CVE-2024-49696

CVE-2024-49696

Título es
CVE-2024-49696

Jue, 24/10/2024 – 13:15

Tipo
CWE-79

Gravedad 2.0 Txt
Pendiente de análisis

Título en

CVE-2024-49696

Descripción en
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in RoboSoft Robo Gallery allows Stored XSS.This issue affects Robo Gallery: from n/a through 3.2.21.

24/10/2024
24/10/2024
Vector CVSS:3.1
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

Gravedad 3.1 (CVSS 3.1 Base Score)
5.90

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
MEDIUM

Referencias

  • https://patchstack.com/database/vulnerability/robo-gallery/wordpress-photo-gallery-images-slider-in-rbs-image-gallery-plugin-3-2-21-cross-site-scripting-xss-vulnerability?_s_id=cve

    • Enviar en el boletín
    Off

    CVE-2024-49695

    CVE-2024-49695

    Título es
    CVE-2024-49695

    Jue, 24/10/2024 – 13:15

    Tipo
    CWE-79

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-49695

    Descripción en
    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Spiffy Plugins WP Flow Plus allows Stored XSS.This issue affects WP Flow Plus: from n/a through 5.2.3.

    24/10/2024
    24/10/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

    Gravedad 3.1 (CVSS 3.1 Base Score)
    6.50

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias

  • https://patchstack.com/database/vulnerability/wp-imageflow2/wordpress-wp-flow-plus-plugin-5-2-3-cross-site-scripting-xss-vulnerability?_s_id=cve

    • Enviar en el boletín
    Off

    CVE-2024-49693

    CVE-2024-49693

    Título es
    CVE-2024-49693

    Jue, 24/10/2024 – 13:15

    Tipo
    CWE-79

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-49693

    Descripción en
    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Kraftplugins Mega Elements allows Stored XSS.This issue affects Mega Elements: from n/a through 1.2.6.

    24/10/2024
    24/10/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

    Gravedad 3.1 (CVSS 3.1 Base Score)
    6.50

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias

  • https://patchstack.com/database/vulnerability/mega-elements-addons-for-elementor/wordpress-mega-elements-addons-for-elementor-plugin-1-2-6-cross-site-scripting-xss-vulnerability?_s_id=cve

    • Enviar en el boletín
    Off

    CVE-2024-6826

    CVE-2024-6826

    Título es
    CVE-2024-6826

    Jue, 24/10/2024 – 10:15

    Tipo
    CWE-770

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-6826

    Descripción es
    Se ha descubierto un problema en GitLab CE/EE que afecta a todas las versiones desde la 11.2 hasta la 17.3.6, desde la 17.4 hasta la 17.4.3 y desde la 17.5 hasta la 17.5.1. Se podría producir una denegación de servicio al importar un archivo de manifiesto XML manipulado con fines malintencionados.

    Descripción en
    An issue has been discovered in GitLab CE/EE affecting all versions from 11.2 before 17.3.6, 17.4 before 17.4.3, and 17.5 before 17.5.1. A denial of service could occur via importing a malicious crafted XML manifest file.

    24/10/2024
    24/10/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

    Gravedad 3.1 (CVSS 3.1 Base Score)
    6.50

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias

  • https://gitlab.com/gitlab-org/gitlab/-/issues/472928

  • https://hackerone.com/reports/2571364

    • Enviar en el boletín
    Off

    CVE-2024-8312

    CVE-2024-8312

    Título es
    CVE-2024-8312

    Jue, 24/10/2024 – 10:15

    Tipo
    CWE-79

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-8312

    Descripción es
    Se ha descubierto un problema en GitLab CE/EE que afecta a todas las versiones desde la 15.10 hasta la 17.3.6, la 17.4 hasta la 17.4.3 y la 17.5 hasta la 17.5.1. Un atacante podría inyectar HTML en el campo de búsqueda global en una vista de diferencias, lo que provocaría un XSS.

    Descripción en
    An issue has been discovered in GitLab CE/EE affecting all versions from 15.10 before 17.3.6, 17.4 before 17.4.3, and 17.5 before 17.5.1. An attacker could inject HTML into the Global Search field on a diff view leading to XSS.

    24/10/2024
    24/10/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

    Gravedad 3.1 (CVSS 3.1 Base Score)
    8.70

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    HIGH

    Referencias

  • https://gitlab.com/gitlab-org/gitlab/-/issues/481819

  • https://hackerone.com/reports/2659386

    • Enviar en el boletín
    Off

    CVE-2024-9650

    CVE-2024-9650

    Título es
    CVE-2024-9650

    Jue, 24/10/2024 – 11:15

    Tipo
    CWE-79

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-9650

    Descripción en
    The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘tooltip’ parameter in all versions up to, and including, 9.6.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

    24/10/2024
    24/10/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

    Gravedad 3.1 (CVSS 3.1 Base Score)
    6.50

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias

  • https://plugins.trac.wordpress.org/browser/wp-recipe-maker/trunk/assets/js/public/tooltip.js#L32

  • https://plugins.trac.wordpress.org/changeset/3173494/

  • https://www.wordfence.com/threat-intel/vulnerabilities/id/085d06e1-31d3-4c01-8d8e-588c04b79ae3?source=cve

    • Enviar en el boletín
    Off

    CVE-2024-9214

    CVE-2024-9214

    Título es
    CVE-2024-9214

    Jue, 24/10/2024 – 11:15

    Tipo
    CWE-79

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-9214

    Descripción en
    The Extra Product Options Builder for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'RednaoSerializedFields' parameter during the creation of a signature file in all versions up to, and including, 1.2.133 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

    24/10/2024
    24/10/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

    Gravedad 3.1 (CVSS 3.1 Base Score)
    6.10

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias

  • https://plugins.trac.wordpress.org/browser/additional-product-fields-for-woocommerce/trunk/ajax/OrderDesignerAjax.php#L33

  • https://plugins.trac.wordpress.org/browser/additional-product-fields-for-woocommerce/trunk/ajax/OrderDesignerAjax.php#L61

  • https://plugins.trac.wordpress.org/browser/additional-product-fields-for-woocommerce/trunk/core/Managers/FileManager/FileManager.php#L106

  • https://plugins.trac.wordpress.org/changeset/3173169/

  • https://www.wordfence.com/threat-intel/vulnerabilities/id/09890f42-b9ee-4812-8cf2-f638ba9fb20f?source=cve

    • Enviar en el boletín
    Off

    CVE-2024-10331

    CVE-2024-10331

    Título es
    CVE-2024-10331

    Jue, 24/10/2024 – 11:15

    Tipo
    CWE-89

    Gravedad v2.0
    6.50

    Gravedad 2.0 Txt
    MEDIUM

    Título en

    CVE-2024-10331

    Descripción en
    A vulnerability, which was classified as critical, has been found in PHPGurukul Vehicle Record System 1.0. This issue affects some unknown processing of the file /admin/search-vehicle.php. The manipulation of the argument searchinputdata leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

    24/10/2024
    24/10/2024
    Vector CVSS:4.0
    CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

    Vector CVSS:2.0
    AV:N/AC:L/Au:S/C:P/I:P/A:P

    Gravedad 4.0
    5.30

    Gravedad 4.0 txt
    MEDIUM

    Gravedad 3.1 (CVSS 3.1 Base Score)
    6.30

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias

  • https://phpgurukul.com/

  • https://vuldb.com/?ctiid_281675=

  • https://vuldb.com/?id_281675=

  • https://vuldb.com/?submit_427426=

    • Enviar en el boletín
    Off

    CVE-2024-10176

    CVE-2024-10176

    Título es
    CVE-2024-10176

    Jue, 24/10/2024 – 11:15

    Tipo
    CWE-79

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-10176

    Descripción en
    The Compact WP Audio Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's
    sc_embed_player shortcode in all versions up to, and including, 1.9.13 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

    24/10/2024
    24/10/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

    Gravedad 3.1 (CVSS 3.1 Base Score)
    6.40

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias

  • https://plugins.trac.wordpress.org/browser/compact-wp-audio-player/trunk/shortcodes-functions.php#L79

  • https://plugins.trac.wordpress.org/changeset/3173541/

  • Compact WP Audio Player



  • https://www.wordfence.com/threat-intel/vulnerabilities/id/bba90659-09a8-470a-91d3-d1986562672a?source=cve

    • Enviar en el boletín
    Off

    CVE-2024-9865

    CVE-2024-9865

    Título es
    CVE-2024-9865

    Jue, 24/10/2024 – 07:15

    Tipo
    CWE-79

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-9865

    Descripción es
    El complemento EventPrime – Events Calendar, Bookings and Tickets para WordPress es vulnerable a cross-site scripting almacenado a través de los campos 'ep_booking_attendee_fields' en todas las versiones hasta la 4.0.4.7 incluida, debido a una desinfección de entrada y un escape de salida insuficientes. Esto permite que atacantes no autenticados inyecten secuencias de comandos web arbitrarias en páginas que se ejecutarán cada vez que un usuario acceda al registro de transacciones de una reserva.

    Descripción en
    The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘ep_booking_attendee_fields’ fields in all versions up to, and including, 4.0.4.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the transaction log for a booking.

    24/10/2024
    24/10/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

    Gravedad 3.1 (CVSS 3.1 Base Score)
    6.10

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias

  • https://plugins.trac.wordpress.org/changeset/3170503/

  • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3168585%40eventprime-event-calendar-management&new=3168585%40eventprime-event-calendar-management

  • https://www.wordfence.com/threat-intel/vulnerabilities/id/18ded977-5297-4b6f-b9f3-0567f995d08a?source=cve

    • Enviar en el boletín
    Off