Lucene search

1306 matches found

Source: CVE · added 2024/08/01 6:54 a.m. · 51 views

CVE-2024-5678

CVE-2024-5678 affects Zoho ManageEngine Applications Manager versions 17.0900 and earlier. The vulnerability is an authenticated, admin-only SQL injection in the Create Monitor feature, introduced by the underlying input handling in that function. Exploitation requires admin access, with no user i...

CVSS 4.7 · AI score 5.4 · EPSS 0.0255 · Exploits 0 · References 1 · Affected Software 1
Source: NVD · added 2024/07/19 3:15 p.m. · 9 views

CVE-2024-6908

Improper privilege management in Yugabyte Platform allows authenticated admin users to escalate privileges to SuperAdmin via a crafted PUT HTTP request, potentially leading to unauthorized access to sensitive system functions and data...

CVSS 6 · EPSS 0.0026 · Exploits 0 · References 2
Source: CVE · added 2024/07/19 2:57 p.m. · 42 views

CVE-2024-6908

The CVE-2024-6908 entry concerns Yugabyte Platform, where improper privilege management allows an authenticated admin to escalate to SuperAdmin via a crafted PUT request, potentially granting access to sensitive functions and data. The described impact is unauthorized access to sensitive system c...

CVSS 6 · AI score 6.8 · EPSS 0.0026 · Exploits 0 · References 2
Source: Positive Technologies · added 2024/07/19 12:00 a.m. · 3 views

PT-2024-37949 · Yugabyte · Yugabyte Platform

Name of the Vulnerable Software and Affected Versions: Yugabyte Platform, affected versions not specified.
Description: The issue concerns improper privilege management, allowing authenticated admin users to escalate privileges to SuperAdmin via a crafted PUT HTTP request. This could lead to...

CVSS 6 · AI score 6.8 · EPSS 0.0026 · Exploits 0 · References 7
Source: OSV · added 2024/07/17 5:15 p.m. · 4 views

CVE-2024-20296

A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to upload arbitrary files to an affected device. To exploit this vulnerability, an attacker would need at least valid Policy Admin credentials on the affected...

CVSS 7.2 · AI score 6 · EPSS 0.00471 · Exploits 0 · References 1
Source: NVD · added 2024/06/26 1:15 a.m. · 23 views

CVE-2024-24764

October is a self-hosted CMS platform based on the Laravel PHP Framework. This issue affects authenticated administrators, who may be redirected to an untrusted URL using the PageFinder schema. The resolver for the page finder link schema october:// allowed external links, therefore allowing an op...

CVSS 4.8 · EPSS 0.00265 · Exploits 0 · References 1
Source: Positive Technologies · added 2024/06/21 12:00 a.m. · 3 views

PT-2024-8589 · Ivanti · Ivanti Endpoint Manager

Name of the Vulnerable Software and Affected Versions: Ivanti Endpoint Manager versions prior to the 2024 November Security Update; Ivanti Endpoint Manager versions prior to the 2022 SU6 November Security Update.
Description: The issue is related to a lack of protection against SQL query structure...

CVSS 9 · AI score 8.2 · EPSS 0.03075 · Exploits 0 · References 7
Source: Positive Technologies · added 2024/06/19 12:00 a.m. · 1 view

PT-2024-9037 · Ivanti · Ivanti Policy Secure +1

Name of the Vulnerable Software and Affected Versions: Ivanti Connect Secure versions prior to 22.7R2.2 and 9.1R18.9; Ivanti Policy Secure versions prior to 22.7R1.2.
Description: The issue is related to argument injection, which allows a remote authenticated attacker with admin privileges to achie...

CVSS 9.1 · AI score 8.2 · EPSS 0.01744 · Exploits 0 · References 10
Source: OSV · added 2024/06/12 7:15 a.m. · 3 views

CVE-2024-28970

Dell Client BIOS contains an out-of-bounds write vulnerability. A local authenticated malicious user with admin privileges could potentially exploit this vulnerability, leading to platform denial of service...

CVSS 4.4 · AI score 5.8 · EPSS 0.00137 · Exploits 0 · References 1
Source: Positive Technologies · added 2024/06/12 12:00 a.m. · 3 views

PT-2024-5657

Name of the Vulnerable Software and Affected Versions: Palo Alto Networks Panorama, affected versions not specified.
Description: The issue is related to an arbitrary file upload vulnerability, allowing an authenticated read-write administrator with access to the web interface to disrupt system...

CVSS 7 · AI score 5.5 · EPSS 0.00576 · Exploits 0 · References 10
Source: OSV · added 2024/06/07 4:15 a.m. · 3 views

CVE-2024-36082

SQL injection vulnerability in Music Store - WordPress eCommerce versions prior to 1.1.14 allows a remote authenticated attacker with administrative privilege to execute arbitrary SQL commands. Information stored in the database may be obtained or altered by the attacker...

CVSS 6.5 · AI score 6 · Exploits 0 · References 3
Source: Positive Technologies · added 2024/06/05 12:00 a.m. · 2 views

PT-2024-8592 · Ivanti · Ivanti Endpoint Manager

Name of the Vulnerable Software and Affected Versions: Ivanti Endpoint Manager versions prior to the 2024 November Security Update; Ivanti Endpoint Manager versions prior to the 2022 SU6 November Security Update.
Description: The issue is related to SQL injection in Ivanti Endpoint Manager, which can be...

CVSS 9 · AI score 8.2 · EPSS 0.03075 · Exploits 0 · References 8
Source: Positive Technologies · added 2024/06/05 12:00 a.m. · 3 views

PT-2024-6301 · Ivanti · Ivanti EPM

Name of the Vulnerable Software and Affected Versions: Ivanti EPM versions before 2022 SU6; Ivanti EPM versions before the 2024 September update.
Description: The issue is related to an unspecified SQL injection in Ivanti EPM, which allows a remote authenticated attacker with admin privileges to...

CVSS 9.1 · AI score 9 · EPSS 0.0215 · Exploits 0 · References 15
Source: Positive Technologies · added 2024/06/05 12:00 a.m. · 3 views

PT-2024-6302 · Ivanti · Ivanti EPM

Name of the Vulnerable Software and Affected Versions: Ivanti EPM versions prior to 2022 SU6; Ivanti EPM versions prior to the 2024 September update.
Description: The issue is related to an unspecified SQL injection in Ivanti EPM, which allows a remote authenticated attacker with admin privileges t...

CVSS 9.1 · AI score 8.3 · EPSS 0.24005 · Exploits 0 · References 14
Source: Patchstack · added 2024/05/29 11:53 p.m. · 5 views

WordPress WP To Do plugin <= 1.3.0 - Authenticated (Admin+) Stored Cross-Site Scripting via Settings vulnerability

Authenticated (Admin+) Stored Cross-Site Scripting via Settings vulnerability discovered by Benedictus Jovan (aillesiM) in WordPress plugin WP To Do versions <= 1.3.0...

CVSS 4.8 · AI score 5.8 · EPSS 0.00318 · Exploits 0 · References 1 · Affected Software 1
Source: WPVulnDB · added 2024/05/24 12:00 a.m. · 12 views

AZAN Plugin <= 0.6 - Stored XSS via CSRF

Description: The plugin does not have a CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make a logged-in admin add Stored XSS payloads via a CSRF attack.
PoC: Make a logged-in admin open an HTML file containing: ... If the widget is loaded on a page...

AI score 5.4 · EPSS 0.00192 · Exploits 2
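The AZAN entry above (missing CSRF check, missing sanitisation and escaping) and the two Patchstack "Authenticated (Admin+) Stored XSS via Settings" entries describe the same WordPress defect pattern: a settings handler that trusts any request reaching it and echoes what it stored. The following is an added illustration written for this page, not code from the AZAN, WP To Do or PayPal plugins; the option name `demo_widget_title`, the form field `demo_title`, the nonce action `demo_save_settings` and the function names are hypothetical, while the WordPress API calls (`check_admin_referer`, `current_user_can`, `sanitize_text_field`, `esc_html`, `wp_nonce_field`) are the real core functions.

```php
<?php
// Added example for this page; hypothetical plugin code, not the vulnerable plugins' own.

// VULNERABLE shape: no capability check, no nonce check, raw input stored,
// raw output echoed. A page the admin is lured to open can POST this form
// cross-site and the admin's cookies authorise it (CSRF -> stored XSS).
function demo_save_settings_vulnerable() {
    if ( isset( $_POST['demo_title'] ) ) {
        update_option( 'demo_widget_title', $_POST['demo_title'] ); // stored unchanged
    }
}

function demo_render_widget_vulnerable() {
    // A stored "<script>...</script>" is emitted verbatim to every visitor.
    echo '<h2>' . get_option( 'demo_widget_title', '' ) . '</h2>';
}

// HARDENED shape: authorise, verify the nonce, sanitise on input, escape on output.
function demo_save_settings_hardened() {
    if ( ! isset( $_POST['demo_title'] ) ) {
        return;
    }
    // Only users who may manage options get past this point.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    // Dies unless the request carries a nonce generated for this action by this
    // user's session; a cross-site form cannot obtain one, which closes the CSRF path.
    check_admin_referer( 'demo_save_settings', 'demo_settings_nonce' );
    // Strip tags, line breaks and octets that have no place in a title before storing.
    $title = sanitize_text_field( wp_unslash( $_POST['demo_title'] ) );
    update_option( 'demo_widget_title', $title );
}

function demo_render_widget_hardened() {
    // Escape at the sink regardless of what is in the database.
    echo '<h2>' . esc_html( get_option( 'demo_widget_title', '' ) ) . '</h2>';
}

// The settings form has to emit the matching nonce field for the check above to pass.
function demo_settings_form() {
    echo '<form method="post">';
    wp_nonce_field( 'demo_save_settings', 'demo_settings_nonce' );
    echo '<input type="text" name="demo_title" value="'
        . esc_attr( get_option( 'demo_widget_title', '' ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}

add_action( 'admin_init', 'demo_save_settings_hardened' );
```

The nonce check is what turns an "Admin+" stored XSS into something an unauthenticated attacker cannot reach: without it, the admin's privilege is borrowed through the browser, which is exactly the AZAN PoC ("make a logged-in admin open an HTML file"). Sanitisation and escaping remain necessary on their own, since WordPress does not grant every administrator the `unfiltered_html` capability (multisite is the usual case), and an admin-only stored payload still executes in every other user's browser.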
Source: Patchstack · added 2024/05/23 9:26 a.m. · 3 views

WordPress PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode plugin <= 1.7 - Authenticated (Admin+) Stored Cross-Site Scripting vulnerability

Authenticated (Admin+) Stored Cross-Site Scripting vulnerability discovered by Benedictus Jovan (aillesiM) in WordPress plugin PayPal Pay Now, Buy Now, Donation and Cart Buttons Shortcode versions <= 1.7...

CVSS 4.4 · AI score 5.8 · EPSS 0.00271 · Exploits 0 · References 2 · Affected Software 1
Source: OSV · added 2024/05/17 4:15 p.m. · 2 views

CVE-2024-22429

Dell BIOS contains an improper input validation vulnerability. A local authenticated malicious user with admin privileges could potentially exploit this vulnerability, leading to arbitrary code execution...

CVSS 6.7 · AI score 6 · Exploits 0 · References 1
Source: Japan Vulnerability Notes · added 2024/05/17 4:54 a.m. · 2 views

Ruijie BCR810W/BCR860 vulnerable to OS command injection

Overview: Network routers BCR810W/BCR860 provided by Ruijie Networks Co., Ltd. contain an OS command injection vulnerability (CVE-2023-3608, CWE-78). Note that this vulnerability can only be exploited when the BCOS port of the product is connected to the Internet. JPCERT/CC has confirmed attacks...

CVSS 8.8 · AI score 7.6 · EPSS 0.10909 · Exploits 1 · References 5
Source: Vulnrichment · added 2024/05/14 8:20 p.m. · 9 views

CVE-2022-28132

The T-Soft E-Commerce 4 web application is susceptible to SQL injection (SQLi) attacks when authenticated as an admin or privileged user. This vulnerability allows attackers to access and manipulate the database through crafted requests. By exploiting this flaw, attackers can bypass authentication...

AI score 7.2 · EPSS 0.00613 · Exploits 2 · References 1