Security Vulnerabilities - CVEs Published In April 2024
Portainer before 2.20.0 allows redirects when the target is not index.yaml.
CVSS Score: 9.1 | EPSS Score: 0.001 | Published: 2024-04-26
The Advanced Search WordPress plugin through 1.1.6 does not properly escape parameters appended to an SQL query, making it possible for users with the administrator role to conduct SQL Injection attacks in the context of multisite WordPress configurations.
CVSS Score: 4.7 | EPSS Score: 0.001 | Published: 2024-04-25
Cross Site Scripting (XSS) vulnerability in BOSSCMS v3.10 allows attackers to run arbitrary code via the header code and footer code fields in the code configuration.
CVSS Score: 7.1 | EPSS Score: 0.001 | Published: 2024-04-25
File Upload vulnerability in the function for employees to upload avatars in Code-Projects Simple School Management System v1.0 allows attackers to run arbitrary code via the upload of a crafted file.
CVSS Score: 6.3 | EPSS Score: 0.002 | Published: 2024-04-25
Greenlight is an end-user interface for BigBlueButton servers. Versions prior to 2.13.0 have an open redirect vulnerability in the Login page due to the unchecked value of the `return_to` cookie. Version 2.13.0 contains a patch for the issue.
CVSS Score: 9.1 | EPSS Score: 0.001 | Published: 2024-04-25
ThinkCMF 6.0.9 is vulnerable to File upload via UeditorController.php.
CVSS Score: 9.8 | EPSS Score: 0.001 | Published: 2024-04-25
Buffer Overflow vulnerability in Shenzhen Libituo Technology Co., Ltd LBT-T300-T400 v.3.2 allows a local attacker to execute arbitrary code via the vpn_client_ip variable of the config_vpn_pptp function in the rc program.
CVSS Score: 7.8 | EPSS Score: 0.0 | Published: 2024-04-25
An issue discovered in Yealink VP59 Teams Editions with firmware version 91.15.0.118 allows a physically proximate attacker to gain control of an account via a flaw in the factory reset procedure.
CVSS Score: 6.8 | EPSS Score: 0.001 | Published: 2024-04-25
Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. Prior to version 0.3.0, default functions don't respect nonreentrancy keys and the lock isn't emitted. No vulnerable production contracts were found. Additionally, using a lock on a `default` function is a very sparsely used pattern. As such, the impact is low. Version 0.3.0 contains a patch for the issue.
CVSS Score: 5.3 | EPSS Score: 0.003 | Published: 2024-04-25