Nomisec Exploits

22,699 exploits tracked across all sources.

Sort: Activity Stars
CVE-2024-9821 NOMISEC HIGH
WooCommerce plugin <1.2.4 - Info Disclosure
The Bot for Telegram on WooCommerce plugin for WordPress is vulnerable to sensitive information disclosure due to missing authorization checks on the 'stm_wpcfto_get_settings' AJAX action in all versions up to, and including, 1.2.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to view the Telegram Bot Token, a secret token used to control the bot, which can then be used to log in as any existing user on the site, such as an administrator, if they know the username, due to the Login with Telegram feature.
by RandomRobbieBF
1 stars
CVSS 8.8
CVE-2024-7135 NOMISEC MEDIUM
Tainacan <= 0.21.7 - Authenticated Arbitrary File Read via Missing Authorization in get_file Function
The Tainacan plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_file' function in all versions up to, and including, 0.21.7. The function is also vulnerable to directory traversal. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
by RandomRobbieBF
1 stars
CVSS 6.5
CVE-2024-7514 NOMISEC MEDIUM
WordPress Comments Import & Export <2.3.7 - Info Disclosure
The WordPress Comments Import & Export plugin for WordPress is vulnerable to to arbitrary file read due to insufficient file path validation during the comments import process, in versions up to, and including, 2.3.7. This makes it possible for authenticated attackers, with Author-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. The issue was partially fixed in version 2.3.8 and fully fixed in 2.3.9
by RandomRobbieBF
1 stars
CVSS 6.5
CVE-2024-9224 NOMISEC MEDIUM
Hello World < 2.1.1 - Authenticated Arbitrary File Read via hello_world_lyric()
The Hello World plugin for WordPress is vulnerable to Arbitrary File Reading in all versions up to, and including, 2.1.1 via the hello_world_lyric() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
by RandomRobbieBF
1 stars
CVSS 6.5
CVE-2024-5932 NOMISEC CRITICAL
GiveWP <= 3.14.1 - Unauthenticated PHP Object Injection via give_title
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.14.1 via deserialization of untrusted input from the 'give_title' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to execute code remotely, and to delete arbitrary files.
by OxLmahdi
1 stars
CVSS 10.0
CVE-2024-9707 NOMISEC CRITICAL
Hunk Companion <= 1.8.4 - Unauthenticated Arbitrary Plugin Installation and Activation via REST API
The Hunk Companion plugin for WordPress is vulnerable to unauthorized plugin installation/activation due to a missing capability check on the /wp-json/hc/v1/themehunk-import REST API endpoint in all versions up to, and including, 1.8.4. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated.
by RandomRobbieBF
1 stars
CVSS 9.8
CVE-2023-45866 NOMISEC MEDIUM
BlueZ Bluetooth HID Hosts - Unauthenticated Keyboard Input Injection
Bluetooth HID Hosts in BlueZ may permit an unauthenticated Peripheral role HID Device to initiate and establish an encrypted connection, and accept HID keyboard reports, potentially permitting injection of HID messages when no user interaction has occurred in the Central role to authorize such access. An example affected package is bluez 5.64-0ubuntu1 in Ubuntu 22.04LTS. NOTE: in some cases, a CVE-2020-0556 mitigation would have already addressed this Bluetooth HID Hosts issue.
by Chedrian07
CVSS 6.3
CVE-2024-9441 NOMISEC CRITICAL
Linear eMerge e3-Series <1.00-07 - Command Injection
The Linear eMerge e3-Series through version 1.00-07 is vulnerable to an OS command injection vulnerability. A remote and unauthenticated attacker can execute arbitrary OS commands via the login_id parameter when invoking the forgot_password functionality over HTTP.
by p33d
6 stars
CVSS 9.8
CVE-2024-44000 NOMISEC CRITICAL
LiteSpeed Cache < 6.5.0.1 - Unauthenticated Authentication Bypass via Insufficiently Protected Credentials
Insufficiently Protected Credentials vulnerability in LiteSpeed Technologies LiteSpeed Cache litespeed-cache allows Authentication Bypass.This issue affects LiteSpeed Cache: from n/a through < 6.5.0.1.
by geniuszly
4 stars
CVSS 9.8
CVE-2021-44228 NOMISEC CRITICAL
Log4Shell HTTP Header Injection
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
by NikitaPark
CVSS 10.0
CVE-2024-8698 NOMISEC HIGH
Keycloak SAML Core < 22.0.13 - Improper Verification of Cryptographic Signature in XMLSignatureUtil
A flaw exists in the SAML signature validation method within the Keycloak XMLSignatureUtil class. The method incorrectly determines whether a SAML signature is for the full document or only for specific assertions based on the position of the signature in the XML document, rather than the Reference element used to specify the signed element. This flaw allows attackers to create crafted responses that can bypass the validation, potentially leading to privilege escalation or impersonation attacks.
by huydoppaz
6 stars
CVSS 7.7
CVE-2024-4439 NOMISEC HIGH
WordPress 6.0-6.5.2 - Stored Cross-Site Scripting via Avatar Block Display Name
WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output escaping on the display name. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. In addition, it also makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that have the comment block present and display the comment author's avatar.
by soltanali0
CVSS 7.2
CVE-2024-9465 NOMISEC CRITICAL
Palo Alto Networks Expedition 1.2.0-1.2.95 - Unauthenticated SQL Injection and Arbitrary File Write
An SQL injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys. With this, attackers can also create and read arbitrary files on the Expedition system.
by Qlng
CVSS 9.1
CVE-2024-46209 NOMISEC MEDIUM
REDAXO CMS 5.17.1 - Stored Cross-Site Scripting via Password Parameter in /media/test.html
A stored cross-site scripting (XSS) vulnerability in the component /media/test.html of REDAXO CMS v5.17.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the password parameter.
by h4ckr4v3n
CVSS 5.4
CVE-2024-9464 NOMISEC MEDIUM
Palo Alto Networks Expedition 1.2.0-1.2.95 - Authenticated OS Command Injection
An OS command injection vulnerability in Palo Alto Networks Expedition allows an authenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.
by horizon3ai
45 stars
CVSS 6.5
CVE-2024-9465 NOMISEC CRITICAL
Palo Alto Networks Expedition 1.2.0-1.2.95 - Unauthenticated SQL Injection and Arbitrary File Write
An SQL injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys. With this, attackers can also create and read arbitrary files on the Expedition system.
by horizon3ai
30 stars
CVSS 9.1
CVE-2024-27198 NOMISEC CRITICAL
TeamCity < 2023.11.4 - Authentication Bypass
In JetBrains TeamCity before 2023.11.4 authentication bypass allowing to perform admin actions was possible
by geniuszly
3 stars
CVSS 9.8
CVE-2023-6421 NOMISEC HIGH
WordPress Download Mgr <3.2.83 - Info Disclosure
The Download Manager WordPress plugin before 3.2.83 does not protect file download's passwords, leaking it upon receiving an invalid one.
by RandomRobbieBF
1 stars
CVSS 7.5
CVE-2024-34102 NOMISEC CRITICAL
Adobe Commerce and Magento - XML External Entity Injection to Code Execution
Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary code execution. An attacker could exploit this vulnerability by sending a crafted XML document that references external entities. Exploitation of this issue does not require user interaction.
by bka
CVSS 9.8
CVE-2023-50164 NOMISEC CRITICAL
Apache Struts 2.0.0-2.5.32 - Path Traversal and Remote Code Execution via File Upload
An attacker can manipulate file upload params to enable paths traversal and under some circumstances this can lead to uploading a malicious file which can be used to perform Remote Code Execution. Users are recommended to upgrade to versions Struts 2.5.33 or Struts 6.3.0.2 or greater to fix this issue.
by NikitaPark
1 stars
CVSS 9.8
CVE-2023-30486 NOMISEC MEDIUM
HashThemes Square <2.0.0 - Info Disclosure
Missing Authorization vulnerability in HashThemes Square allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Square: from n/a through 2.0.0.
by RandomRobbieBF
1 stars
CVSS 4.3
CVE-2024-38077 NOMISEC CRITICAL
Windows Remote Desktop Licensing Service - Remote Code Execution
Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability
by mrmtwoj
16 stars
CVSS 9.8
CVE-2021-44228 NOMISEC CRITICAL
Log4Shell HTTP Header Injection
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
by Carlos-Mesquita
1 stars
CVSS 10.0
CVE-2024-0044 NOMISEC MEDIUM
PackageInstallerService - Privilege Escalation
In createSessionInternal of PackageInstallerService.java, there is a possible run-as any app due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
by k4ran909
CVSS 6.7
CVE-2023-22527 NOMISEC CRITICAL
Atlassian Confluence SSTI Injection
A template injection vulnerability on older versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected instance. Customers using an affected version must take immediate action. Most recent supported versions of Confluence Data Center and Server are not affected by this vulnerability as it was ultimately mitigated during regular version updates. However, Atlassian recommends that customers take care to install the latest version to protect their instances from non-critical vulnerabilities outlined in Atlassian’s January Security Bulletin.
by kh4sh3i
1 stars
CVSS 9.8