Exploit-DB

2024-06

2024-06-26:CVE-2024-28999:SolarWinds Platform 2024.1 SR1 – Race Condition

2024-06-14:N/A:Zyxel IKE Packet Decoder – Unauthenticated Remote Code Execution (Metasploit)

2024-06-14:N/A:PHP < 8.3.8 – Remote Code Execution (Unauthenticated) (Windows)

2024-06-01:CVE-2023-26602:ASUS ASMB8 iKVM 1.14.51 – Remote Code Execution (RCE) & SSH Access

2024-06-01:N/A:FreePBX 16 – Remote Code Execution (RCE) (Authenticated)

2024-06-01:N/A:Akaunting 3.1.8 – Server-Side Template Injection (SSTI)

2024-05

2024-05-19:CVE-2024-32113:Apache OFBiz 18.12.12 – Directory Traversal

2024-05-19:N/A:WordPress Theme XStore 9.3.8 – SQLi

2024-05-13:N/A:PyroCMS v3.0.1 – Stored XSS

2024-05-13:CVE-2024-27460:Plantronics Hub 3.25.1 – Arbitrary File Read

2024-05-13:N/A:CrushFTP < 11.1.0 – Directory Traversal

2024-05-13:CVE-2023-6710:Apache mod_proxy_cluster – Stored XSS

2024-05-08:CVE-2024-3378:iboss Secure Web Gateway – Stored Cross-Site Scripting (XSS)

2024-04

2024-04-21:CVE-2024-29291:Laravel Framework 11 – Credential Leakage

2024-04-21:N/A:WordPress Plugin Background Image Cropper v1.2 – Remote Code Execution

2024-04-21:CVE-2024-3400:Palo Alto PAN-OS < v11.1.2-h3 – Command Injection and Arbitrary File Creation

2024-04-15:CVE-2023-40279:OpenClinic GA 5.247.01 – Path Traversal (Authenticated)

2024-04-15:CVE-2023-40278:OpenClinic GA 5.247.01 – Information Disclosure

2024-04-15:CVE-2024-23897:Jenkins 2.441 – Local File Inclusion

2024-04-13:CVE-2023-40304:BMC Compuware iStrobe Web – 20.13 – Pre-auth RCE

2024-04-13:CVE-2023-51951:Stock Management System v1.0 – Unauthenticated SQL Injection

2024-04-13:N/A:Online Fire Reporting System OFRS – SQL Injection Authentication Bypass

2024-04-12:N/A:WordPress Plugin WP Video Playlist 1.1.1 – Stored Cross-Site Scripting (XSS)

2024-04-12:CVE-2021-36393:Moodle 3.10.1 – Authenticated Blind Time-Based SQL Injection – “sort” parameter

2024-04-12:CVE-2023-47268:PrusaSlicer 2.6.1 – Arbitrary code execution

2024-04-12:N/A:WordPress Plugin Playlist for Youtube 1.32 – Stored Cross-Site Scripting (XSS)

2024-04-12:CVE-2024-24747:MinIO < 2024-01-31T20-20-33Z – Privilege Escalation

2024-04-08:N/A:Human Resource Management System v1.0 – Multiple SQLi

2024-04-08:N/A:WordPress Theme Travelscape v1.0.3 – Arbitrary File Upload

2024-04-08:N/A:AnyDesk 7.0.15 – Unquoted Service Path

2024-04-03:N/A:WordPress Plugin Alemha Watermarker 1.3.1 – Stored Cross-Site Scripting (XSS)

2024-04-03:N/A:ESET NOD32 Antivirus 17.0.16.0 – Unquoted Service Path

2024-04-02:CVE-2023-48974:Axigen < 10.5.7 – Persistent Cross-Site Scripting

2024-04-02:CVE-2023-34927:Casdoor < v1.331.0 – ‘/api/set-password’ CSRF

2024-04-02:N/A:Microsoft Windows Defender – Detection Mitigation Bypass TrojanWin32Powessere.G

2024-04-02:CVE-2022-4395:WordPress Plugin – Membership For WooCommerce < v2.1.7 – Arbitrary File Upload to Shell (Unauthenticated)

2024-04-02:CVE-2024-21338:Microsoft Windows 10.0.17763.5458 – Kernel Privilege Escalation

2024-04-02:N/A:Rapid7 nexpose – ‘nexposeconsole’ Unquoted Service Path

2024-04-02:N/A:OpenCart Core 4.0.2.3 – ‘search’ SQLi

2024-04-02:CVE-2024-27673:ASUS Control Center Express 01.06.15 – Unquoted Service Path

2024-04-02:N/A:Simple Backup Plugin Python Exploit 2.7.10 – Path Traversal

2024-03

2024-03-28:CVE-2023-38831:WinRAR version 6.22 – Remote Code Execution via ZIP archive

2024-03-28:CVE-2023-32479:Dell Security Management Server <1.9.0 – Local Privilege Escalation

2024-03-28:CVE-2024-27686:RouterOS 6.40.5 – 6.44 and 6.48.1 – 6.49.10 – Denial of Service

2024-03-28:N/A:Broken Access Control – on NodeBB v3.6.7

2024-03-28:CVE-2023-49294:Asterisk AMI – Partial File Content & Path Disclosure (Authenticated)

2024-03-25:CVE-2024-24506:LimeSurvey Community 5.3.32 – Stored XSS

2024-03-25:CVE-2024-24401:Nagios XI Version 2024R1.01 – SQL Injection

2024-03-25:N/A:Tourism Management System v2.0 – Arbitrary File Upload

2024-03-25:N/A:Insurance Management System PHP and MySQL 1.0 – Multiple Stored XSS

2024-03-25:CVE-2023-41892:Craft CMS 4.4.14 – Unauthenticated Remote Code Execution

2024-03-20:N/A:CSZCMS v1.3.0 – SQL Injection (Authenticated)

2024-03-20:CVE-2023-6538:HNAS SMU 14.8.7825 – Information Disclosure

2024-03-20:CVE-2023-46023:Simple Task List 1.0 – ‘status’ SQLi

2024-03-20:CVE-2024-28595:Employee Management System 1.0 – ‘admin_id’ SQLi

2024-03-18:CVE-2023-22527:Atlassian Confluence < 8.5.3 – Remote Code Execution

2024-03-18:CVE-2024-24725:Gibbon LMS < v26.0.00 – Authenticated RCE

2024-03-18:CVE-2023-26035:ZoneMinder Snapshots < 1.37.33 – Unauthenticated RCE

2024-03-18:CVE-2023-30451:TYPO3 11.5.24 – Path Traversal (Authenticated)

2024-03-18:CVE-2023-4811:WordPress File Upload Plugin < 4.23.3 – Stored XSS

2024-03-16:CVE-2023-37466:vm2 – sandbox escape

2024-03-16:N/A:UPS Network Management Card 4 – Path Traversal

2024-03-16:CVE-2022-45899:Nokia BMC Log Scanner – Remote Code Execution

2024-03-16:N/A:Karaf v4.4.3 Console – RCE

2024-03-16:CVE-2024-1346:LaborOfficeFree 19.10 – MySQL Root Password Calculator

2024-03-16:N/A:Winter CMS 1.2.3 – Server-Side Template Injection (SSTI) (Authenticated)

2024-03-14:CVE-2024-23749:KiTTY 0.76.1.13 – Command Injection

2024-03-14:CVE-2024-25004:KiTTY 0.76.1.13 – ‘Start Duplicated Session Username’ Buffer Overflow

2024-03-14:CVE-2024-25003:KiTTY 0.76.1.13 – ‘Start Duplicated Session Hostname’ Buffer Overflow

2024-03-14:CVE-2023-7028:GitLab CE/EE < 16.7.2 – Password Reset

2024-03-14:N/A:Ruijie Switch PSG-5124 26293 – Remote Code Execution (RCE)

2024-03-14:CVE-2023-5702 CVE-2023-5222:Viessmann Vitogate 300 2.1.3.0 – Remote Code Execution (RCE)

2024-03-14:CVE-2023-23333:SolarView Compact 6.00 – Command Injection

2024-03-14:CVE-2023-3710:Honeywell PM43 < P10.19.050004 – Remote Code Execution (RCE)

2024-03-14:CVE-2023-42793:JetBrains TeamCity 2023.05.3 – Remote Code Execution (RCE)

2024-03-12:CVE-2023-5452:SnipeIT 6.2.1 – Stored Cross Site Scripting

2024-03-12:CVE-2023-34060:VMware Cloud Director 10.5 – Bypass identity verification

2024-03-12:CVE-2023-20048:Cisco Firepower Management Center < 6.6.7.1 – Authenticated RCE

2024-03-12:CVE-2023-7137:Client Details System 1.0 – SQL Injection

2024-03-12:N/A:Human Resource Management System 1.0 – ‘employeeid’ SQL Injection

2024-03-11:CVE-2023-35813:Sitecore – Remote Code Execution v8.2

2024-03-11:CVE-2023-26360:Adobe ColdFusion versions 2018,15 (and earlier) and 2021,5 and earlier – Arbitrary File Read

2024-03-11:CVE-2023-6114:WordPress Plugin Duplicator < 1.5.7.1 – Unauthenticated Sensitive Data Exposure to Account Takeover

2024-03-11:N/A:Microsoft Windows Defender / Trojan.Win32/Powessere.G – Detection Mitigation Bypass

2024-03-11:CVE-2023-5808:Hitachi NAS (HNAS) System Management Unit (SMU) Backup & Restore < 14.8.7825.01 – IDOR

2024-03-10:CVE-2022-4681:Hide My WP < 6.2.9 – Unauthenticated SQLi

2024-03-10:CVE-2024-22836:Akaunting < 3.1.3 – RCE

2024-03-10:CVE-2024-27620:Ladder v0.0.21 – Server-side request forgery (SSRF)

2024-03-10:CVE-2024-25832:DataCube3 v1.0 – Unrestricted file upload ‘RCE’

2024-03-10:CVE-2024-25830:DataCube3 v1.0 – Unrestricted file upload ‘RCE’

2024-03-10:CVE-2024-27612:Numbas < v7.3 – Remote Code Execution

2024-03-06:CVE-2023-46453:GLiNet – Router Authentication Bypass

2024-03-06:CVE-2023-50071:Customer Support System 1.0 – Multiple SQL injection

2024-03-05:CVE-2023-4642:kk Star Ratings < 5.4.6 – Rating Tampering via Race Condition

2024-03-05:CVE-2023-5817:Neontext WordPress Plugin – Stored XSS

2024-03-03:N/A:Magento ver. 2.4.6 – XSLT Server Side Injection

2024-03-03:N/A:Windows PowerShell – Event Log Bypass Single Quote Code Execution

2024-02

2024-02-28:CVE-2023-6063:WP Fastest Cache 1.2.2 – Unauthenticated SQL Injection

2024-02-28:CVE-2023-47184:WordPress Plugin Admin Bar & Dashboard Access Control Version: 1.2.8 – “Dashboard Redirect” field Stored XSS

2024-02-27:CVE-2023-22515:Atlassian Confluence Data Center and Server – Authentication Bypass (Metasploit)

2024-02-27:CVE-2023-3452:WordPress Plugin Canto < 3.0.5 – Remote File Inclusion (RFI) and Remote Code Execution (RCE)

2024-02-27:CVE-2023-37608:Automatic-Systems SOC FL9600 FastLine – The device contains hardcoded login and password for super admin

2024-02-26:CVE-2024-22318:IBM i Access Client Solutions v1.1.2 – 1.1.4, v1.1.4.3 – 1.1.9.4 – Remote Credential Theft

2024-02-26:CVE-2024-25735:Wyrestorm Apollo VX20 < 1.3.58 – Incorrect Access Control ‘Credentials Disclosure’

2024-02-26:CVE-2024-25736:Wyrestorm Apollo VX20 < 1.3.58 – Incorrect Access Control ‘DoS’

2024-02-26:CVE-2024-25734:Wyrestorm Apollo VX20 < 1.3.58 – Account Enumeration

2024-02-26:CVE-2023-4987:taskhub 2.8.7 – SQL Injection

2024-02-26:CVE-2023-3244:comments-like-dislike < 1.2.0 – Authenticated (Subscriber+) Plugin Setting Reset

2024-02-21:CVE-2023-46391:WEBIGniter v28.7.23 – Stored Cross Site Scripting (XSS)

2024-02-19:CVE-2021-3860:JFrog Artifactory < 7.25.4 – Blind SQL Injection

2024-02-19:CVE-2023-3897:SureMDM On-premise < 6.31 – CAPTCHA Bypass User Enumeration

2024-02-19:CVE-2023-46517:XAMPP – Buffer Overflow POC

2024-02-15:CVE-2023-45887:DS Wireless Communication – Remote Code Execution

2024-02-15:CVE-2023-38646:Metabase 0.46.6 – Pre-Auth Remote Code Execution

2024-02-15:CVE-2023-36085:SISQUALWFM 7.1.319.103 – Host Header Injection

2024-02-13:CVE-2023-38965:Lost and Found Information System v1.0 – (IDOR) leads to Account Takeover

2024-02-13:CVE-2023-31492:ManageEngine ADManager Plus Build < 7183 – Recovery Password Disclosure

2024-02-13:N/A:Splunk 9.0.4 – Information Disclosure

2024-02-09:CVE-2023-31419:Elasticsearch – StackOverflow DoS

2024-02-09:CVE-2022-26531:Zyxel zysh – Format string

2024-02-05:CVE-2023-43261:Milesight Routers UR5X, UR32L, UR32, UR35, UR41 – Credential Leakage Through Unprotected System Logs and Weak Password Encryption

2024-02-05:CVE-2023-35759:WhatsUp Gold 2022 (22.1.0 Build 39) – XSS

2024-02-05:CVE-2023-37307:MISP 2.4.171 – Stored XSS

2024-02-02:CVE-2023-36845:Juniper-SRX-Firewalls&EX-switches – (PreAuth-RCE) (PoC)

2024-02-02:CVE-2023-42222:WebCatalog 48.4 – Arbitrary Protocol Execution

2024-01

2024-01-31:CVE-2023-43320:Proxmox VE – TOTP Brute Force

2024-01-31:CVE-2023-42270:Grocy <=4.0.2 – CSRF

2024-01-31:CVE-2023-4974:Academy LMS 6.2 – SQL Injection