Security Vulnerabilities - CVEs Published In April 2024
A stored cross-site scripting (XSS) vulnerability in the component /action/anti.php of ThinkSAAS v3.7.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the word parameter.
CVSS Score
6.1
EPSS Score
0.005
Published
2024-04-30
A stored cross-site scripting (XSS) vulnerability in the component /pubs/counter.php of ThinkSAAS v3.7.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the code parameter.
CVSS Score
5.4
EPSS Score
0.007
Published
2024-04-30
Wallos before 1.15.3 is vulnerable to SQL Injection via the category and payment parameters to /subscriptions/get.php.
CVSS Score
8.1
EPSS Score
0.001
Published
2024-04-30
modules/Users/models/Module.php in Vtiger CRM 7.5.0 allows a remote authenticated attacker to run arbitrary PHP code because an unprotected endpoint allows them to write this code to the config.inc.php file (executed on every page load).
CVSS Score
8.1
EPSS Score
0.164
Published
2024-04-30
The Event Monster – Event Management, Tickets Booking, Upcoming Event plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.4 via deserialization via shortcode of untrusted input from a custom meta value. This makes it possible for authenticated attackers, with contributor access and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
CVSS Score
7.5
EPSS Score
0.006
Published
2024-04-30
It was identified that in certain versions of Octopus Server, that a user created with no permissions could view all users, user roles and permissions. This functionality was removed in versions of Octopus Server after the fixed versions listed.
CVSS Score
3.5
EPSS Score
0.001
Published
2024-04-30
O-RAN RIC I-Release e2mgr lacks array size checks in RicServiceUpdateHandler.
CVSS Score
4.3
EPSS Score
0.002
Published
2024-04-30
O-RAN RIC I-Release e2mgr lacks array size checks in E2nodeConfigUpdateNotificationHandler.
CVSS Score
9.8
EPSS Score
0.002
Published
2024-04-30
Open Networking Foundation SD-RAN Rimedo rimedo-ts 0.1.1 has a slice bounds out-of-range panic in "return plmnIdString[0:3], plmnIdString[3:]" in reader.go.
CVSS Score
7.5
EPSS Score
0.001
Published
2024-04-30
Open Networking Foundation SD-RAN Rimedo rimedo-ts 0.1.1 has a slice bounds out-of-range panic in "return uint64(b[2])<<16 | uint64(b[1])<<8 | uint64(b[0])" in reader.go.
CVSS Score
7.5
EPSS Score
0.001
Published
2024-04-30