The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2024-3893 | The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the rtcl_fb_gallery_image_delete AJAX action in all versions up to, and including, 3.0.10.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary attachements. | -- | Apr 25, 2024 |
| CVE-2024-3733 | The Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 5.9.15 via the ajax_load_more() , eael_woo_pagination_product_ajax(), and ajax_eael_product_gallery() functions. This makes it possible for unauthenticated attackers to extract posts that may be in private or draft status. | -- | Apr 25, 2024 |
| CVE-2024-3730 | The Simple Membership plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\'s \'swpm_paypal_subscription_cancel_link\' shortcode in all versions up to, and including, 4.4.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | -- | Apr 25, 2024 |
| CVE-2024-3625 | A flaw was found in Quay, where Quay\'s database is stored in plain text in mirror-registry on Jinja\'s config.yaml file. This issue leaves the possibility of a malicious actor with access to this file to gain access to Quay\'s Redis instance. | -- | Apr 25, 2024 |
| CVE-2024-3624 | A flaw was found in how Quay\'s database is stored in plain-text in mirror-registry on the jinja\'s config.yaml file. This flaw allows a malicious actor with access to this file to gain access to Quay\'s database. | -- | Apr 25, 2024 |
| CVE-2024-3623 | A flaw was found when using mirror-registry to install Quay. It uses a default database secret key, which is stored in plain-text format in one of the configuration template files. This issue may lead to all instances of Quay deployed using mirror-registry to have the same database secret key. This flaw allows a malicious actor to access sensitive information from Quay\'s database. | -- | Apr 25, 2024 |
| CVE-2024-3622 | A flaw was found when using mirror-registry to install Quay. It uses a default secret, which is stored in plain-text format in one of the configuration template files. This issue may lead to all instances of Quay deployed using mirror-registry to have the same secret key. This flaw allows a malicious actor to craft session cookies and as a consequence, it may lead to gaining access to the affected Quay instance. | -- | Apr 25, 2024 |
| CVE-2024-3265 | The Advanced Search WordPress plugin through 1.1.6 does not properly escape parameters appended to an SQL query, making it possible for users with the administrator role to conduct SQL Injection attacks in the context of a multisite WordPress configurations. | -- | Apr 25, 2024 |
| CVE-2024-2907 | The AGCA WordPress plugin before 7.2.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | -- | Apr 25, 2024 |
| CVE-2024-2905 | A security vulnerability has been discovered within rpm-ostree, pertaining to the /etc/shadow file in default builds having the world-readable bit enabled. This issue arises from the default permissions being set at a higher level than recommended, potentially exposing sensitive authentication data to unauthorized access. | -- | Apr 25, 2024 |
| CVE-2024-2829 | An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.5 before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1. A crafted wildcard filter in FileFinder may lead to a denial of service. | -- | Apr 25, 2024 |
| CVE-2024-2434 | An issue has been discovered in GitLab affecting all versions of GitLab CE/EE 16.9 prior to 16.9.6, 16.10 prior to 16.10.4, and 16.11 prior to 16.11.1 where path traversal could lead to DoS and restricted file read. | -- | Apr 25, 2024 |
| CVE-2024-1726 | A flaw was discovered in the RESTEasy Reactive implementation in Quarkus. Due to security checks for some JAX-RS endpoints being performed after serialization, more processing resources are consumed while the HTTP request is checked. In certain configurations, if an attacker has knowledge of any POST, PUT, or PATCH request paths, they can potentially identify vulnerable endpoints and trigger excessive resource usage as the endpoints process the requests. This can result in a denial of service. | -- | Apr 25, 2024 |
| CVE-2024-1657 | A flaw was found in the ansible automation platform. An insecure WebSocket connection was being used in installation from the Ansible rulebook EDA server. An attacker that has access to any machine in the CIDR block could download all rulebook data from the WebSocket, resulting in loss of confidentiality and integrity of the system. | -- | Apr 25, 2024 |
| CVE-2024-1347 | An issue has been discovered in GitLab CE/EE affecting all versions before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1. Under certain conditions, an attacker through a crafted email address may be able to bypass domain based restrictions on an instance or a group. | -- | Apr 25, 2024 |
| CVE-2024-1139 | A credentials leak vulnerability was found in the cluster monitoring operator in OCP. This issue may allow a remote attacker who has basic login credentials to check the pod manifest to discover a repository pull secret. | -- | Apr 25, 2024 |
| CVE-2024-1102 | A vulnerability was found in jberet-core logging. An exception in \'dbProperties\' might display user credentials such as the username and password for the database-connection. | -- | Apr 25, 2024 |
| CVE-2024-0916 | Unauthenticated file upload allows remote code execution. This issue affects UvDesk Community: from 1.0.0 through 1.1.3. | -- | Apr 25, 2024 |
| CVE-2024-0874 | A flaw was found in coredns. This issue could lead to invalid cache entries returning due to incorrectly implemented caching. | -- | Apr 25, 2024 |
| CVE-2024-0151 | Insufficient argument checking in Secure state Entry functions in software using Cortex-M Security Extensions (CMSE), that has been compiled using toolchains that implement \'Arm v8-M Security Extensions Requirements on Development Tools\' prior to version 1.4, allows an attacker to pass values to Secure state that are out of range for types smaller than 32-bits. Out of range values might lead to incorrect operations in secure state. | LOW | Apr 25, 2024 |
| CVE-2023-52220 | Missing Authorization vulnerability in MonsterInsights Google Analytics by Monster Insights.This issue affects Google Analytics by Monster Insights: from n/a through 8.21.0. | -- | Apr 25, 2024 |
| CVE-2023-51484 | Improper Authentication vulnerability in wp-buy Login as User or Customer (User Switching) allows Privilege Escalation.This issue affects Login as User or Customer (User Switching): from n/a through 3.8. | -- | Apr 25, 2024 |
| CVE-2023-51482 | Improper Authentication vulnerability in EazyPlugins Eazy Plugin Manager allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Eazy Plugin Manager: from n/a through 4.1.2. | -- | Apr 25, 2024 |
| CVE-2023-51478 | Improper Authentication vulnerability in Abdul Hakeem Build App Online allows Privilege Escalation.This issue affects Build App Online: from n/a through 1.0.19. | -- | Apr 25, 2024 |
| CVE-2023-20249 | A vulnerability in the web-based management interface of Cisco TelePresence Management Suite (TMS) Software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability is due to insufficient input validation by the web-based management interface. An attacker could exploit this vulnerability by inserting malicious data in a specific data field in the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. | -- | Apr 25, 2024 |
| CVE-2023-20248 | A vulnerability in the web-based management interface of Cisco TelePresence Management Suite (TMS) Software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability is due to insufficient input validation by the web-based management interface. An attacker could exploit this vulnerability by inserting malicious data in a specific data field in the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. | -- | Apr 25, 2024 |
| CVE-2023-6787 | A flaw was found in Keycloak that occurs from an error in the re-authentication mechanism within org.keycloak.authentication. This flaw allows hijacking an active Keycloak session by triggering a new authentication process with the query parameter prompt=login, prompting the user to re-enter their credentials. If the user cancels this re-authentication by selecting Restart login, an account takeover may occur, as the new session, with a different SUB, will possess the same SID as the previous session. | -- | Apr 25, 2024 |
| CVE-2023-6717 | A flaw was found in the SAML client registration in Keycloak that could allow an administrator to register malicious JavaScript URIs as Assertion Consumer Service POST Binding URLs (ACS), posing a Cross-Site Scripting (XSS) risk. This issue may allow a malicious admin in one realm or a client with registration access to target users in different realms or applications, executing arbitrary JavaScript in their contexts upon form submission. This can enable unauthorized access and harmful actions, compromising the confidentiality, integrity, and availability of the complete KC instance. | -- | Apr 25, 2024 |
| CVE-2023-6596 | An incomplete fix was shipped for the Rapid Reset (CVE-2023-44487/CVE-2023-39325) vulnerability for an OpenShift Containers. | -- | Apr 25, 2024 |
| CVE-2023-6544 | A flaw was found in the Keycloak package. This issue occurs due to a permissive regular expression hardcoded for filtering which allows hosts to register a dynamic client. A malicious user with enough information about the environment could jeopardize an environment with this specific Dynamic Client Registration and TrustedDomain configuration previously unauthorized. | -- | Apr 25, 2024 |
| CVE-2023-6484 | A log injection flaw was found in Keycloak. A text string may be injected through the authentication form when using the WebAuthn authentication mode. This issue may have a minor impact to the logs integrity. | -- | Apr 25, 2024 |
| CVE-2023-5675 | A flaw was found in Quarkus. When a Quarkus RestEasy Classic or Reactive JAX-RS endpoint has its methods declared in the abstract Java class or customized by Quarkus extensions using the annotation processor, the authorization of these methods will not be enforced if it is enabled by either \'quarkus.security.jaxrs.deny-unannotated-endpoints\' or \'quarkus.security.jaxrs.default-roles-allowed\' properties. | -- | Apr 25, 2024 |
| CVE-2023-3597 | A flaw was found in Keycloak, where it does not correctly validate its client step-up authentication in org.keycloak.authentication. This flaw allows a remote user authenticated with a password to register a false second authentication factor along with an existing one and bypass authentication. | -- | Apr 25, 2024 |
| CVE-2022-36029 | Greenlight is an end-user interface for BigBlueButton servers. Versions prior to 2.13.0 have an open redirect vulnerability in the Login page due to unchecked the value of the `return_to` cookie. Versions 2.13.0 contains a patch for the issue. | -- | Apr 25, 2024 |
| CVE-2022-36028 | Greenlight is an end-user interface for BigBlueButton servers. Versions prior to 2.13.0 have an open redirect vulnerability in the Login page due to unchecked the value of the `return_to` cookie. Versions 2.13.0 contains a patch for the issue. | -- | Apr 25, 2024 |
| CVE-2024-33697 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in Rimes Gold CF7 File Download – File Download for CF7 allows Stored XSS.This issue affects CF7 File Download – File Download for CF7: from n/a through 2.0. | -- | Apr 26, 2024 |
| CVE-2024-33696 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in Broadstreet XPRESS WordPress Ad Widget allows Stored XSS.This issue affects WordPress Ad Widget: from n/a through 2.20.0. | -- | Apr 26, 2024 |
| CVE-2024-33695 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in ThemeNcode Fan Page Widget by ThemeNcode allows Stored XSS.This issue affects Fan Page Widget by ThemeNcode: from n/a through 2.0. | -- | Apr 26, 2024 |
| CVE-2024-33694 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in Meks Meks ThemeForest Smart Widget allows Stored XSS.This issue affects Meks ThemeForest Smart Widget: from n/a through 1.5. | -- | Apr 26, 2024 |
| CVE-2024-33693 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in Meks Meks Smart Social Widget allows Stored XSS.This issue affects Meks Smart Social Widget: from n/a through 1.6.4. | -- | Apr 26, 2024 |
| CVE-2024-33692 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in Satrya Smart Recent Posts Widget allows Stored XSS.This issue affects Smart Recent Posts Widget: from n/a through 1.0.3. | -- | Apr 26, 2024 |
| CVE-2024-33691 | Cross-Site Request Forgery (CSRF) vulnerability in OptinMonster Popup Builder Team OptinMonster.This issue affects OptinMonster: from n/a through 2.15.3. | -- | Apr 26, 2024 |
| CVE-2024-33690 | Cross-Site Request Forgery (CSRF) vulnerability in Jegstudio Financio.This issue affects Financio: from n/a through 1.1.3. | -- | Apr 26, 2024 |
| CVE-2024-33689 | Cross-Site Request Forgery (CSRF) vulnerability in Tony Zeoli, Tony Hayes Radio Station.This issue affects Radio Station: from n/a through 2.5.7. | -- | Apr 26, 2024 |
| CVE-2024-33688 | Cross-Site Request Forgery (CSRF) vulnerability in Extend Themes Teluro.This issue affects Teluro: from n/a through 1.0.31. | -- | Apr 26, 2024 |
| CVE-2024-33683 | Cross-Site Request Forgery (CSRF) vulnerability in WP Republic Hide Dashboard Notifications.This issue affects Hide Dashboard Notifications: from n/a through 1.2.3. | -- | Apr 26, 2024 |
| CVE-2024-33682 | Cross-Site Request Forgery (CSRF) vulnerability in Cookie Information A/S WP GDPR Compliance.This issue affects WP GDPR Compliance: from n/a through 2.0.23. | -- | Apr 26, 2024 |
| CVE-2024-33680 | Cross-Site Request Forgery (CSRF) vulnerability in MainWP MainWP Child Reports.This issue affects MainWP Child Reports: from n/a through 2.1.1. | -- | Apr 26, 2024 |
| CVE-2024-33679 | Cross-Site Request Forgery (CSRF) vulnerability in FameThemes FameTheme Demo Importer.This issue affects FameTheme Demo Importer: from n/a through 1.1.5. | -- | Apr 26, 2024 |
| CVE-2024-33678 | Cross-Site Request Forgery (CSRF) vulnerability in ClickCease ClickCease Click Fraud Protection.This issue affects ClickCease Click Fraud Protection: from n/a through 3.2.4. | -- | Apr 26, 2024 |
