Subscribe, build a custom feed, or pitch a sponsorship at hello@acadenix.com
Latest intel// live feed
CVE-2024-48028 — Deserialization: of Untrusted Data vulnerability in Boyan Raichev IP Loc8 ip-loc8 allows Object Injection.This
Deserialization of Untrusted Data vulnerability in Boyan Raichev IP Loc8 ip-loc8 allows Object Injection.This issue affects IP Loc8: from n/a through <= 1.1. CVSSv3.1 9.8 (CRITICAL)
CVE-2024-48027 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in xaraartech External featured image from
Unrestricted Upload of File with Dangerous Type vulnerability in xaraartech External featured image from bing external-featured-image-from-bing allows Upload a Web Shell to a Web Server.This issue affects External featured image from bing: from n/a through <= 1.0.2. CVSSv3.1 9.9 (CRITICAL)
CVE-2024-48026 — Deserialization: of Untrusted Data vulnerability in GMRobbins Disc Golf Manager disc-golf-manager allows Object Injection.This
Deserialization of Untrusted Data vulnerability in GMRobbins Disc Golf Manager disc-golf-manager allows Object Injection.This issue affects Disc Golf Manager: from n/a through <= 1.0.0. CVSSv3.1 9.8 (CRITICAL)
CVE-2024-47649 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in THATplugin Iconize iconize.This issue affects
Unrestricted Upload of File with Dangerous Type vulnerability in THATplugin Iconize iconize.This issue affects Iconize: from n/a through <= 1.2.4. CVSSv3.1 9.1 (CRITICAL)
CVE-2024-47637 — Litespeedtech Litespeed_cache: Relative Path Traversal vulnerability in LiteSpeed Technologies LiteSpeed Cache litespeed-cache allows Path Traversal.This issue
Relative Path Traversal vulnerability in LiteSpeed Technologies LiteSpeed Cache litespeed-cache allows Path Traversal.This issue affects LiteSpeed Cache: from n/a through <= 6.4.1. CVSSv3.1 8.8 (HIGH)
CVE-2024-49271 — Unlimited-elements Unlimited_elements_for_elementor: Deserialization of Untrusted Data vulnerability in Unlimited Elements Unlimited Elements For Elementor (Free Widgets
Deserialization of Untrusted Data vulnerability in Unlimited Elements Unlimited Elements For Elementor (Free Widgets, Addons, Templates) unlimited-elements-for-elementor allows Command Injection.This issue affects Unlimited Elements For Elementor (Free Widgets, Addons, Templates): from n/a through <= 1.5.121. CVSSv3.1 9.1 (CRITICAL)
CVE-2024-49257 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in Denis Azz Anonim Posting azz-anonim-posting
Unrestricted Upload of File with Dangerous Type vulnerability in Denis Azz Anonim Posting azz-anonim-posting allows Upload a Web Shell to a Web Server.This issue affects Azz Anonim Posting: from n/a through <= 0.9. CVSSv3.1 10.0 (CRITICAL)
CVE-2024-49247 — Authentication: Bypass Using an Alternate Path or Channel vulnerability in SK BuddyPress Better Registration
Authentication Bypass Using an Alternate Path or Channel vulnerability in SK BuddyPress Better Registration better-bp-registration allows Authentication Bypass.This issue affects BuddyPress Better Registration: from n/a through <= 1.6. CVSSv3.1 9.8 (CRITICAL) · EPSS 21th percentile
CVE-2024-48042 — Deserialization: of Untrusted Data vulnerability in supsystic Contact Form by Supsystic contact-form-by-supsystic allows Command
Deserialization of Untrusted Data vulnerability in supsystic Contact Form by Supsystic contact-form-by-supsystic allows Command Injection.This issue affects Contact Form by Supsystic: from n/a through <= 1.7.28. CVSSv3.1 9.1 (CRITICAL)
CVE-2021-4449 — Digitalzoomstudio Zoomsounds: The ZoomSounds plugin for WordPress is vulnerable to arbitrary file uploads due to missing
The ZoomSounds plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'savepng.php' file in versions up to, and including, 5.96. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. CVE-2021-4457 is a duplicate of this. CVSSv3.1 9.8 (CRITICAL)
CVE-2020-36836 — Wpfastestcache Wp_fastest_cache: The WP Fastest Cache plugin for WordPress is vulnerable to unauthorized arbitrary file deletion
The WP Fastest Cache plugin for WordPress is vulnerable to unauthorized arbitrary file deletion in versions up to, and including, 0.9.0.2 due to a lack of capability checking and insufficient path validation. This makes it possible for authenticated users with minimal permissions to delete arbitrary files from the server. CVSSv3.1 8.0 (HIGH)
CVE-2024-49195 — Trustedfirmware Mbed_tls: Mbed TLS 3.5.x through 3.6.x before 3.6.2 has a buffer underrun in pkwrite when
Mbed TLS 3.5.x through 3.6.x before 3.6.2 has a buffer underrun in pkwrite when writing an opaque key pair CVSSv3.1 9.8 (CRITICAL) · EPSS 77th percentile
CVE-2024-35584 — Os4ed Opensis: SQL injection vulnerabilities were discovered in Ajax.php, ForWindow.php, ForExport.php, Modules.php, functions/HackingLogFnc.php in OpenSis Community
SQL injection vulnerabilities were discovered in Ajax.php, ForWindow.php, ForExport.php, Modules.php, functions/HackingLogFnc.php in OpenSis Community Edition 9.1 to 8.0, and possibly earlier versions. It is possible for an authenticated user to perform SQL Injection due to the lack to sanitisation. The application takes arbitrary value from "X-Forwarded-For" header and appends it to a SQL INSERT statement directly, leading to SQL Injection. CVSSv3.1 8.8 (HIGH) · EPSS 93th percentile
CVE-2023-50780 — Apache Artemis: ActiveMQ Artemis allows access to diagnostic information and controls through MBeans, which are
Apache ActiveMQ Artemis allows access to diagnostic information and controls through MBeans, which are also exposed through the authenticated Jolokia endpoint. Before version 2.29.0, this also included the Log4J2 MBean. This MBean is not meant for exposure to non-administrative users. This could eventually allow an authenticated attacker to write arbitrary files to the filesystem and indirectly achieve RCE. Users are recommended to upgrade to version 2.29.0 or later, which CVSSv3.1 8.8 (HIGH) · EPSS 84th percentile
v1.3.0
NetExec v1.3.0 release adds significant new capabilities including NFS protocol support, SCCM LDAP reconnaissance modules, Hyper-V enumeration, pre-created computer account detection, and coercion technique consolidation via coerce_plus. The release includes 40+ bug fixes and improvements across SMB, LDAP, Kerberos, and credential handling.
CVE-2024-9821 — Bot: The Bot for Telegram on WooCommerce plugin for WordPress is vulnerable to sensitive information
The Bot for Telegram on WooCommerce plugin for WordPress is vulnerable to sensitive information disclosure due to missing authorization checks on the 'stm_wpcfto_get_settings' AJAX action in all versions up to, and including, 1.2.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to view the Telegram Bot Token, a secret token used to control the bot, which can then be used to log in as any existing user on the site, such as an admi CVSSv3.1 8.8 (HIGH)
CVE-2024-48772 — CHIP: An issue in C-CHIP (com.cchip.cchipamaota) v.1.2.8 allows a remote attacker to obtain sensitive information
An issue in C-CHIP (com.cchip.cchipamaota) v.1.2.8 allows a remote attacker to obtain sensitive information via the firmware update process. CVSSv3.1 9.1 (CRITICAL) · EPSS 40th percentile
CVE-2024-48787 — Revic: An issue in Revic Optics Revic Ops (us.revic.revicops) 1.12.5 allows a remote attacker to
An issue in Revic Optics Revic Ops (us.revic.revicops) 1.12.5 allows a remote attacker to obtain sensitive information via the firmware update process. CVSSv3.1 9.1 (CRITICAL) · EPSS 38th percentile
CVE-2024-48786 — SWITCHBOT: An issue in SWITCHBOT INC SwitchBot (com.theswitchbot.switchbot) 5.0.4 allows a remote attacker to obtain
An issue in SWITCHBOT INC SwitchBot (com.theswitchbot.switchbot) 5.0.4 allows a remote attacker to obtain sensitive information via the firmware update process. CVSSv3.1 9.1 (CRITICAL) · EPSS 38th percentile
CVE-2024-48784 — Incorrect: An Incorrect Access Control issue in SAMPMAX com.sampmax.homemax 2.1.2.7 allows a remote attacker to
An Incorrect Access Control issue in SAMPMAX com.sampmax.homemax 2.1.2.7 allows a remote attacker to obtain sensitive information via the firmware update process. CVSSv3.1 9.8 (CRITICAL) · EPSS 44th percentile
CVE-2024-48778 — GIANT: An issue in GIANT MANUFACTURING CO., LTD RideLink (tw.giant.ridelink) 2.0.7 allows a remote attacker
An issue in GIANT MANUFACTURING CO., LTD RideLink (tw.giant.ridelink) 2.0.7 allows a remote attacker to obtain sensitive information via the firmware update process. CVSSv3.1 9.1 (CRITICAL) · EPSS 40th percentile
CVE-2024-48770 — Plug: An issue in Plug n Play Camera com.wisdomcity.zwave 1.1.0 allows a remote attacker to
An issue in Plug n Play Camera com.wisdomcity.zwave 1.1.0 allows a remote attacker to obtain sensitive information via the firmware update process. CVSSv3.1 8.2 (HIGH) · EPSS 40th percentile
CVE-2024-48769 — BURG: An issue in BURG-WCHTER KG de.burgwachter.keyapp.app 4.5.0 allows a remote attacker to obtain sensitve
An issue in BURG-WCHTER KG de.burgwachter.keyapp.app 4.5.0 allows a remote attacker to obtain sensitve information via the firmware update process. CVSSv3.1 9.1 (CRITICAL) · EPSS 39th percentile
CVE-2024-48040 — Tainacan Tainacan: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in tainacan Tainacan tainacan allows SQL Injection.This issue affects Tainacan: from n/a through <= 0.21.8. CVSSv3.1 8.5 (HIGH)
CVE-2024-48033 — Deserialization: of Untrusted Data vulnerability in baptiste.gourdin Talkback talkback-secure-linkback-protocol allows Object Injection.This issue affects
Deserialization of Untrusted Data vulnerability in baptiste.gourdin Talkback talkback-secure-linkback-protocol allows Object Injection.This issue affects Talkback: from n/a through <= 1.0. CVSSv3.1 9.8 (CRITICAL)