Security Vulnerabilities - CVEs Published In May 2024
Umbraco CMS is an ASP.NET CMS used by more than 730.000 websites. Stored Cross-site scripting (XSS) enable attackers that have access to backoffice to bring malicious content into a website or application. This vulnerability has been patched in version(s) 8.18.13, 10.8.4, 12.3.7, 13.1.1 by implementing IHtmlSanitizer.
CVSS Score
4.2
EPSS Score
0.007
Published
2024-05-21
An issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_array_length function in the mjs.c file.
CVSS Score
5.5
EPSS Score
0.014
Published
2024-05-21
An issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_mk_ffi_sig function in the mjs.c file.
CVSS Score
4.3
EPSS Score
0.009
Published
2024-05-21
An issue in Cesanta mjs 2.20.0 allows a remote attacker to cause a denial of service via the mjs_do_gc function in the mjs.c file.
CVSS Score
7.5
EPSS Score
0.021
Published
2024-05-21
The ElementsKit Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in versions up to, and including, 3.6.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Score
6.4
EPSS Score
0.002
Published
2024-05-21
Umbraco is an ASP.NET CMS used by more than 730.000 websites. Umbraco has an endpoint that is vulnerable to open redirects. The endpoint is protected so it requires the user to be signed into backoffice before the vulnerable is exposed. This vulnerability has been patched in version(s) 8.18.14, 10.8.6, 12.3.10 and 13.3.1.
CVSS Score
6.1
EPSS Score
0.005
Published
2024-05-21
OMERO.web provides a web based client and plugin infrastructure. There is currently no escaping or validation of the `callback` parameter that can be passed to various OMERO.web endpoints that have JSONP enabled. This vulnerability has been patched in version 5.26.0.
CVSS Score
6.1
EPSS Score
0.004
Published
2024-05-21
The YouTube Video Gallery by YouTube Showcase – Video Gallery Plugin for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the emd_form_builder_lite_submit_form function in all versions up to, and including, 3.3.6. This makes it possible for unauthenticated attackers to create arbitrary posts or pages.
CVSS Score
5.3
EPSS Score
0.003
Published
2024-05-21
There exists a Denial of service vulnerability in Tink-cc in versions prior to 2.1.3. * An adversary can crash binaries using the crypto::tink::JsonKeysetReader in tink-cc by providing an input that is not an encoded JSON object, but still a valid encoded JSON element, for example a number or an array. This will crash as Tink just assumes any valid JSON input will contain an object.
* An adversary can crash binaries using the crypto::tink::JsonKeysetReader in tink-cc by providing an input containing many nested JSON objects. This may result in a stack overflow.
We recommend upgrading to version 2.1.3 or above
CVSS Score
7.5
EPSS Score
0.001
Published
2024-05-21
The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'siteorigin_widget' shortcode in all versions up to, and including, 2.29.15 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Score
6.4
EPSS Score
0.004
Published
2024-05-21