High-Impact Vulnerabilities

Critical + High Exploit High EPSS

Vulnerabilities that meet all three criteria: Critical/High severity, known exploits, and high probability of exploitation (EPSS ≥ 10%).

CVE-2024-34351 6 months, 2 weeks ago

Next.js is a React framework that can provide building blocks to create web applications. A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions. If the `Host` header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself. The required conditions are 1) Next.js is running in a self-hosted manner; 2) the Next.js application makes use of Server Actions; and 3) the Server Action performs a redirect to a relative path which starts with a `/`. This vulnerability was fixed in Next.js `14.1.1`.

HIGH (7.5) EPSS: 91.8% 1 exploit
Next.js - Server Side Request…
CVE-2024-27198 6 months, 2 weeks ago

In JetBrains TeamCity before 2023.11.4, an authentication bypass allowed an attacker to perform admin actions.

CRITICAL (9.8) EPSS: 94.6% 1 exploit
TeamCity < 2023.11.4 - Authen…
CVE-2024-27199 6 months, 2 weeks ago

In JetBrains TeamCity before 2023.11.4, a path traversal allowed an attacker to perform limited admin actions.

HIGH (7.3) EPSS: 94.5% 1 exploit
TeamCity < 2023.11.4 - Authen…
CVE-2024-27954 6 months, 2 weeks ago

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WP Automatic Automatic allows Path Traversal, Server Side Request Forgery. This issue affects Automatic: from n/a through 3.92.0.

CRITICAL (9.3) EPSS: 93.3% 1 exploit
WordPress Automatic Plugin <3…
CVE-2024-27956 6 months, 2 weeks ago

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ValvePress Automatic allows SQL Injection. This issue affects Automatic: from n/a through 3.92.0.

CRITICAL (9.9) EPSS: 93.5% 1 exploit
WordPress Automatic Plugin <=…
CVE-2024-6670 6 months, 2 weeks ago

In WhatsUp Gold versions released before 2024.0.0, a SQL Injection vulnerability allows an unauthenticated attacker to retrieve the user's encrypted password.

CRITICAL (9.8) EPSS: 94.5% 1 exploit
WhatsUp Gold HasErrors SQL In…
CVE-2024-6028 6 months, 2 weeks ago

The Quiz Maker plugin for WordPress is vulnerable to time-based SQL Injection via the 'ays_questions' parameter in all versions up to, and including, 6.5.8.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CRITICAL (9.8) EPSS: 80.6% 1 exploit
Quiz Maker <= 6.5.8.3 - SQL I…
CVE-2024-6587 6 months, 2 weeks ago

A Server-Side Request Forgery (SSRF) vulnerability exists in berriai/litellm version 1.38.10. This vulnerability allows users to specify the `api_base` parameter when making requests to `POST /chat/completions`, causing the application to send the request to the domain specified by `api_base`. This request includes the OpenAI API key. A malicious user can set the `api_base` to their own domain and intercept the OpenAI API key, leading to unauthorized access and potential misuse of the API key.

HIGH (7.5) EPSS: 44.5% 1 exploit
LiteLLM - Server-Side Request…
CVE-2024-12849 6 months, 2 weeks ago

The Error Log Viewer By WP Guru plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.0.1.3 via the wp_ajax_nopriv_elvwp_log_download AJAX action. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.

HIGH (7.5) EPSS: 92.5% 1 exploit
Error Log Viewer By WP Guru <…
CVE-2024-12209 6 months, 2 weeks ago

The WP Umbrella: Update Backup Restore & Monitoring plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.17.0 via the 'filename' parameter of the 'umbrella-restore' action. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

CRITICAL (9.8) EPSS: 85.2% 1 exploit
WP Umbrella Update Backup Res…
CVE-2024-12356 6 months, 2 weeks ago

A critical vulnerability has been discovered in Privileged Remote Access (PRA) and Remote Support (RS) products which can allow an unauthenticated attacker to inject commands that are run as a site user.

CRITICAL (9.8) EPSS: 93.8% 1 exploit
Privileged Remote Access & Re…
CVE-2024-45388 6 months, 2 weeks ago

Hoverfly is a lightweight service virtualization / API simulation / API mocking tool for developers and testers. The `/api/v2/simulation` POST handler allows users to create new simulation views from the contents of a user-specified file. This feature can be abused by an attacker to read arbitrary files from the Hoverfly server. Note that, although the code prevents absolute paths from being specified, an attacker can escape out of the `hf.Cfg.ResponsesBodyFilesPath` base path by using `../` segments and reach any arbitrary files. This issue was found using the Uncontrolled data used in path expression CodeQL query for python. Users are advised to make sure the final path (`filepath.Join(hf.Cfg.ResponsesBodyFilesPath, filePath)`) is contained within the expected base path (`filepath.Join(hf.Cfg.ResponsesBodyFilesPath, "/")`). This issue is also tracked as GHSL-2023-274.

HIGH (7.5) EPSS: 91.5% 1 exploit
Hoverfly < 1.10.3 - Arbitrary…
CVE-2024-45293 6 months, 2 weeks ago

PHPSpreadsheet is a pure PHP library for reading and writing spreadsheet files. The security scanner responsible for preventing XXE attacks in the XLSX reader can be bypassed by slightly modifying the XML structure using whitespace. On servers that allow users to upload their own Excel (XLSX) sheets, server files and sensitive information can be disclosed by providing a crafted sheet. The security scan function in src/PhpSpreadsheet/Reader/Security/XmlScanner.php contains a flawed XML encoding check in the toUtf8 function, which retrieves the input file's XML encoding. The function searches for the XML encoding with a regex that looks for `encoding="*"` and/or `encoding='*'`; if no match is found, it defaults to UTF-8, which bypasses the conversion logic. This can be used to pass a UTF-7 encoded XXE payload by placing whitespace before or after the = in the attribute definition. The result is sensitive information disclosure through XXE on sites that allow users to upload their own Excel spreadsheets and parse them with PHPSpreadsheet's Excel parser. This issue has been addressed in release versions 1.29.1, 2.1.1, and 2.3.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.

HIGH (7.5) EPSS: 21.5% 1 exploit
TablePress < 2.4.3 - XXE Inje…
CVE-2024-29889 6 months, 2 weeks ago

GLPI is a Free Asset and IT Management Software package. Prior to 10.0.15, an authenticated user can exploit a SQL injection vulnerability in the saved searches feature to alter another user's account data and take control of it. This vulnerability is fixed in 10.0.15.

HIGH (7.1) EPSS: 53.7% 1 exploit
GLPI 10.0.10-10.0.14 - SQL In…
CVE-2024-29824 6 months, 2 weeks ago

An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.

CRITICAL (9.6) EPSS: 94.3% 1 exploit
Ivanti EPM - Remote Code Exec…
CVE-2024-29973 6 months, 2 weeks ago

** UNSUPPORTED WHEN ASSIGNED ** The command injection vulnerability in the “setCookie” parameter in Zyxel NAS326 firmware versions before V5.21(AAZF.17)C0 and NAS542 firmware versions before V5.21(ABAG.14)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request.

CRITICAL (9.8) EPSS: 93.7% 1 exploit
Zyxel NAS326 Firmware < V5.21…
CVE-2024-29972 6 months, 2 weeks ago

** UNSUPPORTED WHEN ASSIGNED ** The command injection vulnerability in the CGI program "remote_help-cgi" in Zyxel NAS326 firmware versions before V5.21(AAZF.17)C0 and NAS542 firmware versions before V5.21(ABAG.14)C0 could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request.

CRITICAL (9.8) EPSS: 91.5% 1 exploit
Zyxel NAS326 Firmware < V5.21…
CVE-2024-29059 6 months, 2 weeks ago

No description available

HIGH (7.5) EPSS: 93.7% 1 exploit
.NET Framework - Leaking ObjR…
CVE-2024-0352 6 months, 2 weeks ago

A vulnerability classified as critical was found in Likeshop up to 2.5.7.20210311. This vulnerability affects the function FileServer::userFormImage of the file server/application/api/controller/File.php of the component HTTP POST Request Handler. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-250120.

HIGH (7.3) EPSS: 91.2% 1 exploit
Likeshop < 2.5.7.20210311 - A…
CVE-2024-10924 6 months, 2 weeks ago

The Really Simple Security (Free, Pro, and Pro Multisite) plugins for WordPress are vulnerable to authentication bypass in versions 9.0.0 to 9.1.1.1. This is due to improper user check error handling in the two-factor REST API actions with the 'check_login_and_get_user' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, when the "Two-Factor Authentication" setting is enabled (disabled by default).

CRITICAL (9.8) EPSS: 93.6% 1 exploit
Really Simple Security < 9.1.…