Security Vulnerabilities - CVEs Published In December 2024
A Stored Cross-Site Scripting (XSS) vulnerability was found in /send_message.php of Kashipara E-learning Management System v1.0. This vulnerability allows remote attackers to execute arbitrary scripts via the my_message parameter.
CVSS Score: 5.4 | EPSS Score: 0.001 | Published: 2024-12-09

A Directory Listing issue was found in Kashipara E-Learning Management System v1.0, which allows remote attackers to access sensitive files and directories via /admin/assets.
CVSS Score: 5.3 | EPSS Score: 0.001 | Published: 2024-12-09

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Analytify. This issue affects Analytify: from n/a through 5.4.3.
CVSS Score: 6.5 | EPSS Score: 0.002 | Published: 2024-12-09

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Superset. Specifically, certain engine-specific functions are not checked, which allows attackers to bypass Apache Superset's SQL authorization. This issue is a follow-up to CVE-2024-39887, with additional disallowed PostgreSQL functions now included: query_to_xml_and_xmlschema, table_to_xml, table_to_xml_and_xmlschema. This issue affects Apache Superset: <4.1.0. Users are recommended to upgrade to version 4.1.0, which fixes the issue, or to add these Postgres functions to the DISALLOWED_SQL_FUNCTIONS config set.
CVSS Score: 9.8 | EPSS Score: 0.002 | Published: 2024-12-09

Generation of an error message containing analytics metadata information in Apache Superset. This issue affects Apache Superset: before 4.1.0. Users are recommended to upgrade to version 4.1.0, which fixes the issue.
CVSS Score: 5.3 | EPSS Score: 0.003 | Published: 2024-12-09

Improper Authorization vulnerability in Apache Superset when FAB_ADD_SECURITY_API is enabled (disabled by default). Allows lower-privilege users to use this API. This issue affects Apache Superset: from 2.0.0 before 4.1.0. Users are recommended to upgrade to version 4.1.0, which fixes the issue.
CVSS Score: 6.5 | EPSS Score: 0.003 | Published: 2024-12-09

Kashipara E-learning Management System v1.0 is vulnerable to SQL Injection in /admin/delete_subject.php.
CVSS Score: 7.2 | EPSS Score: 0.001 | Published: 2024-12-09

Missing Authorization vulnerability in Astoundify Jobify - Job Board WordPress Theme. This issue affects Jobify - Job Board WordPress Theme: from n/a through 4.2.3.
CVSS Score: 5.3 | EPSS Score: 0.002 | Published: 2024-12-09

Missing Authorization vulnerability in ProfilePress Membership Team ProfilePress. This issue affects ProfilePress: from n/a through 4.13.1.
CVSS Score: 5.3 | EPSS Score: 0.002 | Published: 2024-12-09

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Xpro Xpro Elementor Addons allows Stored XSS. This issue affects Xpro Elementor Addons: from n/a through 1.4.6.1.
CVSS Score: 6.5 | EPSS Score: 0.001 | Published: 2024-12-09
Shodan ® - All rights reserved