CyberSecurityBoard
Sponsor Register Login

CVE-2024-1538

The File Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 7.2.4. This is due to missing or incorrect nonce validation on the wp_file_manager page that includes files through the 'lang' parameter. This makes it possible for unauthenticated attackers to include local JavaScript files that can be leveraged to achieve RCE via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This issue was partially patched in version 7.2.4, and fully patched in 7.2.5.

Publication date: Thu, 21 Mar 2024 09:15:00 +0000


Cyber News related to CVE-2024-1538

AWS LetsEncrypt Lambda: Custom TLS Provider - DZone - Trying to renew ... INFO[0000] Checking certificate for domain 'hackernoon.referrs.me' with arn 'arn:aws:acm:us-east-2:004867756392:certificate/72f872fd-e577-43f4-ae38-6833962630af' INFO[0000] Certificate status is 'ISSUED' INFO[0000] Certificate in ...
8 months ago Feeds.dzone.com
Vulnerability Summary for the Week of March 11, 2024 - Published 2024-03-15 CVSS Score not yet calculated Source & Patch Info CVE-2021-47111416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67 PrimaryVendor - Product linux - linux Description In the ...
1 year ago Cisa.gov
Vulnerability Summary for the Week of March 4, 2024 - Published 2024-03-06 CVSS Score not yet calculated Source & Patch Info CVE-2023-52584416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67416baaa9-dc9f-4396-8d5f-8c081fb06d67 PrimaryVendor - ...
1 year ago Cisa.gov
CVE-2024-42114 - In the Linux kernel, the following vulnerability has been resolved: ...
8 months ago
CVE-2024-37051 - GitHub access token could be exposed to third-party sites in JetBrains IDEs after version 2023.1 and less than: IntelliJ IDEA 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3; Aqua 2024.1.2; CLion 2023.1.7, 2023.2.4, 2023.3.5, 2024.1.3, 2024.2 ...
1 year ago Tenable.com
CVE-2024-1538 - The File Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 7.2.4. This is due to missing or incorrect nonce validation on the wp_file_manager page that includes files through the ...
1 year ago
CVE-2015-6575 - SampleTable.cpp in libstagefright in Android before 5.1.1 LMY48I does not properly consider integer promotion, which allows remote attackers to execute arbitrary code or cause a denial of service (integer overflow and memory corruption) via crafted ...
9 years ago
CVE-2020-1538 - An elevation of privilege vulnerability exists when the Windows UPnP Device Host improperly handles memory.To exploit this vulnerability, an attacker would first have to gain execution on the victim system, aka 'Windows UPnP Device Host Elevation ...
3 years ago
CVE-2015-4496 - Multiple integer overflows in libstagefright in Mozilla Firefox before 38.0 allow remote attackers to execute arbitrary code via crafted sample metadata in an MPEG-4 video file, a related issue to CVE-2015-1538. ...
8 years ago
CVE-2015-1538 - Integer overflow in the SampleTable::setSampleToChunkParams function in SampleTable.cpp in libstagefright in Android before 5.1.1 LMY48I allows remote attackers to execute arbitrary code via crafted atoms in MP4 data that trigger an unchecked ...
7 years ago
CVE-2001-1538 - SpeedXess HA-120 DSL router has a default administrative password of "speedxess", which allows remote attackers to gain access. ...
16 years ago
CVE-2002-1538 - Acuma Acusend 4, and possibly earlier versions, allows remote authenticated users to read the reports of other users by inferring the full URL, whose name is easily predictable. ...
16 years ago
CVE-2003-1538 - susehelp in SuSE Linux 8.1, Enterprise Server 8, Office Server, and Openexchange Server 4 does not properly filter shell metacharacters, which allows remote attackers to execute arbitrary commands via CGI queries. ...
16 years ago
CVE-2011-1538 - Open redirect vulnerability in HP Proliant Support Pack (PSP) before 8.7 allows remote authenticated users to redirect other users to arbitrary web sites and conduct phishing attacks via unspecified vectors. ...
13 years ago
CVE-2013-1538 - Unspecified vulnerability in the Network Layer component in Oracle Database Server 11.2.0.2 and 11.2.0.3 allows remote attackers to affect availability via unknown vectors. ...
11 years ago
CVE-1999-1538 - When IIS 2 or 3 is upgraded to IIS 4, ism.dll is inadvertently left in /scripts/iisadmin, which does not restrict access to the local machine and allows an unauthorized user to gain access to sensitive server information, including the ...
8 years ago
CVE-2004-1538 - SQL injection vulnerability in include.php in PHPKIT 1.6.03 through 1.6.1 allows remote attackers to execute arbitrary SQL commands via the id parameter. ...
7 years ago
CVE-2010-1538 - SQL injection vulnerability in print_raincheck.php in phpRAINCHECK 1.0.1 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter. ...
7 years ago
CVE-2017-1538 - IBM Financial Transaction Manager for ACH Services for Multi-Platform 3.0.2 could allow an authenticated user to obtain sensitive information from an undocumented URL. IBM X-Force ID: 130735. ...
7 years ago
CVE-2014-1538 - Use-after-free vulnerability in the nsTextEditRules::CreateMozBR function in Mozilla Firefox before 30.0, Firefox ESR 24.x before 24.6, and Thunderbird before 24.6 allows remote attackers to execute arbitrary code or cause a denial of service (heap ...
7 years ago
CVE-2007-1538 - ** DISPUTED ** McAfee VirusScan Enterprise 8.5.0.i uses insecure permissions for certain Windows Registry keys, which allows local users to bypass local password protection via the UIP value in (1) ...
1 year ago
CVE-2006-1538 - The Enova X-Wall ASIC encrypts with a key obtained via Microwire from a serial EEPROM that stores the key in cleartext, which allows local users with physical access to obtain the key by reading and duplicating an EEPROM that is located on a hardware ...
6 years ago
CVE-2009-1538 - The QuickTime Movie Parser Filter in quartz.dll in DirectShow in Microsoft DirectX 7.0 through 9.0c on Windows 2000 SP4, Windows XP SP2 and SP3, and Windows Server 2003 SP2 performs updates to pointers without properly validating unspecified data ...
6 years ago
CVE-2008-1538 - Cross-site scripting (XSS) vulnerability in searchAction.do in ManageEngine EventLog Analyzer 5 allows remote attackers to inject arbitrary web script or HTML via the searchText parameter. NOTE: the provenance of this information is unknown; the ...
5 years ago
CVE-2012-1538 - Use-after-free vulnerability in Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code via a crafted web site, aka "CFormElement Use After Free Vulnerability." ...
4 years ago

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)