Shodan
Vulnerabilities
Vulnerable Software
Security Vulnerabilities - CVEs Published In December 2024
CVE-2024-52593
Misskey is an open source, federated social media platform.In affected versions missing validation in `NoteCreateService.insertNote`, `ApPersonService.createPerson`, and `ApPersonService.updatePerson` allows an attacker to control the target of any "origin" links (such as the "view on remote instance" banner). Any HTTPS URL can be set, even if it belongs to a different domain than the note / user. Vulnerable Misskey instances will use the unverified URL for several clickable links, allowing an attacker to conduct phishing or other attacks against remote users. This issue has been addressed in version 2024.11.0-alpha.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS Score
5.3
EPSS Score
0.001
Published
2024-12-18
CVE-2024-36694
OpenCart 4.0.2.3 is vulnerable to Server-Side Template Injection (SSTI) via the Theme Editor Function.
CVSS Score
7.2
EPSS Score
0.004
Published
2024-12-18
CVE-2024-56053
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in VibeThemes WPLMS allows SQL Injection.This issue affects WPLMS: from n/a before 1.9.9.5.3.
CVSS Score
7.6
EPSS Score
0.002
Published
2024-12-18
CVE-2024-56054
Unrestricted Upload of File with Dangerous Type vulnerability in VibeThemes WPLMS allows Upload a Web Shell to a Web Server.This issue affects WPLMS: from n/a before 1.9.9.5.2.
CVSS Score
9.1
EPSS Score
0.004
Published
2024-12-18
CVE-2024-56055
Path Traversal: '.../...//' vulnerability in VibeThemes WPLMS allows Path Traversal.This issue affects WPLMS: from n/a before 1.9.9.5.2.
CVSS Score
8.5
EPSS Score
0.004
Published
2024-12-18
CVE-2024-56057
Unrestricted Upload of File with Dangerous Type vulnerability in VibeThemes WPLMS allows Upload a Web Shell to a Web Server.This issue affects WPLMS: from n/a before 1.9.9.5.2.
CVSS Score
9.9
EPSS Score
0.004
Published
2024-12-18
CVE-2024-55953
DataEase is an open source business analytics tool. Authenticated users can read and deserialize arbitrary files through the background JDBC connection. When constructing the jdbc connection string, the parameters are not filtered. This vulnerability has been fixed in v1.18.27. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS Score
8.1
EPSS Score
0.01
Published
2024-12-18
CVE-2024-56047
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in VibeThemes WPLMS allows SQL Injection.This issue affects WPLMS: from n/a before 1.9.9.5.3.
CVSS Score
8.5
EPSS Score
0.003
Published
2024-12-18
CVE-2024-56048
Missing Authorization vulnerability in VibeThemes WPLMS allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WPLMS: from n/a through 1.9.9.
CVSS Score
8.8
EPSS Score
0.003
Published
2024-12-18
CVE-2024-56049
Path Traversal: '.../...//' vulnerability in VibeThemes WPLMS allows Path Traversal.This issue affects WPLMS: from n/a before 1.9.9.5.2.
CVSS Score
8.5
EPSS Score
0.002
Published
2024-12-18


Products
Pricing
Contact Us

Shodan ® - All rights reserved