9.8
CVE-2024-47943 - Improper signature verification of firmware upgrade files
The firmware upgrade function in the admin web interface of the RittalΒ IoT Interface & CMC III Processing Unit devices checks if the patch files are signed before executing the containing run.sh script. The signing process is kind of an HMAC with a long string as key which is hard-coded in the fβ¦
9.8
CVE-2024-9925 - SQL injection in QPLANT by TAI Smart Factory
SQL injection vulnerability in TAI Smart Factory's QPLANT SF version 1.0. Exploitation of this vulnerability could allow a remote attacker to retrieve all database information by sending a specially crafted SQL query to the βemailβ parameter on the βRequestPasswordChangeβ endpoint.
6.4
CVE-2024-9895 - Smart Online Order for Clover <= 1.5.7 - Authenticated (Contributor+) Stored Cross-Site Scripting vβ¦
The Smart Online Order for Clover plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's moo_receipt_link shortcode in all versions up to, and including, 1.5.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible β¦
10
CVE-2024-9985 - Ragic Enterprise Cloud Database - Arbitrary File Upload
Enterprise Cloud Database from Ragic does not properly validate the file type for uploads. Attackers with regular privileges can upload a webshell and use it to execute arbitrary code on the remote server.
9.8
CVE-2024-9984 - Ragic Enterprise Cloud Database - Missing Authentication
Enterprise Cloud Database from Ragic does not authenticate access to specific functionality, allowing unauthenticated remote attackers to use this functionality to obtain any user's session cookie.
7.5
CVE-2024-9983 - Ragic Enterprise Cloud Database - Arbitrary File Read through Path Traversal
Enterprise Cloud Database from Ragic does not properly validate a specific page parameter, allowing unauthenticated remote attackers to exploit this vulnerability to read arbitrary system files.
9.8
CVE-2024-9982 - ESi Technology AIM LINE Marketing Platform - SQL Injection
AIM LINE Marketing Platform from Esi Technology does not properly validate a specific query parameter. When the LINE Campaign Module is enabled, unauthenticated remote attackers can inject arbitrary FetchXml commands to read, modify, and delete database content.
8.8
CVE-2024-9981 - FormosaSoft ee-class - Local File Inclusion
The ee-class from FormosaSoft does not properly validate a specific page parameter, allowing remote attackers with regular privileges to upload a malicious PHP file first and then exploit this vulnerability to include the file, resulting in arbitrary code execution on the server.
8.8
CVE-2024-9980 - FormosaSoft ee-class - SQL Injection
The ee-class from FormosaSoft does not properly validate a specific page parameter, allowing remote attackers with regular privileges to inject arbitrary SQL commands to read, modify and delete database contents.
7.3
CVE-2024-9837 - AADMY β Add Auto Date Month Year Into Posts <= 2.0.1 - Unauthenticated Arbitrary Shortcode Execution
The The AADMY β Add Auto Date Month Year Into Posts plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.0.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. Tβ¦