
CVSS: 7.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Lab WP-Lister Lite for Amazon allows Reflected XSS. This issue affects WP-Lister Lite for Amazon: from n/a through 2.6.8. The WP-Lister Lite for Amazon plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 2.6.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into pages; the scripts execute if the attacker can trick a user into performing an action such as clicking on a crafted link.
• https://patchstack.com/database/vulnerability/wp-lister-for-amazon/wordpress-wp-lister-lite-for-amazon-plugin-2-6-8-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.3 | EPSS: 0% | CPEs: 2 | EXPL: 0

AWS Encryption SDK for Java versions 2.0.0 through 2.2.0, and versions earlier than 1.9.0, incorrectly validate some invalid ECDSA signatures, accepting them as valid.
• https://github.com/advisories/GHSA-55xh-53m6-936r https://github.com/aws/aws-encryption-sdk-java/security/advisories/GHSA-55xh-53m6-936r https://vulncheck.com/advisories/vc-advisory-GHSA-55xh-53m6-936r • CWE-347: Improper Verification of Cryptographic Signature •

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

Amazon Ion is a Java implementation of the Ion data notation. Prior to version 1.10.5, a potential denial-of-service issue exists in `ion-java` for applications that use `ion-java` to deserialize Ion text encoded data, or deserialize Ion text or binary encoded data into the `IonValue` model and then invoke certain `IonValue` methods on that in-memory representation. An actor could craft Ion data that, when loaded by the affected application and/or processed using the `IonValue` model, results in a `StackOverflowError` originating from the `ion-java` library. The patch is included in `ion-java` 1.10.5. As a workaround, do not load data which originated from an untrusted source or that could have been tampered with.
• https://github.com/amazon-ion/ion-java/security/advisories/GHSA-264p-99wq-f4j6 https://access.redhat.com/security/cve/CVE-2024-21634 https://bugzilla.redhat.com/show_bug.cgi?id=2304311 • CWE-770: Allocation of Resources Without Limits or Throttling •

CVSS: 7.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

Sandbox Accounts for Events provides multiple, temporary AWS accounts to a number of authenticated users simultaneously via a browser-based GUI. Authenticated users could read data from the events table by sending request payloads to the events API, collecting information on planned events, timeframes, budgets and owner email addresses. This data access may allow users to learn about upcoming events and join events to which they have not been invited. This issue has been patched in version 1.10.0.
• https://github.com/awslabs/sandbox-accounts-for-events/commit/f30a0662f0a28734eb33c5868cccc1c319eb6e79 https://github.com/awslabs/sandbox-accounts-for-events/security/advisories/GHSA-p7w3-j66h-m7mx • CWE-269: Improper Privilege Management •

CVSS: 6.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

AWS SDK for PHP is the Amazon Web Services software development kit for PHP. Within the scope of requests to S3 object keys and/or prefixes containing a Unix double-dot, a URI path traversal is possible. The issue exists in the `buildEndpoint` method in the RestSerializer component of the AWS SDK for PHP v3 prior to 3.288.1. The `buildEndpoint` method relies on the Guzzle Psr7 UriResolver utility, which strips dot segments from the request path in accordance with RFC 3986. S3 object keys are opaque strings that may legitimately contain `.` and `..` segments, so normalizing the path changes which object the request names. Under certain conditions, this could lead to an arbitrary object being accessed.
• https://github.com/aws/aws-sdk-php/commit/aebc9f801438746ac4ade327551576cb75f635f2 https://github.com/aws/aws-sdk-php/releases/tag/3.288.1 https://github.com/aws/aws-sdk-php/security/advisories/GHSA-557v-xcg6-rm5m • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
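The mechanism in this entry, shown as an added example that is neither AWS SDK for PHP nor Guzzle code: an RFC 3986 `remove_dot_segments` step applied to a path that embeds an S3 object key, a path-style request builder that runs it (`build_endpoint`, `remove_dot_segments` and the other names below are this example's own), a check that flags keys the normalization would alter, and one illustrative mitigation, percent-encoding the dots of `.`/`..` segments so the resolver no longer treats them as dot segments. That mitigation is the author's illustration, not a description of the SDK's actual patch in 3.288.1; the S3 keys and bucket are constructed.

```python
"""Added example (not SDK code): RFC 3986 dot-segment removal versus opaque S3 keys."""
from urllib.parse import quote

DOT_SEGMENTS = (".", "..")


def remove_dot_segments(path: str) -> str:
    """RFC 3986 section 5.2.4 normalization as a generic URI resolver applies it.

    '/a/b/../c' -> '/a/c'; a trailing '/.' or '/..' leaves a trailing slash.
    """
    out = []
    for seg in path.split("/"):
        if seg == ".":
            continue
        if seg == "..":
            if out and out[-1] != "":   # never pop past the root
                out.pop()
            continue
        out.append(seg)
    result = "/".join(out)
    if path.endswith(("/.", "/..")) and not result.endswith("/"):
        result += "/"
    return result


def encode_dot_segments(encoded_key: str) -> str:
    """Mitigation (illustrative assumption, not the SDK's fix): rewrite '.' and '..'
    segments of an already percent-encoded key as '%2E' and '%2E%2E'. S3 decodes
    them back to the literal key; a resolver no longer sees dot segments."""
    return "/".join("%2E" * len(seg) if seg in DOT_SEGMENTS else seg
                    for seg in encoded_key.split("/"))


def build_endpoint(bucket: str, key: str, *, normalize: bool = True,
                   hardened: bool = False) -> str:
    """Path-style request path '/<bucket>/<key>' (assumed addressing style).

    normalize=True models a resolver that strips dot segments from the path;
    hardened=True applies encode_dot_segments before the resolver runs.
    """
    encoded = quote(key, safe="/")           # '/' stays, everything else is escaped
    if hardened:
        encoded = encode_dot_segments(encoded)
    path = f"/{bucket}/{encoded}"
    return remove_dot_segments(path) if normalize else path


def key_has_dot_segments(key: str) -> bool:
    """Pre-flight check: would a dot-segment-stripping resolver rewrite this key?"""
    return any(seg in DOT_SEGMENTS for seg in key.split("/"))


if __name__ == "__main__":
    # Constructed key: an application that scopes uploads under a per-user prefix
    # and forwards the caller-supplied remainder into the key.
    key = "uploads/user1/../user2/secret.txt"
    print("intended key     :", key)
    print("flagged          :", key_has_dot_segments(key))
    print("vulnerable path  :", build_endpoint("acme-data", key))
    print("hardened path    :", build_endpoint("acme-data", key, hardened=True))
```

The vulnerable path addresses `uploads/user2/secret.txt`, an object the caller was never meant to name; the hardened path still carries the literal key. Whether or not the client library is patched, a server-side check such as `key_has_dot_segments` on any caller-influenced key is cheap insurance, and the usual prefix-scoping of S3 IAM policies (`s3:prefix`, `Resource` ARNs ending in `/uploads/user1/*`) only helps if the key that reaches S3 is the one the policy was written against.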