CVE-2024-8731

CVE-2024-8731

Título es
CVE-2024-8731

Vie, 13/09/2024 – 15:15

Tipo
CWE-79

Gravedad 2.0 Txt
Pendiente de análisis

Título en

CVE-2024-8731

Descripción en
The Cron Jobs plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.2.9. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

13/09/2024
13/09/2024
Vector CVSS:3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Gravedad 3.1 (CVSS 3.1 Base Score)
6.10

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
MEDIUM

Referencias

  • https://plugins.trac.wordpress.org/browser/leira-cron-jobs/trunk/admin/class-leira-cron-jobs-admin.php#L147

  • https://www.wordfence.com/threat-intel/vulnerabilities/id/5f6da693-4610-4875-aa14-102809309b8d?source=cve

    • Enviar en el boletín
    Off

    CVE-2024-8730

    CVE-2024-8730

    Título es
    CVE-2024-8730

    Vie, 13/09/2024 – 15:15

    Tipo
    CWE-79

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-8730

    Descripción en
    The Exit Notifier plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.9.1. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

    13/09/2024
    13/09/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

    Gravedad 3.1 (CVSS 3.1 Base Score)
    6.10

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias

  • https://plugins.trac.wordpress.org/browser/exit-notifier/trunk/includes/class-exit-notifier-settings.php#L707

  • https://www.wordfence.com/threat-intel/vulnerabilities/id/ddc1aedb-e64f-4b61-a247-c3cdc731f001?source=cve

    • Enviar en el boletín
    Off

    CVE-2024-8714

    CVE-2024-8714

    Título es
    CVE-2024-8714

    Vie, 13/09/2024 – 15:15

    Tipo
    CWE-79

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-8714

    Descripción en
    The WordPress Affiliates Plugin — SliceWP Affiliates plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.1.20. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

    13/09/2024
    13/09/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

    Gravedad 3.1 (CVSS 3.1 Base Score)
    6.10

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias

  • https://plugins.trac.wordpress.org/browser/slicewp/tags/1.1.20/includes/admin/commissions/class-list-table-commissions.php#L544

  • https://plugins.trac.wordpress.org/browser/slicewp/tags/1.1.20/includes/admin/payouts/class-list-table-payments.php#L490

  • https://plugins.trac.wordpress.org/browser/slicewp/tags/1.1.20/includes/admin/visits/class-list-table-visits.php#L396

  • https://plugins.trac.wordpress.org/changeset/3151062/

  • https://www.wordfence.com/threat-intel/vulnerabilities/id/45dd22d4-9a51-4569-a756-1f1a5f8626c1?source=cve

    • Enviar en el boletín
    Off

    CVE-2024-8269

    CVE-2024-8269

    Título es
    CVE-2024-8269

    Vie, 13/09/2024 – 15:15

    Tipo
    CWE-284

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-8269

    Descripción en
    The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to unauthorized user registration in all versions up to, and including, 4.15.3. This is due to the plugin not checking that user registration is enabled prior to creating a user account through the register() function. This makes it possible for unauthenticated attackers to create user accounts on sites, even when user registration is disabled and plugin functionality is not activated.

    13/09/2024
    13/09/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

    Gravedad 3.1 (CVSS 3.1 Base Score)
    7.30

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    HIGH

    Referencias

  • https://plugins.trac.wordpress.org/browser/mstore-api/tags/4.15.2/controllers/flutter-user.php#L406

  • https://plugins.trac.wordpress.org/browser/mstore-api/tags/4.15.2/controllers/flutter-user.php#L454

  • https://plugins.trac.wordpress.org/changeset/3147900/mstore-api/trunk/controllers/flutter-user.php

  • https://www.wordfence.com/threat-intel/vulnerabilities/id/59c5b6e7-74b0-430d-8b4a-5a42220f3ec9?source=cve

    • Enviar en el boletín
    Off

    CVE-2024-8747

    CVE-2024-8747

    Título es
    CVE-2024-8747

    Vie, 13/09/2024 – 15:15

    Tipo
    CWE-79

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-8747

    Descripción en
    The Email Obfuscate Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'email-obfuscate' shortcode in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

    13/09/2024
    13/09/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

    Gravedad 3.1 (CVSS 3.1 Base Score)
    6.40

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias

  • https://wordpress.org/plugins/email-obfuscate-shortcode/

  • https://www.wordfence.com/threat-intel/vulnerabilities/id/77bed6ce-84e7-4b71-8acd-bb5b73e362d2?source=cve

    • Enviar en el boletín
    Off

    CVE-2024-8737

    CVE-2024-8737

    Título es
    CVE-2024-8737

    Vie, 13/09/2024 – 15:15

    Tipo
    CWE-79

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-8737

    Descripción en
    The PDF Thumbnail Generator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

    13/09/2024
    13/09/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

    Gravedad 3.1 (CVSS 3.1 Base Score)
    6.10

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias

  • https://plugins.trac.wordpress.org/browser/pdf-thumbnail-generator/tags/1.3/pdf-thumbnail-generator.php#L184

  • https://plugins.trac.wordpress.org/changeset/3151055/

  • https://www.wordfence.com/threat-intel/vulnerabilities/id/b183587b-95bd-4e82-bfc7-db5a8fbd58f9?source=cve

    • Enviar en el boletín
    Off

    CVE-2024-8734

    CVE-2024-8734

    Título es
    CVE-2024-8734

    Vie, 13/09/2024 – 15:15

    Tipo
    CWE-79

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-8734

    Descripción en
    The Lucas String Replace plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.0.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

    13/09/2024
    13/09/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

    Gravedad 3.1 (CVSS 3.1 Base Score)
    6.10

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias

  • https://plugins.trac.wordpress.org/browser/lucas-string-replace/trunk/includes/class-lucas-string-replace-settings.php#L176

  • https://www.wordfence.com/threat-intel/vulnerabilities/id/cf1e4b20-e7e5-4a3a-9895-02d51499d54e?source=cve

    • Enviar en el boletín
    Off

    CVE-2024-8732

    CVE-2024-8732

    Título es
    CVE-2024-8732

    Vie, 13/09/2024 – 15:15

    Tipo
    CWE-79

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-8732

    Descripción en
    The Roles & Capabilities plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.1.9. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

    13/09/2024
    13/09/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

    Gravedad 3.1 (CVSS 3.1 Base Score)
    6.10

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias

  • https://plugins.trac.wordpress.org/browser/leira-roles/trunk/admin/class-leira-roles-admin.php#L413

  • https://plugins.trac.wordpress.org/browser/leira-roles/trunk/admin/class-leira-roles-admin.php#L541

  • https://www.wordfence.com/threat-intel/vulnerabilities/id/3956cd40-6b46-4013-9d71-a979de2c3687?source=cve

    • Enviar en el boletín
    Off

    CVE-2024-43759

    CVE-2024-43759

    Título es
    CVE-2024-43759

    Vie, 13/09/2024 – 09:15

    Tipo
    CWE-476

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-43759

    Descripción es
    Las versiones 28.6, 27.9.5 y anteriores de Illustrator se ven afectadas por una vulnerabilidad de desreferencia de puntero nulo que podría provocar una denegación de servicio (DoS) de la aplicación. Un atacante podría aprovechar esta vulnerabilidad para bloquear la aplicación, lo que provocaría una condición de denegación de servicio. Para aprovechar este problema es necesaria la interacción del usuario, ya que la víctima debe abrir un archivo malicioso.

    Descripción en
    Illustrator versions 28.6, 27.9.5 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to an application denial-of-service (DoS). An attacker could exploit this vulnerability to crash the application, resulting in a DoS condition. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

    13/09/2024
    13/09/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

    Gravedad 3.1 (CVSS 3.1 Base Score)
    5.50

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias

  • https://helpx.adobe.com/security/products/illustrator/apsb24-66.html

    • Enviar en el boletín
    Off

    CVE-2024-45112

    CVE-2024-45112

    Título es
    CVE-2024-45112

    Vie, 13/09/2024 – 09:15

    Tipo
    CWE-843

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-45112

    Descripción es
    Las versiones 24.002.21005, 24.001.30159, 20.005.30655, 24.003.20054 y anteriores de Acrobat Reader se ven afectadas por una vulnerabilidad de confusión de tipos que podría provocar la ejecución de código arbitrario en el contexto del usuario actual. Este problema se produce cuando se accede a un recurso utilizando un tipo que no es compatible con el tipo de objeto real, lo que genera un error lógico que un atacante podría aprovechar. Para aprovechar este problema es necesaria la interacción del usuario, ya que la víctima debe abrir un archivo malicioso.

    Descripción en
    Acrobat Reader versions 24.002.21005, 24.001.30159, 20.005.30655, 24.003.20054 and earlier are affected by a Type Confusion vulnerability that could result in arbitrary code execution in the context of the current user. This issue occurs when a resource is accessed using a type that is not compatible with the actual object type, leading to a logic error that an attacker could exploit. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

    13/09/2024
    13/09/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

    Gravedad 3.1 (CVSS 3.1 Base Score)
    7.80

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    HIGH

    Referencias

  • https://helpx.adobe.com/security/products/acrobat/apsb24-70.html

    • Enviar en el boletín
    Off