification vulnerability. A local low privileged attacker could potentially exploit this vulnerability leading to arbitrary writes to SMRAM.
References: https://www.dell.com/support/kbdoc/en-us/000222979/dsa-2024-006-security-update-for-dell-poweredge-server-bios-for-an-improper-smm-communication-buffer-verification-vulnerability
CWE-ID: CWE-20
Common Platform Enumerations (CPE): Not Found
12. CVE-2024-0368
Base Score: 8.6
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 4.0
Description: The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.8.3 via hardcoded API Keys. This makes it possible for unauthenticated attackers to extract sensitive data including PII.
References: https://developers.hubspot.com/docs/api/webhooks#manage-settings-via-api
https://developers.hubspot.com/docs/api/webhooks#scopes
https://plugins.trac.wordpress.org/browser/wordpress-popup/trunk/inc/providers/hubspot/hustle-hubspot-api.php#L13
https://plugins.trac.wordpress.org/changeset/3047775/wordpress-popup/trunk/inc/providers/hubspot/hustle-hubspot-api.php?old=3025070&old_path=wordpress-popup/tags/7.8.3/inc/providers/hubspot/hustle-hubspot-api.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/e6d40b41-540d-476d-afde-970845543933?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
13. CVE-2024-0683
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: The Bulgarisation for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on several functions in all versions up to, and including, 3.0.14. This makes it possible for unauthenticated and authenticated attackers, with subscriber-level access and above, to generate and delete labels.
References: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3034198%40bulgarisation-for-woocommerce&new=3034198%40bulgarisation-for-woocommerce&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/be759c83-a9df-4858-a724-28006a595404?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
14. CVE-2024-1071
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to SQL Injection via the 'sorting' parameter in versions 2.1.3 to 2.8.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References: https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.8.2/includes/core/class-member-directory-meta.php?rev=3022076
https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.8.2/includes/core/class-member-directory-meta.php?rev=3022076#L666
https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.8.2/includes/core/class-member-directory-meta.php?rev=3022076#L858
https://plugins.trac.wordpress.org/changeset/3038036/ultimate-member/trunk/includes/core/class-member-directory-meta.php
https://wordpress.org/plugins/ultimate-member/
https://www.wordfence.com/threat-intel/vulnerabilities/id/005fa621-3c49-4c23-add5-d6b7a9110055?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
15. CVE-2024-1203
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Conversios – Google Analytics 4 (GA4), Meta Pixel & more Via Google Tag Manager For WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'valueData' parameter in all versions up to, and including, 6.9.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References: https://plugins.trac.wordpress.org/browser/enhanced-e-commerce-for-woocommerce-store/trunk/includes/data/class-tvc-ajax-file.php#L1850
https://www.wordfence.com/threat-intel/vulnerabilities/id/7eb7d499-28ba-48ef-9798-b7c8cbb7aa3e?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
16. CVE-2024-1311
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Brizy – Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the storeImages function in all versions up to, and including, 2.4.40. This makes it possible for authenticated attackers, with contributor access or above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
References: https://plugins.trac.wordpress.org/browser/brizy/trunk/editor/zip/archiver.php#L254
https://plugins.trac.wordpress.org/changeset/3034945/brizy/tags/2.4.41/editor/zip/archiver.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/dc023c1b-7ec6-45b6-b50a-f0d823065843?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
17. CVE-2024-1358
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Elementor Addon Elements plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.12.12 via the render function. This makes it possible for authenticated attackers, with contributor access or higher, to include the contents of arbitrary PHP files on the server, which may expose sensitive information.
References: https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/tags/1.12.12/modules/shape-separator/widgets/shape-separator.php#L89
https://plugins.trac.wordpress.org/changeset/3037925/addon-elements-for-elementor-page-builder/trunk/modules/shape-separator/widgets/shape-separator.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/20cd3fff-0488-4bc2-961b-2427925e6a96?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
18. CVE-2024-1505
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Academy LMS – eLearning and online course solution for WordPress plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.9.19. This is due to the plugin allowing arbitrary user meta updates through the saved_user_info() function. This makes it possible for authenticated attackers, with minimal permissions such as students, to elevate their user role to that of an administrator.
References: https://plugins.trac.wordpress.org/changeset/3037880/academy#file473
https://www.wordfence.com/threat-intel/vulnerabilities/id/b150f90a-ccb7-4c19-a4b3-eaf9ec264ba8?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
19. CVE-2024-1536
Base Score: 7.4
Base Severity: HIGH
Exploitability Score: 3.1
Impact Score: 3.7
Description: The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's event calendar widget in all versions up to, and including, 5.9.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
References: https://plugins.trac.wordpress.org/changeset/3037755/essential-addons-for-elementor-lite/tags/5.9.10/includes/Elements/Event_Calendar.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/12dc9e63-17bb-4755-be3c-ae8b26edd3cd?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
20. CVE-2024-1751
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to time-based SQL Injection via the question_id parameter in all versions up to, and including, 2.6.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber/student access or higher, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References: https://plugins.trac.wordpress.org/browser/tutor/tags/2.6.1/classes/Utils.php#L4555
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3049105%40tutor&new=3049105%40tutor&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/f9cee379-79f8-4a60-b1bb-ccab1e954512?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
21. CVE-2024-1772
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Play.ht – Make Your Blog Posts Accessible With Text to Speech Audio plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.6.4 via deserialization of untrusted input from the play_podcast_data post meta. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
References: https://plugins.trac.wordpress.org/browser/play-ht/trunk/includes/class-ajax-handler.php#L138
https://www.wordfence.com/threat-intel/vulnerabilities/id/83a595b7-379c-4202-abdd-d8ba4a30c6a4?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
22. CVE-2024-1793
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 1.2
Impact Score: 5.9
Description: The AWeber – Free Sign Up Form and Landing Page Builder Plugin for Lead Generation and Email Newsletter Growth plugin for WordPress is vulnerable to SQL Injection via the 'post_id' parameter in all versions up to, and including, 7.3.14 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References: https://glimmer-handball-dae.notion.site/AWeber-Authenticated-SQLi-Admin-6e0d31c4a14c42f4996f9e201482d4cc?pvs=4
https://plugins.trac.wordpress.org/browser/aweber-web-form-widget/tags/7.3.12/php/aweber_webform_plugin.php#L962
https://plugins.trac.wordpress.org/browser/aweber-web-form-widget/tags/7.3.12/php/aweber_webform_plugin.php#L970
https://plugins.trac.wordpress.org/browser/aweber-web-form-widget/tags/7.3.12/php/aweber_webform_plugin.php#L972
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3042751%40aweber-web-form-widget&new=3042751%40aweber-web-form-widget&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/f3ae3bca-d363-4c4b-809f-0625385bc9a6?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
23. CVE-2024-1862
Base Score: 8.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.2
Description: The WooCommerce Add to Cart Custom Redirect plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'wcr_dismiss_admin_notice' function in all versions up to, and including, 1.2.13. This makes it possible for authenticated attackers, with contributor access and above, to update the values of arbitrary site options to 'dismissed'.
References: https://plugins.trac.wordpress.org/browser/woocommerce-add-to-cart-custom-redirect/tags/1.2.13/woocommerce-custom-redirect.php#L204
https://plugins.trac.wordpress.org/changeset?old_path=/woocommerce-add-to-cart-custom-redirect/tags/1.2.13&old=3047408&new_path=/woocommerce-add-to-cart-custom-redirect/tags/1.2.14&new=3047408&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/36c6a116-37cc-4ade-b601-5f9d6aaf9217?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
24. CVE-2024-1935
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 2.7
Description: The Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘parent_url’ parameter in all versions up to, and including, 1.12.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
References: https://plugins.trac.wordpress.org/browser/rafflepress/tags/1.12.5/resources/views/rafflepress-giveaway.php
https://plugins.trac.wordpress.org/changeset?old_path=/rafflepress/tags/1.12.5&old=3043286&new_path=/rafflepress/tags/1.12.7&new=3043286&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/29b471ac-3a08-42da-9907-670c3b3bae92?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
25. CVE-2024-1950
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 1.6
Impact Score: 5.9
Description: The Product Carousel Slider & Grid Ultimate for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.9.7 via deserialization of untrusted input via shortcode. This makes it possible for authenticated attackers, with contributor access and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
References: https://plugins.trac.wordpress.org/browser/woo-product-carousel-slider-and-grid-ultimate/tags/1.9.7/includes/classes/class-meta-box.php
https://plugins.trac.wordpress.org/browser/woo-product-carousel-slider-and-grid-ultimate/tags/1.9.7/includes/classes/class-shortcode.php
https://plugins.trac.wordpress.org/changeset?old_path=/woo-product-carousel-slider-and-grid-ultimate/tags/1.9.7&old=3045923&new_path=/woo-product-carousel-slider-and-grid-ultimate/tags/1.9.8&new=3045923&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/ed8636bf-229a-42a5-a19c-332679613dd2?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
26. CVE-2024-1951
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 1.6
Impact Score: 5.9
Description: The Logo Showcase Ultimate – Logo Carousel, Logo Slider & Logo Grid plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.8 via deserialization of untrusted input via shortcode. This makes it possible for authenticated attackers, with contributor access and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
References: https://plugins.trac.wordpress.org/browser/logo-showcase-ultimate/tags/1.3.8/classes/lcg-adl-metabox.php
https://plugins.trac.wordpress.org/browser/logo-showcase-ultimate/tags/1.3.8/classes/lcg-shortcode.php
https://plugins.trac.wordpress.org/changeset?old_path=/logo-showcase-ultimate/tags/1.3.8&old=3045923&new_path=/logo-showcase-ultimate/tags/1.3.9&new=3045923&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/a63b2091-1502-4d9f-98c4-ce9d2f923dc4?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
27. CVE-2024-2006
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.6.7 via deserialization of untrusted input in the outpost_shortcode_metabox_markup function. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
References: https://plugins.trac.wordpress.org/browser/post-grid-carousel-ultimate/trunk/includes/classes/metabox.php#L43
https://plugins.trac.wordpress.org/changeset?old_path=/post-grid-carousel-ultimate/tags/1.6.7&old=3045923&new_path=/post-grid-carousel-ultimate/tags/1.6.8&new=3045923&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/8cf1b234-862b-41a0-ab63-a986f8023613?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
28. CVE-2024-2020
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 2.7
Description: The Calculated Fields Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form page href parameter in all versions up to, and including, 5.1.56 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires the professional version or higher.
References: https://wordpress.org/plugins/calculated-fields-form/#developers
https://www.wordfence.com/threat-intel/vulnerabilities/id/45bfa9fb-f35b-4fd4-8553-cf87bf69df6b?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
29. CVE-2024-2172
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: The Malware Scanner plugin and the Web Application Firewall plugin for WordPress (both by MiniOrange) are vulnerable to privilege escalation due to a missing capability check on the mo_wpns_init() function in all versions up to, and including, 4.7.2 (for Malware Scanner) and 2.1.1 (for Web Application Firewall). This makes it possible for unauthenticated attackers to escalate their privileges to that of an administrator.
References: https://plugins.trac.wordpress.org/browser/miniorange-malware-protection/tags/4.7.2/handler/login.php#L89
https://wordpress.org/plugins/miniorange-malware-protection/
https://www.wordfence.com/threat-intel/vulnerabilities/id/6347f588-a3fd-4909-ad57-9d78787b5728?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
30. CVE-2024-2194
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 2.7
Description: The WP Statistics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the URL search parameter in all versions up to, and including, 14.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
References: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3047756%40wp-statistics&new=3047756%40wp-statistics&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/e44e4bdd-d84e-4315-9232-48a3b240242d?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
31. CVE-2024-20318
Base Score: 7.4
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 4.0
Description: A vulnerability in the Layer 2 Ethernet services of Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to cause the line card network processor to reset, resulting in a denial of service (DoS) condition.
This vulnerability is due to the incorrect handling of specific Ethernet frames that are received on line cards that have the Layer 2 services feature enabled. An attacker could exploit this vulnerability by sending specific Ethernet frames through an affected device. A successful exploit could allow the attacker to cause the ingress interface network processor to reset, resulting in a loss of traffic over the interfaces that are supported by the network processor. Multiple resets of the network processor would cause the line card to reset, resulting in a DoS condition.
References: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-xrl2vpn-jesrU3fc
CWE-ID: CWE-20
Common Platform Enumerations (CPE): Not Found
32. CVE-2024-20320
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description: A vulnerability in the SSH client feature of Cisco IOS XR Software for Cisco 8000 Series Routers and Cisco Network Convergence System (NCS) 540 Series and 5700 Series Routers could allow an authenticated, local attacker to elevate privileges on an affected device.
This vulnerability is due to insufficient validation of arguments that are included with the SSH client CLI command. An attacker with low-privileged access to an affected device could exploit this vulnerability by issuing a crafted SSH client command to the CLI. A successful exploit could allow the attacker to elevate privileges to root on the affected device.
References: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-ssh-privesc-eWDMKew3
CWE-ID: CWE-266
Common Platform Enumerations (CPE): Not Found
33. CVE-2024-20327
Base Score: 7.4
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 4.0
Description: A vulnerability in the PPP over Ethernet (PPPoE) termination feature of Cisco IOS XR Software for Cisco ASR 9000 Series Aggregation Services Routers could allow an unauthenticated, adjacent attacker to crash the ppp_ma process, resulting in a denial of service (DoS) condition.
This vulnerability is due to the improper handling of malformed PPPoE packets that are received on a router that is running Broadband Network Gateway (BNG) functionality with PPPoE termination on a Lightspeed-based or Lightspeed-Plus-based line card. An attacker could exploit this vulnerability by sending a crafted PPPoE packet to an affected line card interface that does not terminate PPPoE. A successful exploit could allow the attacker to crash the ppp_ma process, resulting in a DoS condition for PPPoE traffic across the router.
References: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-pppma-JKWFgneW
CWE-ID: CWE-20
Common Platform Enumerations (CPE): Not Found
34. CVE-2024-27952
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Codeus Advanced Sermons allows Reflected XSS. This issue affects Advanced Sermons: from n/a through 3.2.
References: https://patchstack.com/database/vulnerability/advanced-sermons/wordpress-advanced-sermons-plugin-3-2-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
35. CVE-2024-28195
Base Score: 8.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.2
Description: your_spotify is an open source, self hosted Spotify tracking dashboard. YourSpotify versions < 1.9.0 do not protect the API and login flow against Cross-Site Request Forgery (CSRF). Attackers can use this to execute CSRF attacks on victims, allowing them to retrieve, modify or delete data on the affected YourSpotify instance. Using repeated CSRF attacks, it is also possible to create a new user on the victim instance and promote the new user to instance administrator if a legitimate administrator visits a website prepared by an attacker. Note: Real-world exploitability of this vulnerability depends on the browser version and browser settings in use by the victim. This issue has been addressed in version 1.9.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References: https://github.com/Yooooomi/your_spotify/commit/c3ae87673910c9903bb53088c8b71ed2c9aa54e4
https://github.com/Yooooomi/your_spotify/security/advisories/GHSA-hfgf-99p3-6fjj
CWE-ID: CWE-352
Common Platform Enumerations (CPE): Not Found
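The CSRF weakness above is a missing server-side check on cookie-authenticated, state-changing requests, and the advisory's note about browser dependence refers to the fact that some browsers treat a cookie without a SameSite attribute as Lax while others still send it on any cross-site POST. The block below is an added example, not your_spotify code: it implements the fail-closed Origin/Referer check a cookie-authenticated API (including a login endpoint, so an attacker cannot log the victim into an account they control) should perform, sets SameSite explicitly instead of relying on browser defaults, and runs the check over constructed requests. The origin `https://yourspotify.example`, the header sets and the cookie name are assumptions for illustration.

```python
from typing import Optional
from urllib.parse import urlsplit

STATE_CHANGING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# Assumed deployment origin for the demo; a real instance takes this from its configuration.
TRUSTED_ORIGIN = "https://yourspotify.example"


def request_origin(headers: dict) -> Optional[str]:
    """Origin the browser asserts: the Origin header, else scheme://host[:port] taken from Referer."""
    lowered = {k.lower(): v for k, v in headers.items()}
    if "origin" in lowered:
        return lowered["origin"].strip().lower()
    if "referer" in lowered:
        parts = urlsplit(lowered["referer"].strip())
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}".lower()
    return None


def csrf_allows(method: str, headers: dict, trusted_origin: str = TRUSTED_ORIGIN) -> bool:
    """Reject state-changing requests whose asserted origin is missing, 'null' or not ours."""
    if method.upper() not in STATE_CHANGING_METHODS:
        return True  # GET/HEAD/OPTIONS must be side-effect free; that is enforced elsewhere
    origin = request_origin(headers)
    # Fail closed: a cross-site form post from an older browser, a privacy extension or a
    # sandboxed iframe ('null') arrives with no usable Origin, and must not be accepted.
    return origin is not None and origin == trusted_origin.lower()


def session_set_cookie(session_id: str) -> str:
    """Set-Cookie value for the session cookie with SameSite stated explicitly."""
    return f"session={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"


# Constructed sample traffic, not captured from a real instance.
SAMPLE_REQUESTS = {
    "legit_api_call": ("POST", {"Origin": "https://yourspotify.example", "Cookie": "session=abc"}),
    "attacker_page": ("POST", {"Origin": "https://attacker.example", "Cookie": "session=abc"}),
    "no_origin_post": ("POST", {"Cookie": "session=abc"}),
    "null_origin": ("POST", {"Origin": "null", "Cookie": "session=abc"}),
    "referer_only": ("DELETE", {"Referer": "https://yourspotify.example/settings", "Cookie": "session=abc"}),
    "read_only": ("GET", {"Origin": "https://attacker.example", "Cookie": "session=abc"}),
}


def evaluate_samples() -> dict:
    """Run the CSRF check over every constructed request and report allow/deny per case."""
    return {name: csrf_allows(method, headers) for name, (method, headers) in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, allowed in evaluate_samples().items():
        print(f"{name:15} {'allowed' if allowed else 'rejected'}")
    print(session_set_cookie("abc"))
```

The Origin check is defence in depth: SameSite=Lax alone does not cover browsers that ignore the attribute, and a synchronizer or double-submit token is still the primary defence for forms; the point here is that a state-changing request with no verifiable origin is rejected rather than trusted.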
36. CVE-2024-0799
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: An authentication bypass vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in the edge-app-base-webui.jar!com.ca.arcserve.edge.app.base.ui.server.EdgeLoginServiceImpl.doLogin() function within wizardLogin.
References: https://www.tenable.com/security/research/tra-2024-07
CWE-ID: CWE-287
Common Platform Enumerations (CPE): Not Found
37. CVE-2024-0800
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: A path traversal vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in edge-app-base-webui.jar!com.ca.arcserve.edge.app.base.ui.server.servlet.ImportNodeServlet.
References: https://www.tenable.com/security/research/tra-2024-07
CWE-ID: CWE-434
Common Platform Enumerations (CPE): Not Found
38. CVE-2024-0801
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: A denial of service vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in ASNative.dll.
References: https://www.tenable.com/security/research/tra-2024-07
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
39. CVE-2024-28194
Base Score: 9.1
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.2
Description: your_spotify is an open source, self hosted Spotify tracking dashboard. YourSpotify versions < 1.8.0 use a hardcoded JSON Web Token (JWT) secret to sign authentication tokens. Attackers can use this well-known value to forge valid authentication tokens for arbitrary users. This vulnerability allows attackers to bypass authentication and authenticate as arbitrary YourSpotify users, including admin users. This issue has been addressed in version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References: https://github.com/Yooooomi/your_spotify/security/advisories/GHSA-gvcr-g265-j827
CWE-ID: CWE-798
Common Platform Enumerations (CPE): Not Found
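The hardcoded-secret failure described for CVE-2024-28194 is easy to reproduce with standard-library Python. The block below is an added example, not your_spotify code: it implements HS256 JWT signing and verification, shows that a server whose signing secret is a constant shipped in the source will accept a token the attacker minted for an arbitrary admin user, and shows that a per-installation random secret defeats the same forgery. The value `b"hardcoded-demo-secret"`, the claim names and the `generate_instance_secret` helper are assumptions for illustration, not values or code from the project.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Assumption for the demo: a constant baked into the source, as CWE-798 describes.
# Not the real your_spotify value; any constant shipped to every install has the same problem.
DEMO_HARDCODED_SECRET = b"hardcoded-demo-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, secret: bytes) -> str:
    """Compact HS256 JWT: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_jwt(token: str, secret: bytes) -> Optional[dict]:
    """Return the claims if token is a valid, unexpired HS256 JWT under secret, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm server-side; the token never gets to choose (rejects alg=none).
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # wrong segment count, bad base64 padding, malformed JSON
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), (int, float)):
        return None  # an expiry is mandatory
    if claims["exp"] < time.time():
        return None
    return claims


def forge_admin_token(known_secret: bytes) -> str:
    """What an attacker does once the secret is public: mint a token for any user they like."""
    return sign_jwt({"sub": "admin", "admin": True, "exp": int(time.time()) + 3600}, known_secret)


def forgery_accepted(server_secret: bytes, secret_known_to_attacker: bytes) -> bool:
    """True if the server would authenticate the attacker's forged admin token."""
    claims = verify_jwt(forge_admin_token(secret_known_to_attacker), server_secret)
    return claims is not None and claims.get("admin") is True


def generate_instance_secret() -> bytes:
    """The fix: a 256-bit secret generated once per installation and kept outside the code base."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    print("hardcoded secret, forged admin token accepted:",
          forgery_accepted(DEMO_HARDCODED_SECRET, DEMO_HARDCODED_SECRET))
    print("per-instance secret, forged admin token accepted:",
          forgery_accepted(generate_instance_secret(), DEMO_HARDCODED_SECRET))
```

The verifier itself is sound; the only thing wrong in the vulnerable configuration is that its key is public. That is why a rotation to a generated secret (which invalidates every outstanding token) is the whole fix, and why no workaround short of changing the secret exists.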
40. CVE-2024-24693
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 0.8
Impact Score: 5.8
Description: Improper access control in the installer for Zoom Rooms Client for Windows before version 5.17.5 may allow an authenticated user to conduct a denial of service via local access.
References: https://www.zoom.com/en/trust/security-bulletin/zsb-24009/
CWE-ID: CWE-284
Common Platform Enumerations (CPE): Not Found
41. CVE-2024-22167
Base Score: 7.9
Base Severity: HIGH
Exploitability Score: 1.5
Impact Score: 5.8
Description: A potential DLL hijacking vulnerability exists in the SanDisk PrivateAccess application for Windows that could lead to arbitrary code execution in the context of the system user. This vulnerability is only exploitable locally if an attacker has access to a copy of the user's vault or has already gained access into a user's system. This attack is limited to the system in context and cannot be propagated.
References: https://www.westerndigital.com/support/product-security/wdc-24002-sandisk-privateaccess-desktop-app-v-6-4-10
CWE-ID: CWE-427
Common Platform Enumerations (CPE): Not Found
42. CVE-2024-27102
Base Score: 9.9
Base Severity: CRITICAL
Exploitability Score: 3.1
Impact Score: 6.0
Description: Wings is the server control plane for Pterodactyl Panel. This vulnerability impacts anyone running the affected versions of Wings. The vulnerability can potentially be used to access files and directories on the host system. The full scope of impact is not yet known exactly, but reading files outside of a server's base directory (sandbox root) is possible. In order to use this exploit, an attacker must have an existing "server" allocated and controlled by Wings. Details on the exploitation of this vulnerability are embargoed until March 27th, 2024 at 18:00 UTC. In order to mitigate this vulnerability, a full rewrite of the entire server filesystem was necessary. Because of this, the patch is large; however, effort was made to reduce the amount of breaking changes. Users are advised to update to version 1.11.9. There are no known workarounds for this vulnerability.
References: https://github.com/pterodactyl/wings/commit/d1c0ca526007113a0f74f56eba99511b4e989287
https://github.com/pterodactyl/wings/security/advisories/GHSA-494h-9924-xww9
CWE-ID: CWE-22 CWE-362 CWE-363
Common Platform Enumerations (CPE): Not Found
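The bug class the Wings advisory describes (a requested path that resolves outside the server's sandbox root, with a race component, per the CWE-22/CWE-362/CWE-363 tags) is worth seeing in code even though the specifics are embargoed. The block below is an added example and not Wings code: it canonicalises the requested path, refuses anything whose real path leaves the sandbox root (including a symlink planted inside the sandbox that points outside it), and opens the file with O_NOFOLLOW so a final component swapped for a symlink between the check and the open is not followed. The directory layout, file names and the `read_sandboxed` helper are constructed for illustration.

```python
import os
import shutil
import stat
import tempfile


def resolve_in_sandbox(sandbox_root: str, user_path: str) -> str:
    """Canonicalise user_path under sandbox_root; raise PermissionError if the real path escapes it."""
    root = os.path.realpath(sandbox_root)
    # A leading '/' from the client means "sandbox root", never the host root.
    candidate = os.path.realpath(os.path.join(root, user_path.lstrip("/")))
    # realpath has collapsed '..' and followed symlinks, so a prefix test on the result is meaningful.
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError(f"path escapes sandbox: {user_path!r} -> {candidate}")
    return candidate


def read_sandboxed(sandbox_root: str, user_path: str, limit: int = 1 << 20) -> bytes:
    """Read a regular file inside the sandbox, refusing to follow a symlink at the final component."""
    target = resolve_in_sandbox(sandbox_root, user_path)
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0) | getattr(os, "O_CLOEXEC", 0)
    fd = os.open(target, flags)  # ELOOP if the last component became a symlink after the check
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise PermissionError(f"not a regular file: {user_path!r}")
        return os.read(fd, limit)
    finally:
        os.close(fd)


def _attempt(sandbox_root: str, user_path: str) -> str:
    try:
        read_sandboxed(sandbox_root, user_path)
        return "allowed"
    except OSError:  # PermissionError from the check, or ELOOP/ENOENT from the open
        return "rejected"


def demo_sandbox_checks() -> dict:
    """Build a throwaway sandbox and try an in-bounds read, a '..' escape and a symlink escape."""
    base = tempfile.mkdtemp(prefix="sandbox-demo-")
    try:
        sandbox = os.path.join(base, "volumes", "srv-1")
        os.makedirs(sandbox)
        with open(os.path.join(sandbox, "server.properties"), "wb") as fh:
            fh.write(b"motd=hello\n")
        host_secret = os.path.join(base, "host-secret.txt")  # stands in for a file on the host
        with open(host_secret, "wb") as fh:
            fh.write(b"top secret\n")

        results = {
            "inside": read_sandboxed(sandbox, "server.properties"),
            "leading_slash": read_sandboxed(sandbox, "/server.properties"),
            "dotdot": _attempt(sandbox, "../../host-secret.txt"),
        }
        try:
            os.symlink(host_secret, os.path.join(sandbox, "escape"))
        except OSError:
            results["symlink"] = "skipped"  # platform without symlink support or permission
        else:
            results["symlink"] = _attempt(sandbox, "escape")
        return results
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for name, outcome in demo_sandbox_checks().items():
        print(f"{name:14} {outcome!r}")
```

The remaining gap is the race the CWE-362/CWE-363 tags point at: an intermediate directory can still be replaced by a symlink between the realpath call and the open, and O_NOFOLLOW only protects the final component. Closing that fully on Linux needs openat2 with RESOLVE_BENEATH or a descriptor-relative walk of each component, neither of which the Python standard library exposes directly, which is consistent with the advisory's statement that a rewrite of the server filesystem layer was required.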
43. CVE-2024-28175
Base Score: 9.0
Base Severity: CRITICAL
Exploitability Score: 2.3
Impact Score: 6.0
Description: Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Due to the improper URL protocols filtering of links specified in the `link.argocd.argoproj.io` annotations in the application summary component, an attacker can achieve cross-site scripting with elevated permissions. All unpatched versions of Argo CD starting with v1.0.0 are vulnerable to a cross-site scripting (XSS) bug allowing a malicious user to inject a javascript: link in the UI. When clicked by a victim user, the script will execute with the victim's permissions (up to and including admin). This vulnerability allows an attacker to perform arbitrary actions on behalf of the victim via the API, such as creating, modifying, and deleting Kubernetes resources. A patch for this vulnerability has been released in Argo CD versions v2.10.3, v2.9.8, and v2.8.12. There are no completely safe workarounds besides upgrading. The safest alternative, if upgrading is not possible, would be to create a Kubernetes admission controller to reject any resources with an annotation starting with link.argocd.argoproj.io or reject the resource if the value uses an improper URL protocol. This validation will need to be applied in all clusters managed by Argo CD.
References: https://github.com/argoproj/argo-cd/commit/479b5544b57dc9ef767d49f7003f39602c480b71
https://github.com/argoproj/argo-cd/security/advisories/GHSA-jwv5-8mqv-g387
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
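The Argo CD issue comes down to scheme filtering on attacker-controlled link annotations, and the suggested mitigation is an admission controller that rejects such annotations. The block below is an added example, not Argo CD code or a real webhook: it normalises a URL the way a browser does before looking at the scheme (so `javascript:` with a leading space, mixed case or an embedded tab is still caught), allowlists http(s) instead of denylisting `javascript:`, and applies the check to the annotations of a constructed Application object as a validating webhook would. The allowlist, the `link.argocd.argoproj.io/<name>` key shape and the sample metadata are assumptions.

```python
from typing import Dict, List
from urllib.parse import urlsplit

# Assumptions for the demo: UI links may only be absolute http(s) URLs, and link annotation
# keys take the form link.argocd.argoproj.io/<name>.
ALLOWED_SCHEMES = frozenset({"http", "https"})
LINK_ANNOTATION_PREFIX = "link.argocd.argoproj.io/"

_TAB_NEWLINE = {ord("\t"): None, ord("\n"): None, ord("\r"): None}
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def browser_normalise(url: str) -> str:
    """First steps of the WHATWG URL parser: strip leading/trailing C0 controls and space,
    delete tab/newline anywhere. A browser turns 'java\\tscript:' into 'javascript:', so this must too."""
    return url.translate(_TAB_NEWLINE).strip(_C0_AND_SPACE)


def is_safe_link(url: str) -> bool:
    """Allowlist check: only absolute http(s) URLs with a host pass. A javascript: denylist is not enough."""
    parts = urlsplit(browser_normalise(url))
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


def offending_link_annotations(metadata: Dict) -> List[str]:
    """Link annotation keys an admission webhook should reject for this object's metadata."""
    annotations = metadata.get("annotations") or {}
    return [key for key, value in annotations.items()
            if key.startswith(LINK_ANNOTATION_PREFIX) and not is_safe_link(str(value))]


# Constructed Application metadata, not taken from any real cluster.
SAMPLE_APP_METADATA = {
    "name": "payments",
    "namespace": "argocd",
    "annotations": {
        "link.argocd.argoproj.io/dashboard": "https://grafana.example.internal/d/payments",
        "link.argocd.argoproj.io/runbook": "  JaVaScRiPt:alert(document.cookie)",
        "argocd.argoproj.io/sync-wave": "1",
    },
}


if __name__ == "__main__":
    for key in offending_link_annotations(SAMPLE_APP_METADATA):
        print("reject:", key, "=", SAMPLE_APP_METADATA["annotations"][key])
```

A webhook built on this would deny the admission request whenever the returned list is non-empty, and the same `is_safe_link` check belongs in the UI before the value is ever placed in an href, since the annotation can arrive through any path that writes Application objects.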
44. CVE-2020-11862
Base Score: 8.6
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 4.0
Description: Allocation of Resources Without Limits or Throttling vulnerability in OpenText NetIQ Privileged Account Manager on Linux, Windows, 64 bit allows Flooding. This issue affects NetIQ Privileged Account Manager: before 3.7.0.2.
References: https://www.netiq.com/documentation/privileged-account-manager-37/npam_3702_releasenotes/data/npam_3702_releasenotes.html
CWE-ID: CWE-770
Common Platform Enumerations (CPE): Not Found
45. CVE-2023-38534
Base Score: 8.6
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 4.0
Description: Improper authentication vulnerability in OpenText™ Exceed Turbo X affecting versions 12.5.0 and 12.5.1. The vulnerability could allow disclosure of restricted information via unauthenticated RPC.
References: https://support.opentext.com/csm?id=kb_article_view&sysparm_article=KB0796609
CWE-ID: CWE-287
Common Platform Enumerations (CPE): Not Found
This edition of the AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in National Vulnerability Database between March 13-14, 2024.
During this period, The National Vulnerability Database published 221, and these new Common Vulnerabilities and Exposures (CVEs) are classified as follows:
Critical: 9
High: 36
Medium: 131
Low: 4
Severity Not Assigned: 41
Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.
1. CVE-2024-2413
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: Intumit SmartRobot uses a fixed encryption key for authentication. Remote attackers can use this key to encrypt a string composed of the user's name and timestamp to generate an authentication code. With this authentication code, they can obtain administrator privileges and subsequently execute arbitrary code on the remote server using built-in system functionality.
References: https://www.twcert.org.tw/tw/cp-132-7697-ecf10-1.html
CWE-ID: CWE-321
Common Platform Enumerations (CPE): Not Found
2. CVE-2015-10123
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: An unautheticated remote attacker could send specifically crafted packets to a affected device. If an authenticated user then views that data in a specific page of the web-based management a buffer overflow will be triggered to gain full access of the device.
References: https://cert.vde.com/en/advisories/VDE-2023-039/
CWE-ID: CWE-120
Common Platform Enumerations (CPE): Not Found
3. CVE-2024-2123
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 2.7
Description: The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the several parameters in all versions up to, and including, 2.8.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
References: https://plugins.trac.wordpress.org/browser/ultimate-member/trunk/templates/members-grid.php#L44
https://plugins.trac.wordpress.org/browser/ultimate-member/trunk/templates/members-grid.php#L53
https://plugins.trac.wordpress.org/browser/ultimate-member/trunk/templates/members-grid.php#L65
https://plugins.trac.wordpress.org/browser/ultimate-member/trunk/templates/members-list.php#L39
https://plugins.trac.wordpress.org/browser/ultimate-member/trunk/templates/members-list.php#L53
https://plugins.trac.wordpress.org/changeset/3046611/ultimate-member#file746
https://www.wordfence.com/threat-intel/vulnerabilities/id/c8bc1653-8fee-468a-bb6d-f24959846ee5?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
4. CVE-2024-2414
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The primary channel is unprotected on Movistar 4G router affecting E version S_WLD71-T1_v2.0.201820. This device has the 'adb' service open on port 5555 and provides access to a shell with root privileges.
References: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-movistar-4g-router
CWE-ID: CWE-419
Common Platform Enumerations (CPE): Not Found
5. CVE-2024-2415
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description: Command injection vulnerability in Movistar 4G router affecting version ES_WLD71-T1_v2.0.201820. This vulnerability allows an authenticated user to execute commands inside the router by making a POST request to the URL '/cgi-bin/gui.cgi'.
References: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-movistar-4g-router
CWE-ID: CWE-78
Common Platform Enumerations (CPE): Not Found
6. CVE-2024-2247
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: JFrog Artifactory versions below 7.77.7, are vulnerable to DOM-based cross-site scripting due to improper handling of the import override mechanism.
References: https://jfrog.com/help/r/jfrog-release-information/jfrog-security-advisories
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
7. CVE-2024-25153
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: A directory traversal within the ‘ftpservlet’ of the FileCatalyst Workflow Web Portal allows files to be uploaded outside of the intended ‘uploadtemp’ directory with a specially crafted POST request. In situations where a file is successfully uploaded to web portal’s DocumentRoot, specially crafted JSP files could be used to execute code, including web shells.
References: https://filecatalyst.software/public/filecatalyst/Workflow/5.1.6.114/fcweb_releasenotes.html
https://www.fortra.com/security/advisory/fi-2024-002
CWE-ID: CWE-472
Common Platform Enumerations (CPE): Not Found
8. CVE-2024-25155
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 2.7
Description: In FileCatalyst Direct 3.8.8 and earlier through 3.8.6, the web server does not properly sanitize illegal characters in a URL which is then displayed on a subsequent error page. A malicious actor could craft a URL which would then execute arbitrary code within an HTML script tag.
References: https://filecatalyst.software/public/filecatalyst/Direct/3.8.9.90/whatsnew_direct.html
https://www.fortra.com/security/advisory/fi-2024-003
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
9. CVE-2023-5663
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The News Announcement Scroll plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode in versions up to, and including, 9.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with contributor-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References: https://plugins.trac.wordpress.org/browser/news-announcement-scroll/tags/9.0.0/news-announcement-scroll.php#L261
https://plugins.trac.wordpress.org/changeset/2987837/news-announcement-scroll#file2
https://www.wordfence.com/threat-intel/vulnerabilities/id/b29113d6-7a9a-4e10-a446-147ec146ac93?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
10. CVE-2023-6825
Base Score: 9.9
Base Severity: CRITICAL
Exploitability Score: 3.1
Impact Score: 6.0
Description: The File Manager and File Manager Pro plugins for WordPress are vulnerable to Directory Traversal in versions up to, and including version 7.2.1 (free version) and 8.3.4 (Pro version) via the target parameter in the mk_file_folder_manager_action_callback_shortcode function. This makes it possible for attackers to read the contents of arbitrary files on the server, which can contain sensitive information and to upload files into directories other than the intended directory for file uploads. The free version requires Administrator access for this vulnerability to be exploitable. The Pro version allows a file manager to be embedded via a shortcode and also allows admins to grant file handling privileges to other user levels, which could lead to this vulnerability being exploited by lower-level users.
References: https://github.com/Studio-42/elFinder/blob/master/php/elFinderVolumeDriver.class.php#L6784
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3023403%40wp-file-manager%2Ftrunk&old=2984933%40wp-file-manager%2Ftrunk&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/93f377a1-2c33-4dd7-8fd6-190d9148e804?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
11. CVE-2024-0161
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 0.8
Impact Score: 5.8
Description: Dell PowerEdge Server BIOS and Dell Precision Rack BIOS contain an Improper SMM communication buffer verification vulnerability. A local low privileged attacker could potentially exploit this vulnerability leading to arbitrary writes to SMRAM.
References: https://www.dell.com/support/kbdoc/en-us/000222979/dsa-2024-006-security-update-for-dell-poweredge-server-bios-for-an-improper-smm-communication-buffer-verification-vulnerability
CWE-ID: CWE-20
Common Platform Enumerations (CPE): Not Found
12. CVE-2024-0368
Base Score: 8.6
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 4.0
Description: The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.8.3 via hardcoded API Keys. This makes it possible for unauthenticated attackers to extract sensitive data including PII.
References: https://developers.hubspot.com/docs/api/webhooks#manage-settings-via-api
https://developers.hubspot.com/docs/api/webhooks#scopes
https://plugins.trac.wordpress.org/browser/wordpress-popup/trunk/inc/providers/hubspot/hustle-hubspot-api.php#L13
https://plugins.trac.wordpress.org/changeset/3047775/wordpress-popup/trunk/inc/providers/hubspot/hustle-hubspot-api.php?old=3025070&old_path=wordpress-popup/tags/7.8.3/inc/providers/hubspot/hustle-hubspot-api.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/e6d40b41-540d-476d-afde-970845543933?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
13. CVE-2024-0683
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: The Bulgarisation for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on several functions in all versions up to, and including, 3.0.14. This makes it possible for unauthenticated and authenticated attackers, with subscriber-level access and above, to generate and delete labels.
References: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3034198%40bulgarisation-for-woocommerce&new=3034198%40bulgarisation-for-woocommerce&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/be759c83-a9df-4858-a724-28006a595404?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
14. CVE-2024-1071
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to SQL Injection via the 'sorting' parameter in versions 2.1.3 to 2.8.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References: https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.8.2/includes/core/class-member-directory-meta.php?rev=3022076
https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.8.2/includes/core/class-member-directory-meta.php?rev=3022076#L666
https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.8.2/includes/core/class-member-directory-meta.php?rev=3022076#L858
https://plugins.trac.wordpress.org/changeset/3038036/ultimate-member/trunk/includes/core/class-member-directory-meta.php
https://wordpress.org/plugins/ultimate-member/
https://www.wordfence.com/threat-intel/vulnerabilities/id/005fa621-3c49-4c23-add5-d6b7a9110055?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
15. CVE-2024-1203
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Conversios – Google Analytics 4 (GA4), Meta Pixel & more Via Google Tag Manager For WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'valueData' parameter in all versions up to, and including, 6.9.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References: https://plugins.trac.wordpress.org/browser/enhanced-e-commerce-for-woocommerce-store/trunk/includes/data/class-tvc-ajax-file.php#L1850
https://www.wordfence.com/threat-intel/vulnerabilities/id/7eb7d499-28ba-48ef-9798-b7c8cbb7aa3e?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
16. CVE-2024-1311
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Brizy – Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the storeImages function in all versions up to, and including, 2.4.40. This makes it possible for authenticated attackers, with contributor access or above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
References: https://plugins.trac.wordpress.org/browser/brizy/trunk/editor/zip/archiver.php#L254
https://plugins.trac.wordpress.org/changeset/3034945/brizy/tags/2.4.41/editor/zip/archiver.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/dc023c1b-7ec6-45b6-b50a-f0d823065843?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
17. CVE-2024-1358
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Elementor Addon Elements plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.12.12 via the render function. This makes it possible for authenticated attackers, with contributor access or higher, to include the contents of arbitrary PHP files on the server, which may expose sensitive information.
References: https://plugins.trac.wordpress.org/browser/addon-elements-for-elementor-page-builder/tags/1.12.12/modules/shape-separator/widgets/shape-separator.php#L89
https://plugins.trac.wordpress.org/changeset/3037925/addon-elements-for-elementor-page-builder/trunk/modules/shape-separator/widgets/shape-separator.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/20cd3fff-0488-4bc2-961b-2427925e6a96?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
18. CVE-2024-1505
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Academy LMS – eLearning and online course solution for WordPress plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.9.19. This is due to plugin allowing arbitrary user meta updates through the saved_user_info() function. This makes it possible for authenticated attackers, with minimal permissions such as students, to elevate their user role to that of an administrator.
References: https://plugins.trac.wordpress.org/changeset/3037880/academy#file473
https://www.wordfence.com/threat-intel/vulnerabilities/id/b150f90a-ccb7-4c19-a4b3-eaf9ec264ba8?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
19. CVE-2024-1536
Base Score: 7.4
Base Severity: HIGH
Exploitability Score: 3.1
Impact Score: 3.7
Description: The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's event calendar widget in all versions up to, and including, 5.9.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
References: https://plugins.trac.wordpress.org/changeset/3037755/essential-addons-for-elementor-lite/tags/5.9.10/includes/Elements/Event_Calendar.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/12dc9e63-17bb-4755-be3c-ae8b26edd3cd?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
20. CVE-2024-1751
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to time-based SQL Injection via the question_id parameter in all versions up to, and including, 2.6.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber/student access or higher, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References: https://plugins.trac.wordpress.org/browser/tutor/tags/2.6.1/classes/Utils.php#L4555
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3049105%40tutor&new=3049105%40tutor&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/f9cee379-79f8-4a60-b1bb-ccab1e954512?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
21. CVE-2024-1772
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Play.ht – Make Your Blog Posts Accessible With Text to Speech Audio plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.6.4 via deserialization of untrusted input from the play_podcast_data post meta. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
References: https://plugins.trac.wordpress.org/browser/play-ht/trunk/includes/class-ajax-handler.php#L138
https://www.wordfence.com/threat-intel/vulnerabilities/id/83a595b7-379c-4202-abdd-d8ba4a30c6a4?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
22. CVE-2024-1793
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 1.2
Impact Score: 5.9
Description: The AWeber – Free Sign Up Form and Landing Page Builder Plugin for Lead Generation and Email Newsletter Growth plugin for WordPress is vulnerable to SQL Injection via the 'post_id' parameter in all versions up to, and including, 7.3.14 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References: https://glimmer-handball-dae.notion.site/AWeber-Authenticated-SQLi-Admin-6e0d31c4a14c42f4996f9e201482d4cc?pvs=4
https://plugins.trac.wordpress.org/browser/aweber-web-form-widget/tags/7.3.12/php/aweber_webform_plugin.php#L962
https://plugins.trac.wordpress.org/browser/aweber-web-form-widget/tags/7.3.12/php/aweber_webform_plugin.php#L970
https://plugins.trac.wordpress.org/browser/aweber-web-form-widget/tags/7.3.12/php/aweber_webform_plugin.php#L972
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3042751%40aweber-web-form-widget&new=3042751%40aweber-web-form-widget&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/f3ae3bca-d363-4c4b-809f-0625385bc9a6?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
23. CVE-2024-1862
Base Score: 8.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.2
Description: The WooCommerce Add to Cart Custom Redirect plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'wcr_dismiss_admin_notice' function in all versions up to, and including, 1.2.13. This makes it possible for authenticated attackers, with contributor access and above, to update the values of arbitrary site options to 'dismissed'.
References: https://plugins.trac.wordpress.org/browser/woocommerce-add-to-cart-custom-redirect/tags/1.2.13/woocommerce-custom-redirect.php#L204
https://plugins.trac.wordpress.org/changeset?old_path=/woocommerce-add-to-cart-custom-redirect/tags/1.2.13&old=3047408&new_path=/woocommerce-add-to-cart-custom-redirect/tags/1.2.14&new=3047408&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/36c6a116-37cc-4ade-b601-5f9d6aaf9217?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
24. CVE-2024-1935
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 2.7
Description: The Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘parent_url’ parameter in all versions up to, and including, 1.12.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
References: https://plugins.trac.wordpress.org/browser/rafflepress/tags/1.12.5/resources/views/rafflepress-giveaway.php
https://plugins.trac.wordpress.org/changeset?old_path=/rafflepress/tags/1.12.5&old=3043286&new_path=/rafflepress/tags/1.12.7&new=3043286&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/29b471ac-3a08-42da-9907-670c3b3bae92?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
25. CVE-2024-1950
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 1.6
Impact Score: 5.9
Description: The Product Carousel Slider & Grid Ultimate for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.9.7 via deserialization of untrusted input via shortcode. This makes it possible for authenticated attackers, with contributor access and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
References: https://plugins.trac.wordpress.org/browser/woo-product-carousel-slider-and-grid-ultimate/tags/1.9.7/includes/classes/class-meta-box.php
https://plugins.trac.wordpress.org/browser/woo-product-carousel-slider-and-grid-ultimate/tags/1.9.7/includes/classes/class-shortcode.php
https://plugins.trac.wordpress.org/changeset?old_path=/woo-product-carousel-slider-and-grid-ultimate/tags/1.9.7&old=3045923&new_path=/woo-product-carousel-slider-and-grid-ultimate/tags/1.9.8&new=3045923&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/ed8636bf-229a-42a5-a19c-332679613dd2?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
26. CVE-2024-1951
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 1.6
Impact Score: 5.9
Description: The Logo Showcase Ultimate – Logo Carousel, Logo Slider & Logo Grid plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.8 via deserialization of untrusted input supplied through a shortcode. This makes it possible for authenticated attackers, with contributor access and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
References: https://plugins.trac.wordpress.org/browser/logo-showcase-ultimate/tags/1.3.8/classes/lcg-adl-metabox.php
https://plugins.trac.wordpress.org/browser/logo-showcase-ultimate/tags/1.3.8/classes/lcg-shortcode.php
https://plugins.trac.wordpress.org/changeset?old_path=/logo-showcase-ultimate/tags/1.3.8&old=3045923&new_path=/logo-showcase-ultimate/tags/1.3.9&new=3045923&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/a63b2091-1502-4d9f-98c4-ce9d2f923dc4?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
27. CVE-2024-2006
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.6.7 via deserialization of untrusted input in the outpost_shortcode_metabox_markup function. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
References: https://plugins.trac.wordpress.org/browser/post-grid-carousel-ultimate/trunk/includes/classes/metabox.php#L43
https://plugins.trac.wordpress.org/changeset?old_path=/post-grid-carousel-ultimate/tags/1.6.7&old=3045923&new_path=/post-grid-carousel-ultimate/tags/1.6.8&new=3045923&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/8cf1b234-862b-41a0-ab63-a986f8023613?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
28. CVE-2024-2020
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 2.7
Description: The Calculated Fields Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form page href parameter in all versions up to, and including, 5.1.56 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires the professional version or higher.
References: https://wordpress.org/plugins/calculated-fields-form/#developers
https://www.wordfence.com/threat-intel/vulnerabilities/id/45bfa9fb-f35b-4fd4-8553-cf87bf69df6b?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
29. CVE-2024-2172
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: The Malware Scanner plugin and the Web Application Firewall plugin for WordPress (both by MiniOrange) are vulnerable to privilege escalation due to a missing capability check on the mo_wpns_init() function in all versions up to, and including, 4.7.2 (for Malware Scanner) and 2.1.1 (for Web Application Firewall). This makes it possible for unauthenticated attackers to escalate their privileges to that of an administrator.
References: https://plugins.trac.wordpress.org/browser/miniorange-malware-protection/tags/4.7.2/handler/login.php#L89
https://wordpress.org/plugins/miniorange-malware-protection/
https://www.wordfence.com/threat-intel/vulnerabilities/id/6347f588-a3fd-4909-ad57-9d78787b5728?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
30. CVE-2024-2194
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 2.7
Description: The WP Statistics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the URL search parameter in all versions up to, and including, 14.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
References: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3047756%40wp-statistics&new=3047756%40wp-statistics&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/e44e4bdd-d84e-4315-9232-48a3b240242d?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
31. CVE-2024-20318
Base Score: 7.4
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 4.0
Description: A vulnerability in the Layer 2 Ethernet services of Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to cause the line card network processor to reset, resulting in a denial of service (DoS) condition.
This vulnerability is due to the incorrect handling of specific Ethernet frames that are received on line cards that have the Layer 2 services feature enabled. An attacker could exploit this vulnerability by sending specific Ethernet frames through an affected device. A successful exploit could allow the attacker to cause the ingress interface network processor to reset, resulting in a loss of traffic over the interfaces that are supported by the network processor. Multiple resets of the network processor would cause the line card to reset, resulting in a DoS condition.
References: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-xrl2vpn-jesrU3fc
CWE-ID: CWE-20
Common Platform Enumerations (CPE): Not Found
32. CVE-2024-20320
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description: A vulnerability in the SSH client feature of Cisco IOS XR Software for Cisco 8000 Series Routers and Cisco Network Convergence System (NCS) 540 Series and 5700 Series Routers could allow an authenticated, local attacker to elevate privileges on an affected device.
This vulnerability is due to insufficient validation of arguments that are included with the SSH client CLI command. An attacker with low-privileged access to an affected device could exploit this vulnerability by issuing a crafted SSH client command to the CLI. A successful exploit could allow the attacker to elevate privileges to root on the affected device.
References: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-ssh-privesc-eWDMKew3
CWE-ID: CWE-266
Common Platform Enumerations (CPE): Not Found
33. CVE-2024-20327
Base Score: 7.4
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 4.0
Description: A vulnerability in the PPP over Ethernet (PPPoE) termination feature of Cisco IOS XR Software for Cisco ASR 9000 Series Aggregation Services Routers could allow an unauthenticated, adjacent attacker to crash the ppp_ma process, resulting in a denial of service (DoS) condition.
This vulnerability is due to the improper handling of malformed PPPoE packets that are received on a router that is running Broadband Network Gateway (BNG) functionality with PPPoE termination on a Lightspeed-based or Lightspeed-Plus-based line card. An attacker could exploit this vulnerability by sending a crafted PPPoE packet to an affected line card interface that does not terminate PPPoE. A successful exploit could allow the attacker to crash the ppp_ma process, resulting in a DoS condition for PPPoE traffic across the router.
References: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-pppma-JKWFgneW
CWE-ID: CWE-20
Common Platform Enumerations (CPE): Not Found
34. CVE-2024-27952
Base Score: 7.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 3.7
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Codeus Advanced Sermons allows Reflected XSS. This issue affects Advanced Sermons: from n/a through 3.2.
References: https://patchstack.com/database/vulnerability/advanced-sermons/wordpress-advanced-sermons-plugin-3-2-cross-site-scripting-xss-vulnerability?_s_id=cve
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
35. CVE-2024-28195
Base Score: 8.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.2
Description: your_spotify is an open source, self hosted Spotify tracking dashboard. YourSpotify versions < 1.9.0 do not protect the API and login flow against Cross-Site Request Forgery (CSRF). Attackers can use this to execute CSRF attacks on victims, allowing them to retrieve, modify or delete data on the affected YourSpotify instance. Using repeated CSRF attacks, it is also possible to create a new user on the victim instance and promote the new user to instance administrator if a legitimate administrator visits a website prepared by an attacker. Note: Real-world exploitability of this vulnerability depends on the browser version and browser settings in use by the victim. This issue has been addressed in version 1.9.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References: https://github.com/Yooooomi/your_spotify/commit/c3ae87673910c9903bb53088c8b71ed2c9aa54e4
https://github.com/Yooooomi/your_spotify/security/advisories/GHSA-hfgf-99p3-6fjj
CWE-ID: CWE-352
Common Platform Enumerations (CPE): Not Found
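The CSRF entry above is a reminder that a session cookie proves nothing about who initiated a request, because the browser attaches it to cross-site requests too. The check below is an added illustration written for this digest, not YourSpotify's code: a request-level verdict based on the headers a cross-site page cannot forge (Sec-Fetch-Site, Origin, Referer), failing closed when none is present. The allowed-origin set, header names and cookie name are assumptions for the example.

```python
from typing import FrozenSet, Mapping, Optional
from urllib.parse import urlsplit

SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


def origin_of(url: str) -> Optional[str]:
    """Reduce a URL to scheme://host[:port]; None if it is not an http(s) URL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc.lower()}"


def csrf_verdict(method: str, headers: Mapping[str, str],
                 allowed_origins: FrozenSet[str]) -> str:
    """Return "allow" or "reject: <reason>" for one request.

    Hypothetical middleware logic (not the project's code). The decision rests
    on headers the browser sets and a cross-site page cannot forge; the cookie
    alone is not evidence, since the browser sends it on cross-site requests.
    """
    if method.upper() in SAFE_METHODS:
        return "allow"  # safe methods must not change state; enforce that separately
    h = {k.lower(): v for k, v in headers.items()}

    # Fetch Metadata (current browsers): the most reliable signal when present.
    site = h.get("sec-fetch-site")
    if site == "cross-site":
        return "reject: Sec-Fetch-Site=cross-site"
    if site in ("same-origin", "none"):  # "none" = typed URL / bookmark
        return "allow"

    # Origin is sent on every non-GET request by modern browsers.
    origin = h.get("origin")
    if origin is not None:
        if origin == "null" or origin_of(origin) not in allowed_origins:
            return f"reject: Origin {origin!r} not allowed"
        return "allow"

    # Fallback for older browsers: compare only the Referer's origin, not its path.
    referer = h.get("referer")
    if referer is not None:
        if origin_of(referer) not in allowed_origins:
            return "reject: Referer origin not allowed"
        return "allow"

    # No usable header: fail closed. Non-browser API clients should send a
    # bearer token instead of a cookie; bearer tokens are never attached cross-site.
    return "reject: unsafe method without Origin, Referer or Sec-Fetch-Site"


def session_cookie(value: str) -> str:
    """Set-Cookie value asking the browser not to attach the cookie cross-site.

    Defence in depth only: as the advisory notes, whether a browser enforces or
    defaults SameSite varies by version and settings, so the header checks
    above remain the primary control.
    """
    return f"session={value}; Path=/; Secure; HttpOnly; SameSite=Lax"
```

The function is meant to run before any state-changing handler; the login flow counts, since a forced login into an attacker-controlled account is a CSRF outcome too.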
36. CVE-2024-0799
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: An authentication bypass vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in the edge-app-base-webui.jar!com.ca.arcserve.edge.app.base.ui.server.EdgeLoginServiceImpl.doLogin() function within wizardLogin.
References: https://www.tenable.com/security/research/tra-2024-07
CWE-ID: CWE-287
Common Platform Enumerations (CPE): Not Found
37. CVE-2024-0800
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: A path traversal vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in edge-app-base-webui.jar!com.ca.arcserve.edge.app.base.ui.server.servlet.ImportNodeServlet.
References: https://www.tenable.com/security/research/tra-2024-07
CWE-ID: CWE-434
Common Platform Enumerations (CPE): Not Found
38. CVE-2024-0801
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: A denial of service vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in ASNative.dll.
References: https://www.tenable.com/security/research/tra-2024-07
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
39. CVE-2024-28194
Base Score: 9.1
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.2
Description: your_spotify is an open source, self hosted Spotify tracking dashboard. YourSpotify versions < 1.8.0 use a hardcoded JSON Web Token (JWT) secret to sign authentication tokens. Attackers can use this well-known value to forge valid authentication tokens for arbitrary users. This vulnerability allows attackers to bypass authentication and authenticate as arbitrary YourSpotify users, including admin users. This issue has been addressed in version 1.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
References: https://github.com/Yooooomi/your_spotify/security/advisories/GHSA-gvcr-g265-j827
CWE-ID: CWE-798
Common Platform Enumerations (CPE): Not Found
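A hardcoded HMAC secret turns token issuance into token forgery for anyone who has read the source. The block below is an added example for this digest, not YourSpotify's code: a minimal HS256 JWT mint/verify pair, a forged admin token accepted under the (hypothetical, made-up) committed secret, and the fix of generating a per-installation random secret. The secret value, claim names and the `admin` claim are assumptions of the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional, Tuple


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as JWS uses it (RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(payload: dict, secret: bytes) -> str:
    """Issue an HS256 JWT: b64url(header).b64url(payload).b64url(HMAC-SHA256)."""
    def compact(obj: dict) -> str:
        return b64url(json.dumps(obj, separators=(",", ":")).encode())

    signing_input = compact({"alg": "HS256", "typ": "JWT"}) + "." + compact(payload)
    tag = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(tag)


def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Return the payload if the tag verifies under `secret`, otherwise None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        if header.get("alg") != "HS256":
            return None  # pin the algorithm; never let the token choose it
        expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None
        return json.loads(b64url_decode(p))
    except ValueError:  # wrong segment count, bad base64, bad JSON
        return None


# Hypothetical stand-in for a secret committed to the source tree. It is NOT the
# value from any real project; the point is that everyone who can read the code
# (for open source: everyone) holds the signing key.
HARDCODED_SECRET = b"example-secret-checked-into-git"


def forge_token(known_secret: bytes, user_id: str, admin: bool = True) -> str:
    """Attacker side: once the secret is public, minting and forging are the same operation."""
    return mint_hs256({"sub": user_id, "admin": admin}, known_secret)


def generate_instance_secret() -> bytes:
    """Fix: a random per-installation secret created at first start and kept
    outside the repository (environment variable, secret store, or a file the app writes)."""
    return secrets.token_bytes(32)


def demo() -> Tuple[bool, bool]:
    """(forged token accepted by an instance still on the hardcoded secret,
        forged token accepted by an instance that rotated to its own random secret)."""
    forged = forge_token(HARDCODED_SECRET, "admin")
    vulnerable = verify_hs256(forged, HARDCODED_SECRET) is not None
    fixed = verify_hs256(forged, generate_instance_secret()) is not None
    return vulnerable, fixed


if __name__ == "__main__":
    print(demo())
```

Rotating the secret invalidates every outstanding token, which is the intended effect here: tokens signed under a public key-equivalent cannot be trusted regardless of who minted them.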
40. CVE-2024-24693
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 0.8
Impact Score: 5.8
Description: Improper access control in the installer for Zoom Rooms Client for Windows before version 5.17.5 may allow an authenticated user to conduct a denial of service via local access.
References: https://www.zoom.com/en/trust/security-bulletin/zsb-24009/
CWE-ID: CWE-284
Common Platform Enumerations (CPE): Not Found
41. CVE-2024-22167
Base Score: 7.9
Base Severity: HIGH
Exploitability Score: 1.5
Impact Score: 5.8
Description: A potential DLL hijacking vulnerability exists in the SanDisk PrivateAccess application for Windows that could lead to arbitrary code execution in the context of the system user. This vulnerability is only exploitable locally, if an attacker has access to a copy of the user's vault or has already gained access to the user's system. The attack is limited to the system in context and cannot be propagated.
References: https://www.westerndigital.com/support/product-security/wdc-24002-sandisk-privateaccess-desktop-app-v-6-4-10
CWE-ID: CWE-427
Common Platform Enumerations (CPE): Not Found
42. CVE-2024-27102
Base Score: 9.9
Base Severity: CRITICAL
Exploitability Score: 3.1
Impact Score: 6.0
Description: Wings is the server control plane for Pterodactyl Panel. This vulnerability impacts anyone running the affected versions of Wings. The vulnerability can potentially be used to access files and directories on the host system. The full scope of impact is not yet known exactly, but reading files outside of a server's base directory (sandbox root) is possible. In order to use this exploit, an attacker must have an existing "server" allocated and controlled by Wings. Details on the exploitation of this vulnerability are embargoed until March 27th, 2024 at 18:00 UTC. In order to mitigate this vulnerability, a full rewrite of the entire server filesystem was necessary. Because of this, the size of the patch is massive; however, effort was made to reduce the amount of breaking changes. Users are advised to update to version 1.11.9. There are no known workarounds for this vulnerability.
References: https://github.com/pterodactyl/wings/commit/d1c0ca526007113a0f74f56eba99511b4e989287
https://github.com/pterodactyl/wings/security/advisories/GHSA-494h-9924-xww9
CWE-ID: CWE-22 CWE-362 CWE-363
Common Platform Enumerations (CPE): Not Found
43. CVE-2024-28175
Base Score: 9.0
Base Severity: CRITICAL
Exploitability Score: 2.3
Impact Score: 6.0
Description: Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Due to the improper URL protocol filtering of links specified in the `link.argocd.argoproj.io` annotations in the application summary component, an attacker can achieve cross-site scripting with elevated permissions. All unpatched versions of Argo CD starting with v1.0.0 are vulnerable to a cross-site scripting (XSS) bug allowing a malicious user to inject a javascript: link in the UI. When clicked by a victim user, the script will execute with the victim's permissions (up to and including admin). This vulnerability allows an attacker to perform arbitrary actions on behalf of the victim via the API, such as creating, modifying, and deleting Kubernetes resources. A patch for this vulnerability has been released in Argo CD versions v2.10.3, v2.9.8, and v2.8.12. There are no completely-safe workarounds besides upgrading. The safest alternative, if upgrading is not possible, would be to create a Kubernetes admission controller to reject any resources with an annotation starting with link.argocd.argoproj.io or reject the resource if the value uses an improper URL protocol. This validation will need to be applied in all clusters managed by ArgoCD.
References: https://github.com/argoproj/argo-cd/commit/479b5544b57dc9ef767d49f7003f39602c480b71
https://github.com/argoproj/argo-cd/security/advisories/GHSA-jwv5-8mqv-g387
CWE-ID: CWE-79
Common Platform Enumerations (CPE): Not Found
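Four entries in this digest put user-controlled URLs into links: the RafflePress `parent_url` parameter, the Calculated Fields Form `href` parameter, the WP Statistics URL search parameter, and the Argo CD `link.argocd.argoproj.io` annotations. The href context needs two independent controls, a scheme allowlist (output escaping leaves `javascript:alert(1)` intact) and attribute escaping (a scheme check leaves `https://x/" onmouseover="...` intact). The block below is an added example written for this digest, not code from any of those projects: a `safe_href` that canonicalises the way the WHATWG URL parser does before checking the scheme, a renderer that falls back to plain text, and an admission-style check of the kind the Argo CD advisory suggests. The annotation keys in the test manifest and the assumption that the annotation value is the URL itself are the example's own.

```python
import html
import re
from typing import Dict, FrozenSet, List, Optional, Tuple

ALLOWED_SCHEMES: FrozenSet[str] = frozenset({"http", "https"})
LINK_ANNOTATION_PREFIX = "link.argocd.argoproj.io"

# The WHATWG URL parser drops leading C0 controls and spaces and removes every
# tab/CR/LF before it reads the scheme, so " JavaScript:" and "java\tscript:"
# both execute. The validator has to see the URL the way the browser will.
LEADING_JUNK = "".join(chr(c) for c in range(0x21))
INNER_JUNK = re.compile(r"[\t\n\r]")
SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def safe_href(value: str, allow_relative: bool = True,
              schemes: FrozenSet[str] = ALLOWED_SCHEMES) -> Optional[str]:
    """Return the URL escaped for an HTML attribute, or None if it must be dropped.

    Scheme allowlist stops javascript:, data:, vbscript: and friends; attribute
    escaping stops breaking out of the quotes. Escaping happens last, so an
    entity-encoded scheme ("javascript&#58;") stays inert: the '&' becomes '&amp;'.
    """
    cleaned = INNER_JUNK.sub("", value).lstrip(LEADING_JUNK)
    m = SCHEME.match(cleaned)
    if m:
        if m.group(1).lower() not in schemes:
            return None
    elif not allow_relative:
        return None
    return html.escape(cleaned, quote=True)


def render_link(text: str, url: str) -> str:
    """Emit an anchor, or fall back to escaped plain text if the URL is unsafe."""
    href = safe_href(url)
    label = html.escape(text, quote=True)
    return f'<a href="{href}">{label}</a>' if href is not None else label


def check_link_annotations(manifest: Dict) -> List[Tuple[str, str]]:
    """Admission-style check: (annotation, reason) for every link annotation whose
    value is not an absolute http(s) URL. Assumes the annotation value is the URL
    (the layout this hypothetical validator expects)."""
    annotations = (manifest.get("metadata") or {}).get("annotations") or {}
    rejected: List[Tuple[str, str]] = []
    for key, value in annotations.items():
        if not key.startswith(LINK_ANNOTATION_PREFIX):
            continue
        if safe_href(str(value), allow_relative=False) is None:
            rejected.append((key, "URL scheme not in allowlist"))
    return rejected


if __name__ == "__main__":
    for candidate in ("https://example.com/?a=1&b=2", "javascript:alert(1)",
                      " JavaScript:alert(1)", "java\tscript:alert(1)",
                      'https://x/" onmouseover="alert(1)'):
        print(repr(candidate), "->", render_link("link", candidate))
```

The same `safe_href` serves both the server-side template (render the anchor only from its return value) and the admission webhook (reject the object when it returns None); the advisory's note that the check must run in every cluster Argo CD manages applies to the webhook deployment, not to the function.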
44. CVE-2020-11862
Base Score: 8.6
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 4.0
Description: Allocation of Resources Without Limits or Throttling vulnerability in OpenText NetIQ Privileged Account Manager on Linux, Windows, 64 bit allows Flooding. This issue affects NetIQ Privileged Account Manager: before 3.7.0.2.
References: https://www.netiq.com/documentation/privileged-account-manager-37/npam_3702_releasenotes/data/npam_3702_releasenotes.html
CWE-ID: CWE-770
Common Platform Enumerations (CPE): Not Found
45. CVE-2023-38534
Base Score: 8.6
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 4.0
Description: Improper authentication vulnerability in OpenText™ Exceed Turbo X affecting versions 12.5.0 and 12.5.1. The vulnerability could allow disclosure of restricted information in unauthenticated RPC.
References: https://support.opentext.com/csm?id=kb_article_view&sysparm_article=KB0796609
CWE-ID: CWE-287
Common Platform Enumerations (CPE): Not Found