Security Vulnerabilities - CVEs Published In October 2024
SQL Injection vulnerability in Best courier management system in php v.1.0 allows a remote attacker to execute arbitrary code via the email parameter of the login request.
CVSS Score
9.8
EPSS Score
0.007
Published
2024-10-25
OvalEdge 5.2.8.0 and earlier is affected by a Sensitive Data Exposure vulnerability via a GET request to /user/getUserWithTeam. Authentication is required. The information disclosed is associated with all registered user ID numbers.
CVSS Score
7.5
EPSS Score
0.001
Published
2024-10-25
OvalEdge 5.2.8.0 and earlier is affected by an Account Takeover vulnerability via a POST request to /profile/updateProfile via the userId and email parameters. Authentication is required.
CVSS Score
9.8
EPSS Score
0.001
Published
2024-10-25
An issue in Olive VLE allows an attacker to obtain sensitive information via the reset password function.
CVSS Score
9.8
EPSS Score
0.003
Published
2024-10-25
Plenti, a static site generator, has an arbitrary file write vulnerability in versions prior to 0.7.2. The `/postLocal` endpoint is vulnerable to an arbitrary file write vulnerability when a plenti user serves their website. This issue may lead to Remote Code Execution. Version 0.7.2 fixes the vulnerability.
CVSS Score
7.5
EPSS Score
0.26
Published
2024-10-25
Plenti, a static site generator, has an arbitrary file deletion vulnerability in versions prior to 0.7.2. The `/postLocal` endpoint is vulnerable to an arbitrary file write deletion when a plenti user serves their website. This issue may lead to information loss. Version 0.7.2 fixes the vulnerability.
CVSS Score
7.5
EPSS Score
0.002
Published
2024-10-25
A vulnerability, which was classified as critical, has been found in SourceCodester Petrol Pump Management Software 1.0. Affected by this issue is some unknown functionality of the file /admin/ajax_product.php. The manipulation of the argument drop_services leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
CVSS Score
6.3
EPSS Score
0.001
Published
2024-10-25
This vulnerability exists in Matrix Door Controller Cosec Vega FAXQ due to improper implementation of session management at the web-based management interface. A remote attacker could exploit this vulnerability by sending a specially crafted http request on the vulnerable device.
Successful exploitation of this vulnerability could allow remote attacker to gain unauthorized access and take complete control of the targeted device.
CVSS Score
9.8
EPSS Score
0.005
Published
2024-10-25
Autolab, a course management service that enables auto-graded programming assignments, has misconfigured reset password permissions in version 3.0.0. For email-based accounts, users with insufficient privileges could reset and theoretically access privileged users' accounts by resetting their passwords. This issue is fixed in version 3.0.1. No known workarounds exist.
CVSS Score
8.8
EPSS Score
0.002
Published
2024-10-25
The WP-Members Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpmem_loginout shortcode in all versions up to, and including, 3.4.9.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Score
6.4
EPSS Score
0.0
Published
2024-10-25