Latest critical severity Vulnerabilities

A vulnerability has been identified in SIMATIC RTLS Locating Manager (6GT2780-0DA00) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA10) (All versions < V3.0.1.1), SIMATIC RTLS Lo...
A vulnerability has been identified in SIMATIC CN 4100 (All versions < V3.0). The affected device contains a hard-coded password which is used for the privileged system user `root` and for the boot load...
A vulnerability has been identified in SIMATIC CN 4100 (All versions < V3.0). The affected device contains undocumented users and credentials. An attacker could misuse the credentials to compromise th...
A vulnerability has been identified in SIMATIC RTLS Locating Manager (6GT2780-0DA00) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA10) (All versions < V3.0.1.1), SIMATIC RTLS Lo...
A vulnerability has been identified in SIMATIC RTLS Locating Manager (6GT2780-0DA00) (All versions < V3.0.1.1), SIMATIC RTLS Locating Manager (6GT2780-0DA10) (All versions < V3.0.1.1), SIMATIC RTLS Lo...
A vulnerability has been identified in RUGGEDCOM CROSSBOW (All versions < V5.5). The affected systems allow the upload of arbitrary files by any unauthenticated user. An attacker could leverage this v...
File upload vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform
Impact: When opening a form in Valtimo, the access token (JWT) of the user is exposed to `api.form.io` via the `x-jwt-token` header. An attacker can retrieve personal information from this toke...
npm/@valtimo/components>=11.2.0<11.2.2
npm/@valtimo/components>=11.0.0<11.1.6
npm/@valtimo/components<10.8.4
@valtimo/components exposes access token to form.io
npm/@valtimo/components>=11.2.0<11.2.2
npm/@valtimo/components>=11.0.0<11.1.6
npm/@valtimo/components<10.8.4
Authentication Bypass when using older password hashes
Cacti command injection in cmd_realtime.php
Description: `llama-cpp-python` depends on class `Llama` in `llama.py` to load `.gguf` llama.cpp or Latency Machine Learning Models. The `__init__` constructor built in the `Llama` takes several pa...
pip/llama-cpp-python>=0.2.30<=0.2.71
Cacti RCE vulnerability when importing packages
SQL Injection in School ERP Pro+Responsive by AROX SOLUTION
Unrestricted Upload of File with Dangerous Type vulnerability on Cockpit CMS from Agentejo
Improper authentication in YMS VIS Pro
WordPress WP Photo Album Plus plugin <= 8.7.01.001 - Unauth. Arbitrary File Upload vulnerability
WordPress canvasio3D Light plugin <= 2.5.0 - Arbitrary File Upload vulnerability
WordPress Pk Favicon Manager plugin <= 2.1 - Arbitrary File Upload vulnerability
WordPress AI Engine plugin <= 2.2.63 - Auth. Arbitrary File Upload vulnerability
WordPress Z-Downloads plugin <= 1.11.3 - Auth. Arbitrary File Upload vulnerability
Due to an unsafe de-serialization method used by the Veeam Service Provider Console(VSPC) server in communication between the management agent and its components, under certain conditions, it is poss...
Kognetiks Chatbot for WordPress <= 1.9.9 - Unauthenticated Arbitrary File Upload via chatbot_chatgpt_upload_file_to_assistant Function
Hotel Booking Lite <= 4.11.1 - Unauthenticated PHP Object Injection
llama-cpp-python vulnerable to Remote Code Execution by Server-Side Template Injection in Model Metadata
pip/llama-cpp-python>=0.2.30<=0.2.71
Description: A Stored Blind Cross-Site Scripting (XSS) vulnerability has been identified in the Failed Login Attempts Logging Feature of the Froxlor Application. Stored Blind XSS occurs when user...
composer/froxlor/froxlor<2.1.9
Summary: The latest version of lobe-chat (by now v0.141.2) has an unauthorized SSRF vulnerability. An attacker can construct malicious requests to cause SSRF without logging in, attack intranet serv...
npm/@lobehub/chat<=0.150.5
Froxlor Vulnerable to Blind XSS Leading to Froxlor Application Compromise
composer/froxlor/froxlor<2.1.9
lobe-chat `/api/proxy` endpoint Server-Side Request Forgery vulnerability
npm/@lobehub/chat<=0.150.5
LearnPress – WordPress LMS Plugin <= 4.2.6.5 - Unauthenticated Time-Based SQL Injection
IBM Security Guardium command injection
IBM Security Guardium<=11.3
IBM Security Guardium<=11.4
IBM Security Guardium<=11.5
IBM Security Guardium<=12.0
Overview: Path Traversal Vulnerability via File Uploads in Genie. Impact: Any Genie OSS users running their own instance and relying on the filesystem to store file attachments submitted to th...
maven/com.netflix.genie:genie-web<4.3.18
Path Traversal vulnerability via File Uploads in Genie
maven/com.netflix.genie:genie-web<4.3.18
Last Viewed Posts by WPBeginner <= 1.0.0 - Unauthenticated PHP Object Injection
Porto <= 7.1.0 - Unauthenticated Local File Inclusion via porto_ajax_posts
Important: Exploiting this vulnerability requires the attacker to have access to your Frigate instance, which means they could also just delete all of your recordings or perform any other action. If...
pip/frigate<0.13.2
CyberPower PowerPanel Enterprise Missing Authentication
In Frigate, Malicious Long Unicode filenames may cause a Multiple Application-level Denial of Service
pip/frigate<0.13.2
SolarWinds ARM Deserialization of Untrusted Data Remote Code Execution
The Social Connect plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.2. This is due to insufficient verification on the OpenID server being supplied durin...
The Startklar Elementor Addons plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 1.7.13. This is due to the plugin not properly validating the path of...
The Startklar Elementor Addons plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'process' function in the 'startklarDropZoneUploadProcess' c...
The Build App Online plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.0.5. This is due to the 'eb_user_email_verification_key' default value being empty, an...
Delta Electronics DIAEnergie SQL Injection
Delta Electronics DIAEnergie Unauthenticated SQL Injection
In multiple locations, there is a possible bypass of health data permissions due to improper input validation. This could lead to local escalation of privilege with no additional execution privileg...
Google Android
Tenda i21 formexeCommand stack-based overflow
Tenda i21 formWifiMacFilterSet stack-based overflow
Tenda i21 formWifiMacFilterGet stack-based overflow

© 2024 SecAlerts Pty Ltd.