CVE-2024-27358
CVE-2024-27358 affects WithSecure Elements Agent and WithSecure Elements Client Security for macOS (23.x). The issue allows local users to block an admin from completing an installation, resulting in a Denial-of-Service (DoS). Affected components: Elements Agent and Elements Client Security on ma...
CVE-2024-6094 WP ULike < 4.7.1 - Admin+ Stored XSS
The WP ULike WordPress plugin before 4.7.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
Minfotech CMS 2.0 SQL Injection
Title: Minfotech CMS v2.0 Sql injection Vulnerability | Author: indoushka | Tested on: windows 10 FrPro / browser: Mozilla firefox 125.0.1 64 bits | ...
CVE-2024-6271
CVE-2024-6271 affects Community Events WordPress plugin prior to 1.5. The vulnerability is due to a missing CSRF check when deleting events, allowing a CSRF attack to cause a logged-in admin to delete arbitrary events. No exploitation details are provided in the documents. Remediation: upgrade to...
CVE-2024-5529 WP QuickLaTeX < 3.8.8 - Admin+ Stored XSS
The WP QuickLaTeX WordPress plugin before 3.8.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
CVE-2024-6908 Admin Can Escalate Privileges to SuperAdmin Using Manual PUT Request
Improper privilege management in Yugabyte Platform allows authenticated admin users to escalate privileges to SuperAdmin via a crafted PUT HTTP request, potentially leading to unauthorized access to sensitive system functions and data...
CVE-2023-7269
The ArtPlacer Widget WordPress plugin before 2.21.2 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack...
CVE-2024-5604 Bug Library < 2.1.2 - Admin+ Stored XSS
The Bug Library WordPress plugin before 2.1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
CVE-2024-41603
The CVE-2024-41603 entry applies to Spina CMS v2.18.0, where a Cross-Site Request Forgery (CSRF) vulnerability exists through the /admin/layout endpoint. The issue is described as a CSRF in the admin layout API, with CVSS v3.1 metrics: Network attack, low complexity, no privileges, user interacti...
CVE-2024-40322
An issue was discovered in JFinalCMS v.5.0.0. There is a SQL injection vulnerability via /admin/divdata/data...
CVE-2024-6073
The wp-cart-for-digital-products WordPress plugin before 8.5.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
CVE-2024-6076 WP eStore < 8.5.5 - Reflected XSS in Category Editing
The wp-cart-for-digital-products WordPress plugin before 8.5.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
CVE-2024-6076
The CVE-2024-6076 vulnerability affects the WordPress plugin WP eStore (wp-cart-for-digital-products) up to version 8.5.5. The issue is a reflected XSS caused by improper sanitisation/escaping of a parameter before it is echoed back on the page, potentially impacting high-privilege users (e.g., a...
CVE-2024-6074 WP eStore < 8.5.5 - Reflected XSS in Customer Editing
The wp-cart-for-digital-products WordPress plugin before 8.5.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
WordPress EventON plugin < 2.2.15 - Admin+ Stored Cross-Site Scripting via event subtitle vulnerability
Admin+ Stored Cross-Site Scripting via event subtitle vulnerability discovered by Felipe Caon in WordPress Plugin EventON versions 2.2.15...
Atlassian Confluence Administrator Code Macro Remote Code Execution Exploit
This Metasploit module exploits an authenticated administrator-level vulnerability in Atlassian Confluence, tracked as CVE-2024-21683. The vulnerability exists due to the Rhino script engine parser evaluating tainted data from uploaded text files. This facilitates arbitrary code execution. This...
CVE-2024-5151
The SULly WordPress plugin before 4.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed for example in multisite setup...
CVE-2024-2870
The socialdriver-framework WordPress plugin before 2024.04.30 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...