
1991 matches found

NVD
added 2024/12/13 6:15 a.m.

CVE-2024-11838

External Control of File Name or Path vulnerability in PlexTrac allows Local Code Inclusion through use of an undocumented API endpoint. This issue affects PlexTrac: from 1.61.3 before 2.8.1...

CVSS 9.8 · EPSS 0.00133
Exploits: 0 · References: 1
OSV
added 2024/12/13 6:15 a.m.

CVE-2024-11838

External Control of File Name or Path vulnerability in PlexTrac allows Local Code Inclusion through use of an undocumented API endpoint. This issue affects PlexTrac: from 1.61.3 before 2.8.1...

CVSS 9.8 · AI score 5.8 · EPSS 0.00133
Exploits: 0 · References: 1
CVE
added 2024/12/13 5:51 a.m.

CVE-2024-11838

The CVE is confirmed for PlexTrac: external control of a file name or path enabling Local Code Inclusion via an undocumented API endpoint. Affected versions are from 1.61.3 before 2.8.1. The underlying issue is an external control vulnerability allowing file path manipulation, leading to local code i...

CVSS 9.8 · AI score 6.8 · EPSS 0.00133
Exploits: 0 · References: 1 · Affected Software: 1
Positive Technologies
added 2024/12/13 12:00 a.m.

PT-2024-36188 · Unknown · Aicomments

Name of the Vulnerable Software and Affected Versions: AIcomments versions 1.4.1 and earlier. Description: The issue is a Cross-Site Request Forgery (CSRF) vulnerability, which allows an attacker to perform unauthorized actions on a user's account. This can be achieved by tricking the user into...

CVSS 4.3 · AI score 7 · EPSS 0.00129
Exploits: 0 · References: 3
OSV
added 2024/12/12 3:46 p.m.

GO-2024-3327 SiYuan has an arbitrary file read via /api/template/render in github.com/siyuan-note/siyuan/kernel

CVSS 8.7 · AI score 6.4 · EPSS 0.00647
Exploits: 0 · References: 2
NVD
added 2024/12/12 12:15 p.m.

CVE-2024-9387

An issue was discovered in GitLab CE/EE affecting all versions from 11.8 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. An attacker could potentially perform an open redirect against a given releases API endpoint...

CVSS 6.4 · EPSS 0.00091
Exploits: 1 · References: 2
OSV
added 2024/12/12 12:02 p.m.

CVE-2024-9387 URL Redirection to Untrusted Site ('Open Redirect') in GitLab

An issue was discovered in GitLab CE/EE affecting all versions from 11.8 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. An attacker could potentially perform an open redirect against a given releases API endpoint...

CVSS 6.4 · AI score 6.4 · EPSS 0.00091
Exploits: 1 · References: 5
Vulnrichment
added 2024/12/12 12:02 p.m.

CVE-2024-9387 URL Redirection to Untrusted Site ('Open Redirect') in GitLab

An issue was discovered in GitLab CE/EE affecting all versions from 11.8 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. An attacker could potentially perform an open redirect against a given releases API endpoint...

CVSS 6.4 · AI score 6.5 · EPSS 0.00091
Exploits: 1 · References: 2
NVD
added 2024/12/12 6:15 a.m.

CVE-2024-12265

The Web3 Crypto Payments by DePay for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the /wp-json/depay/wc/debug REST API endpoint in all versions up to, and including, 2.12.17. This makes it possible for unauthenticated attacker...

CVSS 5.3 · EPSS 0.00419
Exploits: 0 · References: 2
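The "missing capability check on a REST API endpoint" pattern from the CVE-2024-12265 entry, as an added illustration that is not code from the DePay plugin or from the CVE record: a hypothetical debug route (namespace example/v1, routes /debug-open and /debug, none of them the plugin's real route) registered once without a permission_callback and once gated on a WordPress capability.

```php
<?php
// Added example, not the DePay plugin's code. The namespace "example/v1",
// the routes "/debug-open" and "/debug", and the payload are hypothetical.

function example_debug_payload( WP_REST_Request $request ) {
    // Hypothetical "debug" data: the kind of internal state an
    // unauthenticated caller must never be able to read.
    return rest_ensure_response( array(
        'php_version'    => PHP_VERSION,
        'site_url'       => get_site_url(),
        'active_plugins' => get_option( 'active_plugins' ),
    ) );
}

// VULNERABLE: no permission_callback. Since WordPress 5.5 a missing
// permission_callback raises a _doing_it_wrong() notice, but the route is
// still registered and anyone can call GET /wp-json/example/v1/debug-open.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/debug-open', array(
        'methods'  => WP_REST_Server::READABLE,
        'callback' => 'example_debug_payload',
    ) );
} );

// HARDENED: the permission_callback runs before the callback and must
// return true or a WP_Error. Gate on a capability only operators hold.
function example_debug_permission( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to read debug information.', 'example' ),
            array( 'status' => is_user_logged_in() ? 403 : 401 )
        );
    }
    return true;
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/debug', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_debug_payload',
        'permission_callback' => 'example_debug_permission',
    ) );
} );
```

With this loaded as a plugin, an unauthenticated `curl -s https://site.example/wp-json/example/v1/debug` returns a `rest_forbidden` JSON error with HTTP 401, while the same request to `/debug-open` returns the payload; that contrast is the whole bug class. One caveat when testing the hardened route as a logged-in user: cookie-authenticated REST requests also need the `X-WP-Nonce` header, otherwise WordPress treats the caller as unauthenticated and the capability check fails as intended.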
OSV
added 2024/12/12 6:15 a.m.

CVE-2024-10499

The AI Engine WordPress plugin before 2.6.5 does not sanitize and escape a parameter from one of its REST API endpoints before using it in a SQL statement, allowing admins to perform SQL injection attacks...

CVSS 7.2 · AI score 5.8 · EPSS 0.00436
Exploits: 1 · References: 1
Vulnrichment
added 2024/12/12 6:00 a.m.

CVE-2024-10499 AI-Engine < 2.6.5 - Admin+ SQLi

The AI Engine WordPress plugin before 2.6.5 does not sanitize and escape a parameter from one of its REST API endpoints before using it in a SQL statement, allowing admins to perform SQL injection attacks...

AI score 7.6 · EPSS 0.00436
Exploits: 1 · References: 1
Vulnrichment
added 2024/12/12 5:24 a.m.

CVE-2024-12265 Web3 Cryptocurrency Payments by DePay for WooCommerce <= 2.12.17 - Missing Authorization to Information Exposure

The Web3 Crypto Payments by DePay for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the /wp-json/depay/wc/debug REST API endpoint in all versions up to, and including, 2.12.17. This makes it possible for unauthenticated attacker...

CVSS 5.3 · AI score 6.8 · EPSS 0.00419
Exploits: 0 · References: 2
CNNVD
added 2024/12/12 12:00 a.m.

WordPress plugin AI Engine security vulnerability

WordPress and the WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed in PHP; it supports setting up personal blog sites on servers running PHP and MySQL. WordPress plugin is an application plugin. A security...

CVSS 7.2 · AI score 8.7 · EPSS 0.00436
Exploits: 1 · References: 1
OSV
added 2024/12/11 6:44 p.m.

GHSA-FQJ6-WHHX-47P7 SiYuan has an arbitrary file write in the host via /api/asset/upload

Summary: The /api/asset/upload endpoint in SiYuan is vulnerable to both arbitrary file write to the host and stored XSS via the file write. Impact: Arbitrary file write...

CVSS 8.7 · AI score 5.5 · EPSS 0.00725
Exploits: 0 · References: 5
Positive Technologies
added 2024/12/11 12:00 a.m.

PT-2024-36575 · Siyuan · Siyuan

Name of the Vulnerable Software and Affected Versions: SiYuan versions prior to 3.1.16. Description: SiYuan's /api/template/renderSprig endpoint is vulnerable to Server-Side Template Injection (SSTI) through the Sprig template engine. Although the engine has limitations, it allows attackers to acces...

CVSS 9.8 · AI score 6.2 · EPSS 0.93667
Exploits: 15 · References: 32
Positive Technologies
added 2024/12/10 12:00 a.m.

PT-2024-34547 · Jepaas · Jepaas

Name of the Vulnerable Software and Affected Versions: JEPAAS version 7.2.8. Description: The issue allows a remote user to submit a specially crafted query via the /je/rbac/rbac/loadLoginCount API endpoint in the dateVal parameter. This could enable an attacker to retrieve all the information...

CVSS 7.5 · AI score 6.1 · EPSS 0.00241
Exploits: 1 · References: 6
Positive Technologies
added 2024/12/09 12:00 a.m.

PT-2024-36456 · Unknown · Kashipara E-Learning Management System

Name of the Vulnerable Software and Affected Versions: Kashipara E-Learning Management System version 1.0. Description: A Directory Listing issue was found in Kashipara E-Learning Management System, which allows remote attackers to access sensitive files and directories via the "/admin/uploads" AP...

CVSS 7.5 · AI score 6.3 · EPSS 0.00204
Exploits: 1 · References: 6
Hacker One
added 2024/12/07 12:19 a.m.

Shopify: GraphQL Introspection Enabled on Shopify API Endpoint (Intended Behavior)

Summary: Hi team! I've found a misconfiguration in your GraphQL API on the endpoint in which an attacker is able to run a GraphQL introspection query to fetch schemas, types, fields, available query operations. After running the introspection query on the GraphQL API endpoint, an attacker is...

AI score 6.8
Exploits: 0
Packet Storm
added 2024/12/03 12:00 a.m.

Acronis Cyber Protect/Backup Remote Code Execution

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Acronis Cyber Protect/Backup remote code execution', 'Description' => %q Acronis Cyber Protect or Backup is an enterprise backup/recovery solution...

CVSS 9.3 · AI score 7.1 · EPSS 0.40036
Exploits: 5
Hacker One
added 2024/11/27 4:13 p.m.

TikTok: Unauthorized Access to TikTok Account [Private Videos] via API Endpoint

The vulnerability on a TikTok endpoint that allowed unauthorized viewing of videos from private accounts was discovered and reported by @datph4m. The issue was subsequently remediated...

AI score 7
Exploits: 0