In float block WordPress plugin versions 1.7 and prior a low severity vulnerability CVE-2024-11645 was detected. This vulnerability allows high-privilege users, such as administrators, to perform Stored Cross-Site Scripting (XSS) attacks by exploiting unsanitized and unescaped settings, even when the unfiltered_html capability is disallowed (e.g., in a multisite setup). No patched version has been officially released at this time. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-11645.
Read more CMS
In Spring Framework versions 5.3.0 to 5.3.40, 6.0.0 to 6.0.24, and 6.1.0 to 6.1.13 a high severity vulnerability CVE-2024-38816 was detected. This vulnerability allows attackers to perform path traversal attacks, enabling them to access any file on the system that the Spring application has access to. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-38816.
Read more Application Development
In wp-publications WordPress plugin versions 1.2 and prior a low severity vulnerability CVE-2024-11605 was detected. This vulnerability allows high-privilege users, such as administrators, to perform Stored Cross-Site Scripting (XSS) attacks by exploiting unescaped filenames, even when the unfiltered_html capability is disallowed (e.g., in a multisite setup). No patched version has been officially released at this time. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-11605.
Read more CMS
In the Calculated Fields Form plugin for WordPress versions 5.2.63 and prior a medium severity vulnerability CVE-2024-12601 was detected. This vulnerability allows attackers to overload server resources by sending multiple requests with excessively large CAPTCHA image dimensions, leading to potential denial of service. To fix this issue, users should upgrade Calculated Fields Form plugin for WordPress to version 5.2.64 or later. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-12601.
Read more CMS
In Liferay Portal versions starting from 7.0.0 through 7.4.3.87 and Liferay DXP versions starting from 7.4 GA through update 87, 7.3 GA through update 29 a medium severity vulnerability CVE-2024-37940 was detected. This vulnerability allows attackers to inject arbitrary web scripts or HTML into the Service Class text field in Liferay Portal and Liferay DXP, potentially leading to cross-site scripting attacks. To fix this issue, users should upgrade Liferay Portal to version 7.4.3.88 and Liferay DXP to versions 2023.Q3.1, 7.4 update 88, 7.3 update 30. For more details, visit https://nvd.nist.gov/vuln/detail/cve-2024-37940.
Read more CMS
In Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, and 9.5.x <= 9.5.12 a medium severity vulnerability CVE-2024-54083 was detected. This vulnerability allows attackers to cause a client-side denial of service (DoS) to users of particular channels by sending specially crafted posts. To address this issue, users should upgrade Mattermost to version 10.1.3. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-54083.
Read more Communication
In Vaultwarden versions 1.32.6 and prior a high severity vulnerability CVE-2024-56335 was detected. This vulnerability allows attackers with specific conditions to update or delete groups from an organization, potentially causing denial of service or privilege escalation. No patched version has been officially released at this time. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-56335.
Read more Security
In Download Manager plugin for WordPress versions 3.3.03 and prior a medium severity vulnerability CVE-2024-11768 was detected. This vulnerability allows attackers to download password-protected files due to improper password validation. To address this issue, users should upgrade to version 3.3.04 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-11768.
Read more CMS
In WooCommerce Point of Sale plugin for WordPress versions up to 6.1.0 a critical severity vulnerability CVE-2024-11281 was detected. This vulnerability allows attackers to change the email and reset the password of any user, including administrators, due to insufficient validation of the ‘logged_in_user_id’ value. To address this issue, users should upgrade to version 6.2.0 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-11281.
Read more E-commerce