This weekly blog post is from via our unique intelligence collection pipelines. We are your eyes and ears online, including the Dark Web.
There are thousands of vulnerability discussions each week. SOS Intelligence gathers a list of the most discussed Common Vulnerabilities and Exposures (CVE) online for the previous week.
We make every effort to ensure the accuracy of the data presented. As this is an automated process some errors may creep in.
If you are feeling generous please do make us aware of anything you spot, feel free to follow us on Twitter @sosintel and DM us. Thank you!
1. CVE-2024-10687
The Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal, Social Share Buttons plugin for WordPress is vulnerable to time-based SQL Injection via the $collectedIds parameter in all versions up to, and including, 24.0.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
https://nvd.nist.gov/vuln/detail/CVE-2024-10687
2. CVE-2024-21060
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Data Dictionary). Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
https://nvd.nist.gov/vuln/detail/CVE-2024-21060
3. CVE-2019-0708
A remote code execution vulnerability exists in Remote Desktop Services formerly known as Terminal Services when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka ‘Remote Desktop Services Remote Code Execution Vulnerability’.
https://nvd.nist.gov/vuln/detail/CVE-2019-0708
4. CVE-2024-35250
Windows Kernel-Mode Driver Elevation of Privilege Vulnerability
https://nvd.nist.gov/vuln/detail/CVE-2024-35250
5. CVE-2024-30084
Windows Kernel-Mode Driver Elevation of Privilege Vulnerability
https://nvd.nist.gov/vuln/detail/CVE-2024-30084
6. CVE-2024-26229
Windows CSC Service Elevation of Privilege Vulnerability
https://nvd.nist.gov/vuln/detail/CVE-2024-26229
7. CVE-2024-21341
Windows Kernel Remote Code Execution Vulnerability
https://nvd.nist.gov/vuln/detail/CVE-2024-21341
8. CVE-2024-21412
Internet Shortcut Files Security Feature Bypass Vulnerability
https://nvd.nist.gov/vuln/detail/CVE-2024-21412
9. CVE-2024-1071
The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to SQL Injection via the ‘sorting’ parameter in versions 2.1.3 to 2.8.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
https://nvd.nist.gov/vuln/detail/CVE-2024-1071
10. CVE-2019-8943
WordPress through 5.0.3 allows Path Traversal in wp_crop_image(). An attacker (who has privileges to crop an image) can write the output image to an arbitrary directory via a filename containing two image extensions and ../ sequences, such as a filename ending with the .jpg?/../../file.jpg substring.
https://nvd.nist.gov/vuln/detail/CVE-2019-8943