CVE-2024-5441

CVE-2024-5441

Título es
CVE-2024-5441

Mar, 09/07/2024 – 06:15

Gravedad 2.0 Txt
Pendiente de análisis

Título en

CVE-2024-5441

Descripción en
The Modern Events Calendar plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the set_featured_image function in all versions up to, and including, 7.11.0. This makes it possible for authenticated attackers, with subscriber access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. The plugin allows administrators (via its settings) to extend the ability to submit events to unauthenticated users, which would allow unauthenticated attackers to exploit this vulnerability.

09/07/2024
09/07/2024
Vector CVSS:3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Gravedad 3.1 (CVSS 3.1 Base Score)
8.80

Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
HIGH

Referencias

  • https://webnus.net/modern-events-calendar/

  • https://www.wordfence.com/threat-intel/vulnerabilities/id/0c007090-9d9b-4ee7-8f77-91abd4373051?source=cve

    • Enviar en el boletín
    Off

    CVE-2024-6334

    CVE-2024-6334

    Título es
    CVE-2024-6334

    Mar, 09/07/2024 – 06:15

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-6334

    Descripción en
    The Easy Table of Contents WordPress plugin before 2.0.67.1 does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

    09/07/2024
    09/07/2024
    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias

  • https://wpscan.com/vulnerability/6c09083c-6960-4369-8c5c-ad20e34aaa8b/

    • Enviar en el boletín
    Off

    CVE-2024-5802

    CVE-2024-5802

    Título es
    CVE-2024-5802

    Mar, 09/07/2024 – 06:15

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-5802

    Descripción en
    The URL Shortener by Myhop WordPress plugin through 1.0.17 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

    09/07/2024
    09/07/2024
    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias

  • https://wpscan.com/vulnerability/cd37f702-9144-4c98-9b08-c63e510cd97f/

    • Enviar en el boletín
    Off

    CVE-2024-5488

    CVE-2024-5488

    Título es
    CVE-2024-5488

    Mar, 09/07/2024 – 06:15

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-5488

    Descripción en
    The SEOPress WordPress plugin before 7.9 does not properly protect some of its REST API routes, which combined with another Object Injection vulnerability can allow unauthenticated attackers to unserialize malicious gadget chains, compromising the site if a suitable chain is present.

    09/07/2024
    09/07/2024
    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    Pendiente de análisis

    Referencias

  • https://wpscan.com/vulnerability/28507376-ded0-4e1a-b2fc-2182895aa14c/

    • Enviar en el boletín
    Off

    CVE-2024-28748

    CVE-2024-28748

    Título es
    CVE-2024-28748

    Mar, 09/07/2024 – 07:15

    Tipo
    CWE-78

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-28748

    Descripción en
    A remote attacker with high privileges may use a reading file function to inject OS commands.

    09/07/2024
    09/07/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

    Gravedad 3.1 (CVSS 3.1 Base Score)
    7.20

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    HIGH

    Referencias

  • https://cert.vde.com/en/advisories/VDE-2024-012

    • Enviar en el boletín
    Off

    CVE-2024-28747

    CVE-2024-28747

    Título es
    CVE-2024-28747

    Mar, 09/07/2024 – 07:15

    Tipo
    CWE-798

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-28747

    Descripción en
    An unauthenticated remote attacker can use the hard-coded credentials to access the SmartSPS devices with high privileges.

    09/07/2024
    09/07/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    Gravedad 3.1 (CVSS 3.1 Base Score)
    9.80

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    CRITICAL

    Referencias

  • https://cert.vde.com/en/advisories/VDE-2024-012

    • Enviar en el boletín
    Off

    CVE-2024-22062

    CVE-2024-22062

    Título es
    CVE-2024-22062

    Mar, 09/07/2024 – 07:15

    Tipo
    CWE-346

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-22062

    Descripción en
    There is a permissions and access control vulnerability in ZXCLOUD IRAI.An attacker can elevate non-administrator permissions to administrator permissions by modifying the configuration.

    09/07/2024
    09/07/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L

    Gravedad 3.1 (CVSS 3.1 Base Score)
    6.30

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    MEDIUM

    Referencias

  • https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1036204

    • Enviar en el boletín
    Off

    CVE-2024-28751

    CVE-2024-28751

    Título es
    CVE-2024-28751

    Mar, 09/07/2024 – 07:15

    Tipo
    CWE-78

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-28751

    Descripción en
    An high privileged remote attacker can enable telnet access that accepts hardcoded credentials. 

    09/07/2024
    09/07/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

    Gravedad 3.1 (CVSS 3.1 Base Score)
    9.10

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    CRITICAL

    Referencias

  • https://cert.vde.com/en/advisories/VDE-2024-012

    • Enviar en el boletín
    Off

    CVE-2024-28750

    CVE-2024-28750

    Título es
    CVE-2024-28750

    Mar, 09/07/2024 – 07:15

    Tipo
    CWE-78

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-28750

    Descripción en
    A remote attacker with high privileges may use a deleting file function to inject OS commands.

    09/07/2024
    09/07/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

    Gravedad 3.1 (CVSS 3.1 Base Score)
    7.20

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    HIGH

    Referencias

  • https://cert.vde.com/en/advisories/VDE-2024-012

    • Enviar en el boletín
    Off

    CVE-2024-28749

    CVE-2024-28749

    Título es
    CVE-2024-28749

    Mar, 09/07/2024 – 07:15

    Tipo
    CWE-78

    Gravedad 2.0 Txt
    Pendiente de análisis

    Título en

    CVE-2024-28749

    Descripción en
    A remote attacker with high privileges may use a writing file function to inject OS commands.

    09/07/2024
    09/07/2024
    Vector CVSS:3.1
    CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

    Gravedad 3.1 (CVSS 3.1 Base Score)
    7.20

    Gravedad 3.1 Txt Gravedad 3.1 (CVSS 3.1 Base Score)
    HIGH

    Referencias

  • https://cert.vde.com/en/advisories/VDE-2024-012

    • Enviar en el boletín
    Off