6.8
CVE-2023-7273 - Cross Site Request Forgery in Kiteworks OwnCloud
Cross site request forgery in Kiteworks OwnCloud allows an unauthenticated attacker to forge requests. If a request has no Authorization header, it is created with an empty string as value by a rewrite rule. The CSRF check is done by comparing the header value to null, meaning that the existing CSR…
3.7
CVE-2024-30132 - Missing default HTTP security headers affect HCL Nomad server on Domino
HCL Nomad server on Domino did not configure certain HTTP Security headers by default which could allow an attacker to obtain sensitive information via unspecified vectors.
5.3
CVE-2024-9405 -
An incorrect limitation of a path to a restricted directory (path traversal) has been detected in Pluck CMS, affecting version 4.7.18. An unauthenticated attacker could extract sensitive information from the server via the absolute path of a file located in the same directory or subdirectory as the…
6.6
CVE-2023-3441 - Exposure of Sensitive Information Due to Incompatible Policies in GitLab
An issue has been discovered in GitLab EE/CE affecting all versions starting from 8.0 before 16.4. The product did not sufficiently warn about security implications of granting merge rights to protected branches.
6.4
CVE-2024-9060 - AVIF & SVG Uploader <= 1.1.0 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upl…
The AVIF & SVG Uploader plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in version 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web…
6.4
CVE-2024-9118 - QS Dark Mode Plugin <= 2.9 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
The QS Dark Mode Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above…
9.8
CVE-2024-9289 - WordPress & WooCommerce Affiliate Program <= 8.4.1 - Authentication Bypass to Account Takeover and …
The WordPress & WooCommerce Affiliate Program plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 8.4.1. This is due to the rtwwwap_login_request_callback() function not properly validating a user's identity prior to authenticating them to the site. Thi…
5.3
CVE-2024-8430 - Spice Starter Sites <= 1.2.5 - Missing Authorization to Unauthenticated Demo Content Import
The Spice Starter Sites plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the spice_starter_sites_importer_creater function in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to import demo con…
9.8
CVE-2024-9265 - Echo RSS Feed Post Generator <= 5.4.6 - Unauthenticated Privilege Escalation
The Echo RSS Feed Post Generator plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 5.4.6. This is due to the plugin not properly restricting the roles that can be set during registration through the echo_check_post_header_sent() function. This makes it po…
6.4
CVE-2024-8324 - XO Slider <= 3.8.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
The XO Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘get_slider’ function in all versions up to, and including, 3.8.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and…