Description The All-in-One Addons for Elementor – WidgetKit plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.4.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated....
5.9AI Score
0.0004EPSS
Thim Elementor Kit < 1.1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The Thim Elementor Kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to...
5.9AI Score
0.0004EPSS
Huawei EulerOS: Security Advisory for curl (EulerOS-SA-2024-1647)
The remote host is missing an update for the Huawei...
7.1AI Score
0.001EPSS
Easy Affiliate Links < 3.7.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The Easy Affiliate Links plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.7.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to....
5.9AI Score
0.0004EPSS
Description The Magical Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to 1.1.35 (exclusive) due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with...
5.9AI Score
0.0004EPSS
Description The Content Blocks (Custom Post Widget) plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
5.9AI Score
0.0004EPSS
Huawei EulerOS: Security Advisory for samba (EulerOS-SA-2024-1665)
The remote host is missing an update for the Huawei...
7.2AI Score
0.027EPSS
Aiomatic < 1.9.4 - Missing Authorization
Description The Aiomatic plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.9.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized...
6.7AI Score
K000139646: MySQL Server vulnerabilities CVE-2024-21052 and CVE-2024-21053
Security Advisory Description Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.34 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise...
5.7AI Score
0.0004EPSS
canvasio3D Light <= 2.5.0 - Authenticated (Subscriber+) Arbitrary File Upload
Description The canvasio3D Light plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 2.5.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on...
8AI Score
0.0004EPSS
Better Elementor Addons < 1.4.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The Better Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.4.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above,....
5.9AI Score
0.0004EPSS
Move Addons for Elementor < 1.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The Move Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with...
5.9AI Score
0.0004EPSS
Gold Addons for Elementor < 1.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The Gold Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.2.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with...
5.9AI Score
0.0004EPSS
raindrops < 1.700 - Authenticated (Contributor+) Stored Cross-Site Scripting
Description The raindrops theme for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.600 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level.....
5.9AI Score
0.0004EPSS
AI Engine: ChatGPT Chatbot < 2.2.70 - Authenticated (Editor+) Arbitrary File Upload
Description The AI Engine plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 2.2.63. This makes it possible for authenticated attackers, with Editor-level access and above, to upload arbitrary files on the affected....
8AI Score
0.0004EPSS
Releases Ubuntu 16.04 ESM Ubuntu 14.04 ESM Packages linux - Linux kernel linux-aws - Linux kernel for Amazon Web Services (AWS) systems linux-kvm - Linux kernel for cloud environments linux-lts-xenial - Linux hardware enablement kernel from Xenial for Trusty Details Zheng Wang discovered that...
5.9AI Score
0.0004EPSS
K000139654: Intel oneAPI vulnerabilities CVE-2023-24592 and CVE-2023-27383
Security Advisory Description CVE-2023-24592 Path traversal in the some Intel(R) oneAPI Toolkits and Component software before version 2023.1 may allow authenticated user to potentially enable escalation of privilege via local access. CVE-2023-27383 Protection mechanism failure in some...
6.5AI Score
0.0004EPSS
Huawei EulerOS: Security Advisory for gdb (EulerOS-SA-2024-1648)
The remote host is missing an update for the Huawei...
7.1AI Score
0.001EPSS
Magento Patch SUPEE-10752 - Multiple security enhancements vulnerabilities
Magento Commerce 1.14.3.9 and Open Source 1.9.3.9 bring essential security enhancements with Patch SUPEE-10752. These updates address various vulnerabilities, including authenticated Admin user remote code execution (RCE), cross-site request forgery (CSRF), and more. Key Security Improvements: ...
8.8AI Score
Magento Patch SUPEE-10752 - Multiple security enhancements vulnerabilities
Magento Commerce 1.14.3.9 and Open Source 1.9.3.9 bring essential security enhancements with Patch SUPEE-10752. These updates address various vulnerabilities, including authenticated Admin user remote code execution (RCE), cross-site request forgery (CSRF), and more. Key Security Improvements: ...
8.8AI Score
Data Leakage Vulnerability in livewire/livewire
livewire/livewire versions greater than 2.2.4 and less than 2.2.6 are affected by a data leakage vulnerability. The $this->validate() method, which is expected to return only the validated dataset, was returning all properties of the Livewire component. This regression introduced a security risk...
7AI Score
Paperless-ngx is a document management system that transforms physical documents into a searchable online archive. Starting in version 2.5.0 and prior to version 2.8.6, remote user authentication allows API access even if API access is explicitly disabled. Version 2.8.6 contains a patchc for the...
6.9AI Score
0.0004EPSS
wolfictl is a command line tool for working with Wolfi. A git authentication issue in versions prior to 0.16.10 allows a local user’s GitHub token to be sent to remote servers other than github.com. Most git-dependent functionality in wolfictl relies on its own git package, which contains...
4.4CVSS
7.7AI Score
0.0004EPSS
wolfictl is a command line tool for working with Wolfi. A git authentication issue in versions prior to 0.16.10 allows a local user’s GitHub token to be sent to remote servers other than github.com. Most git-dependent functionality in wolfictl relies on its own git package, which contains...
6.9AI Score
0.0004EPSS
Paperless-ngx is a document management system that transforms physical documents into a searchable online archive. Starting in version 2.5.0 and prior to version 2.8.6, remote user authentication allows API access even if API access is explicitly disabled. Version 2.8.6 contains a patchc for the...
5.5CVSS
7.4AI Score
0.0004EPSS
Read private customer data reclaiming carts in Klaviyo Magento
A researcher identified an endpoint in a thirth party module Klaviyo Magento 2 which allows to read private customer data from stores. It works by reclaiming any guest-cart as your own and reading the private data for the orders in the Magento...
6.9AI Score
eZ Platform User data disclosure
In eZ Platform v2.3.x it is possible to bypass permission checks in a particular case. This means user data such as name and email (but not passwords or password hashes) can be read by unauthenticated users. This affects only v2.3.x. If you use v2.2.x or older you are not affected. To install, use....
7.3AI Score
Ez Platform Object Injection in legacy shop module
This Security Advisory is about a vulnerability in the Legacy shop module. A backend editor could perform object injection in discount rules. This would require backend access and permission to edit discount rules. While object injection in itself is a serious vulnerability, the permission...
7.2AI Score
Ez Platform Object Injection in legacy shop module
This Security Advisory is about a vulnerability in the Legacy shop module. A backend editor could perform object injection in discount rules. This would require backend access and permission to edit discount rules. While object injection in itself is a serious vulnerability, the permission...
7.2AI Score
EZsystems Remote code execution in file uploads
This Security Advisory is about a vulnerability in the way eZ Platform and eZ Publish Legacy handles file uploads, which can in the worst case lead to remote code execution (RCE), a very serious threat. An attacker would need access to uploading files to be able to exploit the vulnerability, so if....
7.9AI Score
EZsystems Remote code execution in file uploads
This Security Advisory is about a vulnerability in the way eZ Platform and eZ Publish Legacy handles file uploads, which can in the worst case lead to remote code execution (RCE), a very serious threat. An attacker would need access to uploading files to be able to exploit the vulnerability, so if....
7.9AI Score
Ez Platform and Legacy are prone to an insecure interpretation of PHP/PHAR uploads
The eZ Platform and Legacy are affected by an issue related to how uploaded PHP and PHAR files are handled, and consists of two parts: 1. Web server configuration, and 2. Disabling the PHAR stream wrapper. 1. WEB SERVER CONFIGURATION The sample web server configuration in our documentation can in.....
7.5AI Score
Ez Platform and Legacy are prone to an insecure interpretation of PHP/PHAR uploads
The eZ Platform and Legacy are affected by an issue related to how uploaded PHP and PHAR files are handled, and consists of two parts: 1. Web server configuration, and 2. Disabling the PHAR stream wrapper. 1. WEB SERVER CONFIGURATION The sample web server configuration in our documentation can in.....
7.5AI Score
eZ Publish Legacy Passwordless login for LDAP users
This security advisory fixes a vulnerability in eZ Publish Legacy, and we recommend that you install it as soon as possible if you are using Legacy. Installations that are using the legacy LDAP login handler or the TextFile login handler in combination with the standard legacy login handler, may...
7.1AI Score
eZ Publish Legacy Passwordless login for LDAP users
This security advisory fixes a vulnerability in eZ Publish Legacy, and we recommend that you install it as soon as possible if you are using Legacy. Installations that are using the legacy LDAP login handler or the TextFile login handler in combination with the standard legacy login handler, may...
7.1AI Score
CVE-2024-35184 paperless-ngx's remote user auth via header works even when disabling it for API
Paperless-ngx is a document management system that transforms physical documents into a searchable online archive. Starting in version 2.5.0 and prior to version 2.8.6, remote user authentication allows API access even if API access is explicitly disabled. Version 2.8.6 contains a patchc for the...
5.5AI Score
0.0004EPSS
CVE-2024-35183 wolfictl leaks GitHub tokens to remote non-GitHub git servers
wolfictl is a command line tool for working with Wolfi. A git authentication issue in versions prior to 0.16.10 allows a local user’s GitHub token to be sent to remote servers other than github.com. Most git-dependent functionality in wolfictl relies on its own git package, which contains...
5.1AI Score
0.0004EPSS
eZ Publish Information disclosure in backend content tree menu
This security advisory fixes an information disclosure vulnerability in the legacy admin content tree menu. If a view has been disabled in site.ini [SiteAccessRules] Rules, and an attacker accesses the backend with the URL to this module, then the tree menu may be displayed. Since the tree menu...
6.6AI Score
eZ Publish Remote code execution in file uploads
This Security Advisory is about a vulnerability in the way eZ Platform and eZ Publish Legacy handles file uploads, which can in the worst case lead to remote code execution (RCE), a very serious threat. An attacker would need access to uploading files to be able to exploit the vulnerability, so if....
7.9AI Score
eZ Publish Remote code execution in file uploads
This Security Advisory is about a vulnerability in the way eZ Platform and eZ Publish Legacy handles file uploads, which can in the worst case lead to remote code execution (RCE), a very serious threat. An attacker would need access to uploading files to be able to exploit the vulnerability, so if....
7.9AI Score
eZ Platform REST API returns list of all SiteAccesses
This security advisory fixes a vulnerability in eZ Platform, and we recommend that you install it as soon as possible. The issue is that the REST API may be made to disclose the names of all available site accesses. The severity of this depends on your installation, please consider your response...
6.7AI Score
eZ Platform Rules to disable executable access are ignored on Platform.sh (eZ Cloud)
The recommended Apache/Nginx virtual host configuration for eZ Platform includes a rewrite rule for blocking access to executable files in the var directory. This rule does not work when using eZ Platform Cloud (i.e. running eZ Platform on the Platform.sh cloud service). The consequence of this is....
7.1AI Score
eZ Platform Rules to disable executable access are ignored on Platform.sh (eZ Cloud)
The recommended Apache/Nginx virtual host configuration for eZ Platform includes a rewrite rule for blocking access to executable files in the var directory. This rule does not work when using eZ Platform Cloud (i.e. running eZ Platform on the Platform.sh cloud service). The consequence of this is....
7.1AI Score
Insufficient verification of data authenticity in the installer for Zoom Workplace VDI App for Windows may allow an authenticated user to conduct an escalation of privilege via local...
6.7CVSS
7.5AI Score
0.0004EPSS
A vulnerability was found in Campcodes Complete Web-Based School Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /view/student_exam_mark_update_form.php. The manipulation of the argument exam leads to sql injection. The attack.....
6.3CVSS
7.9AI Score
0.0004EPSS
Buffer overflow in some Zoom Workplace Apps and SDK’s may allow an authenticated user to conduct a denial of service via network...
6.5CVSS
7.4AI Score
0.0004EPSS
ezsystems/ez-support-tools Failing access control in system info view
This Security Advisory is about a vulnerability in ezsystems/ez-support-tools v2.2, part of Ibexa DXP v3.2. Older versions are not affected. A user having insufficient permissions is able to access the system information tabs if they type in the direct link (the link is not shown in the menu). The....
6.7AI Score
ezsystems/ez-support-tools Failing access control in system info view
This Security Advisory is about a vulnerability in ezsystems/ez-support-tools v2.2, part of Ibexa DXP v3.2. Older versions are not affected. A user having insufficient permissions is able to access the system information tabs if they type in the direct link (the link is not shown in the menu). The....
6.7AI Score
endroid/qr-code-bundle File Disclosure via logo_path query parameter
Versions of endroid/qr-code-bundle prior to 3.4.2 are affected by a security vulnerability that allows disclosure of files through the logo_path query parameter. The vulnerability arises from the improper handling of non-image data as the logo, which could lead to unintended file...
6.8AI Score
Drupal Cross-Site Scripting (XSS) affecting CKEditor Third-party library
The Drupal project uses the CKEditor, library for WYSIWYG editing. CKEditor has released a security update that impacts Drupal. Vulnerabilities are possible if Drupal is configured to allow use of the CKEditor library for WYSIWYG editing. An attacker that can create or edit content (even without...
6.3AI Score