1378 matches found

CVE-2024-30250 (added 2024/04/04 2:57 p.m., 54 views)

Astro-Shield (KindSpells) vulnerability CVE-2024-30250 affects versions 1.2.0–1.3.1, where injecting a correct SRI attribute into code causes the injected resource to be considered legitimate by CSP, enabling bypass of cross-origin allow-lists. Root cause: the SRI hash is added to the CSP header,...

CVSS 7.5 | AI score 7.6 | EPSS 0.0031 | Exploits 0 | References 4 | Affected software 1

CVE-2024-22189 (added 2024/04/04 2:25 p.m., 343 views)

The CVE concerns quic-go prior to v0.42.0, where an attacker can cause memory exhaustion on the peer by flooding it with NEW_CONNECTION_ID frames that retire old connection IDs. The receiver is expected to reply with RETIRE_CONNECTION_ID frames for each retirement; an attacker can prevent most of the...

CVSS 7.5 | AI score 7.5 | EPSS 0.011 | Exploits 0 | References 4

CVE-2024-22360 (added 2024/04/03 12:32 p.m., 81 views)

CVE-2024-22360 (IBM Db2 on Cloud Pak for Data) is a denial-of-service issue triggered by a specially crafted query on certain columnar tables. Affected products include IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data, with versions listed as v3.5 through various refresh leve...

CVSS 6.5 | AI score 5.1 | EPSS 0.00653 | Exploits 0 | References 3 | Affected software 1

CVE-2024-27254 (added 2024/04/03 12:24 p.m., 96 views)

CVE-2024-27254 affects IBM Db2 on Cloud Pak for Data and Db2 Warehouse on Cloud Pak for Data (versions in the 3.0/4.x line as listed in the remediation table) with a denial-of-service condition from a specially crafted query. The connected Red Hat entry confirms the vulnerability details and scop...

CVSS 6.5 | AI score 5.2 | EPSS 0.00653 | Exploits 0 | References 3 | Affected software 1

CVE-2024-27191 (added 2024/04/03 12:04 p.m., 80 views)

CVE-2024-27191 concerns the WordPress plugin Slivery Extender (Inpersttion Slivery Extender). Public sources describe an "Improper Control of Generation of Code (Code Injection)" vulnerability that enables an authenticated attacker (Contributor+) to execute arbitrary code via the plugin’s shortco...

CVSS 8.5 | AI score 7.3 | EPSS 0.00816 | Exploits 0 | References 2

CVE-2024-28782 (added 2024/04/03 12:00 p.m., 72 views)

IBM CVE-2024-28782 affects IBM QRadar Suite Software and IBM Cloud Pak for Security: QRadar Suite 1.10.12.0–1.10.18.0 and Cloud Pak for Security 1.10.0.0–1.10.11.0 store user credentials in clear text, readable by an authenticated user. Root cause is plaintext credential storage, enabling in...

CVSS 6.5 | AI score 6.1 | EPSS 0.00365 | Exploits 0 | References 2 | Affected software 2

CVE-2024-28219 (added 2024/04/03 12:00 a.m., 410 views)

CVE-2024-28219 affects the Pillow Python imaging library. In _imagingcms.c, a buffer overflow was introduced because strcpy was used instead of a safer copy like strncpy, impacting Pillow before version 10.3.0. The issue filename and function indicate a likely overflow related to fixed-length str...

CVSS 6.7 | AI score 6.8 | EPSS 0.00989 | Exploits 0 | References 4 | Affected software 1

CVE-2023-35812 (added 2024/04/03 12:00 a.m., 138 views)

CVE-2023-35812 affects OpenSSH 7.4 in Amazon Linux 1/2. The issue stems from an incomplete mitigation for CVE-2019-6111: when a relative path is used with scp, the client does not verify that the received filename matches the requested one, allowing potential file misassociation. Public advisorie...

CVSS 5.3 | AI score 6.4 | EPSS 0.00411 | Exploits 0 | References 1

CVE-2024-30173 (added 2024/04/02 7:30 p.m., 20 views)

CVE-2024-30173 maps to an authentication bypass in the TYPO3 OpenID Connect Authentication extension. The TYPO3 extension’s authentication service does not verify the OpenID Connect authentication state from the user lookup chain and instead authenticates every valid frontend user whose tx_oidc f...

AI score 7.3 | EPSS 0.00434 | Exploits 0

CVE-2023-50960 (added 2024/03/26 9:52 p.m., 32 views)

IBM QRadar SIEM is vulnerable to CVE-2023-50960, a stored cross-site scripting flaw in the Web UI. The IBM bulletin specifies the affected product as IBM QRadar SIEM 7.5.0 UP7, with the fix in 7.5.0 UP8; exploitation details are not provided beyond the stored XSS description, and the impact is potential cr...

AI score 7.3 | Exploits 0

CVE-2024-24883 (added 2024/03/21 5:55 p.m., 74 views)

CVE-2024-24883 affects BdThemes Prime Slider – Addons For Elementor (WordPress). Affected versions: up to 3.11.10. Root cause: a missing authorization check in bdt_duplicate_as_draft() allows authenticated users with contributor-level access and above to duplicate private/password-protected posts. ...

CVSS 4.3 | AI score 8.6 | EPSS 0.0035 | Exploits 0 | References 1 | Affected software 1

CVE-2024-25907 (added 2024/03/21 5:53 p.m., 64 views)

CVE-2024-25907 affects WP Media Folder plugin for WordPress (versions

CVSS 5.4 | AI score 8.6 | EPSS 0.00364 | Exploits 0 | References 1

CVE-2024-24850 (added 2024/03/21 5:49 p.m., 81 views)

CVE-2024-24850: Quicksand Post Filter jQuery Plugin (WordPress) <= 3.1.1 has a Missing Authorization vulnerability via quicksand_admin_ajax, allowing unauthenticated access to delete arbitrary site options (Broken Access Control). The CVE is listed with a high risk in WordPress vulnerability f...

CVSS 5.3 | AI score 8.6 | EPSS 0.00359 | Exploits 0 | References 1

CVE-2024-25912 (added 2024/03/21 5:36 p.m., 88 views)

CVE-2024-25912 concerns the WordPress Moveto (MoveTo) plugin by Skymoonlabs, affecting MoveTo versions from n/a through 6.2. The root issue is Missing Authorization, allowing an unauthenticated attacker to perform an Unauthenticated Settings Change. The CVSS 3.1 base score is 9.8 (Network attack ...

CVSS 9.8 | AI score 8.6 | EPSS 0.00582 | Exploits 0 | References 1

CVE-2023-51672 (added 2024/03/21 5:25 p.m., 106 views)

CVE-2023-51672 affects FunnelKit Checkout (WordPress plugin). The issue is Unauthenticated Arbitrary Content Deletion (arbitrary post/page deletion) due to missing authorization, affecting FunnelKit Checkout versions up to and including 3.10.3. The CVSS 3.1 base score is 7.5 (HIGH) with network a...

CVSS 7.5 | AI score 8.6 | EPSS 0.00529 | Exploits 0 | References 1

CVE-2024-29019 (added 2024/03/21 3:54 p.m., 120 views)

CVE-2024-29019 affects ESPHome’s dashboard API (version 2023.12.9 and prior) and is due to a CSRF flaw that lets a logged-in user’s session perform operations on configuration files if the victim visits a weaponized page. The issue enables bypassing authentication for API calls that manipulate co...

CVSS 8.1 | AI score 6.8 | EPSS 0.00269 | Exploits 0 | References 2

CVE-2024-27966 (added 2024/03/21 3:30 p.m., 68 views)

CVE-2024-27966 is a stored XSS in the WordPress plugin “Quiz And Survey Master” (ExpressTech) affecting versions up to 8.2.2. The root cause is improper neutralization of input during web page generation, enabling stored cross-site scripting when used by authenticated users. Wordfence/RedHat/NVD ...

CVSS 5.9 | AI score 8.6 | EPSS 0.00338 | Exploits 0 | References 1

CVE-2024-27967 (added 2024/03/21 3:29 p.m., 69 views)

CVE-2024-27967 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the plugin “DSGVO All in one for WP” by Michael Leithold. The vulnerability affects versions from n/a up to 4.3. The NVD metrics indicate a high-severity impact (CVSS v3.1: 8.8, HIGH) with network attack vector, no priv...

CVSS 8.8 | AI score 8.6 | EPSS 0.00227 | Exploits 0 | References 1 | Affected software 1

CVE-2024-27969 (added 2024/03/21 3:27 p.m., 48 views)

CVE-2024-27969 affects the Free Downloads WooCommerce WordPress plugin (Free Downloads WooCommerce) and is a Stored XSS vulnerability. It impacts Free Downloads WooCommerce versions up to 3.5.8.2 and arises from improper input neutralization during web page generation. Public sources in the Conne...

CVSS 6.5 | AI score 8.6 | EPSS 0.00312 | Exploits 0 | References 1

CVE-2024-27985 (added 2024/03/21 3:18 p.m., 55 views)

CVE-2024-27985: Deserialization of untrusted data in PropertyHive (WordPress) allows PHP Object Injection in versions up to 2.0.9 (authenticated as Subscriber+). Impact details per CVSS: 8.8 (HIGH) with network attack vector, no user interaction required; affects confidentiality, integrity, and ...

CVSS 8.8 | AI score 8.6 | EPSS 0.00376 | Exploits 0 | References 1 | Affected software 1