Business and Enterprise Solutions

In WordPress MDTF versions 1.3.3.4 and prior a critical severity vulnerability CVE-2024-50450 was found. This vulnerability allows attackers to inject malicious code, compromising system security. To fix this issue, users are advised to upgrade to version 1.3.3.5 and above. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-50450.

In WooCommerce PDF Invoices & Packing Slips versions up to 3.8.6 a medium severity vulnerability CVE-2024-5042, was detected. This allows attackers to exploit incorrectly configured access control security levels, potentially leading to unauthorized access. To fix this issue, users must upgrade to version 3.8.7. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-50421.

In Umbraco CMS versions from 14.0.0 to before 14.3.0 a medium severity vulnerability CVE-2024-48925 was detected. This vulnerability allows low-privilege users to access the webhook API and retrieve information restricted to users with access to the settings section. To address this issue, upgrade to version 14.3.0 or later. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-48925.

In Umbraco versions 13.x before 13.5.2, 10.x before 10.8.7, and 8.x before 8.18.15 a medium severity vulnerability CVE-2024-48927 was detected. This vulnerability allows attackers to execute code remotely when Backoffice users “preview” SVG files in full-screen mode. To address this issue, update to versions 13.5.2, 10.8.7, or 8.18.15. As a workaround, enable server-side file validation to strip script tags from the content during file uploads. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-48927.

In Umbraco versions on the 13.x branch prior to 13.5.2 and versions on the 10.x branch prior to 10.8.7 a medium severity vulnerability CVE-2024-48929 was detected. This vulnerability allows attackers to exploit incomplete session termination during explicit sign-outs. To address this issue, users are advised to update to versions 13.5.2 or 10.8.7. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-48929.

In Liferay Portal versions 7.4.0 through 7.4.3.103 and Liferay DXP versions from 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92, and 7.3 update 29 through update 35 a high severity vulnerability CVE-2024-26273 was detected. This vulnerability allows attackers to change user passwords, shut down the server, execute arbitrary code in the scripting console, and perform other administrative actions via the _com_liferay_commerce_catalog_web_internal_portlet_CommerceCatalogsPortlet_redirect parameter. To fix this issue, users should update Liferay Portal to version 7.4.3.104 and Liferay DXP to versions 2024.Q1.1, 2023.Q4.3, 2023.Q3.6, 7.3 Update 36. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-26273.

In Liferay Portal versions 7.4.3.75 through 7.4.3.111 and Liferay DXP versions 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 update 75 through update 92, and 7.3 update 32 through update 36 a high severity vulnerability CVE-2024-26271 was detected. This CSRF vulnerability in the My Account widget allows attackers to change user passwords, shut down the server, execute arbitrary code in the scripting console, and perform other administrative actions via the _com_liferay_my_account_web_portlet_MyAccountPortlet_backURL parameter. To address this issue, users should update Liferay Portal to version 7.4.3.112, and Liferay DXP to versions 2024.Q1.1, 2023.Q4.3, 2023.Q3.6, 7.3 Update 36. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-26271.

In Liferay Portal versions 7.0.0 to 7.4.3.101 and Liferay DXP versions 2023.Q3.1 to 2023.Q3.4 a critical severity vulnerability CVE-2024-8980 was detected. This vulnerability allows attackers to execute arbitrary Groovy scripts via crafted URLs due to insufficient CSRF protection. To fix this issue, users must upgrade to a patched version. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-8980.

In Liferay Portal versions 7.3.2 to 7.4.3.111 and Liferay DXP versions 2023.Q4.0 to 2023.Q4.5, 2023.Q3.1 to 2023.Q3.8, 7.4 GA to update 92, and 7.3 GA to update 36 a critical vulnerability CVE-2024-38002 was detected. This vulnerability allows attackers to modify workflow definitions and execute arbitrary code (RCE) by exploiting missing permission checks in the workflow component via the headless API. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-38002.