Security Vulnerabilities - CVEs Published In March 2024
This vulnerability allows remote attackers to traverse paths via file upload on the affected LG LED Assistant.
CVSS Score: 5.3 | EPSS Score: 0.638 | Published: 2024-03-25
This vulnerability allows remote attackers to reset the password of anonymous users without authorization on the affected LG LED Assistant.
CVSS Score: 9.1 | EPSS Score: 0.81 | Published: 2024-03-25
Missing Authorization vulnerability in InspiryThemes RealHomes. This issue affects RealHomes: from n/a through 4.0.2.
CVSS Score: 4.3 | EPSS Score: 0.001 | Published: 2024-03-25
Missing Authorization vulnerability in InspiryThemes RealHomes. This issue affects RealHomes: from n/a through 4.0.2.
CVSS Score: 5.4 | EPSS Score: 0.001 | Published: 2024-03-25
The CM Download Manager WordPress plugin before 2.9.0 does not have CSRF checks in some places, which could allow attackers to make logged-in admins unpublish downloads via a CSRF attack.
CVSS Score: 6.8 | EPSS Score: 0.001 | Published: 2024-03-25
The CM Download Manager WordPress plugin before 2.9.0 does not have CSRF checks in some places, which could allow attackers to make logged-in admins delete downloads via a CSRF attack.
CVSS Score: 4.8 | EPSS Score: 0.002 | Published: 2024-03-25
The wp-schema-pro WordPress plugin before 2.7.16 does not validate post access, allowing a contributor user to access custom fields on any post, regardless of post type or status, via a shortcode.
CVSS Score: 4.3 | EPSS Score: 0.003 | Published: 2024-03-25
The CM Download Manager WordPress plugin before 2.9.1 does not have CSRF checks in some places, which could allow attackers to make logged-in admins edit downloads via a CSRF attack.
CVSS Score: 8.8 | EPSS Score: 0.007 | Published: 2024-03-25
CarrierWave is a solution for file uploads for Rails, Sinatra and other Ruby web frameworks. The vulnerability CVE-2023-49090 wasn't fully addressed. This vulnerability is caused by the fact that when uploading to object storage, including Amazon S3, it is possible to set a Content-Type value that is interpreted by browsers to be different from what's allowed by `content_type_allowlist`, by providing multiple values separated by commas. This bypassed value can be used to cause XSS. Upgrade to 3.0.7 or 2.2.6.
CVSS Score: 6.8 | EPSS Score: 0.001 | Published: 2024-03-24
OneUptime is a solution for monitoring and managing online services. The vulnerability lies in the improper validation of client-side stored data within the web application. Specifically, the is_master_admin key, stored in the local storage of the browser, can be manipulated by an attacker. By changing this key from false to true, the application grants administrative privileges to the user, without proper server-side validation. This has been patched in 7.0.1815.
CVSS Score: 8.3 | EPSS Score: 0.001 | Published: 2024-03-24