Security Vulnerabilities - CVEs Published In September 2024
The Limit Login Attempts Plus plugin for WordPress is vulnerable to IP Address Spoofing in versions up to, and including, 1.1.0. This is due to insufficient restrictions on where the IP Address information is being retrieved for request logging and login restrictions. Attackers can supply the X-Forwarded-For header with a different IP Address that will be logged and can be used to bypass settings that may have blocked an IP address or country from logging in.
CVSS Score
5.3
EPSS Score
0.001
Published
2024-09-19
Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can be corrupted by exceeding the stack limit, i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or the Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursion that can be abused by an attacker.
CVSS Score
7.5
EPSS Score
0.002
Published
2024-09-19
When logging in with the correct username and an incorrect weak password, the user receives a notification that their password is too weak. However, when an incorrect username is provided alongside a weak password, the application responds with an 'Invalid credentials' notification. This difference could be used to perform username enumeration.
CVSS Score
4.3
EPSS Score
0.002
Published
2024-09-18
Prior to this patch, a stored XSS vulnerability existed in the contact tracking and page hits report.
CVSS Score
7.3
EPSS Score
0.002
Published
2024-09-18
Mautic allows you to update the application via an upgrade script. The upgrade logic isn't shielded off correctly, which may lead to a vulnerable situation. This vulnerability is mitigated by the fact that Mautic needs to be installed in a certain way to be vulnerable.
CVSS Score
7.8
EPSS Score
0.001
Published
2024-09-18
CoreDNS through 1.10.1 enables attackers to achieve DNS cache poisoning and inject fake responses via a birthday attack.
CVSS Score
7.5
EPSS Score
0.0
Published
2024-09-18
DedeCMS 5.7.115 is vulnerable to Cross Site Scripting (XSS) via the advertisement code box in the advertisement management module.
CVSS Score
6.1
EPSS Score
0.001
Published
2024-09-18
Dedecms V5.7.115 contains an arbitrary code execution via file upload vulnerability in the backend.
CVSS Score
8.8
EPSS Score
0.007
Published
2024-09-18
Best House Rental Management System 1.0 contains a SQL injection vulnerability in the delete_category() function of the file rental/admin_class.php.
CVSS Score
9.8
EPSS Score
0.002
Published
2024-09-18
Best House Rental Management System 1.0 contains an arbitrary file upload vulnerability in the signup() function of the file rental/admin_class.php.
CVSS Score
9.8
EPSS Score
0.025
Published
2024-09-18