Lucene search

K

Contact Forms – Drag & Drop Contact Form Builder Security Vulnerabilities

cve
cve

CVE-2024-4899

The SEOPress WordPress plugin before 7.8 does not sanitise and escape some of its Post settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting...

5.5AI Score

0.0004EPSS

2024-06-24 06:15 AM
7
thn
thn

Multiple Threat Actors Deploying Open-Source Rafel RAT to Target Android Devices

Multiple threat actors, including cyber espionage groups, are employing an open-source Android remote administration tool called Rafel RAT to meet their operational objectives by masquerading it as Instagram, WhatsApp, and various e-commerce and antivirus apps. "It provides malicious actors with a....

7.5AI Score

2024-06-24 05:04 AM
21
fedora
fedora

[SECURITY] Fedora 39 Update: python-PyMySQL-1.1.1-1.fc39

This package contains a pure-Python MySQL client library. The goal of PyMyS QL is to be a drop-in replacement for MySQLdb and work on CPython, PyPy, IronPyth on and...

7.2AI Score

0.0004EPSS

2024-06-24 01:39 AM
nessus
nessus

Amazon Linux 2 : golang (ALAS-2024-2576)

The version of golang installed on the remote host is prior to 1.22.4-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2024-2576 advisory. The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip...

9.8CVSS

8AI Score

0.001EPSS

2024-06-24 12:00 AM
nessus
nessus

Amazon Linux 2023 : golang, golang-bin, golang-misc (ALAS2023-2024-646)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2024-646 advisory. The archive/zip package's handling of certain types of invalid zip files differs from the behavior of most zip implementations. This misalignment could be exploited to create an zip file...

9.8CVSS

8AI Score

0.001EPSS

2024-06-24 12:00 AM
1
nessus
nessus

FreeBSD : emacs -- Arbitrary shell code evaluation vulnerability (4f6c4c07-3179-11ef-9da5-1c697a616631)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 4f6c4c07-3179-11ef-9da5-1c697a616631 advisory. GNU Emacs developers report: Emacs 29.4 is an emergency bugfix release intended to fix a security...

7.5AI Score

2024-06-24 12:00 AM
packetstorm

7.4AI Score

2024-06-24 12:00 AM
49
packetstorm

6.8CVSS

7.1AI Score

0.0004EPSS

2024-06-24 12:00 AM
45
packetstorm

7.4AI Score

2024-06-24 12:00 AM
45
nessus
nessus

RHEL 8 : python3.11 (RHSA-2024:4058)

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:4058 advisory. Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level...

7.8CVSS

7.4AI Score

0.0005EPSS

2024-06-24 12:00 AM
packetstorm

7.1AI Score

0.0004EPSS

2024-06-24 12:00 AM
46
hp
hp

AMD Client UEFI – Cross-Process Information Leak

AMD has informed HP of a potential security vulnerability identified in some AMD client processors, which might allow information disclosure. AMD released firmware updates to mitigate these vulnerabilities. AMD has released updates to mitigate the potential vulnerability. HP has identified...

5.5CVSS

7AI Score

0.001EPSS

2024-06-24 12:00 AM
nvd
nvd

CVE-2024-6273

A vulnerability was found in SourceCodester Clinic Queuing System 1.0. It has been declared as problematic. Affected by this vulnerability is the function save_patient of the file patient_side.php. The manipulation of the argument Full Name/Contact/Address leads to cross site scripting. The attack....

4.3CVSS

0.0004EPSS

2024-06-23 10:15 PM
1
cve
cve

CVE-2024-6273

A vulnerability was found in SourceCodester Clinic Queuing System 1.0. It has been declared as problematic. Affected by this vulnerability is the function save_patient of the file patient_side.php. The manipulation of the argument Full Name/Contact/Address leads to cross site scripting. The attack....

4.3CVSS

4.4AI Score

0.0004EPSS

2024-06-23 10:15 PM
14
cvelist
cvelist

CVE-2024-6273 SourceCodester Clinic Queuing System patient_side.php save_patient cross site scripting

A vulnerability was found in SourceCodester Clinic Queuing System 1.0. It has been declared as problematic. Affected by this vulnerability is the function save_patient of the file patient_side.php. The manipulation of the argument Full Name/Contact/Address leads to cross site scripting. The attack....

4.3CVSS

0.0004EPSS

2024-06-23 10:00 PM
4
osv
osv

Malicious code in openstad-component-forms (npm)

-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (ce99b034a6f67b0bd613755012e00352d254a5b438c7d65a687a2e2e2458cd7e) The OpenSSF Package Analysis project identified 'openstad-component-forms' @ 1.0.0 (npm) as malicious. It is considered malicious because: The...

7.1AI Score

2024-06-22 10:19 AM
2
cve
cve

CVE-2024-4874

The Bricks Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.9.8 via the postId parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and...

4.3CVSS

4.4AI Score

0.0004EPSS

2024-06-22 05:15 AM
19
nvd
nvd

CVE-2024-4874

The Bricks Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.9.8 via the postId parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and...

4.3CVSS

0.0004EPSS

2024-06-22 05:15 AM
4
cvelist
cvelist

CVE-2024-4874 Bricks Builder <= 1.9.8 - Insecure Direct Object Reference

The Bricks Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.9.8 via the postId parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and...

4.3CVSS

0.0004EPSS

2024-06-22 04:32 AM
4
vulnrichment
vulnrichment

CVE-2024-4874 Bricks Builder <= 1.9.8 - Insecure Direct Object Reference

The Bricks Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.9.8 via the postId parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and...

4.3CVSS

6.5AI Score

0.0004EPSS

2024-06-22 04:32 AM
1
nessus
nessus

SUSE SLES15 / openSUSE 15 Security Update : kernel (SUSE-SU-2024:2135-1)

The remote SUSE Linux SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:2135-1 advisory. The SUSE Linux Enterprise 15 SP6 Azure kernel was updated to receive various security bugfixes. The following...

8CVSS

8.4AI Score

EPSS

2024-06-22 12:00 AM
2
nessus
nessus

FreeBSD : traefik -- Azure Identity Libraries Elevation of Privilege Vulnerability (82830965-3073-11ef-a17d-5404a68ad561)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 82830965-3073-11ef-a17d-5404a68ad561 advisory. The traefik authors report: There is a vulnerability in Azure Identity Libraries...

5.5CVSS

7AI Score

0.0004EPSS

2024-06-22 12:00 AM
1
malwarebytes
malwarebytes

First million breached Ticketmaster records released for free

The cybercriminal acting under the name "Sp1d3r" gave away the first 1 million records that are part of the data set that they claimed to have stolen from Ticketmaster/Live Nation. The files were released without a price, for free. When Malwarebytes Labs first learned about this data breach, it...

7.2AI Score

2024-06-21 04:01 PM
6
nvd
nvd

CVE-2022-45803

Missing Authorization vulnerability in Nikolay Strikhar WordPress Form Builder Plugin – Gutenberg Forms.This issue affects WordPress Form Builder Plugin – Gutenberg Forms: from n/a through...

8.8CVSS

0.001EPSS

2024-06-21 02:15 PM
2
cve
cve

CVE-2022-45803

Missing Authorization vulnerability in Nikolay Strikhar WordPress Form Builder Plugin – Gutenberg Forms.This issue affects WordPress Form Builder Plugin – Gutenberg Forms: from n/a through...

8.8CVSS

6.5AI Score

0.001EPSS

2024-06-21 02:15 PM
20
cvelist
cvelist

CVE-2022-45803 WordPress Gutenberg Forms plugin <= 2.2.8.3 - Auth. Broken Access Control vulnerability

Missing Authorization vulnerability in Nikolay Strikhar WordPress Form Builder Plugin – Gutenberg Forms.This issue affects WordPress Form Builder Plugin – Gutenberg Forms: from n/a through...

6.5CVSS

0.001EPSS

2024-06-21 01:35 PM
2
vulnrichment
vulnrichment

CVE-2022-45803 WordPress Gutenberg Forms plugin <= 2.2.8.3 - Auth. Broken Access Control vulnerability

Missing Authorization vulnerability in Nikolay Strikhar WordPress Form Builder Plugin – Gutenberg Forms.This issue affects WordPress Form Builder Plugin – Gutenberg Forms: from n/a through...

6.5CVSS

6.9AI Score

0.001EPSS

2024-06-21 01:35 PM
cve
cve

CVE-2024-35768

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Live Composer Team Page Builder: Live Composer allows Stored XSS.This issue affects Page Builder: Live Composer: from n/a through...

5.9CVSS

5.8AI Score

0.0004EPSS

2024-06-21 01:15 PM
22
nvd
nvd

CVE-2024-35768

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Live Composer Team Page Builder: Live Composer allows Stored XSS.This issue affects Page Builder: Live Composer: from n/a through...

4.8CVSS

0.0004EPSS

2024-06-21 01:15 PM
2
cvelist
cvelist

CVE-2024-35768 WordPress Page Builder: Live Composer plugin <= 1.5.42 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Live Composer Team Page Builder: Live Composer allows Stored XSS.This issue affects Page Builder: Live Composer: from n/a through...

5.9CVSS

0.0004EPSS

2024-06-21 12:27 PM
3
vulnrichment
vulnrichment

CVE-2024-35768 WordPress Page Builder: Live Composer plugin <= 1.5.42 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Live Composer Team Page Builder: Live Composer allows Stored XSS.This issue affects Page Builder: Live Composer: from n/a through...

5.9CVSS

6.8AI Score

0.0004EPSS

2024-06-21 12:27 PM
1
nvd
nvd

CVE-2024-35779

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Live Composer Team Page Builder: Live Composer allows Stored XSS.This issue affects Page Builder: Live Composer: from n/a through...

5.4CVSS

0.0004EPSS

2024-06-21 12:15 PM
2
cve
cve

CVE-2024-35779

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Live Composer Team Page Builder: Live Composer allows Stored XSS.This issue affects Page Builder: Live Composer: from n/a through...

6.5CVSS

6.5AI Score

0.0004EPSS

2024-06-21 12:15 PM
19
talosblog
talosblog

Unveiling SpiceRAT: SneakyChef's latest tool targeting EMEA and Asia

Cisco Talos discovered a new remote access trojan (RAT) dubbed SpiceRAT, used by the threat actor SneakyChef in a recent campaign targeting government agencies in EMEA and Asia. We observed that SneakyChef launched a phishing campaign, sending emails delivering SugarGh0st and SpiceRAT with the...

7.5AI Score

2024-06-21 12:00 PM
5
talosblog
talosblog

SneakyChef espionage group targets government agencies with SugarGh0st and more infection techniques

Cisco Talos recently discovered an ongoing campaign from SneakyChef, a newly discovered threat actor using SugarGh0st malware, as early as August 2023. In the newly discovered campaign, we observed a wider scope of targets spread across countries in EMEA and Asia, compared with previous...

7AI Score

2024-06-21 12:00 PM
4
cvelist
cvelist

CVE-2024-35779 WordPress Page Builder: Live Composer plugin <= 1.5.42 - Contributor+ Shortcode Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Live Composer Team Page Builder: Live Composer allows Stored XSS.This issue affects Page Builder: Live Composer: from n/a through...

6.5CVSS

0.0004EPSS

2024-06-21 11:40 AM
4
githubexploit
githubexploit

Exploit for Unrestricted Upload of File with Dangerous Type in Elementor Website Builder

WordPress Plugin - Elementor 3.6.0 3.6.1 3.6.2 Thực thi mã từ...

8.8CVSS

7AI Score

0.96EPSS

2024-06-21 10:05 AM
102
veracode
veracode

Insecure Deserialization

typo3/cms is vulnerable to Insecure Deserialization. The vulnerability is due to the execution of source code from Phar files when they are invoked. Due to missing sanitization of user input, attackers can upload obfuscated Phar files ("bundle.txt") and manipulate URLs in TYPO3 backend forms to...

7.6AI Score

2024-06-21 09:59 AM
thn
thn

Oyster Backdoor Spreading via Trojanized Popular Software Downloads

A malvertising campaign is leveraging trojanized installers for popular software such as Google Chrome and Microsoft Teams to drop a backdoor called Oyster (aka Broomstick and CleanUpLoader). That's according to findings from Rapid7, which identified lookalike websites hosting the malicious...

7.5AI Score

2024-06-21 09:51 AM
11
github
github

FriendlyCaptcha Plugin for TYPO3 Captcha Check Bypass

An issue was discovered in the friendlycaptcha_official (aka Integration of Friendly Captcha) extension before 0.1.4 for TYPO3. The extension fails to check the requirement of the captcha field in submitted form data, allowing a remote user to bypass the captcha check. This only affects the...

5.3CVSS

6.9AI Score

0.0004EPSS

2024-06-21 09:30 AM
3
osv
osv

FriendlyCaptcha Plugin for TYPO3 Captcha Check Bypass

An issue was discovered in the friendlycaptcha_official (aka Integration of Friendly Captcha) extension before 0.1.4 for TYPO3. The extension fails to check the requirement of the captcha field in submitted form data, allowing a remote user to bypass the captcha check. This only affects the...

5.3CVSS

6.9AI Score

0.0004EPSS

2024-06-21 09:30 AM
3
malwarebytes
malwarebytes

Was T-Mobile compromised by a zero-day in Jira?

A moderator of the notorious data breach trading platform BreachForums is offering data for sale they claim comes from a data breach at T-Mobile. The moderator, going by the name of IntelBroker, describes the data as containing source code, SQL files, images, Terraform data, t-mobile.com...

10CVSS

8.2AI Score

0.001EPSS

2024-06-21 07:34 AM
9
cve
cve

CVE-2024-38873

An issue was discovered in the friendlycaptcha_official (aka Integration of Friendly Captcha) extension before 0.1.4 for TYPO3. The extension fails to check the requirement of the captcha field in submitted form data, allowing a remote user to bypass the captcha check. This only affects the...

5.3CVSS

7.2AI Score

0.0004EPSS

2024-06-21 07:15 AM
17
nvd
nvd

CVE-2024-38873

An issue was discovered in the friendlycaptcha_official (aka Integration of Friendly Captcha) extension before 0.1.4 for TYPO3. The extension fails to check the requirement of the captcha field in submitted form data, allowing a remote user to bypass the captcha check. This only affects the...

5.3CVSS

0.0004EPSS

2024-06-21 07:15 AM
2
nvd
nvd

CVE-2024-4475

The WP Logs Book WordPress plugin through 1.0.1 does not have CSRF check when clearing logs, which could allow attackers to make a logged in admin clear the logs them via a CSRF...

0.0004EPSS

2024-06-21 06:15 AM
3
cve
cve

CVE-2024-4382

The CB (legacy) WordPress plugin through 0.9.4.18 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting codes, timeframes, and bookings via CSRF...

6.5AI Score

0.0004EPSS

2024-06-21 06:15 AM
17
cve
cve

CVE-2024-4969

The Widget Bundle WordPress plugin through 2.0.0 does not have CSRF checks when logging Widgets, which could allow attackers to make logged in admin enable/disable widgets via a CSRF...

4.3CVSS

6.4AI Score

0.0005EPSS

2024-06-21 06:15 AM
18
cve
cve

CVE-2024-4755

The Google CSE WordPress plugin through 1.0.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

4.8CVSS

5.4AI Score

0.0004EPSS

2024-06-21 06:15 AM
19
nvd
nvd

CVE-2024-4384

The CSSable Countdown WordPress plugin through 1.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite...

0.0004EPSS

2024-06-21 06:15 AM
1
nvd
nvd

CVE-2024-4477

The WP Logs Book WordPress plugin through 1.0.1 does not sanitise and escape some of its log data before outputting them back in an admin dashboard, leading to an Unauthenticated Stored Cross-Site...

5.4CVSS

0.0004EPSS

2024-06-21 06:15 AM
1
Total number of security vulnerabilities167594