CVSS: -EPSS: 0%CPEs: -EXPL: 0CVE-2024-26469
https://notcve.org/view.php?id=CVE-2024-26469
Server-Side Request Forgery (SSRF) vulnerability in Tunis Soft "Product Designer" (productdesigner) module for PrestaShop before version 1.178.36, allows remote attackers to cause a denial of service (DoS) and escalate privileges via the url parameter in the postProcess() method. • https://github.com/friends-of-presta/security-advisories/blob/main/_posts/2024-02-29-productdesigner-918.md •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-27103 – Querybook Stored Cross-Site Scripting allows Privilege Elevation
https://notcve.org/view.php?id=CVE-2024-27103
Querybook is a Big Data Querying UI. When a user searches for their queries, datadocs, tables and lists, the search result is marked and highlighted, and this feature uses dangerouslySetInnerHTML which means that if the highlighted result has an XSS payload it will trigger. While the input to dangerouslySetInnerHTML is not sanitized for the data inside of queries which leads to an XSS vulnerability. During the "query auto-suggestion" the name of the suggested tables are set with innerHTML which leads to the XSS vulnerability. A patch to rectify this issue has been introduced in Querybook version 3.31.2. • https://github.com/pinterest/querybook/commit/449bdc9e7d679e042c3718b7ed07d2ffa3c46a8f https://github.com/pinterest/querybook/security/advisories/GHSA-3hjm-9277-5c88 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2024-1632 – Incorrect access control in the Sitefinity backend
https://notcve.org/view.php?id=CVE-2024-1632
Low-privileged users with access to the Sitefinity backend may obtain sensitive information from the site's administrative area. • https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2024-1632-and-CVE-2024-1636-February-2024 https://www.progress.com/sitefinity-cms • CWE-284: Improper Access Control •
CVSS: 3.5EPSS: 0%CPEs: -EXPL: 0CVE-2024-26476
https://notcve.org/view.php?id=CVE-2024-26476
An issue in open-emr before v.7.0.2 allows a remote attacker to escalate privileges via a crafted script to the formid parameter in the ereq_form.php component. • https://github.com/c4v4r0n/Research/blob/main/openemr_BlindSSRF/README.md https://github.com/mpdf/mpdf/issues/867 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: -EPSS: 0%CPEs: -EXPL: 1CVE-2024-22983
https://notcve.org/view.php?id=CVE-2024-22983
SQL injection vulnerability in Projectworlds Visitor Management System in PHP v.1.0 allows a remote attacker to escalate privileges via the name parameter in the myform.php endpoint. • https://github.com/keru6k/CVE-2024-22983 http://projectworlds.com http://visitor.com https://github.com/keru6k/CVE-2024-22983/blob/main/CVE-2024-22983.md • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •