CVE-2024-4890 Blind SQL Injection in berriai/litellm

A blind SQL injection vulnerability exists in the berriai/litellm application, specifically within the '/team/update' process. The vulnerability arises due to the improper handling of the 'userid' parameter in the raw SQL query used for deleting users. An attacker can exploit this vulnerability b...

CVE-2024-4890

The CVE-2024-4890 entry applies to the berriai/litellm project. A blind SQL injection exists in the /team/update flow due to improper handling of the user_id parameter in the raw SQL used to delete users, with affected version 1.27.14. Exploitation could yield unauthorized access to sensitive dat...

CVE-2024-3234 Path Traversal in gaizhenbiao/chuanhuchatgpt

The gaizhenbiao/chuanhuchatgpt application is vulnerable to a path traversal attack due to its use of an outdated gradio component. The application is designed to restrict user access to resources within the webassets folder. However, the outdated version of gradio it employs is susceptible to pa...

CVE-2024-3234 Path Traversal in gaizhenbiao/chuanhuchatgpt

The gaizhenbiao/chuanhuchatgpt application is vulnerable to a path traversal attack due to its use of an outdated gradio component. The application is designed to restrict user access to resources within the webassets folder. However, the outdated version of gradio it employs is susceptible to pa...

CVE-2024-2088

The NextScripts: Social Networks Auto-Poster plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.4.3 via the 'nxsgetExpSettings' function. This makes it possible for authenticated attackers, with subscriber access and above, to extract...

CVE-2024-2088

CVE-2024-2088 affects NextScripts: Social Networks Auto-Poster for WordPress (all versions up to and including 4.4.3). The vulnerability is a Sensitive Information Exposure via the nxs_getExpSettings function that allows authenticated users with subscriber access and higher to disclose social net...

CVE-2024-2088 NextScripts: Social Networks Auto-Poster <= 4.4.3 - Authenticated(Subscriber+) Sensitive Information Exposure

The NextScripts: Social Networks Auto-Poster plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.4.3 via the 'nxsgetExpSettings' function. This makes it possible for authenticated attackers, with subscriber access and above, to extract...

NextScripts: Social Networks Auto-Poster < 4.4.4 - Subscriber+ Sensitive Information Exposure

Description The plugin is vulnerable to Sensitive Information Exposure via the 'nxsgetExpSettings' function. This makes it possible for authenticated attackers, with subscriber access and above, to extract sensitive data including social network API keys and secrets...

CVE-2024-4321

A Local File Inclusion LFI vulnerability exists in the gaizhenbiao/chuanhuchatgpt application, specifically within the functionality for uploading chat history. The vulnerability arises due to improper input validation when handling file paths during the chat history upload process. An attacker c...

CVE-2024-4321 Local File Inclusion (LFI) in gaizhenbiao/chuanhuchatgpt

A Local File Inclusion LFI vulnerability exists in the gaizhenbiao/chuanhuchatgpt application, specifically within the functionality for uploading chat history. The vulnerability arises due to improper input validation when handling file paths during the chat history upload process. An attacker c...

CVE-2024-4321 Local File Inclusion (LFI) in gaizhenbiao/chuanhuchatgpt

A Local File Inclusion LFI vulnerability exists in the gaizhenbiao/chuanhuchatgpt application, specifically within the functionality for uploading chat history. The vulnerability arises due to improper input validation when handling file paths during the chat history upload process. An attacker c...

CVE-2024-4321

A Local File Inclusion (LFI) exists in gaizhenbiao/chuanhuchatgpt (version 20240310) due to improper input validation when handling file paths during chat history upload. An attacker can modify the name parameter to specify arbitrary file paths, enabling reading of sensitive server files and leak...

Grafana Data source and plugin proxy endpoints leaking authentication tokens to some destination plugins

Today we are releasing Grafana 9.2. Alongside with new features and other bug fixes, this release includes a Moderate severity security fix for CVE-2022-31130 We are also releasing security patches for Grafana 9.1.8 and Grafana 8.5.14 to fix these issues. Release 9.2, latest release, also...

CVE-2023-6810

The ClickCease Click Fraud Protection plugin for WordPress is vulnerable to unauthorized access of data due to an improper capability check on the getsettings function in all versions up to, and including, 3.2.4. This makes it possible for authenticated attackers, with author access and above, to...

CVE-2023-6810 ClickCease Click Fraud Protection <= 3.2.4 - Improper Authorization to sensitive information exposure via get_settings

The ClickCease Click Fraud Protection plugin for WordPress is vulnerable to unauthorized access of data due to an improper capability check on the getsettings function in all versions up to, and including, 3.2.4. This makes it possible for authenticated attackers, with author access and above, to...

CVE-2023-6810

The CVE describes CVE-2023-6810: ClickCease Click Fraud Protection (WordPress) has an improper capability check in get_settings, allowing authenticated users with author access and above to retrieve the plugin’s API keys. Affected versions are up to 3.2.4. The Red Hat entry and Wordfence state th...

CVE-2023-6810 ClickCease Click Fraud Protection <= 3.2.4 - Improper Authorization to sensitive information exposure via get_settings

The ClickCease Click Fraud Protection plugin for WordPress is vulnerable to unauthorized access of data due to an improper capability check on the getsettings function in all versions up to, and including, 3.2.4. This makes it possible for authenticated attackers, with author access and above, to...

ClickCease Click Fraud Protection < 3.2.5 - Improper Authorization to sensitive information exposure via get_settings

Description The ClickCease Click Fraud Protection plugin for WordPress is vulnerable to unauthorized access of data due to an improper capability check on the getsettings function in all versions up to, and including, 3.2.4. This makes it possible for authenticated attackers, with author access a...

Dropbox Sign customer data accessed in breach

Dropbox is reporting a recent "security incident" in which an attacker gained unauthorized access to the Dropbox Sign formerly HelloSign production environment. During this access, the attacker had access to Dropbox Sign customer information. Dropbox Sign is a platform that allows customers to...

Dropbox Discloses Breach of Digital Signature Service Affecting All Users

Cloud storage services provider Dropbox on Wednesday disclosed that Dropbox Sign formerly HelloSign was breached by unidentified threat actors, who accessed emails, usernames, and general account settings associated with all users of the digital signature product. The company, in a filing with th...