CVSS: 6.9EPSS: 0%CPEs: 1EXPL: 1CVE-2024-7106 – Spina CMS media_folders cross-site request forgery
https://notcve.org/view.php?id=CVE-2024-7106
A vulnerability classified as problematic was found in Spina CMS 2.18.0. Affected by this vulnerability is an unknown functionality of the file /admin/media_folders. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. • https://github.com/topsky979/Security-Collections/blob/main/cve3/README.md https://vuldb.com/?ctiid.272431 https://vuldb.com/?id.272431 https://vuldb.com/?submit.376769 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-41800 – Craft CMS Allows TOTP Token To Stay Valid After Use
https://notcve.org/view.php?id=CVE-2024-41800
Craft is a content management system (CMS). Craft CMS 5 allows reuse of TOTP tokens multiple times within the validity period. An attacker is able to re-submit a valid TOTP token to establish an authenticated session. This requires that the attacker has knowledge of the victim's credentials. This has been patched in Craft 5.2.3. • https://github.com/craftcms/cms/commit/7c790fa5ad5a8cb8016cb6793ec3554c4c079e38 https://github.com/craftcms/cms/releases/tag/5.2.3 https://github.com/craftcms/cms/security/advisories/GHSA-wmx7-pw49-88jx https://github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV-20240617-01_CraftCMS_TOTP_Valid_After_Use • CWE-287: Improper Authentication •
CVSS: 6.9EPSS: 0%CPEs: 19EXPL: 1CVE-2024-7065 – Spina CMS cross-site request forgery
https://notcve.org/view.php?id=CVE-2024-7065
A vulnerability was found in Spina CMS up to 2.18.0. It has been classified as problematic. Affected is an unknown function of the file /admin/pages/. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. • https://github.com/topsky979/Security-Collections/blob/main/1700810/README.md https://vuldb.com/?ctiid.272346 https://vuldb.com/?id.272346 https://vuldb.com/?submit.375236 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 1.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-36119 – Password confirmation stored in plain text via registration form in statamic/cms
https://notcve.org/view.php?id=CVE-2024-36119
Statamic is a, Laravel + Git powered CMS designed for building websites. In affected versions users registering via the `user:register_form` tag will have their password confirmation stored in plain text in their user file. This only affects sites matching **all** of the following conditions: 1. Running Statamic versions between 5.3.0 and 5.6.1. (This version range represents only one calendar week), 2. • https://dev.to/balogh08/cleaning-your-git-history-safely-removing-sensitive-data-10i5 https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository https://github.com/statamic/cms/commit/0b804306c96c99b81755d5bd02df87ddf392853e https://github.com/statamic/cms/security/advisories/GHSA-qvpj-w7xj-r6w9 • CWE-312: Cleartext Storage of Sensitive Information •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 4CVE-2024-3311 – Dreamer CMS ThemesController.java ZipUtils.unZipFiles path traversal
https://notcve.org/view.php?id=CVE-2024-3311
A vulnerability was found in Dreamer CMS up to 4.1.3.0. It has been declared as critical. Affected by this vulnerability is the function ZipUtils.unZipFiles of the file controller/admin/ThemesController.java. The manipulation leads to path traversal. The attack can be launched remotely. • https://github.com/FaLLenSKiLL1/CVE-2024-33113 https://github.com/FaLLenSKiLL1/CVE-2024-33111 https://github.com/tekua/CVE-2024-33113 https://gitee.com/iteachyou/dreamer_cms/releases/tag/Latest_Stable_Release_4.1.3.1 https://gitee.com/y1336247431/poc-public/issues/I9BA5R https://vuldb.com/?ctiid.259369 https://vuldb.com/?id.259369 https://vuldb.com/?submit.303874 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •