Security Vulnerabilities - CVEs Published In September 2024
MongoDB Server may access non-initialized region of memory leading to unexpected behaviour when zero arguments are called in internal aggregation stage. This issue affected MongoDB Server v6.0 version 6.0.3.
CVSS Score
5.0
EPSS Score
0.003
Published
2024-09-10
Loftware Spectrum before 4.6 HF13 Deserializes Untrusted Data.
CVSS Score
9.8
EPSS Score
0.002
Published
2024-09-10
Loftware Spectrum before 5.1 allows SSRF.
CVSS Score
8.8
EPSS Score
0.002
Published
2024-09-10
Loftware Spectrum (testDeviceConnection) before 5.1 allows SSRF.
CVSS Score
8.8
EPSS Score
0.001
Published
2024-09-10
Loftware Spectrum before 4.6 HF14 uses a Hard-coded Password.
CVSS Score
9.8
EPSS Score
0.002
Published
2024-09-10
Loftware Spectrum before 4.6 HF14 has Missing Authentication for a Critical Function.
CVSS Score
9.8
EPSS Score
0.002
Published
2024-09-10
The Master Addons – Free Widgets, Hover Effects, Toggle, Conditions, Animations for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-jltma-wrapper-link element in all versions up to, and including 2.0.6.4 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user clicks on the injected link.
CVSS Score
5.4
EPSS Score
0.003
Published
2024-09-10
The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to unauthorized access to Private or Password-protected events due to missing authorization checks in all versions up to, and including, 4.0.4.3. This makes it possible for unauthenticated attackers to view private or password-protected events.
CVSS Score
5.3
EPSS Score
0.007
Published
2024-09-10
The Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload' function in all versions up to, and including, 6.5.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, and granted upload permissions by an administrator, to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVSS Score
8.8
EPSS Score
0.041
Published
2024-09-10
SPRT dissector crash in Wireshark 4.2.0 to 4.0.5 and 4.0.0 to 4.0.15 allows denial of service via packet injection or crafted capture file
CVSS Score
5.5
EPSS Score
0.001
Published
2024-09-10