In Drupal Core versions 10.0.0 to 10.2.10, a medium-severity vulnerability (CVE-2024-11942) was detected. This vulnerability allows attackers to perform file manipulation. To address this issue, users should upgrade Drupal Core to version 10.2.10. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-11942.
In Python versions 3.12.0 and above, a high-severity vulnerability (CVE-2024-12254) was detected. This vulnerability allows attackers to exploit a flaw in the `asyncio._SelectorSocketTransport.writelines()` method, leading to uncontrolled memory consumption in network-based Python applications. To address this issue, users should upgrade Python to version 3.14.0a2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-12254.
In Directus versions prior to 11.2.9 and 11.0.0, a high-severity vulnerability (CVE-2024-54151) was detected. This vulnerability allows unauthenticated users to perform any operations (CRUD, subscriptions) with full admin privileges if `WEBSOCKETS_GRAPHQL_AUTH` or `WEBSOCKETS_REST_AUTH` is set to `public`. To address this issue, users should upgrade Directus to version 11.3.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-54151.
In Drupal Core versions from 7.0 before 7.102, from 8.0.0 before 10.2.11, and from 10.3.0 before 10.3.9, a medium-severity vulnerability (CVE-2024-55638) was detected. This vulnerability allows attackers to exploit deserialization of untrusted data, leading to object injection. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-55638.
In Drupal Core versions from 8.8.0 before 10.2.11, from 10.3.0 before 10.3.9, and from 11.0.0 before 11.0.8, a medium-severity vulnerability (CVE-2024-12393) was detected. This vulnerability allows attackers to exploit improper neutralization of input during web page generation, leading to Cross-Site Scripting (XSS). Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-12393.
In the WordPress Portfolio Builder – Portfolio Gallery plugin, versions up to 1.1.7, a medium-severity vulnerability (CVE-2024-53788) was detected. This vulnerability allows editors or higher to inject scripts into pages, which execute when accessed, due to insufficient input sanitization. There is no patched version available to address this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-53788.
In the WooCommerce Ultimate Gift Card – Create, Sell and Manage Gift Cards with Customized Email Templates plugin for WordPress, versions up to 2.9.1, a medium-severity vulnerability (CVE-2024-53740) was detected. This vulnerability allows unauthenticated attackers to inject arbitrary web scripts into pages by tricking users into actions such as clicking on a link, due to insufficient input sanitization and output escaping. To address this issue, users must upgrade to version 2.9.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-53740.
In the WordPress Elementor Button Plus Plugin, versions up to 1.3.3, a low-severity vulnerability (CVE-2024-53746) was detected. This vulnerability allows a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads, into websites, which will be executed when guests visit the site. There is no patched version available to address this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-53746.
In Django versions 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17, a critical-severity vulnerability (CVE-2024-53908) was detected. This vulnerability allows attackers to perform SQL injection when untrusted data is used as the lhs value in direct usage of the `django.db.models.fields.json.HasKey` lookup on Oracle databases. Applications using `jsonfield.has_key` via `__` are unaffected. To address this issue, users should upgrade Django to versions 5.1.4, 5.0.10 or 4.2.17. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-53908.