Security Vulnerabilities - CVEs Published In March 2024
The NextMove Lite – Thank You Page for WooCommerce and Finale Lite – Sales Countdown Timer & Discount for WooCommerce plugins for WordPress are vulnerable to unauthorized access of data due to a missing capability check on the download_tools_settings() function in all versions up to, and including, 2.17.0. This makes it possible for unauthenticated attackers to export system information that can aid further attacks.
CVSS Score: 5.3
EPSS Score: 0.005
Published: 2024-03-01
The SolarWinds Security Event Manager was susceptible to a Remote Code Execution vulnerability. An unauthenticated user could abuse the SolarWinds service, resulting in remote code execution.
CVSS Score: 8.8
EPSS Score: 0.916
Published: 2024-03-01
Server-Side Request Forgery (SSRF) vulnerability in the Sirv CDN and Image Hosting WordPress plugin (vendor Sirv, plugin slug sirv). This issue affects all versions of Sirv through 7.2.0.
CVSS Score: 5.4
EPSS Score: 0.003
Published: 2024-03-01
Missing Authorization vulnerability in the Sirv CDN and Image Hosting WordPress plugin (vendor Sirv, plugin slug sirv). This issue affects all versions of Sirv through 7.2.0.
CVSS Score: 5.4
EPSS Score: 0.004
Published: 2024-03-01
In mongo-express 1.0.2, /admin allows CSRF, as demonstrated by deletion of a Collection.
CVSS Score: 6.1
EPSS Score: 0.002
Published: 2024-03-01
A local attacker can gain administrative privileges by inserting an executable file in the path of the affected product.
CVSS Score: 7.8
EPSS Score: 0.002
Published: 2024-03-01
The Slider Responsive Slideshow – Image slider, Gallery slideshow plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.8 via deserialization of untrusted input to the awl_slider_responsive_shortcode function. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
CVSS Score: 8.8
EPSS Score: 0.008
Published: 2024-03-01
Nteract v0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via Markdown links.
CVSS Score: 9.8
EPSS Score: 0.017
Published: 2024-03-01
mjml-app versions 3.0.4 and 3.1.0-beta were discovered to contain a remote code execution (RCE) vulnerability via the href attribute.
CVSS Score: 9.3
EPSS Score: 0.01
Published: 2024-03-01
IBM FileNet Content Manager 5.5.8.0, 5.5.10.0, and 5.5.11.0 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. IBM X-Force ID: 261115.
CVSS Score: 5.3
EPSS Score: 0.008
Published: 2024-03-01
Shodan ® - All rights reserved