CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-8585 – LEARNING DIGITAL Orca HCM - Arbitrary File Download
https://notcve.org/view.php?id=CVE-2024-8585
09 Sep 2024 — Orca HCM from LEARNING DIGITA does not properly restrict a specific parameter of the file download functionality, allowing a remote attacker with regular privileges to download arbitrary system files. • https://www.twcert.org.tw/en/cp-139-8042-f9f26-2.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-8584 – LEARNING DIGITAL Orca HCM - Missing Authentication
https://notcve.org/view.php?id=CVE-2024-8584
09 Sep 2024 — Orca HCM from LEARNING DIGITAL does not properly restrict access to a specific functionality, allowing unauthenticated remote attacker to exploit this functionality to create an account with administrator privilege and subsequently use it to log in. Orca HCM from LEARNING DIGITAL has an Missing Authentication vulnerability, allowing unauthenticated remote attacker to exploit this functionality to create an account with administrator privilege and subsequently use it to log in. • https://www.twcert.org.tw/en/cp-139-8040-948ef-2.html • CWE-284: Improper Access Control CWE-306: Missing Authentication for Critical Function •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0CVE-2024-8327 – HWA JIUH DIGITAL TECHNOLOGY Easy test Online Learning and Testing Platform - SQL injection
https://notcve.org/view.php?id=CVE-2024-8327
30 Aug 2024 — Easy test Online Learning and Testing Platform from HWA JIUH DIGITAL TECHNOLOGY does not properly validate a specific page parameter, allowing remote attackers with regular privilege to inject arbitrary SQL commands to read, modify, and delete database contents. Easy test Online Learning and Testing Platform from HWA JIUH DIGITAL TECHNOLOGY does not properly validate a specific page parameter, allowing remote attackers with regular privilege to inject arbitrary SQL commands to read, modify, and delete datab... • https://www.twcert.org.tw/en/cp-139-8032-a3d5c-2.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-42905
https://notcve.org/view.php?id=CVE-2024-42905
28 Aug 2024 — Beijing Digital China Cloud Technology Co., Ltd. DCME-320 v.7.4.12.60 has a command execution vulnerability, which can be exploited to obtain device administrator privileges via the getVar function in the code/function/system/tool/ping.php file. • https://github.com/ZackSecurity/VulnerReport/blob/cve/DCN/1.md • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43162 – WordPress Easy Digital Downloads plugin <= 3.2.12 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2024-43162
07 Aug 2024 — Missing Authorization vulnerability in Easy Digital Downloads allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Digital Downloads: from n/a through 3.2.12. The Easy Digital Downloads – eCommerce Payments and Subscriptions made easy plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.2.12. This makes it possible for authenticated attackers, with Subscriber-level access a... • https://patchstack.com/database/vulnerability/easy-digital-downloads/wordpress-easy-digital-downloads-plugin-3-2-12-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •
CVSS: 8.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-22169 – Misconfiguration in node.js causing a code execution in WD Discovery
https://notcve.org/view.php?id=CVE-2024-22169
02 Aug 2024 — WD Discovery versions prior to 5.0.589 contain a misconfiguration in the Node.js environment settings that could allow code execution by utilizing the 'ELECTRON_RUN_AS_NODE' environment variable. Any malicious application operating with standard user permissions can exploit this vulnerability, enabling code execution within WD Discovery application's context. WD Discovery version 5.0.589 addresses this issue by disabling certain features and fuses in Electron. The attack vector for this issue requires the v... • https://www.westerndigital.com/support/product-security/wdc-24004-wd-discovery-desktop-app-version-5-0-589 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 10.0EPSS: 6%CPEs: 1EXPL: 3CVE-2024-5057 – WordPress Easy Digital Downloads plugin <= 3.2.12 - SQL Injection vulnerability
https://notcve.org/view.php?id=CVE-2024-5057
01 Aug 2024 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Easy Digital Downloads allows SQL Injection.This issue affects Easy Digital Downloads: from n/a through 3.2.12. The Easy Digital Downloads plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 3.2.12 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to ... • https://github.com/enter0x13/poc-CVE-2024-5057 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-38678 – WordPress Calendar.online / Kalender.digital – Plugin plugin <= 1.0.8 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-38678
10 Jul 2024 — Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Calendar.Online Calendar.Online / Kalender.Digital allows Stored XSS.This issue affects Calendar.Online / Kalender.Digital: from n/a through 1.0.8. Vulnerabilidad de neutralización incorrecta de la entrada durante la generación de páginas web (XSS o 'Cross-site Scripting') en Calendar.Online Calendar.Online / Kalender.Digital permite XSS almacenado. Este problema afecta a Calendar.Online / Kalender.D... • https://patchstack.com/database/vulnerability/kalender-digital/wordpress-calendar-online-kalender-digital-plugin-plugin-1-0-8-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2024-22168 – Cross-Site Scripting (XSS) vulnerability on Western Digital My Cloud and SanDisk ibi Web Apps
https://notcve.org/view.php?id=CVE-2024-22168
24 Jun 2024 — A Cross-Site Scripting (XSS) vulnerability on the My Cloud, My Cloud Home, SanDisk ibi, and WD Cloud web apps was found which could allow an attacker to redirect the user to a crafted domain and reset their credentials, or to execute arbitrary client-side code in the user’s browser session to carry out malicious activities.The web apps for these devices have been automatically updated to resolve this vulnerability and improve the security of your devices and data. • https://www.westerndigital.com/support/product-security/wdc-24003-western-digital-my-cloud-os-5-my-cloud-home-sandisk-ibi-and-wd-cloud-web-app-update • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-5514 – MinMax CMS - Hidden Functionality
https://notcve.org/view.php?id=CVE-2024-5514
30 May 2024 — MinMax CMS from MinMax Digital Technology contains a hidden administrator account with a fixed password that cannot be removed or disabled from the management interface. Remote attackers who obtain this account can bypass IP access control restrictions and log in to the backend system without being recorded in the system logs. MinMax CMS de MinMax Digital Technology contiene una cuenta de administrador oculta con una contraseña fija que no se puede eliminar ni deshabilitar desde la interfaz de administració... • https://www.twcert.org.tw/tw/cp-132-7828-c08b8-1.html • CWE-798: Use of Hard-coded Credentials CWE-912: Hidden Functionality •