In Python versions 3.12.0 and above a high severity vulnerability CVE-2024-12254 was detected. This vulnerability allows attackers to exploit a flaw in the asyncio._SelectorSocketTransport.writelines() method, leading to uncontrolled memory consumption in network-based Python applications. To address this issue, users should upgrade Python to version 3.14.0a2. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-12254.
In WordPress Portfolio Builder – Portfolio Gallery plugin in versions up to 1.1.7 a medium severity vulnerability CVE-2024-53788 was detected. This vulnerability allows editors or higher to inject scripts into pages, which execute when accessed, due to insufficient input sanitization. There is no patched version available to address this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-53788.
In WooCommerce Ultimate Gift Card – Create, Sell and Manage Gift Cards with Customized Email Templates plugin for WordPress in versions up to 2.9.1 a medium severity vulnerability CVE-2024-53740 was detected. This vulnerability allows unauthenticated attackers to inject arbitrary web scripts into pages by tricking users into actions such as clicking on a link, due to insufficient input sanitization and output escaping. To address this issue, users must upgrade to version 2.9.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-53740.
In WordPress Elementor Button Plus Plugin versions up to 1.3.3 a low severity vulnerability CVE-2024-53746 was detected. This vulnerability allows a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads, into websites, which will be executed when guests visit the site. There is no patched version available to address this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-53746.
In Django versions 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17 a critical severity vulnerability CVE-2024-53908 was detected. This vulnerability allows attackers to perform SQL injection when untrusted data is used as the lhs value in direct usage of the `django.db.models.fields.json.HasKey` lookup on Oracle databases. Applications using `jsonfield.has_key` via `__` are unaffected. To address this issue, users should upgrade Django to versions 5.1.4, 5.0.10 or 4.2.17. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-53908.
In Django versions 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17 a critical severity vulnerability CVE-2024-53907 was detected. This vulnerability allows attackers to trigger a potential denial-of-service attack using inputs with large sequences of nested incomplete HTML entities. To address this issue, users should upgrade Django to versions 5.1.4, 5.0.10, or 4.2.17. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-53907.
In Zabbix versions 5.0.0 <= 5.0.42, 6.0.0 <= 6.0.32, 6.4.0 <= 6.4.17, and 7.0.0 <= 7.0.1rc1 a high severity vulnerability CVE-2024-36467 was detected. This vulnerability allows authenticated users with API access (users with the default User role) to add themselves to any group, such as Zabbix Administrators, except for groups that are disabled or have restricted GUI access. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-36467.
In Zabbix versions 7.0.0 through 7.0.2rc1 a low-severity vulnerability CVE-2024-36468 was detected. This vulnerability allows attackers to exploit a stack buffer overflow in the `zbx_snmp_cache_handle_engineid` function, caused by improper bounds checking when copying data from `session->securityEngineID` to `local_record.engineid`. Currently, there is no fix version for this issue. For more details, visit https://avd.aquasec.com/nvd/2024/cve-2024-36468.
In Mattermost versions 9.7.x up to 9.7.5, 9.8.x up to 9.8.2, and 9.9.x up to 9.9.2 a medium severity vulnerability CVE-2024-12247 was detected. This vulnerability allows users to keep old permissions even when permission updates are made, as the updates don't apply across all cluster nodes. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2024-12247.