CVE-2024-11707

CVE-2024-11707

Título es
CVE-2024-11707

Mar, 03/12/2024 – 08:15

Tipo
CWE-79

Gravedad 2.0 Txt
Pendiente de análisis

Título en

CVE-2024-11707

Descripción es
El complemento My auctions allegro para WordPress es vulnerable a ataques de cross site scripting reflejado a través del parámetro 'page' en todas las versiones hasta la 3.6.17 incluida, debido a una desinfección de entrada y un escape de salida insuficientes. Esto permite que atacantes no autenticados inyecten scripts web arbitrarios en páginas que se ejecutan si logran engañar a un usuario para que realice una acción, como hacer clic en un enlace.

Descripción en
The My auctions allegro plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 3.6.17 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

03/12/2024
03/12/2024
Vector CVSS:3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Gravedad 3.1 (CVSS 3.1 Base Score)
6.10

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
MEDIUM

Referencias

  • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3197924%40my-auctions-allegro-free-edition&new=3197924%40my-auctions-allegro-free-edition

  • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3198824%40my-auctions-allegro-free-edition&new=3198824%40my-auctions-allegro-free-edition

  • https://www.wordfence.com/threat-intel/vulnerabilities/id/57a78696-5892-4621-992f-5e4a7d8fa965?source=cve

    • Enviar en el boletín
    Off

    CVE-2024-11461

    CVE-2024-11461

    Título es
    CVE-2024-11461

    Mar, 03/12/2024 – 08:15

    Tipo
    CWE-79

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-11461

    Descripción es
    El complemento Form Data Collector para WordPress es vulnerable a ataques de cross site scripting reflejado a través del parámetro 'page' en todas las versiones hasta la 2.2.3 incluida, debido a una desinfección de entrada y un escape de salida insuficientes. Esto permite que atacantes no autenticados inyecten scripts web arbitrarios en páginas que se ejecutan si logran engañar a un usuario para que realice una acción, como hacer clic en un enlace.

    Descripción en
    The Form Data Collector plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 2.2.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

    03/12/2024
    03/12/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

    Gravedad 3.1 (CVSS 3.1 Base Score)
    6.10

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias

  • https://plugins.trac.wordpress.org/browser/form-data-collector/tags/2.2.3/index.php#L165

  • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3199031%40form-data-collector&new=3199031%40form-data-collector

  • https://www.wordfence.com/threat-intel/vulnerabilities/id/6dba72ee-7c38-4e10-9c0c-35d12aa83442?source=cve

    • Enviar en el boletín
    Off

    CVE-2024-9200

    CVE-2024-9200

    Título es
    CVE-2024-9200

    Mar, 03/12/2024 – 02:15

    Tipo
    CWE-78

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-9200

    Descripción en
    A post-authentication command injection vulnerability in the "host" parameter of the diagnostic function in Zyxel VMG4005-B50A firmware versions through V5.15(ABQA.2.2)C0 could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on a vulnerable device.

    03/12/2024
    03/12/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

    Gravedad 3.1 (CVSS 3.1 Base Score)
    7.20

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    HIGH

    Referencias

  • https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-buffer-overflow-and-post-authentication-command-injection-vulnerabilities-in-some-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-and-wifi-extenders-12-03-2024

    • Enviar en el boletín
    Off

    CVE-2024-9197

    CVE-2024-9197

    Título es
    CVE-2024-9197

    Mar, 03/12/2024 – 02:15

    Tipo
    CWE-120

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-9197

    Descripción en
    A post-authentication buffer overflow vulnerability in the parameter "action" of the CGI program in Zyxel VMG3625-T50B firmware versions through V5.50(ABPM.9.2)C0 could allow an authenticated attacker with administrator privileges to cause a temporary denial of service (DoS) condition against the web management interface by sending a crafted HTTP GET request to a vulnerable device if the function ZyEE is enabled.

    03/12/2024
    03/12/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

    Gravedad 3.1 (CVSS 3.1 Base Score)
    4.90

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias

  • https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-buffer-overflow-and-post-authentication-command-injection-vulnerabilities-in-some-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-and-wifi-extenders-12-03-2024

    • Enviar en el boletín
    Off

    CVE-2024-8748

    CVE-2024-8748

    Título es
    CVE-2024-8748

    Mar, 03/12/2024 – 02:15

    Tipo
    CWE-120

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-8748

    Descripción en
    A buffer overflow vulnerability in the packet parser of the third-party library "libclinkc" in Zyxel VMG8825-T50K firmware versions through V5.50(ABOM.8.4)C0 could allow an attacker to cause a temporary denial of service (DoS) condition against the web management interface by sending a crafted HTTP POST request to a vulnerable device.

    03/12/2024
    03/12/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

    Gravedad 3.1 (CVSS 3.1 Base Score)
    7.50

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    HIGH

    Referencias

  • https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-buffer-overflow-and-post-authentication-command-injection-vulnerabilities-in-some-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-and-wifi-extenders-12-03-2024

    • Enviar en el boletín
    Off

    CVE-2024-45068

    CVE-2024-45068

    Título es
    CVE-2024-45068

    Mar, 03/12/2024 – 03:15

    Tipo
    CWE-1392

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-45068

    Descripción en
    Authentication credentials leakage vulnerability in Hitachi Ops Center Common Services within Hitachi Ops Center OVA.

    This issue affects Hitachi Ops Center Common Services: from 10.9.3-00 before 11.0.3-00; Hitachi Ops Center OVA: from 10.9.3-00 before 11.0.2-01.

    03/12/2024
    03/12/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

    Gravedad 3.1 (CVSS 3.1 Base Score)
    7.10

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    HIGH

    Referencias

  • https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2024-149/index.html

    • Enviar en el boletín
    Off

    CVE-2024-9694

    CVE-2024-9694

    Título es
    CVE-2024-9694

    Mar, 03/12/2024 – 03:15

    Tipo
    CWE-79

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-9694

    Descripción en
    The CMSMasters Elementor Addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 1.14.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

    03/12/2024
    03/12/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

    Gravedad 3.1 (CVSS 3.1 Base Score)
    6.40

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias

  • CMSMasters Elementor Addon Changelog



  • https://www.wordfence.com/threat-intel/vulnerabilities/id/7eb78b64-ebe3-44e9-9061-d380693c5566?source=cve

    • Enviar en el boletín
    Off

    CVE-2018-9449

    CVE-2018-9449

    Título es
    CVE-2018-9449

    Mar, 03/12/2024 – 01:15

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2018-9449

    Descripción en
    In process_service_search_attr_rsp of sdp_discovery.cc, there is a possible out of bound read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

    03/12/2024
    03/12/2024
    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias

  • https://source.android.com/docs/security/bulletin/pixel/2018-08-01

    • Enviar en el boletín
    Off

    CVE-2018-9441

    CVE-2018-9441

    Título es
    CVE-2018-9441

    Mar, 03/12/2024 – 01:15

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2018-9441

    Descripción en
    In sdp_copy_raw_data of sdp_discovery.cc, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.

    03/12/2024
    03/12/2024
    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias

  • https://source.android.com/docs/security/bulletin/pixel/2018-08-01

    • Enviar en el boletín
    Off

    CVE-2024-53941

    CVE-2024-53941

    Título es
    CVE-2024-53941

    Lun, 02/12/2024 – 22:15

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-53941

    Descripción en
    An issue was discovered in Victure RX1800 WiFi 6 Router (software EN_V1.0.0_r12_110933, hardware 1.0) devices. A remote attacker (in proximity to a Wi-Fi network) can derive the default Wi-Fi PSK value via the last 4 octets of the BSSID.

    02/12/2024
    02/12/2024
    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias

  • https://github.com/actuator/cve/blob/main/Victure/CVE-2024-53941.txt

  • https://github.com/actuator/cve/blob/main/Victure/Victure_RX1800_Security_Report.pdf

    • Enviar en el boletín
    Off