AtRisk August 29, 2024 Vol. XXIV

Jump to:

Internet Storm Center Spotlight
Recent CVEs
Sponsors
Read More

Vega-Lite with Kibana to Parse and Display IP Activity over Time (2024.08.27) https://isc.sans.edu/diary/VegaLite+with+Kibana+to+Parse+and+Display+IP+Activity+over+Time/31210/ Why Is Python so Popular to Infect Windows Hosts? (2024.08.27) https://isc.sans.edu/diary/Why+Is+Python+so+Popular+to+Infect+Windows+Hosts/31208/ Pandas Errors: What encoding are my logs in? (2024.08.23) https://isc.sans.edu/diary/Pandas+Errors+What+encoding+are+my+logs+in/31200/

The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.

Product: Microsoft Windows CVSS Score: AtRiskScore 80 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-38063 ISC Podcast: https://isc.sans.edu/podcastdetail/9104

Product: Versa Networks Versa Director CVSS Score: 7.2 ** KEV since 2024-08-23 ** NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-39717 ISC Podcast: https://isc.sans.edu/podcastdetail/9116 NVD References:

cve-2024-39717-versa-director-dangerous-file-type-upload-vulnerability/" target="_self">https://versa-networks.com/blog/versa-security-bulletin-update-on-cve-2024-39717-versa-director-dangerous-file-type-upload-vulnerability/

Product: Apache OFBiz CVSS Score: 0 ** KEV since 2024-08-27 ** NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-38856 ISC Podcast: https://isc.sans.edu/podcastdetail/9116

Product: PHP CVSS Score: 0 ** KEV since 2024-06-12 ** NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-4577 ISC Podcast: https://isc.sans.edu/podcastdetail/9106

Product: Google Chrome CVSS Score: 8.8 ** KEV since 2024-08-28 ** NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-7965 NVD References: - https://chromereleases.googleblog.com/2024/08/stable-channel-update-for-desktop_21.html - https://issues.chromium.org/issues/356196918

Product: Google Chrome CVSS Score: 8.8 ** KEV since 2024-08-26 ** NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-7971 NVD References: - https://chromereleases.googleblog.com/2024/08/stable-channel-update-for-desktop_21.html - https://issues.chromium.org/issues/360700873

Product: GiveWP Active Installations: 100,000+ CVSS Score: 9.8 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-5932 NVD References: https://plugins.trac.wordpress.org/browser/give/tags/3.12.0/includes/login-register.php#L235 NVD References: - https://www.wordfence.com/blog/2024/08/4998-bounty-awarded-and-100000-wordpress-sites-protected-against-unauthenticated-remote-code-execution-vulnerability-patched-in-givewp-wordpress-plugin/ - https://www.wordfence.com/threat-intel/vulnerabilities/id/93e2d007-8157-42c5-92ad-704dc80749a3?source=cve

Product: Adonesevangelista Online Blood Bank Management System CVSS Score: 9.8 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-7946 NVD References: - https://github.com/a1175165157/cve/issues/1 - https://vuldb.com/?ctiid.275138 - https://vuldb.com/?id.275138 - https://vuldb.com/?submit.393382

Product: Janobe Point Of Sales And Inventory Management System CVSS Score: 9.8 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-7947 NVD References: - https://github.com/CveSecLook/cve/issues/60 - https://vuldb.com/?ctiid.275139 - https://vuldb.com/?id.275139 - https://vuldb.com/?submit.393525

Product: Bitapps Contact Form Builder Active Installations: 6,000+ CVSS Score: 9.0 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-7777 NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/4deb128d-0163-4a8e-9591-87352f74c3ef?source=cve

Product: ChatGPT Chatbot Active Installations: 40+ CVSS Score: 9.8 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-6847 NVD References: https://wpscan.com/vulnerability/baa860bb-3b7d-438a-ad54-92bf8e21e851/

Product: Apache DolphinScheduler CVSS Score: 9.8 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-43202 NVD References: - https://github.com/apache/dolphinscheduler/pull/15758 - https://lists.apache.org/thread/nlmdp7q7l7o3l27778vxc5px24ncr5r5 - https://lists.apache.org/thread/qbhk9wqyxhrn4z7m4m343wqxpwg926nh - https://www.cve.org/CVERecord?id=CVE-2023-49109

Product: Hargal Windows Client CVSS Score: 9.8 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-42334 NVD References: https://www.gov.il/en/Departments/faq/cve_advisories

Product: Servision IVG Webmax 1.0.57 CVSS Score: 9.8 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-42336 NVD References: https://www.gov.il/en/Departments/faq/cve_advisories

CVE-2024-42556 & CVE-2024-42558 - Hotel Management System commit 91caab8 was discovered to contain SQL injection vulnerabilities Product: Hotel Management System commit 91caab8 CVSS Score: 9.8 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-42556 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-42558 NVD References: https://gist.github.com/topsky979/9688bcdd3e05ba79ebf4ff1042609b20 NVD References: https://gist.github.com/topsky979/9651b4977e86f5b1bcae7a8959ff3342

Product: Hotel Management System commit 79d688 CVSS Score: 9.8 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-42559 NVD References: https://gist.github.com/topsky979/99d2ebf7b5598ef227262ba1b2bb392f/edit

Product: Pharmacy Management System commit a2efc8 CVSS Score: 9.8 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-42562 NVD References: https://gist.github.com/topsky979/2dcca275bcc18e8058cefef714a2f61b

Product: ERP commit 44bd04 CVSS Score: 9.8 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-42563 NVD References: https://gist.github.com/topsky979/f645f99661ff33aed44d65dfa49e36fe

Product: ERP commit 44bd04 CVSS Score: 9.8 AtRiskScore 30 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-42565 NVD References: https://gist.github.com/topsky979/648f2cd4f5e58560cbc9308d06e2f876

Product: Keyfactor Command CVSS Score: 9.8 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-33872 NVD References: https://trust.keyfactor.com/?itemUid=d73921fd-bc9e-4e35-a974-cfb628e6a226

Product: Go-Tribe-Admin CVSS Score: 9.8 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8003 NVD References: - https://github.com/Go-Tribe/gotribe-admin/commit/45ac90d6d1f82716f77dbcdf8e7309c229080e3c - https://github.com/Go-Tribe/gotribe-admin/issues/1 - https://github.com/Go-Tribe/gotribe-admin/issues/1#issuecomment-2298187923 - https://vuldb.com/?ctiid.275198 - https://vuldb.com/?id.275198 - https://vuldb.com/?submit.393987

Product: Demozx Gf CMSCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8005NVD References: - https://github.com/demozx/gf_cms/commit/be702ada7cb6fdabc02689d90b38139c827458a5- https://github.com/demozx/gf_cms/commit/de51cc57a96ccca905c837ef925c2cc3a5241383- https://github.com/demozx/gf_cms/issues/5- https://github.com/demozx/gf_cms/issues/5#issuecomment-2296590417- https://vuldb.com/?ctiid.275199- https://vuldb.com/?id.275199- https://vuldb.com/?submit.393981CVE-2024-30949 - Newlib v.4.3.0 allows an attacker to execute arbitrary code through a vulnerability in the _gettimeofday function.Product: Newlib Project CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-30949NVD References: - https://gist.github.com/visitorckw/6b26e599241ea80210ea136b28441661- https://inbox.sourceware.org/newlib/20231129035714.469943-1-visitorckw%40gmail.com/- https://sourceware.org/git/?p=newlib-cygwin.git%3Ba=commit%3Bh=5f15d7c5817b07a6b18cbab17342c95cb7b42be4CVE-2024-35540 - Typecho v1.3.0 is vulnerable to stored cross-site scripting attacks, enabling malicious actors to run unauthorized web scripts or HTML by manipulating input data.Product: Typecho CVSS Score: 9.0NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-35540NVD References: https://cyberaz0r.info/2024/08/typecho-multiple-vulnerabilities/CVE-2024-43404 - MEGABOT prior to version 1.5.0 has a remote code execution vulnerability through the `/math` command in Discord.Product: Megacord MegabotCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-43404NVD References: https://github.com/NicPWNs/MEGABOT/security/advisories/GHSA-vhxp-4hwq-w3p2CVE-2024-27185 - The pagination class includes arbitrary parameters in links, leading to cache poisoning attack vectors.Product: Joomla! CMS versions 3.0.0-3.10.16-elts, 4.0.0-4.4.6, 5.0.0-5.1.2 CVSS Score: 9.1NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-27185NVD References: https://developer.joomla.org/security-centre/942-20240802-core-cache-poisoning-in-pagination.htmlCVE-2024-38175 - Azure Managed Instance for Apache Cassandra has an improper access control vulnerability allowing an authenticated attacker to elevate privileges over a network.Product: Microsoft Azure Managed Instance for Apache CassandraCVSS Score: 9.6NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-38175NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38175CVE-2024-7854 - The Woo Inquiry plugin for WordPress is vulnerable to SQL Injection due to insufficient escaping on the 'dbid' parameter, allowing unauthenticated attackers to extract sensitive information from the database.Product: WordPress Woo Inquiry pluginActive Installations: unknown. This plugin has been closed as of August 19, 2024 and is not available for download. This closure is temporary, pending a full review.CVSS Score: 10.0NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-7854NVD References: - https://plugins.trac.wordpress.org/browser/woo-inquiry/trunk/includes/functions.php?rev=2088873#L307- https://www.wordfence.com/threat-intel/vulnerabilities/id/312a6601-c914-4661-82ff-6f8bac849442?source=cveCVE-2024-5335 - The Ultimate Store Kit Elementor Addons is vulnerable to PHP Object Injection via deserialization of untrusted input.Product: Brainstorm Force The Ultimate Store Kit Elementor AddonsActive Installations: 1,000+CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-5335NVD References: - https://plugins.trac.wordpress.org/browser/ultimate-store-kit/trunk/includes/helper.php#L1103- https://plugins.trac.wordpress.org/changeset/3135472/ultimate-store-kit/trunk/includes/helper.php- https://www.wordfence.com/threat-intel/vulnerabilities/id/2ae44bcb-6149-4661-8890-23c867e9a918?source=cveCVE-2024-28000 - LiteSpeed Technologies LiteSpeed Cache litespeed-cache version 1.9 through 6.3.0.1 allows Privilege Escalation via Incorrect Privilege Assignment vulnerability.Product: LiteSpeed Technologies LiteSpeed CacheActive Installations: 5,000,000+CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-28000NVD References: - https://patchstack.com/articles/critical-privilege-escalation-in-litespeed-cache-plugin-affecting-5-million-sites?_s_id=cve- https://patchstack.com/database/vulnerability/litespeed-cache/wordpress-litespeed-cache-plugin-6-3-0-1-unauthenticated-privilege-escalation-vulnerability?_s_id=cveCVE-2024-40453 - squirrellyjs squirrelly v9.0.0 and fixed in v.9.0.1 was discovered to contain a code injection vulnerability via the component options.varName.Product: Squirrelly CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-40453NVD References: - https://github.com/squirrellyjs/squirrelly- https://github.com/squirrellyjs/squirrelly/pull/262- https://samuzora.com/posts/cve-2024-40453CVE-2024-42777 - Kashipara Music Management System v1.0 is vulnerable to an Unrestricted file upload vulnerability in "/music/ajax.php?action=signup", enabling attackers to execute arbitrary code by uploading a crafted PHP file.Product: Lopalopa Mu…

Product: Typecho CVSS Score: 9.0 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-35540 NVD References: https://cyberaz0r.info/2024/08/typecho-multiple-vulnerabilities/

Product: Megacord Megabot CVSS Score: 9.8 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-43404 NVD References: https://github.com/NicPWNs/MEGABOT/security/advisories/GHSA-vhxp-4hwq-w3p2

Product: Joomla! CMS versions 3.0.0-3.10.16-elts, 4.0.0-4.4.6, 5.0.0-5.1.2 CVSS Score: 9.1 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-27185 NVD References: https://developer.joomla.org/security-centre/942-20240802-core-cache-poisoning-in-pagination.html

Product: Microsoft Azure Managed Instance for Apache Cassandra CVSS Score: 9.6 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-38175 NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38175

Product: WordPress Woo Inquiry plugin Active Installations: unknown. This plugin has been closed as of August 19, 2024 and is not available for download. This closure is temporary, pending a full review. CVSS Score: 10.0 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-7854 NVD References: - https://plugins.trac.wordpress.org/browser/woo-inquiry/trunk/includes/functions.php?rev=2088873#L307 - https://www.wordfence.com/threat-intel/vulnerabilities/id/312a6601-c914-4661-82ff-6f8bac849442?source=cve

Product: Brainstorm Force The Ultimate Store Kit Elementor Addons Active Installations: 1,000+ CVSS Score: 9.8 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-5335 NVD References: - https://plugins.trac.wordpress.org/browser/ultimate-store-kit/trunk/includes/helper.php#L1103 - https://plugins.trac.wordpress.org/changeset/3135472/ultimate-store-kit/trunk/includes/helper.php - https://www.wordfence.com/threat-intel/vulnerabilities/id/2ae44bcb-6149-4661-8890-23c867e9a918?source=cve

Product: LiteSpeed Technologies LiteSpeed Cache Active Installations: 5,000,000+ CVSS Score: 9.8 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-28000 NVD References: - https://patchstack.com/articles/critical-privilege-escalation-in-litespeed-cache-plugin-affecting-5-million-sites?_s_id=cve - https://patchstack.com/database/vulnerability/litespeed-cache/wordpress-litespeed-cache-plugin-6-3-0-1-unauthenticated-privilege-escalation-vulnerability?_s_id=cve

Product: Squirrelly CVSS Score: 9.8 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-40453 NVD References: - https://github.com/squirrellyjs/squirrelly - https://github.com/squirrellyjs/squirrelly/pull/262 - https://samuzora.com/posts/cve-2024-40453

Product: Lopalopa Music Management System CVSS Score: 9.8 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-42777 NVD References: https://github.com/takekaramey/CVE_Writeup/blob/main/Kashipara/Music%20Management%20System%20v1.0/Unrestricted%20File%20Upload%20-%20SignUp.pdf

CVE-2024-42781, CVE-2024-42782, & CVE-2024-42784 - Kashipara Music Management System v1.0 is vulnerable to SQL injection Product: Lopalopa Music Management System CVSS Score: 9.8 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-42781 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-42782 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-42784 NVD References: https://github.com/takekaramey/CVE_Writeup/blob/main/Kashipara/Music%20Management%20System%20v1.0/SQL%20Injection%20-%20Login.pdf NVD References: https://github.com/takekaramey/CVE_Writeup/blob/main/Kashipara/Music%20Management%20System%20v1.0/SQL%20Injection%20-%20Find%20Music.pdf NVD References: https://github.com/takekaramey/CVE_Writeup/blob/main/Kashipara/Music%20Management%20System%20v1.0/SQL%20Injection%20-%20View%20Music%20List.pdf NVD References: https://www.kashipara.com/project/php/12978/music-management-system-in-php-php-project-source-code

Product: WPML WordPress Active Installations: 1,000,000+ CVSS Score: 9.9 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-6386 NVD References: - https://sec.stealthcopter.com/wpml-rce-via-twig-ssti/ - https://wpml.org/ - https://www.wordfence.com/threat-intel/vulnerabilities/id/f7fc91cc-e529-4362-8269-bf7ee0766e1e?source=cve

Product: SolarWinds Web Help Desk CVSS Score: 9.1 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-28987 NVD References: - https://support.solarwinds.com/SuccessCenter/s/article/SolarWinds-Web-Help-Desk-12-8-3-Hotfix-2 - https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28987

Product: Mirai botnet CVSS Score: 9.1 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-45163 NVD References: - https://cypressthatkid.medium.com/remote-dos-exploit-found-in-mirai-botnet-source-code-27a1aad284f1 - https://pastebin.com/6tqHnCva - https://youtu.be/aJkvSr85ML8 CVE-2024-45166, CVE-2024-45167. &

Product: UCI IDOL 2 CVSS Score: 9.8 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-45166 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-45167 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-45169 NVD References: - http://download.uci.de/idol2/idol2Client_2_12.exe - https://uci.de/download/idol2-client.html - https://uci.de/products/index.html - https://www.syss.de/en/responsible-disclosure-policy - https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-050.txt - https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-051.txt - https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-052.txt

Product: UCI IDOL CVSS Score: 9.1 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-45168 NVD References: - http://download.uci.de/idol2/idol2Client_2_12.exe - https://uci.de/download/idol2-client.html - https://uci.de/products/index.html - https://www.syss.de/en/responsible-disclosure-policy - https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-049.txt

Product: Swissphone DiCal-RED 4009 CVSS Score: 9.4 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-36439 NVD References: - https://www.swissphone.com/en-us/solutions/components/terminals/radio-data-module-dical-red/ - https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-038.txt

Product: Swissphone DiCal-RED 4009 CVSS Score: 9.8 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-36445 NVD References: - https://www.swissphone.com/en-us/solutions/components/terminals/radio-data-module-dical-red/ - https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-035.txt

Product: Forcepoint Web Security CVSS Score: 9.6 NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-6452 NVD References: https://support.forcepoint.com/s/article/000042212

Product: Matrix libolm (Olm) CVSS Score: 9.8 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-45191 NVD References: - https://gitlab.matrix.org/matrix-org/olm/ - https://gitlab.matrix.org/matrix-org/olm/-/commit/6d4b5b07887821a95b144091c8497d09d377f985 - https://news.ycombinator.com/item?id=41249371 - https://soatok.blog/2024/08/14/security-issues-in-matrixs-olm-library/

Product: Kashipara Hotel Management System v1.0 CVSS Score: 9.1 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-42775 NVD References: - https://github.com/takekaramey/CVE_Writeup/blob/main/Kashipara/Hotel%20Management%20System%20v1.0/Broken%20Access%20Control%20-%20Add%20New%20Room%20Entry.pdf - https://www.kashipara.com/

Product: Kevinwong Payroll Management System CVSS Score: 9.8 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8081 NVD References: - https://github.com/ppp-src/ha/issues/6 - https://itsourcecode.com/ - https://vuldb.com/?ctiid.275563 - https://vuldb.com/?id.275563 - https://vuldb.com/?submit.396110

CVE-2024-8086 & CVE-2024-8087 - SourceCodester E-Commerce System 1.0 critical sql injection vulnerabilities Product: Janobe E-Commerce System CVSS Score: 9.8 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8086 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8087 NVD References: https://github.com/0xffaaa/cve/blob/main/ecommerce-Universal%20password%20bypasses%20login%20verification.md NVD References: https://github.com/0xffaaa/cve/blob/main/ecommerce-Unauthorized%20sql%20union%20injection.md

Product: Janobe E-Commerce System CVSS Score: 9.8 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8089 NVD References: - https://github.com/0xffaaa/cve/blob/main/ecommerce-Unauthorized%20arbitrary%20file%20upload%20vulnerability.md - https://vuldb.com/?ctiid.275568 - https://vuldb.com/?id.275568 - https://vuldb.com/?submit.396324 - https://www.sourcecodester.com/

Product: Kashipara Bus Ticket Reservation System CVSS Score: 9.4 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-42764 NVD References: - https://github.com/takekaramey/CVE_Writeup/blob/main/Kashipara/Bus%20Ticket%20Reservation%20System%20v1.0/CSRF.pdf - https://www.kashipara.com/

Product: Kashipara Bus Ticket Reservation System CVSS Score: 9.8 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-42765 NVD References: - https://github.com/takekaramey/CVE_Writeup/blob/main/Kashipara/Bus%20Ticket%20Reservation%20System%20v1.0/SQL%20Injection%20-%20Login.pdf - https://www.kashipara.com/

CVE-2024-44381 & CVE-2024-44382 - D-Link DI_8004W 16.07.26A1 contains command execution vulnerabilities Product: D-Link DI_8004W CVSS Score: 9.8 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-44381 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-44382 NVD References: https://github.com/GroundCTL2MajorTom/pocs/blob/main/dlink_DI8004W.md NVD References: https://www.dlink.com/en/security-bulletin/

Product: Centreon Web CVSS Scores: 9.1 - 9.8 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-32501 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-33852 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-33853 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-33854 NVD References: https://github.com/centreon/centreon/releases NVD References: https://thewatch.centreon.com/latest-security-bulletins-64/security-bulletin-for-centreon-web-3744

Product: Ezviz Internet PT Camera CS-CV246 D15655150 CVSS Score: 9.8 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-42531 NVD References: - http://ezviz.com - https://github.com/Anonymous120386/Anonymous

Product: SPIP porte_plume plugin CVSS Score: 9.8 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-7954 NVD References: - https://blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-3-0-alpha2-SPIP-4-2-13-SPIP-4.html - https://thinkloveshare.com/hacking/spip_preauth_rce_2024_part_1_the_feather/ - https://vulncheck.com/advisories/spip-porte-plume

Product: ArrowHitech ArrowCMSCVSS Score: 9.1NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-42914NVD References: - https://github.com/soursec/CVEs/tree/main/CVE-2024-42914- https://github.com/trquoccuong/ArrowCMS/CVE-2024-7568 - The Favicon Generator plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to 1.5, allowing unauthenticated attackers to delete arbitrary files on the server by tricking a site administrator into clicking on a forged link.Product: WordPress Favicon Generator pluginActive Installations: 300+CVSS Score: 9.6NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-7568NVD References: - https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3139340%40favicon-generator&new=3139340%40favicon-generator&sfp_email=&sfph_mail=- https://www.wordfence.com/threat-intel/vulnerabilities/id/6eb3ad80-3510-4018-91af-b733ef62e28f?source=cveCVE-2024-8127 through CVE-2024-8134 - Multiple D-Link models are vulnerable to remote command injectionProduct: Multiple D-Link modelsCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8127NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8128NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8129NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8130NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8131NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8132NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8133NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8134NVD References: https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_unzip.mdNVD References: https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_add_zip.mdNVD References: https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_s3_modify.mdNVD References: https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_s3.mdNVD References: https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_module_enable_disable.mdNVD References: https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_webdav_mgr.mdNVD References: https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_FMT_R5_SpareDsk_DiskMGR.mdNVD References: https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_FMT_Std2R5_1st_DiskMGR.mdNVD References: https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383NVD References: https://www.dlink.com/CVE-2024-8135 - Go-Tribe has a critical vulnerability in the Sign function in pkg/token/token.go, allowing manipulation of config.key to expose hard-coded credentials.Product: Go-TribeCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8135NVD References: - https://github.com/Go-Tribe/gotribe/commit/4fb9b9e80a2beedd09d9fde4b9cf5bd510baf18f- https://github.com/Go-Tribe/gotribe/issues/1- https://github.com/Go-Tribe/gotribe/issues/1#issuecomment-2307205980- https://vuldb.com/?ctiid.275706- https://vuldb.com/?id.275706- https://vuldb.com/?submit.396310CVE-2024-45237 - Fort before 1.6.3 is vulnerable to a buffer overflow when reading a resource certificate with a Key Usage extension containing more than two bytes of data from a malicious RPKI repository.Product: Nicmx Fort-ValidatorCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-45237NVD References: https://nicmx.github.io/FORT-validator/CVE.htmlCVE-2024-8138 - Pharmacy Management System 1.0 is vulnerable to a critical sql injection in the editManager function of the Parameter Handler component, allowing remote attackers to launch attacks with no available updates due to continuous delivery with rolling releases.Product: Pharmacy Management System Project CVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8138NVD References: - https://code-projects.org/- https://github.com/SYQGITHUB/cve/blob/main/sql1.md- https://vuldb.com/?ctiid.275718- https://vuldb.com/?id.275718- https://vuldb.com/?submit.396817CVE-2024-45258 - The req package for Go before 3.43.4 may unintentionally send a request with a malformed URL due to a "garbage in, garbage out" design flaw in cleanHost.Product: Go req packageCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-45258NVD References: - https://github.com/imroc/req/commit/04e3ece5b380ecad9da3551c449f1b8a9aa76d3d- https://github.com/imroc/req/compare/v3.43.3...v3.43.4CVE-2024-8073 - Hillstone Networks Web Application Firewall on 5.5R6 is susceptible to Command Injection due to improper input validation, impacting versions 5.5R6-2.6.7 through 5.5R6-2.8.13.Product: Hillstone Networks Web Application FirewallCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8073NVD References: https://www.hillstonenet.com.cn/security-notification/2024/08/21/mlzrld-2/CVE-2024-8161 - ATISolutions CIGES before version 2.15.5 is vulnerable to SQL injection, allowing an attacker to access database information through /modules/ajaxServiciosCentro.php.Product: ATISolutions CIGESCVSS Score: 9.8NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8161NVD References: https://www.incibe.es/en/incibe-cert/notices/aviso/sql-injec…

Product: WordPress Favicon Generator plugin Active Installations: 300+ CVSS Score: 9.6 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-7568 NVD References: - https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3139340%40favicon-generator&new=3139340%40favicon-generator&sfp_email=&sfph_mail= - https://www.wordfence.com/threat-intel/vulnerabilities/id/6eb3ad80-3510-4018-91af-b733ef62e28f?source=cve

Product: Multiple D-Link models CVSS Score: 9.8 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8127 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8128 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8129 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8130 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8131 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8132 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8133 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8134 NVD References: https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_unzip.md NVD References: https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_add_zip.md NVD References: https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_s3_modify.md NVD References: https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_s3.md NVD References: https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_module_enable_disable.md NVD References: https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_webdav_mgr.md NVD References: https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_FMT_R5_SpareDsk_DiskMGR.md NVD References: https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_FMT_Std2R5_1st_DiskMGR.md NVD References: https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383 NVD References: https://www.dlink.com/

Product: Go-Tribe CVSS Score: 9.8 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8135 NVD References: - https://github.com/Go-Tribe/gotribe/commit/4fb9b9e80a2beedd09d9fde4b9cf5bd510baf18f - https://github.com/Go-Tribe/gotribe/issues/1 - https://github.com/Go-Tribe/gotribe/issues/1#issuecomment-2307205980 - https://vuldb.com/?ctiid.275706 - https://vuldb.com/?id.275706 - https://vuldb.com/?submit.396310

Product: Nicmx Fort-Validator CVSS Score: 9.8 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-45237 NVD References: https://nicmx.github.io/FORT-validator/CVE.html

Product: Pharmacy Management System Project CVSS Score: 9.8 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8138 NVD References: - https://code-projects.org/ - https://github.com/SYQGITHUB/cve/blob/main/sql1.md - https://vuldb.com/?ctiid.275718 - https://vuldb.com/?id.275718 - https://vuldb.com/?submit.396817

Product: Go req package CVSS Score: 9.8 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-45258 NVD References: - https://github.com/imroc/req/commit/04e3ece5b380ecad9da3551c449f1b8a9aa76d3d - https://github.com/imroc/req/compare/v3.43.3...v3.43.4

Product: Hillstone Networks Web Application Firewall CVSS Score: 9.8 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8073 NVD References: https://www.hillstonenet.com.cn/security-notification/2024/08/21/mlzrld-2/

Product: ATISolutions CIGES CVSS Score: 9.8 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8161 NVD References: https://www.incibe.es/en/incibe-cert/notices/aviso/sql-injection-vulnerability-cigesv2-system

Product: TOTOLINK T10 AC1200 4.1.8cu.5207 CVSS Score: 9.8 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8162 NVD References: - https://github.com/rohitburke/TOTOLINK - https://vuldb.com/?ctiid.275760 - https://vuldb.com/?id.275760 - https://vuldb.com/?submit.392015 - https://www.totolink.net/

Product: Rockwell Automation ThinManager® ThinServer™ CVSS Score: 9.8 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-7988 NVD References: https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1692.html

Product: Fabianros Job_Portal 1.0 CVSS Score: 9.8 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8167 NVD References: - https://code-projects.org/ - https://github.com/t4rrega/cve/issues/1 - https://vuldb.com/?ctiid.275766 - https://vuldb.com/?id.275766 - https://vuldb.com/?submit.397714

Product: Fabianros Online_Bus_Reservation_Site 1.0 CVSS Score: 9.8 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8168 NVD References: - https://code-projects.org/ - https://github.com/t4rrega/cve/issues/2 - https://vuldb.com/?ctiid.275767 - https://vuldb.com/?id.275767 - https://vuldb.com/?submit.397715

Product: Fabianros Online_Quiz_Site 1.0 CVSS Score: 9.8 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8169 NVD References: - https://code-projects.org/ - https://github.com/t4rrega/cve/issues/5 - https://vuldb.com/?ctiid.275768 - https://vuldb.com/?id.275768 - https://vuldb.com/?submit.397718

Product: Fastcom FW300R CVSS Score: 9.8 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-41285 NVD References: - https://gist.github.com/Giles-one/834b2becd7abebc3cabea0484301d149 - https://github.com/Giles-one/FW300RouterCrack/ - https://www.fastcom.com.cn/product-8.html

Product: Rems Zipped Folder Manager App CVSS Score: 9.8 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8170 NVD References: - https://github.com/jadu101/CVE/blob/main/SourceCodester_Zipped_Folder_Manager_App_File_Upload.md - https://vuldb.com/?ctiid.275769 - https://vuldb.com/?id.275769 - https://vuldb.com/?submit.397719 - https://www.sourcecodester.com/

Product: Angeljudesuarez Tailoring Management System CVSS Score: 9.8 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8171 NVD References: - https://github.com/t4rrega/cve/issues/6 - https://itsourcecode.com/ - https://vuldb.com/?ctiid.275770 - https://vuldb.com/?id.275770 - https://vuldb.com/?submit.397720

Product: SeaCMS v12.9 CVSS Score: 9.8 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-41444 NVD References: - https://gist.github.com/looppppp/fa328c81ce19c1097d10f95c763d0d50 - https://github.com/seacms-net/CMS - https://www.seacms.net/p-549

Product: SkySystem Arfa-CMS CVSS Score: 9.8 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-45265 NVD References: https://github.com/TheHermione/CVE-2024-45265

Product: App cpanminus CVSS Score: 9.8 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-45321 NVD References: - https://github.com/miyagawa/cpanminus/issues/611 - https://github.com/miyagawa/cpanminus/pull/674 - https://security.metacpan.org/2024/08/26/cpanminus-downloads-code-using-insecure-http.html CVE-2024-3980 - Hitachi Energy MicroSCADA X SYS600 allows user input to manipulate file paths, potentially granting attackers unauthorized access or modification of critical files. Product: Hitachi Energy MicroSCADA X SYS600 CVSS Score: 9.9 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-3980 NVD References: https://publisher.hitachienergy.com/preview?DocumentID=8DBD000160&LanguageCode=en&DocumentPartId=&Action=Launch CVE-2024-4872 - Dynatrace Application Monitoring does not validate any query towards persistent data, resulting in a risk of injection attacks. Product: Dynatrace Application Monitoring CVSS Score: 9.9 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-4872 NVD References: https://publisher.hitachienergy.com/preview?DocumentID=8DBD000160&LanguageCode=en&DocumentPartId=&Action=Launch CVE-2024-6633 - FileCatalyst Workflow is vulnerable to compromise due to default credentials published in a vendor knowledgebase article, allowing for potential attacks on confidentiality, integrity, and availability. Product: FileCatalyst Workflow CVSS Score: 9.8 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-6633 NVD References: https://www.fortra.com/security/advisories/product-security/fi-2024-011 CVE-2024-8030 - The Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider plugin is vulnerable to PHP Object Injection via deserialization of untrusted input via the _ultimate_store_kit_wishlist cookie. Product: The Ultimate Store Kit Elementor Addons Woocommerce Builder Active Installations: 1,000+ CVSS Score: 9.8 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-8030 NVD References: - https://plugins.trac.wordpress.org/changeset/3141022/ultimate-store-kit/trunk/includes/helper.php - https://www.wordfence.com/threat-intel/vulnerabilities/id/ef566dca-91ed-4929-b36b-4e424e07e1d4?source=cve

Product: FileCatalyst Workflow CVSS Score: 9.8 NVD: https://nvd.nist.gov/vuln/detail/CVE-2024-6633 NVD References: https://www.fortra.com/security/advisories/product-security/fi-2024-011

SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals

SANS

SANS

SANS

SANS

SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals

The Consensus Security Vulnerability Alert

Share

Internet Storm Center Spotlight

Internet Storm Center Entries

Recent CVEs

CVE-2024-38063 - Windows TCP/IP Remote Code Execution Vulnerability

CVE-2024-39717 - The Versa Director GUI allows for uploading malicious files under the guise of image files, posing a high severity risk if exploited by authorized admin users with Provider-Data-Center privileges.

cve-2024-39717 - versa-director-dangerous-file-type-upload-vulnerability/

CVE-2024-38856 - Apache OFBiz is susceptible to an Incorrect Authorization vulnerability through version 18.12.14, allowing unauthenticated users to execute screen rendering code under specific conditions.

CVE-2024-4577 - PHP versions 8.1.*, 8.2.*, and 8.3.* on Windows using Apache and PHP-CGI are vulnerable to character substitution leading to potential source code exposure and arbitrary code execution.

CVE-2024-7965 - Google Chrome prior to 128.0.6613.84 is vulnerable to remote attacks due to inappropriate implementation in V8, potentially leading to heap corruption via a crafted HTML page.

CVE-2024-7971 - Google Chrome's Type confusion vulnerability prior to version 128.0.6613.84 enabled a remote attacker to exploit heap corruption via a crafted HTML page.

CVE-2024-5932 - The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection via deserialization of untrusted input, allowing attackers to execute remote code and delete files.

CVE-2024-7946 - Itsourcecode Online Blood Bank Management System 1.0 is vulnerable to a critical sql injection in the User Signup component's register.php file, allowing for remote attacks.

CVE-2024-7947 - SourceCodester Point of Sales and Inventory Management System 1.0 is vulnerable to sql injection in the file login.php through manipulation of the email argument, allowing for remote attacks due to a critical vulnerability that has been publicly disclosed.

CVE-2024-7777 - The Contact Form by Bit Form for WordPress is vulnerable to arbitrary file read and deletion, allowing authenticated attackers to potentially achieve remote code execution.

CVE-2024-6847 - The Chatbot with ChatGPT WordPress plugin before 2.4.5 is vulnerable to SQL injection via unauthenticated user-submitted messages.

CVE-2024-43202 - Apache DolphinScheduler is vulnerable to remote code execution before version 3.2.2, users should update to the latest version to fix the issue.

CVE-2024-42334 - Hargal - CWE-284: Improper Access Control

CVE-2024-42336 - Servision - CWE-287: Improper Authentication

CVE-2024-42556 & CVE-2024-42558 - Hotel Management System commit 91caab8 was discovered to contain SQL injection vulnerabilities

CVE-2024-42559 - Hotel Management System has a vulnerability in its login component that allows attackers to authenticate without a valid password.

CVE-2024-42562 - Pharmacy Management System commit a2efc8 was discovered to contain a SQL injection vulnerability via the invoice_number parameter at preview.php.

CVE-2024-42563 - ERP commit 44bd04 contains an arbitrary file upload vulnerability that allows attackers to execute arbitrary code by uploading a crafted HTML file.

CVE-2024-42565 - ERP commit 44bd04 was discovered to contain a SQL injection vulnerability via the id parameter at /index.php/basedata/contact/delete?action=delete.

CVE-2024-42566 through CVE-2024-42575 - School Management System commit bae5aa was discovered to contain a SQL injection vulnerability via the password parameter at login.php

CVE-2024-33872 - Keyfactor Command versions 10.5.x before 10.5.1 and 11.5.x before 11.5.1 are vulnerable to SQL Injection leading to code execution and privilege escalation.

CVE-2024-8003 - Go-Tribe gotribe-admin 1.0 has a vulnerability in its Log Handler component (InitRoutes function) leading to deserialization manipulation, fixable by applying patch 45ac90d6d1f82716f77dbcdf8e7309c229080e3c.

CVE-2024-8005 - Demozx gf_cms 1.0/1.0.1 is vulnerable to a critical issue in JWT Authentication allowing for remote attackers to manipulate hard-coded credentials, with a fix available in version 1.0.2 (patch: be702ada7cb6fdabc02689d90b38139c827458a5).

CVE-2024-35540 - Typecho v1.3.0 is vulnerable to stored cross-site scripting attacks, enabling malicious actors to run unauthorized web scripts or HTML by manipulating input data.

CVE-2024-43404 - MEGABOT prior to version 1.5.0 has a remote code execution vulnerability through the `/math` command in Discord.

CVE-2024-27185 - The pagination class includes arbitrary parameters in links, leading to cache poisoning attack vectors.

CVE-2024-38175 - Azure Managed Instance for Apache Cassandra has an improper access control vulnerability allowing an authenticated attacker to elevate privileges over a network.

CVE-2024-7854 - The Woo Inquiry plugin for WordPress is vulnerable to SQL Injection due to insufficient escaping on the 'dbid' parameter, allowing unauthenticated attackers to extract sensitive information from the database.

CVE-2024-5335 - The Ultimate Store Kit Elementor Addons is vulnerable to PHP Object Injection via deserialization of untrusted input.

CVE-2024-28000 - LiteSpeed Technologies LiteSpeed Cache litespeed-cache version 1.9 through 6.3.0.1 allows Privilege Escalation via Incorrect Privilege Assignment vulnerability.

CVE-2024-40453 - squirrellyjs squirrelly v9.0.0 and fixed in v.9.0.1 was discovered to contain a code injection vulnerability via the component options.varName.

CVE-2024-42777 - Kashipara Music Management System v1.0 is vulnerable to an Unrestricted file upload vulnerability in "/music/ajax.php?action=signup", enabling attackers to execute arbitrary code by uploading a crafted PHP file.

CVE-2024-42781, CVE-2024-42782, & CVE-2024-42784 - Kashipara Music Management System v1.0 is vulnerable to SQL injection

CVE-2024-6386 - The WPML plugin for WordPress allows authenticated attackers with Contributor-level access and above to execute code on the server due to a Remote Code Execution vulnerability via Twig Server-Side Template Injection up to version 4.6.12.

CVE-2024-28987 - SolarWinds Web Help Desk (WHD) software is susceptible to a hardcoded credential flaw that enables unauthorized users to access internal functions and change information.

CVE-2024-45163 - The Mirai botnet vulnerability on 2024-08-19 allows unauthenticated attackers to open simultaneous TCP connections to the CNC server, leading to resource consumption.

CVE-2024-45169 - UCI IDOL 2 (aka uciIDOL or IDOL2) through 2.12 is vulnerable to DoS attacks and potential remote code execution due to improper input validation and deserialization

CVE-2024-45168 - UCI IDOL 2 (aka uciIDOL or IDOL2) through 2.12 transfers data over a raw socket without authentication, making communication endpoints unverifiable.

CVE-2024-36439 - Swissphone DiCal-RED 4009 devices can be compromised by a remote attacker who can access the administrative web interface using the device password's hash value.

CVE-2024-36445 - Swissphone DiCal-RED 4009 devices allow a remote attacker to gain a root shell via TELNET without authentication.

CVE-2023-6452 - Forcepoint Web Security (Transaction Viewer) before version 8.5.6 is vulnerable to Stored Cross-Site Scripting (XSS) attacks, allowing unauthorized users to execute malicious scripts in the browser context of administrators.

CVE-2024-45191 - Matrix libolm (aka Olm) through 3.2.16 is vulnerable to cache-timing attacks due to use of S-boxes in its AES implementation, affecting only unsupported products.

CVE-2024-42775 - Kashipara Hotel Management System v1.0 is vulnerable to unauthorized access in the administrator section, allowing attackers to add valid hotel room entries via direct URL access.

CVE-2024-8081 - itsourcecode Payroll Management System 1.0 is vulnerable to a critical SQL injection flaw in the login.php file, allowing remote attackers to exploit the username argument and potentially compromise the system.

CVE-2024-8086 & CVE-2024-8087 - SourceCodester E-Commerce System 1.0 critical sql injection vulnerabilities

CVE-2024-8089 - SourceCodester E-Commerce System 1.0 is vulnerable to an unrestricted file upload exploit in controller.php allowing remote attackers to launch attacks.

CVE-2024-42764 - Kashipara Bus Ticket Reservation System v1.0 is vulnerable to Cross Site Request Forgery (CSRF) via /deleteTicket.php.

CVE-2024-42765 - Kashipara Bus Ticket Reservation System v1.0 is vulnerable to SQL injection through "/login.php" allowing remote attackers to execute arbitrary SQL commands and bypass the Login using "email" or "password" parameters.

CVE-2024-44381 & CVE-2024-44382 - D-Link DI_8004W 16.07.26A1 contains command execution vulnerabilities

CVE-2024-32501, CVE-2024-33852 through CVE-2024-33854 - Centreon Web versions 24.04.x before 24.04.3, 23.10.x before 23.10.13, 23.04.x before 23.04.19, and 22.10.x before 22.10.23 are susceptible to SQL Injection vulnerabilities

CVE-2024-42531 - Ezviz Internet PT Camera CS-CV246 D15655150 is vulnerable to unauthorized access via crafted RTSP packets allowing an unauthenticated host to view its live video stream.

CVE-2024-7954 - SPIP's porte_plume plugin is vulnerable to an arbitrary code execution vulnerability, allowing remote attackers to execute PHP as the SPIP user via a crafted HTTP request.

CVE-2024-42914 - ArrowCMS version 1.0.0 is vulnerable to a host header injection flaw in its forgot password feature, allowing attackers to reset passwords and intercept password reset tokens.

CVE-2024-7568 - The Favicon Generator plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to 1.5, allowing unauthenticated attackers to delete arbitrary files on the server by tricking a site administrator into clicking on a forged link.

CVE-2024-8127 through CVE-2024-8134 - Multiple D-Link models are vulnerable to remote command injection

CVE-2024-8135 - Go-Tribe has a critical vulnerability in the Sign function in pkg/token/token.go, allowing manipulation of config.key to expose hard-coded credentials.

CVE-2024-45237 - Fort before 1.6.3 is vulnerable to a buffer overflow when reading a resource certificate with a Key Usage extension containing more than two bytes of data from a malicious RPKI repository.

CVE-2024-8138 - Pharmacy Management System 1.0 is vulnerable to a critical sql injection in the editManager function of the Parameter Handler component, allowing remote attackers to launch attacks with no available updates due to continuous delivery with rolling releases.

CVE-2024-45258 - The req package for Go before 3.43.4 may unintentionally send a request with a malformed URL due to a "garbage in, garbage out" design flaw in cleanHost.

CVE-2024-8073 - Hillstone Networks Web Application Firewall on 5.5R6 is susceptible to Command Injection due to improper input validation, impacting versions 5.5R6-2.6.7 through 5.5R6-2.8.13.

CVE-2024-8161 - ATISolutions CIGES before version 2.15.5 is vulnerable to SQL injection, allowing an attacker to access database information through /modules/ajaxServiciosCentro.php.

CVE-2024-44549, CVE-2024-44550 through CVE-2024-44553, CVE-2024-44555 through CVE-2024-44558, CVE-2024-44563, CVE-2024-44565 - Tenda AX1806 v1.0.0.1 contains stack overflow vulnerabilities

CVE-2024-8162 - TOTOLINK T10 AC1200 4.1.8cu.5207 has a critical vulnerability in Telnet Service allowing for remote attackers to access hard-coded credentials.

CVE-2024-7988 - Rockwell Automation ThinManager® ThinServer™ is vulnerable to remote code execution, enabling threat actors to execute arbitrary code with System privileges by overwriting files due to improper data input validation.

CVE-2024-8167 - Job Portal 1.0 is vulnerable to a critical SQL injection via the /forget.php file, allowing for remote attacks and public exploitation.

CVE-2024-8168 - Online Bus Reservation Site 1.0 is susceptible to a critical sql injection vulnerability in the login.php file, allowing for remote attackers to exploit the Username argument.

CVE-2024-8169 - Online Quiz Site 1.0 is susceptible to a critical SQL injection vulnerability in the file signupuser.php due to manipulation of the argument lid, allowing for remote attacks with a disclosed exploit.

CVE-2024-41285 - FAST FW300R v1.3.13 Build 141023 Rel.61347n is vulnerable to a stack overflow, enabling attackers to execute arbitrary code or initiate a Denial of Service (DoS) attack by manipulating a file path.

CVE-2024-8170 - SourceCodester Zipped Folder Manager App 1.0 is vulnerable to unrestricted upload through manipulation of the argument "folder" in /endpoint/add-folder.php, allowing for remote attacks following public disclosure of the exploit.

CVE-2024-8171 - Itsourcecode Tailoring Management System 1.0 is susceptible to a critical SQL injection vulnerability in the file staffcatedit.php, allowing for remote attacks.

CVE-2024-41444 - SeaCMS v12.9 has a SQL injection vulnerability in the key parameter of /js/player/dmplayer/dmku/index.php?ac=so.

CVE-2024-45265 - SkySystem Arfa-CMS before 5.1.3124 is vulnerable to SQL injection via the psid parameter in the poll component, allowing remote attackers to execute arbitrary SQL commands.

CVE-2024-45321 - The App::cpanminus package through 1.7047 for Perl downloads code via insecure HTTP, enabling code execution for network attackers.

CVE-2024-4577 - PHP versions 8.1., 8.2., and 8.3.* on Windows using Apache and PHP-CGI are vulnerable to character substitution leading to potential source code exposure and arbitrary code execution.