Security Vulnerabilities - CVEs Published In June 2024
The tagDiv Composer plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.8 via the 'td_block_title' shortcode 'block_template_id' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included.
CVSS Score
8.8
EPSS Score
0.007
Published
2024-06-15
StorageGRID (formerly StorageGRID Webscale) versions prior to
11.7.0.9 and 11.8.0.5 are susceptible to disclosure of sensitive
information via complex MiTM attacks due to a vulnerability in the SSH
cryptographic implementation.
CVSS Score
5.3
EPSS Score
0.001
Published
2024-06-14
Itsourcecode Payroll Management System 1.0 is vulnerable to SQL Injection in payroll_items.php via the ID parameter.
CVSS Score
9.8
EPSS Score
0.002
Published
2024-06-14
MyFinances is a web application for managing finances. MyFinances has a way to access other customer invoices while signed in as a user. This method allows an actor to access PII and financial information from another account. The vulnerability is fixed in 0.4.6.
CVSS Score
6.5
EPSS Score
0.109
Published
2024-06-14
Buffer Overflow Vulnerability in libcdio 2.2.0 (fixed in 2.3.0) allows an attacker to execute arbitrary code via a crafted ISO 9660 image file.
CVSS Score
8.4
EPSS Score
0.001
Published
2024-06-14
Directory Traversal vulnerability in Mgt-commerce CloudPanel v.2.0.0 thru v.2.4.0 allows a remote attacker to obtain sensitive information and execute arbitrary code via the service parameter of the load-logfiles function.
CVSS Score
8.8
EPSS Score
0.035
Published
2024-06-14
Aegon Life v1.0 was discovered to contain a SQL injection vulnerability via the client_id parameter at clientStatus.php.
CVSS Score
8.8
EPSS Score
0.87
Published
2024-06-14
A cross-site scripting (XSS) vulnerability in Aegon Life v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the name parameter at insertClient.php.
CVSS Score
6.1
EPSS Score
0.002
Published
2024-06-14
The Open Link is a CKEditor plugin, extending context menu with a possibility to open link in a new tab. The vulnerability allowed to execute JavaScript code by abusing link href attribute. It affects all users using the Open Link plugin at version < **1.0.5**.
CVSS Score
6.1
EPSS Score
0.206
Published
2024-06-14
A privilege escalation vulnerability exists in the affected product. The vulnerability allows low-privilege users to edit scripts, bypassing Access Control Lists, and potentially gaining further access within the system.
CVSS Score
8.5
EPSS Score
0.0
Published
2024-06-14