Intel(R) CSME, Server Platform Services, Trusted Execution Engine And Intel(R) Active Management Technology Security Vulnerabilities

Tuesday, July 2, 2024 Security Releases

Summary The Node.js project will release new versions of the 22.x, 20.x, 18.x releases lines on or shortly after, Tuesday, July 2, 2024 in order to address: 1 high severity issues. 2 medium severity issues. 3 low severity issues. Node.js fetch will be upgraded to undici v6.19.2 on Node.js 18.x...

CVE-2024-6363

The Stock Ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's stock_ticker shortcode in all versions up to, and including, 3.24.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2024-5790

The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ attribute within the plugin's Gradient Heading widget in all versions up to, and including, 3.11.1 due to insufficient input sanitization and output escaping. This makes it possible for...

CVE-2024-5790

The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ attribute within the plugin's Gradient Heading widget in all versions up to, and including, 3.11.1 due to insufficient input sanitization and output escaping. This makes it possible for...

CVE-2024-6363

The Stock Ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's stock_ticker shortcode in all versions up to, and including, 3.24.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2024-5666

The Extensions for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter within the EE Button widget in all versions up to, and including, 2.0.30 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

CVE-2024-5666

The Extensions for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter within the EE Button widget in all versions up to, and including, 2.0.30 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

CVE-2024-5666 Extensions for Elementor <= 2.0.30 - Authenticated (Contributor+) Stored Cross-Site Scripting via url Parameter

The Extensions for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter within the EE Button widget in all versions up to, and including, 2.0.30 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

CVE-2024-5790 Happy Addons for Elementor <= 3.11.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Gradient Heading Widget

The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ attribute within the plugin's Gradient Heading widget in all versions up to, and including, 3.11.1 due to insufficient input sanitization and output escaping. This makes it possible for...

CVE-2024-6363 Stock Ticker <= 3.24.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via stock_ticker Shortcode

The Stock Ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's stock_ticker shortcode in all versions up to, and including, 3.24.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2024-5889

The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘country’ parameter in all versions up to, and including, 6.4.8 due to insufficient input sanitization and output escaping. This makes it possible for...

CVE-2024-5942

The Page and Post Clone plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.0 via the 'content_clone' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access....

CVE-2024-6265

The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the ‘uwp_sort_by’ parameter in all versions up to, and including, 1.2.10 due to insufficient escaping on the user supplied....

CVE-2024-5942

The Page and Post Clone plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.0 via the 'content_clone' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access....

CVE-2024-5889

The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘country’ parameter in all versions up to, and including, 6.4.8 due to insufficient input sanitization and output escaping. This makes it possible for...

CVE-2024-6265

The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the ‘uwp_sort_by’ parameter in all versions up to, and including, 1.2.10 due to insufficient escaping on the user supplied....

CVE-2024-5598

The Advanced File Manager plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.2.4 via the 'fma_local_file_system' function. This makes it possible for unauthenticated attackers to extract sensitive data including backups or other sensitive...

CVE-2024-5192

The Funnel Builder for WordPress by FunnelKit – Customize WooCommerce Checkout Pages, Create Sales Funnels, Order Bumps & One Click Upsells plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘mimes’ parameter in all versions up to, and including, 3.3.1 due to insufficient...

CVE-2024-5192

The Funnel Builder for WordPress by FunnelKit – Customize WooCommerce Checkout Pages, Create Sales Funnels, Order Bumps & One Click Upsells plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘mimes’ parameter in all versions up to, and including, 3.3.1 due to insufficient...

CVE-2024-5598

The Advanced File Manager plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.2.4 via the 'fma_local_file_system' function. This makes it possible for unauthenticated attackers to extract sensitive data including backups or other sensitive...

CVE-2024-5598 Advanced File Manager <= 5.2.4 - Sensitive Information Exposure via Directory Listing

The Advanced File Manager plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.2.4 via the 'fma_local_file_system' function. This makes it possible for unauthenticated attackers to extract sensitive data including backups or other sensitive...

CVE-2024-6265 UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress <= 1.2.10 - Unauthenticated SQL Injection via 'uwp_sort_by'

The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the ‘uwp_sort_by’ parameter in all versions up to, and including, 1.2.10 due to insufficient escaping on the user supplied....

CVE-2024-5889 Events Manager <= 6.4.8 - Reflected Cross-Site Scripting

The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘country’ parameter in all versions up to, and including, 6.4.8 due to insufficient input sanitization and output escaping. This makes it possible for...

CVE-2024-5942 Page and Post Clone <= 6.0 - Insecure Direct Object Reference to Authenticated (Author+) Sensitive Information Exposure

The Page and Post Clone plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.0 via the 'content_clone' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access....

CVE-2024-5192 Funnel Builder for WordPress by FunnelKit – Customize WooCommerce Checkout Pages, Create Sales Funnels, Order Bumps & One Click Upsells <= 3.3.1 - Authenticated (Author+) Stored Cross-Site Scripting via SVG Upload

The Funnel Builder for WordPress by FunnelKit – Customize WooCommerce Checkout Pages, Create Sales Funnels, Order Bumps & One Click Upsells plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘mimes’ parameter in all versions up to, and including, 3.3.1 due to insufficient...

CVE-2023-48795 affecting package moby-engine for versions less than 20.10.27-1

CVE-2023-48795 affecting package moby-engine for versions less than 20.10.27-1. A patched version of the package is...

CVE-2024-23653 affecting package moby-engine for versions less than 20.10.27-3

CVE-2024-23653 affecting package moby-engine for versions less than 20.10.27-3. A patched version of the package is...

CVE-2024-6104 vulnerabilities

Vulnerabilities for packages: gh, prometheus, guac, influxd, rekor, gomplate, pulumi-kubernetes-operator, kargo, cosign, neuvector-sigstore-interface, slsa-verifier, policy-controller, opentelemetry-collector-contrib, vexctl, flux-notification-controller, scorecard, snyk-cli, vault-csi-provider,...

GHSA-95PR-FXF5-86GV vulnerabilities

Vulnerabilities for packages: falco, neuvector-sigstore-interface, slsa-verifier, policy-controller, vexctl, spire-server, gitsign, tekton-chains, tkn, skaffold, apko, goreleaser, kubescape, zarf, ko, zot, aactl, wolfictl, melange, flux-source-controller,...

CVE-2023-44487 vulnerabilities

Vulnerabilities for packages: cilium-envoy, nodetaint, gomplate, aws-efs-csi-driver, tctl, node-problem-detector, newrelic-infrastructure-agent, src, telegraf, skaffold, envoy-ratelimit, prometheus-adapter, buildkitd, oauth2-proxy, kpt, grpcurl, pulumi-language-java, pulumi-language-yaml, pulumi,.....

CVE-2024-29018 vulnerabilities

Vulnerabilities for packages: prometheus, buf, up, kargo, grype, spire-server, loki, telegraf, tkn, conftest, buildkitd, goreleaser, kubescape, cadvisor, ctop, crossplane, ko, docker-compose, zot, aactl, syft, wolfictl, melange, dagger, trivy, datadog-agent,...

GHSA-MQ39-4GV4-MVPX vulnerabilities

Vulnerabilities for packages: prometheus, buf, up, kargo, grype, spire-server, loki, telegraf, tkn, conftest, buildkitd, goreleaser, kubescape, cadvisor, ctop, crossplane, ko, docker-compose, zot, aactl, syft, wolfictl, melange, dagger, trivy, datadog-agent,...

GHSA-8R3F-844C-MC37 vulnerabilities

Vulnerabilities for packages: kubeflow-pipelines, trust-manager, nodetaint, buf, gomplate, prometheus-operator, helm-operator, prometheus-postgres-exporter, grpc-health-probe, vexctl, kubernetes-dns-node-cache, grafana-agent-operator, aws-efs-csi-driver, containerd, cilium, tctl,...

CVE-2023-45289 vulnerabilities

Vulnerabilities for packages: cni-plugins, kubeflow-pipelines, nodetaint, docker-credential-acr-env, gomplate, nats-server, delve, regclient, prometheus-operator, helm-operator, prometheus-postgres-exporter, vexctl, docker-cli, kubernetes-dns-node-cache, dask-gateway, aws-efs-csi-driver, mage,...

CVE-2024-27304 vulnerabilities

Vulnerabilities for packages: k3s, caddy, temporal-server, ferretdb, argo-workflows, kots, spicedb, kine, src, step-ca, telegraf, keda, vault, amass, kube-bench,...

GHSA-MRWW-27VC-GGHV vulnerabilities

Vulnerabilities for packages: k3s, caddy, temporal-server, ferretdb, argo-workflows, kots, spicedb, kine, src, step-ca, telegraf, keda, vault, amass, kube-bench,...

GHSA-VQ7J-GX56-RXJH vulnerabilities

Vulnerabilities for packages: kind, falco,...

CVE-2024-20994 vulnerabilities

Vulnerabilities for packages:...

CVE-2024-21047 vulnerabilities

Vulnerabilities for packages:...

CVE-2024-21062 vulnerabilities

Vulnerabilities for packages:...

GHSA-5XQ9-RCPJ-P52V vulnerabilities

Vulnerabilities for packages:...

GHSA-88H4-JW57-85V9 vulnerabilities

Vulnerabilities for packages:...

CVE-2024-21885 vulnerabilities

Vulnerabilities for packages:...

CVE-2024-21886 vulnerabilities

Vulnerabilities for packages:...

GHSA-49WX-9H9F-8C9G vulnerabilities

Vulnerabilities for packages:...

CVE-2024-31080 vulnerabilities

Vulnerabilities for packages:...

CVE-2024-21506 vulnerabilities

Vulnerabilities for packages: kubeflow-pipelines-visualization-server, py3-pymongo,...

CVE-2024-28219 vulnerabilities

Vulnerabilities for packages: pytorch, kubeflow-pipelines-visualization-server,...

GHSA-M87M-MMVP-V9QM vulnerabilities

Vulnerabilities for packages:...

GHSA-2C7C-3MJ9-8FQH vulnerabilities

Vulnerabilities for packages: cilium-envoy, rekor, falco, istio-pilot-discovery, cosign, slsa-verifier, vexctl, dex, tekton-pipelines, kots, argo-cd, spire-server, gitsign, traefik, flux-kustomize-controller, tekton-chains, tkn, vault, cert-manager, cloudflared, oauth2-proxy, kubescape, sops,...