2024-11-28
2024-11-28 11:15Z
CRIT

CVE-2024-52490 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in pathomation Pathomation pathomation allows Upload

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-52490

Unrestricted Upload of File with Dangerous Type vulnerability in pathomation Pathomation pathomation allows Upload a Web Shell to a Web Server.This issue affects Pathomation: from n/a through <= 2.5.1. CVSSv3.1 10.0 (CRITICAL)

CWECWE 434TYPVulnerability
10.0
CVSS v3.1
100
Edit Score
2024-11-28
2024-11-28 11:15Z
CRIT

CVE-2024-52475 — Authentication: Bypass Using an Alternate Path or Channel vulnerability in Information Technology Wawp automation-web-platform

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-52475

Authentication Bypass Using an Alternate Path or Channel vulnerability in Information Technology Wawp automation-web-platform allows Authentication Bypass.This issue affects Wawp: from n/a through < 3.0.18. CVSSv3.1 9.8 (CRITICAL)

CWECWE 288TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-11-28
2024-11-28 11:15Z
CRIT

CVE-2024-52474 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-52474

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Сервис "Экспресс Платежи" Express Payments Module express-pay allows Blind SQL Injection.This issue affects Express Payments Module: from n/a through <= 1.1.8. CVSSv3.1 9.3 (CRITICAL)

CWECWE 89TYPVulnerability
9.3
CVSS v3.1
97
Edit Score
2024-11-26
2024-11-26 21:15Z
CRIT

CVE-2024-50942 — qiwen-file v1.4.0 was discovered to contain a SQL injection vulnerability via the component /mapper/NoticeMapper.xml.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-50942

qiwen-file v1.4.0 was discovered to contain a SQL injection vulnerability via the component /mapper/NoticeMapper.xml. CVSSv3.1 9.8 (CRITICAL) · EPSS 43th percentile

CWECWE 89TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-11-22
2024-11-22 16:15Z
CRIT

CVE-2024-52723 — Totolink X6000r_firmware: An attacker can achieve arbitrary command execution by constructing the payload.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-52723

In TOTOLINK X6000R V9.4.0cu.1041_B20240224 in the shttpd file, the Uci_Set Str function is used without strict parameter filtering. An attacker can achieve arbitrary command execution by constructing the payload. CVSSv3.1 9.8 (CRITICAL) · EPSS 59th percentile

CWECWE 78VNDTotolinkTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-11-22
2024-11-22 12:00Z
HIGH

The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access

Volexity·volexity.comin the wild

Volexity disclosed a novel attack pattern dubbed the "Nearest Neighbor Attack" used by Russian APT28 (GruesomeLarch) to breach a target organization in early 2022. The attacker compromised multiple nearby organizations via password-spray attacks, then leveraged dual-homed systems to connect to the target's Enterprise Wi-Fi network using stolen credentials, bypassing MFA protections on internet-facing services. The investigation revealed a multi-stage compromise chain involving three organizations, lateral movement via compromised systems, credential theft, and anti-forensics techniques including Cipher.exe for secure file deletion.

SRFOsTACTA0004TACTA0001SRFNetworkTACTA0008TACTA0009VNDMicrosoftTYPResearch
82
Edit Score
2024-11-22
2024-11-22 09:15Z
HIGH

CVE-2024-7837 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-7837

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Firmanet Software ERP allows SQL Injection. This issue affects ERP: through 22.11.2024. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. CVSSv3.1 8.2 (HIGH) · EPSS 22th percentile

CWECWE 89TYPVulnerability
8.2
CVSS v3.1
91
Edit Score
728 × 90 / responsive · programmatic ad slot
2024-11-21
2024-11-21 20:15Z
CRIT

CVE-2024-51367 — An arbitrary file upload vulnerability in the component \Users\username.BlackBoard of BlackBoard v2.0.0.2 allows attackers

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-51367

An arbitrary file upload vulnerability in the component \Users\username.BlackBoard of BlackBoard v2.0.0.2 allows attackers to execute arbitrary code via uploading a crafted .xml file. CVSSv3.1 9.8 (CRITICAL) · EPSS 50th percentile

CWECWE 94TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-11-21
2024-11-21 20:15Z
CRIT

CVE-2024-51366 — An arbitrary file upload vulnerability in the component \Roaming\Omega of OmegaT v6.0.1 allows attackers

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-51366

An arbitrary file upload vulnerability in the component \Roaming\Omega of OmegaT v6.0.1 allows attackers to execute arbitrary code via uploading a crafted .conf file. CVSSv3.1 9.8 (CRITICAL) · EPSS 53th percentile

CWECWE 434TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-11-21
2024-11-21 20:15Z
HIGH

CVE-2024-51364 — An arbitrary file upload vulnerability in ModbusMechanic v3.0 allows attackers to execute arbitrary code

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-51364

An arbitrary file upload vulnerability in ModbusMechanic v3.0 allows attackers to execute arbitrary code via uploading a crafted .xml file. CVSSv3.1 8.8 (HIGH) · EPSS 47th percentile

CWECWE 434TYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-11-21
2024-11-21 11:15Z
HIGH

CVE-2024-10898 — Krishaweb Contact_form_7_email_add_on: The Contact Form 7 Email Add on plugin for WordPress is vulnerable to Local

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-10898

The Contact Form 7 Email Add on plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.9 via the cf7_email_add_on_add_admin_template() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary PHP files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code ex CVSSv3.1 8.8 (HIGH)

CWECWE 98VNDKrishawebVNDContactTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-11-20
2024-11-20 12:15Z
HIGH

CVE-2024-52451 — Site: Cross-Site Request Forgery (CSRF) vulnerability in aaronrobbins Post Ideas post-ideas allows SQL Injection.This issue

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-52451

Cross-Site Request Forgery (CSRF) vulnerability in aaronrobbins Post Ideas post-ideas allows SQL Injection.This issue affects Post Ideas: from n/a through <= 2. CVSSv3.1 8.2 (HIGH)

CWECWE 352TYPVulnerability
8.2
CVSS v3.1
91
Edit Score
2024-11-20
2024-11-20 12:15Z
HIGH

CVE-2024-52447 — Path: Traversal: '.../...//' vulnerability in corporatezen222 Contact Page With Google Map contact-page-with-google-map allows Path

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-52447

Path Traversal: '.../...//' vulnerability in corporatezen222 Contact Page With Google Map contact-page-with-google-map allows Path Traversal.This issue affects Contact Page With Google Map: from n/a through <= 1.6.1. CVSSv3.1 8.6 (HIGH)

CWECWE 35TYPVulnerability
8.6
CVSS v3.1
93
Edit Score
2024-11-20
2024-11-20 12:15Z
HIGH

CVE-2024-52446 — Site: Cross-Site Request Forgery (CSRF) vulnerability in Buying Buddy Buying Buddy IDX CRM buying-buddy-idx-crm allows

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-52446

Cross-Site Request Forgery (CSRF) vulnerability in Buying Buddy Buying Buddy IDX CRM buying-buddy-idx-crm allows Object Injection.This issue affects Buying Buddy IDX CRM: from n/a through <= 1.2.8. CVSSv3.1 8.8 (HIGH)

CWECWE 352TYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-11-20
2024-11-20 12:15Z
HIGH

CVE-2024-52445 — Deserialization: of Untrusted Data vulnerability in ModelTheme QRMenu Restaurant QR Menu Lite qrmenu-lite allows

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-52445

Deserialization of Untrusted Data vulnerability in ModelTheme QRMenu Restaurant QR Menu Lite qrmenu-lite allows Object Injection.This issue affects QRMenu Restaurant QR Menu Lite: from n/a through <= 1.0.4. CVSSv3.1 8.8 (HIGH)

CWECWE 502TYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-11-20
2024-11-20 12:15Z
CRIT

CVE-2024-52443 — Deserialization: of Untrusted Data vulnerability in masikonis Geolocator geolocator allows Object Injection.This issue affects

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-52443

Deserialization of Untrusted Data vulnerability in masikonis Geolocator geolocator allows Object Injection.This issue affects Geolocator: from n/a through <= 1.1. CVSSv3.1 9.8 (CRITICAL)

CWECWE 502TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-11-20
2024-11-20 12:15Z
CRIT

CVE-2024-52442 — Incorrect: Privilege Assignment vulnerability in userplus UserPlus userplus allows Privilege Escalation.This issue affects UserPlus

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-52442

Incorrect Privilege Assignment vulnerability in userplus UserPlus userplus allows Privilege Escalation.This issue affects UserPlus: from n/a through <= 2.0. CVSSv3.1 9.8 (CRITICAL)

CWECWE 266TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-11-20
2024-11-20 12:15Z
CRIT

CVE-2024-52441 — Improperly: Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability in Rajesh Thanoch Quick

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-52441

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability in Rajesh Thanoch Quick Learn quick-learn allows Object Injection.This issue affects Quick Learn: from n/a through <= 1.0.1. CVSSv3.1 9.8 (CRITICAL)

CWECWE 1321VNDImproperlyTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-11-20
2024-11-20 12:15Z
CRIT

CVE-2024-52440 — Deserialization: of Untrusted Data vulnerability in xpresslane Xpresslane Fast Checkout xpresslane-integration-for-woocommerce allows Object Injection.This

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-52440

Deserialization of Untrusted Data vulnerability in xpresslane Xpresslane Fast Checkout xpresslane-integration-for-woocommerce allows Object Injection.This issue affects Xpresslane Fast Checkout: from n/a through <= 1.0.0. CVSSv3.1 9.8 (CRITICAL)

CWECWE 502TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-11-20
2024-11-20 12:15Z
CRIT

CVE-2024-52439 — Deserialization: of Untrusted Data vulnerability in Mark O'Donnell Team Rosters team-rosters allows Object Injection.This

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-52439

Deserialization of Untrusted Data vulnerability in Mark O'Donnell Team Rosters team-rosters allows Object Injection.This issue affects Team Rosters: from n/a through <= 4.8.2. CVSSv3.1 9.8 (CRITICAL)

CWECWE 502TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-11-20
2024-11-20 12:15Z
HIGH

CVE-2024-52438 — Authentication: Missing Authentication for Critical Function vulnerability in deco.agency de:branding debranding allows Privilege Escalation.This issue

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-52438

Missing Authentication for Critical Function vulnerability in deco.agency de:branding debranding allows Privilege Escalation.This issue affects de:branding: from n/a through <= 1.0.2. CVSSv3.1 8.8 (HIGH)

CWECWE 306TYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-11-20
2024-11-20 12:15Z
HIGH

CVE-2024-52437 — Authentication: Missing Authentication for Critical Function vulnerability in Saul Morales Pacheco Banner System banner-system allows

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-52437

Missing Authentication for Critical Function vulnerability in Saul Morales Pacheco Banner System banner-system allows Privilege Escalation.This issue affects Banner System: from n/a through <= 1.0.0. CVSSv3.1 8.8 (HIGH)

CWECWE 306TYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-11-19
2024-11-19 19:15Z
CRIT

CVE-2024-52714 — Tenda Ac6_firmware: AC6 v2.0 v15.03.06.50 was discovered to contain a buffer overflow in the function

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-52714

Tenda AC6 v2.0 v15.03.06.50 was discovered to contain a buffer overflow in the function 'fromSetSysTime. CVSSv3.1 9.8 (CRITICAL) · EPSS 45th percentile

CWECWE 120VNDTendaTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-11-19
2024-11-19 17:15Z
CRIT

CVE-2024-52402 — Site: Cross-Site Request Forgery (CSRF) vulnerability in gunghoinc Exclusive Content Password Protect exclusive-content-password-protect allows Upload

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-52402

Cross-Site Request Forgery (CSRF) vulnerability in gunghoinc Exclusive Content Password Protect exclusive-content-password-protect allows Upload a Web Shell to a Web Server.This issue affects Exclusive Content Password Protect: from n/a through <= 1.1.0. CVSSv3.1 9.6 (CRITICAL)

CWECWE 352TYPVulnerability
9.6
CVSS v3.1
98
Edit Score
2024-11-19
2024-11-19 17:15Z
CRIT

CVE-2024-52401 — Site: Cross-Site Request Forgery (CSRF) vulnerability in HuangYe WuDeng Hacklog DownloadManager hacklog-downloadmanager allows Upload a

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-52401

Cross-Site Request Forgery (CSRF) vulnerability in HuangYe WuDeng Hacklog DownloadManager hacklog-downloadmanager allows Upload a Web Shell to a Web Server.This issue affects Hacklog DownloadManager: from n/a through <= 2.1.4. CVSSv3.1 9.6 (CRITICAL)

CWECWE 352TYPVulnerability
9.6
CVSS v3.1
98
Edit Score