2024-09-19
2024-09-19 19:15Z
CRIT

CVE-2024-33109 — Ergophone Tiptel_ip_286_firmware: Directory Traversal in the web interface of the Tiptel IP 286 with firmware version

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-33109

Directory Traversal in the web interface of the Tiptel IP 286 with firmware version 2.61.13.10 allows attackers to overwrite arbitrary files on the phone via the Ringtone upload function. CVSSv3.1 9.9 (CRITICAL) · EPSS 55th percentile

CWECWE 22VNDYealinkVNDErgophoneTYPVulnerability
9.9
CVSS v3.1
100
Edit Score
2024-09-18
2024-09-18 15:15Z
CRIT

CVE-2024-5960 — Elizsoftware Panel: Plaintext Storage of a Password vulnerability in Eliz Software Panel allows : Use of

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-5960

Plaintext Storage of a Password vulnerability in Eliz Software Panel allows : Use of Known Domain Credentials. This issue affects Panel: before v2.3.24. CVSSv3.1 9.8 (CRITICAL) · EPSS 48th percentile

CWECWE 256VNDElizsoftwareVNDPlaintextTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-09-18
2024-09-18 15:15Z
HIGH

CVE-2024-5958 — Elizsoftware Panel: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-5958

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Eliz Software Panel allows Command Line Execution through SQL Injection. This issue affects Panel: before v2.3.24. CVSSv3.1 8.8 (HIGH) · EPSS 46th percentile

CWECWE 89VNDElizsoftwareTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-09-17
2024-09-17 23:15Z
CRIT

CVE-2024-44004 — Wptaskforce Track_\&_trace: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-44004

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Arni Cinco WPCargo Track & Trace wpcargo allows SQL Injection.This issue affects WPCargo Track & Trace: from n/a through <= 8.0.2. CVSSv3.1 9.3 (CRITICAL)

CWECWE 89VNDWptaskforceTYPVulnerability
9.3
CVSS v3.1
97
Edit Score
2024-09-17
2024-09-17 23:15Z
CRIT

CVE-2024-43978 — Superstorefinder Super_store_finder: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-43978

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in highwarden Super Store Finder superstorefinder-wp.This issue affects Super Store Finder: from n/a through < 6.9.8. CVSSv3.1 9.3 (CRITICAL)

CWECWE 89VNDSuperstorefinderTYPVulnerability
9.3
CVSS v3.1
97
Edit Score
2024-09-17
2024-09-17 23:15Z
CRIT

CVE-2024-43976 — Superstorefinder Super_store_finder: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-43976

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in highwarden Super Store Finder superstorefinder-wp.This issue affects Super Store Finder: from n/a through <= 6.9.7. CVSSv3.1 9.3 (CRITICAL)

CWECWE 89VNDSuperstorefinderTYPVulnerability
9.3
CVSS v3.1
97
Edit Score
2024-09-16
2024-09-16 20:07Z
HIGH

Impacket 0.12.0

Impacket releases·github.com

Impacket 0.12.0 released with significant enhancements to credential access and lateral movement capabilities. Notable additions include MS-GKDI Group Key Distribution Protocol implementation, Kerberoasting without pre-authentication support, S4U2self abuse primitives, LAPS password extraction, and new DACL/ownership manipulation tools (dacledit.py, owneredit.py). Multiple bug fixes and performance improvements across SMB, LDAP, Kerberos, and NTLM relay functionality.

SRFNetworkTACTA0006TACTA0007SRFIdentityTACTA0008VNDImpacketTYPToolSTGDiscovery
78
Edit Score
728 × 90 / responsive · programmatic ad slot
2024-09-16
2024-09-16 15:15Z
CRIT

CVE-2024-7104 — Sfs Winsure: Improper Control of Generation of Code ('Code Injection') vulnerability in SFS Consulting ww.Winsure allows

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-7104

Improper Control of Generation of Code ('Code Injection') vulnerability in SFS Consulting ww.Winsure allows Code Injection. This issue affects ww.Winsure: before 4.6.2. CVSSv3.1 9.8 (CRITICAL) · EPSS 49th percentile

CWECWE 94VNDSfsTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-09-16
2024-09-16 15:15Z
CRIT

CVE-2024-7098 — Sfs Winsure: Improper Restriction of XML External Entity Reference vulnerability in SFS Consulting ww.Winsure allows XML

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-7098

Improper Restriction of XML External Entity Reference vulnerability in SFS Consulting ww.Winsure allows XML Injection. This issue affects ww.Winsure: before 4.6.2. CVSSv3.1 9.8 (CRITICAL) · EPSS 44th percentile

CWECWE 611VNDSfsTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-09-16
2024-09-16 15:15Z
CRIT

CVE-2024-6401 — Sfs Insuree_gl: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-6401

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in SFS Consulting InsureE GL allows SQL Injection. This issue affects InsureE GL: before 4.6.2. CVSSv3.1 9.8 (CRITICAL) · EPSS 44th percentile

CWECWE 89VNDSfsTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-09-13
2024-09-13 09:15Z
CRIT

CVE-2024-6656 — Tnbmobil Cockpit: Use of Hard-coded Credentials vulnerability in TNB Mobile Solutions Cockpit Software allows Read Sensitive

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-6656

Use of Hard-coded Credentials vulnerability in TNB Mobile Solutions Cockpit Software allows Read Sensitive Strings Within an Executable. This issue affects Cockpit Software: before v2.13. CVSSv3.1 9.8 (CRITICAL)

CWECWE 798VNDTnbmobilTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-09-12
2024-09-12 09:15Z
CRIT

CVE-2024-8529 — Thimpress Learnpress: The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to SQL Injection

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-8529

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to SQL Injection via the 'c_fields' parameter of the /wp-json/lp/v1/courses/archive-course REST API endpoint in all versions up to, and including, 4.2.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be use CVSSv3.1 10.0 (CRITICAL)

CWECWE 89VNDThimpressVNDLearnpressTYPVulnerability
10.0
CVSS v3.1
100
Edit Score
2024-09-12
2024-09-12 09:15Z
CRIT

CVE-2024-8522 — Thimpress Learnpress: The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to SQL Injection

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-8522

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to SQL Injection via the 'c_only_fields' parameter of the /wp-json/learnpress/v1/courses REST API endpoint in all versions up to, and including, 4.2.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used CVSSv3.1 10.0 (CRITICAL)

CWECWE 89VNDThimpressVNDLearnpressTYPVulnerability
10.0
CVSS v3.1
100
Edit Score
2024-09-11
2024-09-11 17:15Z
HIGH

CVE-2024-44577 — Relyum Rely-pcie_firmware: RELY-PCIe v22.2.1 to v23.1.0 was discovered to contain a command injection vulnerability via the

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-44577

RELY-PCIe v22.2.1 to v23.1.0 was discovered to contain a command injection vulnerability via the time_date function. CVSSv3.1 8.8 (HIGH) · EPSS 62th percentile

CWECWE 77VNDRelyumVNDRelyTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-09-11
2024-09-11 17:15Z
HIGH

CVE-2024-44574 — Relyum Rely-pcie_firmware: RELY-PCIe v22.2.1 to v23.1.0 was discovered to contain a command injection vulnerability via the

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-44574

RELY-PCIe v22.2.1 to v23.1.0 was discovered to contain a command injection vulnerability via the sys_conf function. CVSSv3.1 8.8 (HIGH) · EPSS 61th percentile

CWECWE 77VNDRelyumVNDRelyTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-09-11
2024-09-11 17:15Z
HIGH

CVE-2024-44572 — Relyum Rely-pcie_firmware: RELY-PCIe v22.2.1 to v23.1.0 was discovered to contain a command injection vulnerability via the

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-44572

RELY-PCIe v22.2.1 to v23.1.0 was discovered to contain a command injection vulnerability via the sys_mgmt function. CVSSv3.1 8.8 (HIGH) · EPSS 61th percentile

CWECWE 77VNDRelyumVNDRelyTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-09-11
2024-09-11 17:15Z
HIGH

CVE-2024-44571 — Relyum Rely-pcie_firmware: RELY-PCIe v22.2.1 to v23.1.0 was discovered to contain incorrect access control in the mService

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-44571

RELY-PCIe v22.2.1 to v23.1.0 was discovered to contain incorrect access control in the mService function at phpinf.php. CVSSv3.1 8.8 (HIGH) · EPSS 30th percentile

CWECWE 284VNDRelyumVNDRelyTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-09-11
2024-09-11 17:15Z
HIGH

CVE-2024-44570 — Relyum Rely-pcie_firmware: RELY-PCIe v22.2.1 to v23.1.0 was discovered to contain a code injection vulnerability via the

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-44570

RELY-PCIe v22.2.1 to v23.1.0 was discovered to contain a code injection vulnerability via the getParams function in phpinf.php. CVSSv3.1 8.8 (HIGH) · EPSS 38th percentile

CWECWE 77VNDRelyumVNDRelyTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-09-11
2024-09-11 14:15Z
HIGH

CVE-2024-8642 — Eclipse Eclipse_dataspace_components: In Eclipse Dataspace Components, from version 0.5.0 and before version 0.9.0, the ConsumerPullTransferTokenValidationApiController does

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-8642

In Eclipse Dataspace Components, from version 0.5.0 and before version 0.9.0, the ConsumerPullTransferTokenValidationApiController does not check for token validity (expiry, not-before, issuance date), which can allow an attacker to bypass the check for token expiration. The issue requires to have a dataplane configured to support http proxy consumer pull AND include the module "transfer-data-plane". The affected code was marked deprecated from the version 0.6.0 in favour of CVSSv3.1 8.1 (HIGH) · EPSS 30th percentile

CWECWE 287CWECWE 305CWECWE 303VNDEclipseTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2024-09-10
2024-09-10 17:15Z
HIGH

CVE-2024-44667 — Shenzhen: Haichangxing Technology Co., Ltd HCX H822 4G LTE Router M7628NNxISPxUIv2_v1.0.1557.15.35_P0 is vulnerable to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-44667

Shenzhen Haichangxing Technology Co., Ltd HCX H822 4G LTE Router M7628NNxISPxUIv2_v1.0.1557.15.35_P0 is vulnerable to Incorrect Access Control. Unauthenticated factory mode reset and command injection leads to information exposure and root shell access. CVSSv3.1 8.0 (HIGH) · EPSS 45th percentile

CWECWE 863VNDShenzhenTYPVulnerability
8.0
CVSS v3.1
90
Edit Score
2024-09-10
2024-09-10 17:15Z
HIGH

CVE-2024-43455 — Microsoft Windows_server_2008: Windows Remote Desktop Licensing Service Spoofing Vulnerability

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-43455

Windows Remote Desktop Licensing Service Spoofing Vulnerability CVSSv3.1 8.8 (HIGH) · EPSS 90th percentile

CWECWE 20VNDMicrosoftTYPVulnerability
8.8
CVSS v3.1
95
Edit Score
2024-09-09
2024-09-09 20:15Z
CRIT

CVE-2024-44902 — Thinkphp Thinkphp: A deserialization vulnerability in Thinkphp v6.1.3 to v8.0.4 allows attackers to execute arbitrary code.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-44902

A deserialization vulnerability in Thinkphp v6.1.3 to v8.0.4 allows attackers to execute arbitrary code. CVSSv3.1 9.8 (CRITICAL) · EPSS 90th percentile

CWECWE 502VNDThinkphpTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2024-09-09
2024-09-09 14:15Z
CRIT

CVE-2024-7015 — Profelis Passbox: Missing Authentication for Critical Function vulnerability in Profelis Informatics and Consulting PassBox allows Authentication

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-7015

Missing Authentication for Critical Function vulnerability in Profelis Informatics and Consulting PassBox allows Authentication Abuse. This issue affects PassBox: before v1.2. CVSSv3.1 9.8 (CRITICAL) · EPSS 35th percentile

CWECWE 306VNDProfelisTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-09-06
2024-09-06 14:15Z
HIGH

CVE-2024-8428 — Ultimatemember Forumwp: The ForumWP – Forum & Discussion Board Plugin plugin for WordPress is vulnerable to

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-8428

The ForumWP – Forum & Discussion Board Plugin plugin for WordPress is vulnerable to Privilege Escalation via Insecure Direct Object Reference in all versions up to, and including, 2.0.2 via the submit_form_handler due to missing validation on the 'user_id' user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to change the email address of administrative user accounts which can then be leveraged to reset the administr CVSSv3.1 8.8 (HIGH)

CWECWE 639VNDUltimatememberVNDForumwpTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-09-06
2024-09-06 14:15Z
CRIT

CVE-2024-7493 — Wpcom Wpcom_member: The WPCOM Member plugin for WordPress is vulnerable to privilege escalation in all versions

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-7493

The WPCOM Member plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.5.2.1. This is due to the plugin allowing arbitrary data to be passed to wp_insert_user() during registration. This makes it possible for unauthenticated attackers to update their role to that of an administrator during registration. CVSSv3.1 9.8 (CRITICAL)

CWECWE 269VNDWpcomTYPVulnerability
9.8
CVSS v3.1
99
Edit Score