Security Vulnerabilities - CVEs Published In September 2024
A command injection vulnerability in requestLetsEncryptSslWithDnsChallenge in NginxProxyManager 2.11.3 allows an attacker to achieve remote code execution via Add Let's Encrypt Certificate. NOTE: this is not part of any NGINX software shipped by F5.
CVSS Score: 6.3
EPSS Score: 0.004
Published: 2024-09-27

A cross-site scripting (XSS) vulnerability in Flatpress v1.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the username parameter in setup.php.
CVSS Score: 6.1
EPSS Score: 0.14
Published: 2024-09-27

A cross-site scripting (XSS) vulnerability in Flatpress v1.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the email field.
CVSS Score: 6.1
EPSS Score: 0.066
Published: 2024-09-27

Advantech ADAM-5630 contains a cross-site request forgery (CSRF) vulnerability. It allows an attacker to partly circumvent the same origin policy, which is designed to prevent different websites from interfering with each other.
CVSS Score: 8.0
EPSS Score: 0.0
Published: 2024-09-27

Advantech ADAM-5630 shares user credentials in plain text between the device and the user source device during the login process.
CVSS Score: 5.7
EPSS Score: 0.0
Published: 2024-09-27

Advantech ADAM-5550 shares user credentials with a low level of encryption, consisting of base 64 encoding.
CVSS Score: 5.7
EPSS Score: 0.0
Published: 2024-09-27

Advantech ADAM 5550's web application includes a "logs" page where all the HTTP requests received are displayed to the user. The device doesn't correctly neutralize malicious code when parsing HTTP requests to generate page output.
CVSS Score: 8.8
EPSS Score: 0.001
Published: 2024-09-27

Alisonic Sibylla devices are vulnerable to SQL injection attacks, which could allow complete access to the database.
CVSS Score: 9.4
EPSS Score: 0.001
Published: 2024-09-27

A vulnerability was found in TP-LINK TL-WR841ND up to 20240920. It has been rated as critical. Affected by this issue is some unknown functionality of the file /userRpm/popupSiteSurveyRpm.htm. The manipulation of the argument ssid leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Score: 6.5
EPSS Score: 0.001
Published: 2024-09-27

A Client-side Template Injection (CSTI) vulnerability in Webkul Krayin CRM 1.3.0 allows remote attackers to execute arbitrary client-side template code by injecting a malicious payload during the lead creation process. This can lead to privilege escalation when the payload is executed, granting the attacker elevated permissions within the CRM system.
CVSS Score: 8.8
EPSS Score: 0.002
Published: 2024-09-27

