Lucene search

K

HubSpot – CRM, Email Marketing, Live Chat, Forms & Analytics Security Vulnerabilities

cve
cve

CVE-2024-37297

WooCommerce is an open-source e-commerce platform built on WordPress. A vulnerability introduced in WooCommerce 8.8 allows for cross-site scripting. A bad actor can manipulate a link to include malicious HTML & JavaScript content. While the content is not saved to the database, the links may be...

5.4CVSS

5.2AI Score

0.0004EPSS

2024-06-12 03:15 PM
17
nvd
nvd

CVE-2024-37297

WooCommerce is an open-source e-commerce platform built on WordPress. A vulnerability introduced in WooCommerce 8.8 allows for cross-site scripting. A bad actor can manipulate a link to include malicious HTML & JavaScript content. While the content is not saved to the database, the links may be...

5.4CVSS

0.0004EPSS

2024-06-12 03:15 PM
cvelist
cvelist

CVE-2024-37297 WooCommerce has a Cross-Site Scripting Vulnerability in checkout & registration forms

WooCommerce is an open-source e-commerce platform built on WordPress. A vulnerability introduced in WooCommerce 8.8 allows for cross-site scripting. A bad actor can manipulate a link to include malicious HTML & JavaScript content. While the content is not saved to the database, the links may be...

5.4CVSS

0.0004EPSS

2024-06-12 03:05 PM
1
vulnrichment
vulnrichment

CVE-2024-37297 WooCommerce has a Cross-Site Scripting Vulnerability in checkout & registration forms

WooCommerce is an open-source e-commerce platform built on WordPress. A vulnerability introduced in WooCommerce 8.8 allows for cross-site scripting. A bad actor can manipulate a link to include malicious HTML & JavaScript content. While the content is not saved to the database, the links may be...

5.4CVSS

6AI Score

0.0004EPSS

2024-06-12 03:05 PM
metasploit
metasploit

Telerik Report Server Auth Bypass and Deserialization RCE

This module chains an authentication bypass vulnerability (CVE-2024-4358) with a deserialization vulnerability (CVE-2024-1800) to obtain remote code execution against Telerik Report Server version 10.0.24.130 and prior. The authentication bypass flaw allows an unauthenticated user to create a new.....

9.9CVSS

10AI Score

0.938EPSS

2024-06-12 12:58 PM
8
thn
thn

Lessons from the Snowflake Breaches

Last week, the notorious hacker gang, ShinyHunters, sent shockwaves across the globe by allegedly plundering 1.3 terabytes of data from 560 million users. This colossal breach, with a price tag of $500,000, could expose the personal information of a massive swath of a live event company's...

7.4AI Score

2024-06-12 11:25 AM
1
vulnrichment
vulnrichment

CVE-2024-5674 Newsletter - API v1 and v2 addon for Newsletter <= 2.4.5 - Missing Authorization to Email Subscribers Management

The Newsletter - API v1 and v2 addon plugin for WordPress is vulnerable to unauthorized subscribers management due to PHP type juggling issue on the check_api_key function in all versions up to, and including, 2.4.5. This makes it possible for unauthenticated attackers to list, create or delete...

6.5CVSS

7.2AI Score

0.0005EPSS

2024-06-12 11:05 AM
2
cvelist
cvelist

CVE-2024-5674 Newsletter - API v1 and v2 addon for Newsletter <= 2.4.5 - Missing Authorization to Email Subscribers Management

The Newsletter - API v1 and v2 addon plugin for WordPress is vulnerable to unauthorized subscribers management due to PHP type juggling issue on the check_api_key function in all versions up to, and including, 2.4.5. This makes it possible for unauthenticated attackers to list, create or delete...

6.5CVSS

0.0005EPSS

2024-06-12 11:05 AM
4
schneier
schneier

Using AI for Political Polling

Public polling is a critical function of modern political campaigns and movements, but it isn't what it once was. Recent US election cycles have produced copious postmortems explaining both the successes and the flaws of public polling. There are two main reasons polling fails. First, nonresponse.....

6.5AI Score

2024-06-12 11:02 AM
2
nvd
nvd

CVE-2024-4845

The Icegram Express plugin for WordPress is vulnerable to SQL Injection via the ‘options[list_id]’ parameter in all versions up to, and including, 5.7.22 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...

8.8CVSS

0.001EPSS

2024-06-12 10:15 AM
4
cve
cve

CVE-2024-4845

The Icegram Express plugin for WordPress is vulnerable to SQL Injection via the ‘options[list_id]’ parameter in all versions up to, and including, 5.7.22 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...

8.8CVSS

8.7AI Score

0.001EPSS

2024-06-12 10:15 AM
23
nvd
nvd

CVE-2023-51413

Missing Authorization vulnerability in Piotnet Forms.This issue affects Piotnet Forms: from n/a through...

5.3CVSS

0.0004EPSS

2024-06-12 10:15 AM
5
cve
cve

CVE-2023-51413

Missing Authorization vulnerability in Piotnet Forms.This issue affects Piotnet Forms: from n/a through...

5.3CVSS

5.4AI Score

0.0004EPSS

2024-06-12 10:15 AM
43
cvelist
cvelist

CVE-2024-4845 Icegram Express <= 5.7.22 - Authenticated (Subscriber+) SQL Injection Vulnerability via options[list_id]

The Icegram Express plugin for WordPress is vulnerable to SQL Injection via the ‘options[list_id]’ parameter in all versions up to, and including, 5.7.22 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...

8.8CVSS

0.001EPSS

2024-06-12 09:33 AM
3
cvelist
cvelist

CVE-2023-51413 WordPress Piotnet Forms plugin <= 1.0.29 - Broken Access Control vulnerability

Missing Authorization vulnerability in Piotnet Forms.This issue affects Piotnet Forms: from n/a through...

5.3CVSS

0.0004EPSS

2024-06-12 09:13 AM
3
vulnrichment
vulnrichment

CVE-2023-51413 WordPress Piotnet Forms plugin <= 1.0.29 - Broken Access Control vulnerability

Missing Authorization vulnerability in Piotnet Forms.This issue affects Piotnet Forms: from n/a through...

5.3CVSS

7.2AI Score

0.0004EPSS

2024-06-12 09:13 AM
hackread
hackread

Critical Outlook RCE Vulnerability Exploits Preview Pane – Patch Now!

A critical vulnerability (CVE-2024-30103) in Microsoft Outlook allows attackers to execute malicious code simply by opening an email. This "zero-click" exploit doesn't require user interaction and poses a serious threat. Learn how this vulnerability works and how to stay...

8.8CVSS

7.5AI Score

0.001EPSS

2024-06-12 08:59 AM
13
thn
thn

New Phishing Campaign Deploys WARMCOOKIE Backdoor Targeting Job Seekers

Cybersecurity researchers have disclosed details of an ongoing phishing campaign that leverages recruiting- and job-themed lures to deliver a Windows-based backdoor named WARMCOOKIE. "WARMCOOKIE appears to be an initial backdoor tool used to scout out victim networks and deploy additional...

7AI Score

2024-06-12 08:47 AM
1
osv
osv

BIT-suitecrm-2024-36406

SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, unchecked input allows for open re-direct. Versions 7.14.4 and 8.6.1 contain a fix for this...

5.4CVSS

6.8AI Score

0.001EPSS

2024-06-12 07:39 AM
osv
osv

BIT-suitecrm-2024-36407

SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, a user password can be reset from an unauthenticated attacker. The attacker does not get access to the new password. But this can be annoying for the user. This attack is.....

6.5CVSS

7AI Score

0.0005EPSS

2024-06-12 07:39 AM
1
osv
osv

BIT-suitecrm-2024-36408

SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, poor input validation allows for SQL Injection in the Alerts controller. Versions 7.14.4 and 8.6.1 contain a fix for this...

9.6CVSS

7.9AI Score

0.001EPSS

2024-06-12 07:39 AM
osv
osv

BIT-suitecrm-2024-36409

SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, poor input validation allows for SQL Injection in Tree data entry point. Versions 7.14.4 and 8.6.1 contain a fix for this...

9.6CVSS

7.9AI Score

0.001EPSS

2024-06-12 07:38 AM
osv
osv

BIT-suitecrm-2024-36410

SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, poor input validation allows for SQL Injection in EmailUIAjax messages count controller. Versions 7.14.4 and 8.6.1 contain a fix for this...

9.6CVSS

7.9AI Score

0.001EPSS

2024-06-12 07:38 AM
1
osv
osv

BIT-suitecrm-2024-36411

SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, poor input validation allows for SQL Injection in EmailUIAjax displayView controller. Versions 7.14.4 and 8.6.1 contain a fix for this...

9.6CVSS

7.9AI Score

0.001EPSS

2024-06-12 07:38 AM
1
osv
osv

BIT-suitecrm-2024-36412

SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in events response entry point allows for a SQL injection attack. Versions 7.14.4 and 8.6.1 contain a fix for this...

10CVSS

7.7AI Score

0.001EPSS

2024-06-12 07:38 AM
osv
osv

BIT-suitecrm-2024-36413

SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in the import module error view allows for a cross-site scripting attack. Versions 7.14.4 and 8.6.1 contain a fix for this...

8.9CVSS

6.1AI Score

0.0004EPSS

2024-06-12 07:37 AM
osv
osv

BIT-suitecrm-2024-36414

SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in the connectors file verification allows for a server-side request forgery attack. Versions 7.14.4 and 8.6.1 contain a fix for this...

7.7CVSS

6.8AI Score

0.0005EPSS

2024-06-12 07:37 AM
1
osv
osv

BIT-suitecrm-2024-36415

SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in uploaded file verification in products allows for remote code execution. Versions 7.14.4 and 8.6.1 contain a fix for this...

9.1CVSS

7.6AI Score

0.001EPSS

2024-06-12 07:37 AM
osv
osv

BIT-suitecrm-2024-36416

SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a deprecated v4 API example with no log rotation allows denial of service by logging excessive data. Versions 7.14.4 and 8.6.1 contain a fix for this...

8.6CVSS

6.8AI Score

0.0005EPSS

2024-06-12 07:37 AM
1
osv
osv

BIT-suitecrm-2024-36417

SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, an unverified IFrame can be added some some inputs, which could allow for a cross-site scripting attack. Versions 7.14.4 and 8.6.1 contain a fix for this...

9CVSS

6.2AI Score

0.001EPSS

2024-06-12 07:36 AM
1
osv
osv

BIT-suitecrm-2024-36418

SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in connectors allows an authenticated user to perform a remote code execution attack. Versions 7.14.4 and 8.6.1 contain a fix for this...

8.5CVSS

7.6AI Score

0.0004EPSS

2024-06-12 07:36 AM
osv
osv

BIT-suitecrm-2024-36419

SuiteCRM is an open-source Customer Relationship Management (CRM) software application. A vulnerability in versions prior to 8.6.1 allows for Host Header Injection when directly accessing the /legacy route. Version 8.6.1 contains a patch for the...

4.3CVSS

7.1AI Score

0.001EPSS

2024-06-12 07:36 AM
cve
cve

CVE-2024-5739

The in-app browser of LINE client for iOS versions below 14.9.0 contains a Universal XSS (UXSS) vulnerability. This vulnerability allows for cross-site scripting (XSS) where arbitrary JavaScript can be executed in the top frame from an embedded iframe on any displayed web site within the in-app...

6.1CVSS

5.7AI Score

0.0004EPSS

2024-06-12 07:15 AM
19
nvd
nvd

CVE-2024-5739

The in-app browser of LINE client for iOS versions below 14.9.0 contains a Universal XSS (UXSS) vulnerability. This vulnerability allows for cross-site scripting (XSS) where arbitrary JavaScript can be executed in the top frame from an embedded iframe on any displayed web site within the in-app...

6.1CVSS

0.0004EPSS

2024-06-12 07:15 AM
2
cvelist
cvelist

CVE-2024-5739

The in-app browser of LINE client for iOS versions below 14.9.0 contains a Universal XSS (UXSS) vulnerability. This vulnerability allows for cross-site scripting (XSS) where arbitrary JavaScript can be executed in the top frame from an embedded iframe on any displayed web site within the in-app...

6.1CVSS

0.0004EPSS

2024-06-12 07:00 AM
2
thn
thn

Microsoft Issues Patches for 51 Flaws, Including Critical MSMQ Vulnerability

Microsoft has released security updates to address 51 flaws as part of its Patch Tuesday updates for June 2024. Of the 51 vulnerabilities, one is rated Critical and 50 are rated Important. This is in addition to 17 vulnerabilities resolved in the Chromium-based Edge browser over the past month....

9.8CVSS

8.7AI Score

0.05EPSS

2024-06-12 04:26 AM
28
nvd
nvd

CVE-2024-4564

The CoDesigner WooCommerce Builder for Elementor – Customize Checkout, Shop, Email, Products & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Shop Slider, Tabs Classic, and Image Comparison widgets in all versions up to, and including, 4.4.1 due to...

6.4CVSS

0.001EPSS

2024-06-12 04:15 AM
1
cve
cve

CVE-2024-4564

The CoDesigner WooCommerce Builder for Elementor – Customize Checkout, Shop, Email, Products & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Shop Slider, Tabs Classic, and Image Comparison widgets in all versions up to, and including, 4.4.1 due to...

6.4CVSS

5.7AI Score

0.001EPSS

2024-06-12 04:15 AM
17
osv
osv

Malicious code in virtuoso-web-chat (npm)

-= Per source details. Do not edit below this line.=- Source: ghsa-malware (09f5be1f1f3cad8c43378afb0ddb0aed39e00e1e3169ff5e1559ab4c39d1bf06) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

7AI Score

2024-06-12 04:14 AM
cvelist
cvelist

CVE-2024-4564 CoDesigner WooCommerce Builder for Elementor – Customize Checkout, Shop, Email, Products & More <= 4.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets

The CoDesigner WooCommerce Builder for Elementor – Customize Checkout, Shop, Email, Products & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Shop Slider, Tabs Classic, and Image Comparison widgets in all versions up to, and including, 4.4.1 due to...

6.4CVSS

0.001EPSS

2024-06-12 03:33 AM
openvas
openvas

Ubuntu: Security Advisory (USN-6820-2)

The remote host is missing an update for...

8CVSS

7.5AI Score

0.0004EPSS

2024-06-12 12:00 AM
wpvulndb
wpvulndb

Easy Forms for Mailchimp <= 6.9.0 - Missing Authorization

Description The Easy Forms for Mailchimp plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 6.9.0. This makes it possible for unauthenticated attackers to perform an unauthorized...

7.3CVSS

6.7AI Score

0.0005EPSS

2024-06-12 12:00 AM
nessus
nessus

Amazon Linux 2 : cri-tools (ALAS-2024-2568)

The version of cri-tools installed on the remote host is prior to 1.29.0-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2024-2568 advisory. An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of...

8.2AI Score

0.0004EPSS

2024-06-12 12:00 AM
1
nessus
nessus

RHEL 8 / 9 : OpenShift Container Platform 4.12.59 (RHSA-2024:3715)

The remote Redhat Enterprise Linux 8 / 9 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2024:3715 advisory. Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private...

6.7AI Score

0.0004EPSS

2024-06-12 12:00 AM
1
nessus
nessus

FreeBSD : plasma[56]-plasma-workspace -- Unauthorized users can access session manager (479df73e-2838-11ef-9cab-4ccc6adda413)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 479df73e-2838-11ef-9cab-4ccc6adda413 advisory. David Edmundson reports: KSmserver, KDE's XSMP manager, incorrectly allows connections via...

7.9AI Score

EPSS

2024-06-12 12:00 AM
1
hackread
hackread

Creating Secure CRM Pipelines in Construction: Best Practices and Essential Strategies

Secure your construction company's CRM pipeline to protect client data and streamline operations. A specialized CRM enhances communication, reduces errors, and supports scalable growth with advanced security features and automation...

7.3AI Score

2024-06-11 10:21 PM
3
osv
osv

linux-nvidia vulnerabilities

It was discovered that the ATA over Ethernet (AoE) driver in the Linux kernel contained a race condition, leading to a use-after-free vulnerability. An attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2023-6270) It was discovered that the Atheros...

8CVSS

8AI Score

0.0004EPSS

2024-06-11 08:05 PM
1
github
github

Traefik has unexpected behavior with IPv4-mapped IPv6 addresses

Impact There is a vulnerability in Go managing various Is methods (IsPrivate, IsLoopback, etc) for IPv4-mapped IPv6 addresses. They didn't work as expected returning false for addresses which would return true in their traditional IPv4 forms. References CVE-2024-24790 Patches ...

6.6AI Score

0.0004EPSS

2024-06-11 07:29 PM
osv
osv

Traefik has unexpected behavior with IPv4-mapped IPv6 addresses

Impact There is a vulnerability in Go managing various Is methods (IsPrivate, IsLoopback, etc) for IPv4-mapped IPv6 addresses. They didn't work as expected returning false for addresses which would return true in their traditional IPv4 forms. References CVE-2024-24790 Patches ...

7AI Score

0.0004EPSS

2024-06-11 07:29 PM
qualysblog
qualysblog

Microsoft and Adobe Patch Tuesday, June 2024 Security Update Review

Microsoft's June Patch Tuesday is here, bringing fixes for vulnerabilities impacting its multiple products. This month's release highlights the ongoing battle against cybersecurity threats, from critical updates to important fixes. Let's dive into the crucial insights from Microsoft's Patch...

9.8CVSS

9.3AI Score

0.003EPSS

2024-06-11 06:18 PM
13
Total number of security vulnerabilities163813