Security Vulnerabilities - CVEs Published In June 2024
In JetBrains YouTrack before 2024.2.34646 user without appropriate permissions could enable the auto-attach option for workflows
CVSS Score
6.3
EPSS Score
0.0
Published
2024-06-18
In JetBrains Hub before 2024.2.34646 stored XSS via project description was possible
CVSS Score
3.5
EPSS Score
0.002
Published
2024-06-18
In JetBrains YouTrack before 2024.2.34646 the Guest User Account was enabled for attaching files to articles
CVSS Score
4.3
EPSS Score
0.0
Published
2024-06-18
In JetBrains YouTrack before 2024.2.34646 user access token was sent to the third-party site
CVSS Score
5.3
EPSS Score
0.0
Published
2024-06-18
When Bazel Plugin in intellij imports a project (either using "import project" or "Auto import") the dialog for trusting the project is not displayed. This comes from the fact that both call the method ProjectBuilder.createProject which then calls ProjectManager.getInstance().createProject. This method, as its name suggests is intended to create a new project, not to import an existing one.
We recommend upgrading to version 2024.06.04.0.2 or beyond for the IntelliJ, CLion and Android Studio Bazel plugins.
CVSS Score
3.3
EPSS Score
0.001
Published
2024-06-18
The Divi theme for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.25.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Score
6.4
EPSS Score
0.001
Published
2024-06-18
The Lightbox & Modal Popup WordPress Plugin WordPress plugin before 2.7.28, foobox-image-lightbox-premium WordPress plugin before 2.7.28 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
CVSS Score
4.8
EPSS Score
0.002
Published
2024-06-18
The Simple Share Buttons Adder WordPress plugin before 8.5.1 does not sanitise and escape some of its settings, which could allow high privilege users such as editors to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed
CVSS Score
5.4
EPSS Score
0.002
Published
2024-06-18
The Expert Invoice WordPress plugin through 1.0.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
CVSS Score
4.8
EPSS Score
0.001
Published
2024-06-18
vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet potentially leading to remote code execution.
CVSS Score
9.8
EPSS Score
0.474
Published
2024-06-18