Skip to main content
CVE-2024-23724 CRITICAL POC PATCH Act Now

Ghost through 5.76.0 allows stored XSS, and resultant privilege escalation in which a contributor can take over any account, via an SVG profile picture that contains JavaScript code to interact with. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Privilege Escalation XSS Ghost
NVD GitHub
CVSS 3.1
9.0
EPSS
3.5%
CVE-2024-25722 CRITICAL PATCH Act Now

qanything_kernel/connector/database/mysql/mysql_client.py in qanything.ai QAnything before 1.2.0 allows SQL Injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

SQLi Qanything
NVD GitHub
CVSS 3.1
9.8
EPSS
0.6%
CVE-2024-25718 CRITICAL PATCH Act Now

In the Samly package before 1.4.0 for Elixir, Samly.State.Store.get_assertion/3 can return an expired session, which interferes with access control because Samly.AuthHandler uses a cached session and. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Samly
NVD GitHub
CVSS 3.1
9.8
EPSS
0.7%
CVE-2024-25714 CRITICAL PATCH Act Now

In Rhonabwy through 1.1.13, HMAC signature verification uses a strcmp function that is vulnerable to side-channel attacks, because it stops the comparison when the first difference is spotted in the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Rhonabwy Debian Linux
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy