Subscribe, build a custom feed, or pitch a sponsorship at hello@acadenix.com
Latest intel// live feed
CVE-2024-43240 — Wpindeed Ultimate_membership_pro: Improper Authentication vulnerability in azzaroco Ultimate Membership Pro indeed-membership-pro.This issue affects Ultimate Membership Pro
Improper Authentication vulnerability in azzaroco Ultimate Membership Pro indeed-membership-pro.This issue affects Ultimate Membership Pro: from n/a through <= 12.7. CVSSv3.1 9.4 (CRITICAL)
CVE-2024-42850 — Silverpeas Silverpeas: An issue in the password change function of Silverpeas v6.4.2 and lower allows for
An issue in the password change function of Silverpeas v6.4.2 and lower allows for the bypassing of password complexity requirements. CVSSv3.1 9.8 (CRITICAL) · EPSS 71th percentile
CVE-2024-7593 — Ivanti Virtual_traffic_manager: Incorrect implementation of an authentication algorithm in Ivanti vTM other than versions 22.2R1 or
Incorrect implementation of an authentication algorithm in Ivanti vTM other than versions 22.2R1 or 22.7R2 allows a remote unauthenticated attacker to bypass authentication of the admin panel. CVSSv3.1 9.8 (CRITICAL) · EPSS 100th percentile
CVE-2024-41623 — D3dsecurity D8801_firmware: An issue in D3D Security D3D IP Camera (D8801) v.V9.1.17.1.4-20180428 allows a local attacker
An issue in D3D Security D3D IP Camera (D8801) v.V9.1.17.1.4-20180428 allows a local attacker to execute arbitrary code via a crafted payload CVSSv3.1 9.8 (CRITICAL) · EPSS 47th percentile
CVE-2024-43153 — Xtendify Woffice: Incorrect Privilege Assignment vulnerability in WofficeIO Woffice woffice.This issue affects Woffice: from n/a through
Incorrect Privilege Assignment vulnerability in WofficeIO Woffice woffice.This issue affects Woffice: from n/a through <= 5.4.10. CVSSv3.1 9.8 (CRITICAL)
CVE-2024-7094 — Help: The JS Help Desk – The Ultimate Help Desk & Support Plugin plugin for
The JS Help Desk – The Ultimate Help Desk & Support Plugin plugin for WordPress is vulnerable to PHP Code Injection leading to Remote Code Execution in all versions up to, and including, 2.8.6 via the 'storeTheme' function. This is due to a lack of sanitization on user-supplied values, which replace values in the style.php file, along with missing capability checks. This makes it possible for unauthenticated attackers to execute code on the server. This issue was partially pa CVSSv3.1 9.8 (CRITICAL)
CVE-2024-6917 — Veribase Order_management: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Veribilim Software Veribase Order Management allows OS Command Injection. This issue affects Veribase Order Management: before v4.010.2. CVSSv3.1 9.8 (CRITICAL) · EPSS 82th percentile
CVE-2024-42479 — Ggml Llama.cpp: provides LLM inference in C/C++.
llama.cpp provides LLM inference in C/C++. The unsafe `data` pointer member in the `rpc_tensor` structure can cause arbitrary address writing. This vulnerability is fixed in b3561. CVSSv3.1 10.0 (CRITICAL) · EPSS 90th percentile
CVE-2024-7399 — Samsung Magicinfo_9_server: Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9
Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server version before 21.1050 allows attackers to write arbitrary file as system authority. CVSSv3.1 8.8 (HIGH) · EPSS 99th percentile
CVE-2024-38887 — Horizoncloud Caterease: 16.0.1.1663 through 24.0.1.2405 and possibly later versions, allows a remote attacker to expand
An issue in Horizon Business Services Inc. Caterease 16.0.1.1663 through 24.0.1.2405 and possibly later versions, allows a remote attacker to expand control over the operating system from the database due to the execution of commands with unnecessary privileges. CVSSv3.1 9.8 (CRITICAL) · EPSS 74th percentile
CVE-2024-38889 — Horizoncloud Caterease: 16.0.1.1663 through 24.0.1.2405 and possibly later versions, allows a remote attacker to perform
An issue in Horizon Business Services Inc. Caterease 16.0.1.1663 through 24.0.1.2405 and possibly later versions, allows a remote attacker to perform SQL Injection due to improper neutralization of special elements used in an SQL command. CVSSv3.1 9.8 (CRITICAL) · EPSS 55th percentile
CVE-2024-38886 — Horizoncloud Caterease: 16.0.1.1663 through 24.0.1.2405 and possibly later versions, allows a remote attacker to perform
An issue in Horizon Business Services Inc. Caterease 16.0.1.1663 through 24.0.1.2405 and possibly later versions, allows a remote attacker to perform a Traffic Injection attack due to improper verification of the source of a communication channel. CVSSv3.1 9.8 (CRITICAL) · EPSS 51th percentile
CVE-2024-38883 — Horizoncloud Caterease: 16.0.1.1663 through 24.0.1.2405 and possibly later versions, allows a remote attacker to perform
An issue in Horizon Business Services Inc. Caterease 16.0.1.1663 through 24.0.1.2405 and possibly later versions, allows a remote attacker to perform a Drop Encryption Level attack due to the selection of a less-secure algorithm during negotiation. CVSSv3.1 9.1 (CRITICAL) · EPSS 33th percentile
CVE-2024-38882 — Horizoncloud Caterease: 16.0.1.1663 through 24.0.1.2405 and possibly later versions, allows a remote attacker to perform
An issue in Horizon Business Services Inc. Caterease 16.0.1.1663 through 24.0.1.2405 and possibly later versions, allows a remote attacker to perform command line execution through SQL Injection due to improper neutralization of special elements used in an OS command. CVSSv3.1 9.8 (CRITICAL) · EPSS 57th percentile
CVE-2024-39624 — Cridio Listingpro: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in CridioStudio
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in CridioStudio ListingPro listingpro allows PHP Local File Inclusion.This issue affects ListingPro: from n/a through <= 2.9.4. CVSSv3.1 8.5 (HIGH)
CVE-2024-39621 — Cridio Listingpro: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in CridioStudio
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in CridioStudio ListingPro listingpro-plugin allows PHP Local File Inclusion.This issue affects ListingPro: from n/a through <= 2.9.4. CVSSv3.1 8.0 (HIGH)
CVE-2024-39619 — Cridio Listingpro: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in CridioStudio
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in CridioStudio ListingPro listingpro-plugin allows PHP Local File Inclusion.This issue affects ListingPro: from n/a through <= 2.9.4. CVSSv3.1 9.0 (CRITICAL)
CVE-2024-39011 — Chargeover Chargeover\/redoc: Prototype Pollution in chargeover redoc v2.0.9-rc.69 allows attackers to execute arbitrary code or cause
Prototype Pollution in chargeover redoc v2.0.9-rc.69 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) and cause other impacts via the function mergeObjects. CVSSv3.1 9.8 (CRITICAL) · EPSS 64th percentile
CVE-2024-38909 — Std42 Elfinder: Studio 42 elFinder 2.1.64 is vulnerable to Incorrect Access Control.
Studio 42 elFinder 2.1.64 is vulnerable to Incorrect Access Control. Copying files with an unauthorized extension between server directories allows an arbitrary attacker to expose secrets, perform RCE, etc. CVSSv3.1 9.8 (CRITICAL) · EPSS 38th percentile
CVE-2024-6699 — Mikafon Ma7_firmware: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mikafon Electronic Inc. Mikafon MA7 allows SQL Injection. This issue affects Mikafon MA7: from v3.0 before v3.1. CVSSv3.1 9.8 (CRITICAL) · EPSS 34th percentile
CVE-2024-37858 — Oretnom23 Lost_and_found_information_system: SQL Injection vulnerability in Lost and Found Information System 1.0 allows a remote attacker
SQL Injection vulnerability in Lost and Found Information System 1.0 allows a remote attacker to escalate privileges via the id parameter to php-lfis/admin/categories/manage_category.php. CVSSv3.1 9.8 (CRITICAL) · EPSS 54th percentile
CVE-2024-37857 — Oretnom23 Lost_and_found_information_system: SQL Injection vulnerability in Lost and Found Information System 1.0 allows a remote attacker
SQL Injection vulnerability in Lost and Found Information System 1.0 allows a remote attacker to escalate privileges via id parameter to php-lfis/admin/categories/view_category.php. CVSSv3.1 8.8 (HIGH) · EPSS 54th percentile
Softaculous Webuzo Authentication Bypass
Softaculous Webuzo contains a critical authentication bypass vulnerability in its password reset functionality (CVE-2024-24621, CVSS 10.0) that allows unauthenticated remote attackers to gain root-level server access. The vendor patched the issue within 24 hours of disclosure on July 12, 2024, with public disclosure following on July 25, 2024.
Softaculous Webuzo FTP Management Command Injection
Softaculous Webuzo contains a command injection vulnerability in FTP management functionality (CVE-2024-24623) allowing authenticated remote attackers to execute arbitrary code. The vendor patched the issue within 24 hours of disclosure on July 12, 2024, with public disclosure following on July 25, 2024.
Softaculous Webuzo Password Reset Command Injection
Softaculous Webuzo contains a command injection vulnerability in its password reset functionality (CVE-2024-24622) that allows authenticated remote attackers to execute arbitrary code with CVSS 9.0. The vendor patched the issue on July 12, 2024, one day after disclosure.