SIGMA Lite & Lite + Security Vulnerabilities

spring

This Week in Spring - March 26th, 2024

Hi, Spring fans! Welcome to another installment of This Week in Spring! Sam Brannen shares some good news: a null-safe Index operator for the Spring Expression Language (SpEL) is coming to Spring Framework 6.2! This is interesting, and a nice application of AI (do I even need to spell out...

7.2AI Score

2024-03-26 12:00 AM
7
openvas

Ubuntu: Security Advisory (USN-6712-1)

The remote host is missing an update for...

6.8AI Score

0.0004EPSS

2024-03-26 12:00 AM
6
osv

libnet-cidr-lite-perl vulnerability

It was discovered that Net::CIDR::Lite incorrectly handled extra zero characters at the beginning of IP address strings. A remote attacker could possibly use this issue to bypass access...

6.9AI Score

0.0004EPSS

2024-03-25 11:56 AM
8
ibm

Security Bulletin: Multiple vulnerabilities in IBM Db2 may affect IBM Storage Protect Server.

Summary IBM Storage Protect Server uses IBM Db2 and may be affected by multiple vulnerabilities which could lead to denial of service, remote code execution or loss of confidentiality, integrity or availability. CVE-2015-8383, CVE-2015-8381, CVE-2015-8386, CVE-2015-8388, CVE-2015-8385,...

9.8CVSS

9.7AI Score

EPSS

2024-03-25 09:18 AM
19
ubuntu

Net::CIDR::Lite vulnerability

Releases Ubuntu 20.04 LTS Packages libnet-cidr-lite-perl - module for merging IPv4 or IPv6 CIDR address ranges Details It was discovered that Net::CIDR::Lite incorrectly handled extra zero characters at the beginning of IP address strings. A remote attacker could possibly use this issue to...

7.1AI Score

0.0004EPSS

2024-03-25 12:00 AM
8
nessus

Ubuntu 20.04 LTS : Net::CIDR::Lite vulnerability (USN-6712-1)

The remote Ubuntu 20.04 LTS host has a package installed that is affected by a vulnerability as referenced in the USN-6712-1 advisory. The Net::CIDR::Lite module before 0.22 for Perl does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some...

7AI Score

0.0004EPSS

2024-03-25 12:00 AM
7
openvas

Debian: Security Advisory (DLA-3770-1)

The remote host is missing an update for the...

6.8AI Score

0.0004EPSS

2024-03-25 12:00 AM
5
debian

[SECURITY] [DLA 3770-1] libnet-cidr-lite-perl security update

Debian LTS Advisory DLA-3770-1 [email protected] https://www.debian.org/lts/security/ Thorsten Alteholz March 23, 2024 https://wiki.debian.org/LTS Package : libnet-cidr-lite-perl Version : 0.21-2+debu10u1 CVE...

5.9AI Score

0.0004EPSS

2024-03-23 04:25 PM
11
cve

CVE-2024-24840

Missing Authorization vulnerability in BdThemes Element Pack Elementor Addons. This issue affects Element Pack Elementor Addons: from n/a through...

4.3CVSS

6.8AI Score

0.0004EPSS

2024-03-23 03:15 PM
33
nvd

CVE-2024-24840

Missing Authorization vulnerability in BdThemes Element Pack Elementor Addons. This issue affects Element Pack Elementor Addons: from n/a through...

4.3CVSS

4.7AI Score

0.0004EPSS

2024-03-23 03:15 PM
cvelist

CVE-2024-24840 WordPress Element Pack Elementor Addons plugin <= 5.4.11 - Broken Access Control on Duplicate Post vulnerability

Missing Authorization vulnerability in BdThemes Element Pack Elementor Addons. This issue affects Element Pack Elementor Addons: from n/a through...

4.3CVSS

5AI Score

0.0004EPSS

2024-03-23 02:45 PM
osv

6.5AI Score

0.0004EPSS

2024-03-23 12:00 AM
11
osv

CVE-2024-1727

A Cross-Site Request Forgery (CSRF) vulnerability in gradio-app/gradio allows attackers to upload multiple large files to a victim's system if they are running Gradio locally. By crafting a malicious HTML page that triggers an unauthorized file upload to the victim's server, an attacker can...

4.3CVSS

4.6AI Score

0.0004EPSS

2024-03-21 08:15 PM
3
cvelist

CVE-2024-24883 WordPress Prime Slider plugin <= 3.11.10 - Broken Access Control on Duplicate Post vulnerability

Missing Authorization vulnerability in BdThemes Prime Slider – Addons For Elementor. This issue affects Prime Slider – Addons For Elementor: from n/a through...

4.3CVSS

5AI Score

0.0004EPSS

2024-03-21 05:55 PM
wordfence

Wordfence Intelligence Weekly WordPress Vulnerability Report (March 11, 2024 to March 17, 2024)

Did you know we're running a Bug Bounty Extravaganza again? Earn over 6x our usual bounty rates, up to $10,000, for all vulnerabilities submitted through May 27th, 2024 when you opt to have Wordfence handle responsible disclosure! Last week, there were 163 vulnerabilities disclosed in 126...

10CVSS

10AI Score

0.001EPSS

2024-03-21 03:55 PM
40
cve

CVE-2024-2538

The Permalink Manager Lite plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ajax_save_permalink' function in all versions up to, and including, 2.4.3.1. This makes it possible for authenticated attackers, with author access and...

5.4CVSS

6.1AI Score

0.0004EPSS

2024-03-20 06:15 AM
30
nvd

CVE-2024-2538

The Permalink Manager Lite plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ajax_save_permalink' function in all versions up to, and including, 2.4.3.1. This makes it possible for authenticated attackers, with author access and...

5.4CVSS

5.2AI Score

0.0004EPSS

2024-03-20 06:15 AM
cvelist

CVE-2024-2538

The Permalink Manager Lite plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ajax_save_permalink' function in all versions up to, and including, 2.4.3.1. This makes it possible for authenticated attackers, with author access and...

5.4CVSS

5.5AI Score

0.0004EPSS

2024-03-20 05:32 AM
wpvulndb

Permalink Manager Lite < 2.4.3.1 - Reflected Cross-Site Scripting

Description The Permalink Manager Lite plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 2.4.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in...

7.1CVSS

6.3AI Score

0.0004EPSS

2024-03-20 12:00 AM
10
wpvulndb

WP Fusion Lite < 3.42.10 - Authenticated (Contributor+) Remote Code Execution

Description The WP Fusion Lite – Marketing Automation and CRM Integration for WordPress plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3.41.24. This makes it possible for authenticated attackers, with contributor-level access and above, to execute....

9.9CVSS

7.5AI Score

0.0004EPSS

2024-03-20 12:00 AM
5
wpvulndb

Permalink Manager Lite and Permalink Manager pro < 2.4.3.2 - Reflected Cross-Site Scripting

Description The Permalink Manager Pro plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘s’ parameter in all versions up to, and including, 2.4.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject.....

6.1CVSS

6.2AI Score

0.0004EPSS

2024-03-20 12:00 AM
9
wpvulndb

Plugin Permalink < 2.4.3.2 - Missing Authorization via get_uri_editor

Description The Permalink Manager Lite plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_uri_editor' function in all versions up to, and including, 2.4.3.1. This makes it possible for unauthenticated attackers to view the permalinks of.....

4.3CVSS

6.5AI Score

0.0004EPSS

2024-03-20 12:00 AM
6
nvd

CVE-2024-29092

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Maciej Bis Permalink Manager Lite allows Reflected XSS. This issue affects Permalink Manager Lite: from n/a through...

7.1CVSS

6.9AI Score

0.0004EPSS

2024-03-19 05:15 PM
cve

CVE-2024-29092

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Maciej Bis Permalink Manager Lite allows Reflected XSS. This issue affects Permalink Manager Lite: from n/a through...

7.1CVSS

9.3AI Score

0.0004EPSS

2024-03-19 05:15 PM
34
nvd

CVE-2024-27998

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in UkrSolution Barcode Scanner with Inventory & Order Manager allows Reflected XSS. This issue affects Barcode Scanner with Inventory & Order Manager: from n/a through...

7.1CVSS

6.9AI Score

0.0004EPSS

2024-03-19 05:15 PM
cve

CVE-2024-27998

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in UkrSolution Barcode Scanner with Inventory & Order Manager allows Reflected XSS. This issue affects Barcode Scanner with Inventory & Order Manager: from n/a through...

7.1CVSS

9.3AI Score

0.0004EPSS

2024-03-19 05:15 PM
37
cvelist

CVE-2024-27998 WordPress Barcode Scanner and Inventory manager plugin <= 1.5.3 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in UkrSolution Barcode Scanner with Inventory & Order Manager allows Reflected XSS. This issue affects Barcode Scanner with Inventory & Order Manager: from n/a through...

7.1CVSS

7.1AI Score

0.0004EPSS

2024-03-19 04:46 PM
1
cvelist

CVE-2024-29092 WordPress Permalink Manager Lite plugin <= 2.4.3 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Maciej Bis Permalink Manager Lite allows Reflected XSS. This issue affects Permalink Manager Lite: from n/a through...

7.1CVSS

7.1AI Score

0.0004EPSS

2024-03-19 04:41 PM
redhat

(RHSA-2024:1406) Moderate: bind security update

The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. Security....

7AI Score

0.001EPSS

2024-03-19 04:35 PM
9
nvd

CVE-2024-29105

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Timersys WP Popups allows Stored XSS. This issue affects WP Popups: from n/a through...

5.9CVSS

5.7AI Score

0.0004EPSS

2024-03-19 04:15 PM
cve

CVE-2024-29105

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Timersys WP Popups allows Stored XSS. This issue affects WP Popups: from n/a through...

5.9CVSS

9.1AI Score

0.0004EPSS

2024-03-19 04:15 PM
32
cvelist

CVE-2024-29105 WordPress WP Popups – WordPress Popup builder plugin <= 2.1.5.5 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Timersys WP Popups allows Stored XSS. This issue affects WP Popups: from n/a through...

5.9CVSS

5.9AI Score

0.0004EPSS

2024-03-19 03:39 PM
nessus

RHEL 8 : bind (RHSA-2024:1406)

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2024:1406 advisory. The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a...

7.5CVSS

7.8AI Score

0.001EPSS

2024-03-19 12:00 AM
6
redhatcve

CVE-2021-47154

A vulnerability was found in the Perl module Net::CIDR::Lite, where extraneous zero characters at the start of an IP address string are not adequately handled. This flaw may enable attackers to circumvent IP address-based access controls in certain...

7AI Score

0.0004EPSS

2024-03-18 11:51 AM
9
nvd

CVE-2021-47154

The Net::CIDR::Lite module before 0.22 for Perl does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP...

6.3AI Score

0.0004EPSS

2024-03-18 05:15 AM
1
debiancve

CVE-2021-47154

The Net::CIDR::Lite module before 0.22 for Perl does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP...

6.7AI Score

0.0004EPSS

2024-03-18 05:15 AM
9
cve

CVE-2021-47154

The Net::CIDR::Lite module before 0.22 for Perl does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP...

6.4AI Score

0.0004EPSS

2024-03-18 05:15 AM
56
osv

CVE-2021-47154

The Net::CIDR::Lite module before 0.22 for Perl does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP...

6.9AI Score

0.0004EPSS

2024-03-18 05:15 AM
8
ubuntucve

CVE-2021-47154

The Net::CIDR::Lite module before 0.22 for Perl does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP...

7.1AI Score

0.0004EPSS

2024-03-18 12:00 AM
4
cvelist

CVE-2021-47154

The Net::CIDR::Lite module before 0.22 for Perl does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP...

6.6AI Score

0.0004EPSS

2024-03-18 12:00 AM
wpvulndb

Permalink Manager < 2.4.3.2 - Missing Authorization to Authenticated(Author+) arbitrary post slug modification

Description The Permalink Manager Lite plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ajax_save_permalink' function in all versions up to, and including, 2.4.3.1. This makes it possible for authenticated attackers, with author...

5.4CVSS

6.8AI Score

0.0004EPSS

2024-03-18 12:00 AM
3
wpvulndb

PowerPack Lite for Beaver Builder < 1.3.0.1 - Authenticated(Contributor+) Stored Cross-Site Scripting via element link

Description The PowerPack Lite for Beaver Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the link in multiple elements in all versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

6.4CVSS

5.6AI Score

0.0004EPSS

2024-03-18 12:00 AM
8
nvd

CVE-2024-1857

The Ultimate Gift Cards for WooCommerce – Create, Redeem & Manage Digital Gift Certificates with Personalized Templates plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6.6 via the wps_wgm_preview_email_template(). This makes it possible.....

5.3CVSS

5.2AI Score

0.0004EPSS

2024-03-16 09:15 AM
cve

CVE-2024-1857

The Ultimate Gift Cards for WooCommerce – Create, Redeem & Manage Digital Gift Certificates with Personalized Templates plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6.6 via the wps_wgm_preview_email_template(). This makes it possible.....

5.3CVSS

9.2AI Score

0.0004EPSS

2024-03-16 09:15 AM
31
vulnrichment

CVE-2024-1857

The Ultimate Gift Cards for WooCommerce – Create, Redeem & Manage Digital Gift Certificates with Personalized Templates plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6.6 via the wps_wgm_preview_email_template(). This makes it possible.....

5.3CVSS

6.8AI Score

0.0004EPSS

2024-03-16 08:37 AM
cvelist

CVE-2024-1857

The Ultimate Gift Cards for WooCommerce – Create, Redeem & Manage Digital Gift Certificates with Personalized Templates plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6.6 via the wps_wgm_preview_email_template(). This makes it possible.....

5.3CVSS

5.5AI Score

0.0004EPSS

2024-03-16 08:37 AM
cve

CVE-2024-2042

The ElementsKit Elementor addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Accordion widget in all versions up to, and including, 3.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4CVSS

7.6AI Score

0.0004EPSS

2024-03-16 03:15 AM
35
nvd

CVE-2024-2042

The ElementsKit Elementor addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Accordion widget in all versions up to, and including, 3.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4CVSS

5.7AI Score

0.0004EPSS

2024-03-16 03:15 AM
1
nvd

CVE-2024-1239

The ElementsKit Elementor addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the blog post read more button in all versions up to, and including, 3.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4CVSS

5.7AI Score

0.0004EPSS

2024-03-16 03:15 AM
cve

CVE-2024-1239

The ElementsKit Elementor addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the blog post read more button in all versions up to, and including, 3.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4CVSS

7.6AI Score

0.0004EPSS

2024-03-16 03:15 AM
32
Total number of security vulnerabilities: 8308