Security Vulnerabilities - CVEs Published In February 2024
A Cross Site Scripting (XSS) vulnerability in CodeAstro Membership Management System in PHP v.1.0 allows a remote attacker to execute arbitrary code via the membershipType parameter in the add_type.php component.
CVSS Score
6.1
EPSS Score
0.003
Published
2024-02-28
An Unrestricted File Upload vulnerability in CodeAstro Membership Management System in PHP v.1.0 allows a remote attacker to execute arbitrary code via upload of a crafted php file in the settings.php component.
CVSS Score
8.8
EPSS Score
0.56
Published
2024-02-28
An issue exists within Piwigo before v.14.2.0 allowing a malicious user to take over the application. This exploit involves chaining a Cross Site Request Forgery vulnerability to issue a Stored Cross Site Scripting payload stored within an Admin user's dashboard, executing remote JavaScript. This can be used to upload a new PHP file under an administrator and directly call that file from the victim's instance to connect back to a malicious listener.
CVSS Score
5.4
EPSS Score
0.005
Published
2024-02-28
An issue in open-emr before v.7.0.2 allows a remote attacker to escalate privileges via a crafted script to the formid parameter in the ereq_form.php component.
CVSS Score
3.5
EPSS Score
0.0
Published
2024-02-28
IBM Security Guardium Key Lifecycle Manager 3.0, 3.0.1, 4.0, 4.1, and 4.1.1 allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment. IBM X-Force ID: 247621.
CVSS Score
4.3
EPSS Score
0.001
Published
2024-02-28
IBM Security Guardium Key Lifecycle Manager 3.0, 3.0.1, 4.0, 4.1, and 4.1.1 could allow a remote authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request. IBM X-Force ID: 247632.
CVSS Score
8.5
EPSS Score
0.001
Published
2024-02-28
Dedecms v5.7.112 was discovered to contain a Cross-Site Request Forgery (CSRF) in the file manager.
CVSS Score
8.8
EPSS Score
0.001
Published
2024-02-28
RuoYi v4.7.8 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /system/notice/.
CVSS Score
4.7
EPSS Score
0.001
Published
2024-02-28
A memory leak issue discovered in parseSWF_FREECHARACTER in libming v0.4.8 allows attackers to cause a denial of service via a crafted SWF file.
CVSS Score
7.5
EPSS Score
0.003
Published
2024-02-28
An issue in Mezzanine v6.0.0 allows attackers to bypass access control mechanisms in the admin panel via a crafted request.
CVSS Score
9.8
EPSS Score
0.008
Published
2024-02-28