6.1
CVE-2024-5673 - Cross-Site Scripting in PHP File Manager by Dulldusk
Vulnerability in Dulldusk's PHP File Manager affecting version 1.7.8. This vulnerability consists of an XSS through the fm_current_dir parameter of index.php. An attacker could send a specially crafted JavaScript payload to an authenticated user and partially hijack their browser session.
8.8
CVE-2024-5329 - Unlimited Elements For Elementor (Free Widgets, Addons, Templates) <= 1.5.109 - Authenticated (Cont…
The Unlimited Elements For Elementor (Free Widgets, Addons, Templates) plugin for WordPress is vulnerable to blind SQL Injection via the ‘data[addonID]’ parameter in all versions up to, and including, 1.5.109 due to insufficient escaping on the user supplied parameter and lack of sufficient prepara…
6.4
CVE-2024-5259 - MultiVendorX Marketplace – WooCommerce MultiVendor Marketplace Solution <= 4.1.11 - Authenticated (…
The MultiVendorX Marketplace – WooCommerce MultiVendor Marketplace Solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘hover_animation’ parameter in all versions up to, and including, 4.1.11 due to insufficient input sanitization and output escaping. This makes it po…
8.6
CVE-2024-28995 - SolarWinds Serv-U L Directory Transversal Vulnerability
SolarWinds Serv-U was susceptible to a directory transversal vulnerability that would allow access to read sensitive files on the host machine.
7.5
CVE-2024-6239 - Poppler: pdfinfo: crash in broken documents when using -dests parameter
A flaw was found in Poppler's pdfinfo utility. This issue occurs when the -dests parameter is used with the pdfinfo utility. By supplying certain malformed input files, an attacker could cause the utility to crash, leading to a denial of service.
6.4
CVE-2024-5221 - Qi Blocks <= 1.2.9 - Authenticated (Author+) Stored Cross-Site Scripting
The Qi Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's file uploader in all versions up to, and including, 1.2.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and abo…
9.1
CVE-2024-36394 - SysAid - CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Inj…
SysAid - CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
9.9
CVE-2024-36393 - SysAid - CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection…
SysAid - CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
8.1
CVE-2024-4177 - Host whitelist parser issue in GravityZone Console On-Premise (VA-11554)
A host whitelist parser issue in the proxy service implemented in the GravityZone Update Server allows an attacker to cause a server-side request forgery. This issue only affects GravityZone Console versions before 6.38.1-2 that are running only on premise.
4.3
CVE-2024-5665 - Login/Signup Popup ( Inline Form + Woocommerce ) 2.7.1 - 2.7.2 - Missing Authorization to Arbitrary…
The Login/Signup Popup ( Inline Form + Woocommerce ) plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ‘export_settings’ function in versions 2.7.1 to 2.7.2. This makes it possible for authenticated attackers, with Subscriber-level access and…