CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-30842 – WordPress Christmas Panda plugin <= 1.0.4 - Cross Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2025-30842
27 Mar 2025 — Cross-Site Request Forgery (CSRF) vulnerability in pixolette Christmas Panda allows Cross Site Request Forgery. This issue affects Christmas Panda: from n/a through 1.0.4. The Christmas Panda plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.4. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action granted they can trick a site administrator into perfor... • https://patchstack.com/database/wordpress/plugin/christmas-panda/vulnerability/wordpress-christmas-panda-plugin-1-0-4-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-13043 – Panda Security Dome Link Following Local Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2024-13043
30 Dec 2024 — Panda Security Dome Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Panda Security Dome. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the Hotspot Shield. By creating a junction, an attacker can abuse the application to delete arbitrary files. • https://www.zerodayinitiative.com/advisories/ZDI-24-1727 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 7.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-7245 – Panda Security Dome VPN Incorrect Permission Assignment Local Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2024-7245
29 Jul 2024 — Panda Security Dome VPN Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Panda Security Dome. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the Hydra Sdk Windows Service. The issue lies in the lack of proper permissions set on a folder created by the service. • https://www.zerodayinitiative.com/advisories/ZDI-24-1015 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-7243 – Panda Security Dome Link Following Local Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2024-7243
29 Jul 2024 — Panda Security Dome Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Panda Security Dome. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the PSANHost executable. By creating a junction, an attacker can abuse the service to create arbitrary files. • https://www.zerodayinitiative.com/advisories/ZDI-24-1013 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-7244 – Panda Security Dome VPN DLL Hijacking Local Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2024-7244
29 Jul 2024 — Panda Security Dome VPN DLL Hijacking Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Panda Security Dome. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the VPN process. The process does not restrict DLL search to trusted paths, which can result in the loading of a malicious DLL. • https://www.zerodayinitiative.com/advisories/ZDI-24-1014 • CWE-427: Uncontrolled Search Path Element •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-7242 – Panda Security Dome Link Following Local Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2024-7242
29 Jul 2024 — Panda Security Dome Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Panda Security Dome. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the PSANHost executable. By creating a junction, an attacker can abuse the service to delete arbitrary files. • https://www.zerodayinitiative.com/advisories/ZDI-24-1017 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-7241 – Panda Security Dome Link Following Local Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2024-7241
29 Jul 2024 — Panda Security Dome Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Panda Security Dome. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the PSANHost service. By creating a junction, an attacker can abuse the service to create an arbitrary file. • https://www.zerodayinitiative.com/advisories/ZDI-24-1016 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2024-2565 – PandaXGO PandaX File Extension upload.go unrestricted upload
https://notcve.org/view.php?id=CVE-2024-2565
17 Mar 2024 — A vulnerability was found in PandaXGO PandaX up to 20240310. It has been classified as critical. Affected is an unknown function of the file /apps/system/router/upload.go of the component File Extension Handler. The manipulation of the argument file leads to unrestricted upload. It is possible to launch the attack remotely. • https://github.com/PandaXGO/PandaX/issues/5 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2024-2564 – PandaXGO PandaX user.go ExportUser path traversal
https://notcve.org/view.php?id=CVE-2024-2564
17 Mar 2024 — A vulnerability was found in PandaXGO PandaX up to 20240310 and classified as critical. This issue affects the function ExportUser of the file /apps/system/api/user.go. The manipulation of the argument filename leads to path traversal: '../filedir'. The attack may be initiated remotely. • https://github.com/PandaXGO/PandaX/issues/6 • CWE-24: Path Traversal: '../filedir' •
CVSS: 5.5EPSS: 1%CPEs: 1EXPL: 1CVE-2024-2563 – PandaXGO PandaX upload.go DeleteImage path traversal
https://notcve.org/view.php?id=CVE-2024-2563
17 Mar 2024 — A vulnerability has been found in PandaXGO PandaX up to 20240310 and classified as critical. This vulnerability affects the function DeleteImage of the file /apps/system/router/upload.go. The manipulation of the argument fileName with the input ../../../../../../../../../tmp/1.txt leads to path traversal: '../filedir'. • https://github.com/PandaXGO/PandaX/pull/3 • CWE-24: Path Traversal: '../filedir' •