Lucene search

K

Newsletter – Send Awesome Emails From WordPress Security Vulnerabilities

cvelist
cvelist

CVE-2024-5443 Remote Code Execution via Path Traversal in parisneo/lollms

CVE-2024-4320 describes a vulnerability in the parisneo/lollms software, specifically within the ExtensionBuilder().build_extension() function. The vulnerability arises from the /mount_extension endpoint, where a path traversal issue allows attackers to navigate beyond the intended directory...

9.8CVSS

0.0004EPSS

2024-06-22 04:12 PM
2
thn
thn

Warning: New Adware Campaign Targets Meta Quest App Seekers

A new campaign is tricking users searching for the Meta Quest (formerly Oculus) application for Windows into downloading a new adware family called AdsExhaust. "The adware is capable of exfiltrating screenshots from infected devices and interacting with browsers using simulated keystrokes,"...

7.1AI Score

2024-06-22 11:03 AM
16
nvd
nvd

CVE-2024-38379

Apache Allura's neighborhood settings are vulnerable to a stored XSS attack. Only neighborhood admins can access these settings, so the scope of risk is limited to configurations where neighborhood admins are not fully trusted. This issue affects Apache Allura: from 1.4.0 through 1.17.0. Users...

0.0004EPSS

2024-06-22 09:15 AM
2
cve
cve

CVE-2024-38379

Apache Allura's neighborhood settings are vulnerable to a stored XSS attack. Only neighborhood admins can access these settings, so the scope of risk is limited to configurations where neighborhood admins are not fully trusted. This issue affects Apache Allura: from 1.4.0 through 1.17.0. Users...

5.7AI Score

0.0004EPSS

2024-06-22 09:15 AM
16
vulnrichment
vulnrichment

CVE-2024-38379 Apache Allura: Stored authenticated XSS

Apache Allura's neighborhood settings are vulnerable to a stored XSS attack. Only neighborhood admins can access these settings, so the scope of risk is limited to configurations where neighborhood admins are not fully trusted. This issue affects Apache Allura: from 1.4.0 through 1.17.0. Users...

5.9AI Score

0.0004EPSS

2024-06-22 09:09 AM
2
cvelist
cvelist

CVE-2024-38379 Apache Allura: Stored authenticated XSS

Apache Allura's neighborhood settings are vulnerable to a stored XSS attack. Only neighborhood admins can access these settings, so the scope of risk is limited to configurations where neighborhood admins are not fully trusted. This issue affects Apache Allura: from 1.4.0 through 1.17.0. Users...

0.0004EPSS

2024-06-22 09:09 AM
2
github
github

Arbitrary File Creation in opencart

This affects versions of the package opencart/opencart from 4.0.0.0. An Arbitrary File Creation issue was identified via the database restoration functionality. By injecting PHP code into the database, an attacker with admin privileges can create a backup file with an arbitrary filename (including....

7.2CVSS

7.2AI Score

0.0005EPSS

2024-06-22 06:30 AM
github
github

Zip slip in opencart

This affects versions of the package opencart/opencart from 4.0.0.0. A Zip Slip issue was identified via the marketplace installer due to improper sanitization of the target path, allowing files within a malicious archive to traverse the filesystem and be extracted to arbitrary locations. An...

7.2CVSS

6.9AI Score

0.001EPSS

2024-06-22 06:30 AM
osv
osv

Arbitrary File Creation in opencart

This affects versions of the package opencart/opencart from 4.0.0.0. An Arbitrary File Creation issue was identified via the database restoration functionality. By injecting PHP code into the database, an attacker with admin privileges can create a backup file with an arbitrary filename (including....

7.2CVSS

7.2AI Score

0.0005EPSS

2024-06-22 06:30 AM
osv
osv

Zip slip in opencart

This affects versions of the package opencart/opencart from 4.0.0.0. A Zip Slip issue was identified via the marketplace installer due to improper sanitization of the target path, allowing files within a malicious archive to traverse the filesystem and be extracted to arbitrary locations. An...

7.2CVSS

6.9AI Score

0.001EPSS

2024-06-22 06:30 AM
github
github

SQL injection in opencart

This affects versions of the package opencart/opencart from 0.0.0. An SQL Injection issue was identified in the Divido payment extension for OpenCart, which is included by default in version 3.0.3.9. As an anonymous unauthenticated user, if the Divido payment module is installed (it does not have.....

8.1CVSS

8.8AI Score

0.001EPSS

2024-06-22 06:30 AM
1
github
github

Cross site scripting in opencart

This affects versions of the package opencart/opencart from 4.0.0.0. A reflected XSS issue was identified in the filename parameter of the admin tool/log route. An attacker could obtain a user's token by tricking the user to click on a maliciously crafted URL. The user is then prompted to login...

4.7CVSS

6.3AI Score

0.0005EPSS

2024-06-22 06:30 AM
osv
osv

Cross site scripting in opencart

This affects versions of the package opencart/opencart from 4.0.0.0. A reflected XSS issue was identified in the filename parameter of the admin tool/log route. An attacker could obtain a user's token by tricking the user to click on a maliciously crafted URL. The user is then prompted to login...

4.7CVSS

5AI Score

0.0005EPSS

2024-06-22 06:30 AM
1
osv
osv

SQL injection in opencart

This affects versions of the package opencart/opencart from 0.0.0. An SQL Injection issue was identified in the Divido payment extension for OpenCart, which is included by default in version 3.0.3.9. As an anonymous unauthenticated user, if the Divido payment module is installed (it does not have.....

8.1CVSS

8.8AI Score

0.001EPSS

2024-06-22 06:30 AM
1
osv
osv

Cross site scripting in opencart

This affects versions of the package opencart/opencart from 4.0.0.0. A reflected XSS issue was identified in the directory parameter of admin common/filemanager.list route. An attacker could obtain a user's token by tricking the user to click on a maliciously crafted URL. The user is then prompted....

4.7CVSS

5AI Score

0.0005EPSS

2024-06-22 06:30 AM
github
github

Cross site scripting in opencart

This affects versions of the package opencart/opencart from 4.0.0.0. A reflected XSS issue was identified in the directory parameter of admin common/filemanager.list route. An attacker could obtain a user's token by tricking the user to click on a maliciously crafted URL. The user is then prompted....

4.7CVSS

6.3AI Score

0.0005EPSS

2024-06-22 06:30 AM
osv
osv

Cross site scripting in opencart

This affects versions of the package opencart/opencart from 4.0.0.0. A reflected XSS issue was identified in the redirect parameter of customer account/login route. An attacker can inject arbitrary HTML and Javascript into the page response. As this vulnerability is present in the account...

6.1CVSS

6.1AI Score

0.0005EPSS

2024-06-22 06:30 AM
github
github

Cross site scripting in opencart

This affects versions of the package opencart/opencart from 4.0.0.0. A reflected XSS issue was identified in the redirect parameter of customer account/login route. An attacker can inject arbitrary HTML and Javascript into the page response. As this vulnerability is present in the account...

6.1CVSS

6AI Score

0.0005EPSS

2024-06-22 06:30 AM
cve
cve

CVE-2024-5596

The ARMember Premium plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.7. This is due to incorrectly implemented nonce validation function on multiple functions. This makes it possible for unauthenticated attackers to modify, or delete user meta...

6.3CVSS

6.3AI Score

0.0005EPSS

2024-06-22 06:15 AM
16
nvd
nvd

CVE-2024-5596

The ARMember Premium plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.7. This is due to incorrectly implemented nonce validation function on multiple functions. This makes it possible for unauthenticated attackers to modify, or delete user meta...

6.3CVSS

0.0005EPSS

2024-06-22 06:15 AM
5
nvd
nvd

CVE-2024-3593

The UberMenu plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.3. This is due to missing or incorrect nonce validation on the ubermenu_delete_all_item_settings and ubermenu_reset_settings functions. This makes it possible for unauthenticated....

7.2CVSS

0.0005EPSS

2024-06-22 06:15 AM
7
cve
cve

CVE-2024-3593

The UberMenu plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.3. This is due to missing or incorrect nonce validation on the ubermenu_delete_all_item_settings and ubermenu_reset_settings functions. This makes it possible for unauthenticated....

7.2CVSS

6.7AI Score

0.0005EPSS

2024-06-22 06:15 AM
18
thn
thn

U.S. Treasury Sanctions 12 Kaspersky Executives Amid Software Ban

The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) imposed sanctions against a dozen individuals serving executive and senior leadership roles at Kaspersky Lab, a day after the Russian company was banned by the Commerce Department. The move "underscores our commitment to....

7.2AI Score

2024-06-22 06:00 AM
17
cvelist
cvelist

CVE-2024-3593 UberMenu <= 3.8.3 - Cross-Site Request Forgery to Settings Reset

The UberMenu plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.3. This is due to missing or incorrect nonce validation on the ubermenu_delete_all_item_settings and ubermenu_reset_settings functions. This makes it possible for unauthenticated....

7.2CVSS

0.0005EPSS

2024-06-22 05:47 AM
7
cvelist
cvelist

CVE-2024-5596 ARMember Premium <= 6.7 - Cross-Site Request Forgery via multiple functions

The ARMember Premium plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 6.7. This is due to incorrectly implemented nonce validation function on multiple functions. This makes it possible for unauthenticated attackers to modify, or delete user meta...

6.3CVSS

0.0005EPSS

2024-06-22 05:47 AM
7
nvd
nvd

CVE-2024-21519

This affects versions of the package opencart/opencart from 4.0.0.0. An Arbitrary File Creation issue was identified via the database restoration functionality. By injecting PHP code into the database, an attacker with admin privileges can create a backup file with an arbitrary filename (including....

7.2CVSS

0.0005EPSS

2024-06-22 05:15 AM
3
cve
cve

CVE-2024-21518

This affects versions of the package opencart/opencart from 4.0.0.0. A Zip Slip issue was identified via the marketplace installer due to improper sanitization of the target path, allowing files within a malicious archive to traverse the filesystem and be extracted to arbitrary locations. An...

7.2CVSS

7AI Score

0.001EPSS

2024-06-22 05:15 AM
16
nvd
nvd

CVE-2024-21518

This affects versions of the package opencart/opencart from 4.0.0.0. A Zip Slip issue was identified via the marketplace installer due to improper sanitization of the target path, allowing files within a malicious archive to traverse the filesystem and be extracted to arbitrary locations. An...

7.2CVSS

0.001EPSS

2024-06-22 05:15 AM
3
cve
cve

CVE-2024-4874

The Bricks Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.9.8 via the postId parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and...

4.3CVSS

4.4AI Score

0.0004EPSS

2024-06-22 05:15 AM
19
cve
cve

CVE-2024-21517

This affects versions of the package opencart/opencart from 4.0.0.0. A reflected XSS issue was identified in the redirect parameter of customer account/login route. An attacker can inject arbitrary HTML and Javascript into the page response. As this vulnerability is present in the account...

6.1CVSS

4.5AI Score

0.0005EPSS

2024-06-22 05:15 AM
15
nvd
nvd

CVE-2024-4874

The Bricks Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.9.8 via the postId parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and...

4.3CVSS

0.0004EPSS

2024-06-22 05:15 AM
4
cve
cve

CVE-2024-21519

This affects versions of the package opencart/opencart from 4.0.0.0. An Arbitrary File Creation issue was identified via the database restoration functionality. By injecting PHP code into the database, an attacker with admin privileges can create a backup file with an arbitrary filename (including....

7.2CVSS

6.7AI Score

0.0005EPSS

2024-06-22 05:15 AM
17
osv
osv

CVE-2024-21517

This affects versions of the package opencart/opencart from 4.0.0.0. A reflected XSS issue was identified in the redirect parameter of customer account/login route. An attacker can inject arbitrary HTML and Javascript into the page response. As this vulnerability is present in the account...

6.1CVSS

6AI Score

0.0005EPSS

2024-06-22 05:15 AM
nvd
nvd

CVE-2024-21517

This affects versions of the package opencart/opencart from 4.0.0.0. A reflected XSS issue was identified in the redirect parameter of customer account/login route. An attacker can inject arbitrary HTML and Javascript into the page response. As this vulnerability is present in the account...

6.1CVSS

0.0005EPSS

2024-06-22 05:15 AM
4
nvd
nvd

CVE-2024-21516

This affects versions of the package opencart/opencart from 4.0.0.0. A reflected XSS issue was identified in the directory parameter of admin common/filemanager.list route. An attacker could obtain a user's token by tricking the user to click on a maliciously crafted URL. The user is then prompted....

4.7CVSS

0.0005EPSS

2024-06-22 05:15 AM
4
osv
osv

CVE-2024-21516

This affects versions of the package opencart/opencart from 4.0.0.0. A reflected XSS issue was identified in the directory parameter of admin common/filemanager.list route. An attacker could obtain a user's token by tricking the user to click on a maliciously crafted URL. The user is then prompted....

4.7CVSS

6.3AI Score

0.0005EPSS

2024-06-22 05:15 AM
osv
osv

CVE-2024-21515

This affects versions of the package opencart/opencart from 4.0.0.0. A reflected XSS issue was identified in the filename parameter of the admin tool/log route. An attacker could obtain a user's token by tricking the user to click on a maliciously crafted URL. The user is then prompted to login...

4.7CVSS

6.3AI Score

0.0005EPSS

2024-06-22 05:15 AM
nvd
nvd

CVE-2024-21515

This affects versions of the package opencart/opencart from 4.0.0.0. A reflected XSS issue was identified in the filename parameter of the admin tool/log route. An attacker could obtain a user's token by tricking the user to click on a maliciously crafted URL. The user is then prompted to login...

4.7CVSS

0.0005EPSS

2024-06-22 05:15 AM
4
cve
cve

CVE-2024-21515

This affects versions of the package opencart/opencart from 4.0.0.0. A reflected XSS issue was identified in the filename parameter of the admin tool/log route. An attacker could obtain a user's token by tricking the user to click on a maliciously crafted URL. The user is then prompted to login...

4.7CVSS

4.7AI Score

0.0005EPSS

2024-06-22 05:15 AM
14
cve
cve

CVE-2024-21516

This affects versions of the package opencart/opencart from 4.0.0.0. A reflected XSS issue was identified in the directory parameter of admin common/filemanager.list route. An attacker could obtain a user's token by tricking the user to click on a maliciously crafted URL. The user is then prompted....

4.7CVSS

4.7AI Score

0.0005EPSS

2024-06-22 05:15 AM
15
nvd
nvd

CVE-2024-21514

This affects versions of the package opencart/opencart from 0.0.0. An SQL Injection issue was identified in the Divido payment extension for OpenCart, which is included by default in version 3.0.3.9. As an anonymous unauthenticated user, if the Divido payment module is installed (it does not have.....

8.1CVSS

0.001EPSS

2024-06-22 05:15 AM
5
osv
osv

CVE-2024-21514

This affects versions of the package opencart/opencart from 0.0.0. An SQL Injection issue was identified in the Divido payment extension for OpenCart, which is included by default in version 3.0.3.9. As an anonymous unauthenticated user, if the Divido payment module is installed (it does not have.....

8.1CVSS

8.5AI Score

0.001EPSS

2024-06-22 05:15 AM
2
cve
cve

CVE-2024-21514

This affects versions of the package opencart/opencart from 0.0.0. An SQL Injection issue was identified in the Divido payment extension for OpenCart, which is included by default in version 3.0.3.9. As an anonymous unauthenticated user, if the Divido payment module is installed (it does not have.....

8.1CVSS

8.1AI Score

0.001EPSS

2024-06-22 05:15 AM
18
cvelist
cvelist

CVE-2024-21516

This affects versions of the package opencart/opencart from 4.0.0.0. A reflected XSS issue was identified in the directory parameter of admin common/filemanager.list route. An attacker could obtain a user's token by tricking the user to click on a maliciously crafted URL. The user is then prompted....

4.2CVSS

0.0005EPSS

2024-06-22 05:00 AM
2
vulnrichment
vulnrichment

CVE-2024-21519

This affects versions of the package opencart/opencart from 4.0.0.0. An Arbitrary File Creation issue was identified via the database restoration functionality. By injecting PHP code into the database, an attacker with admin privileges can create a backup file with an arbitrary filename (including....

6.6CVSS

7.3AI Score

0.0005EPSS

2024-06-22 05:00 AM
1
cvelist
cvelist

CVE-2024-21519

This affects versions of the package opencart/opencart from 4.0.0.0. An Arbitrary File Creation issue was identified via the database restoration functionality. By injecting PHP code into the database, an attacker with admin privileges can create a backup file with an arbitrary filename (including....

6.6CVSS

0.0005EPSS

2024-06-22 05:00 AM
4
cvelist
cvelist

CVE-2024-21514

This affects versions of the package opencart/opencart from 0.0.0. An SQL Injection issue was identified in the Divido payment extension for OpenCart, which is included by default in version 3.0.3.9. As an anonymous unauthenticated user, if the Divido payment module is installed (it does not have.....

7.4CVSS

0.001EPSS

2024-06-22 05:00 AM
3
cvelist
cvelist

CVE-2024-21518

This affects versions of the package opencart/opencart from 4.0.0.0. A Zip Slip issue was identified via the marketplace installer due to improper sanitization of the target path, allowing files within a malicious archive to traverse the filesystem and be extracted to arbitrary locations. An...

7.2CVSS

0.001EPSS

2024-06-22 05:00 AM
5
vulnrichment
vulnrichment

CVE-2024-21517

This affects versions of the package opencart/opencart from 4.0.0.0. A reflected XSS issue was identified in the redirect parameter of customer account/login route. An attacker can inject arbitrary HTML and Javascript into the page response. As this vulnerability is present in the account...

4.2CVSS

6AI Score

0.0005EPSS

2024-06-22 05:00 AM
cvelist
cvelist

CVE-2024-21517

This affects versions of the package opencart/opencart from 4.0.0.0. A reflected XSS issue was identified in the redirect parameter of customer account/login route. An attacker can inject arbitrary HTML and Javascript into the page response. As this vulnerability is present in the account...

4.2CVSS

0.0005EPSS

2024-06-22 05:00 AM
3
Total number of security vulnerabilities888968