CVE-2023-39998 WordPress BeTheme theme <= 27.1.1 - Author+ Broken Access Control vulnerability
Missing Authorization vulnerability in Muffingroup Betheme.This issue affects Betheme: from n/a through...
8.2CVSS
0.0004EPSS
CVE-2023-45658 WordPress Nexter theme <= 2.0.3 - Broken Access Control vulnerability
Missing Authorization vulnerability in POSIMYTH Nexter.This issue affects Nexter: from n/a through...
7.6CVSS
0.0004EPSS
CVE-2023-45658 WordPress Nexter theme <= 2.0.3 - Broken Access Control vulnerability
Missing Authorization vulnerability in POSIMYTH Nexter.This issue affects Nexter: from n/a through...
7.6CVSS
7AI Score
0.0004EPSS
Missing Authorization vulnerability in Thrive Themes Thrive Theme Builder.This issue affects Thrive Theme Builder: from n/a before...
8.3CVSS
8.3AI Score
0.0004EPSS
Missing Authorization vulnerability in Thrive Themes Thrive Theme Builder.This issue affects Thrive Theme Builder: from n/a before...
8.3CVSS
0.0004EPSS
CVE-2023-46146 WordPress Themify Ultra theme <= 7.3.5 - Multiple Broken Access Control vulnerability
Missing Authorization vulnerability in Themify Themify Ultra.This issue affects Themify Ultra: from n/a through...
8.3CVSS
0.0004EPSS
Missing Authorization vulnerability in Themify Themify Ultra.This issue affects Themify Ultra: from n/a through...
8.8CVSS
6.9AI Score
0.0004EPSS
Missing Authorization vulnerability in Themify Themify Ultra.This issue affects Themify Ultra: from n/a through...
8.8CVSS
0.0004EPSS
CVE-2023-47770 WordPress BeTheme theme <= 27.1.1 - Contributor+ Broken Access Control vulnerability
Missing Authorization vulnerability in Muffin Group Betheme.This issue affects Betheme: from n/a through...
7.6CVSS
0.0004EPSS
Missing Authorization vulnerability in Thrive Themes Thrive Theme Builder.This issue affects Thrive Theme Builder: from n/a before...
8.3CVSS
0.0004EPSS
The YARPP – Yet Another Related Posts Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to and including 5.30.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
4.4CVSS
4.4AI Score
0.0004EPSS
The YARPP – Yet Another Related Posts Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to and including 5.30.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
4.4CVSS
0.0004EPSS
The YARPP – Yet Another Related Posts Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to and including 5.30.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
4.4CVSS
5.9AI Score
0.0004EPSS
The YARPP – Yet Another Related Posts Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to and including 5.30.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
4.4CVSS
0.0004EPSS
Mailcow Mail Server Flaws Expose Servers to Remote Code Execution
Two security vulnerabilities have been disclosed in the Mailcow open-source mail server suite that could be exploited by malicious actors to achieve arbitrary code execution on susceptible instances. Both shortcomings impact all versions of the software prior to version 2024-04, which was released....
6.2CVSS
6.9AI Score
0.0004EPSS
The WP Magazine Modules Lite plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1.2 via the 'blockLayout' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files...
7.5CVSS
0.001EPSS
The WP Magazine Modules Lite plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1.2 via the 'blockLayout' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files...
7.5CVSS
7.8AI Score
0.001EPSS
org.keycloak, keycloak-core is vulnerable to Credential Leakage. The vulnerability is due to a lack of proper validation and enforcement when administrators change the LDAP Connection URL without requiring re-entry of the currently configured LDAP bind credentials. The vulnerability allows an...
2.7CVSS
6.5AI Score
0.0004EPSS
CVE-2024-5574 WP Magazine Modules Lite <= 1.1.2 - Authenticated (Contributor+) Local File Inclusion
The WP Magazine Modules Lite plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1.2 via the 'blockLayout' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files...
7.5CVSS
0.001EPSS
The Photo Video Gallery Master plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.5.3 via deserialization of untrusted input 'PVGM_all_photos_details' parameter. This makes it possible for authenticated attackers, with Contributor-level access and...
8.8CVSS
8.8AI Score
0.001EPSS
The Universal Slider plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.6.5 via deserialization of untrusted input 'fsl_get_gallery_value' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to...
5.4CVSS
0.0004EPSS
The Photo Video Gallery Master plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.5.3 via deserialization of untrusted input 'PVGM_all_photos_details' parameter. This makes it possible for authenticated attackers, with Contributor-level access and...
8.8CVSS
0.001EPSS
The Universal Slider plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.6.5 via deserialization of untrusted input 'fsl_get_gallery_value' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to...
5.4CVSS
5.7AI Score
0.0004EPSS
The AliExpress Dropshipping with AliNext Lite plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the ImportAjaxController.php file in all versions up to, and including, 3.3.5. This makes it possible for authenticated attackers, with.....
6.3CVSS
5.8AI Score
0.0004EPSS
The AliExpress Dropshipping with AliNext Lite plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the ImportAjaxController.php file in all versions up to, and including, 3.3.5. This makes it possible for authenticated attackers, with.....
6.3CVSS
0.0004EPSS
The AliExpress Dropshipping with AliNext Lite plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajax_save_image function in all versions up to, and including, 3.3.5. This makes it possible for authenticated attackers, with subscriber-level...
8.8CVSS
0.001EPSS
The AliExpress Dropshipping with AliNext Lite plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajax_save_image function in all versions up to, and including, 3.3.5. This makes it possible for authenticated attackers, with subscriber-level...
8.8CVSS
8.9AI Score
0.001EPSS
The AliExpress Dropshipping with AliNext Lite plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajax_save_image function in all versions up to, and including, 3.3.5. This makes it possible for authenticated attackers, with subscriber-level...
8.8CVSS
0.001EPSS
The Photo Video Gallery Master plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.5.3 via deserialization of untrusted input 'PVGM_all_photos_details' parameter. This makes it possible for authenticated attackers, with Contributor-level access and...
8.8CVSS
7.2AI Score
0.001EPSS
The Photo Video Gallery Master plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.5.3 via deserialization of untrusted input 'PVGM_all_photos_details' parameter. This makes it possible for authenticated attackers, with Contributor-level access and...
8.8CVSS
0.001EPSS
CVE-2024-5649 Universal Slider <= 1.6.5 - Authenticated (Contributor+) PHP Object Injection
The Universal Slider plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.6.5 via deserialization of untrusted input 'fsl_get_gallery_value' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to...
5.4CVSS
0.0004EPSS
The AliExpress Dropshipping with AliNext Lite plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the ImportAjaxController.php file in all versions up to, and including, 3.3.5. This makes it possible for authenticated attackers, with.....
6.3CVSS
0.0004EPSS
The AliExpress Dropshipping with AliNext Lite plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the ImportAjaxController.php file in all versions up to, and including, 3.3.5. This makes it possible for authenticated attackers, with.....
6.3CVSS
6.2AI Score
0.0004EPSS
In the module "Theme settings" (pk_themesettings) <= 1.8.8 from Promokit.eu for PrestaShop, a guest can perform SQL injection. The script ajax.php have a sensitive SQL call that can be executed with a trivial http call and exploited to forge a SQL...
7.6AI Score
0.0004EPSS
In the module "Theme settings" (pk_themesettings) <= 1.8.8 from Promokit.eu for PrestaShop, a guest can perform SQL injection. The script ajax.php have a sensitive SQL call that can be executed with a trivial http call and exploited to forge a SQL...
0.0004EPSS
CentOS 7 : bind, bind-dyndb-ldap, and dhcp (RHSA-2024:3741)
The remote CentOS Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:3741 advisory. The DNS message parsing code in named includes a section whose computational complexity is overly high. It does not cause problems for typical DNS...
7.5CVSS
8AI Score
0.05EPSS
7.4AI Score
Pocketbase is an open source web backend written in go. In affected versions a malicious user may be able to compromise other user accounts. In order to be exploited users must have both OAuth2 and Password auth methods enabled. A possible attack scenario could be: 1. a malicious actor register...
5.4CVSS
5.3AI Score
0.0004EPSS
Pocketbase is an open source web backend written in go. In affected versions a malicious user may be able to compromise other user accounts. In order to be exploited users must have both OAuth2 and Password auth methods enabled. A possible attack scenario could be: 1. a malicious actor register...
5.4CVSS
0.0004EPSS
CVE-2024-38351 Password auth and OAuth2 unverified email linking
Pocketbase is an open source web backend written in go. In affected versions a malicious user may be able to compromise other user accounts. In order to be exploited users must have both OAuth2 and Password auth methods enabled. A possible attack scenario could be: 1. a malicious actor register...
5.4CVSS
0.0004EPSS
Summary In addition to updates of open source dependencies, the following security vulnerabilities are addressed with IBM Business Automation Manager Open Editions 8.0.3 Vulnerability Details ** CVEID: CVE-2022-46364 DESCRIPTION: **Apache CXF is vulnerable to server-side request forgery, caused...
9.8CVSS
10.1AI Score
EPSS
Duplicate Advisory: Keycloak: Leak of configured LDAP bind credentials
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-c25h-c27q-5qpv. This link is maintained to preserve external references. Original Description A vulnerability was found in Keycloak. The LDAP testing endpoint allows changing the Connection URL independently...
3.7AI Score
Keycloak: Leak of configured LDAP bind credentials
A vulnerability was found in Keycloak. The LDAP testing endpoint allows changing the Connection URL independently without re-entering the currently configured LDAP bind credentials. This flaw allows an attacker with admin access (permission manage-realm) to change the LDAP host URL ("Connection...
2.7CVSS
6.6AI Score
0.0004EPSS
CyberChef is a simple, intuitive web app for carrying out all manner of "cyber" operations within a web browser. These operations include simple encoding like XOR and Base64, more complex encryption like AES, DES and Blowfish, creating binary and hexdumps, compression and decompression of data,...
6.9AI Score
A vulnerability was found in Keycloak. The LDAP testing endpoint allows changing the Connection URL independently without re-entering the currently configured LDAP bind credentials. This flaw allows an attacker with admin access (permission manage-realm) to change the LDAP host URL ("Connection...
2.7CVSS
0.0004EPSS
A vulnerability was found in Keycloak. The LDAP testing endpoint allows changing the Connection URL independently without re-entering the currently configured LDAP bind credentials. This flaw allows an attacker with admin access (permission manage-realm) to change the LDAP host URL ("Connection...
2.7CVSS
3.6AI Score
0.0004EPSS
CVE-2024-5967 Keycloak: leak of configured ldap bind credentials through the keycloak admin console
A vulnerability was found in Keycloak. The LDAP testing endpoint allows changing the Connection URL independently without re-entering the currently configured LDAP bind credentials. This flaw allows an attacker with admin access (permission manage-realm) to change the LDAP host URL ("Connection...
2.7CVSS
0.0004EPSS
CVE-2024-5967 Keycloak: leak of configured ldap bind credentials through the keycloak admin console
A vulnerability was found in Keycloak. The LDAP testing endpoint allows changing the Connection URL independently without re-entering the currently configured LDAP bind credentials. This flaw allows an attacker with admin access (permission manage-realm) to change the LDAP host URL ("Connection...
2.7CVSS
6.9AI Score
0.0004EPSS
How are attackers trying to bypass MFA?
In the latest Cisco Talos Incident Response Quarterly Trends report, instances related to multi-factor authentication (MFA) were involved in nearly half of all security incidents that our team responded to in the first quarter of 2024. In 25% of engagements, the underlying cause was users...
8.1AI Score
Analysis of user password strength
The processing power of computers keeps growing, helping users to solve increasingly complex problems faster. A side effect is that passwords that were impossible to guess just a few years ago can be cracked by hackers within mere seconds in 2024. For example, the RTX 4090 GPU is capable of...
6.9AI Score