Subscribe, build a custom feed, or pitch a sponsorship at hello@acadenix.com
Latest intel// live feed
CVE-2024-52400 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in Subhasis Laha Gallerio gallerio allows
Unrestricted Upload of File with Dangerous Type vulnerability in Subhasis Laha Gallerio gallerio allows Upload a Web Shell to a Web Server.This issue affects Gallerio: from n/a through <= 1.01. CVSSv3.1 9.9 (CRITICAL)
CVE-2024-52399 — Upload: Writer Helper writer-helper allows Upload a Web Shell to a Web Server.This issue affects
Unrestricted Upload of File with Dangerous Type vulnerability in Clarisse K. Writer Helper writer-helper allows Upload a Web Shell to a Web Server.This issue affects Writer Helper: from n/a through <= 3.1.6. CVSSv3.1 9.9 (CRITICAL)
CVE-2024-52398 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in Halyra CDI collect-and-deliver-interface-for-woocommerce.This issue affects
Unrestricted Upload of File with Dangerous Type vulnerability in Halyra CDI collect-and-deliver-interface-for-woocommerce.This issue affects CDI: from n/a through <= 5.5.3. CVSSv3.1 9.1 (CRITICAL)
CVE-2024-9849 — Real3D: The Real3D Flipbook Lite – 3D FlipBook, PDF Viewer, PDF Embedder plugin for WordPress
The Real3D Flipbook Lite – 3D FlipBook, PDF Viewer, PDF Embedder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'r3dfb_save_thumbnail_callback' function in all versions up to, and including, 4.8. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. CVSSv3.1 8.8 (HIGH)
BrazenBamboo Weaponizes FortiClient Vulnerability to Steal VPN Credentials via DEEPDATA
Volexity disclosed a zero-day credential disclosure vulnerability in Fortinet FortiClient VPN client (Windows, v7.4.0) that allows extraction of VPN credentials from process memory via hardcoded JSON object offsets. The vulnerability was discovered in July 2024 being actively exploited by BrazenBamboo (Chinese state-affiliated APT) through a dedicated plugin in their DEEPDATA post-exploitation malware framework. Fortinet acknowledged the issue on July 24, 2024, but had not patched it at publication; a public advisory was issued December 18, 2024.
CVE-2024-10534 — Dataprom Personnel_attendance_control_systems_\/_access_control_security_: Origin Validation Error vulnerability in Dataprom Informatics Personnel Attendance Control Systems (PACS) /
Origin Validation Error vulnerability in Dataprom Informatics Personnel Attendance Control Systems (PACS) / Access Control Security Systems (ACSS) allows Traffic Injection. This issue affects Personnel Attendance Control Systems (PACS) / Access Control Security Systems (ACSS): before 2024. CVSSv3.1 9.8 (CRITICAL) · EPSS 44th percentile
CVE-2024-52370 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in Hive Support Hive Support hive-support
Unrestricted Upload of File with Dangerous Type vulnerability in Hive Support Hive Support hive-support allows Upload a Web Shell to a Web Server.This issue affects Hive Support: from n/a through <= 1.1.1. CVSSv3.1 9.9 (CRITICAL)
CVE-2024-52369 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in Optimal Access KBucket kbucket allows
Unrestricted Upload of File with Dangerous Type vulnerability in Optimal Access KBucket kbucket allows Upload a Web Shell to a Web Server.This issue affects KBucket: from n/a through <= 4.2.2. CVSSv3.1 9.9 (CRITICAL)
CVE-2024-52393 — Podlove Podlove_podcast_publisher: Deserialization of Untrusted Data vulnerability in Eric Teubert Podlove Podcast Publisher podlove-podcasting-plugin-for-wordpress.This issue affects
Deserialization of Untrusted Data vulnerability in Eric Teubert Podlove Podcast Publisher podlove-podcasting-plugin-for-wordpress.This issue affects Podlove Podcast Publisher: from n/a through <= 4.1.15. CVSSv3.1 9.1 (CRITICAL)
CVE-2024-52384 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in wpmonks Sage AI: Chatbots, OpenAI
Unrestricted Upload of File with Dangerous Type vulnerability in wpmonks Sage AI: Chatbots, OpenAI GPT-4 Bulk Articles, Dalle-3 Image Generation ai-content-generator allows Upload a Web Shell to a Web Server.This issue affects Sage AI: Chatbots, OpenAI GPT-4 Bulk Articles, Dalle-3 Image Generation: from n/a through <= 2.4.9. CVSSv3.1 9.9 (CRITICAL)
CVE-2024-52382 — Authorization: Missing Authorization vulnerability in medmatech Matix Popup Builder medma-matix allows Privilege Escalation.This issue affects
Missing Authorization vulnerability in medmatech Matix Popup Builder medma-matix allows Privilege Escalation.This issue affects Matix Popup Builder: from n/a through <= 1.0.0. CVSSv3.1 9.8 (CRITICAL)
CVE-2024-52381 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Shoaib Rehmat ZIJ KART zij-kart allows PHP Local File Inclusion.This issue affects ZIJ KART: from n/a through <= 1.1. CVSSv3.1 8.1 (HIGH)
CVE-2024-52380 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in softpulseinfotech Picsmize picsmize allows Upload
Unrestricted Upload of File with Dangerous Type vulnerability in softpulseinfotech Picsmize picsmize allows Upload a Web Shell to a Web Server.This issue affects Picsmize: from n/a through <= 1.0.0. CVSSv3.1 10.0 (CRITICAL)
CVE-2024-52379 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in faizalbahasan kineticPay for WooCommerce kineticpay-for-woocommerce
Unrestricted Upload of File with Dangerous Type vulnerability in faizalbahasan kineticPay for WooCommerce kineticpay-for-woocommerce allows Upload a Web Shell to a Web Server.This issue affects kineticPay for WooCommerce: from n/a through <= 2.0.8. CVSSv3.1 10.0 (CRITICAL)
CVE-2024-52377 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in bdthemes Instant Image Generator ai-image
Unrestricted Upload of File with Dangerous Type vulnerability in bdthemes Instant Image Generator ai-image allows Upload a Web Shell to a Web Server.This issue affects Instant Image Generator: from n/a through <= 1.5.2. CVSSv3.1 10.0 (CRITICAL)
CVE-2024-52376 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in cmsMinds Boat Rental Plugin for
Unrestricted Upload of File with Dangerous Type vulnerability in cmsMinds Boat Rental Plugin for WordPress boat-rental-system allows Upload a Web Shell to a Web Server.This issue affects Boat Rental Plugin for WordPress: from n/a through <= 1.0.1. CVSSv3.1 10.0 (CRITICAL)
CVE-2024-52375 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in Arttia Creative Datasets Manager by
Unrestricted Upload of File with Dangerous Type vulnerability in Arttia Creative Datasets Manager by Arttia Creative datasets-manager-by-arttia-creative.This issue affects Datasets Manager by Arttia Creative: from n/a through <= 1.5. CVSSv3.1 10.0 (CRITICAL)
CVE-2024-52374 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in DoThatTask Do That Task do-that-task
Unrestricted Upload of File with Dangerous Type vulnerability in DoThatTask Do That Task do-that-task allows Upload a Web Shell to a Web Server.This issue affects Do That Task: from n/a through <= 1.5.5. CVSSv3.1 10.0 (CRITICAL)
CVE-2024-52373 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in Team Devexhub Devexhub Gallery devexhub-gallery
Unrestricted Upload of File with Dangerous Type vulnerability in Team Devexhub Devexhub Gallery devexhub-gallery allows Upload a Web Shell to a Web Server.This issue affects Devexhub Gallery: from n/a through <= 2.0.1. CVSSv3.1 10.0 (CRITICAL)
CVE-2024-52372 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in WebTechGlobal Easy CSV Importer BETA
Unrestricted Upload of File with Dangerous Type vulnerability in WebTechGlobal Easy CSV Importer BETA easy-csv-importer allows Upload a Web Shell to a Web Server.This issue affects Easy CSV Importer BETA: from n/a through <= 7.0.0. CVSSv3.1 10.0 (CRITICAL)
CVE-2024-52371 — Limitation: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in DonnellC
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in DonnellC Global Gateway e4 | Payeezy Gateway | globe-gateway-e4.This issue affects Global Gateway e4 | Payeezy Gateway |: from n/a through <= 2.0. CVSSv3.1 8.6 (HIGH)
CVE-2024-10571 — Ays-pro Chartify: The Chartify – WordPress Chart Plugin plugin for WordPress is vulnerable to Local File
The Chartify – WordPress Chart Plugin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.9.5 via the 'source' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be CVSSv3.1 9.8 (CRITICAL)
CVE-2024-10629 — GPX: The GPX Viewer plugin for WordPress is vulnerable to arbitrary file creation due to
The GPX Viewer plugin for WordPress is vulnerable to arbitrary file creation due to a missing capability check and file type validation in the gpxv_file_upload() function in all versions up to, and including, 2.2.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to create arbitrary files on the affected site's server which may make remote code execution possible. CVSSv3.1 8.8 (HIGH)
CVE-2024-51882 — Ehues Gboy_custom_google_map: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in gopalkumar315 Gboy Custom Google Map gboy-custom-google-map allows Blind SQL Injection.This issue affects Gboy Custom Google Map: from n/a through <= 1.2. CVSSv3.1 8.5 (HIGH)
CVE-2024-51845 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in richteam Share Buttons – Social Media rich-web-share-button allows Blind SQL Injection.This issue affects Share Buttons – Social Media: from n/a through <= 1.0.2. CVSSv3.1 8.5 (HIGH)