Security Vulnerabilities - CVEs Published In September 2024
The DN Popup WordPress plugin through 1.2.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack
CVSS Score
4.3
EPSS Score
0.001
Published
2024-09-02
The Flaming Forms WordPress plugin through 1.0.1 does not sanitise and escape some parameters, which could allow unauthenticated users to perform Cross-Site Scripting attacks against administrators.
CVSS Score
6.1
EPSS Score
0.005
Published
2024-09-02
The Flaming Forms WordPress plugin through 1.0.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
CVSS Score
6.1
EPSS Score
0.003
Published
2024-09-02
SQL Injection in download student learning course function of Easytest Online Test Platform ver.24E01 and earlier allow remote attackers to execute arbitrary SQL commands via the uid parameter.
CVSS Score
9.3
EPSS Score
0.005
Published
2024-09-02
SQL Injection in download class learning course function of Easytest Online Test Platform ver.24E01 and earlier allow remote attackers to execute arbitrary SQL commands via the cstr parameter.
CVSS Score
9.3
EPSS Score
0.005
Published
2024-09-02
SQL Injection in download personal learning course function of Easytest Online Test Platform ver.24E01 and earlier allow remote authenticated users to execute arbitrary SQL commands via the uid parameter.
CVSS Score
8.7
EPSS Score
0.005
Published
2024-09-02
SQL Injection in search course titles function of Easytest Online Test Platform ver.24E01 and earlier allow remote authenticated users to execute arbitrary SQL commands via the search parameter.
CVSS Score
8.7
EPSS Score
0.005
Published
2024-09-02
SQL Injection in mock exam function of Easytest Online Test Platform ver.24E01 and earlier allow remote authenticated users to execute arbitrary SQL commands via the qlevel parameter.
CVSS Score
8.7
EPSS Score
0.005
Published
2024-09-02
REDCap 14.7.0 allows HTML injection via the project title of a New Project action. This can lead to resultant logout CSRF via index.php?logout=1, and can also be used to insert a link to an external phishing website.
CVSS Score
6.1
EPSS Score
0.001
Published
2024-09-02
CodeAstro MembershipM-PHP (aka Membership Management System in PHP) 1.0 allows add_members.php fullname stored XSS.
CVSS Score
5.4
EPSS Score
0.002
Published
2024-09-02