Security Vulnerabilities - CVEs Published In April 2024
The Beaver Themer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 1.4.9 due to insufficient input sanitization and output escaping on user supplied custom fields. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Score
6.4
EPSS Score
0.001
Published
2024-04-09
The Beaver Themer plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.9 via the 'wpbb' shortcode. This makes it possible for authenticated attackers, with contributor access and above, to extract sensitive data including arbitrary user_meta values.
CVSS Score
6.5
EPSS Score
0.005
Published
2024-04-09
The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to unauthenticated API key disclosure in versions up to, and including, 9.0.34 due to the plugin adding the API key to several plugin files. This makes it possible for unauthenticated attackers to obtain the developer's Google API key. While this does not affect the security of sites using this plugin, it allows unauthenticated attackers to make requests using this API key with the potential of exhausting requests resulting in an inability to use the map functionality offered by the plugin.
CVSS Score
5.3
EPSS Score
0.035
Published
2024-04-09
The WP Reset – Most Advanced WordPress Reset Tool plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0 via the use of insufficiently random snapshot names. This makes it possible for unauthenticated attackers to extract sensitive data including site backups by brute-forcing the snapshot filenames. Please note that the vendor does not plan to do any further hardening on this functionality.
CVSS Score
5.9
EPSS Score
0.005
Published
2024-04-09
Sourcecodester Online Graduate Tracer System v1.0 is vulnerable to SQL Injection via the "id" parameter in admin/admin_cs.php.
CVSS Score
7.5
EPSS Score
0.001
Published
2024-04-09
Sourcecodester Online Graduate Tracer System v1.0 is vulnerable to SQL Injection via the "request" parameter in admin/fetch_gendercs.php.
CVSS Score
8.6
EPSS Score
0.001
Published
2024-04-09
Cross site scripting in Zoom Desktop Client for Linux before version 5.17.10 may allow an authenticated user to conduct a denial of service via network access.
CVSS Score
4.1
EPSS Score
0.001
Published
2024-04-09
Improper privilege management in the installer for Zoom Desktop Client for macOS before version 5.17.10 may allow a privileged user to conduct an escalation of privilege via local access.
CVSS Score
5.5
EPSS Score
0.0
Published
2024-04-09
Improper privilege management in the installer for Zoom Desktop Client for Windows before version 5.17.10 may allow an authenticated user to conduct an escalation of privilege via local access.
CVSS Score
5.9
EPSS Score
0.0
Published
2024-04-09
Improper Input Validation vulnerability in Apache Zeppelin.
The attackers can execute malicious queries by setting improper configuration properties to LDAP search filter.
This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1.
Users are recommended to upgrade to version 0.11.1, which fixes the issue.
CVSS Score
6.5
EPSS Score
0.012
Published
2024-04-09