Date | CVE | Vendor | Description | CVSS |
2024-06-24 | CVE-2024-6285 | Renesas | Integer Underflow (Wrap or Wraparound) vulnerability in Renesas Rcar Gen3 V2.5 arm-trusted-firmware. An integer underflow in the image range check calculations could allow an attacker to bypass address restrictions and load images to disallowed addresses. | 6.7 |
2024-06-27 | CVE-2024-1493 | Gitlab | Unspecified vulnerability in Gitlab An issue was discovered in GitLab CE/EE affecting all versions starting from 9.2 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, where the processing logic for generating links in dependency files can lead to a regular expression DoS (ReDoS) attack on the server. | 6.5 |
2024-06-27 | CVE-2024-3959 | Gitlab | Unspecified vulnerability in Gitlab An issue was discovered in GitLab CE/EE affecting all versions starting from 16.7 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows private job artifacts to be accessed by any user. | 6.5 |
2024-06-27 | CVE-2024-4557 | Gitlab | Resource Exhaustion vulnerability in Gitlab Multiple Denial of Service (DoS) conditions have been discovered in GitLab CE/EE affecting all versions starting from 1.0 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allowed an attacker to cause resource exhaustion via the banzai pipeline. | 6.5 |
2024-06-24 | CVE-2021-45785 | Trudesk Project | Cross-Site Request Forgery (CSRF) vulnerability in Trudesk Project Trudesk 1.1.11 TruDesk Help Desk/Ticketing Solution v1.1.11 is vulnerable to a Cross-Site Request Forgery (CSRF) attack which would allow an attacker to restart the server, causing a DoS attack. | 6.5 |
2024-06-24 | CVE-2023-49793 | Ericsson | Path Traversal vulnerability in Ericsson Codechecker CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. | 6.5 |
2024-06-29 | CVE-2024-5819 | | The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to DOM-based Stored Cross-Site Scripting via HTML data attributes in all versions up to, and including, 3.2.45 due to insufficient input sanitization and output escaping on user supplied attributes. | 6.4 |
2024-06-29 | CVE-2024-5666 | | The Extensions for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter within the EE Button widget in all versions up to, and including, 2.0.30 due to insufficient input sanitization and output escaping. | 6.4 |
2024-06-29 | CVE-2024-5790 | | The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ attribute within the plugin's Gradient Heading widget in all versions up to, and including, 3.11.1 due to insufficient input sanitization and output escaping. | 6.4 |
2024-06-29 | CVE-2024-6363 | | The Stock Ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's stock_ticker shortcode in all versions up to, and including, 3.24.4 due to insufficient input sanitization and output escaping on user supplied attributes. | 6.4 |
2024-06-28 | CVE-2024-5424 | | The Gallery Blocks with Lightbox. | 6.4 |
2024-06-28 | CVE-2024-5662 | | The Ultimate Post Kit Addons For Elementor – (Post Grid, Post Carousel, Post Slider, Category List, Post Tabs, Timeline, Post Ticker, Tag Cloud) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter within the Social Count (Static) widget in all versions up to, and including, 3.11.7 due to insufficient input sanitization and output escaping. | 6.4 |
2024-06-28 | CVE-2024-5922 | | The Scylla lite theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter within the theme's Button shortcode in all versions up to, and including, 1.8.3 due to insufficient input sanitization and output escaping. | 6.4 |
2024-06-28 | CVE-2024-5925 | | The Theron Lite theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter within the theme's Button shortcode in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping. | 6.4 |
2024-06-28 | CVE-2024-5788 | | The Silesia theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘link’ attribute within the theme's Button shortcode in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping. | 6.4 |
2024-06-28 | CVE-2024-6296 | | The Stackable – Page Builder Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘data-caption’ parameter in all versions up to, and including, 3.13.1 due to insufficient input sanitization and output escaping. | 6.4 |
2024-06-27 | CVE-2024-6262 | | The Portfolio Gallery – Image Gallery Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'PFG' shortcode in all versions up to, and including, 1.6.4 due to insufficient input sanitization and output escaping on user supplied attributes. | 6.4 |
2024-06-27 | CVE-2024-4983 | | The The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘video_color’ parameter in all versions up to, and including, 5.6.0 due to insufficient input sanitization and output escaping. | 6.4 |
2024-06-26 | CVE-2024-5215 | | The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 2.5.5 due to insufficient input sanitization and output escaping on user supplied attributes. | 6.4 |
2024-06-26 | CVE-2024-5332 | | The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Card widget in all versions up to, and including, 2.6.9.8 due to insufficient input sanitization and output escaping on user supplied attributes. | 6.4 |
2024-06-26 | CVE-2024-5173 | | The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Video player widget settings in all versions up to, and including, 2.5.5 due to insufficient input sanitization and output escaping on user supplied attributes. | 6.4 |
2024-06-25 | CVE-2024-5451 | | The The7 — Website and eCommerce Builder for WordPress theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'url' attribute within the plugin's Icon and Heading widgets in all versions up to, and including, 11.13.0 due to insufficient input sanitization and output escaping on user supplied attributes. | 6.4 |
2024-06-25 | CVE-2024-6307 | | WordPress Core is vulnerable to Stored Cross-Site Scripting via the HTML API in various versions prior to 6.5.5 due to insufficient input sanitization and output escaping on URLs. | 6.4 |
2024-06-29 | CVE-2023-4017 | | The Goya theme for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘attra-color’, 'attra-size', and 'product-cata' parameters in versions up to, and including, 1.0.8.7 due to insufficient input sanitization and output escaping. | 6.1 |
2024-06-29 | CVE-2024-5889 | | The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘country’ parameter in all versions up to, and including, 6.4.8 due to insufficient input sanitization and output escaping. | 6.1 |
2024-06-29 | CVE-2024-6405 | | The Floating Social Buttons plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5. | 6.1 |
2024-06-28 | CVE-2024-3800 | Conceptintermedia | Cross-site Scripting vulnerability in Conceptintermedia S@M CMS Sites managed in S@M CMS (Concept Intermedia) might be vulnerable to Reflected XSS via scripts included in requested file names. Only some of the observed services are vulnerable, but since the vendor has not investigated the root cause, it is hard to determine when the issue appears. | 6.1 |
2024-06-28 | CVE-2024-3801 | Conceptintermedia | Cross-site Scripting vulnerability in Conceptintermedia S@M CMS Sites managed in S@M CMS (Concept Intermedia) might be vulnerable to Reflected XSS via scripts included in one of the GET parameters. Only some of the observed services are vulnerable, but since the vendor has not investigated the root cause, it is hard to determine when the issue appears. | 6.1 |
2024-06-28 | CVE-2024-5737 | Admiror Design Studio | Cross-site Scripting vulnerability in Admiror-Design-Studio Admirorframes The afGdStream.php script in the AdmirorFrames Joomla! extension doesn't specify a content type, so the default (text/html) is used. | 6.1 |
2024-06-27 | CVE-2024-4704 | Rocklobster | Open Redirect vulnerability in Rocklobster Contact Form 7 The Contact Form 7 WordPress plugin before 5.9.5 has an open redirect that allows an attacker to supply a crafted URL and redirect users to a URL of their choosing. | 6.1 |
2024-06-26 | CVE-2024-4604 | | URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Magarsus Consultancy SSO (Single Sign On) allows Manipulating Hidden Fields. This issue affects SSO (Single Sign On): from 1.0 before 1.1. | 6.1 |
2024-06-24 | CVE-2024-37679 | Finesoft Project | Cross-site Scripting vulnerability in Finesoft Project Finesoft Cross Site Scripting vulnerability in Hangzhou Meisoft Information Technology Co., Ltd. | 6.1 |
2024-06-24 | CVE-2024-37680 | Finesoft Project | Cross-site Scripting vulnerability in Finesoft Project Finesoft Hangzhou Meisoft Information Technology Co., Ltd. | 6.1 |
2024-06-24 | CVE-2024-37732 | Anchorcms | Cross-site Scripting vulnerability in Anchorcms Anchor CMS 0.12.7 Cross Site Scripting vulnerability in Anchor CMS v.0.12.7 allows a remote attacker to execute arbitrary code via a crafted .pdf file. | 6.1 |
2024-06-27 | CVE-2024-1816 | Gitlab | Unspecified vulnerability in Gitlab An issue was discovered in GitLab CE/EE affecting all versions starting from 12.0 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows for an attacker to cause a denial of service using a crafted OpenAPI file. | 5.5 |
2024-06-24 | CVE-2024-6104 | Hashicorp | Information Exposure Through Log Files vulnerability in Hashicorp Retryablehttp go-retryablehttp prior to 0.7.7 did not sanitize URLs when writing them to its log file. | 5.5 |
2024-06-24 | CVE-2024-39292 | Linux | Double Free vulnerability in Linux Kernel In the Linux kernel, the following vulnerability has been resolved: um: Add winch to winch_handlers before registering winch IRQ Registering a winch IRQ is racy, an interrupt may occur before the winch is added to the winch_handlers list. If that happens, register_winch_irq() adds to that list a winch that is scheduled to be (or has already been) freed, causing a panic later in winch_cleanup(). Avoid the race by adding the winch to the winch_handlers list before registering the IRQ, and rolling back if um_request_irq() fails. | 5.5 |
2024-06-29 | CVE-2024-5942 | Carlosfazenda | Authorization Bypass Through User-Controlled Key vulnerability in Carlosfazenda Page and Post Clone The Page and Post Clone plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.0 via the 'content_clone' function due to missing validation on a user controlled key. | 5.4 |
2024-06-28 | CVE-2024-37741 | Openplcproject | Cross-site Scripting vulnerability in Openplcproject Openplc V3 Firmware OpenPLC 3 through 9cd8f1b allows XSS via an SVG document as a profile picture. | 5.4 |
2024-06-28 | CVE-2024-5863 | | The Easy Image Collage plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the ajax_image_collage() function in all versions up to, and including, 1.13.5. | 5.4 |
2024-06-27 | CVE-2024-5601 | Mediavine | Cross-site Scripting vulnerability in Mediavine Create The Create by Mediavine plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Schema Meta shortcode in all versions up to, and including, 1.9.7 due to insufficient input sanitization and output escaping on user supplied attributes. | 5.4 |
2024-06-27 | CVE-2024-3111 | H5P | Cross-site Scripting vulnerability in H5P The Interactive Content WordPress plugin before 1.15.8 does not validate uploads, which could allow users with the Contributor role and above to upload malicious SVG files, leading to Stored Cross-Site Scripting issues. | 5.4 |
2024-06-27 | CVE-2024-6283 | Detheme | Cross-site Scripting vulnerability in Detheme Dethemekit for Elementor The DethemeKit For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the URL parameter of the De Gallery widget in all versions up to and including 2.1.5 due to insufficient input sanitization and output escaping on user-supplied attributes. | 5.4 |
2024-06-27 | CVE-2024-4569 | Webtechstreet | Cross-site Scripting vulnerability in Webtechstreet Elementor Addon Elements The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in versions up to, and including, 1.13.5 due to insufficient input sanitization and output escaping. | 5.4 |
2024-06-27 | CVE-2024-4570 | Webtechstreet | Cross-site Scripting vulnerability in Webtechstreet Elementor Addon Elements The Elementor Addon Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in versions up to, and including, 1.13.5 due to insufficient input sanitization and output escaping. | 5.4 |
2024-06-27 | CVE-2024-5289 | Kadencewp | Cross-site Scripting vulnerability in Kadencewp Gutenberg Blocks With AI The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Google Maps widget parameters in all versions up to, and including, 3.2.42 due to insufficient input sanitization and output escaping. | 5.4 |
2024-06-27 | CVE-2024-4901 | Gitlab | Cross-site Scripting vulnerability in Gitlab An issue was discovered in GitLab CE/EE affecting all versions starting from 16.9 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, where a stored XSS vulnerability could be imported from a project with malicious commit notes. | 5.4 |
2024-06-25 | CVE-2024-34141 | | Adobe Experience Manager versions 6.5.20 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. | 5.4 |
2024-06-25 | CVE-2024-34142 | | Adobe Experience Manager versions 6.5.20 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. | 5.4 |
2024-06-24 | CVE-2024-4754 | | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Next4Biz CRM & BPM Software Business Process Management (BPM) allows Stored XSS. This issue affects Business Process Management (BPM): from 6.6.4.4 before 6.6.4.5. | 5.4 |
2024-06-28 | CVE-2024-2795 | | The SEO SIMPLE PACK plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 3.2.1 via META description. | 5.3 |
2024-06-27 | CVE-2024-2191 | Gitlab | Unspecified vulnerability in Gitlab An issue was discovered in GitLab CE/EE affecting all versions starting from 16.9 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows merge request title to be visible publicly despite being set as project members only. | 5.3 |
2024-06-24 | CVE-2024-33880 | Virtosoftware | Unspecified vulnerability in Virtosoftware Sharepoint Bulk File Download 5.5.44 An issue was discovered in VirtoSoftware Virto Bulk File Download 5.5.44 for SharePoint 2019. | 5.3 |
2024-06-24 | CVE-2024-33881 | Virtosoftware | Path Traversal vulnerability in Virtosoftware Sharepoint Bulk File Download 5.5.44 An issue was discovered in VirtoSoftware Virto Bulk File Download 5.5.44 for SharePoint 2019. | 5.3 |
2024-06-24 | CVE-2024-3264 | | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Mia Technology Inc. | 5.3 |
2024-06-27 | CVE-2024-5430 | Gitlab | Unspecified vulnerability in Gitlab An issue was discovered in GitLab CE/EE affecting all versions starting from 16.10 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows a project maintainer to delete the merge request approval policy via GraphQL. | 4.9 |
2024-06-27 | CVE-2024-4664 | Ninjateam | Cross-site Scripting vulnerability in Ninjateam WP Chat APP The WP Chat App WordPress plugin before 3.6.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admins to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. | 4.8 |
2024-06-28 | CVE-2024-6288 | | The Conversios – Google Analytics 4 (GA4), Meta Pixel & more Via Google Tag Manager For WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘tiktok_user_id’ parameter in all versions up to, and including, 7.0.12 due to insufficient input sanitization and output escaping. | 4.7 |
2024-06-28 | CVE-2024-5864 | | The Easy Affiliate Links plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the eafl_reset_settings AJAX action in all versions up to, and including, 3.7.3. | 4.3 |
2024-06-27 | CVE-2024-1153 | | Improper Access Control vulnerability in Talya Informatics Travel APPS allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Travel APPS: before v17.0.68. | 4.3 |
2024-06-27 | CVE-2024-1330 | Kadencewp | Unspecified vulnerability in Kadencewp Kadence Blocks PRO The kadence-blocks-pro WordPress plugin before 2.3.8 does not prevent users with at least the contributor role from using some of its shortcode functionality to leak arbitrary options from the database. | 4.3 |
2024-06-27 | CVE-2024-3115 | Gitlab | Missing Authorization vulnerability in Gitlab An issue was discovered in GitLab EE affecting all versions starting from 16.0 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows an attacker to access issues and epics without having an SSO session using Duo Chat. | 4.3 |
2024-06-27 | CVE-2024-4011 | Gitlab | Incorrect Authorization vulnerability in Gitlab An issue was discovered in GitLab CE/EE affecting all versions starting from 16.1 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows a non-project member to promote key results to objectives. | 4.3 |
2024-06-25 | CVE-2024-3249 | | The Zita Elementor Site Library plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the import_xml_data, xml_data_import, import_option_data, import_widgets, and import_customizer_settings functions in all versions up to, and including, 1.6.2. | 4.3 |
2024-06-24 | CVE-2024-38369 | Xwiki | Incorrect Authorization vulnerability in Xwiki XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. | 4.3 |
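The Renesas arm-trusted-firmware entry (CVE-2024-6285) describes an integer underflow in an image range check that lets an image be loaded outside the permitted window. The following C program is an added illustration of that bug class, not the Renesas or TF-A code: the load window constants, the function names and the test addresses are all hypothetical. It puts the vulnerable subtraction-based check beside a hardened one that validates both ends of the window before doing any arithmetic.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical permitted load window for a firmware image. These values are
 * illustrative only, not the real R-Car Gen3 memory map. */
#define LOAD_BASE 0x40000000u
#define LOAD_SIZE 0x04000000u              /* 64 MiB */
#define LOAD_END  (LOAD_BASE + LOAD_SIZE)  /* exclusive upper bound */

/* Vulnerable pattern: the lower bound is checked, but the remaining space is
 * computed as LOAD_END - dst in unsigned arithmetic. When dst lies above
 * LOAD_END the subtraction underflows and wraps to a huge value, so any
 * length passes and the image may be loaded outside the window. */
bool range_check_vulnerable(uint32_t dst, uint32_t len)
{
    if (dst < LOAD_BASE)
        return false;
    uint32_t space = LOAD_END - dst;   /* wraps when dst > LOAD_END */
    return len <= space;
}

/* Hardened pattern: reject empty images, check both ends of the window before
 * doing any arithmetic, and only then compute the remaining space. Because
 * LOAD_BASE <= dst < LOAD_END holds at that point, LOAD_END - dst cannot
 * wrap, and dst + len is never evaluated, so it cannot overflow either. */
bool range_check_hardened(uint32_t dst, uint32_t len)
{
    if (len == 0)
        return false;
    if (dst < LOAD_BASE || dst >= LOAD_END)
        return false;
    return len <= LOAD_END - dst;
}

int main(void)
{
    /* Constructed test cases: {dst, len, expected verdict}. */
    struct { uint32_t dst, len; bool ok; } cases[] = {
        { LOAD_BASE,            0x1000u,     true  },  /* start of window   */
        { LOAD_END - 0x1000u,   0x1000u,     true  },  /* exactly fits      */
        { LOAD_END - 0x1000u,   0x1001u,     false },  /* one byte too long */
        { LOAD_BASE - 0x1000u,  0x1000u,     false },  /* below the window  */
        { LOAD_END + 0x100000u, 0x1000u,     false },  /* above: underflow  */
        { LOAD_BASE,            0xFFFFFFFFu, false },  /* absurd length     */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        bool v = range_check_vulnerable(cases[i].dst, cases[i].len);
        bool h = range_check_hardened(cases[i].dst, cases[i].len);
        printf("dst=0x%08x len=0x%08x vulnerable=%d hardened=%d expected=%d%s\n",
               cases[i].dst, cases[i].len, v, h, cases[i].ok,
               v != cases[i].ok ? "  <-- vulnerable check accepts it" : "");
    }
    return 0;
}
```

The fifth case is the interesting one: a destination 1 MiB above the window makes `LOAD_END - dst` wrap to 0xFFF00000, so the vulnerable check accepts a 4 KiB image there. The general rule is to compare addresses against both window bounds first and to compute lengths only from values already proven to be inside the window; any check that forms `end - start` or `start + len` on untrusted inputs needs an explicit wrap guard.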
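The Linux UML entry (CVE-2024-39292) is an ordering bug: the winch IRQ was registered before the winch was on the winch_handlers list, so an interrupt in that window found no handler and a freed winch was later dereferenced. The program below is an added user-space model of that ordering and of the fix (add to the list first, request the IRQ, unlink on failure); it is not kernel code. It reuses the kernel's names (winch, winch_handlers, register_winch_irq, um_request_irq) for readability, but the fake um_request_irq fires the interrupt synchronously to force the worst-case interleaving, and the fail flag is an assumed way of modelling an error from the IRQ core.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* User-space model of winch registration ordering. Names follow the kernel
 * but this is a simulation with a synchronous fake IRQ, not kernel code. */
struct winch {
    int fd;
    struct winch *next;
};

static struct winch *winch_handlers;   /* head of the registered-handler list */

/* The IRQ handler's lookup: find the winch for fd. In the kernel a missing
 * entry is the race window in which a soon-to-be-freed winch is touched. */
static struct winch *winch_lookup(int fd)
{
    for (struct winch *w = winch_handlers; w; w = w->next)
        if (w->fd == fd)
            return w;
    return NULL;
}

/* Fake um_request_irq: fires the interrupt immediately, before returning,
 * and records in *found whether the handler could find its winch. The fail
 * flag is an assumed way of modelling an error from the IRQ core. */
static int um_request_irq(int fd, bool fail, bool *found)
{
    if (fail)
        return -1;
    *found = winch_lookup(fd) != NULL;
    return 0;
}

static void list_add(struct winch *w)
{
    w->next = winch_handlers;
    winch_handlers = w;
}

static void list_del(struct winch *w)
{
    for (struct winch **pp = &winch_handlers; *pp; pp = &(*pp)->next)
        if (*pp == w) {
            *pp = w->next;
            return;
        }
}

/* Buggy order: request the IRQ first, add to the list afterwards. An
 * interrupt in between finds no handler. Returns true only if the handler
 * found its winch when the simulated interrupt fired. */
bool register_winch_irq_buggy(int fd, bool fail)
{
    bool found = false;
    struct winch *w = calloc(1, sizeof *w);
    if (!w)
        return false;
    w->fd = fd;
    if (um_request_irq(fd, fail, &found) < 0) {
        free(w);
        return false;
    }
    list_add(w);
    return found;
}

/* Fixed order: add to the list first, then request the IRQ, and unlink again
 * if the request fails so no dangling entry is left behind. */
bool register_winch_irq_fixed(int fd, bool fail)
{
    bool found = false;
    struct winch *w = calloc(1, sizeof *w);
    if (!w)
        return false;
    w->fd = fd;
    list_add(w);
    if (um_request_irq(fd, fail, &found) < 0) {
        list_del(w);
        free(w);
        return false;
    }
    return found;
}

/* Is an entry for fd currently on the list? Used to check the rollback. */
bool winch_registered(int fd)
{
    return winch_lookup(fd) != NULL;
}

int main(void)
{
    printf("buggy order, irq fires early: handler found winch = %d\n",
           register_winch_irq_buggy(3, false));
    printf("fixed order, irq fires early: handler found winch = %d\n",
           register_winch_irq_fixed(4, false));
    printf("fixed order, request fails:   registered after = %d\n",
           (register_winch_irq_fixed(5, true), winch_registered(5)));
    return 0;
}
```

With the buggy order the simulated early interrupt reports no handler, which is the path that ends in the winch_cleanup() panic the advisory describes; with the fixed order it is found, and a failed request leaves no stale entry on the list. The rollback is the part that is easy to forget when reordering: publishing an object before the operation that makes it live means every failure path after that point must unpublish it again.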