Lucene search

1440 matches found

Cvelist
added 2024/11/19 11:2 a.m. | 40 views

CVE-2024-11036 GamiPress – The #1 gamification plugin to reward points, achievements, badges & ranks in WordPress <= 7.1.5 - Unauthenticated Arbitrary Shortcode Execution via gamipress_get_user_earnings

The GamiPress – The #1 gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to arbitrary shortcode execution via the gamipress_get_user_earnings AJAX action in all versions up to, and including, 7.1.5. This is due to the software allowing...

CVSS 7.3 | EPSS 0.00712 | Exploits 0 | References 5

Vulnrichment
added 2024/11/19 12:0 a.m. | 17 views

CVE-2024-52763

A cross-site scripting (XSS) vulnerability in the component /graphallperiods.php of Ganglia-web v3.73 to v3.75 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the "g" parameter...

AI score 5.8 | EPSS 0.00628 | Exploits 1 | References 1

CISA KEV Catalog
added 2024/11/18 12:0 a.m. | 43 views

Progress Kemp LoadMaster OS Command Injection Vulnerability

Progress Kemp LoadMaster contains an OS command injection vulnerability that allows an unauthenticated, remote attacker to access the system through the LoadMaster management interface, enabling arbitrary system command execution...

CVSS 10 | AI score 7.6 | EPSS 0.95388 | In wild | Exploits 9

NVD
added 2024/11/16 4:15 a.m. | 27 views

CVE-2024-9839

The Uix Slideshow plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.6.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for...

CVSS 7.3 | EPSS 0.00577 | Exploits 0 | References 2

GitHub Security Blog
added 2024/11/15 3:54 p.m. | 22 views

LibreNMS has an Authenticated OS Command Injection

Summary: An authenticated attacker can create dangerous directory names on the system and alter sensitive configuration parameters through the web portal. Those two defects combined then allow injecting arbitrary OS commands inside shell_exec calls, thus achieving arbitrary code execution. Details...

CVSS 9.1 | AI score 7.8 | EPSS 0.06933 | Exploits 4 | References 4 | Affected Software 1

Vulnrichment
added 2024/11/15 10:57 a.m. | 11 views

CVE-2023-2332 Stored Cross-site Scripting (XSS) in pimcore/pimcore

A stored Cross-site Scripting (XSS) vulnerability exists in the Conditions tab of Pricing Rules in pimcore/pimcore versions 10.5.19. The vulnerability is present in the From and To fields of the Date Range section, allowing an attacker to inject malicious scripts. This can lead to the execution of...

CVSS 4 | AI score 4 | EPSS 0.00356 | Exploits 1 | References 2

NVD
added 2024/11/14 4:15 p.m. | 21 views

CVE-2024-52505

matrix-appservice-irc is a Node.js IRC bridge for the Matrix messaging protocol. The provisioning API of the matrix-appservice-irc bridge up to version 3.0.2 contains a vulnerability which can lead to arbitrary IRC command execution as the bridge IRC bot. The vulnerability has been patched in...

CVSS 5.4 | EPSS 0.00374 | Exploits 0 | References 2

OSV
added 2024/11/14 3:29 p.m. | 10 views

CVE-2024-52505 matrix-appservice-irc allows IRC Command injection in provisioning API

matrix-appservice-irc is a Node.js IRC bridge for the Matrix messaging protocol. The provisioning API of the matrix-appservice-irc bridge up to version 3.0.2 contains a vulnerability which can lead to arbitrary IRC command execution as the bridge IRC bot. The vulnerability has been patched in...

CVSS 5.4 | AI score 7.2 | EPSS 0.00374 | Exploits 0 | References 4

AMD
added 2024/11/12 12:0 a.m. | 20 views

AMD Cloud Manageability Service Incorrect Default Permissions Vulnerability

Bulletin ID: AMD-SB-9006 Potential Impact: Incorrect Default Permissions Leading to Arbitrary Execution Severity: High Summary A researcher reported an incorrect default permissions vulnerability within the AMD Cloud Manageability Service (ACMS) Software. ACMS is designed to help enable IT...

CVSS 7.3 | AI score 7.9 | EPSS 0.0023 | Exploits 0

AMD
added 2024/11/12 12:0 a.m. | 21 views

AMD Management Plugin for SCCM Incorrect Default Permissions Vulnerability

Bulletin ID: AMD-SB-9005 Potential Impact: Incorrect Default Permissions Leading to Arbitrary Execution Severity: High Summary An incorrect default permissions vulnerability is identified within the AMD Management Plugin for the Microsoft® System Center Configuration Manager (SCCM). The plugin is...

CVSS 7.8 | AI score 7.7 | EPSS 0.00224 | Exploits 0

AMD
added 2024/11/12 12:0 a.m. | 13 views

AMD Management Console Incorrect Default Permissions Vulnerability

Bulletin ID: AMD-SB-9003 Potential Impact: Incorrect Default Permissions Leading to Arbitrary Execution Severity: High Summary A researcher reported an incorrect default permissions vulnerability within AMD Management Console Software. AMD Management Console (AMC) is a GUI-based manageability...

CVSS 7.3 | AI score 7.7 | EPSS 0.00274 | Exploits 0

AMD
added 2024/11/12 12:0 a.m. | 16 views

AMD Provisioning Console Incorrect Default Permissions Vulnerability

Bulletin ID: AMD-SB-9007 Potential Impact: Incorrect Default Permissions Leading to Arbitrary Execution Severity: High Summary A researcher reported an incorrect default permissions vulnerability within the AMD Provisioning Console Software. The researcher’s report noted that AMD Provisioning...

CVSS 7.3 | AI score 7.7 | EPSS 0.00274 | Exploits 0

AMD
added 2024/11/12 12:0 a.m. | 22 views

Ryzen™ Master Monitoring SDK & AMD Ryzen™ Master Utility Incorrect Default Permission Vulnerabilities

Bulletin ID: AMD-SB-9004 Potential Impact: Incorrect Default Permissions Leading to Arbitrary Execution Severity: High Summary The AMD Ryzen™ Master Monitoring SDK is a public distribution that is designed to allow software developers to add processor and memory functions to their own utilities...

CVSS 7.3 | AI score 7.6 | EPSS 0.00236 | Exploits 0

AMD
added 2024/11/12 12:0 a.m. | 21 views

AMD Graphics Driver Installer Vulnerability

Bulletin ID: AMD-SB-6015 Potential Impact: Incorrect Default Permissions Leading to Arbitrary Execution Severity: High Summary A researcher reported an incorrect default permissions vulnerability within AMD HIP SDK Software. The AMD HIP SDK is a software development kit (SDK) designed to allow...

CVSS 7.8 | AI score 7.4 | EPSS 0.00262 | Exploits 0

CVE
added 2024/11/11 12:0 a.m. | 57 views

CVE-2024-46962

The CVE-2024-46962 entry concerns SYQ’s com.downloader.video.fast (Master Video Downloader) for Android up to version 2.0. Public sources describe that an attacker can exploit the com.downloader.video.fast.SpeedMainAct component to execute arbitrary JavaScript code. The Red Hat, NVD, CNNVD, CVE/C...

CVSS 9.1 | AI score 7.8 | EPSS 0.00377 | Exploits 0 | References 2

CNNVD
added 2024/11/10 12:0 a.m. | 3 views

D-Link DI-8003 Command Injection Vulnerability

The D-Link DI-8003 is a wireless router from China-based AUO D-Link. A command injection vulnerability exists in the D-Link DI-8003 version 16.07.16A1, which stems from the parameter path in the file /upgradefilter.asp failing to correctly filter construct command special characters, commands, et...

CVSS 9.8 | AI score 7.8 | EPSS 0.0425 | Exploits 1 | References 5

NVD
added 2024/11/09 12:15 p.m. | 18 views

CVE-2024-10261

The Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.13.0. This is due to the software allowing users to execute an action that does not...

CVSS 7.3 | EPSS 0.00441 | Exploits 0 | References 2

CVE
added 2024/11/09 11:19 a.m. | 48 views

CVE-2024-10640

CVE-2024-10640 concerns the FOX – Currency Switcher Professional for WooCommerce (WordPress) plugin. It allows unauthenticated users to trigger arbitrary shortcode execution because the value passed to do_shortcode is not properly validated. Affected versions are up to and including 1.4.2.2; the ...

CVSS 7.3 | AI score 7.4 | EPSS 0.00441 | Exploits 0 | References 2

Cvelist
added 2024/11/09 11:19 a.m. | 19 views

CVE-2024-10640 The FOX – Currency Switcher Professional for WooCommerce <= 1.4.2.2 - Unauthenticated Arbitrary Shortcode Execution

The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.4.2.2. This is due to the software allowing users to execute an action that does not properly validate a value before running...

CVSS 7.3 | EPSS 0.00441 | Exploits 0 | References 2

CNVD
added 2024/11/07 12:0 a.m. | 5 views

NETGEAR R8500 ether.cgi Component Command Injection Vulnerability

The NETGEAR R8500 is a wireless router from NETGEAR. A command injection vulnerability exists in the NETGEAR R8500 v1.0.2.160, which stems from the wangateway parameter in the ether.cgi component failing to correctly filter constructed command special characters, commands, and so on. An attacker...

CVSS 8 | AI score 7.4 | EPSS 0.00935 | Exploits 0 | References 1