9.9
CVE-2024-8672 - Widget Options β The #1 WordPress Widget & Block Control Plugin <= 4.0.7 - Authenticated (Contributβ¦
The Widget Options β The #1 WordPress Widget & Block Control Plugin plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.0.7 via the display logic functionality that extends several page builders. This is due to the plugin allowing users to supply inpuβ¦
4.3
CVE-2024-10670 - Primary Addon for Elementor <= 1.6.2 - Authenticated (Contributor+) Post Disclosure
The Primary Addon for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.6.2 via the [prim_elementor_template] shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, witβ¦
4.3
CVE-2024-10798 - Royal Elementor Addons and Templates <= 1.7.1003 - Authenticated (Contributor+) Post Disclosure
The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.7.1003 via the 'wpr-template' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, wiβ¦
9.8
CVE-2024-11103 - Contest Gallery <= 24.0.7 - Unauthenticated Arbitrary Password Reset to Privilege Escalation/Accounβ¦
The Contest Gallery plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 24.0.7. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackerβ¦
5.7
CVE-2024-22037 - Database password leaked by systemd uyuni-server-attestation service
The uyuni-server-attestation systemd service needs a database_password environment variable. This file has 640 permission, and cannot be shown users, but the environment is still exposed by systemd to non-privileged users.
8.2
CVE-2024-11599 - Domain Restriction Bypass on Registration
Mattermost versions 10.0.x <= 10.0.1, 10.1.x <= 10.1.1, 9.11.x <= 9.11.3, 9.5.x <= 9.5.11 fail to properly validate email addresses which allows an unauthenticated user to bypass email domain restrictions via carefully crafted input on email registration.
6.8
CVE-2024-22038 - DoS attacks, information leaks etc. with crafted Git repositories in obs-scm-bridge
Various problems in obs-scm-bridge allows attackers that create specially crafted git repositories to leak information of cause denial of service.
4.6
CVE-2024-49502 - Reflected XSS in Setup Wizard, HTTP Proxy credentials pane in spacewalk-web
A Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in the Setup Wizard, HTTP Proxy credentials pane in spacewalk-web allows attackers to attack users by providing specially crafted URLs to click. This issue affects Container suse/manager/5.0/β¦
4.6
CVE-2024-49503 - Reflected XSS in Setup Wizard, Organization Credentials in spacewalk-web
A Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in SUSE manager allows attackers to execute Javascript code in the organization credentials sub page. This issue affects Container suse/manager/5.0/x86_64/server:5.0.2.7.8.1: before 5.0.15-15β¦
5.7
CVE-2024-52283 -
Missing sanitation of inputs allowed arbitrary users to conduct a stored XSS attack that triggers for users that view a certain project