Lucene search

K

Classified Listing Store & Membership Addon Security Vulnerabilities

cve
cve

CVE-2024-6013

A vulnerability was found in itsourcecode Online Book Store 1.0. It has been rated as critical. This issue affects some unknown processing of the file admin_delete.php. The manipulation of the argument bookisbn leads to sql injection. The attack may be initiated remotely. The exploit has been...

6.3CVSS

7.4AI Score

0.0004EPSS

2024-06-15 04:15 PM
22
cvelist
cvelist

CVE-2024-6013 itsourcecode Online Book Store admin_delete.php sql injection

A vulnerability was found in itsourcecode Online Book Store 1.0. It has been rated as critical. This issue affects some unknown processing of the file admin_delete.php. The manipulation of the argument bookisbn leads to sql injection. The attack may be initiated remotely. The exploit has been...

6.3CVSS

0.0004EPSS

2024-06-15 04:00 PM
3
nuclei
nuclei

Business Directory Plugin <= 6.4.2 - SQL Injection

The Business Directory Plugin Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the ‘listingfields’ parameter in all versions up to, and including, 6.4.2 due to insufficient escaping on the user supplied parameter and lack of sufficient...

9.8CVSS

8.2AI Score

0.029EPSS

2024-06-15 03:35 PM
cve
cve

CVE-2024-6008

A vulnerability, which was classified as critical, was found in itsourcecode Online Book Store up to 1.0. Affected is an unknown function of the file /edit_book.php. The manipulation of the argument image leads to sql injection. It is possible to launch the attack remotely. The exploit has been...

6.3CVSS

7.4AI Score

0.0004EPSS

2024-06-15 03:15 PM
23
nvd
nvd

CVE-2024-6008

A vulnerability, which was classified as critical, was found in itsourcecode Online Book Store up to 1.0. Affected is an unknown function of the file /edit_book.php. The manipulation of the argument image leads to sql injection. It is possible to launch the attack remotely. The exploit has been...

6.3CVSS

0.0004EPSS

2024-06-15 03:15 PM
3
cvelist
cvelist

CVE-2024-6008 itsourcecode Online Book Store edit_book.php sql injection

A vulnerability, which was classified as critical, was found in itsourcecode Online Book Store up to 1.0. Affected is an unknown function of the file /edit_book.php. The manipulation of the argument image leads to sql injection. It is possible to launch the attack remotely. The exploit has been...

6.3CVSS

0.0004EPSS

2024-06-15 03:00 PM
2
vulnrichment
vulnrichment

CVE-2024-6008 itsourcecode Online Book Store edit_book.php sql injection

A vulnerability, which was classified as critical, was found in itsourcecode Online Book Store up to 1.0. Affected is an unknown function of the file /edit_book.php. The manipulation of the argument image leads to sql injection. It is possible to launch the attack remotely. The exploit has been...

6.3CVSS

6.8AI Score

0.0004EPSS

2024-06-15 03:00 PM
2
cve
cve

CVE-2024-37317

The Nextcloud Notes app is a distraction free notes taking app for Nextcloud. If an attacker managed to share a folder called Notes/ with a newly created user before they logged in, the Notes app would use that folder store the personal notes. It is recommended that the Nextcloud Notes app is...

4.6CVSS

4.8AI Score

0.0004EPSS

2024-06-14 04:15 PM
21
nvd
nvd

CVE-2024-37317

The Nextcloud Notes app is a distraction free notes taking app for Nextcloud. If an attacker managed to share a folder called Notes/ with a newly created user before they logged in, the Notes app would use that folder store the personal notes. It is recommended that the Nextcloud Notes app is...

4.6CVSS

0.0004EPSS

2024-06-14 04:15 PM
4
vulnrichment
vulnrichment

CVE-2024-37317 Nextcloud Notes app can be tricked into using a received share created before the user logged in

The Nextcloud Notes app is a distraction free notes taking app for Nextcloud. If an attacker managed to share a folder called Notes/ with a newly created user before they logged in, the Notes app would use that folder store the personal notes. It is recommended that the Nextcloud Notes app is...

4.6CVSS

7.1AI Score

0.0004EPSS

2024-06-14 03:25 PM
2
cvelist
cvelist

CVE-2024-37317 Nextcloud Notes app can be tricked into using a received share created before the user logged in

The Nextcloud Notes app is a distraction free notes taking app for Nextcloud. If an attacker managed to share a folder called Notes/ with a newly created user before they logged in, the Notes app would use that folder store the personal notes. It is recommended that the Nextcloud Notes app is...

4.6CVSS

0.0004EPSS

2024-06-14 03:25 PM
nvd
nvd

CVE-2024-33375

LB-LINK BL-W1210M v2.0 was discovered to store user credentials in plaintext within the router's...

0.0004EPSS

2024-06-14 03:15 PM
cve
cve

CVE-2024-33375

LB-LINK BL-W1210M v2.0 was discovered to store user credentials in plaintext within the router's...

7.2AI Score

0.0004EPSS

2024-06-14 03:15 PM
20
nextcloud
nextcloud

Notes app can be tricked into using a received share created before the user logged in

Description Impact If an attacker managed to share a folder called Notes/ with a newly created user before they logged in, the Notes app would use that folder store the personal notes. Patches It is recommended that the Nextcloud Notes app is upgraded to 4.9.3 Workarounds Disable Notes app ...

4.6CVSS

6.5AI Score

0.0004EPSS

2024-06-14 02:31 PM
16
veracode
veracode

Cross-site Scripting (XSS)

typo3/cms is vulnerable to cross-site scripting (XSS). The vulnerability is due to improper handling of file extensions containing malicious sequences in the output table listing, which requires access to the server's file system either directly or through synchronization to...

6.4AI Score

2024-06-14 05:52 AM
1
cve
cve

CVE-2023-51516

Missing Authorization vulnerability in Business Directory Team Business Directory Plugin.This issue affects Business Directory Plugin: from n/a through...

5.4CVSS

5.6AI Score

0.0004EPSS

2024-06-14 02:15 AM
36
nvd
nvd

CVE-2023-51516

Missing Authorization vulnerability in Business Directory Team Business Directory Plugin.This issue affects Business Directory Plugin: from n/a through...

5.4CVSS

0.0004EPSS

2024-06-14 02:15 AM
4
cvelist
cvelist

CVE-2023-51516 WordPress Business Directory Plugin – Easy Listing Directories for WordPress plugin <= 6.3.9 - Broken Access Control vulnerability

Missing Authorization vulnerability in Business Directory Team Business Directory Plugin.This issue affects Business Directory Plugin: from n/a through...

5.4CVSS

0.0004EPSS

2024-06-14 12:58 AM
1
vulnrichment
vulnrichment

CVE-2023-51516 WordPress Business Directory Plugin – Easy Listing Directories for WordPress plugin <= 6.3.9 - Broken Access Control vulnerability

Missing Authorization vulnerability in Business Directory Team Business Directory Plugin.This issue affects Business Directory Plugin: from n/a through...

5.4CVSS

5.6AI Score

0.0004EPSS

2024-06-14 12:58 AM
1
packetstorm

7.2AI Score

0.0004EPSS

2024-06-14 12:00 AM
91
cvelist
cvelist

CVE-2024-33375

LB-LINK BL-W1210M v2.0 was discovered to store user credentials in plaintext within the router's...

0.0004EPSS

2024-06-14 12:00 AM
zdt

7.1AI Score

0.0004EPSS

2024-06-14 12:00 AM
11
exploitdb

7.4AI Score

0.0004EPSS

2024-06-14 12:00 AM
97
nvd
nvd

CVE-2024-36589

An issue in Annonshop.app DecentralizeJustice/anonymousLocker commit 2b2b4 to ba9fd and DecentralizeJustice/anonBackend commit 57837 to cd815 was discovered to store credentials in...

0.0004EPSS

2024-06-13 07:15 PM
4
cve
cve

CVE-2024-36589

An issue in Annonshop.app DecentralizeJustice/anonymousLocker commit 2b2b4 to ba9fd and DecentralizeJustice/anonBackend commit 57837 to cd815 was discovered to store credentials in...

7.4AI Score

0.0004EPSS

2024-06-13 07:15 PM
24
talosblog
talosblog

How we can separate botnets from the malware operations that rely on them

As I covered in last week's newsletter, law enforcement agencies from around the globe have been touting recent botnet disruptions affecting the likes of some of the largest threat actors and malware families. Operation Endgame, which Europol touted as the "largest ever operation against botnets,"....

7.1AI Score

2024-06-13 06:00 PM
2
wordfence
wordfence

Wordfence Intelligence Weekly WordPress Vulnerability Report (June 3, 2024 to June 9, 2024)

_ Did you know Wordfence runs a Bug Bounty Program for all WordPress plugin and themes at no cost to vendors? __Researchers can earn up to $10,400, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the...

10CVSS

9.9AI Score

EPSS

2024-06-13 03:35 PM
7
thn
thn

Arid Viper Launches Mobile Espionage Campaign with AridSpy Malware

The threat actor known as Arid Viper has been attributed to a mobile espionage campaign that leverages trojanized Android apps to deliver a spyware strain dubbed AridSpy. "The malware is distributed through dedicated websites impersonating various messaging apps, a job opportunity app, and a...

7.5AI Score

2024-06-13 01:55 PM
4
cvelist
cvelist

CVE-2024-26029 Form selector allows directory listing and running of arbitrary resources in libs, bin folders that are not usually accessible

Adobe Experience Manager versions 6.5.20 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not.....

7.5CVSS

0.001EPSS

2024-06-13 07:53 AM
vulnrichment
vulnrichment

CVE-2024-26029 Form selector allows directory listing and running of arbitrary resources in libs, bin folders that are not usually accessible

Adobe Experience Manager versions 6.5.20 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not.....

7.5CVSS

6.9AI Score

0.001EPSS

2024-06-13 07:53 AM
1
cvelist
cvelist

CVE-2024-36589

An issue in Annonshop.app DecentralizeJustice/anonymousLocker commit 2b2b4 to ba9fd and DecentralizeJustice/anonBackend commit 57837 to cd815 was discovered to store credentials in...

0.0004EPSS

2024-06-13 12:00 AM
wpvulndb
wpvulndb

The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid < 7.7.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Description The The Post Grid – Shortcode, Gutenberg Blocks and Elementor Addon for Post Grid plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 7.7.1 due to insufficient input sanitization and output escaping on user supplied attributes. This...

6.5CVSS

5.8AI Score

0.0004EPSS

2024-06-13 12:00 AM
github
github

@strapi/plugin-users-permissions leaks 3rd party authentication tokens and authentication bypass

Summary By combining two vulnerabilities (an Open Redirect and session token sent as URL query parameter) in Strapi framework is its possible of an unauthenticated attacker to bypass authentication mechanisms and retrieve the 3rd party tokens. The attack requires user interaction (one click)....

7.1CVSS

7.1AI Score

0.001EPSS

2024-06-12 07:39 PM
7
osv
osv

@strapi/plugin-users-permissions leaks 3rd party authentication tokens and authentication bypass

Summary By combining two vulnerabilities (an Open Redirect and session token sent as URL query parameter) in Strapi framework is its possible of an unauthenticated attacker to bypass authentication mechanisms and retrieve the 3rd party tokens. The attack requires user interaction (one click)....

7.1CVSS

7.1AI Score

0.001EPSS

2024-06-12 07:39 PM
5
cve
cve

CVE-2024-5906

A cross-site scripting (XSS) vulnerability in Palo Alto Networks Prisma Cloud Compute software enables a malicious administrator with add/edit permissions for identity providers to store a JavaScript payload using the web interface on Prisma Cloud Compute. This enables a malicious administrator to....

5.5AI Score

0.0004EPSS

2024-06-12 05:15 PM
24
nvd
nvd

CVE-2024-5906

A cross-site scripting (XSS) vulnerability in Palo Alto Networks Prisma Cloud Compute software enables a malicious administrator with add/edit permissions for identity providers to store a JavaScript payload using the web interface on Prisma Cloud Compute. This enables a malicious administrator to....

0.0004EPSS

2024-06-12 05:15 PM
2
cvelist
cvelist

CVE-2024-5906 Prisma Cloud Compute: Stored Cross-Site Scripting (XSS) Vulnerability in the Web Interface

A cross-site scripting (XSS) vulnerability in Palo Alto Networks Prisma Cloud Compute software enables a malicious administrator with add/edit permissions for identity providers to store a JavaScript payload using the web interface on Prisma Cloud Compute. This enables a malicious administrator to....

0.0004EPSS

2024-06-12 04:22 PM
2
metasploit
metasploit

SolarWinds Serv-U Unauthenticated Arbitrary File Read

This module exploits an unauthenticated file read vulnerability, due to directory traversal, affecting SolarWinds Serv-U FTP Server 15.4, Serv-U Gateway 15.4, and Serv-U MFT Server 15.4. All versions prior to the vendor supplied hotfix "15.4.2 Hotfix 2" (version 15.4.2.157) are...

8.6CVSS

7.3AI Score

0.343EPSS

2024-06-12 03:25 PM
9
nvd
nvd

CVE-2024-36840

SQL Injection vulnerability in Boelter Blue System Management v.1.3 allows a remote attacker to execute arbitrary code and obtain sensitive information via the id parameter to news_details.php and location_details.php; and the section parameter to...

0.0004EPSS

2024-06-12 03:15 PM
cve
cve

CVE-2024-36840

SQL Injection vulnerability in Boelter Blue System Management v.1.3 allows a remote attacker to execute arbitrary code and obtain sensitive information via the id parameter to news_details.php and location_details.php; and the section parameter to...

8.3AI Score

0.0004EPSS

2024-06-12 03:15 PM
19
redhatcve
redhatcve

CVE-2024-37168

A flaw was found in grps-js, which implements the core functionality of gRPC purely in JavaScript, without a C++ addon. Prior to versions 1.10.9, 1.9.15, and 1.8.22, there are two separate code paths in which memory can be allocated per message in excess of the grpc.max_receive_message_length...

5.3CVSS

5.1AI Score

0.0005EPSS

2024-06-12 02:53 PM
3
cve
cve

CVE-2024-5674

The Newsletter - API v1 and v2 addon plugin for WordPress is vulnerable to unauthorized subscribers management due to PHP type juggling issue on the check_api_key function in all versions up to, and including, 2.4.5. This makes it possible for unauthenticated attackers to list, create or delete...

6.5CVSS

6.5AI Score

0.0005EPSS

2024-06-12 11:15 AM
30
nvd
nvd

CVE-2024-5674

The Newsletter - API v1 and v2 addon plugin for WordPress is vulnerable to unauthorized subscribers management due to PHP type juggling issue on the check_api_key function in all versions up to, and including, 2.4.5. This makes it possible for unauthenticated attackers to list, create or delete...

6.5CVSS

0.0005EPSS

2024-06-12 11:15 AM
6
vulnrichment
vulnrichment

CVE-2024-5674 Newsletter - API v1 and v2 addon for Newsletter <= 2.4.5 - Missing Authorization to Email Subscribers Management

The Newsletter - API v1 and v2 addon plugin for WordPress is vulnerable to unauthorized subscribers management due to PHP type juggling issue on the check_api_key function in all versions up to, and including, 2.4.5. This makes it possible for unauthenticated attackers to list, create or delete...

6.5CVSS

7.2AI Score

0.0005EPSS

2024-06-12 11:05 AM
4
cvelist
cvelist

CVE-2024-5674 Newsletter - API v1 and v2 addon for Newsletter <= 2.4.5 - Missing Authorization to Email Subscribers Management

The Newsletter - API v1 and v2 addon plugin for WordPress is vulnerable to unauthorized subscribers management due to PHP type juggling issue on the check_api_key function in all versions up to, and including, 2.4.5. This makes it possible for unauthenticated attackers to list, create or delete...

6.5CVSS

0.0005EPSS

2024-06-12 11:05 AM
5
cve
cve

CVE-2024-2092

The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Twitter Widget in all versions up to, and including, 1.13.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

5.4CVSS

5AI Score

0.001EPSS

2024-06-12 10:15 AM
24
nvd
nvd

CVE-2024-2092

The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Twitter Widget in all versions up to, and including, 1.13.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

5.4CVSS

0.001EPSS

2024-06-12 10:15 AM
4
cvelist
cvelist

CVE-2024-2092 Elementor Addon Elements <= 1.13.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Twitter Widget

The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Twitter Widget in all versions up to, and including, 1.13.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

5.4CVSS

0.001EPSS

2024-06-12 09:33 AM
2
Total number of security vulnerabilities82384