Security Vulnerabilities - CVEs Published In October 2024
The Miniorange OTP Verification with Firebase plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 3.6.0. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources, and the user current password check is missing. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts.
CVSS Score
9.8
EPSS Score
0.004
Published
2024-10-17
Dell OpenManage Enterprise, version(s) OME 4.1 and prior, contain(s) an Improper Control of Generation of Code ('Code Injection') vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Code execution.
CVSS Score
8.0
EPSS Score
0.007
Published
2024-10-17
Dell OpenManage Enterprise, version(s) OME 4.1 and prior, contain(s) an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure.
CVSS Score
4.3
EPSS Score
0.007
Published
2024-10-17
A maliciously crafted PDF file, when parsed through Autodesk Revit, may force an Out-of-Bounds Write vulnerability. A malicious actor may leverage this vulnerability to cause a crash, cause data corruption, or execute arbitrary code in the context of the current process.
CVSS Score
7.8
EPSS Score
0.004
Published
2024-10-16
A maliciously crafted RFA file, when parsed through Autodesk Revit, can force a Stack-Based Buffer Overflow. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process.
CVSS Score
7.8
EPSS Score
0.004
Published
2024-10-16
ClassCMS <=4.8 is vulnerable to file inclusion in the nowView method in/class/cms/cms.php, which can include a file uploaded to the/class/template directory to execute PHP code.
CVSS Score
9.8
EPSS Score
0.005
Published
2024-10-16
dingfanzu CMS V1.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via the addPro parameter of the component doAdminAction.php which allows a remote attacker to execute arbitrary code
CVSS Score
6.1
EPSS Score
0.006
Published
2024-10-16
A discrepancy in error messages for invalid login attempts in Webmin Usermin v2.100 allows attackers to enumerate valid user accounts.
CVSS Score
5.3
EPSS Score
0.149
Published
2024-10-16
An issue in the component /index.php?page=backup/export of REDAXO CMS v5.17.1 allows attackers to execute a directory traversal.
CVSS Score
4.9
EPSS Score
0.008
Published
2024-10-16
REDAXO CMS v2.11.0 was discovered to contain a remote code execution (RCE) vulnerability.
CVSS Score
7.2
EPSS Score
0.02
Published
2024-10-16