Paid Membership, Ecommerce, Registration Form, Login Form, User Profile, Paywall & Restrict Content – ProfilePress Security Vulnerabilities

PT-2021-02: Encryption bypass when downloading a firmware update in Diebold-Nixdorf RM3/CRS

PT-2021-02: Encryption bypass when downloading a firmware update in Diebold-Nixdorf RM3/CRS RM3/CRS dispenser firmware (all versions up to and including 41128 1002 RM3_CRS.BTR + 170329 2332 RM3_CRS.FRM) Severity: Severity level: High Encryption bypass when downloading a firmware update in...

PT-2021-01: Encryption bypass when downloading a firmware update in Diebold-Nixdorf CMDv5

PT-2021-01: Encryption bypass when downloading a firmware update in Diebold-Nixdorf CMDv5 CMDv5 dispenser firmware (all versions up to and including 141128 1002 CD5_ATM.BTR + 170329 2332 CD5_ATM.FRM) Severity: Severity level: High Encryption bypass when downloading a firmware update in...

CVE-2023-45289 vulnerabilities

Vulnerabilities for packages: vt-cli, metrics-server, cni-plugins, gitlab-runner, temporal-ui-server, configmap-reload, influx, opentofu, supercronic, mockery, yq, nri-rabbitmq, mongo-tools, stakater-reloader, prometheus-alertmanager, gitness, temporal, aws-efs-csi-driver,...

CVE-2024-24787 vulnerabilities

Vulnerabilities for packages: flannel, metrics-server, vt-cli, gitlab-runner, configmap-reload, gostatsd, influx, harbor-cli, policy-controller, tekton-chains, mockery, mongo-tools, prometheus-alertmanager, gitness, aws-efs-csi-driver, boring-registry, step, harbor-scanner-trivy, mods, spqr,...

GHSA-5FQ7-4MXC-535H vulnerabilities

Vulnerabilities for packages: flannel, metrics-server, vt-cli, gitlab-runner, configmap-reload, gostatsd, influx, harbor-cli, policy-controller, tekton-chains, mockery, mongo-tools, prometheus-alertmanager, gitness, aws-efs-csi-driver, boring-registry, step, harbor-scanner-trivy, mods, spqr,...

CVE-2023-45285 vulnerabilities

Vulnerabilities for packages: protoc-gen-go-grpc, metrics-server, cni-plugins, go-licenses, sops, configmap-reload, influx, aws-flb-cloudwatch, falco, cilium-envoy, petname, sbom-scorecard, local-path-provisioner, gosu, hey, cortex, docker-credential-ecr-login,...

CVE-2024-24784 vulnerabilities

Vulnerabilities for packages: vt-cli, metrics-server, cni-plugins, gitlab-runner, temporal-ui-server, configmap-reload, influx, opentofu, supercronic, mockery, yq, nri-rabbitmq, mongo-tools, stakater-reloader, prometheus-alertmanager, gitness, temporal, aws-efs-csi-driver,...

GHSA-RR6R-CFGF-GC6H vulnerabilities

Vulnerabilities for packages: vt-cli, metrics-server, cni-plugins, gitlab-runner, temporal-ui-server, configmap-reload, influx, opentofu, supercronic, mockery, yq, nri-rabbitmq, mongo-tools, stakater-reloader, prometheus-alertmanager, gitness, temporal, aws-efs-csi-driver,...

CVE-2023-45288 vulnerabilities

Vulnerabilities for packages: vt-cli, sigstore-scaffolding, gitlab-runner, harbor-cli, opentofu, tekton-chains, harbor-scanner-trivy, spqr, render-template, kube-rbac-proxy, aactl, kubeflow-pipelines, nri-mysql, s5cmd, mkcert, wireguard-go, nuclei, kyverno-policy-reporter, minio,...

GHSA-FGQ5-Q76C-GX78 vulnerabilities

Vulnerabilities for packages: vt-cli, metrics-server, cni-plugins, gitlab-runner, temporal-ui-server, configmap-reload, influx, opentofu, supercronic, mockery, yq, nri-rabbitmq, mongo-tools, stakater-reloader, prometheus-alertmanager, gitness, temporal, aws-efs-csi-driver,...

GHSA-4V7X-PQXF-CX7M vulnerabilities

Vulnerabilities for packages: vt-cli, sigstore-scaffolding, gitlab-runner, harbor-cli, opentofu, tekton-chains, harbor-scanner-trivy, spqr, render-template, kube-rbac-proxy, aactl, kubeflow-pipelines, nri-mysql, s5cmd, mkcert, wireguard-go, nuclei, kyverno-policy-reporter, minio,...

GHSA-2JWV-JMQ4-4J3R vulnerabilities

Vulnerabilities for packages: flannel, metrics-server, vt-cli, gitlab-runner, configmap-reload, gostatsd, influx, harbor-cli, policy-controller, tekton-chains, mockery, mongo-tools, prometheus-alertmanager, gitness, aws-efs-csi-driver, boring-registry, step, harbor-scanner-trivy, mods, spqr,...

GHSA-3Q2C-PVP5-3CQP vulnerabilities

Vulnerabilities for packages: vt-cli, metrics-server, cni-plugins, gitlab-runner, temporal-ui-server, configmap-reload, influx, opentofu, supercronic, mockery, yq, nri-rabbitmq, mongo-tools, stakater-reloader, prometheus-alertmanager, gitness, temporal, aws-efs-csi-driver,...

GHSA-J6M3-GC37-6R6Q vulnerabilities

Vulnerabilities for packages: vt-cli, metrics-server, cni-plugins, gitlab-runner, temporal-ui-server, configmap-reload, influx, opentofu, supercronic, mockery, yq, nri-rabbitmq, mongo-tools, stakater-reloader, prometheus-alertmanager, gitness, temporal, aws-efs-csi-driver,...

GHSA-9F76-WG39-X86H vulnerabilities

Vulnerabilities for packages: protoc-gen-go-grpc, metrics-server, cni-plugins, go-licenses, sops, configmap-reload, influx, aws-flb-cloudwatch, falco, cilium-envoy, petname, sbom-scorecard, local-path-provisioner, gosu, hey, cortex, docker-credential-ecr-login,...

CVE-2024-24783 vulnerabilities

Vulnerabilities for packages: vt-cli, metrics-server, cni-plugins, gitlab-runner, temporal-ui-server, configmap-reload, influx, opentofu, supercronic, mockery, yq, nri-rabbitmq, mongo-tools, stakater-reloader, prometheus-alertmanager, gitness, temporal, aws-efs-csi-driver,...

CVE-2024-24785 vulnerabilities

Vulnerabilities for packages: vt-cli, metrics-server, cni-plugins, gitlab-runner, temporal-ui-server, configmap-reload, influx, opentofu, supercronic, mockery, yq, nri-rabbitmq, mongo-tools, stakater-reloader, prometheus-alertmanager, gitness, temporal, aws-efs-csi-driver,...

GHSA-32CH-6X54-Q4H9 vulnerabilities

Vulnerabilities for packages: vt-cli, metrics-server, cni-plugins, gitlab-runner, temporal-ui-server, configmap-reload, influx, opentofu, supercronic, mockery, yq, nri-rabbitmq, mongo-tools, stakater-reloader, prometheus-alertmanager, gitness, temporal, aws-efs-csi-driver,...

GHSA-5F94-VHJQ-RPG8 vulnerabilities

Vulnerabilities for packages: protoc-gen-go-grpc, metrics-server, cni-plugins, go-licenses, sops, configmap-reload, influx, aws-flb-cloudwatch, falco, cilium-envoy, petname, sbom-scorecard, local-path-provisioner, gosu, hey, cortex, docker-credential-ecr-login,...

CVE-2023-39326 vulnerabilities

Vulnerabilities for packages: protoc-gen-go-grpc, metrics-server, cni-plugins, go-licenses, sops, configmap-reload, influx, aws-flb-cloudwatch, falco, cilium-envoy, petname, sbom-scorecard, local-path-provisioner, gosu, hey, cortex, docker-credential-ecr-login,...

CVE-2023-45290 vulnerabilities

Vulnerabilities for packages: vt-cli, metrics-server, cni-plugins, gitlab-runner, temporal-ui-server, configmap-reload, influx, opentofu, supercronic, mockery, yq, nri-rabbitmq, mongo-tools, stakater-reloader, prometheus-alertmanager, gitness, temporal, aws-efs-csi-driver,...

CVE-2024-24788 vulnerabilities

Vulnerabilities for packages: flannel, metrics-server, vt-cli, gitlab-runner, configmap-reload, gostatsd, influx, harbor-cli, policy-controller, tekton-chains, mockery, mongo-tools, prometheus-alertmanager, gitness, aws-efs-csi-driver, boring-registry, step, harbor-scanner-trivy, mods, spqr,...

CVE-2024-5138

The snapctl component within snapd allows a confined snap to interact with the snapd daemon to take certain privileged actions on behalf of the snap. It was found that snapctl did not properly parse command-line arguments, allowing an unprivileged user to trigger an authorised action on behalf of.....

CVE-2024-3820 wpDataTables - Tables & Table Charts (Premium) <= 6.3.1 - Unauthenticated SQL Injection

The wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin plugin for WordPress is vulnerable to SQL Injection via the 'id_key' parameter of the wdt_delete_table_row AJAX action in all versions up to, and including, 6.3.1 due to insufficient escaping on the user supplied...

CVE-2024-3200 wpForo Forum <= 2.3.3 - Authenticated (Contributor+) SQL Injection

The wpForo Forum plugin for WordPress is vulnerable to SQL Injection via the 'slug' attribute of the 'wpforo' shortcode in all versions up to, and including, 2.3.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes...

CVE-2024-4958 User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin <= 3.2.0.1 - Missing Authorization to Privilege Escalation

The User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'import_form_action' function in versions up to, and including, 3.2.0.1. This makes it...

CVE-2024-2295 Contact Form Manager <= 1.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Contact Form Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's [xyz-cfm-form] shortcode in all versions up to, and including, 1.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2024-1324 QQWorld Auto Save Images <= 1.9.8 - Missing Authorization to Arbitrary Post Content Retrieval

The QQWorld Auto Save Images plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the save_remote_images_get_auto_saved_results() function hooked via a norpriv AJAX in all versions up to, and including, 1.9.8. This makes it possible for...

CVE-2024-2506 Popup Builder <= 4.2.7 - Authenticated(Contributor+) Stored Cross-Site Scripting via Custom JS

The Popup Builder – Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom JS functionality in all versions up to, and including, 4.2.7 due to insufficient input sanitization and output escaping on user supplied.....

Base64 Encoder/Decoder <= 0.9.2 - Cross-Site Scripting

...

CVE-2024-4087 Royal Elementor Addons and Templates <= 1.3.975 - Authenticated (Contributor+) Stored Cross-Site Scripting via Back to Top Widget

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Back to Top widget in all versions up to, and including, 1.3.975 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

CVE-2024-4342 Royal Elementor Addons and Templates <= 1.3.975 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's image hotspot, image accordion, off canvas, woogrid, and product mini cart widgets in all versions up to, and including, 1.3.975 due to insufficient input sanitization and...

CVE-2024-5501 Supreme Modules Lite – Divi Theme, Extra Theme and Divi Builder <= 2.5.51 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Supreme Modules Lite – Divi Theme, Extra Theme and Divi Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘button_one_id’ parameter in all versions up to, and including, 2.5.51 due to insufficient input sanitization and output escaping. This makes it possible...

CVE-2023-6382 Master Slider - Responsive Touch Slider <= 3.9.9 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Master Slider – Responsive Touch Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ms_slide' shortcode in all versions up to, and including, 3.9.9 due to insufficient input sanitization and output escaping on user supplied 'css_class' attribute. This...

Exploit for CVE-2024-5326

CVE-2024-5326 CVE-2024-5326 Post Grid Gutenberg Blocks and...

CVE-2024-3564 Content Blocks (Custom Post Widget) <= 3.3.0 - Authenticated (Contributor+) Local File Inclusion via Shortcode

The Content Blocks (Custom Post Widget) plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.3.0 via the plugin's 'content_block' shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to include and...

CVE-2024-3565 Content Blocks (Custom Post Widget) <= 3.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via content_block Shortcode

The Content Blocks (Custom Post Widget) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'content_block' shortcode in all versions up to, and including, 3.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

CVE-2024-4711 WordPress Infinite Scroll – Ajax Load More <= 7.1.1 - Authenticated (Contributor+) Cross-Site Scripting

The WordPress Infinite Scroll – Ajax Load More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ajax_load_more shortcode in versions up to, and including, 7.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,.....

CVE-2024-2933 Page Builder Gutenberg Blocks – CoBlocks <= 3.1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Social Profiles

The Page Builder Gutenberg Blocks – CoBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Social Profiles widget in all versions up to, and including, 3.1.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible...

Exploit for CVE-2024-24919

...

Oracle Linux 8 : container-tools:ol8 (ELSA-2024-3254)

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2024-3254 advisory. aardvark-dns buildah [2:1.33.7-1] - update to the latest content of https://github.com/containers/buildah/tree/release-1.33 ...

Craft CMS Logs Plugin 3.0.3 - Path Traversal (Authenticated)

...

Akaunting 3.1.8 - Server-Side Template Injection (SSTI)

...

SUSE SLED15 / SLES15 / openSUSE 15 Security Update : Java (SUSE-SU-2024:1874-1)

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2024:1874-1 advisory. This update for Java fixes thefollowing issues: apiguardian was updated to vesion 1.1.2: - Added...

ASUS ASMB8 iKVM 1.14.51 - Remote Code Execution (RCE) &amp; SSH Access

...

SUSE SLES15 Security Update : gstreamer-plugins-base (SUSE-SU-2024:1886-1)

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2024:1886-1 advisory. - CVE-2024-4453: Fixed lack of proper validation of user-supplied data when parsing EXIF metadata (bsc#1224806) Tenable has extracted...

SUSE SLED15 / SLES15 / openSUSE 15 Security Update : gstreamer-plugins-base (SUSE-SU-2024:1882-1)

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2024:1882-1 advisory. - CVE-2024-4453: Fixed lack of proper validation of user-supplied data when parsing EXIF metadata ...

Oracle Linux 8 : virt:ol / and / virt-devel:rhel (ELSA-2024-3253)

The remote Oracle Linux 8 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2024-3253 advisory. hivex libguestfs libguestfs-winsupport libiscsi libnbd libtpms libvirt [8.0.0-23.1.0.1] - Set SOURCE_DATE_EPOCH from changelog...

FreePBX 16 - Remote Code Execution (RCE) (Authenticated)

...

CVE-2024-5564

A vulnerability was found in libndp. This flaw allows a local malicious user to cause a buffer overflow in NetworkManager, triggered by sending a malformed IPv6 router advertisement packet. This issue occurred as libndp was not correctly validating the route length...