Lucene search

K

Mollie Payment Forms & Donations Security Vulnerabilities

nessus
nessus

Amazon Linux 2 : cri-tools (ALAS-2024-2568)

The version of cri-tools installed on the remote host is prior to 1.29.0-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2024-2568 advisory. An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of...

8.2AI Score

0.0004EPSS

2024-06-12 12:00 AM
3
nessus
nessus

FreeBSD : plasma[56]-plasma-workspace -- Unauthorized users can access session manager (479df73e-2838-11ef-9cab-4ccc6adda413)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 479df73e-2838-11ef-9cab-4ccc6adda413 advisory. David Edmundson reports: KSmserver, KDE's XSMP manager, incorrectly allows connections via...

7.9AI Score

EPSS

2024-06-12 12:00 AM
1
hackread
hackread

Securing Online Business Transactions: Essential Tools and Practices

Enhance your online transaction security with encryption, VPNs, and authentication. Understand threats, address vulnerabilities, and use secure payment gateways. Stay compliant with PCI DSS and regulatory standards to protect your business and build customer...

7.4AI Score

2024-06-11 10:47 PM
4
github
github

Traefik has unexpected behavior with IPv4-mapped IPv6 addresses

Impact There is a vulnerability in Go managing various Is methods (IsPrivate, IsLoopback, etc) for IPv4-mapped IPv6 addresses. They didn't work as expected returning false for addresses which would return true in their traditional IPv4 forms. References CVE-2024-24790 Patches ...

9.8CVSS

6.6AI Score

0.001EPSS

2024-06-11 07:29 PM
3
osv
osv

Traefik has unexpected behavior with IPv4-mapped IPv6 addresses

Impact There is a vulnerability in Go managing various Is methods (IsPrivate, IsLoopback, etc) for IPv4-mapped IPv6 addresses. They didn't work as expected returning false for addresses which would return true in their traditional IPv4 forms. References CVE-2024-24790 Patches ...

9.8CVSS

7AI Score

0.001EPSS

2024-06-11 07:29 PM
1
qualysblog
qualysblog

Microsoft and Adobe Patch Tuesday, June 2024 Security Update Review

Microsoft's June Patch Tuesday is here, bringing fixes for vulnerabilities impacting its multiple products. This month's release highlights the ongoing battle against cybersecurity threats, from critical updates to important fixes. Let's dive into the crucial insights from Microsoft's Patch...

9.8CVSS

9.3AI Score

0.003EPSS

2024-06-11 06:18 PM
18
github
github

10 years of the GitHub Security Bug Bounty Program

Each year, we celebrate the GitHub Security Bug Bounty program, highlighting impressive bugs and researchers, rewards, live hacking events, and more. This year, we celebrate a new milestone: 10 years of the GitHub Security Bug Bounty program! While we've had some exciting growth over the last 10...

7AI Score

2024-06-11 04:00 PM
1
cve
cve

CVE-2024-37296

The Aimeos HTML client provides Aimeos HTML components for e-commerce projects. Starting in version 2020.04.1 and prior to versions 2020.10.27, 2021.10.21, 2022.10.12, 2023.10.14, and 2024.04.5, digital downloads sold in online shops can be downloaded without valid payment, e.g. if the payment...

5.3CVSS

5.2AI Score

0.0004EPSS

2024-06-11 03:16 PM
22
nvd
nvd

CVE-2024-37296

The Aimeos HTML client provides Aimeos HTML components for e-commerce projects. Starting in version 2020.04.1 and prior to versions 2020.10.27, 2021.10.21, 2022.10.12, 2023.10.14, and 2024.04.5, digital downloads sold in online shops can be downloaded without valid payment, e.g. if the payment...

5.3CVSS

0.0004EPSS

2024-06-11 03:16 PM
osv
osv

CVE-2024-37296

The Aimeos HTML client provides Aimeos HTML components for e-commerce projects. Starting in version 2020.04.1 and prior to versions 2020.10.27, 2021.10.21, 2022.10.12, 2023.10.14, and 2024.04.5, digital downloads sold in online shops can be downloaded without valid payment, e.g. if the payment...

5.3CVSS

6.9AI Score

0.0004EPSS

2024-06-11 03:16 PM
cvelist
cvelist

CVE-2024-37296 Aimeos HTML client vulnerable to digital products download without proper payment status check

The Aimeos HTML client provides Aimeos HTML components for e-commerce projects. Starting in version 2020.04.1 and prior to versions 2020.10.27, 2021.10.21, 2022.10.12, 2023.10.14, and 2024.04.5, digital downloads sold in online shops can be downloaded without valid payment, e.g. if the payment...

5.3CVSS

0.0004EPSS

2024-06-11 02:43 PM
2
vulnrichment
vulnrichment

CVE-2024-37296 Aimeos HTML client vulnerable to digital products download without proper payment status check

The Aimeos HTML client provides Aimeos HTML components for e-commerce projects. Starting in version 2020.04.1 and prior to versions 2020.10.27, 2021.10.21, 2022.10.12, 2023.10.14, and 2024.04.5, digital downloads sold in online shops can be downloaded without valid payment, e.g. if the payment...

5.3CVSS

6.6AI Score

0.0004EPSS

2024-06-11 02:43 PM
mskb
mskb

Update 24.1 for Microsoft Dynamics 365 Business Central (on-premises) 2024 Release Wave 1 (Application Build 24.1.19498, Platform Build 24.0.19487)

Update 24.1 for Microsoft Dynamics 365 Business Central (on-premises) 2024 Release Wave 1 (Application Build 24.1.19498, Platform Build 24.0.19487) Overview This update replaces previously released updates. You should always install the latest update. This update also fixes vulnerabilities. For...

8.8CVSS

8.9AI Score

0.001EPSS

2024-06-11 07:00 AM
3
mskb
mskb

Update 22.13 for Microsoft Dynamics 365 Business Central (on-premises) 2023 Release Wave 1 (Application Build 22.13.64344, Platform Build 22.0.64336)

Update 22.13 for Microsoft Dynamics 365 Business Central (on-premises) 2023 Release Wave 1 (Application Build 22.13.64344, Platform Build 22.0.64336) Overview This update replaces previously released updates. You should always install the latest update. This update also fixes vulnerabilities. For.....

8.8CVSS

8.8AI Score

0.001EPSS

2024-06-11 07:00 AM
3
mskb
mskb

Update 23.7 for Microsoft Dynamics 365 Business Central (on-premises) 2023 Release Wave 2 (Application Build 23.7.18957, Platform Build 23.0.18933)

Update 23.7 for Microsoft Dynamics 365 Business Central (on-premises) 2023 Release Wave 2 (Application Build 23.7.18957, Platform Build 23.0.18933) Overview This update replaces previously released updates. You should always install the latest update. This update also fixes vulnerabilities. For...

8.8CVSS

8.8AI Score

0.001EPSS

2024-06-11 07:00 AM
2
nvd
nvd

CVE-2024-4319

The Advanced Contact form 7 DB plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'vsz_cf7_export_to_excel' function in versions up to, and including, 2.0.2. This makes it possible for unauthenticated attackers to download the entry data for.....

5.3CVSS

0.0005EPSS

2024-06-11 06:15 AM
3
cve
cve

CVE-2024-4319

The Advanced Contact form 7 DB plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'vsz_cf7_export_to_excel' function in versions up to, and including, 2.0.2. This makes it possible for unauthenticated attackers to download the entry data for.....

5.3CVSS

5.2AI Score

0.0005EPSS

2024-06-11 06:15 AM
26
cvelist
cvelist

CVE-2024-4319 Advanced Contact form 7 DB <= 2.0.2 - Missing Authorization to Unauthenticated Information Disclosure

The Advanced Contact form 7 DB plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'vsz_cf7_export_to_excel' function in versions up to, and including, 2.0.2. This makes it possible for unauthenticated attackers to download the entry data for.....

5.3CVSS

0.0005EPSS

2024-06-11 05:33 AM
3
vulnrichment
vulnrichment

CVE-2024-4319 Advanced Contact form 7 DB <= 2.0.2 - Missing Authorization to Unauthenticated Information Disclosure

The Advanced Contact form 7 DB plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'vsz_cf7_export_to_excel' function in versions up to, and including, 2.0.2. This makes it possible for unauthenticated attackers to download the entry data for.....

5.3CVSS

6.8AI Score

0.0005EPSS

2024-06-11 05:33 AM
1
cve
cve

CVE-2024-34691

Manage Incoming Payment Files (F1680) of SAP S/4HANA does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. As a result, it has high impact on integrity and no impact on the confidentiality and availability of the...

6.5CVSS

6.8AI Score

0.0004EPSS

2024-06-11 03:15 AM
26
nvd
nvd

CVE-2024-34691

Manage Incoming Payment Files (F1680) of SAP S/4HANA does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. As a result, it has high impact on integrity and no impact on the confidentiality and availability of the...

6.5CVSS

0.0004EPSS

2024-06-11 03:15 AM
2
cvelist
cvelist

CVE-2024-34691 Missing Authorization check in SAP S/4HANA (Manage Incoming Payment Files)

Manage Incoming Payment Files (F1680) of SAP S/4HANA does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. As a result, it has high impact on integrity and no impact on the confidentiality and availability of the...

6.5CVSS

0.0004EPSS

2024-06-11 02:22 AM
4
nessus
nessus

FreeBSD : Composer -- Multiple command injections via malicious git/hg branch names (5f608c68-276c-11ef-8caa-0897988a1c07)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 5f608c68-276c-11ef-8caa-0897988a1c07 advisory. Composer project reports: The status, reinstall and remove commands with packages ...

8.8CVSS

8AI Score

0.0004EPSS

2024-06-11 12:00 AM
1
nuclei
nuclei

Payment Gateway for Telcell < 2.0.4 - Open Redirect

The plugin does not validate the api_url parameter before redirecting the user to its value, leading to an Open Redirect...

6.8AI Score

EPSS

2024-06-10 08:16 PM
2
impervablog
impervablog

Update: CVE-2024-4577 quickly weaponized to distribute “TellYouThePass” Ransomware

Introduction Recently, Imperva Threat Research reported on attacker activity leveraging the new PHP vulnerability, CVE-2024-4577. From as early as June 8th, we have detected attacker activity leveraging this vulnerability to deliver malware, which we have now identified to be a part of the...

10CVSS

8AI Score

EPSS

2024-06-10 06:05 PM
25
cve
cve

CVE-2024-35747

Improper Restriction of Excessive Authentication Attempts vulnerability in wpdevart Contact Form Builder, Contact Widget allows Functionality Bypass.This issue affects Contact Form Builder, Contact Widget: from n/a through...

5.3CVSS

5.4AI Score

0.0005EPSS

2024-06-10 05:16 PM
25
nvd
nvd

CVE-2024-35747

Improper Restriction of Excessive Authentication Attempts vulnerability in wpdevart Contact Form Builder, Contact Widget allows Functionality Bypass.This issue affects Contact Form Builder, Contact Widget: from n/a through...

5.3CVSS

0.0005EPSS

2024-06-10 05:16 PM
3
vulnrichment
vulnrichment

CVE-2024-35747 WordPress Contact Form Builder, Contact Widget plugin <= 2.1.7 - Bypass Vulnerability vulnerability

Improper Restriction of Excessive Authentication Attempts vulnerability in wpdevart Contact Form Builder, Contact Widget allows Functionality Bypass.This issue affects Contact Form Builder, Contact Widget: from n/a through...

5.3CVSS

7AI Score

0.0005EPSS

2024-06-10 04:37 PM
cvelist
cvelist

CVE-2024-35747 WordPress Contact Form Builder, Contact Widget plugin <= 2.1.7 - Bypass Vulnerability vulnerability

Improper Restriction of Excessive Authentication Attempts vulnerability in wpdevart Contact Form Builder, Contact Widget allows Functionality Bypass.This issue affects Contact Form Builder, Contact Widget: from n/a through...

5.3CVSS

0.0005EPSS

2024-06-10 04:37 PM
3
nvd
nvd

CVE-2024-4403

A Cross-Site Request Forgery (CSRF) vulnerability exists in the restart_program function of the parisneo/lollms-webui v9.6. This vulnerability allows attackers to trick users into performing unintended actions, such as resetting the program without their knowledge, by sending specially crafted...

4.4CVSS

0.0004EPSS

2024-06-10 03:15 PM
3
cve
cve

CVE-2024-4403

A Cross-Site Request Forgery (CSRF) vulnerability exists in the restart_program function of the parisneo/lollms-webui v9.6. This vulnerability allows attackers to trick users into performing unintended actions, such as resetting the program without their knowledge, by sending specially crafted...

4.4CVSS

4.7AI Score

0.0004EPSS

2024-06-10 03:15 PM
22
vulnrichment
vulnrichment

CVE-2024-4403 CSRF in restart_program in parisneo/lollms-webui

A Cross-Site Request Forgery (CSRF) vulnerability exists in the restart_program function of the parisneo/lollms-webui v9.6. This vulnerability allows attackers to trick users into performing unintended actions, such as resetting the program without their knowledge, by sending specially crafted...

4.4CVSS

6.9AI Score

0.0004EPSS

2024-06-10 02:43 PM
2
cvelist
cvelist

CVE-2024-4403 CSRF in restart_program in parisneo/lollms-webui

A Cross-Site Request Forgery (CSRF) vulnerability exists in the restart_program function of the parisneo/lollms-webui v9.6. This vulnerability allows attackers to trick users into performing unintended actions, such as resetting the program without their knowledge, by sending specially crafted...

4.4CVSS

0.0004EPSS

2024-06-10 02:43 PM
1
impervablog
impervablog

A European Summer of Sports is Upon Us – What Does it Mean for Security?

The recent Champions League final in London (congratulations, Real Madrid!) marked the opening shot to a hot European summer of major sporting events. We now approach the highly anticipated UEFA EURO 2024 football tournament in Germany and the Olympic Games in Paris 2024. And as we do, bad actors.....

7AI Score

2024-06-10 01:00 PM
13
securelist
securelist

Bypassing 2FA with phishing and OTP bots

Introduction Two-factor authentication (2FA) is a security feature we have come to expect as standard by 2024. Most of today's websites offer some form of it, and some of them won't even let you use their service until you enable 2FA. Individual countries have adopted laws that require certain...

7.2AI Score

2024-06-10 10:00 AM
10
cve
cve

CVE-2024-35742

Missing Authorization vulnerability in Code Parrots Easy Forms for Mailchimp.This issue affects Easy Forms for Mailchimp: from n/a through...

7.3CVSS

5.5AI Score

0.0005EPSS

2024-06-10 08:15 AM
21
nvd
nvd

CVE-2024-35742

Missing Authorization vulnerability in Code Parrots Easy Forms for Mailchimp.This issue affects Easy Forms for Mailchimp: from n/a through...

7.3CVSS

0.0005EPSS

2024-06-10 08:15 AM
2
cvelist
cvelist

CVE-2024-35742 WordPress Easy Forms for Mailchimp plugin <= 6.9.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in Code Parrots Easy Forms for Mailchimp.This issue affects Easy Forms for Mailchimp: from n/a through...

5.3CVSS

0.0005EPSS

2024-06-10 07:40 AM
2
vulnrichment
vulnrichment

CVE-2024-35742 WordPress Easy Forms for Mailchimp plugin <= 6.9.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in Code Parrots Easy Forms for Mailchimp.This issue affects Easy Forms for Mailchimp: from n/a through...

5.3CVSS

7.2AI Score

0.0005EPSS

2024-06-10 07:40 AM
osv
osv

Malicious code in rb-payment-wallet (npm)

-= Per source details. Do not edit below this line.=- Source: ossf-package-analysis (4eb4113e8b820d0f3ed35205bfc6b682ce6bb937db31002b79c44bb723908e18) The OpenSSF Package Analysis project identified 'rb-payment-wallet' @ 0.1.2 (npm) as malicious. It is considered malicious because: The package...

7.1AI Score

2024-06-10 07:34 AM
1
veracode
veracode

Improper Enforcement Of Behavioral Workflow

aimeos/ai-client-html is vulnerable to Improper enforcement of behavioral workflow. The vulnerability is due to an issue where digital downloads sold in online shops can be accessed without valid payment, for instance, if the payment process fails. This could allow attackers to obtain digital...

6.9AI Score

2024-06-10 06:02 AM
4
veracode
veracode

Improper Input Validation

github.com/golang/go/ is vulnerable to Improper Input Validation. The vulnerability is due to various methods (IsPrivate, IsLoopback, etc.) which do not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4...

9.8CVSS

6.6AI Score

0.001EPSS

2024-06-10 05:27 AM
wpvulndb
wpvulndb

Advanced Contact form 7 DB <= 2.0.2 - Missing Authorization to Unauthenticated Information Disclosure

Description The Advanced Contact form 7 DB plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'vsz_cf7_export_to_excel' function in versions up to, and including, 2.0.2. This makes it possible for unauthenticated attackers to download the...

5.3CVSS

6.7AI Score

0.0005EPSS

2024-06-10 12:00 AM
1
cve
cve

CVE-2024-35676

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in wpecommerce Recurring PayPal Donations allows Stored XSS.This issue affects Recurring PayPal Donations: from n/a through...

6.5CVSS

6.4AI Score

0.0004EPSS

2024-06-08 04:15 PM
22
nvd
nvd

CVE-2024-35676

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in wpecommerce Recurring PayPal Donations allows Stored XSS.This issue affects Recurring PayPal Donations: from n/a through...

6.5CVSS

0.0004EPSS

2024-06-08 04:15 PM
4
cvelist
cvelist

CVE-2024-35676 WordPress Recurring PayPal Donations plugin <= 1.7 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in wpecommerce Recurring PayPal Donations allows Stored XSS.This issue affects Recurring PayPal Donations: from n/a through...

6.5CVSS

0.0004EPSS

2024-06-08 04:05 PM
1
vulnrichment
vulnrichment

CVE-2024-35676 WordPress Recurring PayPal Donations plugin <= 1.7 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in wpecommerce Recurring PayPal Donations allows Stored XSS.This issue affects Recurring PayPal Donations: from n/a through...

6.5CVSS

6.8AI Score

0.0004EPSS

2024-06-08 04:05 PM
1
nessus
nessus

FreeBSD : kanboard -- Project Takeover via IDOR in ProjectPermissionController (91929399-249e-11ef-9296-b42e991fc52e)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 91929399-249e-11ef-9296-b42e991fc52e advisory. [email protected] reports: Kanboard is project management software that focuses on the...

8.2CVSS

6.8AI Score

0.0004EPSS

2024-06-08 12:00 AM
1
github
github

TYPO3 Cross-Site Scripting in Form Framework

Failing to properly encode user input, frontend forms handled by the form framework (system extension “form”) are vulnerable to cross-site...

6.7AI Score

2024-06-07 06:24 PM
osv
osv

TYPO3 Cross-Site Scripting in Form Framework

Failing to properly encode user input, frontend forms handled by the form framework (system extension “form”) are vulnerable to cross-site...

6.7AI Score

2024-06-07 06:24 PM
2
Total number of security vulnerabilities28231