8.8
CVE-2024-9970 - NewType FlowMaster BPM Plus - Privilege Escalation
The FlowMaster BPM Plus system from NewType has a privilege escalation vulnerability. Remote attackers with regular privileges can elevate their privileges to administrator by tampering with a specific cookie.
5.4
CVE-2024-9969 - NewType WebEIP v3.0 - Reflected XSS
NewType WebEIP v3.0 does not properly validate user input, allowing a remote attacker with regular privileges to insert JavaScript into specific parameters, resulting in a Reflected Cross-site Scripting (XSS) attack. The affected product is no longer maintained. It is recommended to upgrade to the β¦
8.8
CVE-2024-9968 - NewType WebEIP v3.0 - SQL injection
WebEIP v3.0 from NewTypeΒ does not properly validate user input, allowing remote attackers with regular privilege to inject SQL commands to read, modify, and delete data stored in database. The affected product is no longer maintained. It is recommended to upgrade to the new product.
6.5
CVE-2024-9820 - WP 2FA with Telegram <= 3.0 - Two-Factor Authentication Bypass
The WP 2FA with Telegram plugin for WordPress is vulnerable to Two-Factor Authentication Bypass in versions up to, and including, 3.0. This is due to the two-factor code being stored in a cookie, which makes it possible to bypass two-factor authentication.
4.3
CVE-2024-6757 - Elementor <= 3.23.5 - Authenticated (Contributor+) Basic Information Exposure via get_image_alt Funβ¦
The Elementor Website Builder β More than Just a Page Builder plugin for WordPress is vulnerable to Basic Information Exposure in all versions up to, and including, 3.23.5 via the get_image_alt function. This makes it possible for authenticated attackers, with Contributor-level access and above, toβ¦
8.8
CVE-2024-9687 - WP 2FA with Telegram <= 3.0 - Authenticated (Subscriber+) Authentication Bypass
The WP 2FA with Telegram plugin for WordPress is vulnerable to Authentication Bypass in versions up to, and including, 3.0. This is due to insufficient validation of the user-controlled key on the 'validate_tg' action. This makes it possible for authenticated attackers, with subscriber-level permisβ¦
5.1
CVE-2024-9952 - SourceCodester Online Eyewear Shop Contact Information Page contact_info cross site scripting
A vulnerability was found in SourceCodester Online Eyewear Shop 1.0 and classified as problematic. This issue affects some unknown processing of the file /admin/?page=system_info/contact_info of the component Contact Information Page. The manipulation of the argument Address leads to cross site scrβ¦
9.8
CVE-2024-48782 -
File Upload vulnerability in DYCMS Open-Source Version v2.0.9.41 allows a remote attacker to execute arbitrary code via the application only detecting the extension of image files in the front-end.
6.6
CVE-2023-31493 -
RCE (Remote Code Execution) exists in ZoneMinder through 1.36.33 as an attacker can create a new .php log file in language folder, while executing a crafted payload and escalate privileges allowing execution of any commands on the remote system.
9.8
CVE-2024-49195 -
Mbed TLS 3.5.x through 3.6.x before 3.6.2 has a buffer underrun in pkwrite when writing an opaque key pair