Security Vulnerabilities - CVEs Published In March 2024
A vulnerability classified as critical has been found in SourceCodester Complete E-Commerce Site 1.0. Affected is an unknown function of the file /admin/users_photo.php. The manipulation of the argument photo leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-257544.
CVSS Score
4.7
EPSS Score
0.001
Published
2024-03-21
An issue was discovered in tramyardg autoexpress version 1.3.0, allows unauthenticated remote attackers to escalate privileges, update car data, delete vehicles, and upload car images via authentication bypass in uploadCarImages.php.
CVSS Score
9.8
EPSS Score
0.002
Published
2024-03-21
Stored Cross-Site Scripting (XSS) vulnerability in tramyardg autoexpress 1.3.0, allows remote unauthenticated attackers to inject arbitrary web script or HTML within parameter "imgType" via in uploadCarImages.php.
CVSS Score
6.1
EPSS Score
0.002
Published
2024-03-21
The File Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 7.2.4. This is due to missing or incorrect nonce validation on the wp_file_manager page that includes files through the 'lang' parameter. This makes it possible for unauthenticated attackers to include local JavaScript files that can be leveraged to achieve RCE via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This issue was partially patched in version 7.2.4, and fully patched in 7.2.5.
CVSS Score
8.8
EPSS Score
0.058
Published
2024-03-21
An issue was discovered in osCommerce v4, allows local attackers to bypass file upload restrictions and execute arbitrary code via administrator profile photo upload feature.
CVSS Score
6.6
EPSS Score
0.0
Published
2024-03-21
Cross Site Scripting (XSS) vulnerability in SurveyJS Survey Creator v.1.9.132 and before, allows attackers to execute arbitrary code and obtain sensitive information via the title parameter in form.
CVSS Score
6.1
EPSS Score
0.001
Published
2024-03-21
In MISP before 2.4.187, __uploadLogo in app/Controller/OrganisationsController.php does not properly check for a valid logo upload.
CVSS Score
9.8
EPSS Score
0.001
Published
2024-03-21
In MISP before 2.4.187, add_misp_export in app/Controller/EventsController.php does not properly check for a valid file upload.
CVSS Score
9.8
EPSS Score
0.001
Published
2024-03-21
The Kerlink firewall in ChirpStack chirpstack-mqtt-forwarder before 4.2.1 and chirpstack-gateway-bridge before 4.0.11 wrongly accepts certain TCP packets when a connection is not in the ESTABLISHED state.
CVSS Score
7.5
EPSS Score
0.001
Published
2024-03-21
Distrobox before 1.7.0.1 allows attackers to execute arbitrary code via command injection into exported executables.
CVSS Score
9.8
EPSS Score
0.002
Published
2024-03-21