CVE-2024-5561

CVE-2024-5561

Título es
CVE-2024-5561

Lun, 09/09/2024 – 06:15

Gravedad 2.0 Txt
Pendiente de análisis

Título en

CVE-2024-5561

Descripción en
The Popup Maker WordPress plugin before 1.19.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

09/09/2024
09/09/2024
Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
Pendiente de análisis

Referencias

  • https://wpscan.com/vulnerability/6a87cc25-bd7d-40e3-96f9-26646cd6f736/

    • Enviar en el boletín
    Off

    CVE-2024-7918

    CVE-2024-7918

    Título es
    CVE-2024-7918

    Lun, 09/09/2024 – 06:15

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-7918

    Descripción en
    The Pocket Widget WordPress plugin through 0.1.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

    09/09/2024
    09/09/2024
    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias

  • https://wpscan.com/vulnerability/b1697646-1090-4a2b-9987-cec07428378e/

    • Enviar en el boletín
    Off

    CVE-2024-7689

    CVE-2024-7689

    Título es
    CVE-2024-7689

    Lun, 09/09/2024 – 06:15

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-7689

    Descripción en
    The Snapshot Backup WordPress plugin through 2.1.1 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.

    09/09/2024
    09/09/2024
    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias

  • https://wpscan.com/vulnerability/4463785c-55db-4f86-80a2-ada4d2241e5e/

    • Enviar en el boletín
    Off

    CVE-2024-7688

    CVE-2024-7688

    Título es
    CVE-2024-7688

    Lun, 09/09/2024 – 06:15

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-7688

    Descripción en
    The AZIndex WordPress plugin through 0.8.1 does not have CSRF checks in some places, which could allow attackers to make logged in admin delete arbitrary indexes via a CSRF attack

    09/09/2024
    09/09/2024
    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias

  • https://wpscan.com/vulnerability/6c1d4354-b88b-46ca-b25a-efb9518f4955/

    • Enviar en el boletín
    Off

    CVE-2024-7687

    CVE-2024-7687

    Título es
    CVE-2024-7687

    Lun, 09/09/2024 – 06:15

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-7687

    Descripción en
    The AZIndex WordPress plugin through 0.8.1 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack.

    09/09/2024
    09/09/2024
    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias

  • https://wpscan.com/vulnerability/b861f18a-40ae-4989-a8e4-37df1771ae23/

    • Enviar en el boletín
    Off

    CVE-2024-6910

    CVE-2024-6910

    Título es
    CVE-2024-6910

    Lun, 09/09/2024 – 06:15

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-6910

    Descripción en
    The EventON WordPress plugin before 2.2.17 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

    09/09/2024
    09/09/2024
    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias

  • https://wpscan.com/vulnerability/468373c6-7e47-489a-92c1-75025c543fd5/

    • Enviar en el boletín
    Off

    CVE-2024-45203

    CVE-2024-45203

    Título es
    CVE-2024-45203

    Lun, 09/09/2024 – 07:15

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-45203

    Descripción en
    Improper authorization in handler for custom URL scheme issue in "@cosme" App for Android versions prior 5.69.0 and "@cosme" App for iOS versions prior to 6.74.0 allows an attacker to lead a user to access an arbitrary website via the vulnerable App. As a result, the user may become a victim of a phishing attack.

    09/09/2024
    09/09/2024
    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias

  • https://jvn.jp/en/jp/JVN81570776/

    • Enviar en el boletín
    Off

    CVE-2024-8584

    CVE-2024-8584

    Título es
    CVE-2024-8584

    Lun, 09/09/2024 – 03:15

    Tipo
    CWE-284

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-8584

    Descripción en
    Orca HCM from LEARNING DIGITAL does not properly restrict access to a specific functionality, allowing unauthenticated remote attacker to exploit this functionality to create an account with administrator privilege and subsequently use it to log in.

    09/09/2024
    09/09/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    Gravedad 3.1 (CVSS 3.1 Base Score)
    9.80

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    CRITICAL

    Referencias

  • https://www.twcert.org.tw/en/cp-139-8040-948ef-2.html

  • https://www.twcert.org.tw/tw/cp-132-8039-24e48-1.html

    • Enviar en el boletín
    Off

    CVE-2024-8586

    CVE-2024-8586

    Título es
    CVE-2024-8586

    Lun, 09/09/2024 – 03:15

    Tipo
    CWE-601

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-8586

    Descripción en
    WebITR from Uniong has an Open Redirect vulnerability, which allows unauthorized remote attackers to exploit this vulnerability to forge URLs. Users, believing they are accessing a trusted domain, can be redirected to another page, potentially leading to phishing attacks.

    09/09/2024
    09/09/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

    Gravedad 3.1 (CVSS 3.1 Base Score)
    6.10

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias

  • https://www.twcert.org.tw/en/cp-139-8044-65b84-2.html

  • https://www.twcert.org.tw/tw/cp-132-8043-cc323-1.html

    • Enviar en el boletín
    Off

    CVE-2024-8585

    CVE-2024-8585

    Título es
    CVE-2024-8585

    Lun, 09/09/2024 – 03:15

    Tipo
    CWE-22

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-8585

    Descripción en
    Orca HCM from LEARNING DIGITA does not properly restrict a specific parameter of the file download functionality, allowing a remote attacker with regular privileges to download arbitrary system files.

    09/09/2024
    09/09/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

    Gravedad 3.1 (CVSS 3.1 Base Score)
    6.50

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias

  • https://www.twcert.org.tw/en/cp-139-8042-f9f26-2.html

  • https://www.twcert.org.tw/tw/cp-132-8041-dfbf9-1.html

    • Enviar en el boletín
    Off