Vendors & Products Under Threat

Published during the last 7 days


Recent CVE reports we annotated

List of recently published CVE reports with a CVSS score above 6.0

ID CVSS Description
CVE-2024-36503 7.3 Memory management vulnerability in the Gralloc module. Impact: Successful exploitation of this vulnerability will affect availability. https://basefortify.eu/cve_reports/2024/06/cve-2024-36503.html
CVE-2024-2472 9.1 The LatePoint Plugin plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the start_or_use_session_for_customer function in all versions up to and including 4.9.9. This makes it possible for unauthenticated attackers to view other customers' cabinets, including the ability to view PII such as email addresses and to change their LatePoint user password, which may or may not be associated with a WordPress account. https://basefortify.eu/cve_reports/2024/06/cve-2024-2472.html
CVE-2024-36502 7.9 Out-of-bounds read vulnerability in the audio module. Impact: Successful exploitation of this vulnerability will affect availability. https://basefortify.eu/cve_reports/2024/06/cve-2024-36502.html
CVE-2024-31162 7.2 The specific function parameter of ASUS Download Master does not properly filter user input. An unauthenticated remote attacker with administrative privileges can exploit this vulnerability to execute arbitrary system commands on the device. https://basefortify.eu/cve_reports/2024/06/cve-2024-31162.html
CVE-2024-5731 6.8 A vulnerability in the IPS Manager, Central Manager, and Local Manager communication workflow allows an attacker to control the destination of a request by manipulating the parameter, thereby leveraging sensitive information. https://basefortify.eu/cve_reports/2024/06/cve-2024-5731.html
CVE-2024-37888 6.1 Open Link is a CKEditor plugin that extends the context menu with the possibility to open a link in a new tab. The vulnerability allowed JavaScript code to be executed by abusing the link href attribute. It affects all users using the Open Link plugin at version 1.0.5. https://basefortify.eu/cve_reports/2024/06/cve-2024-37888.html
CVE-2024-2024 8.8 The Folders Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the handle_folders_file_upload function in all versions up to, and including, 3.0.2. This makes it possible for authenticated attackers, with author access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible. https://basefortify.eu/cve_reports/2024/06/cve-2024-2024.html
CVE-2024-3912 9.8 Certain models of ASUS routers have an arbitrary firmware upload vulnerability. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary system commands on the device. https://basefortify.eu/cve_reports/2024/06/cve-2024-3912.html
CVE-2024-27154 6.2 Passwords are stored in clear-text logs. An attacker can retrieve passwords. As for the affected products/models/versions, see the reference URL. https://basefortify.eu/cve_reports/2024/06/cve-2024-27154.html
CVE-2024-31161 7.2 The upload functionality of ASUS Download Master does not properly filter user input. Remote attackers with administrative privilege can exploit this vulnerability to upload any file to any location. They may even upload malicious web page files to the website directory, allowing arbitrary system commands to be executed upon browsing the webpage. https://basefortify.eu/cve_reports/2024/06/cve-2024-31161.html
CVE-2024-5996 8.8 The notification emails sent by Soar Cloud HR Portal contain a link with an embedded session. These emails are sent without using an encrypted transmission protocol. If an attacker intercepts the packets, they can obtain the plaintext session information and use it to log into the system. https://basefortify.eu/cve_reports/2024/06/cve-2024-5996.html
CVE-2024-5981 6.3 A vulnerability was found in itsourcecode Online House Rental System 1.0. It has been classified as critical. Affected is an unknown function of the file manage_user.php. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-268458 is the identifier assigned to this vulnerability. https://basefortify.eu/cve_reports/2024/06/cve-2024-5981.html
CVE-2024-27164 7.1 Toshiba printers contain hardcoded credentials. As for the affected products/models/versions, see the reference URL. https://basefortify.eu/cve_reports/2024/06/cve-2024-27164.html
CVE-2024-37882 8.1 Nextcloud Server is a self-hosted personal cloud system. A recipient of a share with read/share permissions could reshare the item with more permissions. It is recommended that the Nextcloud Server is upgraded to 26.0.13 or 27.1.8 or 28.0.4 and that the Nextcloud Enterprise Server is upgraded to 26.0.13 or 27.1.8 or 28.0.4. https://basefortify.eu/cve_reports/2024/06/cve-2024-37882.html
CVE-2024-36499 6.8 Vulnerability of unauthorized screenshot capturing in the WMS module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. https://basefortify.eu/cve_reports/2024/06/cve-2024-36499.html
CVE-2024-5994 6.4 The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom JS option in versions up to, and including, 9.0.38. This makes it possible for authenticated attackers that have been explicitly granted permissions by an administrator, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Version 9.0.39 adds a caution to make administrators aware of the possibility for abuse if permissions are granted to lower-level users. https://basefortify.eu/cve_reports/2024/06/cve-2024-5994.html
CVE-2024-31163 7.2 ASUS Download Master has a buffer overflow vulnerability. An unauthenticated remote attacker with administrative privileges can exploit this vulnerability to execute arbitrary system commands on the device. https://basefortify.eu/cve_reports/2024/06/cve-2024-31163.html
CVE-2024-1094 7.3 The Timetics - AI-powered Appointment Booking with Visual Seat Plan and ultimate Calendar Scheduling plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the make_staff function in all versions up to, and including, 1.0.21. This makes it possible for unauthenticated attackers to grant users staff permissions. https://basefortify.eu/cve_reports/2024/06/cve-2024-1094.html
CVE-2024-3498 7.8 Attackers can then execute malicious files by enabling certain services of the printer via the web configuration page and elevate its privileges to root. As for the affected products/models/versions, see the reference URL. https://basefortify.eu/cve_reports/2024/06/cve-2024-3498.html
CVE-2024-4863 6.4 The Gutenberg Blocks with AI by Kadence WP Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the titleFont parameter in all versions up to, and including, 3.2.38 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. https://basefortify.eu/cve_reports/2024/06/cve-2024-4863.html
CVE-2024-27157 6.8 The sessions are stored in clear-text logs. An attacker can retrieve authentication sessions. A remote attacker can retrieve the credentials and bypass the authentication mechanism. As for the affected products/models/versions, see the reference URL. https://basefortify.eu/cve_reports/2024/06/cve-2024-27157.html
CVE-2024-27170 7.4 It was observed that all the Toshiba printers contain credentials used for WebDAV access in a readable file. Then, it is possible to get full access with WebDAV to the printer. As for the affected products/models/versions, see the reference URL. https://basefortify.eu/cve_reports/2024/06/cve-2024-27170.html
CVE-2024-27168 7.1 It appears that some hardcoded keys are used for authentication to the internal API. Knowing these private keys may allow attackers to bypass authentication and reach administrative interfaces. As for the affected products/models/versions, see the reference URL. https://basefortify.eu/cve_reports/2024/06/cve-2024-27168.html
CVE-2024-5995 8.8 The notification emails sent by Soar Cloud HR Portal contain a link with an embedded session. The expiration of the session is not properly configured: it remains valid for more than 7 days and can be reused. https://basefortify.eu/cve_reports/2024/06/cve-2024-5995.html
CVE-2024-27148 7.4 The Toshiba printers are vulnerable to a Local Privilege Escalation vulnerability. An attacker can remotely compromise any Toshiba printer. As for the affected products/models/versions, see the reference URL. https://basefortify.eu/cve_reports/2024/06/cve-2024-27148.html
CVE-2024-27153 7.4 The Toshiba printers are vulnerable to a Local Privilege Escalation vulnerability. An attacker can remotely compromise any Toshiba printer. As for the affected products/models/versions, see the reference URL. https://basefortify.eu/cve_reports/2024/06/cve-2024-27153.html
CVE-2024-27158 7.4 All the Toshiba printers share the same hardcoded root password. As for the affected products/models/versions, see the reference URL. https://basefortify.eu/cve_reports/2024/06/cve-2024-27158.html
CVE-2024-3079 7.2 Certain models of ASUS routers have buffer overflow vulnerabilities, allowing remote attackers with administrative privileges to execute arbitrary commands on the device. https://basefortify.eu/cve_reports/2024/06/cve-2024-3079.html
CVE-2024-27162 6.1 Toshiba printers provide a web interface that loads a JavaScript file. The file contains insecure code vulnerable to XSS and is loaded inside all the webpages provided by the printer. An attacker can steal the cookie of an admin user. As for the affected products/models/versions, see the reference URL. https://basefortify.eu/cve_reports/2024/06/cve-2024-27162.html
CVE-2024-23442 6.1 An open redirect issue was discovered in Kibana that could lead to a user being redirected to an arbitrary website if they use a maliciously crafted Kibana URL. https://basefortify.eu/cve_reports/2024/06/cve-2024-23442.html
CVE-2023-51495 6.5 Missing Authorization vulnerability in Woo WooCommerce Warranty Requests. This issue affects WooCommerce Warranty Requests: from na through 2.2.7. https://basefortify.eu/cve_reports/2024/06/cve-2023-51495.html
CVE-2024-4936 9.8 The Canto plugin for WordPress is vulnerable to Remote File Inclusion in all versions up to, and including, 3.0.8 via the abspath parameter. This makes it possible for unauthenticated attackers to include remote files on the server, resulting in code execution. This requires allow_url_include to be enabled on the target site in order to exploit. https://basefortify.eu/cve_reports/2024/06/cve-2024-4936.html
CVE-2024-5983 6.3 A vulnerability was found in itsourcecode Online Bookstore 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file bookPerPub.php. The manipulation of the argument pubid leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-268459. https://basefortify.eu/cve_reports/2024/06/cve-2024-5983.html
CVE-2024-27156 6.8 The session cookies, used for authentication, are stored in clear-text logs. An attacker can retrieve authentication sessions. A remote attacker can retrieve the credentials and bypass the authentication mechanism. As for the affected products/models/versions, see the reference URL. https://basefortify.eu/cve_reports/2024/06/cve-2024-27156.html
CVE-2024-3496 8.8 Attackers can bypass the web login authentication process to gain access to the printer's system information and upload malicious drivers to the printer. As for the affected products/models/versions, see the reference URL. https://basefortify.eu/cve_reports/2024/06/cve-2024-3496.html
CVE-2024-36500 7.8 Privilege escalation vulnerability in the AMS module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. https://basefortify.eu/cve_reports/2024/06/cve-2024-36500.html
CVE-2024-27171 7.4 A remote attacker using the insecure upload functionality will be able to overwrite any Python file and get Remote Code Execution. As for the affected products/models/versions, see the reference URL. https://basefortify.eu/cve_reports/2024/06/cve-2024-27171.html
CVE-2024-27180 6.7 An attacker with admin access can install rogue applications. As for the affected products/models/versions, see the reference URL. https://basefortify.eu/cve_reports/2024/06/cve-2024-27180.html
CVE-2024-4404 8.5 The ElementsKit PRO plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 3.6.2 via the render_raw function. This can allow authenticated attackers, with contributor-level permissions and above, to make web requests to arbitrary locations originating from the web application, and can be used to query and modify information from internal services. https://basefortify.eu/cve_reports/2024/06/cve-2024-4404.html
CVE-2024-37313 7.3 Nextcloud Server is a self-hosted personal cloud system. Under some circumstances it was possible to bypass the second factor of 2FA after successfully providing the user credentials. It is recommended that the Nextcloud Server is upgraded to 26.0.13, 27.1.8 or 28.0.4 and Nextcloud Enterprise Server is upgraded to 21.0.9.17, 22.2.10.22, 23.0.12.17, 24.0.12.13, 25.0.13.8, 26.0.13, 27.1.8 or 28.0.4. https://basefortify.eu/cve_reports/2024/06/cve-2024-37313.html
CVE-2024-27161 6.2 All the Toshiba printers have programs containing a hardcoded key used to encrypt files. An attacker can decrypt the encrypted files using the hardcoded key. An insecure algorithm is used for the encryption. This vulnerability can be executed in combination with other vulnerabilities and is difficult to execute alone. So, the CVSS score for this vulnerability alone is lower than the score listed in the Base Score of this vulnerability. For detail on related other vulnerabilities, please ask the contact point below. https://www.toshibatec.com/contacts/products As for the affected products/models/versions, see the reference URL. https://basefortify.eu/cve_reports/2024/06/cve-2024-27161.html
CVE-2024-5577 9.8 The Where I Was, Where I Will Be plugin for WordPress is vulnerable to Remote File Inclusion in version 1.1.1 via the WIW_HEADER parameter of the system/include/include_user.php file. This makes it possible for unauthenticated attackers to include and execute arbitrary files hosted on external servers, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution. This requires allow_url_include to be set to true in order to exploit, which is not commonly enabled. https://basefortify.eu/cve_reports/2024/06/cve-2024-5577.html
CVE-2024-5985 6.3 A vulnerability classified as critical has been found in SourceCodester Best Online News Portal 1.0. This affects an unknown part of the file admin/index.php. The manipulation of the argument username leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-268461 was assigned to this vulnerability. https://basefortify.eu/cve_reports/2024/06/cve-2024-5985.html
CVE-2024-27159 6.2 All the Toshiba printers contain a shell script using the same hardcoded key to encrypt logs. An attacker can decrypt the encrypted files using the hardcoded key. This vulnerability can be executed in combination with other vulnerabilities and is difficult to execute alone. So, the CVSS score for this vulnerability alone is lower than the score listed in the Base Score of this vulnerability. For detail on related other vulnerabilities, please ask the contact point below. https://www.toshibatec.com/contacts/products As for the affected products/models/versions, see the reference URL. https://basefortify.eu/cve_reports/2024/06/cve-2024-27159.html
CVE-2024-27144 9.8 The Toshiba printers provide several ways to upload files using the web interface without authentication. An attacker can overwrite any insecure files. And the Toshiba printers are vulnerable to a Local Privilege Escalation vulnerability. An attacker can remotely compromise any Toshiba printer. The programs can be replaced by malicious programs by any local or remote attacker. This vulnerability can be executed in combination with other vulnerabilities and is difficult to execute alone. So, the CVSS score for this vulnerability alone is lower than the score listed in the Base Score of this vulnerability. For detail on related other vulnerabilities, please ask the contact point below. https://www.toshibatec.com/contacts/products As for the affected products/models/versions, see the reference URL. https://basefortify.eu/cve_reports/2024/06/cve-2024-27144.html
CVE-2024-27169 8.4 Toshiba printers provide an API without authentication for internal access. A local attacker can bypass authentication in applications, providing administrative access. As for the affected products/models/versions, see the reference URL. https://basefortify.eu/cve_reports/2024/06/cve-2024-27169.html
CVE-2024-27147 7.4 The Toshiba printers are vulnerable to a Local Privilege Escalation vulnerability. An attacker can remotely compromise any Toshiba printer. As for the affected products/models/versions, see the reference URL. https://basefortify.eu/cve_reports/2024/06/cve-2024-27147.html
CVE-2024-27155 7.7 The Toshiba printers are vulnerable to a Local Privilege Escalation vulnerability. An attacker can remotely compromise any Toshiba printer. The programs can be replaced by malicious programs by any local or remote attacker. As for the affected products/models/versions, see the reference URL. https://basefortify.eu/cve_reports/2024/06/cve-2024-27155.html
CVE-2024-27145 9.8 The Toshiba printers provide several ways to upload files using the admin web interface. An attacker can remotely compromise any Toshiba printer. An attacker can overwrite any insecure files. This vulnerability can be executed in combination with other vulnerabilities and is difficult to execute alone. So, the CVSS score for this vulnerability alone is lower than the score listed in the Base Score of this vulnerability. For detail on related other vulnerabilities, please ask the contact point below. https://www.toshibatec.com/contacts/products As for the affected products/models/versions, see the reference URL. https://basefortify.eu/cve_reports/2024/06/cve-2024-27145.html
CVE-2024-5671 9.8 Insecure Deserialization in some workflows of the IPS Manager allows unauthenticated remote attackers to perform arbitrary code execution and gain access to the vulnerable Trellix IPS Manager. https://basefortify.eu/cve_reports/2024/06/cve-2024-5671.html

About Us

Learn more about the developers behind BaseFortify!

BaseFortify has been developed by Axxemble, a software company located in Enschede, Netherlands. Axxemble has an established history of developing high-quality software products intended for small & medium businesses. BaseFortify is no different: it is intended to improve the cybersecurity posture of companies and organizations that are unable to provide for continuous protection. Making careful use of vulnerability databases and the list of operating systems & applications used by our clients, BaseFortify is able to provide immediate warning when a component is at risk. Furthermore, tailored background information on vulnerabilities & exploits is provided without users becoming flooded with information.