CVE-2024-45816
Backstage is an open framework for building developer portals. When using the AWS S3 or GCS storage provider for TechDocs it is possible to access content in the entire storage bucket. This can leak contents of the bucket that are not intended to be accessible, as well as bypass permission checks...
CVE-2024-45815 Prototype pollution in @backstage/plugin-catalog-backend
Backstage is an open framework for building developer portals. A malicious actor with authenticated access to a Backstage instance with the catalog backend plugin installed is able to interrupt the service using a specially crafted query to the catalog API. This has been fixed in the 1.26.0 relea...
CVE-2024-45496
A flaw was found in OpenShift. This issue occurs due to the misuse of elevated privileges in the OpenShift Container Platform's build process. During the build initialization step, the git-clone container is run with a privileged security context, allowing unrestricted access to the node. An...
WordPress Share This Image Plugin <= 2.03 is vulnerable to Open Redirection
Software Share This Image | Type Plugin | Vulnerable versions = 2.03 | Fixed in 2.04 | OWASP Top 10 A1: Injection | Classification Open Redirection | CVE CVE-2024-8761 | Patch priority Low | CVSS severity Low 4.7 | Developer Claim ownership | PSID 2b483c93b8d5 | Credits Krzysztof Zając | Required privilege Unauthenticat...
WordPress Houzez Theme <= 3.2.4 is vulnerable to Privilege Escalation
Software Houzez | Type Theme | Vulnerable versions = 3.2.4 | Fixed in 3.3.0 | OWASP Top 10 A5: Security Misconfiguration | Classification Privilege Escalation | CVE CVE-2024-22303 | Patch priority High | CVSS severity High 8.8 | Developer Claim ownership | PSID 51553a618b56 | Credits luc | Required privilege Subscriber...
mozilla: Internal event interfaces were exposed to web content when browser EventHandler listener callbacks ran
The Mozilla Foundation's Security Advisory: Internal browser event interfaces were exposed to web content when privileged EventHandler listener callbacks ran for those events. Web content that tried to use those interfaces would not be able to use them with elevated privileges, but their presence...
WordPress Bricks Builder Theme <= 1.10.1 is vulnerable to Cross Site Scripting (XSS)
Software Bricks Builder | Type Theme | Vulnerable versions = 1.10.1 | Fixed in 1.10.2 | OWASP Top 10 A7: Cross-Site Scripting XSS | Classification Cross Site Scripting XSS | CVE CVE-2023-3410 | Patch priority Low | CVSS severity Low 5.9 | Developer Claim ownership | PSID acd84adffb41 | Credits Ram | Required privilege...
WordPress SKT Templates – Elementor & Gutenberg templates Plugin <= 6.14 is vulnerable to Cross Site Scripting (XSS)
Software SKT Templates – Elementor & Gutenberg templates | Type Plugin | Vulnerable versions = 6.14 | Fixed in 6.15 | OWASP Top 10 A3: Injection | Classification Cross Site Scripting XSS | CVE CVE-2024-44007 | Patch priority Medium | CVSS severity Medium 7.1 | Developer Claim ownership | PSID c6e7fe073020 | Credits...
WordPress Greenshift – animation and page builder blocks Plugin <= 9.3.7 is vulnerable to Cross Site Scripting (XSS)
Software Greenshift – animation and page builder blocks | Type Plugin | Vulnerable versions = 9.3.7 | Fixed in 9.4 | OWASP Top 10 A3: Injection | Classification Cross Site Scripting XSS | CVE CVE-2024-44005 | Patch priority Low | CVSS severity Low 6.5 | Developer Claim ownership | PSID 6b98adee659f | Credits João Pedr...
WordPress Geo Mashup Plugin <= 1.13.12 is vulnerable to Cross Site Scripting (XSS)
Software Geo Mashup | Type Plugin | Vulnerable versions = 1.13.12 | Fixed in 1.13.13 | OWASP Top 10 A3: Injection | Classification Cross Site Scripting XSS | CVE CVE-2024-44008 | Patch priority Low | CVSS severity Low 6.5 | Developer Dylan Kuhn | PSID d830e975a22f | Credits LVT-tholv2k | Required privilege Contributor...
WordPress MStore API Plugin <= 4.15.3 is vulnerable to Arbitrary File Upload
Software MStore API | Type Plugin | Vulnerable versions = 4.15.3 | Fixed in 4.15.4 | OWASP Top 10 A1: Injection | Classification Arbitrary File Upload | CVE CVE-2024-8242 | Patch priority Medium | CVSS severity Medium 4.3 | Developer Claim ownership | PSID 5f5d39cca07a | Credits stealthcopter | Required privilege...
WordPress Carousel Slider Plugin < 2.2.14 is vulnerable to Cross Site Scripting (XSS)
Software Carousel Slider | Type Plugin | Vulnerable versions 2.2.14 | Fixed in 2.2.4 | OWASP Top 10 A7: Cross-Site Scripting XSS | Classification Cross Site Scripting XSS | CVE CVE-2024-6850 | Patch priority Low | CVSS severity Low 6.5 | Developer Claim ownership | PSID 7f793427535a | Credits Krugov Artyom | Required...
WordPress YITH Custom Login Plugin <= 1.7.3 is vulnerable to Cross Site Scripting (XSS)
Software YITH Custom Login | Type Plugin | Vulnerable versions = 1.7.3 | Fixed in 1.7.4 | OWASP Top 10 A7: Cross-Site Scripting XSS | Classification Cross Site Scripting XSS | CVE CVE-2024-8665 | Patch priority Medium | CVSS severity Medium 7.1 | Developer YITH | PSID 91c2ea88e903 | Credits vgo0 | Required privilege...
WordPress WP Simple Booking Calendar Plugin <= 2.0.10 is vulnerable to Cross Site Scripting (XSS)
Software WP Simple Booking Calendar | Type Plugin | Vulnerable versions = 2.0.10 | Fixed in 2.0.11 | OWASP Top 10 A7: Cross-Site Scripting XSS | Classification Cross Site Scripting XSS | CVE CVE-2024-8663 | Patch priority Medium | CVSS severity Medium 7.1 | Developer Claim ownership | PSID 00e7be38a235 | Credits vgo0...
WordPress Stream Plugin <= 4.0.1 is vulnerable to Cross Site Request Forgery (CSRF)
Software Stream | Type Plugin | Vulnerable versions = 4.0.1 | Fixed in 4.0.2 | OWASP Top 10 A5: Broken Access Control | Classification Cross Site Request Forgery CSRF | CVE CVE-2024-7423 | Patch priority Low | CVSS severity Low 8.8 | Developer Claim ownership | PSID c46db6dcec76 | Credits vgo0 | Required privilege...
WordPress NinjaTeam Header Footer Custom Code Plugin < 1.2 is vulnerable to Cross Site Scripting (XSS)
Software NinjaTeam Header Footer Custom Code | Type Plugin | Vulnerable versions 1.2 | Fixed in 1.2 | OWASP Top 10 A7: Cross-Site Scripting XSS | Classification Cross Site Scripting XSS | CVE CVE-2024-6493 | Patch priority Low | CVSS severity Low 5.9 | Developer Claim ownership | PSID 618713328f1e | Credits Takshal...
Important: Red Hat Security Advisory: Red Hat OpenShift Dev Spaces 3.16.0 release
Red Hat OpenShift Dev Spaces 3.16 has been released. All containers have been updated to include feature enhancements, bug fixes and CVE fixes. Following the Red Hat Product Security standards this update is rated as having a security impact of Important. The Common Vulnerability Scoring System...
WordPress WordPress Tag Cloud Plugin – Tag Groups Plugin <= 2.0.3 is vulnerable to Sensitive Data Exposure
Software WordPress Tag Cloud Plugin – Tag Groups | Type Plugin | Vulnerable versions = 2.0.3 | Fixed in 2.0.4 | OWASP Top 10 A1: Broken Access Control | Classification Sensitive Data Exposure | CVE CVE-2024-43237 | Patch priority Low | CVSS severity Low 5.3 | Developer Claim ownership | PSID d69c3848e4ee | Credits Pen...
WordPress CM Pop-Up banners Plugin < 1.7.3 is vulnerable to Cross Site Scripting (XSS)
Software CM Pop-Up banners | Type Plugin | Vulnerable versions 1.7.3 | Fixed in 1.7.3 | OWASP Top 10 A7: Cross-Site Scripting XSS | Classification Cross Site Scripting XSS | CVE CVE-2024-5799 | Patch priority Low | CVSS severity Low 6.5 | Developer Claim ownership | PSID 747794d443c6 | Credits Eunho Kim | Required...