π¨ CVE-2024-8199
The Reviews Feed β Add Testimonials and Customer Reviews From Google Reviews, Yelp, TripAdvisor, and More plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_api_key' function in all versions up to, and including, 1.1.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update API Key options.
π@cveNotify
The Reviews Feed β Add Testimonials and Customer Reviews From Google Reviews, Yelp, TripAdvisor, and More plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_api_key' function in all versions up to, and including, 1.1.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update API Key options.
π@cveNotify
π¨ CVE-2024-6783
A vulnerability has been discovered in Vue, that allows an attacker to perform XSS via prototype pollution. The attacker could change the prototype chain of some properties such as `Object.prototype.staticClass` or `Object.prototype.staticStyle` to execute arbitrary JavaScript code.
π@cveNotify
A vulnerability has been discovered in Vue, that allows an attacker to perform XSS via prototype pollution. The attacker could change the prototype chain of some properties such as `Object.prototype.staticClass` or `Object.prototype.staticStyle` to execute arbitrary JavaScript code.
π@cveNotify
Herodevs
Vulnerability Directory | CVE-2024-6783 | Vue 2 | HeroDevs
A cross-site scripting (XSS) vulnerability (CVE-2024-6783) has been identified within the Vue 2 template compiler, which is present in the βfull buildβ of Vue 2.
π¨ CVE-2024-8200
The Reviews Feed β Add Testimonials and Customer Reviews From Google Reviews, Yelp, TripAdvisor, and More plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This is due to missing or incorrect nonce validation on the 'update_api_key' function. This makes it possible for unauthenticated attackers to update an API key via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
π@cveNotify
The Reviews Feed β Add Testimonials and Customer Reviews From Google Reviews, Yelp, TripAdvisor, and More plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This is due to missing or incorrect nonce validation on the 'update_api_key' function. This makes it possible for unauthenticated attackers to update an API key via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
π@cveNotify
π¨ CVE-2024-43788
Webpack is a module bundler. Its main purpose is to bundle JavaScript files for usage in a browser, yet it is also capable of transforming, bundling, or packaging just about any resource or asset. The webpack developers have discovered a DOM Clobbering vulnerability in Webpackβs `AutoPublicPathRuntimeModule`. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an `img` tag with an unsanitized `name` attribute) are present. Real-world exploitation of this gadget has been observed in the Canvas LMS which allows a XSS attack to happen through a javascript code compiled by Webpack (the vulnerable part is from Webpack). DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. This vulnerability can lead to cross-site scripting (XSS) on websites that include Webpack-generated files and allow users to inject certain scriptless HTML tags with improperly sanitized name or id attributes. This issue has been addressed in release version 5.94.0. All users are advised to upgrade. There are no known workarounds for this issue.
π@cveNotify
Webpack is a module bundler. Its main purpose is to bundle JavaScript files for usage in a browser, yet it is also capable of transforming, bundling, or packaging just about any resource or asset. The webpack developers have discovered a DOM Clobbering vulnerability in Webpackβs `AutoPublicPathRuntimeModule`. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an `img` tag with an unsanitized `name` attribute) are present. Real-world exploitation of this gadget has been observed in the Canvas LMS which allows a XSS attack to happen through a javascript code compiled by Webpack (the vulnerable part is from Webpack). DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. This vulnerability can lead to cross-site scripting (XSS) on websites that include Webpack-generated files and allow users to inject certain scriptless HTML tags with improperly sanitized name or id attributes. This issue has been addressed in release version 5.94.0. All users are advised to upgrade. There are no known workarounds for this issue.
π@cveNotify
GitHub
security: fix DOM clobbering in auto public path Β· webpack/webpack@955e057
A bundler for javascript and friends. Packs many modules into a few bundled assets. Code Splitting allows for loading parts of the application on demand. Through "loaders", modules can be CommonJs, AMD, ES6 modules, CSS, Images, JSON, Coffeescript, LESS,β¦
π¨ CVE-2022-39996
Cross Site Scripting vulnerability in Teldats Router RS123, RS123w allows attacker to execute arbitrary code via the cmdcookie parameter to the upgrade/query.php page.
π@cveNotify
Cross Site Scripting vulnerability in Teldats Router RS123, RS123w allows attacker to execute arbitrary code via the cmdcookie parameter to the upgrade/query.php page.
π@cveNotify
π¨ CVE-2024-36068
An incorrect access control vulnerability in Rubrik CDM versions prior to 9.1.2-p1, 9.0.3-p6 and 8.1.3-p12, allows an attacker with network access to execute arbitrary code.
π@cveNotify
An incorrect access control vulnerability in Rubrik CDM versions prior to 9.1.2-p1, 9.0.3-p6 and 8.1.3-p12, allows an attacker with network access to execute arbitrary code.
π@cveNotify
Rubrik
Security Advisory (RBK-20240619-V0044): CDM weak authentication vulnerability
Rubrik continues to enhance validation and security protocol testing to protect customers against unauthorized access to CDM with improved penetration testing and security reviews designed to uncover and address potential vulnerabilities.
π¨ CVE-2024-42851
Buffer Overflow vulnerability in open source exiftags v.1.01 allows a local attacker to execute arbitrary code via the paresetag function.
π@cveNotify
Buffer Overflow vulnerability in open source exiftags v.1.01 allows a local attacker to execute arbitrary code via the paresetag function.
π@cveNotify
GitHub
fuzzing/exiftags at main Β· T1anyang/fuzzing
find of fuzzing. Contribute to T1anyang/fuzzing development by creating an account on GitHub.
π¨ CVE-2024-8296
A vulnerability was found in FeehiCMS up to 2.1.1 and classified as critical. This issue affects the function insert of the file /admin/index.php?r=user%2Fcreate. The manipulation of the argument User[avatar] leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
π@cveNotify
A vulnerability was found in FeehiCMS up to 2.1.1 and classified as critical. This issue affects the function insert of the file /admin/index.php?r=user%2Fcreate. The manipulation of the argument User[avatar] leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
π@cveNotify
Gitee
0kooo/cve_article
get cve/cnvd
π¨ CVE-2024-8297
A vulnerability was found in kitsada8621 Digital Library Management System 1.0. It has been classified as problematic. Affected is the function JwtRefreshAuth of the file middleware/jwt_refresh_token_middleware.go. The manipulation of the argument Authorization leads to improper output neutralization for logs. It is possible to launch the attack remotely. The name of the patch is 81b3336b4c9240f0bf50c13cb8375cf860d945f1. It is recommended to apply a patch to fix this issue.
π@cveNotify
A vulnerability was found in kitsada8621 Digital Library Management System 1.0. It has been classified as problematic. Affected is the function JwtRefreshAuth of the file middleware/jwt_refresh_token_middleware.go. The manipulation of the argument Authorization leads to improper output neutralization for logs. It is possible to launch the attack remotely. The name of the patch is 81b3336b4c9240f0bf50c13cb8375cf860d945f1. It is recommended to apply a patch to fix this issue.
π@cveNotify
GitHub
fix bug Β· kitsada8621/Digital-Library-Management-System@81b3336
A comprehensive digital library management system that enables efficient management of digital resources, from storage and categorization to search and lending services for users. - fix bug Β· kitsada8621/Digital-Library-Management-System@81b3336
π¨ CVE-2024-8301
A vulnerability was found in dingfanzu CMS up to 29d67d9044f6f93378e6eb6ff92272217ff7225c. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /ajax/checkin.php. The manipulation of the argument username leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
π@cveNotify
A vulnerability was found in dingfanzu CMS up to 29d67d9044f6f93378e6eb6ff92272217ff7225c. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /ajax/checkin.php. The manipulation of the argument username leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
π@cveNotify
GitHub
webray.com.cn/cve/dingfanzu-CMS/dingfanzu-CMS checkin.php username SQL-inject.md at main Β· Xor-Gerke/webray.com.cn
Contribute to Xor-Gerke/webray.com.cn development by creating an account on GitHub.
π¨ CVE-2024-41361
RPi-Jukebox-RFID v2.7.0 was discovered to contain a remote code execution (RCE) vulnerability via htdocs\manageFilesFolders.php
π@cveNotify
RPi-Jukebox-RFID v2.7.0 was discovered to contain a remote code execution (RCE) vulnerability via htdocs\manageFilesFolders.php
π@cveNotify
GitHub
π | RPi-Jukebox-RFID V2.7_RCE_3 Β· Issue #2398 Β· MiczFlor/RPi-Jukebox-RFID
Version v2.7.0 Branch released OS ubuntu 22 Pi model unknown Hardware No response What happened? Hello, I would like to report for a RCE vulnerability in RPi-Jukebox-RFID-v2.7(No permissions requir...
π¨ CVE-2024-41364
RPi-Jukebox-RFID v2.7.0 was discovered to contain a remote code execution (RCE) vulnerability via htdocs\trackEdit.php
π@cveNotify
RPi-Jukebox-RFID v2.7.0 was discovered to contain a remote code execution (RCE) vulnerability via htdocs\trackEdit.php
π@cveNotify
GitHub
π | RPi-Jukebox-RFID V2.7_RCE_5 Β· Issue #2400 Β· MiczFlor/RPi-Jukebox-RFID
Version v2.7.0 Branch released OS ubuntu 22 Pi model unknown Hardware No response What happened? Hello, I would like to report for a RCE vulnerability in RPi-Jukebox-RFID-v2.7(No permissions requir...
π¨ CVE-2024-41366
RPi-Jukebox-RFID v2.7.0 was discovered to contain a remote code execution (RCE) vulnerability via htdocs\userScripts.php
π@cveNotify
RPi-Jukebox-RFID v2.7.0 was discovered to contain a remote code execution (RCE) vulnerability via htdocs\userScripts.php
π@cveNotify
GitHub
π | RPi-Jukebox-RFID V2.7_RCE_4 Β· Issue #2399 Β· MiczFlor/RPi-Jukebox-RFID
Version v2.7.0 Branch released OS ubuntu 22 Pi model unknown Hardware No response What happened? Hello, I would like to report for a RCE vulnerability in RPi-Jukebox-RFID-v2.7(No permissions requir...
π¨ CVE-2024-41367
RPi-Jukebox-RFID v2.7.0 was discovered to contain a remote code execution (RCE) vulnerability via htdocs\api\playlist\appendFileToPlaylist.php
π@cveNotify
RPi-Jukebox-RFID v2.7.0 was discovered to contain a remote code execution (RCE) vulnerability via htdocs\api\playlist\appendFileToPlaylist.php
π@cveNotify
GitHub
π | RPi-Jukebox-RFID V2.7_RCE_2 Β· Issue #2397 Β· MiczFlor/RPi-Jukebox-RFID
Version v2.7.0 Branch released OS ubuntu 22 Pi model unknown Hardware No response What happened? Hello, I would like to report for a RCE vulnerability in RPi-Jukebox-RFID-v2.7(No permissions requir...
π¨ CVE-2024-41368
RPi-Jukebox-RFID v2.7.0 was discovered to contain a remote code execution (RCE) vulnerability via htdocs\inc.setWlanIpMail.php
π@cveNotify
RPi-Jukebox-RFID v2.7.0 was discovered to contain a remote code execution (RCE) vulnerability via htdocs\inc.setWlanIpMail.php
π@cveNotify
GitHub
π | RPi-Jukebox-RFID V2.7_RCE_1 Β· Issue #2396 Β· MiczFlor/RPi-Jukebox-RFID
Version v2.7.0 Branch released OS ubuntu 22 Pi model unknown Hardware No response What happened? Hello, I would like to report for a RCE vulnerability in RPi-Jukebox-RFID-v2.7(No permissions requir...
π¨ CVE-2024-41369
RPi-Jukebox-RFID v2.7.0 was discovered to contain a remote code execution (RCE) vulnerability via htdocs\inc.setWifi.php
π@cveNotify
RPi-Jukebox-RFID v2.7.0 was discovered to contain a remote code execution (RCE) vulnerability via htdocs\inc.setWifi.php
π@cveNotify
GitHub
π | RPi-Jukebox-RFID V2.7_RCE_6 Β· Issue #2401 Β· MiczFlor/RPi-Jukebox-RFID
Version v2.7.0 Branch released OS ubuntu 22 Pi model unknown Hardware No response What happened? Hello, I would like to report for a RCE vulnerability in RPi-Jukebox-RFID-v2.7(No permissions requir...
π¨ CVE-2024-41371
Organizr v1.90 is vulnerable to Cross Site Scripting (XSS) via api.php.
π@cveNotify
Organizr v1.90 is vulnerable to Cross Site Scripting (XSS) via api.php.
π@cveNotify
GitHub
GitHub - causefx/Organizr: HTPC/Homelab Services Organizer - Written in PHP
HTPC/Homelab Services Organizer - Written in PHP. Contribute to causefx/Organizr development by creating an account on GitHub.
π¨ CVE-2024-39300
Missing authentication vulnerability exists in Telnet function of WAB-I1750-PS v1.5.10 and earlier. When Telnet function of the product is enabled, a remote attacker may login to the product without authentication and alter the product's settings.
π@cveNotify
Missing authentication vulnerability exists in Telnet function of WAB-I1750-PS v1.5.10 and earlier. When Telnet function of the product is enabled, a remote attacker may login to the product without authentication and alter the product's settings.
π@cveNotify
jvn.jp
JVN#24885537: Multiple vulnerabilities in ELECOM wireless LAN routers and access points
Japan Vulnerability Notes
π¨ CVE-2024-8338
A vulnerability was found in HFO4 shudong-share 2.4.7. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /includes/fileReceive.php of the component File Extension Handler. The manipulation of the argument file leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
π@cveNotify
A vulnerability was found in HFO4 shudong-share 2.4.7. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /includes/fileReceive.php of the component File Extension Handler. The manipulation of the argument file leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
π@cveNotify
GitHub
webray.com.cn/cves/shudong-share Any File Upload.md at main Β· enjoyworld/webray.com.cn
Contribute to enjoyworld/webray.com.cn development by creating an account on GitHub.
π¨ CVE-2024-8339
A vulnerability was found in SourceCodester Electric Billing Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /?page=tracks of the component Connection Code Handler. The manipulation of the argument code leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
π@cveNotify
A vulnerability was found in SourceCodester Electric Billing Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /?page=tracks of the component Connection Code Handler. The manipulation of the argument code leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
π@cveNotify
GitHub
webray.com.cn/cves/Electric Billing Management System/Electric Billing Managemen SQL-inject System tracks.php SQL-inject.md atβ¦
Contribute to enjoyworld/webray.com.cn development by creating an account on GitHub.
π¨ CVE-2024-8340
A vulnerability classified as critical has been found in SourceCodester Electric Billing Management System 1.0. This affects an unknown part of the file /Actions.php?a=login. The manipulation of the argument username leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
π@cveNotify
A vulnerability classified as critical has been found in SourceCodester Electric Billing Management System 1.0. This affects an unknown part of the file /Actions.php?a=login. The manipulation of the argument username leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
π@cveNotify
GitHub
webray.com.cn/cves/Electric Billing Management System/Electric Billing Managemen SQL-inject System Action.php SQL-inject.md atβ¦
Contribute to enjoyworld/webray.com.cn development by creating an account on GitHub.