Security Vulnerabilities - CVEs Published In October 2024
Phpgurukul Teachers Record Management System v2.1 is vulnerable to SQL Injection via the tid parameter to admin/queries.php.
CVSS Score
9.8
EPSS Score
0.001
Published
2024-10-31
Phpgurukul Beauty Parlour Management System v1.1 is vulnerable to SQL Injection in admin/index.php via the the username parameter.
CVSS Score
9.8
EPSS Score
0.001
Published
2024-10-31
An Insecure Direct Object Reference (IDOR) vulnerability in appointment-detail.php in Phpgurukul's Beauty Parlour Management System v1.1 allows unauthorized access to the Personally Identifiable Information (PII) of other customers.
CVSS Score
7.5
EPSS Score
0.002
Published
2024-10-31
Studio-42 eLfinder 2.1.62 is vulnerable to Remote Code Execution (RCE) as there is no restriction for uploading files with the .php8 extension.
CVSS Score
9.8
EPSS Score
0.019
Published
2024-10-31
Studio-42 eLfinder 2.1.62 contains a filename restriction bypass leading to a persistent Cross-site Scripting (XSS) vulnerability.
CVSS Score
6.1
EPSS Score
0.0
Published
2024-10-31
Webswing 23.2.2 allows remote attackers to modify client-side JavaScript code to achieve path traversal, likely leading to remote code execution via modification of shell scripts on the server.
CVSS Score
9.8
EPSS Score
0.019
Published
2024-10-31
When using Arm Cortex-M Security Extensions (CMSE), Secure stack
contents can be leaked to Non-secure state via floating-point registers
when a Secure to Non-secure function call is made that returns a
floating-point value and when this is the first use of floating-point
since entering Secure state. This allows an attacker to read a limited
quantity of Secure stack contents with an impact on confidentiality.
This issue is specific to code generated using LLVM-based compilers.
CVSS Score
3.7
EPSS Score
0.003
Published
2024-10-31
YesWiki is a wiki system written in PHP. Prior to 4.4.5, the use of a weak cryptographic algorithm and a hard-coded salt to hash the password reset key allows it to be recovered and used to reset the password of any account. This issue is fixed in 4.4.5.
CVSS Score
9.9
EPSS Score
0.001
Published
2024-10-31
DrayTek Vigor3900 1.5.1.3 allows attackers to inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the ruequest_certificate function.
CVSS Score
9.8
EPSS Score
0.002
Published
2024-10-31
DrayTek Vigor3900 1.5.1.3 allows attackers to inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the acme_process function.
CVSS Score
9.8
EPSS Score
0.002
Published
2024-10-31