Vulnerabilities
Vulnerable Software
Security Vulnerabilities - CVEs Published In June 2024
MileSight DeviceHub - CWE-20 Improper Input Validation may allow Denial of Service
CVSS Score
7.5
EPSS Score
0.004
Published
2024-06-02
MileSight DeviceHub - CWE-320: Key Management Errors may allow Authentication Bypass and Man-In-The-Middle Traffic
CVSS Score
9.1
EPSS Score
0.004
Published
2024-06-02
MileSight DeviceHub - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS Score
6.1
EPSS Score
0.003
Published
2024-06-02
MileSight DeviceHub - CWE-305 Missing Authentication for Critical Function
CVSS Score
10.0
EPSS Score
0.005
Published
2024-06-02
MileSight DeviceHub - CWE-330 Use of Insufficiently Random Values may allow Authentication Bypass
CVSS Score
9.8
EPSS Score
0.005
Published
2024-06-02
MileSight DeviceHub - CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') may allow Unauthenticated RCE
CVSS Score
9.8
EPSS Score
0.006
Published
2024-06-02
A path traversal vulnerability exists in the parisneo/lollms-webui, specifically within the 'copy_to_custom_personas' endpoint in the 'lollms_personalities_infos.py' file. This vulnerability allows attackers to read arbitrary files by manipulating the 'category' and 'name' parameters during the 'Copy to custom personas folder for editing' process. By inserting '../' sequences in these parameters, attackers can traverse the directory structure and access files outside of the intended directory. Successful exploitation results in unauthorized access to sensitive information.
CVSS Score
7.5
EPSS Score
0.006
Published
2024-06-02
A Regular Expression Denial of Service (ReDoS) vulnerability exists in the lunary-ai/lunary application, version 1.2.10. An attacker can exploit this vulnerability by maliciously manipulating regular expressions, which can significantly impact the response time of the application and potentially render it completely non-functional. Specifically, the vulnerability can be triggered by sending a specially crafted request to the application, leading to a denial of service where the application crashes.
CVSS Score
7.5
EPSS Score
0.006
Published
2024-06-01
The wpForo Forum plugin for WordPress is vulnerable to SQL Injection via the 'slug' attribute of the 'wpforo' shortcode in all versions up to, and including, 2.3.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVSS Score
9.9
EPSS Score
0.005
Published
2024-06-01
The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's image hotspot, image accordion, off canvas, woogrid, and product mini cart widgets in all versions up to, and including, 1.3.975 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Score
6.4
EPSS Score
0.003
Published
2024-06-01


Contact Us

Shodan ® - All rights reserved