In the dynamic realm of cybersecurity, staying updated on the latest vulnerabilities is imperative.
This edition of the AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in National Vulnerability Database between May 22-23, 2024.
During this period, The National Vulnerability Database published 183, and these new Common Vulnerabilities and Exposures (CVEs) are classified as follows:
Critical: 5
High: 16
Medium: 48
Low: 1
Severity Not Assigned: 113
Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.
1. CVE-2024-3518
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Media Library Assistant plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode(s) in all versions up to, and including, 3.15 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor access or higher, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References: https://plugins.trac.wordpress.org/browser/media-library-assistant/trunk/includes/class-mla-shortcode-custom-list.php#L1971
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3069819%40media-library-assistant%2Ftrunk&old=3060779%40media-library-assistant%2Ftrunk&sfp_email=&sfph_mail=#file3
https://www.wordfence.com/threat-intel/vulnerabilities/id/a7af1a03-8382-4593-a41f-8cdb1bb9e53b?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
2. CVE-2024-4443
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: The Business Directory Plugin – Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the ‘listingfields’ parameter in all versions up to, and including, 6.4.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References: https://plugins.trac.wordpress.org/browser/business-directory-plugin/trunk/includes/fields/class-fieldtypes-select.php#L110
https://plugins.trac.wordpress.org/changeset/3089626/
https://www.wordfence.com/threat-intel/vulnerabilities/id/982fb304-08d6-4195-97a3-f18e94295492?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
3. CVE-2024-2088
Base Score: 8.5
Base Severity: HIGH
Exploitability Score: 3.1
Impact Score: 4.7
Description: The NextScripts: Social Networks Auto-Poster plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.4.3 via the 'nxs_getExpSettings' function. This makes it possible for authenticated attackers, with subscriber access and above, to extract sensitive data including social network API keys and secrets.
References: https://plugins.trac.wordpress.org/browser/social-networks-auto-poster-facebook-twitter-g/trunk/inc/nxs_functions_wp.php#L620
https://plugins.trac.wordpress.org/changeset/3084635/social-networks-auto-poster-facebook-twitter-g/trunk/inc/nxs_functions_wp.php?contextall=1
https://www.wordfence.com/threat-intel/vulnerabilities/id/70724bc7-c1f4-4965-8bba-99b2ed21d34b?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
4. CVE-2024-4157
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 1.6
Impact Score: 5.9
Description: The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.1.15 via deserialization of untrusted input in the extractDynamicValues function. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. Successful exploitation requires the attacker to have "View Form" and "Manage Form" permissions, which must be explicitly set by an administrator. However, this requirement can be bypassed when this vulnerability is chained with CVE-2024-2771.
References: https://plugins.trac.wordpress.org/changeset/3081740/fluentform
https://www.wordfence.com/threat-intel/vulnerabilities/id/8def156a-f2f2-4640-a1c9-c21c74e1f308?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
5. CVE-2024-5147
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: The WPZOOM Addons for Elementor (Templates, Widgets) plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1.37 via the 'grid_style' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
References: https://plugins.trac.wordpress.org/browser/wpzoom-elementor-addons/trunk/includes/wpzoom-elementor-ajax-posts-grid.php#L105
https://plugins.trac.wordpress.org/browser/wpzoom-elementor-addons/trunk/includes/wpzoom-elementor-ajax-posts-grid.php#L112
https://plugins.trac.wordpress.org/changeset/3090236#file6
https://www.wordfence.com/threat-intel/vulnerabilities/id/f006bb33-d017-445b-9c02-bd848c199671?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
6. CVE-2024-3495
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' parameters in versions up to, and including, 2.7.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References: https://plugins.trac.wordpress.org/browser/country-state-city-auto-dropdown/trunk/includes/ajax-actions.php#L22
https://plugins.trac.wordpress.org/browser/country-state-city-auto-dropdown/trunk/includes/ajax-actions.php#L8
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3089374%40country-state-city-auto-dropdown%2Ftrunk&old=3068802%40country-state-city-auto-dropdown%2Ftrunk&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/17dcacaf-0e2a-4bef-b944-fb7e43d25777?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
7. CVE-2024-5031
Base Score: 8.5
Base Severity: HIGH
Exploitability Score: 3.1
Impact Score: 4.7
Description: The Memberpress plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 1.11.29 via the 'mepr-user-file' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
References: https://memberpress.com/change-log/
https://www.wordfence.com/threat-intel/vulnerabilities/id/80064e3b-6996-49eb-a475-0ffe0e894f9e?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
8. CVE-2024-4262
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 2.7
Description: The Piotnet Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 2.4.28 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
References: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3088562%40piotnet-addons-for-elementor&old=3048934%40piotnet-addons-for-elementor&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/812cc8f1-f89e-47c4-b029-f6a3dbc55d70?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
9. CVE-2023-20239
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. This vulnerability exists because the web-based management interface does not adequately validate user input. An attacker could exploit this vulnerability by authenticating to the application and sending crafted SQL queries to an affected system. A successful exploit could allow the attacker to obtain any data from the database, execute arbitrary commands on the underlying operating system, and elevate privileges to root. To exploit this vulnerability, an attacker would need at least Read Only user credentials.
References: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-sqli-WFFDnNOs
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
10. CVE-2024-36077
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: Qlik Sense Enterprise for Windows before 14.187.4 allows a remote attacker to elevate their privilege due to improper validation. The attacker can elevate their privilege to the internal system role, which allows them to execute commands on the server. This affects February 2024 Patch 3 (14.173.3 through 14.173.7), November 2023 Patch 8 (14.159.4 through 14.159.13), August 2023 Patch 13 (14.139.3 through 14.139.20), May 2023 Patch 15 (14.129.3 through 14.129.22), February 2023 Patch 13 (14.113.1 through 14.113.18), November 2022 Patch 13 (14.97.2 through 14.97.18), August 2022 Patch 16 (14.78.3 through 14.78.23), and May 2022 Patch 17 (14.67.7 through 14.67.31). This has been fixed in May 2024 (14.187.4), February 2024 Patch 4 (14.173.8), November 2023 Patch 9 (14.159.14), August 2023 Patch 14 (14.139.21), May 2023 Patch 16 (14.129.23), February 2023 Patch 14 (14.113.19), November 2022 Patch 14 (14.97.19), August 2022 Patch 17 (14.78.25), and May 2022 Patch 18 (14.67.34).
References: https://community.qlik.com/t5/Official-Support-Articles/High-Severity-Security-fixes-for-Qlik-Sense-Enterprise-for/ta-p/2452509
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
11. CVE-2024-20360
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. This vulnerability exists because the web-based management interface does not adequately validate user input. An attacker could exploit this vulnerability by authenticating to the application and sending crafted SQL queries to an affected system. A successful exploit could allow the attacker to obtain any data from the database, execute arbitrary commands on the underlying operating system, and elevate privileges to root. To exploit this vulnerability, an attacker would need at least Read Only user credentials.
References: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-sqli-WFFDnNOs
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
12. CVE-2023-51636
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description: Avira Prime Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Avira Prime. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the Avira Spotlight Service. By creating a symbolic link, an attacker can abuse the service to delete a file. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-21600.
References: https://www.zerodayinitiative.com/advisories/ZDI-24-469/
CWE-ID: CWE-59
Common Platform Enumerations (CPE): Not Found
13. CVE-2023-51637
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: Sante PACS Server PG Patient Query SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Sante PACS Server PG. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the implementation of the DICOM service, which listens on TCP port 11122 by default. When parsing the NAME element of the PATIENT record, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of NETWORK SERVICE. Was ZDI-CAN-21579.
References: https://www.zerodayinitiative.com/advisories/ZDI-24-468/
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
14. CVE-2024-27264
Base Score: 7.4
Base Severity: HIGH
Exploitability Score: 1.4
Impact Score: 5.9
Description: IBM Performance Tools for i 7.2, 7.3, 7.4, and 7.5 could allow a local user to gain elevated privileges due to an unqualified library call. A malicious actor could cause user-controlled code to run with administrator privilege. IBM X-Force ID: 284563.
References: https://exchange.xforce.ibmcloud.com/vulnerabilities/284563
https://www.ibm.com/support/pages/node/7154595
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
15. CVE-2024-4267
Base Score: 8.4
Base Severity: HIGH
Exploitability Score: 2.5
Impact Score: 5.9
Description: A remote code execution (RCE) vulnerability exists in the parisneo/lollms-webui, specifically within the 'open_file' module, version 9.5. The vulnerability arises due to improper neutralization of special elements used in a command within the 'open_file' function. An attacker can exploit this vulnerability by crafting a malicious file path that, when processed by the 'open_file' function, executes arbitrary system commands or reads sensitive file content. This issue is present in the code where subprocess.Popen is used unsafely to open files based on user-supplied paths without adequate validation, leading to potential command injection.
References: https://huntr.com/bounties/5a127724-cc13-4ea6-b81f-41546a7fff81
CWE-ID: CWE-77
Common Platform Enumerations (CPE): Not Found
16. CVE-2024-4453
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description: GStreamer EXIF Metadata Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.
The specific flaw exists within the parsing of EXIF metadata. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the current process.
. Was ZDI-CAN-23896.
References: https://gitlab.freedesktop.org/tpm/gstreamer/-/commit/e68eccff103ab0e91e6d77a892f57131b33902f5
https://www.zerodayinitiative.com/advisories/ZDI-24-467/
CWE-ID: CWE-190
Common Platform Enumerations (CPE): Not Found
17. CVE-2024-4454
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 1.3
Impact Score: 5.9
Description: WithSecure Elements Endpoint Protection Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of WithSecure Elements Endpoint Protection. User interaction on the part of an administrator is required to exploit this vulnerability.
The specific flaw exists within the WithSecure plugin hosting service. By creating a symbolic link, an attacker can abuse the service to create a file. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-23035.
References: https://www.zerodayinitiative.com/advisories/ZDI-24-491/
CWE-ID: CWE-59
Common Platform Enumerations (CPE): Not Found
18. CVE-2024-29849
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: Veeam Backup Enterprise Manager allows unauthenticated users to log in as any user to enterprise manager web interface.
References: https://veeam.com/kb4581
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
19. CVE-2024-29850
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: Veeam Backup Enterprise Manager allows account takeover via NTLM relay.
References: https://veeam.com/kb4581
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
20. CVE-2024-29851
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 1.2
Impact Score: 5.9
Description: Veeam Backup Enterprise Manager allows high-privileged users to steal NTLM hash of Enterprise manager service account.
References: https://veeam.com/kb4581
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
21. CVE-2024-29853
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description: An authentication bypass vulnerability in Veeam Agent for Microsoft Windows allows for local privilege escalation.
References: https://veeam.com/kb4582
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
This edition of the AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in National Vulnerability Database between May 22-23, 2024.
During this period, The National Vulnerability Database published 183, and these new Common Vulnerabilities and Exposures (CVEs) are classified as follows:
Critical: 5
High: 16
Medium: 48
Low: 1
Severity Not Assigned: 113
Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.
1. CVE-2024-3518
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: The Media Library Assistant plugin for WordPress is vulnerable to SQL Injection via the plugin's shortcode(s) in all versions up to, and including, 3.15 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor access or higher, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References: https://plugins.trac.wordpress.org/browser/media-library-assistant/trunk/includes/class-mla-shortcode-custom-list.php#L1971
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3069819%40media-library-assistant%2Ftrunk&old=3060779%40media-library-assistant%2Ftrunk&sfp_email=&sfph_mail=#file3
https://www.wordfence.com/threat-intel/vulnerabilities/id/a7af1a03-8382-4593-a41f-8cdb1bb9e53b?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
2. CVE-2024-4443
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: The Business Directory Plugin – Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the ‘listingfields’ parameter in all versions up to, and including, 6.4.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References: https://plugins.trac.wordpress.org/browser/business-directory-plugin/trunk/includes/fields/class-fieldtypes-select.php#L110
https://plugins.trac.wordpress.org/changeset/3089626/
https://www.wordfence.com/threat-intel/vulnerabilities/id/982fb304-08d6-4195-97a3-f18e94295492?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
3. CVE-2024-2088
Base Score: 8.5
Base Severity: HIGH
Exploitability Score: 3.1
Impact Score: 4.7
Description: The NextScripts: Social Networks Auto-Poster plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.4.3 via the 'nxs_getExpSettings' function. This makes it possible for authenticated attackers, with subscriber access and above, to extract sensitive data including social network API keys and secrets.
References: https://plugins.trac.wordpress.org/browser/social-networks-auto-poster-facebook-twitter-g/trunk/inc/nxs_functions_wp.php#L620
https://plugins.trac.wordpress.org/changeset/3084635/social-networks-auto-poster-facebook-twitter-g/trunk/inc/nxs_functions_wp.php?contextall=1
https://www.wordfence.com/threat-intel/vulnerabilities/id/70724bc7-c1f4-4965-8bba-99b2ed21d34b?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
4. CVE-2024-4157
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 1.6
Impact Score: 5.9
Description: The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.1.15 via deserialization of untrusted input in the extractDynamicValues function. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. Successful exploitation requires the attacker to have "View Form" and "Manage Form" permissions, which must be explicitly set by an administrator. However, this requirement can be bypassed when this vulnerability is chained with CVE-2024-2771.
References: https://plugins.trac.wordpress.org/changeset/3081740/fluentform
https://www.wordfence.com/threat-intel/vulnerabilities/id/8def156a-f2f2-4640-a1c9-c21c74e1f308?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
5. CVE-2024-5147
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: The WPZOOM Addons for Elementor (Templates, Widgets) plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1.37 via the 'grid_style' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
References: https://plugins.trac.wordpress.org/browser/wpzoom-elementor-addons/trunk/includes/wpzoom-elementor-ajax-posts-grid.php#L105
https://plugins.trac.wordpress.org/browser/wpzoom-elementor-addons/trunk/includes/wpzoom-elementor-ajax-posts-grid.php#L112
https://plugins.trac.wordpress.org/changeset/3090236#file6
https://www.wordfence.com/threat-intel/vulnerabilities/id/f006bb33-d017-445b-9c02-bd848c199671?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
6. CVE-2024-3495
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' parameters in versions up to, and including, 2.7.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References: https://plugins.trac.wordpress.org/browser/country-state-city-auto-dropdown/trunk/includes/ajax-actions.php#L22
https://plugins.trac.wordpress.org/browser/country-state-city-auto-dropdown/trunk/includes/ajax-actions.php#L8
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3089374%40country-state-city-auto-dropdown%2Ftrunk&old=3068802%40country-state-city-auto-dropdown%2Ftrunk&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/17dcacaf-0e2a-4bef-b944-fb7e43d25777?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
7. CVE-2024-5031
Base Score: 8.5
Base Severity: HIGH
Exploitability Score: 3.1
Impact Score: 4.7
Description: The Memberpress plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 1.11.29 via the 'mepr-user-file' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
References: https://memberpress.com/change-log/
https://www.wordfence.com/threat-intel/vulnerabilities/id/80064e3b-6996-49eb-a475-0ffe0e894f9e?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
8. CVE-2024-4262
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 2.7
Description: The Piotnet Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 2.4.28 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
References: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3088562%40piotnet-addons-for-elementor&old=3048934%40piotnet-addons-for-elementor&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/812cc8f1-f89e-47c4-b029-f6a3dbc55d70?source=cve
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
9. CVE-2023-20239
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. This vulnerability exists because the web-based management interface does not adequately validate user input. An attacker could exploit this vulnerability by authenticating to the application and sending crafted SQL queries to an affected system. A successful exploit could allow the attacker to obtain any data from the database, execute arbitrary commands on the underlying operating system, and elevate privileges to root. To exploit this vulnerability, an attacker would need at least Read Only user credentials.
References: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-sqli-WFFDnNOs
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
10. CVE-2024-36077
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: Qlik Sense Enterprise for Windows before 14.187.4 allows a remote attacker to elevate their privilege due to improper validation. The attacker can elevate their privilege to the internal system role, which allows them to execute commands on the server. This affects February 2024 Patch 3 (14.173.3 through 14.173.7), November 2023 Patch 8 (14.159.4 through 14.159.13), August 2023 Patch 13 (14.139.3 through 14.139.20), May 2023 Patch 15 (14.129.3 through 14.129.22), February 2023 Patch 13 (14.113.1 through 14.113.18), November 2022 Patch 13 (14.97.2 through 14.97.18), August 2022 Patch 16 (14.78.3 through 14.78.23), and May 2022 Patch 17 (14.67.7 through 14.67.31). This has been fixed in May 2024 (14.187.4), February 2024 Patch 4 (14.173.8), November 2023 Patch 9 (14.159.14), August 2023 Patch 14 (14.139.21), May 2023 Patch 16 (14.129.23), February 2023 Patch 14 (14.113.19), November 2022 Patch 14 (14.97.19), August 2022 Patch 17 (14.78.25), and May 2022 Patch 18 (14.67.34).
References: https://community.qlik.com/t5/Official-Support-Articles/High-Severity-Security-fixes-for-Qlik-Sense-Enterprise-for/ta-p/2452509
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
11. CVE-2024-20360
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. This vulnerability exists because the web-based management interface does not adequately validate user input. An attacker could exploit this vulnerability by authenticating to the application and sending crafted SQL queries to an affected system. A successful exploit could allow the attacker to obtain any data from the database, execute arbitrary commands on the underlying operating system, and elevate privileges to root. To exploit this vulnerability, an attacker would need at least Read Only user credentials.
References: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-sqli-WFFDnNOs
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
12. CVE-2023-51636
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description: Avira Prime Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Avira Prime. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the Avira Spotlight Service. By creating a symbolic link, an attacker can abuse the service to delete a file. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-21600.
References: https://www.zerodayinitiative.com/advisories/ZDI-24-469/
CWE-ID: CWE-59
Common Platform Enumerations (CPE): Not Found
13. CVE-2023-51637
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: Sante PACS Server PG Patient Query SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Sante PACS Server PG. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the implementation of the DICOM service, which listens on TCP port 11122 by default. When parsing the NAME element of the PATIENT record, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of NETWORK SERVICE. Was ZDI-CAN-21579.
References: https://www.zerodayinitiative.com/advisories/ZDI-24-468/
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
14. CVE-2024-27264
Base Score: 7.4
Base Severity: HIGH
Exploitability Score: 1.4
Impact Score: 5.9
Description: IBM Performance Tools for i 7.2, 7.3, 7.4, and 7.5 could allow a local user to gain elevated privileges due to an unqualified library call. A malicious actor could cause user-controlled code to run with administrator privilege. IBM X-Force ID: 284563.
References: https://exchange.xforce.ibmcloud.com/vulnerabilities/284563
https://www.ibm.com/support/pages/node/7154595
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
15. CVE-2024-4267
Base Score: 8.4
Base Severity: HIGH
Exploitability Score: 2.5
Impact Score: 5.9
Description: A remote code execution (RCE) vulnerability exists in the parisneo/lollms-webui, specifically within the 'open_file' module, version 9.5. The vulnerability arises due to improper neutralization of special elements used in a command within the 'open_file' function. An attacker can exploit this vulnerability by crafting a malicious file path that, when processed by the 'open_file' function, executes arbitrary system commands or reads sensitive file content. This issue is present in the code where subprocess.Popen is used unsafely to open files based on user-supplied paths without adequate validation, leading to potential command injection.
References: https://huntr.com/bounties/5a127724-cc13-4ea6-b81f-41546a7fff81
CWE-ID: CWE-77
Common Platform Enumerations (CPE): Not Found
16. CVE-2024-4453
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description: GStreamer EXIF Metadata Parsing Integer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.
The specific flaw exists within the parsing of EXIF metadata. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow before allocating a buffer. An attacker can leverage this vulnerability to execute code in the context of the current process.
. Was ZDI-CAN-23896.
References: https://gitlab.freedesktop.org/tpm/gstreamer/-/commit/e68eccff103ab0e91e6d77a892f57131b33902f5
https://www.zerodayinitiative.com/advisories/ZDI-24-467/
CWE-ID: CWE-190
Common Platform Enumerations (CPE): Not Found
17. CVE-2024-4454
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 1.3
Impact Score: 5.9
Description: WithSecure Elements Endpoint Protection Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of WithSecure Elements Endpoint Protection. User interaction on the part of an administrator is required to exploit this vulnerability.
The specific flaw exists within the WithSecure plugin hosting service. By creating a symbolic link, an attacker can abuse the service to create a file. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-23035.
References: https://www.zerodayinitiative.com/advisories/ZDI-24-491/
CWE-ID: CWE-59
Common Platform Enumerations (CPE): Not Found
18. CVE-2024-29849
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: Veeam Backup Enterprise Manager allows unauthenticated users to log in as any user to enterprise manager web interface.
References: https://veeam.com/kb4581
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
19. CVE-2024-29850
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: Veeam Backup Enterprise Manager allows account takeover via NTLM relay.
References: https://veeam.com/kb4581
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
20. CVE-2024-29851
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 1.2
Impact Score: 5.9
Description: Veeam Backup Enterprise Manager allows high-privileged users to steal NTLM hash of Enterprise manager service account.
References: https://veeam.com/kb4581
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
21. CVE-2024-29853
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description: An authentication bypass vulnerability in Veeam Agent for Microsoft Windows allows for local privilege escalation.
References: https://veeam.com/kb4582
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found