CVE-2024-7225

CVE-2024-7225

Título es
CVE-2024-7225

Mar, 30/07/2024 – 09:15

Tipo
CWE-79

Gravedad v2.0
4.00

Gravedad 2.0 Txt
MEDIUM

Título en

CVE-2024-7225

Descripción es
Se encontró una vulnerabilidad en SourceCodester Insurance Management System 1.0. Ha sido clasificada como problemática. Esto afecta a una parte desconocida del archivo /Script/admin/core/update_policy del componente Edit Insurance Policy Page. La manipulación del argumento pname conduce a cross site scripting. Es posible iniciar el ataque de forma remota. El exploit ha sido divulgado al público y puede utilizarse. A esta vulnerabilidad se le asignó el identificador VDB-272805.

Descripción en
A vulnerability was found in SourceCodester Insurance Management System 1.0. It has been classified as problematic. This affects an unknown part of the file /Script/admin/core/update_policy of the component Edit Insurance Policy Page. The manipulation of the argument pname leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-272805 was assigned to this vulnerability.

30/07/2024
30/07/2024
Vector CVSS:3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Vector CVSS:2.0
AV:N/AC:L/Au:S/C:N/I:P/A:N

Gravedad 3.1 (CVSS 3.1 Base Score)
3.50

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
LOW

Referencias

  • https://github.com/Xu-Mingming/cve/blob/main/xss2.md

  • https://vuldb.com/?ctiid_272805=

  • https://vuldb.com/?id_272805=

  • https://vuldb.com/?submit_380967=

    • Enviar en el boletín
    Off

    CVE-2024-41924

    CVE-2024-41924

    Título es
    CVE-2024-41924

    Mar, 30/07/2024 – 09:15

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-41924

    Descripción es
    En la serie EC-CUBE 4 existe la aceptación de datos extraños que no son de confianza con vulnerabilidad de datos confiables. Si se explota esta vulnerabilidad, un atacante que obtuvo el privilegio administrativo puede instalar un paquete PHP arbitrario. Si se instalan versiones obsoletas de paquetes PHP, el producto puede verse afectado por algunas vulnerabilidades conocidas.

    Descripción en
    Acceptance of extraneous untrusted data with trusted data vulnerability exists in EC-CUBE 4 series. If this vulnerability is exploited, an attacker who obtained the administrative privilege may install an arbitrary PHP package. If the obsolete versions of PHP packages are installed, the product may be affected by some known vulnerabilities.

    30/07/2024
    30/07/2024
    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias

  • https://jvn.jp/en/jp/JVN48324254/

  • https://www.ec-cube.net/info/weakness/20240701/index.php

    • Enviar en el boletín
    Off

    CVE-2024-41701

    CVE-2024-41701

    Título es
    CVE-2024-41701

    Mar, 30/07/2024 – 10:15

    Tipo
    CWE-200

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-41701

    Descripción es
    AccuPOS – CWE-200: Exposición de información confidencial a un actor no autorizado

    Descripción en
    AccuPOS – CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

    30/07/2024
    30/07/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

    Gravedad 3.1 (CVSS 3.1 Base Score)
    5.30

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias

  • https://www.gov.il/en/Departments/faq/cve_advisories

    • Enviar en el boletín
    Off

    CVE-2024-41702

    CVE-2024-41702

    Título es
    CVE-2024-41702

    Mar, 30/07/2024 – 10:15

    Tipo
    CWE-89

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-41702

    Descripción es
    SiberianCMS – CWE-89: Neutralización incorrecta de elementos especiales utilizados en un comando SQL ("Inyección SQL")

    Descripción en
    SiberianCMS – CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

    30/07/2024
    30/07/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    Gravedad 3.1 (CVSS 3.1 Base Score)
    9.80

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    CRITICAL

    Referencias

  • https://www.gov.il/en/Departments/faq/cve_advisories

    • Enviar en el boletín
    Off

    CVE-2024-6230

    CVE-2024-6230

    Título es
    CVE-2024-6230

    Mar, 30/07/2024 – 06:15

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-6230

    Descripción en
    The پلاگین پرداخت دلخواه WordPress plugin through 2.9.8 does not have CSRF check in place when resetting its form fields, which could allow attackers to make a logged in admin perform such action via a CSRF attack

    30/07/2024
    30/07/2024
    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias

  • https://wpscan.com/vulnerability/311e3c15-0f58-4f3b-91f8-0c62c0eea55e/

    • Enviar en el boletín
    Off

    CVE-2024-6226

    CVE-2024-6226

    Título es
    CVE-2024-6226

    Mar, 30/07/2024 – 06:15

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-6226

    Descripción en
    The WpStickyBar WordPress plugin through 2.1.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

    30/07/2024
    30/07/2024
    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias

  • https://wpscan.com/vulnerability/e42ce8dc-51d4-471d-b3bb-ad2a6b735d02/

    • Enviar en el boletín
    Off

    CVE-2024-6224

    CVE-2024-6224

    Título es
    CVE-2024-6224

    Mar, 30/07/2024 – 06:15

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-6224

    Descripción en
    The Send email only on Reply to My Comment WordPress plugin through 1.0.6 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack

    30/07/2024
    30/07/2024
    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias

  • https://wpscan.com/vulnerability/54457f1b-6572-4de0-9100-3433c715c5ce/

    • Enviar en el boletín
    Off

    CVE-2024-7220

    CVE-2024-7220

    Título es
    CVE-2024-7220

    Mar, 30/07/2024 – 06:15

    Tipo
    CWE-89

    Gravedad v2.0
    6.50

    Gravedad 2.0 Txt
    MEDIUM

    Título en

    CVE-2024-7220

    Descripción en
    A vulnerability classified as critical was found in SourceCodester School Log Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/print_barcode.php. The manipulation of the argument tbl leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-272791.

    30/07/2024
    30/07/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

    Vector CVSS:2.0
    AV:N/AC:L/Au:S/C:P/I:P/A:P

    Gravedad 3.1 (CVSS 3.1 Base Score)
    6.30

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias

  • https://gist.github.com/topsky979/5cd0b6a43815a0615b8493cde5c4dacf

  • https://vuldb.com/?ctiid_272791=

  • https://vuldb.com/?id_272791=

  • https://vuldb.com/?submit_380427=

    • Enviar en el boletín
    Off

    CVE-2024-7219

    CVE-2024-7219

    Título es
    CVE-2024-7219

    Mar, 30/07/2024 – 06:15

    Tipo
    CWE-89

    Gravedad v2.0
    7.50

    Gravedad 2.0 Txt
    HIGH

    Título en

    CVE-2024-7219

    Descripción en
    A vulnerability classified as critical has been found in SourceCodester School Log Management System 1.0. Affected is an unknown function of the file /admin/ajax.php?action=login. The manipulation of the argument username leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-272790 is the identifier assigned to this vulnerability.

    30/07/2024
    30/07/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

    Vector CVSS:2.0
    AV:N/AC:L/Au:N/C:P/I:P/A:P

    Gravedad 3.1 (CVSS 3.1 Base Score)
    7.30

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    HIGH

    Referencias

  • https://gist.github.com/topsky979/03c7fe20c80455b4884ae9e6c3f3d978

  • https://vuldb.com/?ctiid_272790=

  • https://vuldb.com/?id_272790=

  • https://vuldb.com/?submit_380426=

    • Enviar en el boletín
    Off

    CVE-2024-6536

    CVE-2024-6536

    Título es
    CVE-2024-6536

    Mar, 30/07/2024 – 06:15

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-6536

    Descripción en
    The Zephyr Project Manager WordPress plugin before 3.3.99 does not sanitise and escape some of its settings, which could allow high privilege users such as editors and admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

    30/07/2024
    30/07/2024
    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias

  • https://wpscan.com/vulnerability/ee40c1c6-4186-4b97-866c-fb0e76cedeb8/

    • Enviar en el boletín
    Off