Skip to main content
CVE-2024-35591 MEDIUM POC This Month

An arbitrary file upload vulnerability in O2OA v8.3.8 allows attackers to execute arbitrary code via uploading a crafted PDF file. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE XSS File Upload O2oa
NVD GitHub
CVSS 3.1
5.4
EPSS
0.4%
CVE-2024-5318 MEDIUM POC This Month

An issue has been discovered in GitLab CE/EE affecting all versions starting from 11.11 prior to 16.10.6, starting from 16.11 prior to 16.11.3, and starting from 17.0 prior to 17.0.1. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Gitlab
NVD
CVSS 3.1
5.3
EPSS
0.4%
CVE-2024-5310 MEDIUM POC This Month

A vulnerability classified as problematic has been found in JFinalCMS up to 20221020. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Jfinalcms
NVD VulDB
CVSS 4.0
5.1
EPSS
0.4%
CVE-2024-4484 MEDIUM PATCH This Month

The The Plus Addons for Elementor - Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘xai_username’. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS WordPress The Plus Addons For Elementor Elementor
NVD
CVSS 3.1
6.4
EPSS
3.5%
CVE-2024-36361 MEDIUM PATCH This Month

Pug through 3.0.2 allows JavaScript code execution if an application accepts untrusted input for the name option of the compileClient, compileFileClient, or compileClientWithDependenciesTracked. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Code Injection RCE
NVD GitHub
CVSS 3.1
6.8
EPSS
0.5%
CVE-2024-4037 MEDIUM PATCH This Month

The WP Photo Album Plus plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 8.7.02.003. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

RCE Code Injection WordPress Wp Photo Album Plus
NVD
CVSS 3.1
6.5
EPSS
0.9%
CVE-2024-36079 MEDIUM This Month

An issue was discovered in Vaultize 21.07.27. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal
NVD GitHub
CVSS 3.1
6.5
EPSS
0.6%
CVE-2024-36049 MEDIUM This Month

Aptos Wisal payroll accounting before 7.1.6 uses hardcoded credentials in the Windows client to fetch the complete list of usernames and passwords from the database server, using an unencrypted. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Microsoft
NVD
CVSS 3.1
6.5
EPSS
0.5%
CVE-2024-33809 MEDIUM This Month

PingCAP TiDB v7.5.1 was discovered to contain a buffer overflow vulnerability, which could lead to database crashes and denial of service attacks. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Buffer Overflow Denial Of Service Tidb
NVD GitHub
CVSS 3.1
6.5
EPSS
0.4%
CVE-2024-22588 MEDIUM PATCH This Month

Kwik commit 745fd4e2 does not discard unused encryption keys. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service
NVD GitHub
CVSS 3.1
6.5
EPSS
0.3%
CVE-2024-3718 MEDIUM PATCH This Month

The The Plus Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several of the plugin's widgets all versions up to, and including, 5.5.4 due to insufficient. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS The Plus Addons For Elementor Elementor
NVD
CVSS 3.1
6.4
EPSS
0.5%
CVE-2024-5060 MEDIUM PATCH This Month

The LottieFiles - JSON Based Animation Lottie & Bodymovin for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.10.9 due to. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS WordPress Lottiefiles
NVD
CVSS 3.1
6.4
EPSS
0.4%
CVE-2024-3557 MEDIUM This Month

The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpgmza shortcode in all versions up to, and including, 9.0.36 due to. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Google XSS WordPress Wp Go Maps
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2024-2618 MEDIUM This Month

The Elementor Header & Footer Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the size attribute in all versions up to, and including, 1.6.26 due to insufficient input. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS WordPress Elementor Header Footer Builder Elementor
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2024-5205 MEDIUM This Month

The Videojs HTML5 Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's videojs_video shortcode in all versions up to, and including, 1.1.11 due to insufficient. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS WordPress
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2024-1134 MEDIUM PATCH This Month

The SEOPress - On-site SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the SEO title and description parameters as well as others in all versions up to, and including,. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS WordPress Seopress
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2024-1332 MEDIUM PATCH This Month

The Custom Fonts - Host Your Fonts Locally plugin for WordPress is vulnerable to Stored Cross-Site Scripting via svg file upload in all versions up to, and including, 2.1.4 due to insufficient input. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

WordPress XSS File Upload Custom Fonts
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2024-2784 MEDIUM PATCH This Month

The The Plus Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Hover Card widget in all versions up to, and including, 5.5.4 due to insufficient input. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS WordPress The Plus Addons For Elementor Elementor
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2024-4485 MEDIUM PATCH This Month

The The Plus Addons for Elementor - Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS WordPress The Plus Addons For Elementor Elementor
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2024-4366 MEDIUM PATCH This Month

The Spectra - WordPress Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘block_id’ parameter in versions up to, and including, 2.13.0 due to insufficient. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS WordPress Spectra
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2024-5312 MEDIUM PATCH This Month

PHP Server Monitor, version 3.2.0, is vulnerable to an XSS via the /phpservermon-3.2.0/vendor/phpmailer/phpmailer/test_script/index.php page in all visible parameters. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP XSS
NVD
CVSS 3.1
6.3
EPSS
0.3%
CVE-2024-35595 MEDIUM This Month

An arbitrary file upload vulnerability in the File Preview function of Xintongda OA v2023.12.30.1 allows attackers to execute arbitrary code via uploading a crafted PDF file. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE XSS File Upload
NVD GitHub
CVSS 3.1
6.1
EPSS
0.4%
CVE-2024-35593 MEDIUM This Month

An arbitrary file upload vulnerability in the File preview function of Raingad IM v4.1.4 allows attackers to execute arbitrary code via uploading a crafted PDF file. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE File Upload
NVD GitHub
CVSS 3.1
5.5
EPSS
0.2%
CVE-2024-33470 MEDIUM This Month

An issue in the SMTP Email Settings of AVTECH Room Alert 4E v4.4.0 allows attackers to gain access to credentials in plaintext via a passback attack. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 3.1
4.9
EPSS
0.2%
CVE-2024-1376 MEDIUM PATCH This Month

The Event post plugin for WordPress is vulnerable to unauthorized bulk metadata update due to a missing capability check on the save_bulkdatas function in all versions up to, and including, 5.9.4. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass WordPress Event Post
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2024-0893 MEDIUM This Month

The Schema App Structured Data plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the MarkupUpdate function in all versions up to, and. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Authentication Bypass Schema App Structured Data
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2024-4409 MEDIUM This Month

The WP-ViperGB plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6.1. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2024-34995 MEDIUM This Month

svnWebUI v1.8.3 was discovered to contain an arbitrary file deletion vulnerability via the dirTemps parameter under com.cym.controller.UserController#importOver. Rated medium severity (CVSS 4.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD GitHub
CVSS 3.1
4.3
EPSS
0.3%
CVE-2024-5273 MEDIUM This Month

Jenkins Report Info Plugin 1.2 and earlier does not perform path validation of the workspace directory while serving report files, allowing attackers with Item/Configure permission to retrieve. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Jenkins Report Info
NVD
CVSS 3.1
4.3
EPSS
0.8%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy