6.4
CVE-2024-4361 - Page Builder by SiteOrigin <= 2.29.15 - Authenticated (Contributor+) Stored Cross-Site Scripting vi…
The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'siteorigin_widget' shortcode in all versions up to, and including, 2.29.15 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possibl…
6.4
CVE-2024-4876 - HT Mega – Absolute Addons For Elementor <= 2.5.2 - Authenticated (Contributor+) Stored Cross-Site S…
The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘popover_header_text’ parameter in versions up to, and including, 2.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attacker…
10
CVE-2023-3941 - Multiple arbitrary file writes in ZkTeco-based OEM devices
Relative Path Traversal vulnerability in ZkTeco-based OEM devices allows an attacker to write any file on the system with root privileges. This issue affects ZkTeco-based OEM devices (ZkTeco ProFace X, Smartec ST-FR043, Smartec ST-FR041ME and possibly others) with the ZAM170-NF-1.8.25-7354-Ve…
7.5
CVE-2023-3940 - Multiple arbitrary file reads in ZkTeco-based OEM devices
Relative Path Traversal vulnerability in ZkTeco-based OEM devices allows an attacker to access any file on the system. This issue affects ZkTeco-based OEM devices (ZkTeco ProFace X, Smartec ST-FR043, Smartec ST-FR041ME and possibly others) with the ZAM170-NF-1.8.25-7354-Ver1.0.0 and possibly …
7.5
CVE-2024-4988 - Improper permission control in com.transsion.videocallenhancer
The mobile application (com.transsion.videocallenhancer) interface has improper permission control, which can lead to the risk of private file leakage.
10
CVE-2023-3939 - Multiple command injection in ZkTeco-based OEM devices
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in ZkTeco-based OEM devices allows OS Command Injection. Since all the found command implementations are executed from the superuser, their impact is the maximum possible. This issue affects…
5.9
CVE-2024-4435 - BTreeMap memory leak when deallocating nodes with overflows
When storing unbounded types in a BTreeMap, a node is represented as a linked list of "memory chunks". It was discovered recently that when we deallocate a node, in some cases only the first memory chunk is deallocated, and the rest of the memory chunks remain (incorrectly) allocated, causing a mem…
4.6
CVE-2023-3938 - Bypassing ZkTeco-based OEM devices/ZKTeco biometric authentication system via SQLi in QR code
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ZkTeco-based OEM devices allows an attacker to authenticate under any user from the device database. This issue affects ZkTeco-based OEM devices (ZkTeco ProFace X, Smartec ST-FR043, Smartec…
6.4
CVE-2024-4553 - WP Shortcodes Plugin — Shortcodes Ultimate <= 7.1.5 - Authenticated (Contributor+) Stored Cross-Sit…
The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'su_members' shortcode in all versions up to, and including, 7.1.5 due to insufficient input sanitization and output escaping on user supplied 'color' attribute. This ma…
6.4
CVE-2024-4695 - Move Addons for Elementor <= 1.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via M…
The Move Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers…