Subscribe, build a custom feed, or pitch a sponsorship at hello@acadenix.com
Latest intel// live feed
CVE-2024-52490 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in pathomation Pathomation pathomation allows Upload
Unrestricted Upload of File with Dangerous Type vulnerability in pathomation Pathomation pathomation allows Upload a Web Shell to a Web Server.This issue affects Pathomation: from n/a through <= 2.5.1. CVSSv3.1 10.0 (CRITICAL)
CVE-2024-52475 — Authentication: Bypass Using an Alternate Path or Channel vulnerability in Information Technology Wawp automation-web-platform
Authentication Bypass Using an Alternate Path or Channel vulnerability in Information Technology Wawp automation-web-platform allows Authentication Bypass.This issue affects Wawp: from n/a through < 3.0.18. CVSSv3.1 9.8 (CRITICAL)
CVE-2024-52474 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Сервис "Экспресс Платежи" Express Payments Module express-pay allows Blind SQL Injection.This issue affects Express Payments Module: from n/a through <= 1.1.8. CVSSv3.1 9.3 (CRITICAL)
CVE-2024-50942 — qiwen-file v1.4.0 was discovered to contain a SQL injection vulnerability via the component /mapper/NoticeMapper.xml.
qiwen-file v1.4.0 was discovered to contain a SQL injection vulnerability via the component /mapper/NoticeMapper.xml. CVSSv3.1 9.8 (CRITICAL) · EPSS 43th percentile
CVE-2024-52723 — Totolink X6000r_firmware: An attacker can achieve arbitrary command execution by constructing the payload.
In TOTOLINK X6000R V9.4.0cu.1041_B20240224 in the shttpd file, the Uci_Set Str function is used without strict parameter filtering. An attacker can achieve arbitrary command execution by constructing the payload. CVSSv3.1 9.8 (CRITICAL) · EPSS 59th percentile
The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access
Volexity disclosed a novel attack pattern dubbed the "Nearest Neighbor Attack" used by Russian APT28 (GruesomeLarch) to breach a target organization in early 2022. The attacker compromised multiple nearby organizations via password-spray attacks, then leveraged dual-homed systems to connect to the target's Enterprise Wi-Fi network using stolen credentials, bypassing MFA protections on internet-facing services. The investigation revealed a multi-stage compromise chain involving three organizations, lateral movement via compromised systems, credential theft, and anti-forensics techniques including Cipher.exe for secure file deletion.
CVE-2024-7837 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Firmanet Software ERP allows SQL Injection. This issue affects ERP: through 22.11.2024. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. CVSSv3.1 8.2 (HIGH) · EPSS 22th percentile
CVE-2024-51367 — An arbitrary file upload vulnerability in the component \Users\username.BlackBoard of BlackBoard v2.0.0.2 allows attackers
An arbitrary file upload vulnerability in the component \Users\username.BlackBoard of BlackBoard v2.0.0.2 allows attackers to execute arbitrary code via uploading a crafted .xml file. CVSSv3.1 9.8 (CRITICAL) · EPSS 50th percentile
CVE-2024-51366 — An arbitrary file upload vulnerability in the component \Roaming\Omega of OmegaT v6.0.1 allows attackers
An arbitrary file upload vulnerability in the component \Roaming\Omega of OmegaT v6.0.1 allows attackers to execute arbitrary code via uploading a crafted .conf file. CVSSv3.1 9.8 (CRITICAL) · EPSS 53th percentile
CVE-2024-51364 — An arbitrary file upload vulnerability in ModbusMechanic v3.0 allows attackers to execute arbitrary code
An arbitrary file upload vulnerability in ModbusMechanic v3.0 allows attackers to execute arbitrary code via uploading a crafted .xml file. CVSSv3.1 8.8 (HIGH) · EPSS 47th percentile
CVE-2024-10898 — Krishaweb Contact_form_7_email_add_on: The Contact Form 7 Email Add on plugin for WordPress is vulnerable to Local
The Contact Form 7 Email Add on plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.9 via the cf7_email_add_on_add_admin_template() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary PHP files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code ex CVSSv3.1 8.8 (HIGH)
CVE-2024-52451 — Site: Cross-Site Request Forgery (CSRF) vulnerability in aaronrobbins Post Ideas post-ideas allows SQL Injection.This issue
Cross-Site Request Forgery (CSRF) vulnerability in aaronrobbins Post Ideas post-ideas allows SQL Injection.This issue affects Post Ideas: from n/a through <= 2. CVSSv3.1 8.2 (HIGH)
CVE-2024-52447 — Path: Traversal: '.../...//' vulnerability in corporatezen222 Contact Page With Google Map contact-page-with-google-map allows Path
Path Traversal: '.../...//' vulnerability in corporatezen222 Contact Page With Google Map contact-page-with-google-map allows Path Traversal.This issue affects Contact Page With Google Map: from n/a through <= 1.6.1. CVSSv3.1 8.6 (HIGH)
CVE-2024-52446 — Site: Cross-Site Request Forgery (CSRF) vulnerability in Buying Buddy Buying Buddy IDX CRM buying-buddy-idx-crm allows
Cross-Site Request Forgery (CSRF) vulnerability in Buying Buddy Buying Buddy IDX CRM buying-buddy-idx-crm allows Object Injection.This issue affects Buying Buddy IDX CRM: from n/a through <= 1.2.8. CVSSv3.1 8.8 (HIGH)
CVE-2024-52445 — Deserialization: of Untrusted Data vulnerability in ModelTheme QRMenu Restaurant QR Menu Lite qrmenu-lite allows
Deserialization of Untrusted Data vulnerability in ModelTheme QRMenu Restaurant QR Menu Lite qrmenu-lite allows Object Injection.This issue affects QRMenu Restaurant QR Menu Lite: from n/a through <= 1.0.4. CVSSv3.1 8.8 (HIGH)
CVE-2024-52443 — Deserialization: of Untrusted Data vulnerability in masikonis Geolocator geolocator allows Object Injection.This issue affects
Deserialization of Untrusted Data vulnerability in masikonis Geolocator geolocator allows Object Injection.This issue affects Geolocator: from n/a through <= 1.1. CVSSv3.1 9.8 (CRITICAL)
CVE-2024-52442 — Incorrect: Privilege Assignment vulnerability in userplus UserPlus userplus allows Privilege Escalation.This issue affects UserPlus
Incorrect Privilege Assignment vulnerability in userplus UserPlus userplus allows Privilege Escalation.This issue affects UserPlus: from n/a through <= 2.0. CVSSv3.1 9.8 (CRITICAL)
CVE-2024-52441 — Improperly: Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability in Rajesh Thanoch Quick
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability in Rajesh Thanoch Quick Learn quick-learn allows Object Injection.This issue affects Quick Learn: from n/a through <= 1.0.1. CVSSv3.1 9.8 (CRITICAL)
CVE-2024-52440 — Deserialization: of Untrusted Data vulnerability in xpresslane Xpresslane Fast Checkout xpresslane-integration-for-woocommerce allows Object Injection.This
Deserialization of Untrusted Data vulnerability in xpresslane Xpresslane Fast Checkout xpresslane-integration-for-woocommerce allows Object Injection.This issue affects Xpresslane Fast Checkout: from n/a through <= 1.0.0. CVSSv3.1 9.8 (CRITICAL)
CVE-2024-52439 — Deserialization: of Untrusted Data vulnerability in Mark O'Donnell Team Rosters team-rosters allows Object Injection.This
Deserialization of Untrusted Data vulnerability in Mark O'Donnell Team Rosters team-rosters allows Object Injection.This issue affects Team Rosters: from n/a through <= 4.8.2. CVSSv3.1 9.8 (CRITICAL)
CVE-2024-52438 — Authentication: Missing Authentication for Critical Function vulnerability in deco.agency de:branding debranding allows Privilege Escalation.This issue
Missing Authentication for Critical Function vulnerability in deco.agency de:branding debranding allows Privilege Escalation.This issue affects de:branding: from n/a through <= 1.0.2. CVSSv3.1 8.8 (HIGH)
CVE-2024-52437 — Authentication: Missing Authentication for Critical Function vulnerability in Saul Morales Pacheco Banner System banner-system allows
Missing Authentication for Critical Function vulnerability in Saul Morales Pacheco Banner System banner-system allows Privilege Escalation.This issue affects Banner System: from n/a through <= 1.0.0. CVSSv3.1 8.8 (HIGH)
CVE-2024-52714 — Tenda Ac6_firmware: AC6 v2.0 v15.03.06.50 was discovered to contain a buffer overflow in the function
Tenda AC6 v2.0 v15.03.06.50 was discovered to contain a buffer overflow in the function 'fromSetSysTime. CVSSv3.1 9.8 (CRITICAL) · EPSS 45th percentile
CVE-2024-52402 — Site: Cross-Site Request Forgery (CSRF) vulnerability in gunghoinc Exclusive Content Password Protect exclusive-content-password-protect allows Upload
Cross-Site Request Forgery (CSRF) vulnerability in gunghoinc Exclusive Content Password Protect exclusive-content-password-protect allows Upload a Web Shell to a Web Server.This issue affects Exclusive Content Password Protect: from n/a through <= 1.1.0. CVSSv3.1 9.6 (CRITICAL)
CVE-2024-52401 — Site: Cross-Site Request Forgery (CSRF) vulnerability in HuangYe WuDeng Hacklog DownloadManager hacklog-downloadmanager allows Upload a
Cross-Site Request Forgery (CSRF) vulnerability in HuangYe WuDeng Hacklog DownloadManager hacklog-downloadmanager allows Upload a Web Shell to a Web Server.This issue affects Hacklog DownloadManager: from n/a through <= 2.1.4. CVSSv3.1 9.6 (CRITICAL)