Patch Tuesday — November 2024
2024-11-12 · 1048 CVEs
CVEs published or modified the week of 2024-11-12, partitioned by vendor.
Microsoft (134 CVEs)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-43602 | Critical | 9.9 | — | 2024-11-12 | Azure CycleCloud Remote Code Execution Vulnerability |
CVE-2022-1884 | Critical | 9.8 | — | 2024-11-15 | A remote command execution vulnerability exists in gogs/gogs versions <=0.12.7 when deployed on a Windows server. |
CVE-2024-43639 | Critical | 9.8 | — | 2024-11-12 | Windows KDC Proxy Remote Code Execution Vulnerability |
CVE-2024-43498 | Critical | 9.8 | — | 2024-11-12 | .NET and Visual Studio Remote Code Execution Vulnerability |
CVE-2024-49060 | High | 8.8 | — | 2024-11-15 | Azure Stack HCI Elevation of Privilege Vulnerability |
CVE-2024-11112 | High | 8.8 | — | 2024-11-12 | Use after free in Media in Google Chrome on Windows prior to 131.0.6778.69 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. |
CVE-2024-49050 | High | 8.8 | — | 2024-11-12 | Visual Studio Code Python Extension Remote Code Execution Vulnerability |
CVE-2024-49039 | High | 8.8 | KEV | 2024-11-12 | Windows Task Scheduler Elevation of Privilege Vulnerability |
CVE-2024-49018 | High | 8.8 | — | 2024-11-12 | SQL Server Native Client Remote Code Execution Vulnerability |
CVE-2024-49017 | High | 8.8 | — | 2024-11-12 | SQL Server Native Client Remote Code Execution Vulnerability |
CVE-2024-49016 | High | 8.8 | — | 2024-11-12 | SQL Server Native Client Remote Code Execution Vulnerability |
CVE-2024-49015 | High | 8.8 | — | 2024-11-12 | SQL Server Native Client Remote Code Execution Vulnerability |
CVE-2024-49014 | High | 8.8 | — | 2024-11-12 | SQL Server Native Client Remote Code Execution Vulnerability |
CVE-2024-49013 | High | 8.8 | — | 2024-11-12 | SQL Server Native Client Remote Code Execution Vulnerability |
CVE-2024-49012 | High | 8.8 | — | 2024-11-12 | SQL Server Native Client Remote Code Execution Vulnerability |
CVE-2024-49011 | High | 8.8 | — | 2024-11-12 | SQL Server Native Client Remote Code Execution Vulnerability |
CVE-2024-49010 | High | 8.8 | — | 2024-11-12 | SQL Server Native Client Remote Code Execution Vulnerability |
CVE-2024-49009 | High | 8.8 | — | 2024-11-12 | SQL Server Native Client Remote Code Execution Vulnerability |
CVE-2024-49008 | High | 8.8 | — | 2024-11-12 | SQL Server Native Client Remote Code Execution Vulnerability |
CVE-2024-49007 | High | 8.8 | — | 2024-11-12 | SQL Server Native Client Remote Code Execution Vulnerability |
CVE-2024-49006 | High | 8.8 | — | 2024-11-12 | SQL Server Native Client Remote Code Execution Vulnerability |
CVE-2024-49005 | High | 8.8 | — | 2024-11-12 | SQL Server Native Client Remote Code Execution Vulnerability |
CVE-2024-49004 | High | 8.8 | — | 2024-11-12 | SQL Server Native Client Remote Code Execution Vulnerability |
CVE-2024-49003 | High | 8.8 | — | 2024-11-12 | SQL Server Native Client Remote Code Execution Vulnerability |
CVE-2024-49002 | High | 8.8 | — | 2024-11-12 | SQL Server Native Client Remote Code Execution Vulnerability |
CVE-2024-49001 | High | 8.8 | — | 2024-11-12 | SQL Server Native Client Remote Code Execution Vulnerability |
CVE-2024-49000 | High | 8.8 | — | 2024-11-12 | SQL Server Native Client Remote Code Execution Vulnerability |
CVE-2024-48999 | High | 8.8 | — | 2024-11-12 | SQL Server Native Client Remote Code Execution Vulnerability |
CVE-2024-48998 | High | 8.8 | — | 2024-11-12 | SQL Server Native Client Remote Code Execution Vulnerability |
CVE-2024-48997 | High | 8.8 | — | 2024-11-12 | SQL Server Native Client Remote Code Execution Vulnerability |
CVE-2024-48996 | High | 8.8 | — | 2024-11-12 | SQL Server Native Client Remote Code Execution Vulnerability |
CVE-2024-48995 | High | 8.8 | — | 2024-11-12 | SQL Server Native Client Remote Code Execution Vulnerability |
CVE-2024-48994 | High | 8.8 | — | 2024-11-12 | SQL Server Native Client Remote Code Execution Vulnerability |
CVE-2024-48993 | High | 8.8 | — | 2024-11-12 | SQL Server Native Client Remote Code Execution Vulnerability |
CVE-2024-43635 | High | 8.8 | — | 2024-11-12 | Windows Telephony Service Remote Code Execution Vulnerability |
CVE-2024-43628 | High | 8.8 | — | 2024-11-12 | Windows Telephony Service Remote Code Execution Vulnerability |
CVE-2024-43627 | High | 8.8 | — | 2024-11-12 | Windows Telephony Service Remote Code Execution Vulnerability |
CVE-2024-43624 | High | 8.8 | — | 2024-11-12 | Windows Hyper-V Shared Virtual Disk Elevation of Privilege Vulnerability |
CVE-2024-43622 | High | 8.8 | — | 2024-11-12 | Windows Telephony Service Remote Code Execution Vulnerability |
CVE-2024-43621 | High | 8.8 | — | 2024-11-12 | Windows Telephony Service Remote Code Execution Vulnerability |
CVE-2024-43620 | High | 8.8 | — | 2024-11-12 | Windows Telephony Service Remote Code Execution Vulnerability |
CVE-2024-43462 | High | 8.8 | — | 2024-11-12 | SQL Server Native Client Remote Code Execution Vulnerability |
CVE-2024-43459 | High | 8.8 | — | 2024-11-12 | SQL Server Native Client Remote Code Execution Vulnerability |
CVE-2024-38255 | High | 8.8 | — | 2024-11-12 | SQL Server Native Client Remote Code Execution Vulnerability |
CVE-2024-11114 | High | 8.3 | — | 2024-11-12 | Inappropriate implementation in Views in Google Chrome on Windows prior to 131.0.6778.69 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. |
CVE-2024-39726 | High | 8.2 | — | 2024-11-15 | IBM Engineering Lifecycle Optimization - Engineering Insights 7.0.2 and 7.0.3 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. |
CVE-2024-49048 | High | 8.1 | — | 2024-11-12 | TorchGeo Remote Code Execution Vulnerability |
CVE-2024-43625 | High | 8.1 | — | 2024-11-12 | Microsoft Windows VMSwitch Elevation of Privilege Vulnerability |
CVE-2024-43598 | High | 8.1 | — | 2024-11-12 | LightGBM Remote Code Execution Vulnerability |
CVE-2024-43447 | High | 8.1 | — | 2024-11-12 | Windows SMBv3 Server Remote Code Execution Vulnerability |
CVE-2024-46465 | High | 7.8 | — | 2024-11-15 | By default, dedicated folders of CRYHOD for Windows up to 2024.3 can be accessed by other users to misuse technical files and make them perform tasks with higher privileges. |
CVE-2024-49509 | High | 7.8 | — | 2024-11-12 | InDesign Desktop versions ID18.5.3, ID19.5 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2024-49508 | High | 7.8 | — | 2024-11-12 | InDesign Desktop versions ID18.5.2, ID19.5 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2024-49507 | High | 7.8 | — | 2024-11-12 | InDesign Desktop versions ID18.5.2, ID19.5 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2024-47452 | High | 7.8 | — | 2024-11-12 | Illustrator versions 28.7.1 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2024-47451 | High | 7.8 | — | 2024-11-12 | Illustrator versions 28.7.1 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2024-47450 | High | 7.8 | — | 2024-11-12 | Illustrator versions 28.7.1 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2024-47443 | High | 7.8 | — | 2024-11-12 | After Effects versions 23.6.9, 24.6.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2024-47442 | High | 7.8 | — | 2024-11-12 | After Effects versions 23.6.9, 24.6.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2024-47441 | High | 7.8 | — | 2024-11-12 | After Effects versions 23.6.9, 24.6.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2024-45114 | High | 7.8 | — | 2024-11-12 | Illustrator versions 28.7.1 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2024-49051 | High | 7.8 | — | 2024-11-12 | Microsoft PC Manager Elevation of Privilege Vulnerability |
CVE-2024-49046 | High | 7.8 | — | 2024-11-12 | Windows Win32 Kernel Subsystem Elevation of Privilege Vulnerability |
CVE-2024-49043 | High | 7.8 | — | 2024-11-12 | Microsoft.SqlServer.XEvent.Configuration.dll Remote Code Execution Vulnerability |
CVE-2024-49032 | High | 7.8 | — | 2024-11-12 | Microsoft Office Graphics Remote Code Execution Vulnerability |
CVE-2024-49031 | High | 7.8 | — | 2024-11-12 | Microsoft Office Graphics Remote Code Execution Vulnerability |
CVE-2024-49030 | High | 7.8 | — | 2024-11-12 | Microsoft Excel Remote Code Execution Vulnerability |
CVE-2024-49029 | High | 7.8 | — | 2024-11-12 | Microsoft Excel Remote Code Execution Vulnerability |
CVE-2024-49028 | High | 7.8 | — | 2024-11-12 | Microsoft Excel Remote Code Execution Vulnerability |
CVE-2024-49027 | High | 7.8 | — | 2024-11-12 | Microsoft Excel Remote Code Execution Vulnerability |
CVE-2024-49026 | High | 7.8 | — | 2024-11-12 | Microsoft Excel Remote Code Execution Vulnerability |
CVE-2024-49021 | High | 7.8 | — | 2024-11-12 | Microsoft SQL Server Remote Code Execution Vulnerability |
CVE-2024-49019 | High | 7.8 | — | 2024-11-12 | Active Directory Certificate Services Elevation of Privilege Vulnerability |
CVE-2024-43644 | High | 7.8 | — | 2024-11-12 | Windows Client-Side Caching Elevation of Privilege Vulnerability |
CVE-2024-43641 | High | 7.8 | — | 2024-11-12 | Windows Registry Elevation of Privilege Vulnerability |
CVE-2024-43640 | High | 7.8 | — | 2024-11-12 | Windows Kernel-Mode Driver Elevation of Privilege Vulnerability |
CVE-2024-43636 | High | 7.8 | — | 2024-11-12 | Win32k Elevation of Privilege Vulnerability |
CVE-2024-43630 | High | 7.8 | — | 2024-11-12 | Windows Kernel Elevation of Privilege Vulnerability |
CVE-2024-43629 | High | 7.8 | — | 2024-11-12 | Windows DWM Core Library Elevation of Privilege Vulnerability |
CVE-2024-43626 | High | 7.8 | — | 2024-11-12 | Windows Telephony Service Elevation of Privilege Vulnerability |
CVE-2024-43623 | High | 7.8 | — | 2024-11-12 | Windows NT OS Kernel Elevation of Privilege Vulnerability |
CVE-2024-43530 | High | 7.8 | — | 2024-11-12 | Windows Update Stack Elevation of Privilege Vulnerability |
CVE-2024-7571 | High | 7.8 | — | 2024-11-12 | Incorrect permissions in Ivanti Secure Access Client before 22.7R4 allows a local authenticated attacker to escalate their privileges. |
CVE-2024-49528 | High | 7.8 | — | 2024-11-12 | Animate versions 23.0.7, 24.0.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2024-49526 | High | 7.8 | — | 2024-11-12 | Animate versions 23.0.7, 24.0.4 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2024-49514 | High | 7.8 | — | 2024-11-12 | Photoshop Desktop versions 24.7.3, 25.11 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2024-49040 | High | 7.5 | — | 2024-11-12 | Microsoft Exchange Server Spoofing Vulnerability |
CVE-2024-49033 | High | 7.5 | — | 2024-11-12 | Microsoft Word Security Feature Bypass Vulnerability |
CVE-2024-43642 | High | 7.5 | — | 2024-11-12 | Windows SMB Denial of Service Vulnerability |
CVE-2024-43499 | High | 7.5 | — | 2024-11-12 | .NET and Visual Studio Denial of Service Vulnerability |
CVE-2024-43452 | High | 7.5 | — | 2024-11-12 | Windows Registry Elevation of Privilege Vulnerability |
CVE-2024-43450 | High | 7.5 | — | 2024-11-12 | Windows DNS Spoofing Vulnerability |
CVE-2024-49056 | High | 7.3 | — | 2024-11-12 | Authentication bypass by assumed-immutable data on airlift.microsoft.com allows an authorized attacker to elevate privileges over a network. |
CVE-2024-9842 | High | 7.3 | — | 2024-11-12 | Incorrect permissions in Ivanti Secure Access Client before version 22.7R4 allows a local authenticated attacker to create arbitrary folders. |
CVE-2024-49042 | High | 7.2 | — | 2024-11-12 | Azure Database for PostgreSQL Flexible Server Extension Elevation of Privilege Vulnerability |
CVE-2024-43613 | High | 7.2 | — | 2024-11-12 | Azure Database for PostgreSQL Flexible Server Extension Elevation of Privilege Vulnerability |
CVE-2024-49049 | High | 7.1 | — | 2024-11-12 | Visual Studio Code Remote Extension Elevation of Privilege Vulnerability |
CVE-2024-8539 | High | 7.1 | — | 2024-11-12 | Improper authorization in Ivanti Secure Access Client before version 22.7R3 allows a local authenticated attacker to modify sensitive configuration files. |
CVE-2024-43643 | Medium | 6.8 | — | 2024-11-12 | Windows USB Video Class System Driver Elevation of Privilege Vulnerability |
CVE-2024-43638 | Medium | 6.8 | — | 2024-11-12 | Windows USB Video Class System Driver Elevation of Privilege Vulnerability |
CVE-2024-43637 | Medium | 6.8 | — | 2024-11-12 | Windows USB Video Class System Driver Elevation of Privilege Vulnerability |
CVE-2024-43634 | Medium | 6.8 | — | 2024-11-12 | Windows USB Video Class System Driver Elevation of Privilege Vulnerability |
CVE-2024-43449 | Medium | 6.8 | — | 2024-11-12 | Windows USB Video Class System Driver Elevation of Privilege Vulnerability |
CVE-2024-38668 | Medium | 6.7 | — | 2024-11-13 | Uncontrolled search path for some Intel(R) Quartus(R) Prime Standard Edition software for Windows before version 23.1.1 may allow an authenticated user to potentially enable escalation of privilege via local access. |
CVE-2024-38383 | Medium | 6.7 | — | 2024-11-13 | Uncontrolled search path for some Intel(R) Quartus(R) Prime Pro Edition software for Windows before version 24.2 may allow an authenticated user to potentially enable escalation of privilege via local access. |
CVE-2024-36253 | Medium | 6.7 | — | 2024-11-13 | Uncontrolled search path in the Intel(R) SDP Tool for Windows software, all versions, may allow an authenticated user to potentially enable escalation of privilege via local access. |
CVE-2024-35201 | Medium | 6.7 | — | 2024-11-13 | Incorrect default permissions in the Intel(R) SDP Tool for Windows software, all versions, may allow an authenticated user to enable escalation of privilege via local access. |
CVE-2024-28952 | Medium | 6.7 | — | 2024-11-13 | Uncontrolled search path for some Intel(R) IPP software for Windows before version 2021.12.0 may allow an authenticated user to potentially enable escalation of privilege via local access. |
CVE-2024-49044 | Medium | 6.7 | — | 2024-11-12 | Visual Studio Elevation of Privilege Vulnerability |
CVE-2024-43646 | Medium | 6.7 | — | 2024-11-12 | Windows Secure Kernel Mode Elevation of Privilege Vulnerability |
CVE-2024-43645 | Medium | 6.7 | — | 2024-11-12 | Windows Defender Application Control (WDAC) Security Feature Bypass Vulnerability |
CVE-2024-43631 | Medium | 6.7 | — | 2024-11-12 | Windows Secure Kernel Mode Elevation of Privilege Vulnerability |
CVE-2024-43633 | Medium | 6.5 | — | 2024-11-12 | Windows Hyper-V Denial of Service Vulnerability |
CVE-2024-43451 | Medium | 6.5 | KEV | 2024-11-12 | NTLM Hash Disclosure Spoofing Vulnerability |
CVE-2024-38203 | Medium | 6.2 | — | 2024-11-12 | Windows Package Library Manager Information Disclosure Vulnerability |
CVE-2024-38264 | Medium | 5.9 | — | 2024-11-12 | Microsoft Virtual Hard Disk (VHDX) Denial of Service Vulnerability |
CVE-2024-49536 | Medium | 5.5 | — | 2024-11-15 | Audition versions 23.6.9, 24.4.6 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. |
CVE-2024-49512 | Medium | 5.5 | — | 2024-11-12 | InDesign Desktop versions ID18.5.3, ID19.5 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. |
CVE-2024-49511 | Medium | 5.5 | — | 2024-11-12 | InDesign Desktop versions ID18.5.3, ID19.5 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. |
CVE-2024-49510 | Medium | 5.5 | — | 2024-11-12 | InDesign Desktop versions ID18.5.3, ID19.5 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. |
CVE-2024-47458 | Medium | 5.5 | — | 2024-11-12 | Bridge versions 13.0.9, 14.1.2 and earlier are affected by a NULL Pointer Dereference vulnerability that could result in an application denial-of-service. |
CVE-2024-47457 | Medium | 5.5 | — | 2024-11-12 | Illustrator versions 28.7.1 and earlier are affected by a NULL Pointer Dereference vulnerability that could result in an application denial-of-service. |
CVE-2024-47456 | Medium | 5.5 | — | 2024-11-12 | Illustrator versions 28.7.1 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. |
CVE-2024-47455 | Medium | 5.5 | — | 2024-11-12 | Illustrator versions 28.7.1 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. |
CVE-2024-47454 | Medium | 5.5 | — | 2024-11-12 | Illustrator versions 28.7.1 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. |
CVE-2024-47453 | Medium | 5.5 | — | 2024-11-12 | Illustrator versions 28.7.1 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. |
CVE-2024-47449 | Medium | 5.5 | — | 2024-11-12 | Audition versions 23.6.9, 24.4.6 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. |
CVE-2024-47446 | Medium | 5.5 | — | 2024-11-12 | After Effects versions 23.6.9, 24.6.2 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. |
CVE-2024-47445 | Medium | 5.5 | — | 2024-11-12 | After Effects versions 23.6.9, 24.6.2 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. |
CVE-2024-47444 | Medium | 5.5 | — | 2024-11-12 | After Effects versions 23.6.9, 24.6.2 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. |
CVE-2024-45147 | Medium | 5.5 | — | 2024-11-12 | Bridge versions 13.0.9, 14.1.2 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. |
CVE-2024-49527 | Medium | 5.5 | — | 2024-11-12 | Animate versions 23.0.7, 24.0.4 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. |
CVE-2024-47535 | Medium | 5.5 | — | 2024-11-12 | Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. |
CVE-2024-49025 | Medium | 5.4 | — | 2024-11-14 | Microsoft Edge (Chromium-based) Information Disclosure Vulnerability |
Other vendors (914 CVEs across 286 vendors)
N/a · 149 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-44758 | Critical | 9.8 | — | 2024-11-15 | An arbitrary file upload vulnerability in the component /Production/UploadFile of NUS-M9 ERP Management Software v3.0.0 allows attackers to execute arbitrary code via uploading crafted files. |
CVE-2024-50724 | Critical | 9.8 | — | 2024-11-15 | KASO v9.0 was discovered to contain a SQL injection vulnerability via the person_id parameter at /cardcase/editcard.jsp. |
CVE-2024-50649 | Critical | 9.8 | — | 2024-11-15 | The user avatar upload function in python_book V1.0 has an arbitrary file upload vulnerability. |
CVE-2024-31695 | Critical | 9.8 | — | 2024-11-14 | A misconfiguration in the fingerprint authentication mechanism of Binance: BTC, Crypto and NFTS v2.85.4, allows attackers to bypass authentication when adding a new fingerprint. |
CVE-2024-50636 | Critical | 9.8 | — | 2024-11-11 | PyMOL 2.5.0 contains a vulnerability in its "Run Script" function, which allows the execution of arbitrary Python code embedded within .PYM files. |
CVE-2024-25255 | Critical | 9.8 | — | 2024-11-11 | Sublime Text 4 was discovered to contain a command injection vulnerability via the New Build System module. |
CVE-2024-44546 | Critical | 9.8 | — | 2024-11-11 | Powerjob >= 3.20 is vulnerable to SQL injection via the version parameter. |
CVE-2024-51135 | Critical | 9.8 | — | 2024-11-11 | An XML External Entity (XXE) vulnerability in the component DocumentBuilderFactory of powertac-server v1.9.0 allows attackers to access sensitive information or execute arbitrary code via supplying a crafted request containing malicious XM… |
CVE-2024-50667 | Critical | 9.8 | — | 2024-11-11 | The boa httpd of Trendnet TEW-820AP 1.01.B01 has a stack overflow vulnerability in /boafrm/formIPv6Addr, /boafrm/formIpv6Setup, /boafrm/formDnsv6. |
CVE-2024-50989 | Critical | 9.8 | — | 2024-11-11 | A SQL injection vulnerability in /omrs/admin/search.php in PHPGurukul Online Marriage Registration System v1.0 allows an attacker to execute arbitrary SQL commands via the "searchdata " parameter. |
CVE-2023-52268 | Critical | 9.1 | — | 2024-11-12 | The End-User Portal module before 1.0.65 for FreeScout sometimes allows an attacker to authenticate as an arbitrary user because a session token can be sent to the /auth endpoint. |
CVE-2024-46962 | Critical | 9.1 | — | 2024-11-11 | The SYQ com.downloader.video.fast (aka Master Video Downloader) application through 2.0 for Android allows an attacker to execute arbitrary JavaScript code via the com.downloader.video.fast.SpeedMainAct component. |
CVE-2024-10979 | High | 8.8 | — | 2024-11-14 | Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. |
CVE-2024-36242 | High | 8.8 | — | 2024-11-13 | Protection mechanism failure in the SPP for some Intel(R) Processors may allow an authenticated user to potentially enable escalation of privilege via local access. |
CVE-2024-23918 | High | 8.8 | — | 2024-11-13 | Improper conditions check in some Intel(R) Xeon(R) processor memory controller configurations when using Intel(R) SGX may allow a privileged user to potentially enable escalation of privilege via local access. |
CVE-2024-50970 | High | 8.8 | — | 2024-11-13 | A SQL injection vulnerability in orderview1.php of Itsourcecode Online Furniture Shopping Project 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter. |
CVE-2024-50854 | High | 8.8 | — | 2024-11-13 | Tenda G3 v3.0 v15.11.0.20 was discovered to contain a stack overflow via the formSetPortMapping function. |
CVE-2024-50853 | High | 8.8 | — | 2024-11-13 | Tenda G3 v3.0 v15.11.0.20 was discovered to contain a command injection vulnerability via the formSetDebugCfg function. |
CVE-2024-50852 | High | 8.8 | — | 2024-11-13 | Tenda G3 v3.0 v15.11.0.20 was discovered to contain a command injection vulnerability via the formSetUSBPartitionUmount function. |
CVE-2024-41992 | High | 8.8 | — | 2024-11-11 | Wi-Fi Alliance wfa_dut (in Wi-Fi Test Suite) through 9.0.0 allows OS command injection via 802.11x frames because the system() library function is used. |
CVE-2020-10370 | High | 8.8 | — | 2024-11-11 | Certain Cypress (and Broadcom) Wireless Combo chips such as CYW43455, when a 2021-01-26 Bluetooth firmware update is not present, allow a Bluetooth outage via a "Spectra" attack. |
CVE-2024-51093 | High | 8.7 | — | 2024-11-12 | Stored Cross-Site Scripting (XSS) vulnerability in Snipe-IT - v7.0.13 allows an attacker to upload a malicious XML file containing JavaScript code. |
CVE-2024-38665 | High | 8.4 | — | 2024-11-13 | Out-of-bounds write in some Intel(R) Graphics Drivers may allow an authenticated user to potentially enable escalation of privilege via local access. |
CVE-2024-34023 | High | 8.4 | — | 2024-11-13 | Untrusted pointer dereference in some Intel(R) Graphics Drivers may allow an authenticated user to potentially enable escalation of privilege via local access. |
CVE-2024-36282 | High | 8.2 | — | 2024-11-13 | Improper input validation in the Intel(R) Server Board S2600ST Family BIOS and Firmware Update software all versions may allow a privileged user to potentially enable escalation of privilege via local access. |
CVE-2024-46966 | High | 8.1 | — | 2024-11-11 | The Ikhgur mn.ikhgur.khotoch (aka Video Downloader Pro & Browser) application through 1.0.42 for Android allows an attacker to execute arbitrary JavaScript code via the mn.ikhgur.khotoch.MainActivity component. |
CVE-2024-46964 | High | 8.1 | — | 2024-11-11 | The com.video.downloader.all (aka All Video Downloader) application through 11.28 for Android allows an attacker to execute arbitrary JavaScript code via the com.video.downloader.all.StartActivity component. |
CVE-2024-46963 | High | 8.1 | — | 2024-11-11 | The com.superfast.video.downloader (aka Super Unlimited Video Downloader - All in One) application through 5.1.9 for Android allows an attacker to execute arbitrary JavaScript code via the com.bluesky.browser.ui.BrowserMainActivity compone… |
CVE-2024-48322 | High | 8.1 | — | 2024-11-11 | UsersController.php in Run.codes 1.5.2 and older has a reset password race condition vulnerability. |
CVE-2024-39368 | High | 8.0 | — | 2024-11-13 | Improper neutralization of special elements used in an SQL command ('SQL Injection') in some Intel(R) Neural Compressor software before version v3.0 may allow an authenticated user to potentially enable escalation of privilege via adjacent… |
CVE-2024-28726 | High | 8.0 | — | 2024-11-12 | An issue in DLink DWR 2000M 5G CPE With Wifi 6 Ax1800 and Dlink DWR 5G CPE DWR-2000M_1.34ME allows a local attacker to execute arbitrary code via a crafted payload to the Diagnostics function. |
CVE-2024-51094 | High | 8.0 | — | 2024-11-12 | An issue in Snipe-IT v.7.0.13 build 15514 allows a low-privileged attacker to modify their profile name and inject a malicious payload into the "Name" field. |
CVE-2024-51141 | High | 7.8 | — | 2024-11-15 | An issue in TOTOLINK Bluetooth Wireless Adapter A600UB allows a local attacker to execute arbitrary code via the WifiAutoInstallDriver.exe and MSASN1.dll components. |
CVE-2024-46467 | High | 7.8 | — | 2024-11-15 | By default, dedicated folders of ZONEPOINT for Windows up to 2024.1 can be accessed by other users to misuse technical files and make them perform tasks with higher privileges. |
CVE-2024-46466 | High | 7.8 | — | 2024-11-15 | By default, dedicated folders of ZONECENTRAL for Windows up to 2024.3 or up to Q.2021.2 (ANSSI qualification submission) can be accessed by other users to misuse technical files and make them perform tasks with higher privileges. |
CVE-2024-46463 | High | 7.8 | — | 2024-11-15 | By default, dedicated folders of ORIZON for Windows up to 2024.3 can be accessed by other users to misuse technical files and make them perform tasks with higher privileges. |
CVE-2024-46462 | High | 7.8 | — | 2024-11-15 | By default, dedicated folders of ZEDMAIL for Windows up to 2024.3 can be accessed by other users to misuse technical files and make them perform tasks with higher privileges. |
CVE-2021-27700 | High | 7.6 | — | 2024-11-12 | SOCIFI Socifi Guest wifi as SAAS wifi portal is affected by Insecure Permissions. |
CVE-2024-44759 | High | 7.5 | — | 2024-11-15 | An arbitrary file download vulnerability in the component /Doc/DownloadFile of NUS-M9 ERP Management Software v3.0.0 allows attackers to download arbitrary files and access sensitive information via a crafted interface request. |
CVE-2024-45969 | High | 7.5 | — | 2024-11-15 | NULL pointer dereference in the MMS Client in MZ Automation LibIEC1850 before commit 7afa40390b26ad1f4cf93deaa0052fe7e357ef33 allows a malicious server to cause a Denial-of-Service via the MMS InitiationResponse message. |
CVE-2024-24431 | High | 7.5 | — | 2024-11-15 | A reachable assertion in the ogs_nas_emm_decode function of Open5GS v2.7.0 allows attackers to cause a Denial of Service (DoS) via a crafted NAS packet with a zero-length EMM message length. |
CVE-2024-24426 | High | 7.5 | — | 2024-11-15 | Reachable assertions in the NGAP_FIND_PROTOCOLIE_BY_ID function of OpenAirInterface Magma v1.8.0 and OAI EPC Federation v1.2.0 allow attackers to cause a Denial of Service (DoS) via a crafted NGAP packet. |
CVE-2024-50654 | High | 7.5 | — | 2024-11-15 | lilishop <=4.2.4 is vulnerable to Incorrect Access Control, which can allow attackers to obtain coupons beyond the quantity limit by capturing and sending the data packets for coupon collection in high concurrency. |
CVE-2024-50650 | High | 7.5 | — | 2024-11-15 | python_book V1.0 is vulnerable to Incorrect Access Control, which allows attackers to obtain sensitive information of users with different IDs by modifying the ID parameter. |
CVE-2024-50647 | High | 7.5 | — | 2024-11-15 | The python_food ordering system V1.0 has an unauthorized vulnerability that leads to the leakage of sensitive user information. |
CVE-2024-50955 | High | 7.5 | — | 2024-11-13 | An issue in how XINJE XD5E-24R and XL5E-16T v3.5.3b handle TCP protocol messages allows attackers to cause a Denial of Service (DoS) via a crafted TCP message. |
CVE-2024-31158 | High | 7.5 | — | 2024-11-13 | Improper input validation in UEFI firmware in some Intel(R) Server Board S2600BP Family may allow a privileged user to potentially enable escalation of privilege via local access. |
CVE-2024-31154 | High | 7.5 | — | 2024-11-13 | Improper input validation in UEFI firmware for some Intel(R) Server S2600BPBR may allow a privileged user to potentially enable escalation of privilege via local access. |
CVE-2024-28028 | High | 7.5 | — | 2024-11-13 | Improper input validation in some Intel(R) Neural Compressor software before version v3.0 may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access. |
CVE-2024-51179 | High | 7.5 | — | 2024-11-12 | An issue in Open 5GS v.2.7.1 allows a remote attacker to cause a denial of service via the Network Function Virtualizations (NFVs) such as the User Plane Function (UPF) and the Session Management Function (SMF), The Packet Data Unit (PDU)… |
CVE-2024-25253 | High | 7.5 | — | 2024-11-11 | Driver Booster v10.6 was discovered to contain a buffer overflow via the Host parameter under the Customize proxy module. |
CVE-2024-48939 | High | 7.5 | — | 2024-11-11 | Insufficient validation performed on the REST API License file in Paxton Net2 before 6.07.14023.5015 (SR4) enables use of the REST API with an invalid License File. |
CVE-2021-27702 | High | 7.3 | — | 2024-11-12 | Sercomm Router Etisalat Model S3-AC2100 is affected by Incorrect Access Control via the diagnostic utility in the router dashboard. |
CVE-2024-24985 | High | 7.2 | — | 2024-11-13 | Exposure of resource to wrong sphere in some Intel(R) processors with Intel(R) ACTM may allow a privileged user to potentially enable escalation of privilege via local access. |
CVE-2024-22185 | High | 7.2 | — | 2024-11-13 | Time-of-check Time-of-use Race Condition in some Intel(R) processors with Intel(R) ACTM may allow a privileged user to potentially enable escalation of privilege via local access. |
CVE-2024-21820 | High | 7.2 | — | 2024-11-13 | Incorrect default permissions in some Intel(R) Xeon(R) processor memory controller configurations when using Intel(R) SGX may allow a privileged user to potentially enable escalation of privilege via local access. |
CVE-2024-21799 | High | 7.1 | — | 2024-11-13 | Path traversal for some Intel(R) Extension for Transformers software before version 1.5 may allow an authenticated user to potentially enable escalation of privilege via local access. |
CVE-2024-39766 | High | 7.0 | — | 2024-11-13 | Improper neutralization of special elements used in SQL command in some Intel(R) Neural Compressor software before version v3.0 may allow an authenticated user to potentially enable escalation of privilege via local access. |
CVE-2024-32044 | Medium | 6.8 | — | 2024-11-13 | Improper access control for some Intel(R) Arc(TM) Pro Graphics for Windows drivers before version 31.0.101.5319 may allow an authenticated user to potentially enable escalation of privilege via adjacent access. |
CVE-2024-49592 | Medium | 6.7 | — | 2024-11-15 | Trial installer for McAfee Total Protection (legacy trial installer software) 16.0.53 allows local privilege escalation because of an Uncontrolled Search Path Element. |
CVE-2024-38387 | Medium | 6.7 | — | 2024-11-13 | Uncontrolled search path in the Intel(R) Graphics Driver installers for versions 15.40 and 15.45 may allow an authenticated user to potentially enable escalation of privilege via local access. |
CVE-2024-37025 | Medium | 6.7 | — | 2024-11-13 | Incorrect execution-assigned permissions in some Intel(R) Advanced Link Analyzer Standard Edition software installer before version 23.1.1 may allow an authenticated user to potentially enable escalation of privilege via local access. |
CVE-2024-37024 | Medium | 6.7 | — | 2024-11-13 | Uncontrolled search path for some ACAT software maintained by Intel(R) for Windows before version 3.11.0 may allow an authenticated user to potentially enable escalation of privilege via local access. |
CVE-2024-35245 | Medium | 6.7 | — | 2024-11-13 | Uncontrolled search path element in some Intel(R) PROSet/Wireless WiFi software for Windows before version 23.60 may allow an authenticated user to potentially enable escalation of privilege via local access. |
CVE-2024-34167 | Medium | 6.7 | — | 2024-11-13 | Uncontrolled search path for the Intel(R) Server Board S2600ST Family BIOS and Firmware Update software all versions may allow an authenticated user to potentially enable escalation of privilege via local access. |
CVE-2024-34165 | Medium | 6.7 | — | 2024-11-13 | Uncontrolled search path in some Intel(R) oneAPI DPC++/C++ Compiler before version 2024.2 may allow an authenticated user to potentially enable escalation of privilege via local access. |
CVE-2024-34164 | Medium | 6.7 | — | 2024-11-13 | Uncontrolled search path element in some Intel(R) MAS software before version 2.5 may allow an authenticated user to potentially enable escalation of privilege via local access. |
CVE-2024-34028 | Medium | 6.7 | — | 2024-11-13 | Uncontrolled search path in some Intel(R) Graphics Offline Compiler for OpenCL(TM) Code software for Windows before version 2024.1.0.142, graphics driver 31.0.101.5445 may allow an authenticated user to potentially enable escalation of pri… |
CVE-2024-34022 | Medium | 6.7 | — | 2024-11-13 | Improper Access Control in some Thunderbolt(TM) Share software before version 1.0.49.9 may allow an authenticated user to potentially enable escalation of privilege via local access. |
CVE-2024-31407 | Medium | 6.7 | — | 2024-11-13 | Uncontrolled search path in some Intel(R) High Level Synthesis Compiler software for Intel(R) Quartus(R) Prime Pro Edition Software before version 24.1 may allow an authenticated user to potentially enable escalation of privilege via local… |
CVE-2024-29083 | Medium | 6.7 | — | 2024-11-13 | Incorrect default permissions in some Intel(R) Distribution for Python software before version 2024.2 may allow an authenticated user to potentially enable escalation of privilege via local access. |
CVE-2024-29077 | Medium | 6.7 | — | 2024-11-13 | Improper access control in some JAM STAPL Player software before version 2.6.1 may allow an authenticated user to potentially enable escalation of privilege via local access. |
CVE-2024-28950 | Medium | 6.7 | — | 2024-11-13 | Uncontrolled search path for some Intel(R) oneAPI Math Kernel Library software for Windows before version 2024.2 may allow an authenticated user to potentially enable escalation of privilege via local access. |
CVE-2024-28881 | Medium | 6.7 | — | 2024-11-13 | Uncontrolled search path for some Intel(R) Fortran Compiler Classic software before version 2021.13 may allow an authenticated user to potentially enable escalation of privilege via local access. |
CVE-2024-26017 | Medium | 6.7 | — | 2024-11-13 | Uncontrolled search path in some Intel(R) Rendering Toolkit software before version 2024.1.0 may allow an authenticated user to potentially enable escalation of privilege via local access. |
CVE-2024-25647 | Medium | 6.7 | — | 2024-11-13 | Incorrect default permissions for some Intel(R) Binary Configuration Tool software for Windows before version 3.4.5 may allow an authenticated user to potentially enable escalation of privilege via local access. |
CVE-2024-23312 | Medium | 6.7 | — | 2024-11-13 | Uncontrolled search path for some Intel(R) Binary Configuration Tool software for Windows before version 3.4.5 may allow an authenticated user to potentially enable escalation of privilege via local access. |
CVE-2024-34170 | Medium | 6.6 | — | 2024-11-13 | Improper buffer restrictions in some Intel(R) Graphics Drivers may allow an authenticated user to potentially enable denial of service via local access. |
CVE-2024-28728 | Medium | 6.6 | — | 2024-11-12 | Cross Site Scripting vulnerability in DLink DWR 2000M 5G CPE With Wifi 6 Ax1800 and Dlink DWR 5G CPE DWR-2000M_1.34ME allows a local attacker to obtain sensitive information via a crafted payload to the WiFi SSID Name field. |
CVE-2024-24446 | Medium | 6.5 | — | 2024-11-15 | An uninitialized pointer dereference in OpenAirInterface CN5G AMF up to v2.0.0 allows attackers to cause a Denial of Service (DoS) via a crafted InitialContextSetupResponse message sent to the AMF. |
CVE-2024-24425 | Medium | 6.5 | — | 2024-11-15 | Magma v1.8.0 and OAI EPC Federation v1.20 were discovered to contain an out-of-bounds read in the amf_as_establish_req function at /tasks/amf/amf_as.cpp. |
CVE-2024-24449 | Medium | 6.5 | — | 2024-11-15 | An uninitialized pointer dereference in the NasPdu::NasPdu component of OpenAirInterface CN5G AMF up to v2.0.0 allows attackers to cause a Denial of Service (DoS) via a crafted InitialUEMessage message sent to the AMF. |
CVE-2024-51027 | Medium | 6.5 | — | 2024-11-13 | Ruijie NBR800G gateway NBR_RGOS_11.1(6)B4P9 is vulnerable to command execution in /itbox_pi/networksafe.php via the province parameter. |
CVE-2024-50956 | Medium | 6.5 | — | 2024-11-13 | A buffer overflow in the RecvSocketData function of Inovance HCPLC_AM401-CPU1608TPTN 21.38.0.0, HCPLC_AM402-CPU1608TPTN 41.38.0.0, and HCPLC_AM403-CPU1608TN 81.38.0.0 allows attackers to cause a Denial of Service (DoS) or execute arbitrary… |
CVE-2024-45877 | Medium | 6.5 | — | 2024-11-13 | baltic-it TOPqw Webportal v1.35.283.2 is vulnerable to Incorrect Access Control in the User Management function in /Apps/TOPqw/BenutzerManagement.aspx. |
CVE-2024-45876 | Medium | 6.5 | — | 2024-11-13 | The login form of baltic-it TOPqw Webportal v1.35.283.2 (fixed in version 1.35.283.4) at /Apps/TOPqw/Login.aspx is vulnerable to SQL injection. |
CVE-2024-32048 | Medium | 6.5 | — | 2024-11-13 | Improper input validation in the Intel(R) Distribution of OpenVINO(TM) Model Server software before version 2024.0 may allow an unauthenticated user to potentially enable denial of service via adjacent access. |
CVE-2024-24984 | Medium | 6.5 | — | 2024-11-13 | Improper input validation for some Intel(R) Wireless Bluetooth(R) products for Windows before version 23.40 may allow an unauthenticated user to potentially enable denial of service via adjacent access. |
CVE-2024-40885 | Medium | 6.4 | — | 2024-11-13 | Use after free in the UEFI firmware of some Intel(R) Server M20NTP BIOS may allow a privileged user to potentially enable escalation of privilege via local access. |
CVE-2024-39811 | Medium | 6.3 | — | 2024-11-13 | Improper input validation in firmware for some Intel(R) Server M20NTP Family UEFI may allow a privileged user to potentially enable escalation of privilege via local access. |
CVE-2024-48068 | Medium | 6.1 | — | 2024-11-15 | A cross-site scripting (XSS) vulnerability in Shenzhen Landray Software Co.,LTD Landray EKP v16 and earlier allows attackers to execute arbitrary web scripts or HTML via a crafted payload. |
CVE-2024-36275 | Medium | 6.1 | — | 2024-11-13 | NULL pointer dereference in some Intel(R) Optane(TM) PMem Management software versions before CR_MGMT_02.00.00.4040, CR_MGMT_03.00.00.0499 may allow an authenticated user to potentially enable denial of service via local access. |
CVE-2024-51213 | Medium | 6.1 | — | 2024-11-11 | Cross Site Scripting vulnerability in Online Shop Store v.1.0 allows a remote attacker to execute arbitrary code via the login.php component. |
CVE-2024-50601 | Medium | 6.1 | — | 2024-11-11 | Persistent and reflected XSS vulnerabilities in the themeMode cookie and _h URL parameter of Axigen Mail Server up to version 10.5.28 allow attackers to execute arbitrary Javascript. |
CVE-2024-50990 | Medium | 6.1 | — | 2024-11-11 | A Reflected Cross Site Scripting (XSS) vulnerability was found in /omrs/user/search.php in PHPGurukul Online Marriage Registration System v1.0, which allows remote attackers to execute arbitrary code via the "searchdata" POST request parame… |
CVE-2024-21850 | Medium | 6.0 | — | 2024-11-13 | Sensitive information in resource not removed before reuse in some Intel(R) TDX Seamldr module software before version 1.5.02.00 may allow a privileged user to potentially enable escalation of privilege via local access. |
CVE-2024-33617 | Medium | 5.9 | — | 2024-11-13 | Insufficient control flow management in some Intel(R) QAT Engine for OpenSSL software before version v1.6.1 may allow information disclosure via network access. |
CVE-2024-31074 | Medium | 5.9 | — | 2024-11-13 | Observable timing discrepancy in some Intel(R) QAT Engine for OpenSSL software before version v1.6.1 may allow information disclosure via network access. |
CVE-2024-28885 | Medium | 5.9 | — | 2024-11-13 | Observable discrepancy in some Intel(R) QAT Engine for OpenSSL software before version v1.6.1 may allow information disclosure via network access. |
CVE-2024-36284 | Medium | 5.5 | — | 2024-11-13 | Improper input validation in some Intel(R) Neural Compressor software before version v3.0 may allow an authenticated user to potentially enable escalation of privilege via adjacent access. |
CVE-2024-29085 | Medium | 5.5 | — | 2024-11-13 | Improper access control for some BigDL software maintained by Intel(R) before version 2.5.0 may allow an authenticated user to potentially enable escalation of privilege via adjacent access. |
CVE-2024-29076 | Medium | 5.5 | — | 2024-11-13 | Uncaught exception for some Intel(R) CST software before version 8.7.10803 may allow an authenticated user to potentially enable denial of service via local access. |
CVE-2024-50800 | Medium | 5.4 | — | 2024-11-15 | Cross Site Scripting vulnerability in M2000 Smart4Web before v.5.020241004 allows a remote attacker to execute arbitrary code via the error parameter in URL |
CVE-2024-40579 | Medium | 5.4 | — | 2024-11-14 | Cross Site Scripting vulnerability in Virtuozzo Hybrid Server for WHMCS Open Source v.1.7.1 allows a remote attacker to obtain sensitive information via modification of the hostname parameter. |
CVE-2024-45879 | Medium | 5.4 | — | 2024-11-13 | The file upload function in the "QWKalkulation" tool of baltic-it TOPqw Webportal v1.35.287.1 (fixed in version 1.35.291), in /Apps/TOPqw/QWKalkulation/QWKalkulation.aspx, is vulnerable to Cross-Site Scripting (XSS). |
CVE-2024-45878 | Medium | 5.4 | — | 2024-11-13 | The "Stammdaten" menu of baltic-it TOPqw Webportal v1.35.283.2 (fixed in version 1.35.291), in /Apps/TOPqw/qwStammdaten.aspx, is vulnerable to persistent Cross-Site Scripting (XSS). |
CVE-2024-45875 | Medium | 5.4 | — | 2024-11-13 | The create user function in baltic-it TOPqw Webportal 1.35.287.1 (fixed in version 1.35.291), in /Apps/TOPqw/BenutzerManagement.aspx/SaveNewUser, is vulnerable to SQL injection. |
CVE-2024-28169 | Medium | 5.4 | — | 2024-11-13 | Cleartext transmission of sensitive information for some BigDL software maintained by Intel(R) before version 2.5.0 may allow an authenticated user to potentially enable denial of service via adjacent access. |
CVE-2024-42834 | Medium | 5.4 | — | 2024-11-13 | A stored cross-site scripting (XSS) vulnerability in the Create Customer API in Incognito Service Activation Center (SAC) UI v14.11 allows authenticated attackers to execute arbitrary web scripts or HTML via injecting a crafted payload int… |
CVE-2021-27703 | Medium | 5.4 | — | 2024-11-12 | Sercomm Model Etisalat Model S3- AC2100 is affected by Cross Site Scripting (XSS) via the firmware update page. |
CVE-2024-51026 | Medium | 5.4 | — | 2024-11-11 | The NetAdmin IAM system (version 4.0.30319) has a Cross Site Scripting (XSS) vulnerability in the /BalloonSave.ashx endpoint, where it is possible to inject a malicious payload into the Content= field. |
CVE-2024-46965 | Medium | 5.4 | — | 2024-11-11 | The DS allvideo.downloader.browser (aka Fast Video Downloader: Browser) application through 1.6-RC1 for Android allows an attacker to execute arbitrary JavaScript code via the allvideo.downloader.browser.DefaultBrowserActivity component. |
CVE-2024-24450 | Medium | 5.3 | — | 2024-11-15 | Stack-based memcpy buffer overflow in the ngap_handle_pdu_session_resource_setup_response routine in OpenAirInterface CN5G AMF <= 2.0.0 allows a remote attacker with access to the N2 interface to carry out denial of service against the AMF… |
CVE-2024-24447 | Medium | 5.3 | — | 2024-11-15 | A buffer overflow in the ngap_amf_handle_pdu_session_resource_setup_response function of oai-cn5g-amf up to v2.0.0 allows attackers to cause a Denial of Service (DoS) via a PDU Session Resource Setup Response with an empty Response Item li… |
CVE-2024-39707 | Medium | 5.3 | — | 2024-11-14 | Insyde IHISI function 0x49 can restore factory defaults for certain UEFI variables without further authentication by default, which could lead to a possible roll-back attack in certain platforms. |
CVE-2024-50843 | Medium | 5.3 | — | 2024-11-14 | A Directory listing issue was found in PHPGurukul User Registration & Login and User Management System 3.2, which allows remote attackers to access sensitive files and directories via /loginsystem/assets. |
CVE-2024-39285 | Medium | 5.3 | — | 2024-11-13 | Improper access control in UEFI firmware in some Intel(R) Server M20NTP Family may allow a privileged user to potentially enable information disclosure via local access. |
CVE-2024-23919 | Medium | 5.3 | — | 2024-11-13 | Improper buffer restrictions in some Intel(R) Graphics software may allow an authenticated user to potentially enable escalation of privilege via local access. |
CVE-2024-48075 | Medium | 5.3 | — | 2024-11-12 | A Heap buffer overflow in the server-site handshake implementation in Real Time Logic SharkSSL from 09/09/24 and earlier allows a remote attacker to trigger a Denial-of-Service via a malformed TLS Client Key Exchange message. |
CVE-2024-51330 | Medium | 5.1 | — | 2024-11-15 | An issue in UltiMaker Cura v.4.41 and 5.8.1 and before allows a local attacker to execute arbitrary code via Inter-process communication (IPC) mechanism between Cura application and CuraEngine processes, localhost network stack, printing s… |
CVE-2024-48284 | Medium | 4.8 | — | 2024-11-14 | A Reflected Cross-Site Scripting (XSS) vulnerability was found in the /search-result.php page of the PHPGurukul User Registration & Login and User Management System 3.2. |
CVE-2024-21783 | Medium | 4.8 | — | 2024-11-13 | Integer overflow for some Intel(R) VPL software before version 24.1.4 may allow an authenticated user to potentially enable escalation of privilege via local access. |
CVE-2023-38920 | Medium | 4.8 | — | 2024-11-13 | Cross Site Scripting vulnerability in Cyber Cafe Management System v.1.0 allows a local attacker to execute arbitrary code via a crafted script to the adminname parameter. |
CVE-2024-51190 | Medium | 4.8 | — | 2024-11-11 | TRENDnet TEW-651BR 2.04B1, TEW-652BRP 3.04b01, and TEW-652BRU 1.00b12 devices contain a Store Cross-site scripting (XSS) vulnerability via the ptRule_ApplicationName_1.1.6.0.0 parameter on the /special_ap.htm page. |
CVE-2024-51189 | Medium | 4.8 | — | 2024-11-11 | TRENDnet TEW-651BR 2.04B1, TEW-652BRP 3.04b01, and TEW-652BRU 1.00b12 devices contain a Store Cross-site scripting (XSS) vulnerability via the macList_Name_1.1.1.0.0 parameter on the /filters.htm page. |
CVE-2024-51188 | Medium | 4.8 | — | 2024-11-11 | TRENDnet TEW-651BR 2.04B1, TEW-652BRP 3.04b01, and TEW-652BRU 1.00b12 devices contain a Store Cross-site scripting (XSS) vulnerability via the vsRule_VirtualServerName_1.1.10.0.0 parameter on the /virtual_server.htm page. |
CVE-2024-51187 | Medium | 4.8 | — | 2024-11-11 | TRENDnet TEW-651BR 2.04B1, TEW-652BRP 3.04b01, and TEW-652BRU 1.00b12 devices contain a Store Cross-site scripting (XSS) vulnerability via the firewallRule_Name_1.1.1.0.0 parameter on the /firewall_setting.htm page. |
CVE-2024-51054 | Medium | 4.8 | — | 2024-11-11 | A Cross Site Scripting (XSS) vulnerability was found in /omrs/admin/search.php in PHPGurukul Online Marriage Registration System 1.0, which allows remote attackers to execute arbitrary code via the "searchdata" POST request parameter. |
CVE-2024-50991 | Medium | 4.8 | — | 2024-11-11 | A Cross Site Scripting (XSS) vulnerability was found in /ums-sp/admin/registered-users.php in PHPGurukul User Management System v1.0, which allows remote attackers to execute arbitrary code via the "fname" POST request parameter |
CVE-2024-11242 | Medium | 4.7 | — | 2024-11-15 | A vulnerability was found in ZZCMS 2023. |
CVE-2024-21853 | Medium | 4.7 | — | 2024-11-13 | Improper finite state machines (FSMs) in the hardware logic in some 4th and 5th Generation Intel(R) Xeon(R) Processors may allow an authorized user to potentially enable denial of service via local access. |
CVE-2021-27701 | Medium | 4.7 | — | 2024-11-12 | SOCIFI Socifi Guest wifi as SAAS is affected by Cross Site Request Forgery (CSRF) via the Socifi wifi portal. |
CVE-2024-23169 | Medium | 4.6 | — | 2024-11-15 | The web interface in RSA NetWitness 11.7.2.0 allows Cross-Site Scripting (XSS) via the Where textbox on the Reports screen during new rule creation. |
CVE-2024-34776 | Medium | 4.5 | — | 2024-11-13 | Out-of-bounds write in some Intel(R) SGX SDK software may allow an authenticated user to potentially enable escalation of privilege via local access. |
CVE-2024-27200 | Medium | 4.4 | — | 2024-11-13 | Improper access control in some Intel(R) Granulate(TM) software before version 4.30.1 may allow an authenticated user to potentially enable escalation of privilege via local access. |
CVE-2024-33624 | Medium | 4.3 | — | 2024-11-13 | Improper input validation for some Intel(R) PROSet/Wireless WiFi software for Windows before version 23.60 may allow an unauthenticated user to potentially enable denial of service via network access. |
CVE-2024-40443 | Medium | 4.3 | — | 2024-11-13 | SQL Injection vulnerability in Simple Laboratory Management System using PHP and MySQL v.1.0 allows a remote attacker to cause a denial of service via the delete_users function in the Useres.php |
CVE-2024-10976 | Medium | 4.2 | — | 2024-11-14 | Incomplete tracking in PostgreSQL of tables with row security allows a reused query to view or change different rows from those intended. |
CVE-2024-21808 | Medium | 4.2 | — | 2024-11-13 | Improper buffer restrictions in some Intel(R) VPL software before version 24.1.4 may allow an authenticated user to potentially enable escalation of privilege via local access. |
CVE-2024-32667 | Low | 3.9 | — | 2024-11-13 | Out-of-bounds read for some OpenCL(TM) software may allow an authenticated user to potentially enable denial of service via local access. |
CVE-2024-38660 | Low | 3.8 | — | 2024-11-13 | Protection mechanism failure in the SPP for some Intel(R) Xeon(R) processor family (E-Core) may allow an authenticated user to potentially enable escalation of privilege via local access. |
CVE-2024-25565 | Low | 3.8 | — | 2024-11-13 | Insufficient control flow management in UEFI firmware for some Intel(R) Xeon(R) Processors may allow an authenticated user to enable denial of service via local access. |
CVE-2024-33611 | Low | 3.4 | — | 2024-11-13 | Improper input validation for some Intel(R) PROSet/Wireless WiFi software for Windows before version 23.60 may allow a privileged user to potentially enable denial of service via local access. |
CVE-2024-10977 | Low | 3.1 | — | 2024-11-14 | Client use of server error message in PostgreSQL allows a server not trusted under current SSL or GSS settings to furnish arbitrary non-NUL bytes to the libpq application. |
CVE-2024-46383 | Low | 2.4 | — | 2024-11-15 | Hathway Skyworth Router CM5100-511 v4.1.1.24 was discovered to store sensitive information about USB and Wifi connected devices in plaintext. |
CVE-2024-11130 | Low | 2.4 | — | 2024-11-12 | A vulnerability was found in ZZCMS up to 2023. |
CVE-2024-28051 | Low | 2.2 | — | 2024-11-13 | Out-of-bounds read in some Intel(R) VPL software before version 24.1.4 may allow an authenticated user to potentially enable information disclosure via local access. |
CVE-2024-28030 | Low | 2.2 | — | 2024-11-13 | NULL pointer dereference in some Intel(R) VPL software before version 24.1.4 may allow an authenticated user to potentially enable denial of service via local access. |
CVE-2023-40457 | — | — | — | 2024-11-11 | The BGP daemon in Extreme Networks ExtremeXOS (aka EXOS) 30.7.1.1 allows an attacker (who is not on a directly connected network) to cause a denial of service (BGP session reset) because of BGP attribute error mishandling (for attribute 21… |
Cisco (50 CVEs)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2023-20036 | Critical | 9.9 | — | 2024-11-15 | A vulnerability in the web UI of Cisco IND could allow an authenticated, remote attacker to execute arbitrary commands with administrative privileges on the underlying operating system of an affected device. This vulnerability is due to… |
CVE-2023-20154 | Critical | 9.1 | — | 2024-11-15 | A vulnerability in the external authentication mechanism of Cisco Modeling Labs could allow an unauthenticated, remote attacker to access the web interface with administrative privileges. This vulnerability is due to the improper handli… |
CVE-2022-20655 | High | 8.8 | — | 2024-11-15 | A vulnerability in the implementation of the CLI on a device that is running ConfD could allow an authenticated, local attacker to perform a command injection attack. The vulnerability is due to insufficient validation of a process argum… |
CVE-2023-20125 | High | 8.6 | — | 2024-11-15 | A vulnerability in the local interface of Cisco BroadWorks Network Server could allow an unauthenticated, remote attacker to exhaust system resources, causing a denial of service (DoS) condition. This vulnerability exists because rate l… |
CVE-2022-20649 | High | 8.1 | — | 2024-11-15 | A vulnerability in Cisco RCM for Cisco StarOS Software could allow an unauthenticated, remote attacker to perform remote code execution on the application with root-level privileges in the context of the configured container… |
CVE-2022-20685 | High | 7.5 | — | 2024-11-15 | A vulnerability in the Modbus preprocessor of the Snort detection engine could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to an integer overflow… |
CVE-2022-20853 | High | 7.4 | — | 2024-11-15 | A vulnerability in the REST API of Cisco Expressway Series and Cisco TelePresence VCS could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. This vulnerabil… |
CVE-2022-20814 | High | 7.4 | — | 2024-11-15 | A vulnerability in the certificate validation of Cisco Expressway-C and Cisco TelePresence VCS could allow an unauthenticated, remote attacker to gain unauthorized access to sensitive data. The vulnerability is due to… |
CVE-2022-20793 | Medium | 6.8 | — | 2024-11-15 | A vulnerability in pairing process of Cisco TelePresence CE Software and RoomOS Software for Cisco Touch 10 Devices could allow an unauthenticated, remote attacker to impersonate a legitimate device and pair with an affected devi… |
CVE-2021-34752 | Medium | 6.7 | — | 2024-11-15 | A vulnerability in the CLI of Cisco FTD Software could allow an authenticated, local attacker with administrative privileges to execute arbitrary commands with root privileges on the underlying operating system of an affected device. … |
CVE-2023-20090 | Medium | 6.7 | — | 2024-11-15 | A vulnerability in Cisco TelePresence CE and RoomOS could allow an authenticated, local attacker to elevate privileges to root on an affected device. This vulnerability is due to improper access control on certain CLI commands. |
CVE-2021-1491 | Medium | 6.5 | — | 2024-11-15 | A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to read arbitrary files on the underlying file system of the device. This vulnerability is due to in… |
CVE-2021-1484 | Medium | 6.5 | — | 2024-11-15 | A vulnerability in the web UI of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to inject arbitrary commands on an affected system and cause a denial of service (DoS) condition. This vulnerability is due… |
CVE-2022-20931 | Medium | 6.5 | — | 2024-11-15 | A vulnerability in the version control of Cisco TelePresence CE Software for Cisco Touch 10 Devices could allow an unauthenticated, adjacent attacker to install an older version of the software on an affected device. This vulner… |
CVE-2022-20656 | Medium | 6.5 | — | 2024-11-15 | A vulnerability in the web-based management interface of Cisco PI and Cisco EPNM could allow an authenticated, remote attacker to conduct a path traversal attack on an affected device. |
CVE-2022-20652 | Medium | 6.5 | — | 2024-11-15 | A vulnerability in the web-based management interface and in the API subsystem of Cisco Tetration could allow an authenticated, remote attacker to inject arbitrary commands to be executed with root-level privileges on the underlying o… |
CVE-2021-1483 | Medium | 6.4 | — | 2024-11-15 | A vulnerability in the web UI of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to gain read and write access to information that is stored on an affected system. This vulnerability is due to improper han… |
CVE-2021-1482 | Medium | 6.4 | — | 2024-11-15 | A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to bypass authorization checking and gain access to sensitive information on an affected system. Thi… |
CVE-2022-20871 | Medium | 6.3 | — | 2024-11-15 | A vulnerability in the web management interface of Cisco AsyncOS for Cisco Secure Web Appliance, formerly Cisco Web Security Appliance (WSA), could allow an authenticated, remote attacker to perform a command injection… |
CVE-2022-20632 | Medium | 6.1 | — | 2024-11-15 | A vulnerability in the web-based management interface of Cisco ECE could allow an unauthenticated, remote attacker to conduct an XSS attack against a user of the interface of an affected device. The vulnerability exists because the w… |
CVE-2023-20060 | Medium | 6.1 | — | 2024-11-15 | A vulnerability in the web-based management interface of Cisco Prime Collaboration Deployment could allow an unauthenticated, remote attacker to conduct a cross-site scripting attack against a user of the interface. This vulnerability e… |
CVE-2022-20849 | Medium | 6.1 | — | 2024-11-15 | A vulnerability in the Broadband Network Gateway PPP over Ethernet (PPPoE) feature of Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to cause the PPPoE process to continually crash. This vulnerability exists… |
CVE-2022-20663 | Medium | 6.1 | — | 2024-11-15 | A vulnerability in the web-based management interface of Cisco Secure Network Analytics, formerly Stealthwatch Enterprise, could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user o… |
CVE-2022-20657 | Medium | 6.1 | — | 2024-11-15 | A vulnerability in the web-based management interface of Cisco PI and Cisco EPNM could allow an unauthenticated, remote attacker to conduct an XSS attack against a user of the interface of an affected device. This vulnerability… |
CVE-2022-20654 | Medium | 6.1 | — | 2024-11-15 | A vulnerability in the web-based interface of Cisco Webex Meetings could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based interface. This vulnerability is due to… |
CVE-2022-20631 | Medium | 6.1 | — | 2024-11-15 | A vulnerability in the web-based management interface of Cisco ECE could allow an unauthenticated, remote attacker to conduct an XSS attack against a user of the interface of an affected device. The vulnerability exists because the w… |
CVE-2022-20845 | Medium | 6.0 | — | 2024-11-15 | A vulnerability in the TL1 function of Cisco Network Convergence System (NCS) 4000 Series could allow an authenticated, local attacker to cause a memory leak in the TL1 process. This vulnerability is due to TL1 not freeing memory und… |
CVE-2021-34753 | Medium | 5.8 | — | 2024-11-15 | A vulnerability in the payload inspection for Ethernet Industrial Protocol (ENIP) traffic for Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass configured rules for ENIP traffic. Thi… |
CVE-2021-1494 | Medium | 5.8 | — | 2024-11-15 | Multiple Cisco products are affected by a vulnerability in the Snort detection engine that could allow an unauthenticated, remote attacker to bypass a configured file policy for HTTP. The vulnerability is due to incorrect handling of spe… |
CVE-2023-20039 | Medium | 5.5 | — | 2024-11-15 | A vulnerability in Cisco IND could allow an authenticated, local attacker to read application data. This vulnerability is due to insufficient default file permissions that are applied to the application data directory. |
CVE-2022-20626 | Medium | 5.5 | — | 2024-11-15 | A vulnerability in the web-based management interface of Cisco Prime Access Registrar Appliance could allow an authenticated, remote attacker to conduct a cross-site scripting attack against a user of the interface. |
CVE-2021-1466 | Medium | 5.4 | — | 2024-11-15 | A vulnerability in the vDaemon service of Cisco SD-WAN vManage Software could allow an authenticated, local attacker to cause a buffer overflow on an affected system, resulting in a denial of service (DoS) condition. The vulnera… |
CVE-2022-20948 | Medium | 5.4 | — | 2024-11-15 | A vulnerability in the web management interface of Cisco BroadWorks Hosted Thin Receptionist could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerabi… |
CVE-2022-20633 | Medium | 5.3 | — | 2024-11-15 | A vulnerability in the web-based management interface of Cisco ECE could allow an unauthenticated, remote attacker to perform a username enumeration attack against an affected device. This vulnerability is due to differences in aut… |
CVE-2022-20766 | Medium | 5.3 | — | 2024-11-15 | A vulnerability in the Cisco Discovery Protocol functionality of Cisco ATA 190 Series Adaptive Telephone Adapter firmware could allow an unauthenticated, remote attacker to cause a DoS condition on an affected device. This vulne… |
CVE-2022-20648 | Medium | 5.3 | — | 2024-11-15 | A vulnerability in a debug function for Cisco RCM for Cisco StarOS Software could allow an unauthenticated, remote attacker to perform debug actions that could result in the disclosure of confidential information that should be r… |
CVE-2024-20373 | Medium | 5.3 | — | 2024-11-15 | A vulnerability in the implementation of the Simple Network Management Protocol (SNMP) IPv4 access control list (ACL) feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to perform SNMP p… |
CVE-2023-20091 | Medium | 5.1 | — | 2024-11-15 | A vulnerability in the CLI of Cisco TelePresence CE and RoomOS could allow an authenticated, local attacker to overwrite arbitrary files on the local file system of an affected device. This vulnerability is due to improper access contro… |
CVE-2021-1464 | Medium | 5.0 | — | 2024-11-15 | A vulnerability in Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to bypass authorization checking and gain restricted access to the configuration information of an affected system. This vulnerability exi… |
CVE-2021-1470 | Medium | 4.9 | — | 2024-11-15 | A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. This vulnerability is due to improper input… |
CVE-2022-20634 | Medium | 4.7 | — | 2024-11-15 | A vulnerability in the web-based management interface of Cisco ECE could allow an unauthenticated, remote attacker to redirect a user to an undesired web page. This vulnerability is due to improper input validation of the URL paramet… |
CVE-2023-20093 | Medium | 4.4 | — | 2024-11-15 | Three vulnerabilities in the CLI of Cisco TelePresence CE and RoomOS could allow an authenticated, local attacker to overwrite arbitrary files on the local file system of an affected device. These vulnerabilities are due to improper acc… |
CVE-2023-20092 | Medium | 4.4 | — | 2024-11-15 | Three vulnerabilities in the CLI of Cisco TelePresence CE and RoomOS could allow an authenticated, local attacker to overwrite arbitrary files on the local file system of an affected device. These vulnerabilities are due to improper acc… |
CVE-2023-20004 | Medium | 4.4 | — | 2024-11-15 | Three vulnerabilities in the CLI of Cisco TelePresence CE and RoomOS could allow an authenticated, local attacker to overwrite arbitrary files on the local file system of an affected device. These vulnerabilities are due to improper acc… |
CVE-2021-34751 | Medium | 4.3 | — | 2024-11-15 | A vulnerability in the administrative web-based GUI configuration manager of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to access sensitive configuration information. |
CVE-2021-34750 | Medium | 4.3 | — | 2024-11-15 | A vulnerability in the administrative web-based GUI configuration manager of Cisco Firepower Management Center Software could allow an authenticated, remote attacker to access sensitive configuration information. |
CVE-2021-1481 | Medium | 4.3 | — | 2024-11-15 | A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to conduct Cypher query language injection attacks on an affected system. This vulnerability is due… |
CVE-2023-20094 | Medium | 4.3 | — | 2024-11-15 | A vulnerability in Cisco TelePresence CE and RoomOS could allow an unauthenticated, adjacent attacker to view sensitive information on an affected device. This vulnerability exists because the affected software performs improper bounds… |
CVE-2022-20939 | Medium | 4.3 | — | 2024-11-15 | A vulnerability in the web-based management interface of Cisco Smart Software Manager On-Prem could allow an authenticated, remote attacker to elevate privileges on an affected system. This vulnerability is due to inadequate protecti… |
CVE-2022-20846 | Medium | 4.3 | — | 2024-11-15 | A vulnerability in the Cisco Discovery Protocol implementation for Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to cause the Cisco Discovery Protocol process to reload on an affected device. This… |
Ivanti · 45 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-50330 | Critical | 9.8 | — | 2024-11-12 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote unauthenticated attacker to achieve remote code execution. |
CVE-2024-39712 | Critical | 9.1 | — | 2024-11-13 | Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.7 and Ivanti Policy Secure before version 22.7R1.1 allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
CVE-2024-39711 | Critical | 9.1 | — | 2024-11-13 | Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.7 and Ivanti Policy Secure before version 22.7R1.1 allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
CVE-2024-39710 | Critical | 9.1 | — | 2024-11-13 | Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.7 and Ivanti Policy Secure before version 22.7R1.1 allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
CVE-2024-38656 | Critical | 9.1 | — | 2024-11-13 | Argument injection in Ivanti Connect Secure before version 22.7R2.2 and 9.1R18.9 and Ivanti Policy Secure before version 22.7R1.2 allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
CVE-2024-11006 | Critical | 9.1 | — | 2024-11-12 | Command injection in Ivanti Connect Secure before version 22.7R2.1 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1.1 (Not Applicable to 9.1Rx) allows a remote authenticated attacker with admin privileges to achieve… |
CVE-2024-11005 | Critical | 9.1 | — | 2024-11-12 | Command injection in Ivanti Connect Secure before version 22.7R2.1 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1.1 (Not Applicable to 9.1Rx) allows a remote authenticated attacker with admin privileges to achieve… |
CVE-2024-11007 | Critical | 9.1 | — | 2024-11-12 | Command injection in Ivanti Connect Secure before version 22.7R2.1 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1.1 (Not Applicable to 9.1Rx) allows a remote authenticated attacker with admin privileges to achieve… |
CVE-2024-9420 | High | 8.8 | — | 2024-11-12 | A use-after-free in Ivanti Connect Secure before version 22.7R2.3 and 9.1R18.9 and Ivanti Policy Secure before version 22.7R1.2 allows a remote authenticated attacker to achieve remote code execution. |
CVE-2024-50329 | High | 8.8 | — | 2024-11-12 | Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote unauthenticated attacker to achieve remote code execution. |
CVE-2024-39709 | High | 7.8 | — | 2024-11-13 | Incorrect file permissions in Ivanti Connect Secure before version 22.6R2 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1 (Not Applicable to 9.1Rx) allow a local authenticated attacker to escalate their privileges. |
CVE-2024-37398 | High | 7.8 | — | 2024-11-13 | Insufficient validation in Ivanti Secure Access Client before 22.7R4 allows a local authenticated attacker to escalate their privileges. |
CVE-2024-34787 | High | 7.8 | — | 2024-11-13 | Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a local unauthenticated attacker to achieve code execution. |
CVE-2024-50323 | High | 7.8 | — | 2024-11-12 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a local unauthenticated attacker to achieve code execution. |
CVE-2024-50322 | High | 7.8 | — | 2024-11-12 | Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a local unauthenticated attacker to achieve code execution. |
CVE-2024-47906 | High | 7.8 | — | 2024-11-12 | Excessive binary privileges in Ivanti Connect Secure before version 22.7R2.3 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1.2 (Not Applicable to 9.1Rx) allows a local authenticated attacker to escalate privileges. |
CVE-2024-38649 | High | 7.5 | — | 2024-11-13 | An out-of-bounds write in IPsec of Ivanti Connect Secure before version 22.7R2.1 (Not Applicable to 9.1Rx) allows a remote unauthenticated attacker to cause a denial of service. |
CVE-2024-37400 | High | 7.5 | — | 2024-11-13 | An out of bounds read in Ivanti Connect Secure before version 22.7R2.3 allows a remote unauthenticated attacker to trigger an infinite loop, causing a denial of service. |
CVE-2024-8495 | High | 7.5 | — | 2024-11-12 | A null pointer dereference in Ivanti Connect Secure before version 22.7R2.1 and Ivanti Policy Secure before version 22.7R1.1 allows a remote unauthenticated attacker to cause a denial of service. |
CVE-2024-50331 | High | 7.5 | — | 2024-11-12 | An out-of-bounds read vulnerability in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to leak sensitive information in memory. |
CVE-2024-50321 | High | 7.5 | — | 2024-11-12 | An infinite loop in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service. |
CVE-2024-50320 | High | 7.5 | — | 2024-11-12 | An infinite loop in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service. |
CVE-2024-50319 | High | 7.5 | — | 2024-11-12 | An infinite loop in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service. |
CVE-2024-50318 | High | 7.5 | — | 2024-11-12 | A null pointer dereference in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service. |
CVE-2024-50317 | High | 7.5 | — | 2024-11-12 | A null pointer dereference in Ivanti Avalanche before 6.4.6 allows a remote unauthenticated attacker to cause a denial of service. |
CVE-2024-47907 | High | 7.5 | — | 2024-11-12 | A stack-based buffer overflow in IPsec of Ivanti Connect Secure before version 22.7R2.3 allows a remote unauthenticated attacker to cause a denial of service. |
CVE-2024-38655 | High | 7.2 | — | 2024-11-13 | Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.9 and Ivanti Policy Secure before version 22.7R1.1 and 9.1R18.9 allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
CVE-2024-37376 | High | 7.2 | — | 2024-11-13 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
CVE-2024-34784 | High | 7.2 | — | 2024-11-13 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
CVE-2024-34782 | High | 7.2 | — | 2024-11-13 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
CVE-2024-34781 | High | 7.2 | — | 2024-11-13 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
CVE-2024-34780 | High | 7.2 | — | 2024-11-13 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
CVE-2024-32847 | High | 7.2 | — | 2024-11-13 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
CVE-2024-32844 | High | 7.2 | — | 2024-11-13 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
CVE-2024-32841 | High | 7.2 | — | 2024-11-13 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
CVE-2024-32839 | High | 7.2 | — | 2024-11-13 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
CVE-2024-50328 | High | 7.2 | — | 2024-11-12 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
CVE-2024-50327 | High | 7.2 | — | 2024-11-12 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
CVE-2024-50326 | High | 7.2 | — | 2024-11-12 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
CVE-2024-50324 | High | 7.2 | — | 2024-11-12 | Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
CVE-2024-11004 | Medium | 6.1 | — | 2024-11-12 | Reflected XSS in Ivanti Connect Secure before version 22.7R2.1 and Ivanti Policy Secure before version 22.7R1.1 allows a remote unauthenticated attacker to obtain admin privileges. |
CVE-2024-47909 | Medium | 4.9 | — | 2024-11-12 | A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.3 and Ivanti Policy Secure before version 22.7R1.2 allows a remote authenticated attacker with admin privileges to cause a denial of service. |
CVE-2024-47905 | Medium | 4.9 | — | 2024-11-12 | A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.3 and Ivanti Policy Secure before version 22.7R1.2 allows a remote authenticated attacker with admin privileges to cause a denial of service. |
CVE-2024-29211 | Medium | 4.7 | — | 2024-11-13 | A race condition in Ivanti Secure Access Client before version 22.7R4 allows a local authenticated attacker to modify sensitive configuration files. |
CVE-2024-38654 | Medium | 4.4 | — | 2024-11-13 | Improper bounds checking in Ivanti Secure Access Client before version 22.7R3 allows a local authenticated attacker with admin privileges to cause a denial of service. |
Google · 35 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-43091 | Critical | 9.8 | — | 2024-11-13 | In filterMask of SkEmbossMaskFilter.cpp, there is a possible out of bounds write due to an integer overflow. |
CVE-2024-11113 | High | 8.8 | — | 2024-11-12 | Use after free in Accessibility in Google Chrome prior to 131.0.6778.69 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. |
CVE-2017-13314 | High | 7.8 | — | 2024-11-15 | In setAllowOnlyVpnForUids of NetworkManagementService.java, there is a possible security settings bypass due to a missing permission check. |
CVE-2017-13312 | High | 7.8 | — | 2024-11-15 | In createFromParcel of MediaCas.java, there is a possible parcel read/write mismatch due to improper input validation. |
CVE-2017-13310 | High | 7.8 | — | 2024-11-15 | In createFromParcel of ViewPager.java, there is a possible read/write serialization issue leading to a permissions bypass. |
CVE-2024-43089 | High | 7.8 | — | 2024-11-13 | In updateInternal of MediaProvider.java, there is a possible access of another app's files due to a missing permission check. |
CVE-2024-43088 | High | 7.8 | — | 2024-11-13 | In multiple functions in AppInfoBase.java, there is a possible way to manipulate app permission settings belonging to another user on the device due to a missing permission check. |
CVE-2024-43087 | High | 7.8 | — | 2024-11-13 | In getInstalledAccessibilityPreferences of AccessibilitySettings.java, there is a possible way to hide an enabled accessibility service in the accessibility service settings due to a logic error in the code. |
CVE-2024-43085 | High | 7.8 | — | 2024-11-13 | In handleMessage of UsbDeviceManager.java, there is a possible method to access device contents over USB without unlocking the device due to a logic error in the code. |
CVE-2024-43081 | High | 7.8 | — | 2024-11-13 | In installExistingPackageAsUser of InstallPackageHelper.java, there is a possible carrier restriction bypass due to a logic error in the code. |
CVE-2024-43080 | High | 7.8 | — | 2024-11-13 | In onReceive of AppRestrictionsFragment.java, there is a possible escalation of privilege due to unsafe deserialization. |
CVE-2024-40671 | High | 7.8 | — | 2024-11-13 | In DevmemIntChangeSparse2 of devicemem_server.c, there is a possible way to achieve arbitrary code execution due to a missing permission check. |
CVE-2024-40661 | High | 7.8 | — | 2024-11-13 | In mayAdminGrantPermission of AdminRestrictedPermissionsUtils.java, there is a possible way to access the microphone due to a missing permission check. |
CVE-2024-40660 | High | 7.8 | — | 2024-11-13 | In setTransactionState of SurfaceFlinger.cpp, there is a possible way to change protected display attributes due to a logic error in the code. |
CVE-2024-34747 | High | 7.8 | — | 2024-11-13 | In DevmemXIntMapPages of devicemem_server.c, there is a possible use-after-free due to a logic error in the code. |
CVE-2024-34729 | High | 7.8 | — | 2024-11-13 | In multiple locations, there is a possible arbitrary code execution due to a logic error in the code. |
CVE-2024-34719 | High | 7.8 | — | 2024-11-13 | In multiple locations, there is a possible permissions bypass due to a missing null check. |
CVE-2024-31337 | High | 7.8 | — | 2024-11-13 | In PVRSRVRGXKickTA3DKM of rgxta3d.c, there is a possible arbitrary code execution due to improper input validation. |
CVE-2024-23715 | High | 7.8 | — | 2024-11-13 | In PMRWritePMPageList of pmr.c, there is a possible out of bounds write due to a logic error in the code. |
CVE-2023-35686 | High | 7.8 | — | 2024-11-13 | In PVRSRVRGXKickTA3DKM of rgxta3d.c, there is a possible arbitrary code execution due to improper input validation. |
CVE-2023-35659 | High | 7.8 | — | 2024-11-13 | In DevmemIntChangeSparse of devicemem_server.c, there is a possible arbitrary code execution due to a logic error in the code. |
CVE-2024-43093 | High | 7.3 | KEV | 2024-11-13 | In shouldHideDocument of ExternalStorageProvider.java, there is a possible bypass of a file path filter designed to prevent access to sensitive directories due to incorrect unicode normalization. |
CVE-2017-13311 | Medium | 6.7 | — | 2024-11-15 | In the read() function of ProcessStats.java, there is a possible read/write serialization issue leading to a permissions bypass. |
CVE-2017-13313 | Medium | 6.5 | — | 2024-11-15 | In ElementaryStreamQueue::dequeueAccessUnitMPEG4Video of ESQueue.cpp, there is a possible infinite loop leading to resource exhaustion due to an incorrect bounds check. |
CVE-2024-11110 | Medium | 6.5 | — | 2024-11-12 | Inappropriate implementation in Extensions in Google Chrome prior to 131.0.6778.69 allowed a remote attacker to bypass site isolation via a crafted Chrome Extension. |
CVE-2017-13309 | Medium | 5.5 | — | 2024-11-15 | In readEncryptedData of ConscryptEngine.java, there is a possible plaintext leak due to improperly used crypto. |
CVE-2017-13227 | Medium | 5.5 | — | 2024-11-14 | In the autofill service, the package name that is provided by the app process is trusted inappropriately. |
CVE-2024-43086 | Medium | 5.5 | — | 2024-11-13 | In validateAccountsInternal of AccountManagerService.java, there is a possible way to leak account credentials to a third party app due to a confused deputy. |
CVE-2024-43084 | Medium | 5.5 | — | 2024-11-13 | In visitUris of multiple files, there is a possible information disclosure due to a confused deputy. |
CVE-2024-43083 | Medium | 5.5 | — | 2024-11-13 | In validate of WifiConfigurationUtil.java, there is a possible persistent denial of service due to resource exhaustion. |
CVE-2024-43082 | Medium | 5.5 | — | 2024-11-13 | In onActivityResult of EditUserPhotoController.java, there is a possible cross-user media read due to a confused deputy. |
CVE-2024-43090 | Medium | 5.0 | — | 2024-11-13 | In multiple locations, there is a possible cross-user image read due to a missing permission check. |
CVE-2024-11117 | Medium | 4.3 | — | 2024-11-12 | Inappropriate implementation in FileSystem in Google Chrome prior to 131.0.6778.69 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page. |
CVE-2024-11116 | Medium | 4.3 | — | 2024-11-12 | Inappropriate implementation in Blink in Google Chrome prior to 131.0.6778.69 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. |
CVE-2024-11111 | Medium | 4.3 | — | 2024-11-12 | Inappropriate implementation in Autofill in Google Chrome prior to 131.0.6778.69 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. |
Adobe · 23 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-49525 | High | 7.8 | — | 2024-11-12 | Substance3D - Painter versions 10.1.0 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2024-49520 | High | 7.8 | — | 2024-11-12 | Substance3D - Painter versions 10.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2024-49519 | High | 7.8 | — | 2024-11-12 | Substance3D - Painter versions 10.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2024-49518 | High | 7.8 | — | 2024-11-12 | Substance3D - Painter versions 10.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2024-49517 | High | 7.8 | — | 2024-11-12 | Substance3D - Painter versions 10.1.0 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2024-49516 | High | 7.8 | — | 2024-11-12 | Substance3D - Painter versions 10.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2024-49515 | High | 7.8 | — | 2024-11-12 | Substance3D - Painter versions 10.1.0 and earlier are affected by an Untrusted Search Path vulnerability that might allow attackers to execute arbitrary code. |
CVE-2024-47434 | High | 7.8 | — | 2024-11-12 | Substance3D - Painter versions 10.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2024-47433 | High | 7.8 | — | 2024-11-12 | Substance3D - Painter versions 10.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2024-47432 | High | 7.8 | — | 2024-11-12 | Substance3D - Painter versions 10.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2024-47431 | High | 7.8 | — | 2024-11-12 | Substance3D - Painter versions 10.1.0 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2024-47430 | High | 7.8 | — | 2024-11-12 | Substance3D - Painter versions 10.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2024-47429 | High | 7.8 | — | 2024-11-12 | Substance3D - Painter versions 10.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2024-47428 | High | 7.8 | — | 2024-11-12 | Substance3D - Painter versions 10.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2024-47427 | High | 7.8 | — | 2024-11-12 | Substance3D - Painter versions 10.1.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2024-47426 | High | 7.8 | — | 2024-11-12 | Substance3D - Painter versions 10.1.0 and earlier are affected by a Double Free vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2024-49521 | High | 7.7 | — | 2024-11-12 | Adobe Commerce versions 3.2.5 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could lead to a security feature bypass. |
CVE-2024-47440 | Medium | 5.5 | — | 2024-11-12 | Substance3D - Painter versions 10.1.0 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. |
CVE-2024-47439 | Medium | 5.5 | — | 2024-11-12 | Substance3D - Painter versions 10.1.0 and earlier are affected by a NULL Pointer Dereference vulnerability that could result in an application denial-of-service. |
CVE-2024-47438 | Medium | 5.5 | — | 2024-11-12 | Substance3D - Painter versions 10.1.0 and earlier are affected by a Write-what-where Condition vulnerability that could lead to a memory leak. |
CVE-2024-47437 | Medium | 5.5 | — | 2024-11-12 | Substance3D - Painter versions 10.1.0 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. |
CVE-2024-47436 | Medium | 5.5 | — | 2024-11-12 | Substance3D - Painter versions 10.1.0 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. |
CVE-2024-47435 | Medium | 5.5 | — | 2024-11-12 | Substance3D - Painter versions 10.1.0 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. |
Siemens · 22 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-44102 | Critical | 10.0 | — | 2024-11-12 | A vulnerability has been identified in PP TeleControl Server Basic 1000 to 5000 V3.1 (6NH9910-0AA31-0AE1) (All versions < V3.1.2.1 with redundancy configured), PP TeleControl Server Basic 256 to 1000 V3.1 (6NH9910-0AA31-0AD1) (All versions… |
CVE-2024-46888 | Critical | 9.9 | — | 2024-11-12 | A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 3). |
CVE-2024-46890 | Critical | 9.1 | — | 2024-11-12 | A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 3). |
CVE-2024-47808 | High | 8.4 | — | 2024-11-12 | A vulnerability has been identified in SINEC NMS (All versions < V3.0 SP1). |
CVE-2024-47941 | High | 7.8 | — | 2024-11-12 | A vulnerability has been identified in Solid Edge SE2024 (All versions < V224.0 Update 9). |
CVE-2024-47940 | High | 7.8 | — | 2024-11-12 | A vulnerability has been identified in Solid Edge SE2024 (All versions < V224.0 Update 9). |
CVE-2024-47783 | High | 7.8 | — | 2024-11-12 | A vulnerability has been identified in SIPORT (All versions < V3.4.0). |
CVE-2024-29119 | High | 7.8 | — | 2024-11-12 | A vulnerability has been identified in Spectrum Power 7 (All versions < V24Q3). |
CVE-2024-50310 | High | 7.5 | — | 2024-11-12 | A vulnerability has been identified in SIMATIC CP 1543-1 V4.0 (6GK7543-1AX10-0XE0) (All versions >= V4.0.44 < V4.0.50). |
CVE-2024-47942 | High | 7.3 | — | 2024-11-12 | A vulnerability has been identified in Solid Edge SE2024 (All versions < V224.0 Update 9). |
CVE-2023-32736 | High | 7.3 | — | 2024-11-12 | A vulnerability has been identified in SIMATIC S7-PLCSIM V16 (All versions), SIMATIC S7-PLCSIM V17 (All versions), SIMATIC STEP 7 Safety V16 (All versions), SIMATIC STEP 7 Safety V17 (All versions < V17 Update 8), SIMATIC STEP 7 Safety V18… |
CVE-2024-50572 | High | 7.2 | — | 2024-11-12 | A vulnerability has been identified in RUGGEDCOM RM1224 LTE(4G) EU (6GK6108-4AM00-2BA2) (All versions < V8.2), RUGGEDCOM RM1224 LTE(4G) NAM (6GK6108-4AM00-2DA2) (All versions < V8.2), SCALANCE M804PB (6GK5804-0AP00-2AA2) (All versions < V8… |
CVE-2024-50557 | High | 7.2 | — | 2024-11-12 | A vulnerability has been identified in RUGGEDCOM RM1224 LTE(4G) EU (6GK6108-4AM00-2BA2) (All versions < V8.2), RUGGEDCOM RM1224 LTE(4G) NAM (6GK6108-4AM00-2DA2) (All versions < V8.2), SCALANCE M804PB (6GK5804-0AP00-2AA2) (All versions < V8… |
CVE-2024-36140 | Medium | 6.8 | — | 2024-11-12 | A vulnerability has been identified in OZW672 (All versions < V5.2), OZW772 (All versions < V5.2). |
CVE-2024-46894 | Medium | 6.3 | — | 2024-11-12 | A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 3). |
CVE-2024-46891 | Medium | 5.3 | — | 2024-11-12 | A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 3). |
CVE-2024-46889 | Medium | 5.3 | — | 2024-11-12 | A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 3). |
CVE-2024-46892 | Medium | 4.9 | — | 2024-11-12 | A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 3). |
CVE-2024-50561 | Medium | 4.3 | — | 2024-11-12 | A vulnerability has been identified in RUGGEDCOM RM1224 LTE(4G) EU (6GK6108-4AM00-2BA2) (All versions < V8.2), RUGGEDCOM RM1224 LTE(4G) NAM (6GK6108-4AM00-2DA2) (All versions < V8.2), SCALANCE M804PB (6GK5804-0AP00-2AA2) (All versions < V8… |
CVE-2024-50559 | Medium | 4.3 | — | 2024-11-12 | A vulnerability has been identified in RUGGEDCOM RM1224 LTE(4G) EU (6GK6108-4AM00-2BA2) (All versions < V8.2), RUGGEDCOM RM1224 LTE(4G) NAM (6GK6108-4AM00-2DA2) (All versions < V8.2), SCALANCE M804PB (6GK5804-0AP00-2AA2) (All versions < V8… |
CVE-2024-50558 | Medium | 4.3 | — | 2024-11-12 | A vulnerability has been identified in RUGGEDCOM RM1224 LTE(4G) EU (6GK6108-4AM00-2BA2) (All versions < V8.2), RUGGEDCOM RM1224 LTE(4G) NAM (6GK6108-4AM00-2DA2) (All versions < V8.2), SCALANCE M804PB (6GK5804-0AP00-2AA2) (All versions < V8… |
CVE-2024-50560 | Low | 3.1 | — | 2024-11-12 | A vulnerability has been identified in RUGGEDCOM RM1224 LTE(4G) EU (6GK6108-4AM00-2BA2) (All versions < V8.2), RUGGEDCOM RM1224 LTE(4G) NAM (6GK6108-4AM00-2DA2) (All versions < V8.2), SCALANCE M804PB (6GK5804-0AP00-2AA2) (All versions < V8… |
Lopalopa · 20 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-50823 | Critical | 9.8 | — | 2024-11-14 | A SQL Injection vulnerability was found in /admin/login.php in kashipara E-learning Management System Project 1.0 via the username and password parameters. |
CVE-2024-50833 | Critical | 9.8 | — | 2024-11-14 | A SQL Injection vulnerability was found in /login.php in KASHIPARA E-learning Management System Project 1.0 via the username and password parameters. |
CVE-2024-50831 | High | 7.2 | — | 2024-11-14 | A SQL Injection was found in /admin/admin_user.php in kashipara E-learning Management System Project 1.0 via the username and password parameters. |
CVE-2024-50830 | High | 7.2 | — | 2024-11-14 | A SQL Injection vulnerability was found in /admin/calendar_of_events.php in kashipara E-learning Management System Project 1.0 via the date_start, date_end, and title parameters. |
CVE-2024-50829 | High | 7.2 | — | 2024-11-14 | A SQL Injection vulnerability was found in /admin/edit_subject.php in kashipara E-learning Management System Project 1.0 via the unit parameter. |
CVE-2024-50828 | High | 7.2 | — | 2024-11-14 | A SQL Injection vulnerability was found in /admin/edit_department.php in kashipara E-learning Management System Project 1.0 via the d parameter. |
CVE-2024-50827 | High | 7.2 | — | 2024-11-14 | A SQL Injection vulnerability was found in /admin/add_subject.php in kashipara E-learning Management System Project 1.0 via the subject_code parameter. |
CVE-2024-50826 | High | 7.2 | — | 2024-11-14 | A SQL Injection vulnerability was found in /admin/add_content.php in kashipara E-learning Management System Project 1.0 via the title and content parameters. |
CVE-2024-50825 | High | 7.2 | — | 2024-11-14 | A SQL Injection vulnerability was found in /admin/school_year.php in kashipara E-learning Management System Project 1.0 via the school_year parameter. |
CVE-2024-50824 | High | 7.2 | — | 2024-11-14 | A SQL Injection vulnerability was found in /admin/class.php in kashipara E-learning Management System Project 1.0 via the class_name parameter. |
CVE-2024-50835 | High | 7.2 | — | 2024-11-14 | A SQL Injection vulnerability was found in /admin/edit_student.php in KASHIPARA E-learning Management System Project 1.0 via the cys, un, ln, fn, and id parameters. |
CVE-2024-50834 | High | 7.2 | — | 2024-11-14 | A SQL Injection was found in /admin/teachers.php in KASHIPARA E-learning Management System Project 1.0 via the firstname and lastname parameters. |
CVE-2024-50832 | High | 7.2 | — | 2024-11-14 | A SQL Injection vulnerability was found in /admin/edit_class.php in kashipara E-learning Management System Project 1.0 via the class_name parameter. |
CVE-2024-50838 | Medium | 5.4 | — | 2024-11-14 | A Stored Cross-Site Scripting (XSS) vulnerability was found in /admin/department.php in KASHIPARA E-learning Management System Project 1.0. |
CVE-2024-50837 | Medium | 5.4 | — | 2024-11-14 | A Stored Cross-Site Scripting (XSS) vulnerability was found in /admin/admin_user.php in KASHIPARA E-learning Management System Project 1.0. |
CVE-2024-50842 | Medium | 5.4 | — | 2024-11-14 | A Stored Cross-Site Scripting (XSS) vulnerability was found in /admin/school_year.php in KASHIPARA E-learning Management System Project 1.0. |
CVE-2024-50841 | Medium | 5.4 | — | 2024-11-14 | A Stored Cross-Site Scripting (XSS) vulnerability was found in /admin/calendar_of_events.php in KASHIPARA E-learning Management System Project 1.0. |
CVE-2024-50840 | Medium | 5.4 | — | 2024-11-14 | A Stored Cross-Site Scripting (XSS) vulnerability was found in /admin/class.php in KASHIPARA E-learning Management System Project 1.0. |
CVE-2024-50839 | Medium | 5.4 | — | 2024-11-14 | A Stored Cross-Site Scripting (XSS) vulnerability was found in /admin/add_subject.php in KASHIPARA E-learning Management System Project 1.0. |
CVE-2024-50836 | Medium | 4.8 | — | 2024-11-14 | A Stored Cross-Site Scripting (XSS) vulnerability was found in /admin/teachers.php in KASHIPARA E-learning Management System Project 1.0. |
Fortinet · 17 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-36513 | High | 8.2 | — | 2024-11-12 | A privilege context switching error vulnerability [CWE-270] in FortiClient Windows version 7.2.4 and below, version 7.0.12 and below, 6.4 all versions may allow an authenticated user to escalate their privileges via lua auto patch scripts. |
CVE-2024-47574 | High | 7.8 | — | 2024-11-13 | An authentication bypass using an alternate path or channel in Fortinet FortiClientWindows version 7.4.0, versions 7.2.4 through 7.2.0, versions 7.0.12 through 7.0.0, and 6.4.10 through 6.4.0 allows a low privilege attacker to execute arbitra… |
CVE-2024-40592 | High | 7.5 | — | 2024-11-12 | An improper verification of cryptographic signature vulnerability [CWE-347] in FortiClient MacOS version 7.4.0, version 7.2.4 and below, version 7.0.10 and below, version 6.4.10 and below may allow a local authenticated attacker to swap th… |
CVE-2024-23666 | High | 7.5 | — | 2024-11-12 | A client-side enforcement of server-side security in Fortinet FortiAnalyzer-BigData at least version 7.4.0 and 7.2.0 through 7.2.6 and 7.0.1 through 7.0.6 and 6.4.5 through 6.4.7 and 6.2.5, FortiManager version 7.4.0 through 7.4.1 and 7… |
CVE-2023-50176 | High | 7.5 | — | 2024-11-12 | A session fixation in Fortinet FortiOS version 7.4.0 through 7.4.3 and 7.2.0 through 7.2.7 and 7.0.0 through 7.0.13 allows an attacker to execute unauthorized code or commands via a phishing SAML authentication link. |
CVE-2024-36507 | High | 7.3 | — | 2024-11-12 | An untrusted search path in Fortinet FortiClientWindows versions 7.4.0, versions 7.2.4 through 7.2.0, versions 7.0.12 through 7.0.0 allows an attacker to run arbitrary code via DLL hijacking and social engineering. |
CVE-2024-32118 | Medium | 6.7 | — | 2024-11-12 | Multiple improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerabilities [CWE-78] in Fortinet FortiManager version 7.4.0 through 7.4.2 and before 7.2.5, Fortinet FortiAnalyzer version 7.4.0 throug… |
CVE-2024-31496 | Medium | 6.7 | — | 2024-11-12 | A stack-based buffer overflow vulnerability [CWE-121] in Fortinet FortiManager version 7.4.0 through 7.4.2 and before 7.2.5, FortiAnalyzer version 7.4.0 through 7.4.2 and before 7.2.5 and FortiAnalyzer-BigData 7.4.0 and before 7.2.7 allows… |
CVE-2024-33505 | Medium | 5.6 | — | 2024-11-12 | A heap-based buffer overflow in Fortinet FortiAnalyzer version 7.4.0 through 7.4.2, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0 through 6.4.14, FortiManager version 7.4.0 through 7.4.2, 7.2.0 through 7.2.5, 7.0.0 through 7.0.12, 6.4.0… |
CVE-2023-47543 | Medium | 5.4 | — | 2024-11-12 | An authorization bypass through user-controlled key vulnerability [CWE-639] in Fortinet FortiPortal version 7.0.0 through 7.0.3 allows an authenticated attacker to interact with resources of other organizations via HTTP or HTTPS requests. |
CVE-2024-26011 | Medium | 5.3 | — | 2024-11-12 | A missing authentication for critical function in Fortinet FortiManager version 7.4.0 through 7.4.2, 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.14, FortiPAM version 1.2.0, 1.1.0 through 1.1.2, 1.0.0 through 1.0.3, FortiPr… |
CVE-2024-32116 | Medium | 5.1 | — | 2024-11-12 | Multiple relative path traversal vulnerabilities [CWE-23] in Fortinet FortiManager version 7.4.0 through 7.4.2 and before 7.2.5, FortiAnalyzer version 7.4.0 through 7.4.2 and before 7.2.5 and FortiAnalyzer-BigData version 7.4.0 and before… |
CVE-2024-32117 | Medium | 4.9 | — | 2024-11-12 | An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability [CWE-22] in Fortinet FortiManager version 7.4.0 through 7.4.2 and below 7.2.5, FortiAnalyzer version 7.4.0 through 7.4.2 and below 7.2.5 & Fort… |
CVE-2024-33510 | Medium | 4.3 | — | 2024-11-12 | An improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability [CWE-74] in FortiOS version 7.4.3 and below, version 7.2.8 and below, version 7.0.16 and below; FortiProxy version 7.4.3 an… |
CVE-2024-36509 | Medium | 4.2 | — | 2024-11-12 | An exposure of sensitive system information to an unauthorized control sphere vulnerability [CWE-497] in FortiWeb version 7.6.0, version 7.4.3 and below, version 7.2.10 and below, version 7.0.10 and below, version 6.3.23 and below may allo… |
CVE-2023-44255 | Medium | 4.1 | — | 2024-11-12 | An exposure of sensitive information to an unauthorized actor [CWE-200] in Fortinet FortiManager before 7.4.2, FortiAnalyzer before 7.4.2 and FortiAnalyzer-BigData before 7.2.5 may allow a privileged attacker with administrative read permi… |
CVE-2024-35274 | Low | 2.3 | — | 2024-11-12 | An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability [CWE-22] in Fortinet FortiAnalyzer versions below 7.4.2, Fortinet FortiManager versions below 7.4.2 and Fortinet FortiAnalyzer-BigData version… |
Nextcloud · 17 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-52508 | High | 8.2 | — | 2024-11-15 | Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. |
CVE-2024-52511 | Medium | 6.3 | — | 2024-11-15 | Nextcloud Tables allows users to create tables with individual columns. |
CVE-2024-52520 | Medium | 5.7 | — | 2024-11-15 | Nextcloud Server is a self hosted personal cloud system. |
CVE-2024-52515 | Medium | 5.7 | — | 2024-11-15 | Nextcloud Server is a self hosted personal cloud system. |
CVE-2024-52523 | Medium | 4.6 | — | 2024-11-15 | Nextcloud Server is a self hosted personal cloud system. |
CVE-2024-52517 | Medium | 4.6 | — | 2024-11-15 | Nextcloud Server is a self hosted personal cloud system. |
CVE-2024-52518 | Medium | 4.4 | — | 2024-11-15 | Nextcloud Server is a self hosted personal cloud system. |
CVE-2024-52510 | Medium | 4.2 | — | 2024-11-15 | The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with your computer. |
CVE-2024-52514 | Medium | 4.1 | — | 2024-11-15 | Nextcloud Server is a self hosted personal cloud system. |
CVE-2024-52509 | Low | 3.5 | — | 2024-11-15 | Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. |
CVE-2024-52507 | Low | 3.5 | — | 2024-11-15 | Nextcloud Tables allows users to create tables with individual columns. |
CVE-2024-52512 | Low | 3.3 | — | 2024-11-15 | user_oidc app is an OpenID Connect user backend for Nextcloud. |
CVE-2024-52516 | Low | 3.0 | — | 2024-11-15 | Nextcloud Server is a self hosted personal cloud system. |
CVE-2024-52519 | Low | 2.7 | — | 2024-11-15 | Nextcloud Server is a self hosted personal cloud system. |
CVE-2024-52513 | Low | 2.6 | — | 2024-11-15 | Nextcloud Server is a self hosted personal cloud system. |
CVE-2024-52521 | Low | 2.6 | — | 2024-11-15 | Nextcloud Server is a self hosted personal cloud system. |
CVE-2024-52525 | Low | 1.8 | — | 2024-11-15 | Nextcloud Server is a self hosted personal cloud system. |
Intel · 14 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-36482 | High | 8.2 | — | 2024-11-13 | Improper input validation in some Intel(R) CIP software before version 2.4.10852 may allow a privileged user to potentially enable escalation of privilege via local access. |
CVE-2024-32483 | High | 8.2 | — | 2024-11-13 | Improper access control for some Intel(R) EMA software before version 1.13.1.0 may allow an authenticated user to potentially enable escalation of privilege via local access. |
CVE-2024-41167 | High | 7.5 | — | 2024-11-13 | Improper input validation in UEFI firmware in some Intel(R) Server Board M10JNP2SB Family may allow a privileged user to potentially enable escalation of privilege via local access. |
CVE-2024-39609 | High | 7.5 | — | 2024-11-13 | Improper Access Control in UEFI firmware for some Intel(R) Server Board M70KLP may allow a privileged user to potentially enable escalation of privilege via local access. |
CVE-2024-36488 | High | 7.3 | — | 2024-11-13 | Improper Access Control in some Intel(R) DSA before version 24.3.26.8 may allow an authenticated user to potentially enable escalation of privilege via local access. |
CVE-2024-29079 | Medium | 6.8 | — | 2024-11-13 | Insufficient control flow management in some Intel(R) VROC software before version 8.6.0.3001 may allow an authenticated user to potentially enable escalation of privilege via local access. |
CVE-2024-36294 | Medium | 6.7 | — | 2024-11-13 | Insecure inherited permissions for some Intel(R) DSA software before version 24.3.26.8 may allow an authenticated user to potentially enable escalation of privilege via local access. |
CVE-2024-36276 | Medium | 6.7 | — | 2024-11-13 | Insecure inherited permissions for some Intel(R) CIP software before version 2.4.10852 may allow an authenticated user to potentially enable escalation of privilege via local access. |
CVE-2024-36245 | Medium | 6.7 | — | 2024-11-13 | Uncontrolled search path element in some Intel(R) VTune(TM) Profiler software before version 2024.2.0 may allow an authenticated user to potentially enable escalation of privilege via local access. |
CVE-2024-23198 | Medium | 6.6 | — | 2024-11-13 | Improper input validation in firmware for some Intel(R) PROSet/Wireless Software and Intel(R) Killer(TM) Wi-Fi products before version 23.40 may allow an unauthenticated user to enable denial of service via adjacent access. |
CVE-2024-37027 | Medium | 6.1 | — | 2024-11-13 | Improper Input validation in some Intel(R) VTune(TM) Profiler software before version 2024.2.0 may allow an authenticated user to potentially enable denial of service via local access. |
CVE-2024-28049 | Medium | 5.7 | — | 2024-11-13 | Improper input validation in firmware for some Intel(R) PROSet/Wireless Software and Intel(R) Killer(TM) Wi-Fi wireless products before version 23.40 may allow an unauthenticated user to enable denial of service via adjacent access. |
CVE-2024-32485 | Low | 3.9 | — | 2024-11-13 | Improper Input Validation in some Intel(R) VROC software before version 8.6.0.2003 may allow an authenticated user to potentially enable denial of service via local access. |
CVE-2024-25563 | Low | 3.4 | — | 2024-11-13 | Improper initialization in firmware for some Intel(R) PROSet/Wireless Software and Intel(R) Killer(TM) Wi-Fi before version 23.40 may allow a privileged user to potentially enable information disclosure via local access. |
LibreNMS · 13 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-49754 | High | 7.5 | — | 2024-11-15 | LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. |
CVE-2024-52526 | Medium | 4.8 | — | 2024-11-15 | LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. |
CVE-2024-51497 | Medium | 4.8 | — | 2024-11-15 | LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. |
CVE-2024-51496 | Medium | 4.8 | — | 2024-11-15 | LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. |
CVE-2024-51495 | Medium | 4.8 | — | 2024-11-15 | LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. |
CVE-2024-51494 | Medium | 4.8 | — | 2024-11-15 | LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. |
CVE-2024-50355 | Medium | 4.8 | — | 2024-11-15 | LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. |
CVE-2024-50352 | Medium | 4.8 | — | 2024-11-15 | LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. |
CVE-2024-50351 | Medium | 4.8 | — | 2024-11-15 | LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. |
CVE-2024-50350 | Medium | 4.8 | — | 2024-11-15 | LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. |
CVE-2024-49764 | Medium | 4.8 | — | 2024-11-15 | LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. |
CVE-2024-49759 | Medium | 4.8 | — | 2024-11-15 | LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. |
CVE-2024-49758 | Medium | 4.8 | — | 2024-11-15 | LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. |
AMD · 11 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-21976 | High | 8.8 | — | 2024-11-12 | Improper input validation in the NPU driver could allow an attacker to supply a specially crafted pointer potentially leading to arbitrary code execution. |
CVE-2024-21975 | High | 8.8 | — | 2024-11-12 | Improper input validation in the NPU driver could allow an attacker to supply a specially crafted pointer potentially leading to arbitrary code execution. |
CVE-2024-21974 | High | 8.8 | — | 2024-11-12 | Improper input validation in the NPU driver could allow an attacker to supply a specially crafted pointer potentially leading to arbitrary code execution. |
CVE-2024-21958 | High | 7.3 | — | 2024-11-12 | Incorrect default permissions in the AMD Provisioning Console installation directory could allow an attacker to achieve privilege escalation, potentially resulting in arbitrary code execution. |
CVE-2024-21957 | High | 7.3 | — | 2024-11-12 | Incorrect default permissions in the AMD Management Console installation directory could allow an attacker to achieve privilege escalation potentially resulting in arbitrary code execution. |
CVE-2024-21946 | High | 7.3 | — | 2024-11-12 | Incorrect default permissions in the AMD Ryzen™ Master Utility installation directory could allow an attacker to achieve privilege escalation potentially resulting in arbitrary code execution. |
CVE-2024-21945 | High | 7.3 | — | 2024-11-12 | Incorrect default permissions in the AMD Ryzen™ Master monitoring SDK installation directory could allow an attacker to achieve privilege escalation potentially resulting in arbitrary code execution. |
CVE-2024-21939 | High | 7.3 | — | 2024-11-12 | Incorrect default permissions in the AMD Cloud Manageability Service (ACMS) Software installation directory could allow an attacker to achieve privilege escalation potentially resulting in arbitrary code execution. |
CVE-2024-21938 | High | 7.3 | — | 2024-11-12 | Incorrect default permissions in the AMD Management Plugin for the Microsoft® System Center Configuration Manager (SCCM) installation directory could allow an attacker to achieve privilege escalation, potentially resulting in arbitrary cod… |
CVE-2024-21937 | High | 7.3 | — | 2024-11-12 | Incorrect default permissions in the AMD HIP SDK installation directory could allow an attacker to achieve privilege escalation potentially resulting in arbitrary code execution. |
CVE-2024-21949 | Medium | 5.5 | — | 2024-11-12 | Improper validation of user input in the NPU driver could allow an attacker to provide a buffer with unexpected size, potentially leading to system crash. |
GLPI-project · 11 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-40638 | High | 8.1 | — | 2024-11-15 | GLPI is a free asset and IT management software package. |
CVE-2024-45610 | Medium | 6.5 | — | 2024-11-15 | GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. |
CVE-2024-45609 | Medium | 6.5 | — | 2024-11-15 | GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. |
CVE-2024-45608 | Medium | 6.5 | — | 2024-11-15 | GLPI is a free asset and IT management software package. |
CVE-2024-43418 | Medium | 6.5 | — | 2024-11-15 | GLPI is a free asset and IT management software package. |
CVE-2024-43417 | Medium | 6.5 | — | 2024-11-15 | GLPI is a free asset and IT management software package. |
CVE-2024-41679 | Medium | 6.5 | — | 2024-11-15 | GLPI is a free asset and IT management software package. |
CVE-2024-41678 | Medium | 6.5 | — | 2024-11-15 | GLPI is a free asset and IT management software package. |
CVE-2024-45611 | Medium | 5.7 | — | 2024-11-15 | GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. |
CVE-2024-38370 | Medium | 5.3 | — | 2024-11-15 | GLPI is a free asset and IT management software package. |
CVE-2024-47759 | Medium | 4.8 | — | 2024-11-15 | GLPI is a free Asset and IT management software package. |
Anisha · 10 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-11241 | High | 7.3 | — | 2024-11-15 | A vulnerability was found in code-projects Job Recruitment 1.0. |
CVE-2024-11099 | High | 7.3 | — | 2024-11-12 | A vulnerability was found in code-projects Job Recruitment 1.0 and classified as critical. |
CVE-2024-11077 | High | 7.3 | — | 2024-11-11 | A vulnerability, which was classified as critical, was found in code-projects Job Recruitment 1.0. |
CVE-2024-11245 | Medium | 6.3 | — | 2024-11-15 | A vulnerability, which was classified as critical, has been found in code-projects Farmacia 1.0. |
CVE-2024-11244 | Medium | 6.3 | — | 2024-11-15 | A vulnerability classified as critical was found in code-projects Farmacia 1.0. |
CVE-2024-11127 | Medium | 6.3 | — | 2024-11-12 | A vulnerability was found in code-projects Job Recruitment up to 1.0. |
CVE-2024-11076 | Medium | 6.3 | — | 2024-11-11 | A vulnerability, which was classified as critical, has been found in code-projects Job Recruitment 1.0. |
CVE-2024-50969 | Medium | 6.1 | — | 2024-11-13 | A Reflected cross-site scripting (XSS) vulnerability in browse.php of Code-projects Jonnys Liquor 1.0 allows remote attackers to inject arbitrary web scripts or HTML via the search parameter. |
CVE-2024-11246 | Low | 3.5 | — | 2024-11-15 | A vulnerability, which was classified as problematic, was found in code-projects Farmacia 1.0. |
CVE-2024-11078 | Low | 3.5 | — | 2024-11-11 | A vulnerability has been found in code-projects Job Recruitment 1.0 and classified as problematic. |
Hewlett Packard Enterprise (HPE) · 9 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-24459 | Medium | 5.9 | — | 2024-11-15 | An invalid memory access when handling the ProtocolIE_ID field of S1Setup Request messages in Athonet vEPC MME v11.4.0 allows attackers to cause a Denial of Service (DoS) to the cellular network by repeatedly initiating connections and sen… |
CVE-2024-24458 | Medium | 5.9 | — | 2024-11-15 | An invalid memory access when handling the ENB Configuration Transfer messages containing invalid PLMN Identities in Athonet vEPC MME v11.4.0 allows attackers to cause a Denial of Service (DoS) to the cellular network by repeatedly initiat… |
CVE-2024-24457 | Medium | 5.9 | — | 2024-11-15 | An invalid memory access when handling the ProtocolIE_ID field of E-RAB Setup List Context SURes messages in Athonet vEPC MME v11.4.0 allows attackers to cause a Denial of Service (DoS) to the cellular network by repeatedly initiating conn… |
CVE-2024-24455 | Medium | 5.9 | — | 2024-11-15 | An invalid memory access when handling a UE Context Release message containing an invalid UE identifier in Athonet vEPC MME v11.4.0 allows attackers to cause a Denial of Service (DoS) to the cellular network by repeatedly initiating connec… |
CVE-2024-24454 | Medium | 5.9 | — | 2024-11-15 | An invalid memory access when handling the ProtocolIE_ID field of E-RAB Modify Request messages in Athonet vEPC MME v11.4.0 allows attackers to cause a Denial of Service (DoS) to the cellular network by repeatedly initiating connections an… |
CVE-2024-24453 | Medium | 5.9 | — | 2024-11-15 | An invalid memory access when handling the ProtocolIE_ID field of E-RAB NotToBeModifiedBearerModInd information element in Athonet vEPC MME v11.4.0 allows attackers to cause a Denial of Service (DoS) to the cellular network by repeatedly i… |
CVE-2024-24452 | Medium | 5.9 | — | 2024-11-15 | An invalid memory access when handling the ProtocolIE_ID field of E-RAB Release Indication messages in Athonet vEPC MME v11.4.0 allows attackers to cause a Denial of Service (DoS) to the cellular network by repeatedly initiating connection… |
CVE-2024-51765 | Medium | 5.5 | — | 2024-11-15 | A security vulnerability has been identified in HPE Cray Data Virtualization Service (DVS). |
CVE-2024-51764 | Medium | 5.5 | — | 2024-11-15 | A security vulnerability has been identified in HPE Data Management Framework (DMF) Suite (CXFS). |
Moodle · 9 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-43439 | Medium | 5.4 | — | 2024-11-11 | A flaw was found in moodle. |
CVE-2024-43437 | Medium | 5.4 | — | 2024-11-11 | A flaw was found in moodle. |
CVE-2024-43435 | Medium | 5.3 | — | 2024-11-11 | A flaw was found in moodle. |
CVE-2024-43433 | Medium | 5.3 | — | 2024-11-11 | A flaw was found in moodle. |
CVE-2024-43432 | Medium | 5.3 | — | 2024-11-11 | A flaw was found in moodle. |
CVE-2024-43430 | Medium | 5.3 | — | 2024-11-11 | A flaw was found in moodle. |
CVE-2024-43429 | Medium | 5.3 | — | 2024-11-11 | A flaw was found in moodle. |
CVE-2024-48900 | Medium | 4.3 | — | 2024-11-13 | A vulnerability was found in Moodle. |
CVE-2024-43427 | Low | 3.7 | — | 2024-11-11 | A flaw was found in moodle. |
Baxter · 8 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-48967 | Critical | 10.0 | — | 2024-11-14 | The ventilator and the Service PC lack sufficient audit logging capabilities to allow for detection of malicious activity and subsequent forensic examination. |
CVE-2024-48966 | Critical | 10.0 | — | 2024-11-14 | The software tools used by service personnel to test & calibrate the ventilator do not support user authentication. |
CVE-2024-48974 | Critical | 9.3 | — | 2024-11-14 | The ventilator does not perform proper file integrity checks when adopting firmware updates. |
CVE-2024-48973 | Critical | 9.3 | — | 2024-11-14 | The debug port on the ventilator's serial interface is enabled by default. |
CVE-2024-48971 | Critical | 9.3 | — | 2024-11-14 | The Clinician Password and Serial Number Clinician Password are hard-coded into the ventilator in plaintext form. |
CVE-2024-48970 | Critical | 9.3 | — | 2024-11-14 | The ventilator's microcontroller lacks memory protection. |
CVE-2024-9834 | Critical | 9.3 | — | 2024-11-14 | Improper data protection on the ventilator's serial interface could allow an attacker to send and receive messages that result in unauthorized disclosure of information and/or have unintended impacts on device settings and performance. |
CVE-2024-9832 | Critical | 9.3 | — | 2024-11-14 | There is no limit on the number of failed login attempts permitted with the Clinician Password or the Serial Number Clinician Password. |
IBM · 8 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-41784 | High | 7.5 | — | 2024-11-15 | IBM Sterling Secure Proxy 6.0.0.0, 6.0.0.1, 6.0.0.2, 6.0.0.3, and 6.1.0.0 could allow a remote attacker to traverse directories on the system. |
CVE-2024-45088 | Medium | 6.4 | — | 2024-11-11 | IBM Maximo Asset Management 7.6.1.3 is vulnerable to stored cross-site scripting. |
CVE-2024-41785 | Medium | 6.1 | — | 2024-11-15 | IBM Concert Software 1.0.0 through 1.0.1 is vulnerable to cross-site scripting. |
CVE-2024-43189 | Medium | 5.9 | — | 2024-11-15 | IBM Concert Software 1.0.0 through 1.0.1 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. |
CVE-2024-45670 | Medium | 5.6 | — | 2024-11-14 | IBM Security SOAR 51.0.1.0 and earlier contains a mechanism for users to recover or change their passwords without knowing the original password, but the user account must be compromised prior to the weak recovery mechanism. |
CVE-2024-45642 | Medium | 5.3 | — | 2024-11-14 | IBM Security ReaQta 3.12 is vulnerable to cross-site scripting. |
CVE-2024-45087 | Medium | 4.8 | — | 2024-11-11 | IBM WebSphere Application Server 8.5 and 9.0 is vulnerable to cross-site scripting. |
CVE-2024-45099 | Low | 3.1 | — | 2024-11-14 | IBM Security ReaQta 3.12 is vulnerable to cross-site scripting. |
Palo Alto Networks · 8 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-2551 | High | 7.5 | — | 2024-11-14 | A null pointer dereference vulnerability in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to stop a core system service on the firewall by sending a crafted packet through the data plane that causes a denial of ser… |
CVE-2024-2550 | High | 7.5 | — | 2024-11-14 | A null pointer dereference vulnerability in the GlobalProtect gateway in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to stop the GlobalProtect service on the firewall by sending a specially crafted packet that ca… |
CVE-2024-5919 | Medium | 6.5 | — | 2024-11-14 | A blind XML External Entities (XXE) injection vulnerability in the Palo Alto Networks PAN-OS software enables an authenticated attacker to exfiltrate arbitrary files from firewalls to an attacker controlled server. |
CVE-2024-2552 | Medium | 6.0 | — | 2024-11-14 | A command injection vulnerability in Palo Alto Networks PAN-OS software enables an authenticated administrator to bypass system restrictions in the management plane and delete files on the firewall. |
CVE-2024-5917 | Medium | 4.9 | — | 2024-11-14 | A server-side request forgery in PAN-OS software enables an authenticated attacker with administrative privileges to use the administrative web interface as a proxy, which enables the attacker to view internal network resources not otherwi… |
CVE-2024-5920 | Medium | 4.8 | — | 2024-11-14 | A cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS software enables an authenticated read-write Panorama administrator to push a specially crafted configuration to a PAN-OS node. |
CVE-2024-5918 | Medium | 4.3 | — | 2024-11-14 | An improper certificate validation vulnerability in Palo Alto Networks PAN-OS software enables an authorized user with a specially crafted client certificate to connect to an impacted GlobalProtect portal or GlobalProtect gateway as a diff… |
CVE-2024-9472 | — | — | — | 2024-11-14 | A null pointer dereference in Palo Alto Networks PAN-OS software on PA-800 Series, PA-3200 Series, PA-5200 Series, and PA-7000 Series hardware platforms when Decryption policy is enabled allows an unauthenticated attacker to crash PAN-OS b… |
Ampache · 7 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-51487 | High | 8.1 | — | 2024-11-11 | Ampache is a web based audio/video streaming application and file manager. |
CVE-2024-51485 | High | 8.1 | — | 2024-11-11 | Ampache is a web based audio/video streaming application and file manager. |
CVE-2024-51484 | High | 8.1 | — | 2024-11-11 | Ampache is a web based audio/video streaming application and file manager. |
CVE-2024-51490 | Medium | 5.5 | — | 2024-11-11 | Ampache is a web based audio/video streaming application and file manager. |
CVE-2024-51486 | Medium | 5.5 | — | 2024-11-11 | Ampache is a web based audio/video streaming application and file manager. |
CVE-2024-51489 | Medium | 5.4 | — | 2024-11-11 | Ampache is a web based audio/video streaming application and file manager. |
CVE-2024-51488 | Medium | 5.4 | — | 2024-11-11 | Ampache is a web based audio/video streaming application and file manager. |
D-link · 7 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-11068 | Critical | 9.8 | — | 2024-11-11 | The D-Link DSL6740C modem has an Incorrect Use of Privileged APIs vulnerability, allowing unauthenticated remote attackers to modify any user’s password by leveraging the API, thereby granting access to Web, SSH, and Telnet services using… |
CVE-2024-11067 | High | 7.5 | — | 2024-11-11 | The D-Link DSL6740C modem has a Path Traversal Vulnerability, allowing unauthenticated remote attackers to exploit this vulnerability to read arbitrary system files. |
CVE-2024-11066 | High | 7.2 | — | 2024-11-11 | The D-Link DSL6740C modem has an OS Command Injection vulnerability, allowing remote attackers with administrator privileges to inject and execute arbitrary system commands through the specific web page. |
CVE-2024-11065 | High | 7.2 | — | 2024-11-11 | The D-Link DSL6740C modem has an OS Command Injection vulnerability, allowing remote attackers with administrator privileges to inject and execute arbitrary system commands through a specific functionality provided by SSH and Telnet. |
CVE-2024-11064 | High | 7.2 | — | 2024-11-11 | The D-Link DSL6740C modem has an OS Command Injection vulnerability, allowing remote attackers with administrator privileges to inject and execute arbitrary system commands through a specific functionality provided by SSH and Telnet. |
CVE-2024-11063 | High | 7.2 | — | 2024-11-11 | The D-Link DSL6740C modem has an OS Command Injection vulnerability, allowing remote attackers with administrator privileges to inject and execute arbitrary system commands through a specific functionality provided by SSH and Telnet. |
CVE-2024-11062 | High | 7.2 | — | 2024-11-11 | The D-Link DSL6740C modem has an OS Command Injection vulnerability, allowing remote attackers with administrator privileges to inject and execute arbitrary system commands through a specific functionality provided by SSH and Telnet. |
Freebsd · 7 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-51564 | High | 7.5 | — | 2024-11-12 | A guest can trigger an infinite loop in the hda audio driver. |
CVE-2024-45289 | High | 7.5 | — | 2024-11-12 | The fetch(3) library uses environment variables for passing certain information, including the revocation file pathname. |
CVE-2024-51566 | Medium | 6.5 | — | 2024-11-12 | The NVMe driver queue processing is vulnerable to guest-induced infinite loops. |
CVE-2024-51565 | Medium | 6.5 | — | 2024-11-12 | The hda driver is vulnerable to a buffer over-read from a guest-controlled value. |
CVE-2024-51563 | Medium | 6.5 | — | 2024-11-12 | The virtio_vq_recordon function is subject to a time-of-check to time-of-use (TOCTOU) race condition. |
CVE-2024-51562 | Medium | 6.5 | — | 2024-11-12 | The NVMe driver function nvme_opc_get_log_page is vulnerable to a buffer over-read from a guest-controlled value. |
CVE-2024-39281 | Medium | 5.3 | — | 2024-11-12 | The command ctl_persistent_reserve_out allows the caller to specify an arbitrary size which will be passed to the kernel's memory allocator. |
Justdan96 · 7 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-49778 | High | 8.8 | — | 2024-11-14 | A heap-based buffer overflow in tsMuxer version nightly-2024-05-12-02-01-18 allows attackers to cause Denial of Service (DoS) and Code Execution via a crafted MOV video file. |
CVE-2024-49777 | High | 8.8 | — | 2024-11-14 | A heap-based buffer overflow in tsMuxer version nightly-2024-03-14-01-51-12 allows attackers to cause Denial of Service (DoS), Information Disclosure and Code Execution via a crafted MKV video file. |
CVE-2024-41209 | High | 8.8 | — | 2024-11-14 | A heap-based buffer overflow in tsMuxer version nightly-2024-03-14-01-51-12 allows attackers to cause Denial of Service (DoS) and Code Execution via a crafted MOV video file. |
CVE-2024-49776 | Medium | 6.5 | — | 2024-11-14 | A negative-size-param in tsMuxer version nightly-2024-04-05-01-53-02 allows attackers to cause Denial of Service (DoS) via a crafted TS video file. |
CVE-2024-41217 | Medium | 6.5 | — | 2024-11-14 | A heap-based buffer overflow in tsMuxer version nightly-2024-05-10-02-00-45 allows attackers to cause Denial of Service (DoS) via a crafted MKV video file. |
CVE-2024-41206 | Medium | 6.5 | — | 2024-11-14 | A stack-based buffer over-read in tsMuxer version nightly-2024-03-14-01-51-12 allows attackers to cause Information Disclosure via a crafted TS video file. |
CVE-2024-52613 | Medium | 5.5 | — | 2024-11-14 | A heap-based buffer under-read in tsMuxer version nightly-2024-05-12-02-01-18 allows attackers to cause Denial of Service (DoS) via a crafted MOV video file. |
Sap_se · 7 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-47590 | High | 8.8 | — | 2024-11-12 | An unauthenticated attacker can create a malicious link which they can make publicly available. |
CVE-2024-42372 | Medium | 6.5 | — | 2024-11-12 | Due to missing authorization check in SAP NetWeaver AS Java (System Landscape Directory) an unauthorized user can read and modify some restricted global SLD configurations causing low impact on confidentiality and integrity of the applicat… |
CVE-2024-47592 | Medium | 5.3 | — | 2024-11-12 | SAP NetWeaver AS Java allows an unauthenticated attacker to brute force the login functionality in order to identify the legitimate user IDs. |
CVE-2024-47586 | Medium | 5.3 | — | 2024-11-12 | SAP NetWeaver Application Server for ABAP and ABAP Platform allows an unauthenticated attacker to send a maliciously crafted http request which could cause a null pointer dereference in the kernel. |
CVE-2024-47588 | Medium | 4.7 | — | 2024-11-12 | In SAP NetWeaver Java (Software Update Manager 1.1), under certain conditions when a software upgrade encounters errors, credentials are written in plaintext to a log file. |
CVE-2024-47593 | Medium | 4.3 | — | 2024-11-12 | SAP NetWeaver Application Server ABAP allows an unauthenticated attacker with network access to read files from the server, which otherwise would be restricted. This attack is possible only if a Web Dispatcher or some sort of Proxy Server i… |
CVE-2024-47587 | Low | 3.5 | — | 2024-11-12 | Cash Operations does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges causing low impact to confidentiality to the application. |
Schneider Electric · 7 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10575 | Critical | 9.8 | — | 2024-11-13 | CWE-862: Missing Authorization vulnerability exists that could cause unauthorized access when enabled on the network and potentially impacting connected devices. |
CVE-2024-8938 | High | 8.1 | — | 2024-11-13 | CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists that could cause a potential arbitrary code execution after a successful Man-In-The-Middle attack followed by sending a crafted Modbus fu… |
CVE-2024-9409 | High | 7.5 | — | 2024-11-13 | CWE-400: An Uncontrolled Resource Consumption vulnerability exists that could cause the device to become unresponsive resulting in communication loss when a large amount of IGMP packets is present in the network. |
CVE-2024-8935 | High | 7.5 | — | 2024-11-13 | CWE-290: Authentication Bypass by Spoofing vulnerability exists that could cause a denial of service and loss of confidentiality and integrity of controllers when conducting a Man-In-The-Middle attack between the controller and the enginee… |
CVE-2024-8933 | High | 7.5 | — | 2024-11-13 | CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability exists that could cause retrieval of password hash that could lead to denial of service and loss of confidentiality and integri… |
CVE-2024-8937 | Medium | 6.5 | — | 2024-11-13 | CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists that could cause a potential arbitrary code execution after a successful Man-In-The Middle attack followed by sending a crafted Modbus fu… |
CVE-2024-8936 | Medium | 6.5 | — | 2024-11-13 | CWE-20: Improper Input Validation vulnerability exists that could lead to loss of confidentiality of controller memory after a successful Man-In-The-Middle attack followed by sending a crafted Modbus function call used to tamper with memor… |
Grand Vice Info · 6 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-11020 | Critical | 9.8 | — | 2024-11-11 | Webopac from Grand Vice info has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents. |
CVE-2024-11018 | Critical | 9.8 | — | 2024-11-11 | Webopac from Grand Vice info does not properly validate uploaded file types, allowing unauthenticated remote attackers to upload and execute webshells, which could lead to arbitrary code execution on the server. |
CVE-2024-11016 | Critical | 9.8 | — | 2024-11-11 | Webopac from Grand Vice info has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents. |
CVE-2024-11017 | High | 8.8 | — | 2024-11-11 | Webopac from Grand Vice info does not properly validate uploaded file types, allowing remote attackers with regular privileges to upload and execute webshells, which could lead to arbitrary code execution on the server. |
CVE-2024-11019 | Medium | 6.1 | — | 2024-11-11 | Webopac from Grand Vice info has a Reflected Cross-site Scripting vulnerability, allowing unauthenticated remote attackers to execute arbitrary JavaScript code in the user's browser through phishing techniques. |
CVE-2024-11021 | Medium | 5.4 | — | 2024-11-11 | Webopac from Grand Vice info has Stored Cross-site Scripting vulnerability. |
Jenkins · 6 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-52554 | High | 8.8 | — | 2024-11-13 | Jenkins Shared Library Version Override Plugin 17.v786074c9fce7 and earlier declares folder-scoped library overrides as trusted, so that they're not executed in the Script Security sandbox, allowing attackers with Item/Configure permission… |
CVE-2024-52553 | High | 8.8 | — | 2024-11-13 | Jenkins OpenId Connect Authentication Plugin 4.418.vccc7061f5b_6d and earlier does not invalidate the previous session on login. |
CVE-2024-52552 | High | 8.0 | — | 2024-11-13 | Jenkins Authorize Project Plugin 1.7.2 and earlier evaluates a string containing the job name with JavaScript on the Authorization view, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Conf… |
CVE-2024-52551 | High | 8.0 | — | 2024-11-13 | Jenkins Pipeline: Declarative Plugin 2.2214.vb_b_34b_2ea_9b_83 and earlier does not check whether the main (Jenkinsfile) script used to restart a build from a specific stage is approved, allowing attackers with Item/Build permission to res… |
CVE-2024-52550 | High | 8.0 | — | 2024-11-13 | Jenkins Pipeline: Groovy Plugin 3990.vd281dd77a_388 and earlier, except 3975.3977.v478dd9e956c3 does not check whether the main (Jenkinsfile) script for a rebuilt build is approved, allowing attackers with Item/Build permission to rebuild… |
CVE-2024-52549 | Medium | 4.3 | — | 2024-11-13 | Jenkins Script Security Plugin 1367.vdf2fc45f229c and earlier, except 1365.1367.va_3b_b_89f8a_95b_ and 1362.1364.v4cf2dc5d8776, does not perform a permission check in a method implementing form validation, allowing attackers with Overall/R… |
Linuxfoundation · 6 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2022-31670 | High | 7.7 | — | 2024-11-14 | Harbor fails to validate the user permissions when updating tag retention policies. By sending a request to update a tag retention policy with an id that belongs to a project that the currently authenticated user doesn’t have access to… |
CVE-2022-31666 | High | 7.7 | — | 2024-11-14 | Harbor fails to validate user permissions while deleting Webhook policies, allowing malicious users to view, update and delete Webhook policies of other users. The attacker could modify Webhook policies configured in other projects. |
CVE-2022-31671 | High | 7.4 | — | 2024-11-14 | Harbor fails to validate user permissions when reading and updating job execution logs through the P2P preheat execution logs. |
CVE-2022-31668 | High | 7.4 | — | 2024-11-14 | Harbor fails to validate the user permissions when updating p2p preheat policies. By sending a request to update a p2p preheat policy with an id that belongs to a project that the currently authenticated user doesn't have access to, the at… |
CVE-2022-31669 | Medium | 6.4 | — | 2024-11-14 | Harbor fails to validate the user permissions when updating tag immutability policies. By sending a request to update a tag immutability policy with an id that belongs to a project that the currently authenticated user doesn’t have acces… |
CVE-2022-31667 | Medium | 6.4 | — | 2024-11-14 | Harbor fails to validate the user permissions when updating a robot account that belongs to a project that the authenticated user doesn’t have access to. By sending a request that attempts to update a robot account, and specifying a robo… |
1000 Projects · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-11258 | High | 7.3 | — | 2024-11-15 | A vulnerability classified as critical was found in 1000 Projects Beauty Parlour Management System 1.0. |
CVE-2024-11257 | High | 7.3 | — | 2024-11-15 | A vulnerability classified as critical has been found in 1000 Projects Beauty Parlour Management System 1.0. |
CVE-2024-11256 | High | 7.3 | — | 2024-11-15 | A vulnerability was found in 1000 Projects Portfolio Management System MCA 1.0 and classified as critical. |
CVE-2024-11100 | High | 7.3 | — | 2024-11-12 | A vulnerability was found in 1000 Projects Beauty Parlour Management System 1.0. |
CVE-2024-11101 | Medium | 4.7 | — | 2024-11-12 | A vulnerability was found in 1000 Projects Beauty Parlour Management System 1.0. |
Apache · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-50306 | Critical | 9.1 | — | 2024-11-14 | Unchecked return value can allow Apache Traffic Server to retain privileges on startup. |
CVE-2024-50386 | High | 8.5 | — | 2024-11-12 | Account users in Apache CloudStack by default are allowed to register templates to be downloaded directly to the primary storage for deploying instances. |
CVE-2024-45784 | High | 7.5 | — | 2024-11-15 | Apache Airflow versions before 2.10.3 contain a vulnerability that could expose sensitive configuration variables in task logs. |
CVE-2024-50305 | High | 7.5 | — | 2024-11-14 | Valid Host header field can cause Apache Traffic Server to crash on some platforms. |
CVE-2024-38479 | High | 7.5 | — | 2024-11-14 | Improper Input Validation vulnerability in Apache Traffic Server. |
Cybelesoft · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-40404 | Critical | 9.8 | — | 2024-11-13 | Cybele Software Thinfinity Workspace before v7.0.2.113 was discovered to contain an access control issue in the API endpoint where Web Sockets connections are established. |
CVE-2024-40405 | High | 8.1 | — | 2024-11-13 | Incorrect access control in Cybele Software Thinfinity Workspace before v7.0.3.109 allows attackers to gain access to a secondary broker via a crafted request. |
CVE-2024-40407 | High | 7.5 | — | 2024-11-13 | A full path disclosure in Cybele Software Thinfinity Workspace before v7.0.2.113 allows attackers to obtain the root path of the application via unspecified vectors. |
CVE-2024-40408 | High | 7.3 | — | 2024-11-13 | Cybele Software Thinfinity Workspace before v7.0.2.113 was discovered to contain an access control issue in the Create Profile section. |
CVE-2024-40410 | Medium | 4.8 | — | 2024-11-13 | Cybele Software Thinfinity Workspace before v7.0.2.113 was discovered to contain a hardcoded cryptographic key used for encryption. |
Dell · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-49560 | High | 7.8 | — | 2024-11-12 | Dell SmartFabric OS10 Software, version(s) 10.5.6.x, 10.5.5.x, 10.5.4.x, 10.5.3.x, contain(s) a command injection vulnerability. |
CVE-2024-49558 | High | 7.8 | — | 2024-11-12 | Dell SmartFabric OS10 Software, version(s) 10.5.6.x, 10.5.5.x, 10.5.4.x, 10.5.3.x, contain(s) an Improper Privilege Management vulnerability. |
CVE-2024-49557 | High | 7.8 | — | 2024-11-12 | Dell SmartFabric OS10 Software, version(s) 10.5.6.x, 10.5.5.x, 10.5.4.x, 10.5.3.x, contain(s) an Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability. |
CVE-2024-48837 | High | 7.8 | — | 2024-11-12 | Dell SmartFabric OS10 Software, version(s) 10.5.6.x, 10.5.5.x, 10.5.4.x, 10.5.3.x, contain(s) an Execution with Unnecessary Privileges vulnerability. |
CVE-2024-48838 | Low | 3.3 | — | 2024-11-12 | Dell SmartFabric OS10 Software, version(s) 10.5.6.x, 10.5.5.x, 10.5.4.x, 10.5.3.x, contain(s) a Files or Directories Accessible to External Parties vulnerability. |
Gitlab · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-9693 | High | 8.5 | — | 2024-11-14 | An issue was discovered in GitLab CE/EE affecting all versions starting from 16.0 prior to 17.3.7, starting from 17.4 prior to 17.4.4, and starting from 17.5 prior to 17.5.2, which could have allowed unauthorized access to the Kubernetes a… |
CVE-2024-7404 | Medium | 6.8 | — | 2024-11-14 | An issue was discovered in GitLab CE/EE affecting all versions starting from 17.2 prior to 17.3.7, starting from 17.4 prior to 17.4.4 and starting from 17.5 prior to 17.5.2, which could have allowed an attacker gaining full API access as t… |
CVE-2024-8648 | Medium | 6.1 | — | 2024-11-14 | An issue has been discovered in GitLab CE/EE affecting all versions from 16 before 17.3.7, 17.4 before 17.4.4, and 17.5 before 17.5.2. |
CVE-2024-8180 | Medium | 5.4 | — | 2024-11-14 | An issue has been discovered in GitLab CE/EE affecting all versions from 17.3 before 17.3.7, 17.4 before 17.4.4, and 17.5 before 17.5.2. |
CVE-2024-9633 | Low | 3.1 | — | 2024-11-14 | An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.3 before 17.4.2, all versions starting from 17.5 before 17.5.4, all versions starting from 17.6 before 17.6.2. |
Kognetiks · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10684 | Medium | 6.1 | — | 2024-11-13 | The Kognetiks Chatbot for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'dir' parameter in all versions up to, and including, 2.1.7 due to insufficient input sanitization and output escaping. |
CVE-2024-10531 | Medium | 5.3 | — | 2024-11-13 | The Kognetiks Chatbot for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_assistant() function in all versions up to, and including, 2.1.7. |
CVE-2024-10529 | Medium | 5.3 | — | 2024-11-13 | The Kognetiks Chatbot for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the delete_assistant() function in all versions up to, and including, 2.1.7. |
CVE-2024-11143 | Medium | 4.3 | — | 2024-11-13 | The Kognetiks Chatbot for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.8. |
CVE-2024-10530 | Medium | 4.3 | — | 2024-11-13 | The Kognetiks Chatbot for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the add_new_assistant() function in all versions up to, and including, 2.1.7. |
Mayurik · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-11212 | Medium | 6.3 | — | 2024-11-14 | A vulnerability, which was classified as critical, has been found in SourceCodester Best Employee Management System 1.0. |
CVE-2024-11214 | Medium | 4.7 | — | 2024-11-14 | A vulnerability has been found in SourceCodester Best Employee Management System 1.0 and classified as critical. |
CVE-2024-11213 | Medium | 4.7 | — | 2024-11-14 | A vulnerability, which was classified as critical, was found in SourceCodester Best Employee Management System 1.0. |
CVE-2024-11073 | Medium | 4.3 | — | 2024-11-11 | A vulnerability classified as problematic has been found in SourceCodester Hospital Management System 1.0. |
CVE-2024-11102 | Low | 3.5 | — | 2024-11-12 | A vulnerability was found in SourceCodester Hospital Management System 1.0. |
Rockwell Automation · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10943 | Critical | 9.1 | — | 2024-11-12 | An authentication bypass vulnerability exists in the affected product. |
CVE-2024-10944 | High | 8.4 | — | 2024-11-12 | A Remote Code Execution vulnerability exists in the affected product. |
CVE-2024-6068 | High | 7.3 | — | 2024-11-14 | A memory corruption vulnerability exists in the affected products when parsing DFT files. |
CVE-2024-10945 | High | 7.3 | — | 2024-11-12 | A Local Privilege Escalation vulnerability exists in the affected product. |
CVE-2024-37365 | High | 7.3 | — | 2024-11-12 | A remote code execution vulnerability exists in the affected product. |
Ami · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-33658 | High | 7.8 | — | 2024-11-12 | APTIOV contains a vulnerability in BIOS where a local attacker may cause an Improper Restriction of Operations within the Bounds of a Memory Buffer. |
CVE-2024-42442 | High | 7.2 | — | 2024-11-12 | APTIOV contains a vulnerability in the BIOS where a user or attacker may cause an improper restriction of operations within the bounds of a memory buffer over the network. |
CVE-2024-2315 | High | 7.1 | — | 2024-11-12 | APTIOV contains a vulnerability in BIOS where a local attacker may cause Improper Access Control. |
CVE-2024-33660 | Medium | 4.3 | — | 2024-11-12 | An exploit is possible where an actor with physical access can manipulate SPI flash without being detected. |
Citrix · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-8535 | High | 8.1 | — | 2024-11-12 | Authenticated user can access unintended user capabilities in NetScaler ADC and NetScaler Gateway if the appliance must be configured as a Gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) with KCDAccount configuration for Kerberos SSO to acce… |
CVE-2024-8534 | High | 8.1 | — | 2024-11-12 | Memory safety vulnerability leading to memory corruption and Denial of Service in NetScaler ADC and Gateway if the appliance must be configured as a Gateway (VPN Vserver) with RDP Feature enabled OR the appliance must be configured as a Ga… |
CVE-2024-8069 | High | 8.0 | KEV | 2024-11-12 | Limited remote code execution with privilege of a NetworkService Account access in Citrix Session Recording if the attacker is an authenticated user on the same intranet as the session recording server |
CVE-2024-8068 | High | 8.0 | KEV | 2024-11-12 | Privilege escalation to NetworkService Account access in Citrix Session Recording when an attacker is an authenticated user in the same Windows Active Directory domain as the session recording server domain |
Code-projects · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-11250 | Medium | 6.3 | — | 2024-11-15 | A vulnerability was found in code-projects Inventory Management up to 1.0. |
CVE-2024-11096 | Medium | 6.3 | — | 2024-11-12 | A vulnerability, which was classified as critical, was found in code-projects Task Manager 1.0. |
CVE-2024-11243 | Medium | 4.3 | — | 2024-11-15 | A vulnerability classified as problematic has been found in code-projects Online Shop Store 1.0. |
CVE-2024-11259 | Low | 3.5 | — | 2024-11-15 | A vulnerability, which was classified as problematic, has been found in code-projects Farmacia 1.0. |
Debian · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-49369 | Critical | 9.8 | — | 2024-11-12 | Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. |
CVE-2024-52533 | Critical | 9.8 | — | 2024-11-11 | gio/gsocks4aproxy.c in GNOME GLib before 2.82.1 has an off-by-one error and resultant buffer overflow because SOCKS4_CONN_MSG_LEN is not sufficient for a trailing '\0' character. |
CVE-2024-52301 | High | 7.5 | — | 2024-11-12 | Laravel is a web application framework. |
CVE-2024-10978 | Medium | 4.2 | — | 2024-11-14 | Incorrect privilege assignment in PostgreSQL allows a less-privileged application user to view or change different rows from those intended. |
Dlink · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-28729 | Critical | 9.8 | — | 2024-11-12 | An issue in DLink DWR 2000M 5G CPE With Wifi 6 Ax1800 and Dlink DWR 5G CPE DWR-2000M_1.34ME allows a local attacker to execute arbitrary code via a crafted request. |
CVE-2024-51186 | High | 8.0 | — | 2024-11-11 | D-Link DIR-820L 1.05b03 was discovered to contain a remote code execution (RCE) vulnerability via the ping_addr parameter in the ping_v4 and ping_v6 functions. |
CVE-2024-28730 | Medium | 5.4 | — | 2024-11-12 | Cross Site Scripting vulnerability in DLink DWR 2000M 5G CPE With Wifi 6 Ax1800 and Dlink DWR 5G CPE DWR-2000M_1.34ME allows a local attacker to obtain sensitive information via the file upload feature of the VPN configuration module. |
CVE-2024-28731 | Medium | 4.3 | — | 2024-11-12 | Cross Site Request Forgery vulnerability in DLink DWR 2000M 5G CPE With Wifi 6 Ax1800 and Dlink DWR 5G CPE DWR-2000M_1.34ME allows a local attacker to obtain sensitive information via the Port forwarding option. |
Lunary · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-3502 | High | 8.1 | — | 2024-11-14 | In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists where account recovery hashes of users are inadvertently exposed to unauthorized actors. |
CVE-2024-3501 | High | 8.1 | — | 2024-11-14 | In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists due to the inclusion of single-use tokens in the responses of `GET /v1/users/me` and `GET /v1/users/me/org` API endpoints. |
CVE-2024-3379 | High | 8.1 | — | 2024-11-14 | In lunary-ai/lunary versions 1.2.2 through 1.2.6, an incorrect authorization vulnerability allows unprivileged users to re-generate the private key for projects they do not have access to. |
CVE-2024-3760 | High | 7.5 | — | 2024-11-14 | In lunary-ai/lunary version 1.2.7, there is a lack of rate limiting on the forgot password page, leading to an email bombing vulnerability. |
51mis · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-11122 | Medium | 6.3 | — | 2024-11-12 | A vulnerability, which was classified as critical, has been found in 上海灵当信息科技有限公司 Lingdang CRM up to 8.6.4.3. |
CVE-2024-11121 | Medium | 6.3 | — | 2024-11-12 | A vulnerability classified as critical was found in 上海灵当信息科技有限公司 Lingdang CRM up to 8.6.4.3. |
CVE-2024-11123 | Medium | 4.3 | — | 2024-11-12 | A vulnerability, which was classified as problematic, was found in 上海灵当信息科技有限公司 Lingdang CRM up to 8.6.4.3. |
Angeljudesuarez · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-50972 | High | 7.2 | — | 2024-11-13 | A SQL injection vulnerability in printtool.php of Itsourcecode Construction Management System 1.0 allows remote attackers to execute arbitrary SQL commands via the borrow_id parameter. |
CVE-2024-50971 | High | 7.2 | — | 2024-11-13 | A SQL injection vulnerability in print.php of Itsourcecode Construction Management System 1.0 allows remote attackers to execute arbitrary SQL commands via the map_id parameter. |
CVE-2024-11074 | Medium | 6.3 | — | 2024-11-11 | A vulnerability classified as critical was found in itsourcecode Tailoring Management System 1.0. |
Apereo · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-11209 | Medium | 6.3 | — | 2024-11-14 | A vulnerability was found in Apereo CAS 6.6. |
CVE-2024-11207 | Medium | 4.3 | — | 2024-11-14 | A vulnerability has been found in Apereo CAS 6.6 and classified as problematic. |
CVE-2024-11208 | Low | 3.7 | — | 2024-11-14 | A vulnerability was found in Apereo CAS 6.6 and classified as problematic. |
Blackberry · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-51721 | High | 7.3 | — | 2024-11-12 | A code injection vulnerability in the SecuSUITE Server Web Administration Portal of SecuSUITE versions 5.0.420 and earlier could allow an attacker to potentially inject script commands or other executable content into the server that would… |
CVE-2024-51722 | Medium | 6.4 | — | 2024-11-12 | A local privilege escalation vulnerability in the SecuSUITE Server (System Configuration) of SecuSUITE versions 5.0.420 and earlier could allow a successful attacker that had gained control of code running under one of the system accounts… |
CVE-2024-51720 | Medium | 4.8 | — | 2024-11-12 | An insufficient entropy vulnerability in the SecuSUITE Secure Client Authentication (SCA) Server of SecuSUITE versions 5.0.420 and earlier could allow an attacker to potentially enroll an attacker-controlled device to the victim’s account… |
Chatwoot · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2021-3742 | High | 8.8 | — | 2024-11-15 | A Server-Side Request Forgery (SSRF) vulnerability was discovered in chatwoot/chatwoot, affecting all versions prior to 2.5.0. |
CVE-2021-3740 | Medium | 6.8 | — | 2024-11-15 | A Session Fixation vulnerability exists in chatwoot/chatwoot versions prior to 2.4.0. |
CVE-2021-3741 | Medium | 5.4 | — | 2024-11-15 | A stored cross-site scripting (XSS) vulnerability was discovered in chatwoot/chatwoot, affecting all versions prior to 2.6. |
Craftcms · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-52291 | High | 8.4 | — | 2024-11-13 | Craft is a content management system (CMS). |
CVE-2024-52292 | High | 7.7 | — | 2024-11-13 | Craft is a content management system (CMS). |
CVE-2024-52293 | High | 7.2 | — | 2024-11-13 | Craft is a content management system (CMS). |
Delta Electronics · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-47131 | High | 7.8 | — | 2024-11-11 | If an attacker tricks a valid user into running Delta Electronics DIAScreen with a file containing malicious code, a stack-based buffer overflow in BACnetObjectInfo can be exploited, allowing the attacker to remotely execute arbitrary code. |
CVE-2024-39605 | High | 7.8 | — | 2024-11-11 | If an attacker tricks a valid user into running Delta Electronics DIAScreen with a file containing malicious code, a stack-based buffer overflow in BACnetParameter can be exploited, allowing the attacker to remotely execute arbitrary code. |
CVE-2024-39354 | High | 7.8 | — | 2024-11-11 | If an attacker tricks a valid user into running Delta Electronics DIAScreen with a file containing malicious code, a stack-based buffer overflow in CEtherIPTagItem can be exploited, allowing the attacker to remotely execute arbitrary code. |
Gnome · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-52532 | High | 7.5 | — | 2024-11-11 | GNOME libsoup before 3.6.1 has an infinite loop, and memory consumption. |
CVE-2024-52530 | High | 7.5 | — | 2024-11-11 | GNOME libsoup before 3.6.0 allows HTTP request smuggling in some configurations because '\0' characters at the end of header names are ignored, i.e., a "Transfer-Encoding\0: chunked" header is treated the same as a "Transfer-Encoding: chun… |
CVE-2024-52531 | Medium | 6.5 | — | 2024-11-11 | GNOME libsoup before 3.6.1 allows a buffer overflow in applications that perform conversion to UTF-8 in soup_header_parse_param_list_strict. |
Helix · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10345 | — | — | — | 2024-11-11 | In Helix Core versions prior to 2024.2, an unauthenticated remote Denial of Service (DoS) via the shutdown function was identified. |
CVE-2024-10344 | — | — | — | 2024-11-11 | In Helix Core versions prior to 2024.2, an unauthenticated remote Denial of Service (DoS) via the refuse function was identified. |
CVE-2024-10314 | — | — | — | 2024-11-11 | In Helix Core versions prior to 2024.2, an unauthenticated remote Denial of Service (DoS) via the auto-generation function was identified. |
Janeczku · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2021-3988 | Medium | 6.1 | — | 2024-11-15 | A Cross-site Scripting (XSS) vulnerability exists in janeczku/calibre-web, specifically in the file `edit_books.js`. |
CVE-2021-3987 | Medium | 4.3 | — | 2024-11-15 | An improper access control vulnerability exists in janeczku/calibre-web. |
CVE-2021-3986 | Medium | 4.3 | — | 2024-11-15 | A vulnerability in janeczku/calibre-web allows unauthorized users to view the names of private shelves belonging to other users. |
Mutt · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-49393 | Medium | 6.5 | — | 2024-11-12 | In neomutt and mutt, the To and Cc email headers are not validated by cryptographic signing which allows an attacker that intercepts a message to change their value and include himself as one of the recipients to compromise message confi… |
CVE-2024-49395 | Medium | 5.3 | — | 2024-11-12 | In mutt and neomutt, PGP encryption does not use the --hidden-recipient mode which may leak the Bcc email header field by inferring from the recipients info. |
CVE-2024-49394 | Medium | 5.3 | — | 2024-11-12 | In mutt and neomutt the In-Reply-To email header field is not protected by cryptographic signing which allows an attacker to reuse an unencrypted but signed email message to impersonate the original sender. |
Northmule · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10854 | Medium | 4.3 | — | 2024-11-13 | The Buy one click WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the buy_one_click_import_options AJAX action in all versions up to, and including, 2.2.9. |
CVE-2024-10853 | Medium | 4.3 | — | 2024-11-13 | The Buy one click WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the removeorder AJAX action in all versions up to, and including, 2.2.9. |
CVE-2024-10852 | Medium | 4.3 | — | 2024-11-13 | The Buy one click WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the buy_one_click_export_options AJAX action in all versions up to, and including, 2.2.9. |
Openafs · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10397 | High | 7.8 | — | 2024-11-14 | A malicious server can crash the OpenAFS cache manager and other client utilities, and possibly execute arbitrary code. |
CVE-2024-10394 | High | 7.8 | — | 2024-11-14 | A local user can bypass the OpenAFS PAG (Process Authentication Group) throttling mechanism in Unix clients, allowing the user to create a PAG using an existing id number, effectively joining the PAG and letting the user steal the credenti… |
CVE-2024-10396 | Medium | 6.5 | — | 2024-11-14 | An authenticated user can provide a malformed ACL to the fileserver's StoreACL RPC, causing the fileserver to crash, possibly expose uninitialized memory, and possibly store garbage data in the audit log. |
Progress · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10013 | High | 7.8 | — | 2024-11-13 | In Progress Telerik UI for WinForms versions prior to 2024 Q4 (2024.4.1113), a code execution attack is possible through an insecure deserialization vulnerability. |
CVE-2024-7295 | High | 7.1 | — | 2024-11-13 | In Progress® Telerik® Report Server versions prior to 2024 Q4 (10.3.24.1112), the encryption of local asset data used an older algorithm which may allow a sophisticated actor to decrypt this information. |
CVE-2024-8049 | Medium | 6.5 | — | 2024-11-13 | In Progress Telerik Document Processing Libraries, versions prior to 2024 Q4 (2024.4.1106), importing a document with unsupported features can lead to excessive processing, leading to excessive use of computing resources leaving the applic… |
Razormist · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-11262 | Medium | 5.3 | — | 2024-11-15 | A vulnerability has been found in SourceCodester Student Record Management System 1.0 and classified as critical. |
CVE-2024-11261 | Medium | 5.3 | — | 2024-11-15 | A vulnerability, which was classified as critical, was found in SourceCodester Student Record Management System 1.0. |
CVE-2024-11097 | Low | 3.3 | — | 2024-11-12 | A vulnerability has been found in SourceCodester Student Record Management System 1.0 and classified as problematic. |
Red Hat · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2022-2232 | High | 7.5 | — | 2024-11-14 | A flaw was found in the Keycloak package. |
CVE-2024-11079 | Medium | 5.5 | — | 2024-11-12 | A flaw was found in Ansible-Core. |
CVE-2024-11217 | Medium | 4.9 | — | 2024-11-15 | A vulnerability was found in the OAuth-server. |
Royal-elementor-addons · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-9682 | Medium | 6.4 | — | 2024-11-13 | The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Form Builder widget in all versions up to, and including, 1.7.1001 due to insufficient input sanitization and outpu… |
CVE-2024-9668 | Medium | 6.4 | — | 2024-11-13 | The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown widget in all versions up to, and including, 1.7.1001 due to insufficient input sanitization and output e… |
CVE-2024-9059 | Medium | 6.4 | — | 2024-11-13 | The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Google Maps widget in all versions up to, and including, 1.7.1001 due to insufficient input sanitization and output escaping. |
Softbank Corp. · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-45827 | High | 8.0 | — | 2024-11-12 | Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in Mesh Wi-Fi router RP562B firmware version v1.0.2 and earlier. |
CVE-2024-29075 | Medium | 4.6 | — | 2024-11-12 | Active debug code vulnerability exists in Mesh Wi-Fi router RP562B firmware version v1.0.2 and earlier. |
CVE-2024-47799 | Low | 3.5 | — | 2024-11-12 | Exposure of sensitive system information to an unauthorized control sphere issue exists in Mesh Wi-Fi router RP562B firmware version v1.0.2 and earlier. |
Vaemendis · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-47915 | High | 7.5 | — | 2024-11-14 | VaeMendis - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor |
CVE-2024-45254 | High | 7.5 | — | 2024-11-14 | VaeMendis - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
CVE-2024-47914 | Medium | 4.5 | — | 2024-11-14 | VaeMendis - CWE-352: Cross-Site Request Forgery (CSRF) |
Wpdeveloper · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-8979 | High | 8.0 | — | 2024-11-15 | The Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.0.9 via the 'init_conte… |
CVE-2024-8961 | Medium | 6.4 | — | 2024-11-15 | The Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘nomore_items_text’ parameter in all versions up to, and i… |
CVE-2024-8978 | Medium | 5.7 | — | 2024-11-15 | The Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.0.9 via the 'init_conte… |
Xwiki · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-52300 | Critical | 9.0 | — | 2024-11-13 | macro-pdfviewer is a PDF Viewer Macro for XWiki using Mozilla pdf.js. |
CVE-2024-52299 | High | 7.5 | — | 2024-11-13 | macro-pdfviewer is a PDF Viewer Macro for XWiki using Mozilla pdf.js. |
CVE-2024-52298 | High | 7.5 | — | 2024-11-13 | macro-pdfviewer is a PDF Viewer Macro for XWiki using Mozilla pdf.js. |
Acronis · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-34014 | Medium | 5.5 | — | 2024-11-11 | Arbitrary file overwrite during recovery due to improper symbolic link handling. |
CVE-2024-34015 | Low | 3.3 | — | 2024-11-11 | Sensitive information disclosure during file browsing due to improper symbolic link handling. |
Apple · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-11115 | High | 8.8 | — | 2024-11-12 | Insufficient policy enforcement in Navigation in Google Chrome on iOS prior to 131.0.6778.69 allowed a remote attacker to perform privilege escalation via a series of UI gestures. |
CVE-2024-9843 | Medium | 5.0 | — | 2024-11-12 | A buffer over-read in Ivanti Secure Access Client before 22.7R4 allows a local unauthenticated attacker to cause a denial of service. |
Dompdf · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2021-3902 | Critical | 9.8 | — | 2024-11-15 | An improper restriction of external entities (XXE) vulnerability in dompdf/dompdf's SVG parser allows for Server-Side Request Forgery (SSRF) and deserialization attacks. |
CVE-2021-3838 | Critical | 9.8 | — | 2024-11-15 | DomPDF before version 2.0.0 is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the file_get_contents() function. |
Element-hq · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-51750 | Medium | 5.0 | — | 2024-11-12 | Element is a Matrix web client built using the Matrix React SDK. |
CVE-2024-51749 | Low | 3.5 | — | 2024-11-12 | Element is a Matrix web client built using the Matrix React SDK. |
Eyoucms · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-11210 | Medium | 5.4 | — | 2024-11-14 | A vulnerability was found in EyouCMS 1.51. |
CVE-2024-11211 | Medium | 4.7 | — | 2024-11-14 | A vulnerability classified as critical has been found in EyouCMS up to 1.6.7. |
Geeeeeeeek · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-50651 | Medium | 6.5 | — | 2024-11-15 | java_shop 1.0 is vulnerable to Incorrect Access Control, which allows attackers to obtain sensitive information of users with different IDs by modifying the ID parameter. |
CVE-2024-50652 | Medium | 4.3 | — | 2024-11-15 | A file upload vulnerability in java_shop 1.0 allows attackers to upload arbitrary files by modifying the avatar function. |
Gotomain · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-52296 | Medium | 6.5 | — | 2024-11-12 | libosdp is an implementation of IEC 60839-11-5 OSDP (Open Supervised Device Protocol) and provides a C library with support for C++, Rust and Python3. |
CVE-2024-52288 | Medium | 5.1 | — | 2024-11-11 | libosdp is an implementation of IEC 60839-11-5 OSDP (Open Supervised Device Protocol) and provides a C library with support for C++, Rust and Python3. |
Hcl Software · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-30133 | Medium | 5.3 | — | 2024-11-12 | HCL Traveler for Microsoft Outlook (HTMO) is susceptible to a control flow vulnerability. |
CVE-2024-42188 | Low | 3.7 | — | 2024-11-14 | HCL Connections is vulnerable to a broken access control vulnerability that may allow an unauthorized user to update data in certain scenarios. |
Kanboard · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-51748 | Critical | 9.1 | — | 2024-11-11 | Kanboard is project management software that focuses on the Kanban methodology. |
CVE-2024-51747 | Critical | 9.1 | — | 2024-11-11 | Kanboard is project management software that focuses on the Kanban methodology. |
Landray · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-11238 | Medium | 6.5 | — | 2024-11-15 | A vulnerability, which was classified as critical, was found in Landray EKP up to 16.0. |
CVE-2024-11239 | Medium | 5.4 | — | 2024-11-15 | A vulnerability has been found in Landray EKP up to 16.0 and classified as critical. |
Linux · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-50263 | Medium | 5.5 | — | 2024-11-11 | In the Linux kernel, the following vulnerability has been resolved: fork: only invoke khugepaged, ksm hooks if no error. There is no reason to invoke these hooks early against an mm that is in an incomplete state. |
CVE-2023-4458 | Medium | 4.0 | — | 2024-11-14 | A flaw was found within the parsing of extended attributes in the kernel ksmbd module. |
Matrix-org · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-52505 | Medium | 5.4 | — | 2024-11-14 | matrix-appservice-irc is a Node.js IRC bridge for the Matrix messaging protocol. |
CVE-2024-50336 | — | — | — | 2024-11-12 | matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. |
Mz-automation · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-45971 | Critical | 9.8 | — | 2024-11-15 | Multiple Buffer overflows in the MMS Client in MZ Automation LibIEC61850 before commit 1f52be9ddeae00e69cd43e4cac3cb4f0c880c4f0 allow a malicious server to cause a stack-based buffer overflow via the MMS IdentifyResponse message. |
CVE-2024-45970 | Critical | 9.8 | — | 2024-11-15 | Multiple Buffer overflows in the MMS Client in MZ Automation LibIEC61850 before commit ac925fae8e281ac6defcd630e9dd756264e9c5bc allow a malicious server to cause a stack-based buffer overflow via the MMS FileDirResponse message. |
Opensuse · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-49505 | Medium | 6.1 | — | 2024-11-13 | An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in openSUSE Tumbleweed MirrorCache allows the execution of arbitrary JS via reflected XSS in the REGEX and P parameters. |
CVE-2024-49506 | — | — | — | 2024-11-13 | Insecure creation of temporary files allows local users on systems with non-default configurations to cause denial of service or set the encryption key for a filesystem. |
Phpipam · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-0787 | Medium | 5.9 | — | 2024-11-15 | phpIPAM version 1.5.1 contains a vulnerability where an attacker can bypass the IP block mechanism to brute force passwords for users by using the 'X-Forwarded-For' header. |
CVE-2022-1226 | Medium | 4.8 | — | 2024-11-15 | A Cross-Site Scripting (XSS) vulnerability in phpipam/phpipam versions prior to 1.4.7 allows attackers to execute arbitrary JavaScript code in the browser of a victim. |
Razorpay · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10851 | Medium | 6.1 | — | 2024-11-13 | The Razorpay Payment Button Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.4.6. |
CVE-2024-10850 | Medium | 6.1 | — | 2024-11-13 | The Razorpay Payment Button Elementor Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and includi… |
Sonatype · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-5082 | — | — | — | 2024-11-14 | A Remote Code Execution vulnerability has been discovered in Sonatype Nexus Repository 2. This issue affects Nexus Repository 2 OSS/Pro versions up to and including 2.15.1. |
CVE-2024-5083 | — | — | — | 2024-11-14 | A stored Cross-site Scripting vulnerability has been discovered in Sonatype Nexus Repository 2. This issue affects Nexus Repository 2 OSS/Pro versions up to and including 2.15.1. |
Sound Research · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-2208 | High | 8.8 | — | 2024-11-12 | Potential vulnerabilities have been identified in the audio package for certain HP PC products using the Sound Research SECOMN64 driver, which might allow escalation of privilege. |
CVE-2024-2207 | Medium | 6.0 | — | 2024-11-12 | Potential vulnerabilities have been identified in the audio package for certain HP PC products using the Sound Research SECOMN64 driver, which might allow escalation of privilege. |
Suse · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2022-45157 | Critical | 9.1 | — | 2024-11-13 | A vulnerability has been identified in the way that Rancher stores vSphere's CPI (Cloud Provider Interface) and CSI (Container Storage Interface) credentials used to deploy clusters through the vSphere cloud provider. |
CVE-2024-49504 | — | — | — | 2024-11-13 | grub2 allowed attackers with access to the grub shell to access files on the encrypted disks. |
Tenda · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-11248 | High | 8.8 | — | 2024-11-15 | A vulnerability was found in Tenda AC10 16.03.10.13 and classified as critical. |
CVE-2024-11061 | High | 8.8 | — | 2024-11-11 | A vulnerability classified as critical was found in Tenda AC10 16.03.10.13. |
Tibco Software Inc · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10218 | — | — | — | 2024-11-12 | XSS Attack in mar.jar, Monitoring Archive Utility (MAR Utility), monitoringconsolecommon.jar in TIBCO Software Inc TIBCO Hawk and TIBCO Operational Intelligence |
CVE-2024-10217 | — | — | — | 2024-11-12 | XSS Attack in mar.jar, Monitoring Archive Utility (MAR Utility), monitoringconsolecommon.jar in TIBCO Software Inc TIBCO Hawk and TIBCO Operational Intelligence |
Vanquish · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-11150 | Critical | 9.8 | — | 2024-11-13 | The WordPress User Extra Fields plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_tmp_uploaded_file() function in all versions up to, and including, 16.6. |
CVE-2024-10800 | High | 8.8 | — | 2024-11-13 | The WordPress User Extra Fields plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the ajax_save_fields() function in all versions up to, and including, 16.6. |
Wpmonks · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-52384 | Critical | 9.9 | — | 2024-11-14 | Unrestricted Upload of File with Dangerous Type vulnerability in wpmonks Sage AI: Chatbots, OpenAI GPT-4 Bulk Articles, Dalle-3 Image Generation ai-content-generator allows Upload a Web Shell to a Web Server. This issue affects Sage AI: Cha… |
CVE-2024-10717 | Medium | 6.5 | — | 2024-11-13 | The Styler for Ninja Forms plugin for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the deactivate_license function in all versions up to, and includi… |
Yugabytedb · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-11193 | Medium | 6.5 | — | 2024-11-13 | An information disclosure vulnerability exists in Yugabyte Anywhere, where the LDAP bind password is logged in plaintext within application logs. |
CVE-2024-11165 | — | — | — | 2024-11-13 | An information disclosure vulnerability exists in the backup configuration process where the SAS token is not masked in the configuration response. |
Zyxel · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-8881 | Medium | 6.8 | — | 2024-11-12 | A post-authentication command injection vulnerability in the CGI program in the Zyxel GS1900-48 switch firmware version V2.80(AAHN.1)C0 and earlier could allow an authenticated, LAN-based attacker with administrator privileges to execute s… |
CVE-2024-8882 | Medium | 4.5 | — | 2024-11-12 | A buffer overflow vulnerability in the CGI program in the Zyxel GS1900-48 switch firmware version V2.80(AAHN.1)C0 and earlier could allow an authenticated, LAN-based attacker with administrator privileges to cause denial of service (DoS) c… |
07fly · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-51156 | Medium | 4.7 | — | 2024-11-14 | 07FLYCMS V1.3.9 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component 'erp.07fly.net:80/admin/SysNotifyUser/del.html?id=93'. |
Adonesevangelista · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-50968 | High | 7.5 | — | 2024-11-14 | A business logic vulnerability exists in the Add to Cart function of itsourcecode Agri-Trading Online Shopping System 1.0, which allows remote attackers to manipulate the quant parameter when adding a product to the cart. |
Advancedcustomfields · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-9529 | Medium | 6.6 | — | 2024-11-15 | The Secure Custom Fields WordPress plugin before 6.3.9, Secure Custom Fields WordPress plugin before 6.3.6.3, Advanced Custom Fields Pro WordPress plugin before 6.3.9 does not prevent users from running arbitrary functions through its sett… |
Advancedformintegration · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10877 | Medium | 6.1 | — | 2024-11-13 | The AFI – The Easiest Integration Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including… |
Airties · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-9477 | Medium | 6.1 | — | 2024-11-13 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in AirTies Air4443 Firmware allows Cross-Site Scripting (XSS). |
Aitool · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-52383 | High | 7.5 | — | 2024-11-14 | Missing Authorization vulnerability in aitool Ai Auto Tool Content Writing Assistant (Gemini Writer, ChatGPT ) All in One ai-auto-tool allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ai Auto Tool… |
Algolplus · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10828 | High | 8.1 | — | 2024-11-13 | The Advanced Order Export For WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.5.5 via deserialization of untrusted input during Order export when the "Try to convert serialized… |
Andsonsdesign · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-51837 | High | 8.5 | — | 2024-11-11 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Sophia M Williams WP Contest wp-contest allows SQL Injection. This issue affects WP Contest: from n/a through <= 1.0.0. |
Appointmind · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-51679 | High | 7.1 | — | 2024-11-14 | Cross-Site Request Forgery (CSRF) vulnerability in gentlesource Appointmind appointmind allows Stored XSS. This issue affects Appointmind: from n/a through <= 4.0.0. |
Appspace · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2021-27704 | Medium | 6.5 | — | 2024-11-12 | Appspace 6.2.4 is affected by Incorrect Access Control via the Appspace Web Portal password reset page. |
Arm · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-9413 | High | 8.0 | — | 2024-11-13 | The transport_message_handler function in SCP-Firmware release versions 2.11.0-2.15.0 does not properly handle errors, potentially allowing an Application Processor (AP) to cause a buffer overflow in System Control Processor (SCP) firmware. |
Arttia Creative · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-52375 | Critical | 10.0 | — | 2024-11-14 | Unrestricted Upload of File with Dangerous Type vulnerability in Arttia Creative Datasets Manager by Arttia Creative datasets-manager-by-arttia-creative. This issue affects Datasets Manager by Arttia Creative: from n/a through <= 1.5. |
Ateeq Rafeeq · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-51793 | Critical | 10.0 | — | 2024-11-11 | Unrestricted Upload of File with Dangerous Type vulnerability in Ateeq Rafeeq RepairBuddy computer-repair-shop allows Upload a Web Shell to a Web Server. This issue affects RepairBuddy: from n/a through <= 3.8115. |
Autodesk · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-9500 | High | 7.8 | — | 2024-11-15 | A maliciously crafted DLL file when placed in temporary files and folders that are leveraged by the Autodesk Installer could lead to escalation of privileges to NT AUTHORITY/SYSTEM due to insecure privilege management. |
Avigilon · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-45253 | High | 7.5 | — | 2024-11-14 | Avigilon – CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
Avovkdesign · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-9578 | Medium | 5.3 | — | 2024-11-13 | The Hide Links plugin for WordPress is vulnerable to unauthorized shortcode execution due to do_shortcode being hooked through the comment_text filter in all versions up to and including 1.4.2. |
Axelkeller · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10629 | High | 8.8 | — | 2024-11-13 | The GPX Viewer plugin for WordPress is vulnerable to arbitrary file creation due to a missing capability check and file type validation in the gpxv_file_upload() function in all versions up to, and including, 2.2.9. |
Ays-pro · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10571 | Critical | 9.8 | — | 2024-11-14 | The Chartify – WordPress Chart Plugin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.9.5 via the 'source' parameter. |
Backpackforlaravel · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-52306 | High | 7.6 | — | 2024-11-13 | FileManager provides a Backpack admin interface for files and folders. |
Bdthemes · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-52377 | Critical | 10.0 | — | 2024-11-14 | Unrestricted Upload of File with Dangerous Type vulnerability in bdthemes Instant Image Generator ai-image allows Upload a Web Shell to a Web Server. This issue affects Instant Image Generator: from n/a through <= 1.5.2. |
Blueglass · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10104 | Medium | 5.9 | — | 2024-11-15 | The Jobs for WordPress plugin before 2.7.8 does not sanitise and escape some of its Job settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks |
Boa Web Server · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-47916 | High | 7.5 | — | 2024-11-14 | Boa web server - CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
Bosch Rexroth Ag · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-48989 | High | 7.5 | — | 2024-11-13 | A vulnerability in the PROFINET stack implementation of the IndraDrive (all versions) of Bosch Rexroth allows an attacker to cause a denial of service, rendering the device unresponsive by sending arbitrary UDP messages. |
Broadcom · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-7516 | High | 7.1 | — | 2024-11-12 | A vulnerability in Brocade Fabric OS versions before 9.2.2 could allow man-in-the-middle attackers to conduct remote Service Session Hijacking that may arise from the attacker's ability to forge an SSH key while the Brocade Fabric OS Switc… |
Bu · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-52351 | Medium | 6.5 | — | 2024-11-11 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BU Web Team BU Slideshow bu-slideshow allows Stored XSS. This issue affects BU Slideshow: from n/a through <= 2.3.10. |
Budgetcontrol · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-52528 | — | — | — | 2024-11-15 | Budget Control Gateway acts as an entry point for incoming requests and routes them to the appropriate microservices for Budget Control. |
Chamilo · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-51142 | Medium | 5.4 | — | 2024-11-15 | Cross Site Scripting vulnerability in Chamilo LMS v.1.11.26 allows an attacker to execute arbitrary code via the svkey parameter of the storageapi.php file. |
Ciprian Popescu · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-51684 | High | 7.1 | — | 2024-11-14 | Cross-Site Request Forgery (CSRF) vulnerability in Ciprian Popescu W3P SEO wp-perfect-plugin allows Stored XSS. This issue affects W3P SEO: from n/a through < 1.8.6. |
Cleancoder · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-39610 | Medium | 6.1 | — | 2024-11-15 | Cross-site scripting vulnerability exists in FitNesse releases prior to 20241026. |
Clementine-player · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-50986 | High | 7.3 | — | 2024-11-15 | An issue in Clementine v.1.3.1 allows a local attacker to execute arbitrary code via a crafted DLL file. |
Cli · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-52308 | High | 8.0 | — | 2024-11-14 | The GitHub CLI version 2.6.1 and earlier are vulnerable to remote code execution through a malicious codespace SSH server when using `gh codespace ssh` or `gh codespace logs` commands. |
Cloud Foundry · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-38826 | — | — | — | 2024-11-11 | Authenticated users can upload specifically crafted files to leak server resources. |
Cmanon · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10038 | Medium | 6.1 | — | 2024-11-13 | The WP-Strava plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.12.1 due to insufficient input sanitization and output escaping. |
Cmorillas1 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10311 | High | 7.5 | — | 2024-11-15 | The External Database Based Actions plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 0.1. |
Cmsminds · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-52376 | Critical | 10.0 | — | 2024-11-14 | Unrestricted Upload of File with Dangerous Type vulnerability in cmsMinds Boat Rental Plugin for WordPress boat-rental-system allows Upload a Web Shell to a Web Server.This issue affects Boat Rental Plugin for WordPress: from n/a through <… |
Cool Plugins · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-52354 | Medium | 6.5 | — | 2024-11-11 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Cool Plugins Web Stories Widgets For Elementor shortcodes-for-amp-web-stories-and-elementor-widget allows Stored XSS. This issue affects W… |
Craigk5n · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-1097 | Medium | 5.4 | — | 2024-11-15 | A stored cross-site scripting (XSS) vulnerability exists in craigk5n/webcalendar version 1.3.0. |
Crm2go · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-52350 | Medium | 6.5 | — | 2024-11-11 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in nrmendez CRM 2go crm2go allows DOM-Based XSS. This issue affects CRM 2go: from n/a through <= 1.0. |
Crmeb · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-50653 | High | 7.5 | — | 2024-11-15 | CRMEB <=5.4.0 is vulnerable to Incorrect Access Control. |
Crocoblock · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10323 | Medium | 6.4 | — | 2024-11-12 | The JetWidgets For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via REST API SVG File uploads in all versions up to, and including, 1.0.18 due to insufficient input sanitization and output escaping. |
Cyberchimps · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-52358 | Medium | 6.5 | — | 2024-11-11 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CyberChimps Responsive Addons for Elementor responsive-addons-for-elementor allows DOM-Based XSS. This issue affects Responsive Addons for… |
Dang Ngoc Binh · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-51792 | Critical | 10.0 | — | 2024-11-11 | Unrestricted Upload of File with Dangerous Type vulnerability in Dang Ngoc Binh Audio Record audio-record allows Upload a Web Shell to a Web Server. This issue affects Audio Record: from n/a through <= 1.0. |
Dataease · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-52295 | Critical | 9.8 | — | 2024-11-13 | DataEase is an open source data visualization analysis tool. |
Dataprom · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10534 | Critical | 9.8 | — | 2024-11-15 | Origin Validation Error vulnerability in Dataprom Informatics Personnel Attendance Control Systems (PACS) / Access Control Security Systems (ACSS) allows Traffic Injection. |
Decidim · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-45594 | High | 7.7 | — | 2024-11-13 | Decidim is a participatory democracy framework. |
Decidim-ice · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-43415 | Critical | 9.0 | — | 2024-11-12 | An improper neutralization of special elements used in an SQL command in the papertrail/version- model of the decidim_awesome-module <= v0.11.1 (> 0.9.0) allows an authenticated admin user to manipulate sql queries to disclose information… |
Dedecms · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-11138 | Low | 2.7 | — | 2024-11-12 | A vulnerability classified as problematic has been found in DedeCMS 5.7.116. |
Devolutions · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10971 | Medium | 4.3 | — | 2024-11-12 | Improper access control in the Password History feature in Devolutions DVLS 2024.3.6 and earlier allows a malicious authenticated user to obtain sensitive data via faulty permission. |
Digistar · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-11126 | Low | 3.1 | — | 2024-11-12 | A vulnerability was found in Digistar AG-30 Plus 2.6b. |
Dolibarr · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2021-3991 | Medium | 4.3 | — | 2024-11-15 | An Improper Authorization vulnerability exists in Dolibarr versions prior to the 'develop' branch. |
Donnellc · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-52371 | High | 8.6 | — | 2024-11-14 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in DonnellC Global Gateway e4 \| Payeezy Gateway \| globe-gateway-e4. This issue affects Global Gateway e4 \| Payeezy Gateway \|: from n/a through <= 2… |
Dothattask · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-52374 | Critical | 10.0 | — | 2024-11-14 | Unrestricted Upload of File with Dangerous Type vulnerability in DoThatTask Do That Task do-that-task allows Upload a Web Shell to a Web Server. This issue affects Do That Task: from n/a through <= 1.5.5. |
Dotnetzip.semverd_project · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-48510 | Critical | 9.8 | — | 2024-11-13 | Directory Traversal vulnerability in DotNetZip v.1.16.0 and before allows a remote attacker to execute arbitrary code via the src/Zip.Shared/ZipEntry.Extract.cs component NOTE: This vulnerability only affects products that are no longer su… |
Duongancol · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10794 | Medium | 4.3 | — | 2024-11-13 | The Boostify Header Footer Builder for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.3.6 via the 'bhf' shortcode due to insufficient restrictions on which posts can be included. |
Easyphp · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-11215 | Medium | 6.5 | — | 2024-11-14 | Absolute path traversal (incorrect restriction of a path to a restricted directory) vulnerability in the EasyPHP web server, affecting version 14.1. |
Eclipse · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10917 | Low | 3.7 | — | 2024-11-11 | In Eclipse OpenJ9 versions up to 0.47, the JNI function GetStringUTFLength may return an incorrect value which has wrapped around. |
Ehues · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-51882 | High | 8.5 | — | 2024-11-11 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in gopalkumar315 Gboy Custom Google Map gboy-custom-google-map allows Blind SQL Injection. This issue affects Gboy Custom Google Map: from n/… |
Elastic · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-37285 | Critical | 9.1 | — | 2024-11-14 | A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload. |
Emlog · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-50655 | Medium | 5.4 | — | 2024-11-15 | emlog pro <=2.3.18 is vulnerable to Cross Site Scripting (XSS), which allows attackers to write malicious JavaScript code in published articles. |
Engeniustech · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-36061 | Critical | 9.8 | — | 2024-11-11 | EnGenius EWS356-FIT devices through 1.1.30 allow blind OS command injection. |
Eric Teubert · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-52393 | Critical | 9.1 | — | 2024-11-14 | Deserialization of Untrusted Data vulnerability in Eric Teubert Podlove Podcast Publisher podlove-podcasting-plugin-for-wordpress. This issue affects Podlove Podcast Publisher: from n/a through <= 4.1.15. |
Ersatzpole · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-51573 | Medium | 6.5 | — | 2024-11-11 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ersatzpole ML Responsive Audio player with playlist Shortcode mlr-audio allows Stored XSS. This issue affects ML Responsive Audio player w… |
Erzhongxmu · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-11251 | Medium | 6.3 | — | 2024-11-15 | A vulnerability was found in erzhongxmu Jeewms up to 20241108. |
Fahadmahmood · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-9835 | Medium | 4.8 | — | 2024-11-12 | The RSS Feed Widget WordPress plugin before 3.0.1 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers. |
Faizalbahasan · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-52379 | Critical | 10.0 | — | 2024-11-14 | Unrestricted Upload of File with Dangerous Type vulnerability in faizalbahasan kineticPay for WooCommerce kineticpay-for-woocommerce allows Upload a Web Shell to a Web Server. This issue affects kineticPay for WooCommerce: from n/a through… |
Fbtopcn · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10577 | Medium | 6.1 | — | 2024-11-13 | The 胖鼠采集(Fat Rat Collect) 微信知乎简书腾讯新闻列表分页采集, 还有自动采集、自动发布、自动标签、等多项功能。开源插件 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to missing escaping on a URL in all versions up to, and including, 2.7.3. |
Fedoraproject · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2023-4134 | Medium | 5.5 | — | 2024-11-14 | A use-after-free vulnerability was found in the cyttsp4_core driver in the Linux kernel. |
Fortra · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-3334 | Medium | 4.3 | — | 2024-11-15 | A security bypass vulnerability exists in the Removable Media Encryption (RME) component of Digital Guardian Windows Agents prior to version 8.2.0. |
Fraudlabspro · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-51688 | High | 7.1 | — | 2024-11-14 | Cross-Site Request Forgery (CSRF) vulnerability in fraudlabspro FraudLabs Pro SMS Verification fraudlabs-pro-sms-verification allows Stored XSS. This issue affects FraudLabs Pro SMS Verification: from n/a through <= 1.10.1. |
Fruitcakestudios · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-51843 | High | 8.5 | — | 2024-11-11 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in fruitcakestudios Horsemanager fruitcake-horsemanager allows Blind SQL Injection. This issue affects Horsemanager: from n/a through <= 1.3. |
Funnelkit · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-9186 | High | 8.6 | — | 2024-11-14 | The Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit WordPress plugin before 3.3.0 does not sanitize and escape the bwfan-track-id parameter before using it in a SQL statement, allowing… |
Futuriowp · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10695 | Medium | 4.3 | — | 2024-11-12 | The Futurio Extra plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.0.13 via the 'elementor-template' shortcode due to insufficient restrictions on which posts can be included. |
Gabriel Serafini · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-52353 | Medium | 6.5 | — | 2024-11-11 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Gabriel Serafini Christian Science Bible Lesson Subjects christian-science-bible-lesson-subjects allows DOM-Based XSS. This issue affects… |
Geekrmx · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-51659 | High | 7.1 | — | 2024-11-14 | Cross-Site Request Forgery (CSRF) vulnerability in GeekRMX Twitter @Anywhere Plus twitter-anywhere-plus allows Stored XSS. This issue affects Twitter @Anywhere Plus: from n/a through <= 2.0. |
Geovision · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-11120 | Critical | 9.8 | KEV | 2024-11-15 | Certain EOL GeoVision devices have an OS Command Injection vulnerability. |
Get-simple · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-11125 | Medium | 4.3 | — | 2024-11-12 | A vulnerability was found in GetSimpleCMS 3.3.16 and classified as problematic. |
Getflightpath · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-50983 | Medium | 5.4 | — | 2024-11-15 | FlightPath 7.5 contains a Cross Site Scripting (XSS) vulnerability, which allows authenticated remote attackers with administrative rights to inject arbitrary JavaScript in the web browser of a user by including a malicious payload into th… |
Getumbrel · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-49379 | — | — | — | 2024-11-13 | Umbrel is a home server OS for self-hosting. |
Giskard-ai · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-52524 | — | — | — | 2024-11-14 | Giskard is an evaluation and testing framework for AI systems. |
Gliffy · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10315 | — | — | — | 2024-11-11 | In Gliffy Online an insecure configuration was discovered in versions before 4.14.0-6. |
Gogs · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-44625 | High | 8.8 | — | 2024-11-15 | Gogs <=0.13.0 is vulnerable to Directory Traversal via the editFilePost function of internal/route/repo/editor.go. |
Gpac · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2023-4679 | Medium | 5.5 | — | 2024-11-15 | A use after free vulnerability exists in GPAC version 2.3-DEV-revrelease, specifically in the gf_filterpacket_del function in filter_core/filter.c at line 38. |
Grafana Labs · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-9476 | — | — | — | 2024-11-13 | A vulnerability in Grafana Labs Grafana OSS and Enterprise allows Privilege Escalation, letting users gain access to resources from other organizations within the same Grafana instance via the Grafana Cloud Migration Assistant. This vulner… |
Guchengwuyue · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-50648 | Critical | 9.8 | — | 2024-11-15 | yshopmall V1.0 has an arbitrary file upload vulnerability, which can enable RCE or even take over the server when improperly configured to parse JSP files. |
Hashthemes · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10802 | Medium | 5.3 | — | 2024-11-13 | The Hash Elements plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the hash_elements_get_posts_title_by_id() function in all versions up to, and including, 1.4.7. |
Hb Websol · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-51790 | Critical | 10.0 | — | 2024-11-11 | Unrestricted Upload of File with Dangerous Type vulnerability in HB WEBSOL HB AUDIO GALLERY hb-audio-gallery allows Upload a Web Shell to a Web Server. This issue affects HB AUDIO GALLERY: from n/a through <= 3.0. |
Henrik Hoff · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-51658 | High | 7.1 | — | 2024-11-14 | Cross-Site Request Forgery (CSRF) vulnerability in Henrik Hoff WP Course Manager wp-course-manager allows Stored XSS. This issue affects WP Course Manager: from n/a through <= 1.3. |
Hive Support · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-52370 | Critical | 9.9 | — | 2024-11-14 | Unrestricted Upload of File with Dangerous Type vulnerability in Hive Support Hive Support hive-support allows Upload a Web Shell to a Web Server. This issue affects Hive Support: from n/a through <= 1.1.1. |
Hyumika · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-52355 | Medium | 6.5 | — | 2024-11-11 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MiKa OSM osm. This issue affects OSM: from n/a through <= 6.1.2. |
Ibphoenix · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-11240 | Low | 3.5 | — | 2024-11-15 | A vulnerability was found in IBPhoenix ibWebAdmin up to 1.0.2 and classified as problematic. |
Icdsoft · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-11028 | Critical | 9.8 | — | 2024-11-13 | The MultiManager WP – Manage All Your WordPress Sites Easily plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.5. |
Imartinez · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-4343 | Critical | 9.8 | — | 2024-11-14 | A Python command injection vulnerability exists in the `SagemakerLLM` class's `complete()` method within `./private_gpt/components/llm/custom/sagemaker.py` of the imartinez/privategpt application, versions up to and including 0.3.0. |
Itg Computer Technology · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-7787 | — | — | — | 2024-11-14 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in ITG Computer Technology vSRM Supplier Relationship Management System allows Reflected XSS, Cross-Site Scripting (XSS). |
Jetbrains · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-52555 | Medium | 6.3 | — | 2024-11-15 | In JetBrains WebStorm before 2024.3 code execution in Untrusted Project mode was possible via type definitions installer script. |
Jinher Network · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-11060 | Medium | 6.3 | — | 2024-11-11 | A vulnerability classified as critical has been found in Jinher Network Collaborative Management Platform 金和数字化智能办公平台 1.0. |
Johndarrel · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10825 | Medium | 6.1 | — | 2024-11-15 | The Hide My WP Ghost – Security & Firewall plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the URL in all versions up to, and including, 5.3.01 due to insufficient input sanitization and output escaping. |
Joplin_project · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-49362 | High | 7.7 | — | 2024-11-14 | Joplin is a free, open source note taking and to-do application. |
Joshua Wolfe · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-51788 | Critical | 10.0 | — | 2024-11-11 | Unrestricted Upload of File with Dangerous Type vulnerability in Joshua Wolfe The Novel Design Store Directory noveldesign-store-directory allows Upload a Web Shell to a Web Server. This issue affects The Novel Design Store Directory: from… |
Kaminskym · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-8874 | Medium | 6.1 | — | 2024-11-13 | The AJAX Login and Registration modal popup + inline form plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2… |
Ketr · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-51164 | Critical | 9.1 | — | 2024-11-15 | Multiple parameters have SQL injection vulnerability in JEPaaS 7.2.8 via /je/login/btnLog/insertBtnLog, which could allow a remote user to submit a specially crafted query, allowing an attacker to retrieve all the information stored in the… |
Kimberlynorris · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-8985 | Medium | 6.4 | — | 2024-11-13 | The Social Proof (Testimonial) Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's spslider-block shortcode in all versions up to, and including, 2.2.4 due to insufficient input sanitization and output… |
Kodcloud · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-51037 | Medium | 5.3 | — | 2024-11-15 | An issue in kodbox v.1.52.04 and before allows a remote attacker to obtain sensitive information via the captcha feature in the password reset function. |
Labs64 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-52378 | High | 7.5 | — | 2024-11-14 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in labs64 DigiPass digipass allows Absolute Path Traversal. This issue affects DigiPass: from n/a through <= 0.3.0. |
Leevio · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10538 | Medium | 6.4 | — | 2024-11-12 | The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the before_label parameter in the Image Comparison widget in all versions up to, and including, 3.12.5 due to insufficient input sanitizat… |
Lollms · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-5125 | High | 7.3 | — | 2024-11-14 | parisneo/lollms-webui version 9.6 is vulnerable to Cross-Site Scripting (XSS) and Open Redirect due to inadequate input validation and processing of SVG files during the upload process. |
Lqd · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-52357 | Medium | 6.5 | — | 2024-11-11 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in lqd LIQUID BLOCKS liquid-blocks allows Stored XSS. This issue affects LIQUID BLOCKS: from n/a through <= 1.2.0. |
Lsquared · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-51820 | High | 8.5 | — | 2024-11-11 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wplsquared L Squared Hub WP l-squared-hub-wp-virtual-device allows SQL Injection. This issue affects L Squared Hub WP: from n/a through <=… |
Made I.t. · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-51791 | Critical | 10.0 | — | 2024-11-11 | Unrestricted Upload of File with Dangerous Type vulnerability in Made I.T. |
Mailmunch · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-9614 | Medium | 6.1 | — | 2024-11-13 | The Constant Contact Forms by MailMunch plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.1.2. |
Masterbip · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-51571 | Medium | 6.5 | — | 2024-11-11 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in masterbip MasterBip para Elementor masterbip-for-elementor allows DOM-Based XSS. This issue affects MasterBip para Elementor: from n/a thr… |
Matthewmueller · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-21541 | High | 7.3 | — | 2024-11-13 | Versions of the package dom-iterator before 1.0.1 are vulnerable to Arbitrary Code Execution due to use of the Function constructor without complete input sanitization. |
Mcafee · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-25254 | Critical | 9.8 | — | 2024-11-11 | SuperScan v4.1 was discovered to contain a buffer overflow via the Hostname/IP parameter. |
Md. Abdullah Al Masum · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-51575 | Medium | 6.5 | — | 2024-11-11 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Md. |
Mdaemon · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-11182 | Medium | 6.1 | KEV | 2024-11-15 | An XSS issue was discovered in MDaemon Email Server before version 24.5.1c. |
Medmatech · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-52382 | Critical | 9.8 | — | 2024-11-14 | Missing Authorization vulnerability in medmatech Matix Popup Builder medma-matix allows Privilege Escalation. This issue affects Matix Popup Builder: from n/a through <= 1.0.0. |
Melapress · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10793 | High | 7.2 | — | 2024-11-15 | The WP Activity Log plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user_id parameter in all versions up to, and including, 5.2.1 due to insufficient input sanitization and output escaping. |
Mendix · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-50313 | Medium | 5.3 | — | 2024-11-12 | A vulnerability has been identified in Mendix Runtime V10 (All versions < V10.16.0 only if the basic authentication mechanism is used by the application), Mendix Runtime V10.12 (All versions < V10.12.7 only if the basic authentication mech… |
Michelwppi · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-9357 | Medium | 6.1 | — | 2024-11-12 | The xili-tidy-tags plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'action' parameter in all versions up to, and including, 1.12.04 due to insufficient input sanitization and output escaping. |
Miloandrew · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-52352 | Medium | 6.5 | — | 2024-11-11 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in miloandrew Postcasa Shortcode postcasa allows DOM-Based XSS. This issue affects Postcasa Shortcode: from n/a through <= 1.0. |
Mobisoft974 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10245 | Critical | 9.8 | — | 2024-11-12 | The Relais 2FA plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.0. |
Mongodb · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10921 | Medium | 6.8 | — | 2024-11-14 | An authorized user may trigger crashes or receive the contents of buffer over-reads of Server memory by issuing specially crafted requests that construct malformed BSON in the MongoDB Server. |
Mozilla · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-11159 | Medium | 4.3 | — | 2024-11-13 | Using remote content in OpenPGP encrypted messages can lead to the disclosure of plaintext. |
Netapp · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-3447 | Medium | 6.0 | — | 2024-11-14 | A heap-based buffer overflow was found in the SDHCI device emulation of QEMU. |
Nicejob · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10887 | Medium | 6.4 | — | 2024-11-13 | The NiceJob plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several of the plugin's shortcodes (nicejob-lead, nicejob-review, nicejob-engage, nicejob-badge, nicejob-stories) in all versions up to, and including, 3.7.1… |
Nomysoft Informatics · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-8074 | — | — | — | 2024-11-12 | Missing Authentication for Critical Function, Missing Authorization vulnerability in Nomysoft Informatics Nomysem allows Collect Data as Provided by Users. |
Open-emr · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-0875 | Medium | 4.8 | — | 2024-11-15 | A stored cross-site scripting (XSS) vulnerability exists in openemr/openemr version 7.0.1. |
Openbsd · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10934 | Critical | 9.8 | — | 2024-11-15 | In OpenBSD 7.5 before errata 008 and OpenBSD 7.4 before errata 021, avoid possible mbuf double free in NFS client and server implementation, do not use uninitialized variable in error handling of NFS server. |
Openssl · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-4741 | High | 7.5 | — | 2024-11-13 | Issue summary: Calling the OpenSSL API function SSL_free_buffers may cause memory to be accessed that was previously freed in some situations. Impact summary: A use after free can have a range of potential consequences such as the corrupti… |
Opentext™ · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10923 | — | — | — | 2024-11-12 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in OpenText™ ALM Octane Management allows Stored XSS. The vulnerability could result in a remote code execution attack. |
Optimal Access · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-52369 | Critical | 9.9 | — | 2024-11-14 | Unrestricted Upload of File with Dangerous Type vulnerability in Optimal Access KBucket kbucket allows Upload a Web Shell to a Web Server. This issue affects KBucket: from n/a through <= 4.2.2. |
Orchidsoftware · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-51992 | Medium | 4.1 | — | 2024-11-11 | Orchid is a @laravel package that allows for rapid application development of back-office applications, admin/user panels, and dashboards. |
Oretnom23 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-11247 | Low | 3.5 | — | 2024-11-15 | A vulnerability has been found in SourceCodester Online Eyewear Shop 1.0 and classified as problematic. |
Osamataher · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-52302 | — | — | — | 2024-11-14 | common-user-management is a robust Spring Boot application featuring user management services designed to control user access dynamically. |
Pimcore · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2023-2332 | Medium | 4.8 | — | 2024-11-15 | A stored Cross-site Scripting (XSS) vulnerability exists in the Conditions tab of Pricing Rules in pimcore/pimcore versions 10.5.19. |
Ping Identity · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-23983 | — | — | — | 2024-11-11 | Improper handling of canonical URL-encoding may lead to bypass not properly constrained by request rules. |
Platform.ly · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-51687 | High | 7.1 | — | 2024-11-14 | Cross-Site Request Forgery (CSRF) vulnerability in Platform.ly Platform.ly Official platformly allows Stored XSS. This issue affects Platform.ly Official: from n/a through <= 1.1.3. |
Pluginus · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-52396 | Medium | 4.9 | — | 2024-11-14 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in RealMag777 WOLF bulk-editor allows Path Traversal. This issue affects WOLF: from n/a through <= 1.0.8.3. |
Poznan Supercomputing And Networking Center · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-7124 | — | — | — | 2024-11-14 | Improper Neutralization of Input During Web Page Generation vulnerability in DInGO dLibra software in the parameter 'filter' in the endpoint 'indexsearch' allows a Reflected Cross-Site Scripting (XSS). |
Progress Software · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10012 | High | 7.8 | — | 2024-11-13 | In Progress Telerik UI for WPF versions prior to 2024 Q4 (2024.4.1111), a code execution attack is possible through an insecure deserialization vulnerability. |
Progress Software Corporation · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-9999 | Medium | 6.5 | — | 2024-11-12 | In WS_FTP Server versions before 8.8.9 (2022.0.9), an Incorrect Implementation of Authentication Algorithm in the Web Transfer Module allows users to skip the second-factor verification and log in with username and password only. |
Project Worlds · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-11059 | Medium | 6.3 | — | 2024-11-11 | A vulnerability was found in Project Worlds Free Download Online Shopping System up to 192.168.1.88. |
Psf · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-1682 | Medium | 4.3 | — | 2024-11-14 | An unclaimed Amazon S3 bucket, 'codeconf', is referenced in an audio file link within the .rst documentation file. |
Public · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-11175 | Low | 3.5 | — | 2024-11-13 | A vulnerability was found in Public CMS 5.202406.d and classified as problematic. |
Publiccms · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-11070 | Low | 3.5 | — | 2024-11-11 | A vulnerability, which was classified as problematic, has been found in Sanluan PublicCMS 5.202406.d. |
Pyload · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-1240 | Medium | 6.1 | — | 2024-11-15 | An open redirection vulnerability exists in pyload/pyload version 0.5.0. |
Python Software Foundation · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-11168 | Low | 3.7 | — | 2024-11-12 | The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts (`[]`), allowing hosts that weren't IPv6 or IPvFuture. |
Qemu · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-7730 | High | 7.4 | — | 2024-11-14 | A heap buffer overflow was found in the virtio-snd device in QEMU. |
Qriouslad · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10790 | Medium | 5.4 | — | 2024-11-12 | The Admin and Site Enhancements (ASE) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 7.5.1 due to insufficient input sanitization and output escaping. |
Rclone · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-52522 | — | — | — | 2024-11-15 | Rclone is a command-line program to sync files and directories to and from different cloud storage providers. |
Really Simple Plugins · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10924 | Critical | 9.8 | — | 2024-11-15 | The Really Simple Security (Free, Pro, and Pro Multisite) plugins for WordPress are vulnerable to authentication bypass in versions 9.0.0 to 9.1.1.1. |
Richteam · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-51845 | High | 8.5 | — | 2024-11-11 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in richteam Share Buttons – Social Media rich-web-share-button allows Blind SQL Injection. This issue affects Share Buttons – Social Media: f… |
Rss_feed_widget_project · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-9836 | Medium | 5.9 | — | 2024-11-12 | The RSS Feed Widget WordPress plugin before 3.0.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and… |
Salt · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2023-34049 | Medium | 6.7 | — | 2024-11-14 | The Salt-SSH pre-flight option copies the script to the target at a predictable path, which allows an attacker to force Salt-SSH to run their script. |
Sap · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-47595 | Medium | 6.3 | — | 2024-11-12 | An attacker who gains local membership to sapsys group could replace local files usually protected by privileged access. |
Scottpaterson · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10685 | Medium | 6.1 | — | 2024-11-12 | The Contact Form 7 Redirect & Thank You Page plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escapin… |
Shawfactor · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-51572 | Medium | 6.5 | — | 2024-11-11 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in shawfactor LH QR Codes lh-qr-codes allows Stored XSS. This issue affects LH QR Codes: from n/a through <= 1.06. |
Shoaib Rehmat · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-52381 | High | 8.1 | — | 2024-11-14 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Shoaib Rehmat ZIJ KART zij-kart allows PHP Local File Inclusion. This issue affects ZIJ KART: from n/a through <= 1.1. |
Simple Goods · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-51574 | Medium | 6.5 | — | 2024-11-11 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Simple Goods Simple Goods simple-goods allows Stored XSS. This issue affects Simple Goods: from n/a through <= 0.1.3. |
Simplefilelist · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10146 | Medium | 5.4 | — | 2024-11-14 | The Simple File List WordPress plugin before 6.1.13 does not sanitise and escape a generated URL before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against admins. |
Smartwpress · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10582 | Medium | 4.3 | — | 2024-11-15 | The Music Player for Elementor – Audio Player & Podcast Player plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the import_mpfe_template() function in all versions up to, and incl… |
Smub · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10593 | Medium | 4.3 | — | 2024-11-13 | The WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.1.6. |
Sodah · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10816 | High | 7.5 | — | 2024-11-13 | The LUNA RADIO PLAYER plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 6.24.01.24 via the js/fallback.php file. |
Softpulseinfotech · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-52380 | Critical | 10.0 | — | 2024-11-14 | Unrestricted Upload of File with Dangerous Type vulnerability in softpulseinfotech Picsmize picsmize allows Upload a Web Shell to a Web Server. This issue affects Picsmize: from n/a through <= 1.0.0. |
Staxwp · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10778 | Medium | 4.3 | — | 2024-11-13 | The BuddyPress Builder for Elementor – BuddyBuilder plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.7.4 via the 'elementor-template' shortcode due to insufficient restrictions on which pos… |
Stirling-tools · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-52286 | — | — | — | 2024-11-11 | Stirling-PDF is a locally hosted web application that allows you to perform various operations on PDF files. |
Sylius · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2021-3841 | Medium | 5.4 | — | 2024-11-15 | sylius/sylius versions prior to 1.9.10, 1.10.11, and 1.11.2 are vulnerable to stored cross-site scripting (XSS) through SVG files. |
Symfony · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-51996 | High | 7.5 | — | 2024-11-13 | Symfony Process is a module for the Symfony PHP framework which executes commands in sub-processes. |
Synology · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10443 | Critical | 9.8 | — | 2024-11-15 | Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in Task Manager component in Synology BeePhotos before 1.0.2-10026 and 1.1.0-10053 and Synology Photos before 1.6.2-0720 and 1.7.0-079… |
Tcl · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-11136 | — | — | — | 2024-11-14 | The default TCL Camera application exposes a provider vulnerable to path traversal vulnerability. |
Team Devexhub · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-52373 | Critical | 10.0 | — | 2024-11-14 | Unrestricted Upload of File with Dangerous Type vulnerability in Team Devexhub Devexhub Gallery devexhub-gallery allows Upload a Web Shell to a Web Server. This issue affects Devexhub Gallery: from n/a through <= 2.0.1. |
Tecno · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-11206 | High | 7.5 | — | 2024-11-14 | Unauthorized access vulnerability in the mobile application (com.transsion.phoenix) can lead to the leakage of user information. |
Themeisle · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10672 | Low | 2.7 | — | 2024-11-12 | The Multiple Page Generator Plugin – MPG plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the mpg_upsert_project_source_block() function in all versions up to, and including, 4.0.2. |
Themeum · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10897 | Medium | 4.3 | — | 2024-11-15 | The Tutor LMS Elementor Addons plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the install_etlms_dependency_plugin() function in all versions up to, and including, 2.1.5. |
Thimpress · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-9609 | Medium | 6.1 | — | 2024-11-15 | The LearnPress Export Import – WordPress extension for LearnPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'learnpress_import_form_server' parameter in all versions up to, and including, 4.0.4 due to ins… |
Thinkaquamarine · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-9426 | Medium | 6.4 | — | 2024-11-13 | The Aqua SVG Sprite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.0.14 due to insufficient input sanitization and output escaping. |
Timgeyssens · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-11124 | Medium | 4.7 | — | 2024-11-12 | A vulnerability has been found in TimGeyssens UIOMatic 5 and classified as critical. |
Tobychui · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-52010 | — | — | — | 2024-11-12 | Zoraxy is a general purpose HTTP reverse proxy and forwarding tool. |
Tolgee · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-52297 | Critical | 9.8 | — | 2024-11-12 | Tolgee is an open-source localization platform. |
Tp-link · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-11237 | High | 7.5 | — | 2024-11-15 | A vulnerability, which was classified as critical, has been found in TP-Link VN020 F3v(T) TT_V6.2.1021. |
Tripetto · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10260 | High | 7.2 | — | 2024-11-15 | The Tripetto plugin for WordPress is vulnerable to Stored Cross-Site Scripting via File uploads in all versions up to, and including, 8.0.11 due to insufficient input sanitization and output escaping. |
Tychesoftwares · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10882 | Medium | 6.1 | — | 2024-11-13 | The Product Delivery Date for WooCommerce – Lite plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and inc… |
Ujw0l · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-51789 | Critical | 10.0 | — | 2024-11-11 | Unrestricted Upload of File with Dangerous Type vulnerability in UjW0L Image Classify image-classify allows Upload a Web Shell to a Web Server. This issue affects Image Classify: from n/a through <= 1.0.0. |
Unclebob · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-42499 | Medium | 5.3 | — | 2024-11-15 | Improper limitation of a pathname to a restricted directory ('Path Traversal') issue exists in FitNesse releases prior to 20241026. |
Unknown · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10820 | Critical | 9.8 | — | 2024-11-13 | The WooCommerce Upload Files plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the upload_files() function in all versions up to, and including, 84.3. |
Unopim · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-52305 | Medium | 6.5 | — | 2024-11-13 | UnoPim is an open-source Product Information Management (PIM) system built on the Laravel framework. |
Usememos · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2023-0109 | Medium | 5.4 | — | 2024-11-15 | A stored cross-site scripting (XSS) vulnerability was discovered in usememos/memos version 0.9.1. |
Vektor,inc. · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-52268 | Medium | 4.8 | — | 2024-11-13 | Cross-site scripting vulnerability exists in VK All in One Expansion Unit versions prior to 9.100.1.0. |
Viwis · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-8001 | Medium | 5.3 | — | 2024-11-13 | A vulnerability was found in VIWIS LMS 9.11. |
Wallabag · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2023-0737 | Medium | 6.5 | — | 2024-11-15 | wallabag version 2.5.2 contains a Cross-Site Request Forgery (CSRF) vulnerability that allows attackers to arbitrarily delete user accounts via the /account/delete endpoint. |
Webangon · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-52356 | Medium | 6.5 | — | 2024-11-11 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webangon The Pack Elementor addons the-pack-addon allows Stored XSS. This issue affects The Pack Elementor addons: from n/a through <= 2.1… |
Webtechglobal · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-52372 | Critical | 10.0 | — | 2024-11-14 | Unrestricted Upload of File with Dangerous Type vulnerability in WebTechGlobal Easy CSV Importer BETA easy-csv-importer allows Upload a Web Shell to a Web Server. This issue affects Easy CSV Importer BETA: from n/a through <= 7.0.0. |
Wedevs · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10174 | High | 7.3 | — | 2024-11-13 | The WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.6.13 via the 'Abstrac… |
Wpeka · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10113 | Medium | 6.4 | — | 2024-11-15 | The WP AdCenter – Ad Manager & Adsense Ads plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpadcenter_ad shortcode in all versions up to, and including, 2.5.7 due to insufficient input sanitization and ou… |
Wpslickstream · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10179 | Medium | 6.4 | — | 2024-11-12 | The Slickstream: Engagement and Conversions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's slick-grid shortcode in all versions up to, and including, 1.4.4 due to insufficient input sanitization and outp… |
Wpvivid · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-10962 | High | 8.8 | — | 2024-11-14 | The Migration, Backup, Staging – WPvivid plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 0.9.107 via deserialization of untrusted input in the 'replace_row_data' and 'replace_serialize_data'… |
Yotpo · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-9356 | Medium | 6.1 | — | 2024-11-15 | The Yotpo: Product & Photo Reviews for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'yotpo_user_email' and 'yotpo_user_name' parameters in all versions up to, and including, 1.7.9 due to insuffic… |
Zenml · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-4311 | Medium | 5.4 | — | 2024-11-14 | zenml-io/zenml version 0.56.4 is vulnerable to an account takeover due to the lack of rate-limiting in the password change function. |
Zephyrproject · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-11263 | Critical | 9.3 | — | 2024-11-15 | When the Global Pointer (GP) relative addressing is enabled (CONFIG_RISCV_GP=y), the gp reg points at 0x800 bytes past the start of the .sdata section which is then used by the linker to relax accesses to global symbols. |