CVEs Today
Latest Information on Common Vulnerabilities and Exposures (CVEs)
Last updated: May 4, 2024. 19:20:30 UTC
ID | Description | Modified | References |
---|---|---|---|
CVE-2023-22655 | Protection mechanism failure in some 3rd and 4th Generation Intel(R) Xeon(R) Processors when using Intel(R) SGX or Intel(R) TDX may allow a privileged user to potentially enable escalation of privilege via local access. | May 4, 2024. 16:15:00 | [www.intel.com][security.netapp.com] |
CVE-2023-28746 | Information exposure through microarchitectural state after transient execution from some register files for some Intel(R) Atom(R) Processors may allow an authenticated user to potentially enable information disclosure via local access. | May 4, 2024. 16:15:00 | [www.intel.com][lists.fedoraproject.org] |
CVE-2023-38575 | Non-transparent sharing of return predictor targets between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access. | May 4, 2024. 16:15:00 | [www.intel.com][security.netapp.com] |
CVE-2023-39368 | Protection mechanism failure of bus lock regulator for some Intel(R) Processors may allow an unauthenticated user to potentially enable denial of service via network access. | May 4, 2024. 16:15:00 | [www.intel.com][security.netapp.com] |
CVE-2023-43490 | Incorrect calculation in microcode keying mechanism for some Intel(R) Xeon(R) D Processors with Intel(R) SGX may allow a privileged user to potentially enable information disclosure via local access. | May 4, 2024. 16:15:00 | [www.intel.com][security.netapp.com] |
CVE-2023-27283 | IBM Aspera Orchestrator 4.0.1 could allow a remote attacker to enumerate usernames due to observable response discrepancies. IBM X-Force ID: 248545. | May 4, 2024. 14:16:00 | [www.ibm.com][exchange.xforce.ibmcloud.com] |
CVE-2024-27268 | IBM WebSphere Application Server Liberty 18.0.0.2 through 24.0.0.3 is vulnerable to a denial of service, caused by sending a specially crafted request. A remote attacker could exploit this vulnerability to cause the server to consume memory resources. IBM X-Force ID: 284574. | May 4, 2024. 14:16:00 | [www.ibm.com][exchange.xforce.ibmcloud.com] |
CVE-2023-7065 | The Stop Spammers Security \| Block Spam Users, Comments, Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2024.4. This is due to missing or incorrect nonce validation on the sfs_process AJAX action. This makes it possible for unauthenticated attackers to add arbitrary IPs to the plugin's allowlist and blocklist via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | May 4, 2024. 08:15:00 | [www.wordfence.com][plugins.trac.wordpress.org] |
CVE-2024-1050 | The Import and export users and customers plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_force_reset_password_delete_metas() function in all versions up to, and including, 1.26.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete all forced password resets. | May 4, 2024. 08:15:00 | [www.wordfence.com][plugins.trac.wordpress.org] |
CVE-2024-34460 | The Tree Explorer tool from Organizer in Zenario before 9.5.60602 is affected by XSS. (This component was removed in 9.5.60602.) | May 4, 2024. 05:15:00 | [zenar.io] |
CVE-2024-34461 | Zenario before 9.5.60437 uses Twig filters insecurely in the Twig Snippet plugin, and in the site-wide HEAD and BODY elements, enabling code execution by a designer or an administrator. | May 4, 2024. 05:15:00 | [zenar.io] |
CVE-2024-3237 | The ConvertPlug plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the cp_dismiss_notice() function in all versions up to, and including, 3.5.25. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary option values to true. | May 4, 2024. 04:15:00 | [www.wordfence.com][www.convertplug.com] |
CVE-2024-3240 | The ConvertPlug plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.5.25 via deserialization of untrusted input from the 'settings_encoded' attribute of the 'smile_info_bar' shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. | May 4, 2024. 04:15:00 | [www.wordfence.com][www.convertplug.com] |
CVE-2023-28755 | A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1. | May 4, 2024. 03:15:00 | [github.com][www.ruby-lang.org] |
CVE-2023-36617 | A ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The URI parser mishandles invalid URLs that have specific characters. There is an increase in execution time for parsing strings to URI objects with rfc2396_parser.rb and rfc3986_parser.rb. NOTE: this issue exists because of an incomplete fix for CVE-2023-28755. Version 0.10.3 is also a fixed version. | May 4, 2024. 03:15:00 | [www.ruby-lang.org][security.netapp.com] |
CVE-2023-38709 | Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses. This issue affects Apache HTTP Server: through 2.4.58. | May 4, 2024. 03:15:00 | [httpd.apache.org][security.netapp.com] |
CVE-2024-24795 | HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack. Users are recommended to upgrade to version 2.4.59, which fixes this issue. | May 4, 2024. 03:15:00 | [httpd.apache.org][security.netapp.com] |
CVE-2024-3868 | The Folders Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a user's First Name and Last Name in all versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | May 4, 2024. 03:15:00 | [www.wordfence.com][premio.io] |
CVE-2024-4331 | Use after free in Picture In Picture in Google Chrome prior to 124.0.6367.118 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | May 4, 2024. 02:15:00 | [chromereleases.googleblog.com][issues.chromium.org] |
CVE-2024-4368 | Use after free in Dawn in Google Chrome prior to 124.0.6367.118 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | May 4, 2024. 02:15:00 | [chromereleases.googleblog.com][issues.chromium.org] |