Rockwell Automation ThinManager ThinServer Remote Code Execution Vulnerability (CNVD-2024-46734)

Rockwell Automation ThinManager is the United States Rockwell Rockwell Automation a thin client management software. A remote code execution vulnerability exists in Rockwell Automation ThinManager ThinServer, which can be exploited by an authenticated, local attacker to submit a special request t...

CVE-2024-7601

Logsign Unified SecOps Platform Directory dataexportdeleteall Traversal Arbitrary File Deletion Vulnerability. This vulnerability allows remote attackers to delete arbitrary files on affected installations of Logsign Unified SecOps Platform. Authentication is required to exploit this vulnerabilit...

CVE-2023-3419 tagDiv Opt-In Builder <= 1.4.4 - Authenticated (Admin+) SQL Injection

The tagDiv Opt-In Builder plugin is vulnerable to Blind SQL Injection via the 'couponId' parameter of the 'recreatestripesubscription' REST API endpoint in versions up to, and including, 1.4.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...

CVE-2022-27486

A improper neutralization of special elements used in an os command 'os command injection' in Fortinet FortiDDoS version 5.5.0 through 5.5.1, 5.4.2 through 5.4.0, 5.3.0 through 5.3.1, 5.2.0, 5.1.0, 5.0.0, 4.7.0, 4.6.0 and 4.5.0 and FortiDDoS-F version 6.3.0 through 6.3.1, 6.2.0 through 6.2.2, 6.1...

CVE-2024-5226 Fuse Social Floating Sidebar <= 5.4.10 - Authenticated (Author+) Stored Cross-Site Scripting via File Upload

The Fuse Social Floating Sidebar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the file upload functionality in all versions up to, and including, 5.4.10 due to insufficient validation of SVG files. This makes it possible for authenticated attackers, with contributor-level...

CVE-2024-7353 Accept Stripe Payments <= 2.0.86 - Authenticated (Contributor+) Stored Cross-Site Scripting via accept_stripe_payment_ng Shortcode

The Accept Stripe Payments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's acceptstripepaymentng shortcode in all versions up to, and including, 2.0.86 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible...

CVE-2024-5330 Breakdance <= 1.7.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Breakdance plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the breakdancecssfilepathscache parameter in all versions up to, and including, 1.7.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2024-40495

The CVE CVE-2024-40495 affects the Linksys Router E2500 (firmware 2.0.00). Affected component: hnd_parentalctrl_unblock function. Root cause allows an authenticated attacker to execute arbitrary code on the device. Impact per sources: high (remote code execution with authentication; consequences ...

Security Bulletin: IBM App Connect Enterprise is vulnerable to a local authenticated attack and denial of service due to Microsoft Azure Identity Libraries and Microsoft Authentication Library and gRPC on Node.js (CVE-2024-35255, CVE-2024-37168)

Summary IBM App Connect Enterprise is vulnerable to a local authenticated attack and denial of service due to Microsoft Azure Identity Libraries and Microsoft Authentication Library and gRPC on Node.js. This bulletin identifies the steps to take to address the vulnerability. Vulnerability Details...

CVE-2024-6392 Image Optimizer, Resizer and CDN – Sirv <= 7.2.7 - Authenticated(Subscriber+) Missing Authorization to Plugin Settings Update

The Image Optimizer, Resizer and CDN – Sirv plugin for WordPress is vulnerable to unauthorized plugin settings modification due to missing capability checks on the plugin functions in all versions up to, and including, 7.2.7. This makes it possible for authenticated attackers, with Subscriber-lev...

CVE-2024-21993 Information Disclosure Vulnerability in SnapCenter

SnapCenter versions prior to 5.0p1 are susceptible to a vulnerability which could allow an authenticated attacker to discover plaintext credentials...

CVE-2024-5881 Webico Slider Flatsome Addons <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via wbc_image Shortcode

The Webico Slider Flatsome Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wbcimage shortcode in all versions up to, and including, 2.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

Fortinet FortiAIOps Security Breach

Fortinet FortiAIOps is a Fortinet networking companion solution that combines artificial intelligence and machine learning AI/ML from Fortinet, Inc. A security vulnerability exists in Fortinet FortiAIOps version 2.0.0, which stems from the presence of an unsatisfactory neutralization of a formula...

CVE-2024-3513 Ultimate Blocks – WordPress Blocks Plugin <= 3.1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via title tag attribute

The Ultimate Blocks – WordPress Blocks Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the title tag postTitleTag parameter in all versions up to, and including, 3.1.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

CVE-2024-5819 Gutenberg Blocks with AI by Kadence WP – Page Builder Features <= 3.2.45 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via HTML Data Attributes

The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to DOM-based Stored Cross-Site Scripting via HTML data attributes in all versions up to, and including, 3.2.45 due to insufficient input sanitization and output escaping on user supplied...

CVE-2024-4390 Depicter <= 3.0.2 - Authenticated (Contributor+) Arbitrary Nonce Generation

The Slider and Carousel slider by Depicter plugin for WordPress is vulnerable to Arbitrary Nonce Generation in all versions up to, and including, 3.0.2. This makes it possible for authenticated attackers with contributor access and above, to generate a valid nonce for any WordPress action/functio...

CVE-2024-4375 Master Slider – Responsive Touch Slider <= 3.9.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via ms_layer Shortcode

The Master Slider – Responsive Touch Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mslayer' shortcode in all versions up to, and including, 3.9.10 due to insufficient input sanitization and output escaping on the 'cssid' user supplied attribute. This...

CVE-2024-5553 Premium Addons for Elementor <= 4.10.33 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting

The Premium Addons for Elementor plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via several parameters in all versions up to, and including, 4.10.33 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2023-23775

Multiple improper neutralization of special elements used in SQL commands 'SQL Injection' vulnerabilities CWE-89 in FortiSOAR 7.2.0 and before 7.0.3 may allow an authenticated attacker to execute unauthorized code or commands via specifically crafted strings parameters...

CVE-2024-5189 Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 5.9.23 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘customjs’ parameter in all versions up to, and including, 5.9.23 due to insufficient input sanitization and output escapin...