Themis Solutions, Inc. Security Vulnerabilities
A vulnerability classified as problematic has been found in playSMS up to 1.4.7. Affected is an unknown function of the file /index.php?app=main&inc=feature_schedule&op=list of the component SMS Schedule Handler. The manipulation of the argument name/message leads to basic cross site scripting. It....
3.5CVSS
0.0004EPSS
The Elementor Header & Footer Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the flyout_layout attribute in all versions up to, and including, 1.6.24 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with.....
6.4CVSS
5.8AI Score
0.0004EPSS
CVE-2024-5851 playSMS SMS Schedule cross site scripting
A vulnerability classified as problematic has been found in playSMS up to 1.4.7. Affected is an unknown function of the file /index.php?app=main&inc=feature_schedule&op=list of the component SMS Schedule Handler. The manipulation of the argument name/message leads to basic cross site scripting. It....
3.5CVSS
6.4AI Score
0.0004EPSS
The Starter Templates — Elementor, WordPress & Beaver Builder Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘custom_upload_mimes’ function in versions up to, and including, 4.2.0 due to insufficient input sanitization and output escaping. This makes it...
6.4CVSS
5.7AI Score
0.001EPSS
The Restaurant Solutions – Checklist plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Checklist points in version 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to...
4.4CVSS
4.5AI Score
0.0004EPSS
Summary IBM i Access Client Solutions is vulnerable to a remote attacker bypassing integrity checks (CVE-2023-48795) found in Apache Mina SSHD Common. Apache Mina SSHD Common is used by the Open Source Package Manager feature of IBM i Access Client Solutions when authenticating to the IBM i...
5.9CVSS
6.8AI Score
0.963EPSS
Today we are releasing Grafana 9.2. Alongside with new features and other bug fixes, this release includes a Moderate severity security fix for CVE-2022-31130 We are also releasing security patches for Grafana 9.1.8 and Grafana 8.5.14 to fix these issues. Release 9.2, latest release, also...
7.5CVSS
7.5AI Score
0.001EPSS
Improved Guidance for Azure Network Service Tags
Summary Microsoft Security Response Center (MSRC) was notified in January 2024 by our industry partner, Tenable Inc., about the potential for cross-tenant access to web resources using the service tags feature. Microsoft acknowledged that Tenable provided a valuable contribution to the Azure...
7.2AI Score
CVE-2024-5851 playSMS SMS Schedule cross site scripting
A vulnerability classified as problematic has been found in playSMS up to 1.4.7. Affected is an unknown function of the file /index.php?app=main&inc=feature_schedule&op=list of the component SMS Schedule Handler. The manipulation of the argument name/message leads to basic cross site scripting. It....
3.5CVSS
0.0004EPSS
BMC Control-M branches 9.0.20 and 9.0.21 upon user login load all Dynamic Link Libraries (DLL) from a directory that grants Write and Read permissions to all users. Leveraging it leads to loading of a potentially malicious libraries, which will execute with the application's privileges. Fix for...
6.6CVSS
6.9AI Score
0.0004EPSS
TIBCO Security Advisory: May 14, 2024 - TIBCO Hawk - CVE-2024-3182
**TIBCO Hawk install-time password disclosure vulnerability ** Original release date: May 14, 2024 Last revised: --- CVE-2024-3182 Source: TIBCO Software Inc. Products Affected TIBCO Hawk versions 6.2.0, 6.2.1, 6.2.2 and 6.2.3. Component Affected: TIBCO Hawk Universal Installer including the...
6.5CVSS
6.9AI Score
0.0004EPSS
Pentaho Business Analytics Information Disclosure Vulnerability - Active Check
Pentaho Business Analytics is prone to an information disclosure...
6.5AI Score
0.005EPSS
Under certain circumstances the Microsoft® Internet Information Server (IIS) used to host the C•CURE 9000 Web Server will log Microsoft Windows credential details within logs. There is no impact to non-web service interfaces C•CURE 9000 or prior...
7AI Score
0.0004EPSS
CVE-2024-0912 CCURE passwords exposed to administrators
Under certain circumstances the Microsoft® Internet Information Server (IIS) used to host the C•CURE 9000 Web Server will log Microsoft Windows credential details within logs. There is no impact to non-web service interfaces C•CURE 9000 or prior...
6.5AI Score
0.0004EPSS
An issue was discovered on certain Nuki Home Solutions devices. The code used to parse the JSON objects received from the WebSocket service provided by the device leads to a stack buffer overflow. An attacker would be able to exploit this to gain arbitrary code execution on a KeyTurner device....
8AI Score
EPSS
The Elementor Header & Footer Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the url attribute within the plugin's Site Title widget in all versions up to, and including, 1.6.35 due to insufficient input sanitization and output escaping. This makes it possible for...
6.4CVSS
5.7AI Score
0.0004EPSS
The HTML5 Audio Player- Best WordPress Audio Player Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 2.2.19 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...
6.4CVSS
5.9AI Score
0.001EPSS
The NextScripts: Social Networks Auto-Poster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the HTTP_USER_AGENT header in all versions up to, and including, 4.4.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers....
6.1CVSS
6.2AI Score
0.0004EPSS
Vulnerability in WBSAirback 21.02.04, which involves improper neutralisation of Server-Side Includes (SSI), through License (/admin/CDPUsers). Exploitation of this vulnerability could allow a remote user to execute arbitrary...
6.6CVSS
7.5AI Score
0.0004EPSS
Uncontrolled resource consumption vulnerability in White Bear Solutions WBSAirback, version 21.02.04. This vulnerability could allow an attacker to send multiple command injection payloads to influence the amount of resources...
6.5CVSS
7.3AI Score
0.0004EPSS
CVE-2024-32752 Johnson Controls Software House iStar Pro Door Controller
Under certain circumstances communications between the ICU tool and an iSTAR Pro door controller is susceptible to Machine-in-the-Middle attacks which could impact door control and...
0.0004EPSS
An issue was discovered on certain Nuki Home Solutions devices. The code used to parse the JSON objects received from the WebSocket service provided by the device leads to a stack buffer overflow. An attacker would be able to exploit this to gain arbitrary code execution on a KeyTurner device....
7.8AI Score
EPSS
Summary IBM i Access Client Solutions is vulnerable to an infinite loop (CVE-2024-25710) or an out of memory error (CVE-2024-26308) in Apache Commons Compress. Apache Commons Compress is used by the Data Transfer feature of IBM i Access Client Solutions when transferring data from (reading) xls...
8.1CVSS
7.3AI Score
0.001EPSS
MyBB HTTP Header 'CLIENT-IP' Field SQLi
The version of MyBB installed on the remote host is affected by a SQL injection vulnerability due to improper sanitization of user-supplied input to the 'CLIENT-IP' request header before using it in a database query when initiating a session in the inc/class_session.php script. A remote attacker...
7.1AI Score
0.012EPSS
Grafana Email addresses and usernames can not be trusted
Today we are releasing Grafana 9.2.4. Alongside other bug fixes, this patch release includes moderate severity security fixes for CVE-2022-39306. We are also releasing security patches for Grafana 8.5.15 to fix these issues. Release 9.2.4, latest patch, also containing security fix: Download...
8.1CVSS
8.3AI Score
0.002EPSS
An issue was discovered on certain Nuki Home Solutions devices. The code used to parse the JSON objects received from the WebSocket service provided by the device leads to a stack buffer overflow. An attacker would be able to exploit this to gain arbitrary code execution on a KeyTurner device....
7.8AI Score
EPSS
Under certain circumstances communications between the ICU tool and an iSTAR Pro door controller is susceptible to Machine-in-the-Middle attacks which could impact door control and...
7.1AI Score
0.0004EPSS
CVE-2024-32752 Johnson Controls Software House iStar Pro Door Controller
Under certain circumstances communications between the ICU tool and an iSTAR Pro door controller is susceptible to Machine-in-the-Middle attacks which could impact door control and...
6.9AI Score
0.0004EPSS
Under certain circumstances communications between the ICU tool and an iSTAR Pro door controller is susceptible to Machine-in-the-Middle attacks which could impact door control and...
0.0004EPSS
CVE-2024-0912 CCURE passwords exposed to administrators
Under certain circumstances the Microsoft® Internet Information Server (IIS) used to host the C•CURE 9000 Web Server will log Microsoft Windows credential details within logs. There is no impact to non-web service interfaces C•CURE 9000 or prior...
6.8AI Score
0.0004EPSS
An issue in MarvinTest Solutions Hardware Access Driver v.5.0.3.0 and before and fixed in v.5.0.4.0 allows a local attacker to escalate privileges via the Hw65.sys...
6.5AI Score
EPSS
CVE-2024-1605 DLL side-loading in BMC Control-M
BMC Control-M branches 9.0.20 and 9.0.21 upon user login load all Dynamic Link Libraries (DLL) from a directory that grants Write and Read permissions to all users. Leveraging it leads to loading of a potentially malicious libraries, which will execute with the application's privileges. Fix for...
6.6CVSS
6.8AI Score
0.0004EPSS
Under certain circumstances the Microsoft® Internet Information Server (IIS) used to host the C•CURE 9000 Web Server will log Microsoft Windows credential details within logs. There is no impact to non-web service interfaces C•CURE 9000 or prior...
6.5AI Score
0.0004EPSS
An issue in MarvinTest Solutions Hardware Access Driver v.5.0.3.0 and before and fixed in v.5.0.4.0 allows a local attacker to escalate privileges via the Hw65.sys...
7.2AI Score
EPSS
An issue in MarvinTest Solutions Hardware Access Driver v.5.0.3.0 and before and fixed in v.5.0.4.0 allows a local attacker to escalate privileges via the Hw65.sys...
6.5AI Score
EPSS
Vulnerability in WBSAirback 21.02.04, which consists of a stored Cross-Site Scripting (XSS) through /admin/CloudAccounts, account name / user password / server fields, all parameters. Exploitation of this vulnerability could allow a remote user to send a specially crafted URL to the victim and...
4.8CVSS
6AI Score
0.0004EPSS
A vulnerability was found in Techkshetra Info Solutions Savsoft Quiz 6.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /public/index.php/Qbank/editCategory of the component Category Page. The manipulation of the argument category_name with the...
2.4CVSS
3.3AI Score
0.0004EPSS
Summary There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 8 that are used by Maximo Asset Management, Maximo Industry Solutions (including Maximo for Nuclear Power, Maximo for Transportation, Maximo for Life Sciences, Maximo for Oil and Gas and Maximo for Utilities).....
5.9CVSS
6.1AI Score
0.0004EPSS
SQL injection vulnerability in inc/common.php in GlobalMegaCorp dvddb 0.6 allows remote attackers to execute arbitrary SQL commands via the user parameter. NOTE: this issue has been disputed by a reliable third party, who states that inc/common.php only contains function...
8.3AI Score
0.002EPSS
Genesco Inc. Confirms Payment Card Data Breach in U.S. Stores
Specialty retailer Genesco Inc. announced on Friday that it experienced a criminal intrusion into the part of its computer network that processes payment card transactions. Some card details might have been compromised. However, the company quickly secured the affected network segment and...
7.1AI Score
SQL injection vulnerability in inc/common.php in GlobalMegaCorp dvddb 0.6 allows remote attackers to execute arbitrary SQL commands via the user parameter. NOTE: this issue has been disputed by a reliable third party, who states that inc/common.php only contains function...
8.3AI Score
0.002EPSS
The ColorMag theme for WordPress is vulnerable to Stored Cross-Site Scripting via a user's Display Name in all versions up to, and including, 3.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authentciated attackers, with contributor-level access and...
6.4CVSS
7.8AI Score
0.0004EPSS
The ColorMag theme for WordPress is vulnerable to Stored Cross-Site Scripting via a user's Display Name in all versions up to, and including, 3.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authentciated attackers, with contributor-level access and...
6.4CVSS
5.9AI Score
0.0004EPSS
An issue in the component AslO3_64.sys of ASUSTeK Computer Inc AISuite3 v3.03.36 3.03.36 allows attackers to escalate privileges and execute arbitrary code via sending crafted IOCTL...
7.6AI Score
EPSS
Grafana when using email as a username can block other users from signing in
Today we are releasing Grafana 9.2. Alongside with new features and other bug fixes, this release includes a Moderate severity security fix for CVE-2022-39229 We are also releasing security patches for Grafana 9.1.8 and Grafana 8.5.14 to fix these issues. Release 9.2, latest release, also...
4.3CVSS
4.8AI Score
0.001EPSS
An issue in the component IOMap64.sys of ASUSTeK Computer Inc ASUS GPU TweakII v1.4.5.2 allows attackers to escalate privileges and execute arbitrary code via sending crafted IOCTL...
7.9AI Score
EPSS
An issue in the component IOMap64.sys of ASUSTeK Computer Inc ASUS GPU TweakII v1.4.5.2 allows attackers to escalate privileges and execute arbitrary code via sending crafted IOCTL...
7.6AI Score
EPSS
An issue in the component ATSZIO64.sys of ASUSTeK Computer Inc ASUS ATSZIO Driver v0.2.1.7 allows attackers to escalate privileges and execute arbitrary code via sending crafted IOCTL...
7.9AI Score
EPSS
The WP Table Builder – WordPress Table Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the button element in all versions up to, and including, 1.4.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers to...
6.4CVSS
5.9AI Score
0.001EPSS
An issue in the component ATSZIO64.sys of ASUSTeK Computer Inc ASUS ATSZIO Driver v0.2.1.7 allows attackers to escalate privileges and execute arbitrary code via sending crafted IOCTL...
7.6AI Score
EPSS