2024-09-05
2024-09-05 19:15Z
CRIT

CVE-2024-45159 — Trustedfirmware Mbed_tls: With TLS 1.3, when a server enables optional authentication of the client, if the

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-45159

An issue was discovered in Mbed TLS 3.x before 3.6.1. With TLS 1.3, when a server enables optional authentication of the client, if the client-provided certificate does not have appropriate values in if keyUsage or extKeyUsage extensions, then the return value of mbedtls_ssl_get_verify_result() would incorrectly have the MBEDTLS_X509_BADCERT_KEY_USAGE and MBEDTLS_X509_BADCERT_KEY_USAGE bits clear. As a result, an attacker that had a certificate valid for uses other than TLS c CVSSv3.1 9.8 (CRITICAL) · EPSS 69th percentile

CWECWE 295VNDMbedVNDTrustedfirmwareTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-09-05
2024-09-05 19:15Z
CRIT

CVE-2024-45158 — Trustedfirmware Mbed_tls: A stack buffer overflow in mbedtls_ecdsa_der_to_raw() and mbedtls_ecdsa_raw_to_der() can occur when the bits parameter

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-45158

An issue was discovered in Mbed TLS 3.6 before 3.6.1. A stack buffer overflow in mbedtls_ecdsa_der_to_raw() and mbedtls_ecdsa_raw_to_der() can occur when the bits parameter is larger than the largest supported curve. In some configurations with PSA disabled, all values of bits are affected. (This never happens in internal library calls, but can affect applications that call these functions directly.) CVSSv3.1 9.8 (CRITICAL) · EPSS 72th percentile

CWECWE 121VNDMbedVNDTrustedfirmwareTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-09-04
2024-09-04 15:15Z
CRIT

CVE-2024-7078 — Semtekyazilim Semtek_sempos: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-7078

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Semtek Informatics Software Consulting Inc. Semtek Sempos allows SQL Injection. This issue affects Semtek Sempos: through 31072024. CVSSv3.1 9.8 (CRITICAL) · EPSS 42th percentile

CWECWE 89VNDSemtekyazilimTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-09-04
2024-09-04 15:15Z
CRIT

CVE-2024-7076 — Semtekyazilim Semtek_sempos: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-7076

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Semtek Informatics Software Consulting Inc. Semtek Sempos allows Blind SQL Injection. This issue affects Semtek Sempos: through 31072024. CVSSv3.1 9.8 (CRITICAL) · EPSS 42th percentile

CWECWE 89VNDSemtekyazilimTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-09-03
2024-09-03 14:15Z
CRIT

CVE-2024-4259 — Sambas Akos: Missing Authorization vulnerability in SAMPAŞ Holding AKOS (AkosCepVatandasService), SAMPAŞ Holding AKOS (TahsilatService) allows Collect

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-4259

Missing Authorization vulnerability in SAMPAŞ Holding AKOS (AkosCepVatandasService), SAMPAŞ Holding AKOS (TahsilatService) allows Collect Data as Provided by Users. This issue affects AKOS (AkosCepVatandasService): before V2.0; AKOS (TahsilatService): before V1.0.7. CVSSv3.1 9.8 (CRITICAL) · EPSS 30th percentile

CWECWE 862VNDSambasTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-09-02
2024-09-02 18:15Z
CRIT

CVE-2024-6919 — Nac Nacpremium: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-6919

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NAC Telecommunication Systems Inc. NACPremium allows Blind SQL Injection. This issue affects NACPremium: through 01082024. CVSSv3.1 9.8 (CRITICAL) · EPSS 38th percentile

CWECWE 89VNDNacTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-08-30
2024-08-30 03:15Z
CRIT

CVE-2024-45492 — Libexpat_project Libexpat: nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-45492

An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX). CVSSv3.1 9.8 (CRITICAL) · EPSS 80th percentile

CWECWE 190VNDLibexpat ProjectTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
728 × 90 / responsive · programmatic ad slot
2024-08-30
2024-08-30 03:15Z
CRIT

CVE-2024-45491 — Libexpat_project Libexpat: dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-45491

An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX). CVSSv3.1 9.8 (CRITICAL) · EPSS 69th percentile

CWECWE 190VNDLibexpat ProjectTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-08-29
2024-08-29 18:15Z
CRIT

CVE-2024-44779 — Vtiger Vtiger_crm: A reflected cross-site scripting (XSS) vulnerability in the viewname parameter in the index page

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-44779

A reflected cross-site scripting (XSS) vulnerability in the viewname parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload. CVSSv3.1 9.6 (CRITICAL) · EPSS 49th percentile

CWECWE 79VNDXssVNDVtigerTYPVulnerability
9.6
CVSS v3.1
98
Edit Score
2024-08-29
2024-08-29 18:15Z
CRIT

CVE-2024-44778 — Vtiger Vtiger_crm: A reflected cross-site scripting (XSS) vulnerability in the parent parameter in the index page

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-44778

A reflected cross-site scripting (XSS) vulnerability in the parent parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload. CVSSv3.1 9.6 (CRITICAL) · EPSS 48th percentile

CWECWE 79VNDXssVNDVtigerTYPVulnerability
9.6
CVSS v3.1
98
Edit Score
2024-08-29
2024-08-29 18:15Z
CRIT

CVE-2024-44777 — Vtiger Vtiger_crm: A reflected cross-site scripting (XSS) vulnerability in the tag parameter in the index page

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-44777

A reflected cross-site scripting (XSS) vulnerability in the tag parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload. CVSSv3.1 9.6 (CRITICAL) · EPSS 47th percentile

CWECWE 79VNDXssVNDVtigerTYPVulnerability
9.6
CVSS v3.1
98
Edit Score
2024-08-29
2024-08-29 16:15Z
CRIT

CVE-2024-43955 — Themeum Droip: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Themeum

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-43955

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Themeum Droip droip allows Path Traversal.This issue affects Droip: from n/a through < 2.5.2. CVSSv3.1 10.0 (CRITICAL)

CWECWE 22VNDThemeumTYPVulnerability
10.0
CVSS v3.1
100
Edit Score
2024-08-29
2024-08-29 15:15Z
CRIT

CVE-2024-39622 — Cridio Listingpro: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-39622

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CridioStudio ListingPro listingpro allows SQL Injection.This issue affects ListingPro: from n/a through <= 2.9.4. CVSSv3.1 9.3 (CRITICAL)

CWECWE 89VNDCridioTYPVulnerability
9.3
CVSS v3.1
97
Edit Score
2024-08-29
2024-08-29 15:15Z
HIGH

CVE-2024-39620 — Cridio Listingpro: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-39620

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CridioStudio ListingPro listingpro-plugin allows SQL Injection.This issue affects ListingPro: from n/a through <= 2.9.4. CVSSv3.1 8.5 (HIGH)

CWECWE 89VNDCridioTYPVulnerability
8.5
CVSS v3.1
93
Edit Score
2024-08-29
2024-08-29 15:15Z
CRIT

CVE-2024-38795 — Cridio Listingpro: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-38795

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CridioStudio ListingPro listingpro-plugin allows SQL Injection.This issue affects ListingPro: from n/a through <= 2.9.4. CVSSv3.1 9.3 (CRITICAL)

CWECWE 89VNDCridioTYPVulnerability
9.3
CVSS v3.1
97
Edit Score
2024-08-29
2024-08-29 11:15Z
HIGH

CVE-2024-7856 — Sonaar Mp3_audio_player_for_music\,_radio_\&_podcast: The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-7856

The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to unauthorized arbitrary file deletion due to a missing capability check on the removeTempFiles() function and insufficient path validation on the 'file' parameter in all versions up to, and including, 5.7.0.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files which can make remote code execution possible CVSSv3.1 8.1 (HIGH)

CWECWE 862VNDSonaarVNDMp3TYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2024-08-29
2024-08-29 11:15Z
CRIT

CVE-2024-4428 — Menulux Managment_portal: Missing Authentication for Critical Function, Missing Authorization vulnerability in Menulux Information Technologies Managment Portal

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-4428

Missing Authentication for Critical Function, Missing Authorization vulnerability in Menulux Information Technologies Managment Portal allows Collect Data as Provided by Users. This issue affects Managment Portal: through 21.05.2024. CVSSv3.1 9.8 (CRITICAL) · EPSS 43th percentile

CWECWE 862CWECWE 306VNDMenuluxTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-08-27
2024-08-27 14:15Z
CRIT

CVE-2024-7071 — Brainlowcode Brain_low-code: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), CWE -

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-7071

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), CWE - 564 - SQL Injection: Hibernate vulnerability in Brain Information Technologies Inc. Brain Low-Code allows SQL Injection. This issue affects Brain Low-Code: before 2.1.0. CVSSv3.1 9.8 (CRITICAL) · EPSS 36th percentile

CWECWE 89VNDBrainlowcodeTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-08-24
2024-08-24 02:15Z
CRIT

CVE-2024-7568 — Pixeljar Favicon_generator: The Favicon Generator plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-7568

The Favicon Generator plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the output_sub_admin_page_0 function. This makes it possible for unauthenticated attackers to delete arbitrary files on the server via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The plugin author deleted the functionality of t CVSSv3.1 9.6 (CRITICAL)

CWECWE 352VNDPixeljarVNDFaviconTYPVulnerability
9.6
CVSS v3.1
98
Edit Score
2024-08-23
2024-08-23 17:15Z
CRIT

CVE-2024-42531 — Ezviz: Internet PT Camera CS-CV246 D15655150 allows an unauthenticated host to access its live

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-42531

Ezviz Internet PT Camera CS-CV246 D15655150 allows an unauthenticated host to access its live video stream by crafting a set of RTSP packets with a specific set of URLs that can be used to redirect the camera feed. NOTE: the vendor's perspective is that the Anonymous120386 sample code can establish RTSP protocol communictaion, but cannot obtain video or audio data; thus, there is no risk. CVSSv3.1 9.8 (CRITICAL) · EPSS 44th percentile

CWECWE 20VNDEzvizTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-08-21
2024-08-21 21:15Z
CRIT

CVE-2024-6386 — Wpml Wpml: The WPML plugin for WordPress is vulnerable to Remote Code Execution in all versions

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-6386

The WPML plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.6.12 via Twig Server-Side Template Injection. This is due to missing input validation and sanitization on the render function. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server. CVSSv3.1 9.9 (CRITICAL)

CWECWE 94CWECWE 1336VNDWpmlTYPVulnerability
9.9
CVSS v3.1
100
Edit Score
2024-08-21
2024-08-21 14:15Z
CRIT

CVE-2024-28000 — Litespeedtech Litespeed_cache: Incorrect Privilege Assignment vulnerability in LiteSpeed Technologies LiteSpeed Cache litespeed-cache.This issue affects LiteSpeed Cache

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-28000

Incorrect Privilege Assignment vulnerability in LiteSpeed Technologies LiteSpeed Cache litespeed-cache.This issue affects LiteSpeed Cache: from n/a through <= 6.3.0.1. CVSSv3.1 9.8 (CRITICAL)

CWECWE 266VNDLitespeedtechTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-08-19
2024-08-19 20:15Z
CRIT

CVE-2024-43354 — Deserialization: of Untrusted Data vulnerability in Saad Iqbal myCred mycred.This issue affects myCred: from

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-43354

Deserialization of Untrusted Data vulnerability in Saad Iqbal myCred mycred.This issue affects myCred: from n/a through <= 2.7.2. CVSSv3.1 9.8 (CRITICAL) · EPSS 44th percentile

CWECWE 502TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-08-19
2024-08-19 18:15Z
CRIT

CVE-2024-43252 — Deserialization: of Untrusted Data vulnerability in Crew HRM Crew HRM hr-management.This issue affects Crew

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-43252

Deserialization of Untrusted Data vulnerability in Crew HRM Crew HRM hr-management.This issue affects Crew HRM: from n/a through <= 1.1.1. CVSSv3.1 9.0 (CRITICAL)

CWECWE 502TYPVulnerability
9.0
CVSS v3.1
95
Edit Score
2024-08-19
2024-08-19 18:15Z
CRIT

CVE-2024-43242 — Wpindeed Ultimate_membership_pro: Deserialization of Untrusted Data vulnerability in azzaroco Ultimate Membership Pro indeed-membership-pro.This issue affects Ultimate

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-43242

Deserialization of Untrusted Data vulnerability in azzaroco Ultimate Membership Pro indeed-membership-pro.This issue affects Ultimate Membership Pro: from n/a through <= 12.7. CVSSv3.1 9.0 (CRITICAL) · EPSS 68th percentile

CWECWE 502VNDWpindeedTYPVulnerability
9.0
CVSS v3.1
95
Edit Score