New tests released based on submissions by our Detectify Crowdsource hackers:
- CVE-2024-9014: pgAdmin4 Insufficiently Protected Credentials [9.5 / Critical]
- CVE-2024-46938: Sitecore Experience Platform Arbitrary File Read [7.5 / High]
- CVE-2024-38819: Spring Path Traversal in functional web frameworks [7.5 / High]
- CVE-2024-38816: Spring Path Traversal in functional web frameworks [7.5 / High]
- CVE-2024-10914: D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L Command Injection via Name Parameter [9.2 / Critical]
- CVE-2024-0012: PAN-OS Management Web Interface Authentication Bypass [9.3 / Critical]
- ServiceNow HTML Injection [3.5 / Low]
- Retool DOM XSS [6.5 / Medium]
Submissions added by Detectify staff:
- CVE-2024-7332: TOTOLINK Hard-coded Credentials [9.8 / Critical]
- CVE-2024-7029: AVTECH IP Camera RCE [8.7 / High]
- CVE-2024-5522: WordPress Plugin "html5-video-player" (HTML5 Video Player) SQL Injection [6.5 / Medium]
- CVE-2024-36104: Apache OFBiz RCE [9.8 / Critical]
- CVE-2024-27956: WordPress Plugin "WP Automatic" (wp-automatic) SQL Injection [9.9 / Critical]
- CVE-2024-27954: WordPress Plugin "WP Automatic" (wp-automatic) Path Traversal & SSRF [9.3 / Critical]
- CVE-2024-25735: WyreStorm Apollo VX20 Information Disclosure [9.1 / Critical]
- CVE-2024-24131: SuperWebMailer Reflected XSS [6.1 / Medium]
- CVE-2024-1380: WordPress Plugin "Relevanssi – A Better Search" (relevanssi) Missing Authorization on Query Log Export [5.3 / Medium]
- CVE-2024-10915: D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L Command Injection via Group Parameter [9.8 / Critical]
- CVE-2024-1061: WordPress Plugin "html5-video-player" (HTML5 Video Player) SQL Injection [8.6 / High]
- CVE-2024-10486: WordPress Plugin "Google for WooCommerce" Information Disclosure [5.3 / Medium]
- CVE-2023-6553: WordPress Plugin "Backup Migration" (backup-backup) RCE [9.8 / Critical]
- CVE-2023-28662: WordPress Plugin "Gift Cards (Gift Vouchers and Packages)" (gift-voucher) SQL Injection [9.8 / Critical]
- CVE-2023-23489: WordPress Plugin "Easy Digital Downloads" (easy-digital-downloads) Blind SQL Injection [9.8 / Critical]
- CVE-2023-23488: WordPress Plugin "Paid Memberships Pro" (paid-memberships-pro) Blind SQL Injection [9.8 / Critical]
- CVE-2021-21800: Advantech R-SeeNet 2.4.12 XSS [6.1 / Medium]
- CVE-2021-21799: Advantech R-SeeNet 2.4.12 XSS [6.1 / Medium]
- CVE-2020-13937: Apache Kylin Configuration File Exposure [5.3 / Medium]
- WordPress Plugin "Paid Memberships Pro" (paid-memberships-pro) Blind SQL Injection [9.8 / Critical]
Improved tests to reduce false negatives