Security Vulnerabilities - CVEs Published In December 2024
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Superset. Specifically, certain engine-specific functions are not checked, which allows attackers to bypass Apache Superset's SQL authorization. This issue is a follow-up to CVE-2024-39887 with additional disallowed PostgreSQL functions now included: query_to_xml_and_xmlschema, table_to_xml, table_to_xml_and_xmlschema.
This issue affects Apache Superset: <4.1.0.
Users are recommended to upgrade to version 4.1.0, which fixes the issue or add these Postgres functions to the config set DISALLOWED_SQL_FUNCTIONS.
CVSS Score
2.3
EPSS Score
0.003
Published
2024-12-09
Generation of Error Message Containing analytics metadata Information in Apache Superset.
This issue affects Apache Superset: before 4.1.0.
Users are recommended to upgrade to version 4.1.0, which fixes the issue.
CVSS Score
5.3
EPSS Score
0.002
Published
2024-12-09
Improper Authorization vulnerability in Apache Superset when FAB_ADD_SECURITY_API is enabled (disabled by default). Allows for lower privilege users to use this API.
issue affects Apache Superset: from 2.0.0 before 4.1.0.
Users are recommended to upgrade to version 4.1.0, which fixes the issue.
CVSS Score
7.6
EPSS Score
0.003
Published
2024-12-09
KASHIPARA E-learning Management System v1.0 is vulnerable to SQL Injection in /admin/delete_subject.php.
CVSS Score
7.2
EPSS Score
0.001
Published
2024-12-09
Missing Authorization vulnerability in Astoundify Jobify jobify.This issue affects Jobify: from n/a through < 4.3.0.
CVSS Score
5.3
EPSS Score
0.005
Published
2024-12-09
Missing Authorization vulnerability in ProfilePress Membership Team ProfilePress.This issue affects ProfilePress: from n/a through 4.13.1.
CVSS Score
5.3
EPSS Score
0.003
Published
2024-12-09
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Xpro Xpro Elementor Addons xpro-elementor-addons.This issue affects Xpro Elementor Addons: from n/a through <= 1.4.6.5.
CVSS Score
6.5
EPSS Score
0.003
Published
2024-12-09
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in reputeinfosystems ARForms Form Builder arforms-form-builder allows Code Injection.This issue affects ARForms Form Builder: from n/a through <= 1.7.1.
CVSS Score
5.3
EPSS Score
0.004
Published
2024-12-09
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in quomodosoft ElementsReady Addons for Elementor element-ready-lite allows DOM-Based XSS.This issue affects ElementsReady Addons for Elementor: from n/a through <= 6.4.7.
CVSS Score
6.5
EPSS Score
0.003
Published
2024-12-09
Missing Authorization vulnerability in Themeum Tutor LMS Elementor Addons tutor-lms-elementor-addons.This issue affects Tutor LMS Elementor Addons: from n/a through <= 2.1.5.
CVSS Score
4.3
EPSS Score
0.003
Published
2024-12-09