Weekly Vulnerabilities Reports > May 6 to 12, 2024

Overview

25 new vulnerabilities reported during this period, including 3 critical vulnerabilities and 11 high severity vulnerabilities. This weekly summary report vulnerabilities in 0 products from 0 vendors including . Vulnerabilities are notably categorized as "Use After Free", and "Out-of-bounds Write".

9 reported vulnerabilities are remotely exploitables.
15 reported vulnerabilities are exploitable by an anonymous user.

TOTAL
VULNERABILITIES

CRITICAL RISK
VULNERABILITIES

HIGH RISK
VULNERABILITIES

MEDIUM RISK
VULNERABILITIES

LOW RISK
VULNERABILITIES

REMOTELY
EXPLOITABLE

LOCALLY
EXPLOITABLE

EXPLOIT
AVAILABLE

EXPLOITABLE
ANONYMOUSLY

AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

3 Critical Vulnerabilities

DATE	CVE	VULNERABILITY	CVSS
2024-05-08	CVE-2024-4393	The Social Connect plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.2.	9.8
2024-05-07	CVE-2024-4186	The Build App Online plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.0.5.	9.8
2024-05-07	CVE-2024-4346	The Startklar Elementor Addons plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 1.7.13.	9.1

Expand/Hide

11 High Vulnerabilities

DATE	CVE	VULNERABILITY	CVSS
2024-05-06	CVE-2023-33119	Memory corruption while loading a VM from a signed VM image that is not coherent in the processor cache.	8.4
2024-05-06	CVE-2023-43531	Memory corruption while verifying the serialized header when the key pairs are generated.	8.4
2024-05-06	CVE-2024-21471	Memory corruption when IOMMU unmap of a GPU buffer fails in Linux.	8.4
2024-05-06	CVE-2024-21474	Memory corruption when size of buffer from previous call is used without validation or re-initialization.	8.4
2024-05-06	CVE-2024-23351	Memory corruption as GPU registers beyond the last protected range can be accessed through LPAC submissions.	8.4
2024-05-06	CVE-2024-23354	Memory corruption when the IOCTL call is interrupted by a signal.	8.4
2024-05-06	CVE-2024-21475	Memory corruption when the payload received from firmware is not as per the expected protocol size.	7.8
2024-05-06	CVE-2024-21476	Memory corruption when the channel ID passed by user is not validated and further used.	7.8
2024-05-06	CVE-2023-49675	An unauthenticated local attacker may trick a user to open corrupted project files to execute arbitrary code or crash the system due to an out-of-bounds write vulnerability.	7.8
2024-05-06	CVE-2023-43529	Transient DOS while processing IKEv2 Informational request messages, when a malformed fragment packet is received.	7.5
2024-05-06	CVE-2024-21480	Memory corruption while playing audio file having large-sized input buffer.	7.3

Expand/Hide

11 Medium Vulnerabilities

DATE	CVE	VULNERABILITY	CVSS
2024-05-06	CVE-2023-43527	Information disclosure while parsing dts header atom in Video.	6.8
2024-05-06	CVE-2023-43521	Memory corruption when multiple listeners are being registered with the same file descriptor.	6.7
2024-05-06	CVE-2023-43524	Memory corruption when the bandpass filter order received from AHAL is not within the expected range.	6.7
2024-05-06	CVE-2023-43525	Memory corruption while copying the sound model data from user to kernel buffer during sound model register.	6.7
2024-05-08	CVE-2024-4281	The Link Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'link-library' shortcode in all versions up to, and including, 7.6.11 due to insufficient input sanitization and output escaping on user supplied attributes.	6.4
2024-05-08	CVE-2024-3494	The Mesmerize Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mesmerize_contact_form' shortcode in all versions up to, and including, 1.6.148 due to insufficient input sanitization and output escaping on user supplied attributes.	6.4
2024-05-06	CVE-2023-43528	Information disclosure when the ADSP payload size received in HLOS in response to Audio Stream Manager matrix session is less than this expected size.	6.1
2024-05-06	CVE-2023-43530	Memory corruption in HLOS while checking for the storage type.	5.9
2024-05-06	CVE-2023-49676	An unauthenticated local attacker may trick a user to open corrupted project files to crash the system due to use after free vulnerability.	5.5
2024-05-08	CVE-2024-4135	The WP Latest Posts plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.0.7.	5.4
2024-05-07	CVE-2023-6810	The ClickCease Click Fraud Protection plugin for WordPress is vulnerable to unauthorized access of data due to an improper capability check on the get_settings function in all versions up to, and including, 3.2.4.	4.3

Expand/Hide

0 Low Vulnerabilities

DATE	CVE	VENDOR	VULNERABILITY	CVSS