Missing Authorization vulnerability in Ovic Team Ovic Addon Toolkit.This issue affects Ovic Addon Toolkit: from n/a through...
4.3CVSS
6.8AI Score
0.0004EPSS
CVE-2024-32432 WordPress Ovic Addon Toolkit plugin <= 2.6.1 - Broken Access Control vulnerability
Missing Authorization vulnerability in Ovic Team Ovic Addon Toolkit.This issue affects Ovic Addon Toolkit: from n/a through...
4.3CVSS
5AI Score
0.0004EPSS
Cross-Site Request Forgery (CSRF) vulnerability in Cozmoslabs Paid Member Subscriptions.This issue affects Paid Member Subscriptions: from n/a through...
4.3CVSS
4.6AI Score
0.0004EPSS
Cross-Site Request Forgery (CSRF) vulnerability in Cozmoslabs Paid Member Subscriptions.This issue affects Paid Member Subscriptions: from n/a through...
4.3CVSS
6.8AI Score
0.0004EPSS
Cross-Site Request Forgery (CSRF) vulnerability in Cozmoslabs Paid Member Subscriptions.This issue affects Paid Member Subscriptions: from n/a through...
4.3CVSS
4.9AI Score
0.0004EPSS
Cross-Site Request Forgery (CSRF) vulnerability in Cozmoslabs Paid Member Subscriptions.This issue affects Paid Member Subscriptions: from n/a through...
4.3CVSS
7AI Score
0.0004EPSS
Cross-Site Request Forgery (CSRF) vulnerability in Webangon The Pack Elementor addons allows Cross-Site Scripting (XSS).This issue affects The Pack Elementor addons: from n/a through...
7.1CVSS
6.6AI Score
0.0004EPSS
Cross-Site Request Forgery (CSRF) vulnerability in Webangon The Pack Elementor addons allows Cross-Site Scripting (XSS).This issue affects The Pack Elementor addons: from n/a through...
7.1CVSS
6.7AI Score
0.0004EPSS
Cross-Site Request Forgery (CSRF) vulnerability in Webangon The Pack Elementor addons allows Cross-Site Scripting (XSS).This issue affects The Pack Elementor addons: from n/a through...
7.1CVSS
6.8AI Score
0.0004EPSS
Major Security Flaws Expose Keystrokes of Over 1 Billion Chinese Keyboard App Users
Security vulnerabilities uncovered in cloud-based pinyin keyboard apps could be exploited to reveal users' keystrokes to nefarious actors. The findings come from the Citizen Lab, which discovered weaknesses in eight of nine apps from vendors like Baidu, Honor, iFlytek, OPPO, Samsung, Tencent,...
7.2AI Score
Server-Side Request Forgery (SSRF) vulnerability in Webangon The Pack Elementor.This issue affects The Pack Elementor addons: from n/a through...
4.9CVSS
6.8AI Score
0.0004EPSS
Server-Side Request Forgery (SSRF) vulnerability in Webangon The Pack Elementor.This issue affects The Pack Elementor addons: from n/a through...
4.9CVSS
5.2AI Score
0.0004EPSS
Server-Side Request Forgery (SSRF) vulnerability in Webangon The Pack Elementor.This issue affects The Pack Elementor addons: from n/a through...
4.9CVSS
7AI Score
0.0004EPSS
Server-Side Request Forgery (SSRF) vulnerability in Webangon The Pack Elementor.This issue affects The Pack Elementor addons: from n/a through...
4.9CVSS
5.5AI Score
0.0004EPSS
Missing Authorization vulnerability in Repute Infosystems ARMember.This issue affects ARMember: from n/a through...
9.1CVSS
6.8AI Score
0.0004EPSS
Missing Authorization vulnerability in Repute Infosystems ARMember.This issue affects ARMember: from n/a through...
9.1CVSS
9.3AI Score
0.0004EPSS
Missing Authorization vulnerability in Repute Infosystems ARMember.This issue affects ARMember: from n/a through...
9.1CVSS
9.4AI Score
0.0004EPSS
eScan Antivirus Update Mechanism Exploited to Spread Backdoors and Miners
A new malware campaign has been exploiting the updating mechanism of the eScan antivirus software to distribute backdoors and cryptocurrency miners like XMRig through a long-standing threat codenamed GuptiMiner targeting large corporate networks. Cybersecurity firm Avast said the activity is the...
7.2AI Score
CoralRaider Malware Campaign Exploits CDN Cache to Spread Info-Stealers
A new ongoing malware campaign has been observed distributing three different stealers, such as CryptBot, LummaC2, and Rhadamanthys hosted on Content Delivery Network (CDN) cache domains since at least February 2024. Cisco Talos has attributed the activity with moderate confidence to a threat...
7.3AI Score
Description The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the rtcl_fb_gallery_image_delete AJAX action in all versions up to, and including, 3.0.10.3. This makes it possible...
5.3CVSS
6.8AI Score
0.0004EPSS
Oracle Linux 9 : golang (ELSA-2024-1963)
The remote Oracle Linux 9 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2024-1963 advisory. An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK...
6.1AI Score
0.0004EPSS
RHEL 7 : openstack-swift (RHSA-2015:1681)
The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2015:1681 advisory. OpenStack Object Storage (swift) provides object storage in virtual containers, which allows users to store and retrieve files (arbitrary ...
6AI Score
0.004EPSS
Oracle Linux 8 : go-toolset:ol8 (ELSA-2024-1962)
The remote Oracle Linux 8 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2024-1962 advisory. An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK...
6AI Score
0.0004EPSS
Simple Membership < 4.4.4 - Authenticated(Contributor+) Stored Cross-Site Scripting via Shortcode
Description The Simple Membership plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'swpm_paypal_subscription_cancel_link' shortcode in all versions up to, and including, 4.4.3 due to insufficient input sanitization and output escaping on user supplied attributes......
5.4CVSS
5.9AI Score
0.0004EPSS
Fedora 38 : xorg-x11-server-Xwayland (2024-1706127797)
The remote Fedora 38 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-1706127797 advisory. A heap-based buffer over-read vulnerability was found in the X.org server's ProcXIGetSelectedEvents() function. This issue occurs when...
7.8CVSS
8AI Score
0.0005EPSS
RHEL 7 : openstack-swift (RHSA-2014:0941)
The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2014:0941 advisory. OpenStack Object Storage (Swift) provides object storage in virtual containers, which allows users to store and retrieve files (arbitrary ...
5.9AI Score
0.003EPSS
Fedora 39 : xorg-x11-server-Xwayland (2024-5af98298c7)
The remote Fedora 39 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-5af98298c7 advisory. A heap-based buffer over-read vulnerability was found in the X.org server's ProcXIGetSelectedEvents() function. This issue occurs when...
7.8CVSS
7.3AI Score
0.0005EPSS
Suspected CoralRaider continues to expand victimology using three information stealers
_By Joey Chen, Chetan Raghuprasad and Alex Karkins. _ Cisco Talos discovered a new ongoing campaign since at least February 2024, operated by a threat actor distributing three famous infostealer malware, including Cryptbot, LummaC2 and Rhadamanthys. Talos also discovered a new PowerShell...
8.2AI Score
RHEL 8 : Red Hat OpenStack Platform 16.2 (etcd) (RHSA-2023:3445)
The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2023:3445 advisory. A highly-available key value store for shared configuration Security Fix(es): * Information discosure via debug function (CVE-2021-28235) ...
9.8CVSS
8.5AI Score
0.024EPSS
Debian dsa-5669 : guix - security update
The remote Debian 11 / 12 host has a package installed that is affected by a vulnerability as referenced in the dsa-5669 advisory. Nix is a package manager for Linux and other Unix systems. A fixed-output derivations on Linux can send file descriptors to files in the Nix store to another...
6.3CVSS
6.3AI Score
0.0004EPSS
Open Close WooCommerce Store < 4.9.2 - Missing Authorization
Description The Open Close WooCommerce Store – Best Business Schedules Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_switch_active and ajax_update_timezone functions in all versions up to, and including, 4.9.1. This...
4.3CVSS
4.4AI Score
0.0004EPSS
RHEL 9 : Red Hat OpenStack Platform 17.1.1 (RHSA-2023:5969)
The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:5969 advisory. The etcd packages provide a highly available key-value store for shared configuration. Security Fix(es): * golang: net/http, x/net/http2:...
7.5CVSS
8.9AI Score
0.732EPSS
Russian FSB Counterintelligence Chief Gets 9 Years in Cybercrime Bribery Scheme
The head of counterintelligence for a division of the Russian Federal Security Service (FSB) was sentenced last week to nine years in a penal colony for accepting a USD $1.7 million bribe to ignore the activities of a prolific Russian cybercrime group that hacked thousands of e-commerce websites......
6.8AI Score
Cross-Site Scripting (XSS) vulnerability in the Holded application. This vulnerability could allow an attacker to store a JavaScript payload within all editable parameters within the 'General' and 'Team ID' functionalities, which could result in a session...
4.6CVSS
5.7AI Score
0.0004EPSS
Cross-Site Scripting (XSS) vulnerability in the Holded application. This vulnerability could allow an attacker to store a JavaScript payload within all editable parameters within the 'General' and 'Team ID' functionalities, which could result in a session...
4.6CVSS
4.5AI Score
0.0004EPSS
CVE-2024-4026 Cross-Site Scripting in the Holded application
Cross-Site Scripting (XSS) vulnerability in the Holded application. This vulnerability could allow an attacker to store a JavaScript payload within all editable parameters within the 'General' and 'Team ID' functionalities, which could result in a session...
4.6CVSS
5.7AI Score
0.0004EPSS
CVE-2024-4026 Cross-Site Scripting in the Holded application
Cross-Site Scripting (XSS) vulnerability in the Holded application. This vulnerability could allow an attacker to store a JavaScript payload within all editable parameters within the 'General' and 'Team ID' functionalities, which could result in a session...
4.6CVSS
4.7AI Score
0.0004EPSS
Ransomware Double-Dip: Re-Victimization in Cyber Extortion
**Between crossovers - Do threat actors play dirty or desperate? ** In our dataset of over 11,000 victim organizations that have experienced a Cyber Extortion / Ransomware attack, we noticed that some victims re-occur. Consequently, the question arises why we observe a re-victimization and whether....
6.8AI Score
ToddyCat is making holes in your infrastructure
We continue covering the activities of the APT group ToddyCat. In our previous article, we described tools for collecting and exfiltrating files (LoFiSe and PcExter). This time, we have investigated how attackers obtain constant access to compromised infrastructure, what information on the hosts...
7.6AI Score
Automattic: Authentication & Registration Bypass in Newspack Extended Access
Summary: The Newspack Extended Access plugin omits to validate JWT signing on the registration and login JSON endpoint. This permits registration of accounts with arbitrary (user-supplied) details, and auth bypass and account hijack if a target account email is known. Platform(s) Affected: Any...
7.6AI Score
RHEL 7 : python-django (RHSA-2015:1894)
The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2015:1894 advisory. Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as...
6.5AI Score
0.024EPSS
Palo Alto Networks Discloses More Details on Critical PAN-OS Flaw Under Attack
Palo Alto Networks has shared more details of a critical security flaw impacting PAN-OS that has come under active exploitation in the wild by malicious actors. The company described the vulnerability, tracked as CVE-2024-3400 (CVSS score: 10.0), as "intricate" and a combination of two bugs in...
10CVSS
7.9AI Score
0.957EPSS
What’s the deal with the massive backlog of vulnerabilities at the NVD?
The National Vulnerability Database is usually the single source of truth for all things related to security vulnerabilities. But now, they're facing an uphill battle against a massive backlog of vulnerabilities, some of which are still waiting to be analyzed, and others that still have an...
7AI Score
Electrolink transmitters store credentials in clear-text. Use of these credentials could allow an attacker to access the...
7.5CVSS
6.7AI Score
0.0004EPSS
Electrolink transmitters store credentials in clear-text. Use of these credentials could allow an attacker to access the...
7.5CVSS
7.7AI Score
0.0004EPSS
CVE-2024-3742 Electrolink FM/DAB/TV Transmitter Cleartext Storage of Sensitive Information
Electrolink transmitters store credentials in clear-text. Use of these credentials could allow an attacker to access the...
7.5CVSS
7.7AI Score
0.0004EPSS
CVE-2024-3742 Electrolink FM/DAB/TV Transmitter Cleartext Storage of Sensitive Information
Electrolink transmitters store credentials in clear-text. Use of these credentials could allow an attacker to access the...
7.5CVSS
6.8AI Score
0.0004EPSS
TOTOLINK N300RT V2.1.8-B20201030.1539 contains a Store Cross-site scripting (XSS) vulnerability in IP/Port Filtering under the Firewall...
6AI Score
0.0004EPSS
TOTOLINK N300RT V2.1.8-B20201030.1539 contains a Store Cross-site scripting (XSS) vulnerability in Access Control under the Wireless...
5.8AI Score
0.0004EPSS
TOTOLINK N300RT V2.1.8-B20201030.1539 contains a Store Cross-site scripting (XSS) vulnerability in IP/Port Filtering under the Firewall...
5.8AI Score
0.0004EPSS