Security Vulnerabilities - CVEs Published In August 2024
VTiger CRM <= 8.1.0 does not correctly check user privileges. A low-privileged user can interact directly with the "Migration" administrative module to disable arbitrary modules.
CVSS Score
8.3
EPSS Score
0.002
Published
2024-08-16
A Command Injection vulnerability exists in formWriteFacMac of the httpd binary in Tenda AC9 v15.03.06.42. As a result, an attacker can execute OS commands with root privileges.
CVSS Score
9.8
EPSS Score
0.054
Published
2024-08-16
reNgine is an automated reconnaissance framework for web applications. Versions 2.1.2 and prior are susceptible to Stored Cross-Site Scripting (XSS) attacks. The vulnerability occurs when scanning a domain: if the target domain's DNS record contains an XSS payload, malicious scripts execute in reNgine's dashboard view when any user views the scan results. The XSS payload is fetched directly from the DNS record of the remote target domain. Consequently, an attacker can execute the attack without requiring any additional input from the target or the reNgine user. A patch is available and expected to be part of version 2.1.3.
CVSS Score
5.0
EPSS Score
0.001
Published
2024-08-16
In JetBrains TeamCity before 2024.07.1, multiple stored XSS vulnerabilities were possible on the Clouds page.
CVSS Score
4.6
EPSS Score
0.029
Published
2024-08-16
In JetBrains TeamCity before 2024.07.1, self XSS was possible in the HashiCorp Vault plugin.
CVSS Score
3.7
EPSS Score
0.006
Published
2024-08-16
In JetBrains TeamCity before 2024.07.1, reflected XSS was possible on the agentPushPreset page.
CVSS Score
3.5
EPSS Score
0.0
Published
2024-08-16
In JetBrains TeamCity before 2024.07.1, reflected XSS was possible in the AWS Core plugin.
CVSS Score
4.6
EPSS Score
0.089
Published
2024-08-16
The JetElements plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.6.20 via the 'progress_type' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
CVSS Score
8.8
EPSS Score
0.006
Published
2024-08-16
Improper Restriction of Excessive Authentication Attempts vulnerability in upKeeper Solutions product upKeeper Manager allows Authentication Abuse. This issue affects upKeeper Manager: through 5.1.9.
CVSS Score
9.8
EPSS Score
0.001
Published
2024-08-16
Improper Restriction of Excessive Authentication Attempts vulnerability in upKeeper Solutions product upKeeper Manager allows Authentication Abuse. This issue affects upKeeper Manager: through 5.1.9.
CVSS Score
9.8
EPSS Score
0.001
Published
2024-08-16


Shodan ® - All rights reserved