2024-03-29
2024-03-29 17:15Z
CRIT

CVE-2024-29640 — An issue in aliyundrive-webdav v.2.3.3 and before allows a remote attacker to execute arbitrary

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-29640

An issue in aliyundrive-webdav v.2.3.3 and before allows a remote attacker to execute arbitrary code via a crafted payload to the sid parameter in the action_query_qrcode component. CVSSv3.1 9.8 (CRITICAL) · EPSS 70th percentile

CWECWE 78TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-03-29
2024-03-29 14:15Z
HIGH

CVE-2024-30488 — Katieseaborn Zotpress: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-30488

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Katie Zotpress zotpress.This issue affects Zotpress: from n/a through <= 7.3.7. CVSSv3.1 8.5 (HIGH)

CWECWE 89VNDKatieseabornTYPVulnerability
8.5
CVSS v3.1
93
Edit Score
2024-03-29
2024-03-29 12:15Z
CRIT

CVE-2023-6191 — Webpdks Webpdks: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-6191

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Egehan Security WebPDKS allows SQL Injection. This issue affects WebPDKS: through 20240329. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. CVSSv3.1 9.8 (CRITICAL) · EPSS 30th percentile

CWECWE 89VNDWebpdksTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-03-29
2024-03-29 09:15Z
CRIT

CVE-2024-2411 — Stylemixthemes Masterstudy_lms: The MasterStudy LMS plugin for WordPress is vulnerable to Local File Inclusion in all

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-2411

The MasterStudy LMS plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.3.0 via the 'modal' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and inclu CVSSv3.1 9.8 (CRITICAL) · EPSS 87th percentile

CWECWE 98VNDStylemixthemesVNDMasterstudyTYPVulnerability
9.8
CVSS v3.1
100
Edit Score
2024-03-29
2024-03-29 09:15Z
CRIT

CVE-2024-2409 — Stylemixthemes Masterstudy_lms: The MasterStudy LMS plugin for WordPress is vulnerable to Privilege Escalation in all versions

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-2409

The MasterStudy LMS plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.3.1. This is due to insufficient validation checks within the _register_user() function called by the 'wp_ajax_nopriv_stm_lms_register' AJAX action. This makes it possible for unauthenticated attackers to register a user with administrator-level privileges when MasterStudy LMS Pro is installed and the LMS Forms Editor add-on is enabled. CVSSv3.1 9.8 (CRITICAL) · EPSS 48th percentile

CWECWE 266VNDStylemixthemesVNDMasterstudyTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-03-29
2024-03-29 07:15Z
HIGH

CVE-2024-1872 — Button: The Button plugin for WordPress is vulnerable to PHP Object Injection in all versions

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-1872

The Button plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.1.27 via deserialization of untrusted input in the button_shortcode function. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker CVSSv3.1 8.8 (HIGH) · EPSS 79th percentile

CWECWE 502VNDButtonTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-03-29
2024-03-29 06:15Z
HIGH

CVE-2024-28960 — Arm Mbed_crypto: An issue was discovered in Mbed TLS 2.18.0 through 2.28.x before 2.28.8 and 3.x

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-28960

An issue was discovered in Mbed TLS 2.18.0 through 2.28.x before 2.28.8 and 3.x before 3.6.0, and Mbed Crypto. The PSA Crypto API mishandles shared memory. CVSSv3.1 8.2 (HIGH) · EPSS 35th percentile

CWECWE 284VNDFedoraprojectVNDArmVNDTrustedfirmwareTYPVulnerability
8.2
CVSS v3.1
91
Edit Score
728 × 90 / responsive · programmatic ad slot
2024-03-28
2024-03-28 23:15Z
HIGH

CVE-2024-28714 — Crmeb Crmeb_java: SQL Injection vulnerability in CRMEB_Java e-commerce system v.1.3.4 allows an attacker to execute arbitrary

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-28714

SQL Injection vulnerability in CRMEB_Java e-commerce system v.1.3.4 allows an attacker to execute arbitrary code via the groupid parameter. CVSSv3.1 8.1 (HIGH) · EPSS 53th percentile

CWECWE 89VNDCrmebTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2024-03-28
2024-03-28 19:15Z
CRIT

CVE-2024-28713 — Mtons Mblog: An issue in Mblog Blog system v.3.5.0 allows an attacker to execute arbitrary code

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-28713

An issue in Mblog Blog system v.3.5.0 allows an attacker to execute arbitrary code via a crafted file to the theme management feature. CVSSv3.1 9.8 (CRITICAL) · EPSS 72th percentile

CWECWE 434VNDMtonsVNDMblogTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-03-28
2024-03-28 14:15Z
CRIT

CVE-2023-6437 — Neutralization: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-6437

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in TP-Link TP-Link EX20v AX1800, Tp-Link Archer C5v AC1200, Tp-Link TD-W9970, Tp-Link TD-W9970v3, TP-Link VX220-G2u, TP-Link VN020-G2u allows authenticated OS Command Injection. This issue affects TP-Link EX20v AX1800, Tp-Link Archer C5v AC1200, Tp-Link TD-W9970, Tp-Link TD-W9970v3 : through 20240328. Also  the vulnerability continues in the TP-Link VX220-G2u and TP-Link CVSSv3.1 9.8 (CRITICAL)

CWECWE 78TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-03-28
2024-03-28 05:15Z
HIGH

CVE-2024-30244 — Church_admin_project Church_admin: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-30244

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in andy_moyle Church Admin church-admin.This issue affects Church Admin: from n/a through <= 4.0.27. CVSSv3.1 8.5 (HIGH)

CWECWE 89VNDChurch Admin ProjectTYPVulnerability
8.5
CVSS v3.1
93
Edit Score
2024-03-28
2024-03-28 05:15Z
HIGH

CVE-2024-30236 — Contest-gallery Contest_gallery: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-30236

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery contest-gallery.This issue affects Contest Gallery: from n/a through <= 21.3.4. CVSSv3.1 8.5 (HIGH)

CWECWE 89VNDContest GalleryTYPVulnerability
8.5
CVSS v3.1
93
Edit Score
2024-03-28
2024-03-28 05:15Z
HIGH

CVE-2024-30229 — Givewp Givewp: Deserialization of Untrusted Data vulnerability in StellarWP GiveWP give.This issue affects GiveWP: from n/a

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-30229

Deserialization of Untrusted Data vulnerability in StellarWP GiveWP give.This issue affects GiveWP: from n/a through <= 3.4.2. CVSSv3.1 8.0 (HIGH)

CWECWE 502VNDGivewpTYPVulnerability
8.0
CVSS v3.1
90
Edit Score
2024-03-28
2024-03-28 02:15Z
HIGH

CVE-2024-1770 — Meta: The Meta Tag Manager plugin for WordPress is vulnerable to PHP Object Injection in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-1770

The Meta Tag Manager plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.0.2 via deserialization of untrusted input in the get_post_data function. This makes it possible for authenticated attackers, with contributor access or higher, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to de CVSSv3.1 8.8 (HIGH) · EPSS 75th percentile

CWECWE 502VNDMetaTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-03-27
2024-03-27 15:47Z
HIGH

Mind the Patch Gap: Exploiting an io_uring Vulnerability in Ubuntu

Exodus Intel·blog.exodusintel.comCVE-2024-0582

CVE-2024-0582 is a use-after-free vulnerability in Linux kernel io_uring's provided buffer ring functionality that allows unprivileged users to gain root access via a data-only exploit. The vulnerability existed in kernels 6.4–6.6.4 and was patched in stable 6.6.5 (December 2023), but Ubuntu didn't backport the fix until February 2024, creating a two-month 0day window. The exploit leverages freed page access to modify kernel data structures without code execution, bypassing CFI mitigations.

SRFOsTACTA0004TACTA0005OSLinuxTYPWriteupTYPExploitTYPVulnerabilitySTGPrivesc
78
Edit Score
2024-03-27
2024-03-27 14:15Z
HIGH

CVE-2024-30238 — Contest-gallery Contest_gallery: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-30238

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery contest-gallery.This issue affects Contest Gallery: from n/a through <= 21.3.2. CVSSv3.1 8.5 (HIGH)

CWECWE 89VNDContest GalleryTYPVulnerability
8.5
CVSS v3.1
93
Edit Score
2024-03-27
2024-03-27 13:15Z
CRIT

CVE-2023-6153 — Authentication: Bypass by Primary Weakness vulnerability in TeoSOFT Software TeoBASE allows Authentication Bypass.

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-6153

Authentication Bypass by Primary Weakness vulnerability in TeoSOFT Software TeoBASE allows Authentication Bypass. This issue affects TeoBASE: through 20240327. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. CVSSv3.1 9.8 (CRITICAL)

CWECWE 305TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-03-27
2024-03-27 12:15Z
CRIT

CVE-2023-6173 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-6173

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TeoSOFT Software TeoBASE allows SQL Injection. This issue affects TeoBASE: through 27032024. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. CVSSv3.1 9.8 (CRITICAL) · EPSS 36th percentile

CWECWE 89TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-03-26
2024-03-26 21:15Z
HIGH

CVE-2023-51148 — Trendnet Tew-821dap_firmware: An issue in TRENDnet Trendnet AC1200 Dual Band PoE Indoor Wireless Access Point TEW-821DAP

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2023-51148

An issue in TRENDnet Trendnet AC1200 Dual Band PoE Indoor Wireless Access Point TEW-821DAP v.3.00b06 allows an attacker to execute arbitrary code via the 'mycli' command-line interface component. CVSSv3.1 8.0 (HIGH) · EPSS 41th percentile

CWECWE 121VNDTrendnetTYPVulnerability
8.0
CVSS v3.1
90
Edit Score
2024-03-26
2024-03-26 03:15Z
HIGH

CVE-2024-0866 — Check: The Check & Log Email plugin for WordPress is vulnerable to Unauthenticated Hook Injection

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-0866

The Check & Log Email plugin for WordPress is vulnerable to Unauthenticated Hook Injection in all versions up to, and including, 1.0.9 via the check_nonce function. This makes it possible for unauthenticated attackers to execute actions with hooks in WordPress under certain circumstances. The action the attacker wishes to execute needs to have a nonce check, and the nonce needs to be known to the attacker. Furthermore, the absence of a capability check is a requirement. CVSSv3.1 8.1 (HIGH) · EPSS 81th percentile

CWECWE 94VNDCheckTYPVulnerability
8.1
CVSS v3.1
91
Edit Score
2024-03-25
2024-03-25 14:15Z
CRIT

CVE-2024-2865 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-2865

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mergen Software Quality Management System allows SQL Injection. This issue affects Quality Management System: through 25032024. CVSSv3.1 9.8 (CRITICAL) · EPSS 22th percentile

CWECWE 89TYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-03-25
2024-03-25 14:15Z
CRIT

CVE-2024-28386 — Home-made Fastmag_sync: An issue in Home-Made.io fastmagsync v.1.7.51 and before allows a remote attacker to execute

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-28386

An issue in Home-Made.io fastmagsync v.1.7.51 and before allows a remote attacker to execute arbitrary code via the getPhpBin() component. CVSSv3.1 9.8 (CRITICAL) · EPSS 70th percentile

CWECWE 94VNDHomeVNDHome MadeTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-03-23
2024-03-23 02:15Z
HIGH

CVE-2024-2025 — WooCommerce: Create WooCommerce Member Pages" plugin for WordPress is vulnerable to PHP Object Injection in

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-2025

The "BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages" plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.4.20 via deserialization of untrusted input in the get_simple_request function. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject a PHP Object. If a POP chain is present via an additional plugin or theme installed on the target system, it could CVSSv3.1 8.8 (HIGH) · EPSS 75th percentile

CWECWE 502VNDWoocommerceTYPVulnerability
8.8
CVSS v3.1
94
Edit Score
2024-03-21
2024-03-21 04:15Z
CRIT

CVE-2024-29859 — Misp-project Misp: In MISP before 2.4.187, add_misp_export in app/Controller/EventsController.php does not properly check for a valid

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-29859

In MISP before 2.4.187, add_misp_export in app/Controller/EventsController.php does not properly check for a valid file upload. CVSSv3.1 9.8 (CRITICAL) · EPSS 52th percentile

CWECWE 434VNDMispVNDMisp ProjectTYPVulnerability
9.8
CVSS v3.1
99
Edit Score
2024-03-21
2024-03-21 04:15Z
CRIT

CVE-2024-29858 — Misp-project Misp: In MISP before 2.4.187, __uploadLogo in app/Controller/OrganisationsController.php does not properly check for a valid

NVD (auto-promoted CVEs)·nvd.nist.govCVE-2024-29858

In MISP before 2.4.187, __uploadLogo in app/Controller/OrganisationsController.php does not properly check for a valid logo upload. CVSSv3.1 9.8 (CRITICAL) · EPSS 30th percentile

CWECWE 616VNDMispVNDMisp ProjectTYPVulnerability
9.8
CVSS v3.1
99
Edit Score