2024-12-13
2024-12-13 15:15Z
HIGH

CVE-2023-33996 — Authorization: Missing Authorization vulnerability in CleanTalk Inc Spam protection, AntiSpam, FireWall by CleanTalk cleantalk-spam-protect allows

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-33996

Missing Authorization vulnerability in CleanTalk Inc Spam protection, AntiSpam, FireWall by CleanTalk cleantalk-spam-protect allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Spam protection, AntiSpam, FireWall by CleanTalk: from n/a through <= 6.10. CVSSv3.1 8.8 (HIGH)

CWECWE 862TYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-12-13
2024-12-13 15:15Z
CRIT

CVE-2022-46838 — Joomsky Js_help_desk: Missing Authorization vulnerability in JoomSky JS Help Desk js-support-ticket allows Exploiting Incorrectly Configured Access

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2022-46838

Missing Authorization vulnerability in JoomSky JS Help Desk js-support-ticket allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JS Help Desk: from n/a through <= 2.7.1. CVSSv3.1 9.1 (CRITICAL)

CWECWE 862VNDJoomskyTYPVulnerability
9.1
CVSS v3.1
96
Edit Score
2024-12-13
2024-12-13 10:15Z
HIGH

CVE-2024-10783 — MainWP: The MainWP Child – Securely Connects to the MainWP Dashboard to Manage Multiple Sites

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-10783

The MainWP Child – Securely Connects to the MainWP Dashboard to Manage Multiple Sites plugin for WordPress is vulnerable to privilege escalation due to a missing authorization checks on the register_site function in all versions up to, and including, 5.2 when a site is left in an unconfigured state. This makes it possible for unauthenticated attackers to log in as an administrator on instances where MainWP Child is not yet connected to the MainWP Dashboard. IMPORTANT: this on CVSSv3.1 8.1 (HIGH)

CWECWE 862VNDMainwpTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2024-12-13
2024-12-13 05:15Z
HIGH

CVE-2024-21544 — Versions of the package spatie/browsershot before 5.0.1 are vulnerable to Improper Input Validation due

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-21544

Versions of the package spatie/browsershot before 5.0.1 are vulnerable to Improper Input Validation due to improper URL validation in the setUrl method. An attacker can exploit this vulnerability by using leading whitespace (%20) before the file:// protocol, resulting in Local File Inclusion, which allows the attacker to read sensitive files on the server. CVSSv3.1 8.6 (HIGH) · EPSS 37th percentile

CWECWE 20TYPVulnerability
8.6
CVSS v3.1
93
Edit Score
2024-12-12
2024-12-12 19:15Z
CRIT

CVE-2024-55875 — Prior to version 6.50.0.0, there is a potential XXE (XML External Entity Injection) vulnerability

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-55875

http4k is a functional toolkit for Kotlin HTTP applications. Prior to version 6.50.0.0, there is a potential XXE (XML External Entity Injection) vulnerability when http4k handling malicious XML contents within requests, which might allow attackers to read local sensitive information on server, trigger Server-side Request Forgery and even execute code under some circumstances. The original fix shipped in v5.41.0.0 / v4.50.0.0 closed the documented external-entity attack class CVSSv3.1 9.8 (CRITICAL) · EPSS 92th percentile

CWECWE 918CWECWE 200CWECWE 611TYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2024-12-12
2024-12-12 04:15Z
HIGH

CVE-2024-10111 — OAuth: The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-10111

The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 6.26.3. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username and the user does not have an already-existing account for the service ret CVSSv3.1 8.1 (HIGH)

CWECWE 287VNDOauthTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2024-12-10
2024-12-10 20:15Z
CRIT

CVE-2024-53480 — Phpgurukul Beauty_parlour_management_system: Phpgurukul's Beauty Parlour Management System v1.1 is vulnerable to SQL Injection in `login.php` via

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-53480

Phpgurukul's Beauty Parlour Management System v1.1 is vulnerable to SQL Injection in `login.php` via the `emailcont` parameter. CVSSv3.1 9.8 (CRITICAL) · EPSS 45th percentile

CWECWE 89VNDPhpgurukulVNDBeautyTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
728 × 90 / responsive · programmatic ad slot
2024-12-10
2024-12-10 19:15Z
CRIT

CVE-2024-46442 — BYD: An issue in the BYD Dilink Headunit System v3.0 to v4.0 allows attackers to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-46442

An issue in the BYD Dilink Headunit System v3.0 to v4.0 allows attackers to bypass authentication via a bruteforce attack. CVSSv3.1 9.8 (CRITICAL) · EPSS 45th percentile

CWECWE 307VNDBydTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-12-10
2024-12-10 18:15Z
CRIT

CVE-2024-53866 — Pnpm Pnpm: The package manager pnpm prior to version 9.15.0 seems to mishandle overrides and global

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-53866

The package manager pnpm prior to version 9.15.0 seems to mishandle overrides and global cache: Overrides from one workspace leak into npm metadata saved in global cache; npm metadata from global cache affects other workspaces; and installs by default don't revalidate the data (including on first lockfile generation). This can make workspace A (even running with `ignore-scripts=true`) posion global cache and execute scripts in workspace B. Users generally expect `ignore-scrip CVSSv3.1 9.8 (CRITICAL) · EPSS 57th percentile

CWECWE 426VNDPnpmTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-12-10
2024-12-10 05:15Z
HIGH

CVE-2024-21542 — Versions of the package luigi before 3.6.0 are vulnerable to Arbitrary File Write via

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-21542

Versions of the package luigi before 3.6.0 are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) due to improper destination file path validation in the _extract_packages_archive function. CVSSv3.1 8.6 (HIGH) · EPSS 94th percentile

CWECWE 22CWECWE 29TYPVulnerability
8.6
CVSS v3.1
97
Edit Score
2024-12-09
2024-12-09 16:15Z
CRIT

CVE-2024-40583 — Pentaminds Curovms: v2.0.1 was discovered to contain exposed credentials.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-40583

Pentaminds CuroVMS v2.0.1 was discovered to contain exposed credentials. CVSSv3.1 9.1 (CRITICAL) · EPSS 46th percentile

CWECWE 522VNDPentamindsTYPVulnerability
9.1
CVSS v3.1
96
Edit Score
2024-12-09
2024-12-09 14:15Z
CRIT

CVE-2024-8259 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-8259

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Eryaz Information Technologies NatraCar B2B Dealer Management Program allows SQL Injection. This issue affects NatraCar B2B Dealer Management Program: through 09.12.2024. NOTE: The vendor was contacted and it was learned that the product is not supported. CVSSv3.1 9.8 (CRITICAL) · EPSS 34th percentile

CWECWE 89TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-12-09
2024-12-09 13:15Z
CRIT

CVE-2024-54215 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-54215

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in roninwp Revy revy.This issue affects Revy: from n/a through <= 1.18. CVSSv3.1 9.3 (CRITICAL)

CWECWE 89TYPVulnerability
9.3
CVSS v3.1
97
Edit Score
2024-12-09
2024-12-09 13:15Z
CRIT

CVE-2024-53822 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in Genetech Pie Register Premium pie-register-premium.This

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-53822

Unrestricted Upload of File with Dangerous Type vulnerability in Genetech Pie Register Premium pie-register-premium.This issue affects Pie Register Premium: from n/a through < 3.8.3.3. CVSSv3.1 10.0 (CRITICAL)

CWECWE 434TYPVulnerability
10.0
CVSS v3.1
100
Edit Score
2024-12-09
2024-12-09 13:15Z
CRIT

CVE-2024-43222 — Authorization: Missing Authorization vulnerability in SeventhQueen Sweet Date sweetdate allows Privilege Escalation.This issue affects Sweet

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-43222

Missing Authorization vulnerability in SeventhQueen Sweet Date sweetdate allows Privilege Escalation.This issue affects Sweet Date: from n/a through <= 3.7.3. CVSSv3.1 9.8 (CRITICAL)

CWECWE 862TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-12-09
2024-12-09 13:15Z
HIGH

CVE-2023-51360 — Wpdeveloper Essential_blocks: Missing Authorization vulnerability in WPDeveloper Essential Blocks for Gutenberg essential-blocks allows Exploiting Incorrectly Configured

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-51360

Missing Authorization vulnerability in WPDeveloper Essential Blocks for Gutenberg essential-blocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Essential Blocks for Gutenberg: from n/a through <= 4.2.0. CVSSv3.1 8.8 (HIGH)

CWECWE 862VNDWpdeveloperTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-12-09
2024-12-09 13:15Z
HIGH

CVE-2023-51359 — Wpdeveloper Essential_blocks: Missing Authorization vulnerability in WPDeveloper Essential Blocks for Gutenberg essential-blocks allows Exploiting Incorrectly Configured

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-51359

Missing Authorization vulnerability in WPDeveloper Essential Blocks for Gutenberg essential-blocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Essential Blocks for Gutenberg: from n/a through <= 4.2.0. CVSSv3.1 8.8 (HIGH)

CWECWE 862VNDWpdeveloperTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-12-09
2024-12-09 13:15Z
HIGH

CVE-2023-51355 — Authorization: Missing Authorization vulnerability in MultiVendorX MultiVendorX dc-woocommerce-multi-vendor allows Exploiting Incorrectly Configured Access Control Security

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-51355

Missing Authorization vulnerability in MultiVendorX MultiVendorX dc-woocommerce-multi-vendor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MultiVendorX: from n/a through <= 4.0.23. CVSSv3.1 8.2 (HIGH) · EPSS 33th percentile

CWECWE 862TYPVulnerability
8.2
CVSS v3.1
91
Edit Score
2024-12-09
2024-12-09 13:15Z
CRIT

CVE-2023-51353 — Supsystic Popup: Missing Authorization vulnerability in supsystic Popup by Supsystic popup-by-supsystic allows Exploiting Incorrectly Configured Access

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-51353

Missing Authorization vulnerability in supsystic Popup by Supsystic popup-by-supsystic allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Popup by Supsystic: from n/a through <= 1.10.19. CVSSv3.1 9.8 (CRITICAL)

CWECWE 862VNDSupsysticTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-12-09
2024-12-09 13:15Z
CRIT

CVE-2023-50903 — Wpmet Metform_elementor_contact_form_builder: Missing Authorization vulnerability in Roxnor Metform metform allows Exploiting Incorrectly Configured Access Control Security

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-50903

Missing Authorization vulnerability in Roxnor Metform metform allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Metform: from n/a through <= 3.4.0. CVSSv3.1 9.8 (CRITICAL)

CWECWE 862VNDWpmetTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-12-09
2024-12-09 13:15Z
HIGH

CVE-2023-49856 — Rednao Smart_forms: Missing Authorization vulnerability in EDGARROJAS Smart Forms smart-forms allows Exploiting Incorrectly Configured Access Control

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-49856

Missing Authorization vulnerability in EDGARROJAS Smart Forms smart-forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Smart Forms: from n/a through <= 2.6.84. CVSSv3.1 8.8 (HIGH)

CWECWE 862VNDRednaoTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-12-09
2024-12-09 13:15Z
HIGH

CVE-2023-49817 — Authorization: Missing Authorization vulnerability in heolixfy Flexible Woocommerce Checkout Field Editor flexible-woocommerce-checkout-field-editor allows Exploiting Incorrectly

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-49817

Missing Authorization vulnerability in heolixfy Flexible Woocommerce Checkout Field Editor flexible-woocommerce-checkout-field-editor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Flexible Woocommerce Checkout Field Editor: from n/a through <= 2.0.1. CVSSv3.1 8.2 (HIGH)

CWECWE 862TYPVulnerability
8.2
CVSS v3.1
91
Edit Score
2024-12-09
2024-12-09 13:15Z
HIGH

CVE-2023-49756 — Themewinter Eventin: Missing Authorization vulnerability in Arraytics Eventin wp-event-solution allows Exploiting Incorrectly Configured Access Control Security

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-49756

Missing Authorization vulnerability in Arraytics Eventin wp-event-solution allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Eventin: from n/a through <= 3.3.52. CVSSv3.1 8.8 (HIGH)

CWECWE 862VNDThemewinterTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-12-09
2024-12-09 13:15Z
HIGH

CVE-2023-48286 — Authorization: Missing Authorization vulnerability in mra13 Stripe Payments stripe-payments allows Exploiting Incorrectly Configured Access Control

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-48286

Missing Authorization vulnerability in mra13 Stripe Payments stripe-payments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Stripe Payments: from n/a through <= 2.0.79. CVSSv3.1 8.2 (HIGH) · EPSS 40th percentile

CWECWE 862TYPVulnerability
8.2
CVSS v3.1
91
Edit Score
2024-12-09
2024-12-09 13:15Z
CRIT

CVE-2023-47805 — Themewinter Wpcafe: Missing Authorization vulnerability in Arraytics WPCafe wp-cafe allows Exploiting Incorrectly Configured Access Control Security

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-47805

Missing Authorization vulnerability in Arraytics WPCafe wp-cafe allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPCafe: from n/a through <= 2.2.22. CVSSv3.1 9.8 (CRITICAL)

CWECWE 862VNDThemewinterTYPVulnerability
9.8
CVSS v3.1
99
Edit Score