Security Bulletin 18 Dec 2024

Published on 18 Dec 2024

SingCERT's Security Bulletin summarises the list of vulnerabilities collated from the National Institute of Standards and Technology (NIST)'s National Vulnerability Database (NVD) in the past week.

The vulnerabilities are tabled based on severity, in accordance to their CVSSv3 base scores:


Criticalvulnerabilities with a base score of 9.0 to 10.0
Highvulnerabilities with a base score of 7.0 to 8.9
Mediumvulnerabilities with a base score of 4.0 to 6.9
Lowvulnerabilities with a base score of 0.1 to 3.9
Nonevulnerabilities with a base score of 0.0

For those vulnerabilities without assigned CVSS scores, please visit NVD for the updated CVSS vulnerability entries.

CRITICAL VULNERABILITIES
CVE NumberDescriptionBase ScoreReference
CVE-2024-54261Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in HK Digital Agency LLC TAX SERVICE Electronic HDM allows SQL Injection.This issue affects TAX SERVICE Electronic HDM: from n/a through 1.1.2.10https://nvd.nist.gov/vuln/detail/CVE-2024-54261
CVE-2024-21577ComfyUI-Ace-Nodes is vulnerable to Code Injection. The ACE_ExpressionEval node contains an eval() in its entrypoint function that accepts arbitrary user-controlled data. A user can create a workflow that results in executing arbitrary code on the server.10https://nvd.nist.gov/vuln/detail/CVE-2024-21577
CVE-2024-21576ComfyUI-Bmad-Nodes is vulnerable to Code Injection. The issue stems from a validation bypass in the BuildColorRangeHSVAdvanced, FilterContour and FindContour custom nodes. In the entrypoint function to each node, there’s a call to eval which can be triggered by generating a workflow that injects a crafted string into the node. This can result in executing arbitrary code on the server.10https://nvd.nist.gov/vuln/detail/CVE-2024-21576
CVE-2024-21574The issue stems from a missing validation of the pip field in a POST request sent to the /customnode/install endpoint used to install custom nodes which is added to the server by the extension. This allows an attacker to craft a request that triggers a pip install on a user controlled package or URL, resulting in remote code execution (RCE) on the server.10https://nvd.nist.gov/vuln/detail/CVE-2024-21574
CVE-2024-54370Unrestricted Upload of File with Dangerous Type vulnerability in SuitePlugins Video & Photo Gallery for Ultimate Member allows Upload a Web Shell to a Web Server.This issue affects Video & Photo Gallery for Ultimate Member: from n/a through 1.1.0.9.9https://nvd.nist.gov/vuln/detail/CVE-2024-54370
CVE-2024-54262Unrestricted Upload of File with Dangerous Type vulnerability in Siddharth Nagar Import Export For WooCommerce allows Upload a Web Shell to a Web Server.This issue affects Import Export For WooCommerce: from n/a through 1.5.9.9https://nvd.nist.gov/vuln/detail/CVE-2024-54262
CVE-2024-55877XWiki Platform is a generic wiki platform. Starting in version 9.7-rc-1 and prior to versions 15.10.11, 16.4.1, and 16.5.0, any user with an account can perform arbitrary remote code execution by adding instances of `XWiki.WikiMacroClass` to any page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been fixed in XWiki 15.10.11, 16.4.1 and 16.5.0. It is possible to manually apply the patch to the page `XWiki.XWikiSyntaxMacrosList` as a workaround.9.9https://nvd.nist.gov/vuln/detail/CVE-2024-55877
CVE-2024-55662XWiki Platform is a generic wiki platform. Starting in version 3.3-milestone-1 and prior to versions 15.10.9 and 16.3.0, on instances where `Extension Repository Application` is installed, any user can execute any code requiring `programming` rights on the server. This vulnerability has been fixed in XWiki 15.10.9 and 16.3.0. Since `Extension Repository Application` is not mandatory, it can be safely disabled on instances that do not use it as a workaround. It is also possible to manually apply the patches from commit 8659f17d500522bf33595e402391592a35a162e8 to the page `ExtensionCode.ExtensionSheet` and to the page `ExtensionCode.ExtensionAuthorsDisplayer`.9.9https://nvd.nist.gov/vuln/detail/CVE-2024-55662
CVE-2024-8972Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mobil365 Informatics Saha365 App allows SQL Injection.This issue affects Saha365 App: before 30.09.2024.9.8https://nvd.nist.gov/vuln/detail/CVE-2024-8972
CVE-2024-50379Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration).

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97.

Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.08, which fixes the issue.
9.8https://nvd.nist.gov/vuln/detail/CVE-2024-50379
CVE-2024-12356A critical vulnerability has been discovered in Privileged Remote Access (PRA) and Remote Support (RS) products which can allow an unauthenticated attacker to inject commands that are run as a site user.9.8https://nvd.nist.gov/vuln/detail/CVE-2024-12356
CVE-2024-55085GetSimple CMS CE 3.3.19 suffers from arbitrary code execution in the template editing function in the background management system, which can be used by an attacker to implement RCE.9.8https://nvd.nist.gov/vuln/detail/CVE-2024-55085
CVE-2024-52949iptraf-ng 1.2.1 has a stack-based buffer overflow.9.8https://nvd.nist.gov/vuln/detail/CVE-2024-52949
CVE-2024-29671Buffer Overflow vulnerability in NEXTU FLATA AX1500 Router v.1.0.2 allows a remote attacker to execute arbitrary code via the POST request handler component.9.8https://nvd.nist.gov/vuln/detail/CVE-2024-29671
CVE-2024-55557ui/pref/ProxyPrefView.java in weasis-core in Weasis 4.5.1 has a hardcoded key for symmetric encryption of proxy credentials.9.8https://nvd.nist.gov/vuln/detail/CVE-2024-55557
CVE-2024-54229Incorrect Privilege Assignment vulnerability in Straightvisions GmbH SV100 Companion allows Privilege Escalation.This issue affects SV100 Companion: from n/a through 2.0.02.9.8https://nvd.nist.gov/vuln/detail/CVE-2024-54229
CVE-2024-43234Authentication Bypass Using an Alternate Path or Channel vulnerability in Envato Security Team Woffice allows Authentication Bypass.This issue affects Woffice: from n/a through 5.4.14.9.8https://nvd.nist.gov/vuln/detail/CVE-2024-43234
CVE-2024-56012Cross-Site Request Forgery (CSRF) vulnerability in Pearlbells Flash News / Post (Responsive) allows Privilege Escalation.This issue affects Flash News / Post (Responsive): from n/a through 4.1.9.8https://nvd.nist.gov/vuln/detail/CVE-2024-56012
CVE-2024-54367Deserialization of Untrusted Data vulnerability in ForumWP ForumWP allows Object Injection.This issue affects ForumWP: from n/a through 2.1.0.9.8https://nvd.nist.gov/vuln/detail/CVE-2024-54367
CVE-2024-54363Incorrect Privilege Assignment vulnerability in nssTheme Wp NssUser Register allows Privilege Escalation.This issue affects Wp NssUser Register: from n/a through 1.0.0.9.8https://nvd.nist.gov/vuln/detail/CVE-2024-54363
CVE-2024-49775A vulnerability has been identified in Opcenter Execution Foundation (All versions), Opcenter Intelligence (All versions), Opcenter Quality (All versions), Opcenter RDL (All versions), SIMATIC PCS neo V4.0 (All versions), SIMATIC PCS neo V4.1 (All versions), SIMATIC PCS neo V5.0 (All versions < V5.0 Update 1), SINEC NMS (All versions if operated in conjunction with UMC < V2.15), Totally Integrated Automation Portal (TIA Portal) V16 (All versions), Totally Integrated Automation Portal (TIA Portal) V17 (All versions), Totally Integrated Automation Portal (TIA Portal) V18 (All versions), Totally Integrated Automation Portal (TIA Portal) V19 (All versions). Affected products contain a heap-based buffer overflow vulnerability in the integrated UMC component.\r
This could allow an unauthenticated remote attacker to execute arbitrary code.
9.8https://nvd.nist.gov/vuln/detail/CVE-2024-49775
CVE-2024-55956In Cleo Harmony before 5.8.0.24, VLTrader before 5.8.0.24, and LexiCom before 5.8.0.24, an unauthenticated user can import and execute arbitrary Bash or PowerShell commands on the host system by leveraging the default settings of the Autorun directory.9.8https://nvd.nist.gov/vuln/detail/CVE-2024-55956
CVE-2024-54297Authentication Bypass Using an Alternate Path or Channel vulnerability in www.vbsso.com vBSSO-lite allows Authentication Bypass.This issue affects vBSSO-lite: from n/a through 1.4.3.9.8https://nvd.nist.gov/vuln/detail/CVE-2024-54297
CVE-2024-54296Authentication Bypass Using an Alternate Path or Channel vulnerability in Codexpert, Inc CoSchool LMS allows Authentication Bypass.This issue affects CoSchool LMS: from n/a through 1.2.9.8https://nvd.nist.gov/vuln/detail/CVE-2024-54296
CVE-2024-54295Authentication Bypass Using an Alternate Path or Channel vulnerability in InspireUI ListApp Mobile Manager allows Authentication Bypass.This issue affects ListApp Mobile Manager: from n/a through 1.7.7.9.8https://nvd.nist.gov/vuln/detail/CVE-2024-54295
CVE-2024-54294Authentication Bypass Using an Alternate Path or Channel vulnerability in appgenixinfotech Firebase OTP Authentication allows Authentication Bypass.This issue affects Firebase OTP Authentication: from n/a through 1.0.1.9.8https://nvd.nist.gov/vuln/detail/CVE-2024-54294
CVE-2024-54293Incorrect Privilege Assignment vulnerability in CE21 CE21 Suite allows Privilege Escalation.This issue affects CE21 Suite: from n/a through 2.2.0.9.8https://nvd.nist.gov/vuln/detail/CVE-2024-54293
CVE-2024-54273Deserialization of Untrusted Data vulnerability in PickPlugins Mail Picker allows Object Injection.This issue affects Mail Picker: from n/a through 1.0.14.9.8https://nvd.nist.gov/vuln/detail/CVE-2024-54273
CVE-2024-54239Missing Authorization vulnerability in dugudlabs Eyewear prescription form allows Privilege Escalation.This issue affects Eyewear prescription form: from n/a through 4.0.18.9.8https://nvd.nist.gov/vuln/detail/CVE-2024-54239
CVE-2024-9290The Super Backup & Clone - Migrate for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation and a missing capability check on the ibk_restore_migrate_check() function in all versions up to, and including, 2.3.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.9.8https://nvd.nist.gov/vuln/detail/CVE-2024-9290
CVE-2024-55875http4k is a functional toolkit for Kotlin HTTP applications. Prior to version 5.41.0.0, there is a potential XXE (XML External Entity Injection) vulnerability when http4k handling malicious XML contents within requests, which might allow attackers to read local sensitive information on server, trigger Server-side Request Forgery and even execute code under some circumstances. Version 5.41.0.0 contains a patch for the issue.9.8https://nvd.nist.gov/vuln/detail/CVE-2024-55875
CVE-2024-54811A SQL injection vulnerability in /index.php in PHPGurukul Park Ticketing Management System v1.0 allows an attacker to execute arbitrary SQL commands via the "login" parameter.9.8https://nvd.nist.gov/vuln/detail/CVE-2024-54811
CVE-2024-54810A SQL Injection vulnerability was found in /preschool/admin/password-recovery.php in PHPGurukul Pre-School Enrollment System Project v1.0, which allows remote attackers to execute arbitrary code via the mobileno parameter.9.8https://nvd.nist.gov/vuln/detail/CVE-2024-54810
CVE-2024-55099A SQL Injection vulnerability was found in /admin/index.php in phpgurukul Online Nurse Hiring System v1.0, which allows remote attackers to execute arbitrary SQL commands to get unauthorized database access via the username parameter.9.8https://nvd.nist.gov/vuln/detail/CVE-2024-55099
CVE-2024-54842A SQL injection vulnerability was found in phpgurukul Online Nurse Hiring System v1.0 in /admin/password-recovery.php via the mobileno parameter.9.8https://nvd.nist.gov/vuln/detail/CVE-2024-54842
CVE-2024-10124The Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation due to a missing capability check on the tp_install() function in all versions up to, and including, 1.1.1. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated. This vulnerability was partially patched in version 1.1.1.9.8https://nvd.nist.gov/vuln/detail/CVE-2024-10124
CVE-2024-11015The Sign In With Google plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.8.0. This is due to the 'authenticate_user' user function not implementing sufficient null value checks when setting the access token and user information. This makes it possible for unauthenticated attackers to log in as the first user who has signed in using Google OAuth, which could be the site administrator.9.8https://nvd.nist.gov/vuln/detail/CVE-2024-11015
CVE-2024-54534The issue was addressed with improved memory handling. This issue is fixed in watchOS 11.2, visionOS 2.2, tvOS 18.2, macOS Sequoia 15.2, Safari 18.2, iOS 18.2 and iPadOS 18.2. Processing maliciously crafted web content may lead to memory corruption.9.8https://nvd.nist.gov/vuln/detail/CVE-2024-54534
CVE-2024-54506An out-of-bounds access issue was addressed with improved bounds checking. This issue is fixed in macOS Sequoia 15.2. An attacker may be able to cause unexpected system termination or arbitrary code execution in DCP firmware.9.8https://nvd.nist.gov/vuln/detail/CVE-2024-54506
CVE-2024-54492This issue was addressed by using HTTPS when sending information over the network. This issue is fixed in macOS Sequoia 15.2, iOS 18.2 and iPadOS 18.2, iPadOS 17.7.3, visionOS 2.2. An attacker in a privileged network position may be able to alter network traffic.9.8https://nvd.nist.gov/vuln/detail/CVE-2024-54492
CVE-2024-54465A logic issue was addressed with improved state management. This issue is fixed in macOS Sequoia 15.2. An app may be able to elevate privileges.9.8https://nvd.nist.gov/vuln/detail/CVE-2024-54465
CVE-2024-44299The issue was addressed with improved bounds checks. This issue is fixed in iOS 18.1 and iPadOS 18.1. An attacker may be able to cause unexpected system termination or arbitrary code execution in DCP firmware.9.8https://nvd.nist.gov/vuln/detail/CVE-2024-44299
CVE-2024-44242The issue was addressed with improved bounds checks. This issue is fixed in iOS 18.1 and iPadOS 18.1. An attacker may be able to cause unexpected system termination or arbitrary code execution in DCP firmware.9.8https://nvd.nist.gov/vuln/detail/CVE-2024-44242
CVE-2024-44241The issue was addressed with improved bounds checks. This issue is fixed in iOS 18.1 and iPadOS 18.1. An attacker may be able to cause unexpected system termination or arbitrary code execution in DCP firmware.9.8https://nvd.nist.gov/vuln/detail/CVE-2024-44241
CVE-2024-49112Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability9.8https://nvd.nist.gov/vuln/detail/CVE-2024-49112
CVE-2024-11948GFI Archiver Telerik Web UI Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GFI Archiver. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the product installer. The issue results from the use of a vulnerable version of Telerik Web UI. An attacker can leverage this vulnerability to execute code in the context of NETWORK SERVICE. Was ZDI-CAN-24041.
9.8https://nvd.nist.gov/vuln/detail/CVE-2024-11948
CVE-2024-11737CWE-20: Improper Input Validation vulnerability exists that could lead to a denial of service and a loss of
confidentiality, integrity of the controller when an unauthenticated crafted Modbus packet is sent to the device.
9.8https://nvd.nist.gov/vuln/detail/CVE-2024-11737
CVE-2024-54372Cross-Site Request Forgery (CSRF) vulnerability in Sourov Amin Insertify allows Code Injection.This issue affects Insertify: from n/a through 1.1.4.9.6https://nvd.nist.gov/vuln/detail/CVE-2024-54372
CVE-2024-54368Cross-Site Request Forgery (CSRF) vulnerability in Ruben Garza, Jr. GitSync allows Code Injection.This issue affects GitSync: from n/a through 1.1.0.9.6https://nvd.nist.gov/vuln/detail/CVE-2024-54368
CVE-2024-12641TenderDocTransfer from Chunghwa Telecom has a Reflected Cross-site scripting vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection for the APIs, unauthenticated remote attackers could use specific APIs through phishing to execute arbitrary JavaScript code in the user’s browser. Since the web server set by the application supports Node.Js features, attackers can further leverage this to run OS commands.9.6https://nvd.nist.gov/vuln/detail/CVE-2024-12641
CVE-2024-11986Improper input handling in the 'Host Header' allows an unauthenticated attacker to store a payload in web application logs. When an Administrator views the logs using the application's standard functionality, it enables the execution of the payload, resulting in Stored XSS or 'Cross-Site Scripting'.9.6https://nvd.nist.gov/vuln/detail/CVE-2024-11986
CVE-2024-10205Authentication Bypass
vulnerability in Hitachi Ops Center Analyzer on Linux, 64 bit (Hitachi Ops Center Analyzer detail view component), Hitachi Infrastructure Analytics Advisor on Linux, 64 bit (Hitachi Data Center Analytics

component

).This issue affects Hitachi Ops Center Analyzer: from 10.0.0-00 before 11.0.3-00; Hitachi Infrastructure Analytics Advisor: from 2.1.0-00 through 4.4.0-00.
9.4https://nvd.nist.gov/vuln/detail/CVE-2024-10205
CVE-2024-54280Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Iqonic Design WPBookit allows SQL Injection.This issue affects WPBookit: from n/a through 1.6.0.9.3https://nvd.nist.gov/vuln/detail/CVE-2024-54280
CVE-2024-55988Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Amol Nirmala Waman Navayan CSV Export allows Blind SQL Injection.This issue affects Navayan CSV Export: from n/a through 1.0.9.9.3https://nvd.nist.gov/vuln/detail/CVE-2024-55988
CVE-2024-55982Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in richteam Share Buttons – Social Media allows Blind SQL Injection.This issue affects Share Buttons – Social Media: from n/a through 1.0.2.9.3https://nvd.nist.gov/vuln/detail/CVE-2024-55982
CVE-2024-55981Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Nabajit Roy Nabz Image Gallery allows SQL Injection.This issue affects Nabz Image Gallery: from n/a through v1.00.9.3https://nvd.nist.gov/vuln/detail/CVE-2024-55981
CVE-2024-55980Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Webriderz Wr Age Verification allows SQL Injection.This issue affects Wr Age Verification: from n/a through 2.0.0.9.3https://nvd.nist.gov/vuln/detail/CVE-2024-55980
CVE-2024-55978Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WalletStation.com Code Generator Pro allows SQL Injection.This issue affects Code Generator Pro: from n/a through 1.2.9.3https://nvd.nist.gov/vuln/detail/CVE-2024-55978
CVE-2024-55977Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in launch-page-importer LaunchPage.app Importer allows SQL Injection.This issue affects LaunchPage.app Importer: from n/a through 1.1.9.3https://nvd.nist.gov/vuln/detail/CVE-2024-55977
CVE-2024-55976Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mike Leembruggen Critical Site Intel allows SQL Injection.This issue affects Critical Site Intel: from n/a through 1.0.9.3https://nvd.nist.gov/vuln/detail/CVE-2024-55976
CVE-2024-55972Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Chris Carvache eTemplates allows SQL Injection.This issue affects eTemplates: from n/a through 0.2.1.9.3https://nvd.nist.gov/vuln/detail/CVE-2024-55972
CVE-2024-54361Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in outstrip Instant Appointment allows SQL Injection.This issue affects Instant Appointment: from n/a through 1.2.9.3https://nvd.nist.gov/vuln/detail/CVE-2024-54361
CVE-2024-54292Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Appsplate Appsplate allows SQL Injection.This issue affects Appsplate: from n/a through 2.1.3.9.3https://nvd.nist.gov/vuln/detail/CVE-2024-54292
CVE-2024-54234Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wp-buy Limit Login Attempts allows SQL Injection.This issue affects Limit Login Attempts: from n/a through 5.5.9.3https://nvd.nist.gov/vuln/detail/CVE-2024-54234
CVE-2024-49147Deserialization of untrusted data in Microsoft Update Catalog allows an unauthorized attacker to elevate privileges on the website’s webserver.9.3https://nvd.nist.gov/vuln/detail/CVE-2024-49147
CVE-2024-54285Unrestricted Upload of File with Dangerous Type vulnerability in SeedProd LLC SeedProd Pro allows Upload a Web Shell to a Web Server.This issue affects SeedProd Pro: from n/a through 6.18.10.9.1https://nvd.nist.gov/vuln/detail/CVE-2024-54285
CVE-2024-54369Missing Authorization vulnerability in ThemeHunk Zita Site Builder allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Zita Site Builder: from n/a through 1.0.2.9.1https://nvd.nist.gov/vuln/detail/CVE-2024-54369
CVE-2024-55969DocIO in Syncfusion Essential Studio for ASP.NET MVC before 27.1.55 throws XMLException during the resaving of a DOCX document with an external reference XML, aka I640714.9.1https://nvd.nist.gov/vuln/detail/CVE-2024-55969
CVE-2023-29476In Menlo On-Premise Appliance before 2.88, web policy may not be consistently applied properly to intentionally malformed client requests. This is fixed in 2.88.2+, 2.89.1+, and 2.90.1+.9.1https://nvd.nist.gov/vuln/detail/CVE-2023-29476
CVE-2022-46838Missing Authorization vulnerability in JS Help Desk JS Help Desk – Best Help Desk & Support Plugin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JS Help Desk – Best Help Desk & Support Plugin: from n/a through 2.7.1.9.1https://nvd.nist.gov/vuln/detail/CVE-2022-46838
CVE-2024-11834Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in PlexTrac allows arbitrary file writes.This issue affects PlexTrac: from 1.61.3 before 2.8.1.9.1https://nvd.nist.gov/vuln/detail/CVE-2024-11834
CVE-2024-55879XWiki Platform is a generic wiki platform. Starting in version 2.3 and prior to versions 15.10.9, 16.3.0, any user with script rights can perform arbitrary remote code execution by adding instances of `XWiki.ConfigurableClass` to any page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. This has been patched in XWiki 15.10.9 and 16.3.0. No known workarounds are available except upgrading.9.1https://nvd.nist.gov/vuln/detail/CVE-2024-55879
CVE-2024-45337Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. The documentation for ServerConfig.PublicKeyCallback says that "A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions. For example, an attacker may send public keys A and B, and then authenticate with A. PublicKeyCallback would be called only twice, first with A and then with B. A vulnerable application may then make authorization decisions based on key B for which the attacker does not actually control the private key. Since this API is widely misused, as a partial mitigation golang.org/x/cry...@v0.31.0 enforces the property that, when successfully authenticating via public key, the last key passed to ServerConfig.PublicKeyCallback will be the key used to authenticate the connection. PublicKeyCallback will now be called multiple times with the same key, if necessary. Note that the client may still not control the last key passed to PublicKeyCallback if the connection is then authenticated with a different method, such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. Users should be using the Extensions field of the Permissions return value from the various authentication callbacks to record data associated with the authentication attempt instead of referencing external state. Once the connection is established the state corresponding to the successful authentication attempt can be retrieved via the ServerConn.Permissions field. Note that some third-party libraries misuse the Permissions type by sharing it across authentication attempts; users of third-party libraries should refer to the relevant projects for guidance.9.1https://nvd.nist.gov/vuln/detail/CVE-2024-45337
CVE-2024-55884In the Mullvad VPN client 2024.6 (Desktop), 2024.8 (iOS), and 2024.8-beta1 (Android), the exception-handling alternate stack can be exhausted, leading to heap-based out-of-bounds writes in enable() in exception_logging/unix.rs, aka MLLVD-CR-24-01. NOTE: achieving code execution is considered non-trivial.9https://nvd.nist.gov/vuln/detail/CVE-2024-55884

OTHER VULNERABILITIES
CVE NumberDescriptionBase ScoreReference
CVE-2024-8326The s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 241114 via the 'sc_get_details' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including user data and database configuration information, which can lead to reading, updating, or dropping database tables. The vulnerability was partially patched in version 241114.8.8https://nvd.nist.gov/vuln/detail/CVE-2024-8326
CVE-2024-12293The User Role Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.64.3. This is due to missing or incorrect nonce validation on the update_roles() function. This makes it possible for unauthenticated attackers to add or remove roles for arbitrary users, including escalating their privileges to administrator, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.8.8https://nvd.nist.gov/vuln/detail/CVE-2024-12293
CVE-2024-11999CWE-1104: Use of Unmaintained Third-Party Components vulnerability exists that could cause complete
control of the device when an authenticated user installs malicious code into HMI product.
8.8https://nvd.nist.gov/vuln/detail/CVE-2024-11999
CVE-2024-38499CA Client Automation (ITCM) allows non-admin/non-root users to encrypt a string using CAF CLI and SD_ACMD CLI. This would allow the non admin user to access the critical encryption keys which further causes the exploitation of stored credentials. This fix doesn't allow a non-admin/non-root user to execute "caf encrypt"/"sd_acmd encrypt" commands.8.8https://nvd.nist.gov/vuln/detail/CVE-2024-38499
CVE-2024-56013Authentication Bypass Using an Alternate Path or Channel vulnerability in Wovax, LLC. Wovax IDX allows Authentication Bypass.This issue affects Wovax IDX: from n/a through 1.2.2.8.8https://nvd.nist.gov/vuln/detail/CVE-2024-56013
CVE-2024-54379Missing Authorization vulnerability in Blokhaus Minterpress allows Privilege Escalation.This issue affects Minterpress: from n/a through 1.0.5.8.8https://nvd.nist.gov/vuln/detail/CVE-2024-54379
CVE-2024-54378Missing Authorization vulnerability in Quietly Quietly Insights allows Privilege Escalation.This issue affects Quietly Insights: from n/a through 1.2.2.8.8https://nvd.nist.gov/vuln/detail/CVE-2024-54378
CVE-2024-54365Incorrect Privilege Assignment vulnerability in Halim KH Easy User Settings allows Privilege Escalation.This issue affects KH Easy User Settings: from n/a through 1.0.0.8.8https://nvd.nist.gov/vuln/detail/CVE-2024-54365
CVE-2024-54352Cross-Site Request Forgery (CSRF) vulnerability in Sabri Taieb Sogrid allows Privilege Escalation.This issue affects Sogrid: from n/a through 1.5.2.8.8https://nvd.nist.gov/vuln/detail/CVE-2024-54352
CVE-2024-53376CyberPanel before 2.3.8 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the phpSelection field to the websites/submitWebsiteCreation URI.8.8https://nvd.nist.gov/vuln/detail/CVE-2024-53376
CVE-2024-55661Laravel Pulse is a real-time application performance monitoring tool and dashboard for Laravel applications. A vulnerability has been discovered in Laravel Pulse prior to version 1.3.1 that could allow remote code execution through the public `remember()` method in the `Laravel\\Pulse\\Livewire\\Concerns\\RemembersQueries` trait. This method is accessible via Livewire components and can be exploited to call arbitrary callables within the application. An authenticated user with access to Laravel Pulse dashboard can execute arbitrary code by calling any function or static method in which the callable is a function or static method and the callable has no parameters or no strict parameter types. The vulnerable to component is `remember(callable $query, string $key = '')` method in `Laravel\\Pulse\\Livewire\\Concerns\\RemembersQueries`, and the vulnerability affects all Pulse card components that use this trait. Version 1.3.1 contains a patch.8.8https://nvd.nist.gov/vuln/detail/CVE-2024-55661
CVE-2024-54336Authentication Bypass Using an Alternate Path or Channel vulnerability in Projectopia Projectopia allows Authentication Bypass.This issue affects Projectopia: from n/a through 5.1.7.8.8https://nvd.nist.gov/vuln/detail/CVE-2024-54336
CVE-2024-54248Cross-Site Request Forgery (CSRF) vulnerability in Michael DUMONTET eewee admin custom allows Privilege Escalation.This issue affects eewee admin custom: from n/a through 1.8.2.4.8.8https://nvd.nist.gov/vuln/detail/CVE-2024-54248
CVE-2023-33996Missing Authorization vulnerability in СleanTalk - Anti-Spam Protection Spam protection, AntiSpam, FireWall by CleanTalk allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Spam protection, AntiSpam, FireWall by CleanTalk: from n/a through 6.10.8.8https://nvd.nist.gov/vuln/detail/CVE-2023-33996
CVE-2024-22461Dell RecoverPoint for Virtual Machines 6.0.x contains an OS Command injection vulnerability. A low privileged remote attacker could potentially exploit this vulnerability by running any command as root, leading to gaining of root-level access and compromise of complete system.8.8https://nvd.nist.gov/vuln/detail/CVE-2024-22461
CVE-2024-12040The Product Carousel Slider & Grid Ultimate for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.9.10 via the 'theme' attribute of the `wcpcsu` shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.8.8https://nvd.nist.gov/vuln/detail/CVE-2024-12040
CVE-2024-10590The Opt-In Downloads plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the admin_upload() function in all versions up to, and including, 4.07. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. Due to the presence of an .htaccess file, this can only be exploited to achieve RCE on NGINX servers, unless another vulnerability is present.8.8https://nvd.nist.gov/vuln/detail/CVE-2024-10590
CVE-2024-11689The HQ Rental Software plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.29. This is due to missing or incorrect nonce validation on the displaySettingsPage() function. This makes it possible for unauthenticated attackers to update arbitrary options that can be leveraged for privilege escalation via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.8.8https://nvd.nist.gov/vuln/detail/CVE-2024-11689
CVE-2024-11443The de:branding plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the debranding_save() function in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.8.8https://nvd.nist.gov/vuln/detail/CVE-2024-11443
CVE-2024-54505A type confusion issue was addressed with improved memory handling. This issue is fixed in iPadOS 17.7.3, watchOS 11.2, visionOS 2.2, tvOS 18.2, macOS Sequoia 15.2, Safari 18.2, iOS 18.2 and iPadOS 18.2. Processing maliciously crafted web content may lead to memory corruption.8.8https://nvd.nist.gov/vuln/detail/CVE-2024-54505
CVE-2024-54498A path handling issue was addressed with improved validation. This issue is fixed in macOS Sequoia 15.2, macOS Ventura 13.7.2, macOS Sonoma 14.7.2. An app may be able to break out of its sandbox.8.8https://nvd.nist.gov/vuln/detail/CVE-2024-54498
CVE-2024-55587python-libarchive through 4.2.1 allows directory traversal (to create files) in extract in zip.py for ZipFile.extractall and ZipFile.extract.8.8https://nvd.nist.gov/vuln/detail/CVE-2024-55587
CVE-2024-49125Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability8.8https://nvd.nist.gov/vuln/detail/CVE-2024-49125
CVE-2024-49117Windows Hyper-V Remote Code Execution Vulnerability8.8https://nvd.nist.gov/vuln/detail/CVE-2024-49117
CVE-2024-49104Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability8.8https://nvd.nist.gov/vuln/detail/CVE-2024-49104
CVE-2024-49102Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability8.8https://nvd.nist.gov/vuln/detail/CVE-2024-49102
CVE-2024-49093Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability8.8https://nvd.nist.gov/vuln/detail/CVE-2024-49093
CVE-2024-49086Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability8.8https://nvd.nist.gov/vuln/detail/CVE-2024-49086
CVE-2024-49085Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability8.8https://nvd.nist.gov/vuln/detail/CVE-2024-49085
CVE-2024-49080Windows IP Routing Management Snapin Remote Code Execution Vulnerability8.8https://nvd.nist.gov/vuln/detail/CVE-2024-49080
CVE-2024-12382Use after free in Translate in Google Chrome prior to 131.0.6778.139 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)8.8https://nvd.nist.gov/vuln/detail/CVE-2024-12382
CVE-2024-12381Type Confusion in V8 in Google Chrome prior to 131.0.6778.139 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)8.8https://nvd.nist.gov/vuln/detail/CVE-2024-12381
CVE-2024-11949GFI Archiver Store Service Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GFI Archiver. Authentication is required to exploit this vulnerability.

The specific flaw exists within the Store Service, which listens on TCP port 8018 by default. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-24331.
8.8https://nvd.nist.gov/vuln/detail/CVE-2024-11949
CVE-2024-11947GFI Archiver Core Service Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GFI Archiver. Authentication is required to exploit this vulnerability.

The specific flaw exists within the Core Service, which listens on TCP port 8017 by default. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-24029.
8.8https://nvd.nist.gov/vuln/detail/CVE-2024-11947
CVE-2024-28139The www-data user can elevate its privileges because sudo is configured to allow the execution of the mount command as root without a password. Therefore, the privileges can be escalated to the root user. The risk has been accepted by the vendor and won't be fixed in the near future.8.8https://nvd.nist.gov/vuln/detail/CVE-2024-28139
CVE-2024-12092A stored Cross-site Scripting (XSS) vulnerability affecting ENOVIA Collaborative Industry Innovator on Release 3DEXPERIENCE R2024x allows an attacker to execute arbitrary script code in user's browser session.8.7https://nvd.nist.gov/vuln/detail/CVE-2024-12092
CVE-2024-12091A stored Cross-site Scripting (XSS) vulnerability affecting ENOVIA Collaborative Industry Innovator from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2024x allows an attacker to execute arbitrary script code in user's browser session.8.7https://nvd.nist.gov/vuln/detail/CVE-2024-12091
CVE-2024-12090A stored Cross-site Scripting (XSS) vulnerability affecting ENOVIA Collaborative Industry Innovator on Release 3DEXPERIENCE R2024x allows an attacker to execute arbitrary script code in user's browser session.8.7https://nvd.nist.gov/vuln/detail/CVE-2024-12090
CVE-2024-12089A stored Cross-site Scripting (XSS) vulnerability affecting ENOVIA Collaborative Industry Innovator from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2024x allows an attacker to execute arbitrary script code in user's browser session.8.7https://nvd.nist.gov/vuln/detail/CVE-2024-12089
CVE-2024-11274An issue was discovered in GitLab CE/EE affecting all versions starting from 16.1 prior to 17.4.6, starting from 17.5 prior to 17.5.4, and starting from 17.6 prior to 17.6.2, injection of NEL headers in k8s proxy response could lead to session data exfiltration.8.7https://nvd.nist.gov/vuln/detail/CVE-2024-11274
CVE-2024-11858A flaw was found in Radare2, which contains a command injection vulnerability caused by insufficient input validation when handling Pebble Application files. Maliciously crafted inputs can inject shell commands during command parsing, leading to unintended behavior during file processing​8.6https://nvd.nist.gov/vuln/detail/CVE-2024-11858
CVE-2024-55887Ucum-java is a FHIR Java library providing UCUM Services. In versions prior to 1.0.9, XML parsing performed by the UcumEssenceService is vulnerable to XML external entity injections. A processed XML file with a malicious DTD tag could produce XML containing data from the host system. This impacts use cases where ucum is being used to within a host where external clients can submit XML. Release 1.0.9 of Ucum-java fixes this vulnerability. As a workaround, ensure that the source xml for instantiating UcumEssenceService is trusted.8.6https://nvd.nist.gov/vuln/detail/CVE-2024-55887
CVE-2024-52063Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in RTI Connext Professional (Core Libraries, Routing Service) allows Overflow Variables and Tags.This issue affects Connext Professional: from 7.0.0 before 7.3.0.5, from 6.1.0 before 6.1.2.21, from 6.0.0 before 6.0.1.40, from 5.0.0 before 5.3.1.45.8.6https://nvd.nist.gov/vuln/detail/CVE-2024-52063
CVE-2024-21575ComfyUI-Impact-Pack is vulnerable to Path Traversal. The issue stems from missing validation of the `image.filename` field in a POST request sent to the `/upload/temp` endpoint added by the extension to the server. This results in writing arbitrary files to the file system which may, under some conditions, result in remote code execution (RCE).8.6https://nvd.nist.gov/vuln/detail/CVE-2024-21575
CVE-2024-55987Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ritesh Sanap Advanced What should we write next about allows SQL Injection.This issue affects Advanced What should we write next about: from n/a through 1.0.3.8.5https://nvd.nist.gov/vuln/detail/CVE-2024-55987
CVE-2024-55986Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in serviceonline Service allows Blind SQL Injection.This issue affects Service: from n/a through 1.0.4.8.5https://nvd.nist.gov/vuln/detail/CVE-2024-55986
CVE-2024-55979Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Webriderz Wr Age Verification allows SQL Injection.This issue affects Wr Age Verification: from n/a through 2.0.0.8.5https://nvd.nist.gov/vuln/detail/CVE-2024-55979
CVE-2024-55974Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AMS Nexe Iberica Mimoos allows SQL Injection.This issue affects Mimoos: from n/a through 1.2.8.5https://nvd.nist.gov/vuln/detail/CVE-2024-55974
CVE-2024-55973Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ryan Nystrom TSB Occasion Editor allows SQL Injection.This issue affects TSB Occasion Editor: from n/a through 1.2.1.8.5https://nvd.nist.gov/vuln/detail/CVE-2024-55973
CVE-2024-54304Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Hive Support Hive Support – WordPress Help Desk allows SQL Injection.This issue affects Hive Support – WordPress Help Desk: from n/a through 1.1.2.8.5https://nvd.nist.gov/vuln/detail/CVE-2024-54304
CVE-2024-54258Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in anzia Ni CRM Lead allows SQL Injection.This issue affects Ni CRM Lead: from n/a through 1.3.0.8.5https://nvd.nist.gov/vuln/detail/CVE-2024-54258
CVE-2024-54098Service logic error vulnerability in the system service module
Impact: Successful exploitation of this vulnerability may affect service integrity.
8.5https://nvd.nist.gov/vuln/detail/CVE-2024-54098
CVE-2024-42407Insertion of Sensitive Information into Log File (CWE-532) in the Gallagher Command Centre Alarm Transmitter feature could allow an authenticated Operator to view some security sensitive information to which they have not been granted access.

This issue affects: Command Centre Server 9.10 prior to 9.10.2149 (MR4), 9.00 prior to 9.00.2374 (MR5), 8.90 prior to 8.90.2356 (MR6), all versions of 8.80 and prior.
8.5https://nvd.nist.gov/vuln/detail/CVE-2024-42407
CVE-2024-10095In Progress Telerik UI for WPF versions prior to 2024 Q4 (2024.4.1213), a code execution attack is possible through an insecure deserialization vulnerability.8.4https://nvd.nist.gov/vuln/detail/CVE-2024-10095
CVE-2024-28146The application uses several hard-coded credentials to encrypt config files during backup, to decrypt the new firmware during an update and some passwords allow a direct connection to the database server of the affected device.8.4https://nvd.nist.gov/vuln/detail/CVE-2024-28146
CVE-2024-28143The password change function at /cgi/admin.cgi does not require the current/old password, which makes the application vulnerable to account takeover. An attacker can use this to forcefully set a new password within the -rsetpass+-aaction+- parameter for a user without knowing the old password, e.g. by exploiting a CSRF issue.8.4https://nvd.nist.gov/vuln/detail/CVE-2024-28143
CVE-2024-49105Remote Desktop Client Remote Code Execution Vulnerability8.4https://nvd.nist.gov/vuln/detail/CVE-2024-49105
CVE-2024-49063Microsoft/Muzic Remote Code Execution Vulnerability8.4https://nvd.nist.gov/vuln/detail/CVE-2024-49063
CVE-2024-53290Dell ThinOS version 2408 contains an Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability. An unauthenticated attacker with local access could potentially exploit this vulnerability, leading to Command execution8.4https://nvd.nist.gov/vuln/detail/CVE-2024-53290
CVE-2023-38385Missing Authorization vulnerability in Artbees JupiterX Core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JupiterX Core: from 3.0.0 through 3.3.0.8.3https://nvd.nist.gov/vuln/detail/CVE-2023-38385
CVE-2024-54359Missing Authorization vulnerability in Saul Morales Pacheco Banner System allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Banner System: from n/a through 1.0.0.8.2https://nvd.nist.gov/vuln/detail/CVE-2024-54359
CVE-2024-12668Velocidex WinPmem versions below 4.1 suffer from an Out of Bounds Write vulnerability. By using an IO Control, a user space program can trick the driver into writing a 0 into any chosen memory location. In conjunction with information leakage from the WinPmem driver, attackers can discover the location in memory for the g_CiOptions global symbol. This can be leveraged to disable signed driver enforcement on the target system - allowing attackers to load unsigned drivers.8.2https://nvd.nist.gov/vuln/detail/CVE-2024-12668
CVE-2024-54514The issue was addressed with improved checks. This issue is fixed in watchOS 11.2, tvOS 18.2, macOS Sequoia 15.2, iOS 18.2 and iPadOS 18.2, macOS Ventura 13.7.2, macOS Sonoma 14.7.2. An app may be able to break out of its sandbox.8.2https://nvd.nist.gov/vuln/detail/CVE-2024-54514
CVE-2024-49068Microsoft SharePoint Elevation of Privilege Vulnerability8.2https://nvd.nist.gov/vuln/detail/CVE-2024-49068
CVE-2024-6001An improper certificate validation vulnerability was reported in LADM that could allow a network attacker with the ability to redirect an update request to a remote server and execute code with elevated privileges.8.1https://nvd.nist.gov/vuln/detail/CVE-2024-6001
CVE-2024-12646The topm-client from Chunghwa Telecom has an Arbitrary File Delete vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection in the APIs, unauthenticated remote attackers could use these APIs through phishing. Additionally, one of the APIs contains an Absolute Path Traversal vulnerability, allowing attackers to delete arbitrary files on the user's system.8.1https://nvd.nist.gov/vuln/detail/CVE-2024-12646
CVE-2024-12643The tbm-client from Chunghwa Telecom has an Arbitrary File Delete vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection in the APIs, unauthenticated remote attackers could use these APIs through phishing. Additionally, one of the APIs contains an Absolute Path Traversal vulnerability, allowing attackers to delete arbitrary files on the user's system.8.1https://nvd.nist.gov/vuln/detail/CVE-2024-12643
CVE-2024-12642TenderDocTransfer from Chunghwa Telecom has an Arbitrary File Write vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection for the APIs, unauthenticated remote attackers could use these APIs through phishing. Additionally, one of the APIs contains a Relative Path Traversal vulnerability, allowing attackers to write arbitrary files to any path on the user's system.8.1https://nvd.nist.gov/vuln/detail/CVE-2024-12642
CVE-2024-56083Cognition Devin before 2024-12-12 provides write access to code by an attacker who discovers the https://vscode-randomly_generated_string.devinapps.com URL (aka the VSCode live share URL) for a specific "Use Devin's Machine" session. For example, this URL may be discovered if a customer posts a screenshot of a Devin session to social media, or publicly streams their Devin session.8.1https://nvd.nist.gov/vuln/detail/CVE-2024-56083
CVE-2024-11721The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.24.5. This is due to insufficient controls on the user role select field when utilizing the 'Role' field in a form. This makes it possible for unauthenticated attackers to create new administrative user accounts, even when the administrative user role has not been provided as an option to the user, granted that unauthenticated users have been provided access to the form.8.1https://nvd.nist.gov/vuln/detail/CVE-2024-11721
CVE-2023-41130Missing Authorization vulnerability in Premmerce Premmerce User Roles allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Premmerce User Roles: from n/a through 1.0.12.8.1https://nvd.nist.gov/vuln/detail/CVE-2023-41130
CVE-2024-10783The MainWP Child – Securely Connects to the MainWP Dashboard to Manage Multiple Sites plugin for WordPress is vulnerable to privilege escalation due to a missing authorization checks on the register_site function in all versions up to, and including, 5.2 when a site is left in an unconfigured state. This makes it possible for unauthenticated attackers to log in as an administrator on instances where MainWP Child is not yet connected to the MainWP Dashboard. IMPORTANT: this only affects sites who have MainWP Child installed and have not yet connected to the MainWP Dashboard, and do not have the unique security ID feature enabled. Sites already connected to the MainWP Dashboard plugin and do not have the unique security ID feature enabled, are NOT affected and not required to upgrade. Please note 5.2.1 contains a partial patch, though we consider 5.3 to be the complete patch.8.1https://nvd.nist.gov/vuln/detail/CVE-2024-10783
CVE-2024-12312The Print Science Designer plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.152 via deserialization of untrusted input through the 'designer-saved-projects' cookie. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.8.1https://nvd.nist.gov/vuln/detail/CVE-2024-12312
CVE-2024-10111The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 6.26.3. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the username and the user does not have an already-existing account for the service returning the token.8.1https://nvd.nist.gov/vuln/detail/CVE-2024-10111
CVE-2024-49132Windows Remote Desktop Services Remote Code Execution Vulnerability8.1https://nvd.nist.gov/vuln/detail/CVE-2024-49132
CVE-2024-49128Windows Remote Desktop Services Remote Code Execution Vulnerability8.1https://nvd.nist.gov/vuln/detail/CVE-2024-49128
CVE-2024-49127Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability8.1https://nvd.nist.gov/vuln/detail/CVE-2024-49127
CVE-2024-49126Windows Local Security Authority Subsystem Service (LSASS) Remote Code Execution Vulnerability8.1https://nvd.nist.gov/vuln/detail/CVE-2024-49126
CVE-2024-49124Lightweight Directory Access Protocol (LDAP) Client Remote Code Execution Vulnerability8.1https://nvd.nist.gov/vuln/detail/CVE-2024-49124
CVE-2024-49123Windows Remote Desktop Services Remote Code Execution Vulnerability8.1https://nvd.nist.gov/vuln/detail/CVE-2024-49123
CVE-2024-49122Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability8.1https://nvd.nist.gov/vuln/detail/CVE-2024-49122
CVE-2024-49120Windows Remote Desktop Services Remote Code Execution Vulnerability8.1https://nvd.nist.gov/vuln/detail/CVE-2024-49120
CVE-2024-49119Windows Remote Desktop Services Remote Code Execution Vulnerability8.1https://nvd.nist.gov/vuln/detail/CVE-2024-49119
CVE-2024-49118Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability8.1https://nvd.nist.gov/vuln/detail/CVE-2024-49118
CVE-2024-49116Windows Remote Desktop Services Remote Code Execution Vulnerability8.1https://nvd.nist.gov/vuln/detail/CVE-2024-49116
CVE-2024-49115Windows Remote Desktop Services Remote Code Execution Vulnerability8.1https://nvd.nist.gov/vuln/detail/CVE-2024-49115
CVE-2024-49108Windows Remote Desktop Services Remote Code Execution Vulnerability8.1https://nvd.nist.gov/vuln/detail/CVE-2024-49108
CVE-2024-49106Windows Remote Desktop Services Remote Code Execution Vulnerability8.1https://nvd.nist.gov/vuln/detail/CVE-2024-49106
CVE-2024-49057Microsoft Defender for Endpoint on Android Spoofing Vulnerability8.1https://nvd.nist.gov/vuln/detail/CVE-2024-49057
CVE-2024-45404OpenCTI is an open-source cyber threat intelligence platform. In versions below 6.2.18, because the function to limit the rate of OTP does not exist, an attacker with valid credentials or a malicious user who commits internal fraud can break through the two-factor authentication and hijack the account. This is because the otpLogin mutation does not implement One Time Password rate limiting. As of time of publication, it is unknown whether a patch is available.8.1https://nvd.nist.gov/vuln/detail/CVE-2024-45404
CVE-2024-10476Default credentials are used in the above listed BD Diagnostic Solutions products. If exploited, threat actors may be able to access, modify or delete data, including sensitive information such as protected health information (PHI) and personally identifiable information (PII). Exploitation of this vulnerability may allow an attacker to shut down or otherwise impact the availability of the system. Note: BD Synapsys™ Informatics
Solution is only in scope of
this vulnerability when
installed on a NUC server. BD Synapsys™
Informatics Solution installed
on a customer-provided virtual machine or on the BD Kiestra™ SCU hardware is
not in scope.
8https://nvd.nist.gov/vuln/detail/CVE-2024-10476
CVE-2024-37774A Cross-Site Request Forgery (CSRF) in Sunbird DCIM dcTrack v9.1.2 allows authenticated attackers to escalate their privileges by forcing an Administrator user to perform sensitive requests in some admin screens.8https://nvd.nist.gov/vuln/detail/CVE-2024-37774
CVE-2021-26280Locally installed application can bypass the permission check and perform system operations that require permission.7.9https://nvd.nist.gov/vuln/detail/CVE-2021-26280
CVE-2024-54139Combodo iTop is an open source and web-based IT service management platform. Prior to versions 2.7.11, 3.1.2, and 3.2.0., iTop has a cross-site scripting vulnerability that can lead to cross-site request forgery on the `_table_id` parameter. Versions 2.7.11, 3.1.2, and 3.2.0 contain a patch for the issue.7.9https://nvd.nist.gov/vuln/detail/CVE-2024-54139
CVE-2024-12671A maliciously crafted DWFX file, when parsed through Autodesk Navisworks, can force an Out-of-Bounds Write vulnerability. A malicious actor can leverage this vulnerability to cause a crash, cause data corruption, or execute arbitrary code in the context of the current process.7.8https://nvd.nist.gov/vuln/detail/CVE-2024-12671
CVE-2024-12670A maliciously crafted DWF file, when parsed through Autodesk Navisworks, can be used to cause a Heap-based Overflow vulnerability. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process.7.8https://nvd.nist.gov/vuln/detail/CVE-2024-12670
CVE-2024-12669A maliciously crafted DWFX file, when parsed through Autodesk Navisworks, can be used to cause a Heap-based Overflow vulnerability. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process.7.8https://nvd.nist.gov/vuln/detail/CVE-2024-12669
CVE-2024-12200A maliciously crafted DWFX file, when parsed through Autodesk Navisworks, can force an Out-of-Bounds Write vulnerability. A malicious actor can leverage this vulnerability to cause a crash, cause data corruption, or execute arbitrary code in the context of the current process.7.8https://nvd.nist.gov/vuln/detail/CVE-2024-12200
CVE-2024-12199A maliciously crafted DWFX file, when parsed through Autodesk Navisworks, can force an Out-of-Bounds Write vulnerability. A malicious actor can leverage this vulnerability to cause a crash, cause data corruption, or execute arbitrary code in the context of the current process.7.8https://nvd.nist.gov/vuln/detail/CVE-2024-12199
CVE-2024-12198A maliciously crafted DWFX file, when parsed through Autodesk Navisworks, can force an Out-of-Bounds Write vulnerability. A malicious actor can leverage this vulnerability to cause a crash, cause data corruption, or execute arbitrary code in the context of the current process.7.8https://nvd.nist.gov/vuln/detail/CVE-2024-12198
CVE-2024-12197A maliciously crafted DWFX file, when parsed through Autodesk Navisworks, can force an Out-of-Bounds Write vulnerability. A malicious actor can leverage this vulnerability to cause a crash, cause data corruption, or execute arbitrary code in the context of the current process.7.8https://nvd.nist.gov/vuln/detail/CVE-2024-12197
CVE-2024-12194A maliciously crafted DWFX file, when parsed through Autodesk Navisworks, can force a Memory Corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process.7.8https://nvd.nist.gov/vuln/detail/CVE-2024-12194
CVE-2024-12193A maliciously crafted DWFX file, when parsed through Autodesk Navisworks, can force an Out-of-Bounds Write vulnerability. A malicious actor can leverage this vulnerability to cause a crash, cause data corruption, or execute arbitrary code in the context of the current process.7.8https://nvd.nist.gov/vuln/detail/CVE-2024-12193
CVE-2024-12192A maliciously crafted DWF file, when parsed through Autodesk Navisworks, can force an Out-of-Bounds Write vulnerability. A malicious actor can leverage this vulnerability to cause a crash, cause data corruption, or execute arbitrary code in the context of the current process.7.8https://nvd.nist.gov/vuln/detail/CVE-2024-12192
CVE-2024-12191A maliciously crafted DWFX file, when parsed through Autodesk Navisworks, can force an Out-of-Bounds Write vulnerability. A malicious actor can leverage this vulnerability to cause a crash, cause data corruption, or execute arbitrary code in the context of the current process.7.8https://nvd.nist.gov/vuln/detail/CVE-2024-12191
CVE-2024-12179A maliciously crafted DWFX file, when parsed through Autodesk Navisworks, can be used to cause a Heap-based Overflow vulnerability. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process.7.8https://nvd.nist.gov/vuln/detail/CVE-2024-12179
CVE-2024-12178A maliciously crafted DWFX file, when parsed through Autodesk Navisworks, can force a Memory Corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process.7.8https://nvd.nist.gov/vuln/detail/CVE-2024-12178
CVE-2024-11422A maliciously crafted DWFX file, when parsed through Autodesk Navisworks, can force an Out-of-Bounds Write vulnerability. A malicious actor can leverage this vulnerability to cause a crash, cause data corruption, or execute arbitrary code in the context of the current process.7.8https://nvd.nist.gov/vuln/detail/CVE-2024-11422
CVE-2024-4762An improper validation vulnerability was reported in the firmware update mechanism of LADM and LDCC that could allow a local attacker to escalate privileges.7.8https://nvd.nist.gov/vuln/detail/CVE-2024-4762
CVE-2024-31891IBM Storage Scale GUI 5.1.9.0 through 5.1.9.6 and 5.2.0.0 through 5.2.1.1

contains a local privilege escalation vulnerability. A malicious actor with command line access to the 'scalemgmt' user can elevate privileges to gain root access to the host operating system.
7.8https://nvd.nist.gov/vuln/detail/CVE-2024-31891
CVE-2024-47892Software installed and run as a non-privileged user may conduct GPU system calls to read and write freed physical memory from the GPU.7.8https://nvd.nist.gov/vuln/detail/CVE-2024-47892
CVE-2024-46971Software installed and run as a non-privileged user may conduct GPU system calls to read and write freed physical memory from the GPU.7.8https://nvd.nist.gov/vuln/detail/CVE-2024-46971
CVE-2024-9508Horner Automation Cscape contains a memory corruption vulnerability, which
could allow an attacker to disclose information and execute arbitrary
code.
7.8https://nvd.nist.gov/vuln/detail/CVE-2024-9508
CVE-2024-12212The vulnerability occurs in the parsing of CSP files. The issues result
from the lack of proper validation of user-supplied data, which could
allow reading past the end of allocated data structures, resulting in
execution of arbitrary code.
7.8https://nvd.nist.gov/vuln/detail/CVE-2024-12212
CVE-2024-54529A logic issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.2, macOS Ventura 13.7.2, macOS Sonoma 14.7.2. An app may be able to execute arbitrary code with kernel privileges.7.8https://nvd.nist.gov/vuln/detail/CVE-2024-54529
CVE-2024-54515A logic issue was addressed with improved restrictions. This issue is fixed in macOS Sequoia 15.2. A malicious app may be able to gain root privileges.7.8https://nvd.nist.gov/vuln/detail/CVE-2024-54515
CVE-2024-54489A path handling issue was addressed with improved validation. This issue is fixed in macOS Sequoia 15.2, macOS Ventura 13.7.2, macOS Sonoma 14.7.2. Running a mount command may unexpectedly execute arbitrary code.7.8https://nvd.nist.gov/vuln/detail/CVE-2024-54489
CVE-2024-44291A logic issue was addressed with improved file handling. This issue is fixed in macOS Sequoia 15.2, macOS Ventura 13.7.2, macOS Sonoma 14.7.2. A malicious app may be able to gain root privileges.7.8https://nvd.nist.gov/vuln/detail/CVE-2024-44291
CVE-2024-49142Microsoft Access Remote Code Execution Vulnerability7.8https://nvd.nist.gov/vuln/detail/CVE-2024-49142
CVE-2024-49138Windows Common Log File System Driver Elevation of Privilege Vulnerability7.8https://nvd.nist.gov/vuln/detail/CVE-2024-49138
CVE-2024-49114Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability7.8https://nvd.nist.gov/vuln/detail/CVE-2024-49114
CVE-2024-49090Windows Common Log File System Driver Elevation of Privilege Vulnerability7.8https://nvd.nist.gov/vuln/detail/CVE-2024-49090
CVE-2024-49088Windows Common Log File System Driver Elevation of Privilege Vulnerability7.8https://nvd.nist.gov/vuln/detail/CVE-2024-49088
CVE-2024-49079Input Method Editor (IME) Remote Code Execution Vulnerability7.8https://nvd.nist.gov/vuln/detail/CVE-2024-49079
CVE-2024-49076Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability7.8https://nvd.nist.gov/vuln/detail/CVE-2024-49076
CVE-2024-49074Windows Kernel-Mode Driver Elevation of Privilege Vulnerability7.8https://nvd.nist.gov/vuln/detail/CVE-2024-49074
CVE-2024-49072Windows Task Scheduler Elevation of Privilege Vulnerability7.8https://nvd.nist.gov/vuln/detail/CVE-2024-49072
CVE-2024-49069Microsoft Excel Remote Code Execution Vulnerability7.8https://nvd.nist.gov/vuln/detail/CVE-2024-49069
CVE-2024-43600Microsoft Office Elevation of Privilege Vulnerability7.8https://nvd.nist.gov/vuln/detail/CVE-2024-43600
CVE-2024-9845Under specific circumstances, insecure permissions in Ivanti Automation before version 2024.4.0.1 allows a local authenticated attacker to achieve local privilege escalation.7.8https://nvd.nist.gov/vuln/detail/CVE-2024-9845
CVE-2024-8496Under specific circumstances, insecure permissions in Ivanti Workspace Control before version 10.18.40.0 allows a local authenticated attacker to achieve local privilege escalation.7.8https://nvd.nist.gov/vuln/detail/CVE-2024-8496
CVE-2024-11598Under specific circumstances, insecure permissions in Ivanti Application Control before version 2024.3 HF1, 2024.1 HF2, or 2023.3 HF3 allows a local authenticated attacker to achieve local privilege escalation.7.8https://nvd.nist.gov/vuln/detail/CVE-2024-11598
CVE-2024-11597Under specific circumstances, insecure permissions in Ivanti Performance Manager before version 2024.3 HF1, 2024.1 HF1, or 2023.3 HF1 allows a local authenticated attacker to achieve local privilege escalation.7.8https://nvd.nist.gov/vuln/detail/CVE-2024-11597
CVE-2024-10251Under specific circumstances, insecure permissions in Ivanti Security Controls before version 2024.4.1 allows a local authenticated attacker to achieve local privilege escalation.7.8https://nvd.nist.gov/vuln/detail/CVE-2024-10251
CVE-2024-53289Dell ThinOS version 2408 contains a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of Privileges.7.8https://nvd.nist.gov/vuln/detail/CVE-2024-53289
CVE-2024-9624The WP All Import Pro plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.9.3 due to missing SSRF protection on the pmxi_curl_download function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. On cloud platforms, it might allow attackers to read the Instance metadata.7.6https://nvd.nist.gov/vuln/detail/CVE-2024-9624
CVE-2024-8058An improper parsing vulnerability was reported in the FileZ client that could allow a crafted file in the FileZ directory to read arbitrary files on the device due to URL preloading.7.6https://nvd.nist.gov/vuln/detail/CVE-2024-8058
CVE-2024-54284Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in SeedProd LLC SeedProd Pro allows SQL Injection.This issue affects SeedProd Pro: from n/a through 6.18.10.7.6https://nvd.nist.gov/vuln/detail/CVE-2024-54284
CVE-2024-54283Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in SeedProd LLC SeedProd Pro allows SQL Injection.This issue affects SeedProd Pro: from n/a through 6.18.10.7.6https://nvd.nist.gov/vuln/detail/CVE-2024-54283
CVE-2024-55990Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ewald Harmsen Mollie for Contact Form 7 allows Blind SQL Injection.This issue affects Mollie for Contact Form 7: from n/a through 5.0.0.7.6https://nvd.nist.gov/vuln/detail/CVE-2024-55990
CVE-2024-55989Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Kyle M. Brown WP Simple Pay Lite Manager allows SQL Injection.This issue affects WP Simple Pay Lite Manager: from n/a through 1.4.7.6https://nvd.nist.gov/vuln/detail/CVE-2024-55989
CVE-2023-35037Missing Authorization vulnerability in Surfer Surfer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Surfer: from n/a through 1.3.2.357.7.6https://nvd.nist.gov/vuln/detail/CVE-2023-35037
CVE-2024-9779A flaw was found in Open Cluster Management (OCM) when a user has access to the worker nodes which contain the cluster-manager or klusterlet deployments. The cluster-manager deployment uses a service account with the same name "cluster-manager" which is bound to a ClusterRole also named "cluster-manager", which includes the permission to create Pod resources. If this deployment runs a pod on an attacker-controlled node, the attacker can obtain the cluster-manager's token and steal any service account token by creating and mounting the target service account to control the whole cluster.7.5https://nvd.nist.gov/vuln/detail/CVE-2024-9779
CVE-2024-51479Next.js is a React framework for building full-stack web applications. In affected versions if a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed for pages directly under the application's root directory. For example: * [Not affected] `https://example.com/` * [Affected] `https://example.com/foo` * [Not affected] `https://example.com/foo/bar`. This issue is patched in Next.js `14.2.15` and later. If your Next.js application is hosted on Vercel, this vulnerability has been automatically mitigated, regardless of Next.js version. There are no official workarounds for this vulnerability.7.5https://nvd.nist.gov/vuln/detail/CVE-2024-51479
CVE-2024-36832A NULL pointer dereference in D-Link DAP-1513 REVA_FIRMWARE_1.01 allows attackers to cause a Denial of Service (DoS) via a crafted web request without authentication. The vulnerability occurs in the /bin/webs binary of the firmware. When /bin/webs receives a carefully constructed HTTP request, it will crash and exit due to a null pointer reference, leading to a denial of service attack to the device.7.5https://nvd.nist.gov/vuln/detail/CVE-2024-36832
CVE-2024-37775Incorrect access control in Sunbird DCIM dcTrack v9.1.2 allows attackers to create or update a ticket with a location which bypasses an RBAC check.7.5https://nvd.nist.gov/vuln/detail/CVE-2024-37775
CVE-2024-11144The server lacks thread safety and can be crashed by anomalous data sent by an anonymous user from a remote network. The crash causes the FTP service to become unavailable, affecting all users and processes that rely on it for file transfers. If the crash occurs during file upload or download, it could lead to incomplete file transfers, potentially corrupting data. The repeated crash might also affect the stability of the underlying system, especially if it leads to resource leaks or affects other services.7.5https://nvd.nist.gov/vuln/detail/CVE-2024-11144
CVE-2024-54376Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Spider-themes EazyDocs.This issue affects EazyDocs: from n/a through 2.5.5.7.5https://nvd.nist.gov/vuln/detail/CVE-2024-54376
CVE-2024-54279Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WPNERD WP-NERD Toolkit.This issue affects WP-NERD Toolkit: from n/a through 1.1.7.5https://nvd.nist.gov/vuln/detail/CVE-2024-54279
CVE-2024-54380Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Filippo Bodei WP Cookies Enabler allows PHP Local File Inclusion.This issue affects WP Cookies Enabler: from n/a through 1.0.1.7.5https://nvd.nist.gov/vuln/detail/CVE-2024-54380
CVE-2024-54375Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Sabri Taieb Woolook allows PHP Local File Inclusion.This issue affects Woolook: from n/a through 1.7.0.7.5https://nvd.nist.gov/vuln/detail/CVE-2024-54375
CVE-2024-54374Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Sabri Taieb Sogrid allows PHP Local File Inclusion.This issue affects Sogrid: from n/a through 1.5.6.7.5https://nvd.nist.gov/vuln/detail/CVE-2024-54374
CVE-2024-54373Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Chris Gårdenberg, MultiNet Interactive AB EduAdmin Booking allows PHP Local File Inclusion.This issue affects EduAdmin Booking: from n/a through 5.2.0.7.5https://nvd.nist.gov/vuln/detail/CVE-2024-54373
CVE-2024-8798No proper validation of the length of user input in olcp_ind_handler in zephyr/subsys/bluetooth/services/ots/ots_client.c.7.5https://nvd.nist.gov/vuln/detail/CVE-2024-8798
CVE-2024-56073An issue was discovered in FastNetMon Community Edition through 1.2.7. Zero-length templates for Netflow v9 allow remote attackers to cause a denial of service (divide-by-zero error and application crash).7.5https://nvd.nist.gov/vuln/detail/CVE-2024-56073
CVE-2024-56072An issue was discovered in FastNetMon Community Edition through 1.2.7. The sFlow v5 plugin allows remote attackers to cause a denial of service (application crash) via a crafted packet that specifies many sFlow samples.7.5https://nvd.nist.gov/vuln/detail/CVE-2024-56072
CVE-2024-55970File Manager in Syncfusion Essential Studio for ASP.NET MVC before 27.1.55 has a traversal issue that is related to the request parameter, aka I644734.7.5https://nvd.nist.gov/vuln/detail/CVE-2024-55970
CVE-2024-31892IBM Storage Scale GUI 5.1.9.0 through 5.1.9.6 and 5.2.0.0 through 5.2.1.1 could allow a user to perform unauthorized actions after intercepting and modifying a csv file due to improper neutralization of formula elements.7.5https://nvd.nist.gov/vuln/detail/CVE-2024-31892
CVE-2024-11711The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to SQL Injection via the 'resumeid' parameter in all versions up to, and including, 2.2.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.7.5https://nvd.nist.gov/vuln/detail/CVE-2024-11711
CVE-2023-39920Missing Authorization vulnerability in Themeisle Redirection for Contact Form 7 allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Redirection for Contact Form 7: from n/a through 2.9.2.7.5https://nvd.nist.gov/vuln/detail/CVE-2023-39920
CVE-2023-32585Missing Authorization vulnerability in Total-Soft Portfolio Gallery – Responsive Image Gallery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Portfolio Gallery – Responsive Image Gallery: from n/a through 1.4.6.7.5https://nvd.nist.gov/vuln/detail/CVE-2023-32585
CVE-2023-32520Missing Authorization vulnerability in Webcodin WCP Contact Form allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WCP Contact Form: from n/a through 3.1.0.7.5https://nvd.nist.gov/vuln/detail/CVE-2023-32520
CVE-2023-30490Missing Authorization vulnerability in Matthew Ruddy Easing Slider allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easing Slider : from n/a through 3.0.8.7.5https://nvd.nist.gov/vuln/detail/CVE-2023-30490
CVE-2023-25988Missing Authorization vulnerability in Video Gallery by Total-Soft Video Gallery – YouTube Gallery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Video Gallery – YouTube Gallery: from n/a through 1.7.6.7.5https://nvd.nist.gov/vuln/detail/CVE-2023-25988
CVE-2024-21544Versions of the package spatie/browsershot before 5.0.1 are vulnerable to Improper Input Validation due to improper URL validation through the setUrl method.\rAn attacker can exploit this vulnerability by using leading whitespace (%20) before the file:// protocol, resulting in Local File Inclusion, which allows the attacker to read sensitive files on the server.7.5https://nvd.nist.gov/vuln/detail/CVE-2024-21544
CVE-2024-47238Dell Client Platform BIOS contains an Improper Input Validation vulnerability in an externally developed component. A high privileged attacker with local access could potentially exploit this vulnerability, leading to arbitrary code execution.7.5https://nvd.nist.gov/vuln/detail/CVE-2024-47238
CVE-2024-8233An issue has been discovered in GitLab CE/EE affecting all versions from 9.4 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. An attacker could cause a denial of service with requests for diff files on a commit or merge request.7.5https://nvd.nist.gov/vuln/detail/CVE-2024-8233
CVE-2024-4109A flaw was found in Undertow. An HTTP request header value from a previous stream may be incorrectly reused for a request associated with a subsequent stream on the same HTTP/2 connection. This issue can potentially lead to information leakage between requests.7.5https://nvd.nist.gov/vuln/detail/CVE-2024-4109
CVE-2024-12172The WP Courses LMS – Online Courses Builder, eLearning Courses, Courses Solution, Education Courses plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wpc_update_user_meta_option() function in all versions up to, and including, 3.2.21. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary user's metadata which can be levereged to block an administrator from accessing their site when wp_capabilities is set to 0.7.5https://nvd.nist.gov/vuln/detail/CVE-2024-12172
CVE-2024-54508The issue was addressed with improved memory handling. This issue is fixed in watchOS 11.2, visionOS 2.2, tvOS 18.2, macOS Sequoia 15.2, Safari 18.2, iOS 18.2 and iPadOS 18.2. Processing maliciously crafted web content may lead to an unexpected process crash.7.5https://nvd.nist.gov/vuln/detail/CVE-2024-54508
CVE-2024-54479The issue was addressed with improved checks. This issue is fixed in iPadOS 17.7.3, watchOS 11.2, visionOS 2.2, tvOS 18.2, macOS Sequoia 15.2, Safari 18.2, iOS 18.2 and iPadOS 18.2. Processing maliciously crafted web content may lead to an unexpected process crash.7.5https://nvd.nist.gov/vuln/detail/CVE-2024-54479
CVE-2024-49129Windows Remote Desktop Gateway (RD Gateway) Denial of Service Vulnerability7.5https://nvd.nist.gov/vuln/detail/CVE-2024-49129
CVE-2024-49121Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability7.5https://nvd.nist.gov/vuln/detail/CVE-2024-49121
CVE-2024-49113Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability7.5https://nvd.nist.gov/vuln/detail/CVE-2024-49113
CVE-2024-49096Microsoft Message Queuing (MSMQ) Denial of Service Vulnerability7.5https://nvd.nist.gov/vuln/detail/CVE-2024-49096
CVE-2024-49075Windows Remote Desktop Services Denial of Service Vulnerability7.5https://nvd.nist.gov/vuln/detail/CVE-2024-49075
CVE-2024-47542GStreamer is a library for constructing graphs of media-handling components. A null pointer dereference has been discovered in the id3v2_read_synch_uint function, located in id3v2.c. If id3v2_read_synch_uint is called with a null work->hdr.frame_data, the pointer guint8 *data is accessed without validation, resulting in a null pointer dereference. This vulnerability can result in a Denial of Service (DoS) by triggering a segmentation fault (SEGV). This vulnerability is fixed in 1.24.10.7.5https://nvd.nist.gov/vuln/detail/CVE-2024-47542
CVE-2024-47541GStreamer is a library for constructing graphs of media-handling components. An OOB-write vulnerability has been identified in the gst_ssa_parse_remove_override_codes function of the gstssaparse.c file. This function is responsible for parsing and removing SSA (SubStation Alpha) style override codes, which are enclosed in curly brackets ({}). The issue arises when a closing curly bracket "}" appears before an opening curly bracket "{" in the input string. In this case, memmove() incorrectly duplicates a substring. With each successive loop iteration, the size passed to memmove() becomes progressively larger (strlen(end+1)), leading to a write beyond the allocated memory bounds. This vulnerability is fixed in 1.24.10.7.5https://nvd.nist.gov/vuln/detail/CVE-2024-47541
CVE-2024-12397A flaw was found in Quarkus-HTTP, which incorrectly parses cookies with
certain value-delimiting characters in incoming requests. This issue could
allow an attacker to construct a cookie value to exfiltrate HttpOnly cookie
values or spoof arbitrary additional cookie values, leading to unauthorized
data access or modification. The main threat from this flaw impacts data
confidentiality and integrity.
7.4https://nvd.nist.gov/vuln/detail/CVE-2024-12397
CVE-2024-49070Microsoft SharePoint Remote Code Execution Vulnerability7.4https://nvd.nist.gov/vuln/detail/CVE-2024-49070
CVE-2024-10972Velocidex WinPmem versions 4.1 and below suffer from an Improper Input Validation vulnerability whereby an attacker with admin access can trigger a BSOD with a parallel thread changing the memory’s access right under the control of the user-mode application. This is due to verification only being performed at the beginning of the routine allowing the userspace to change page permissions half way through the routine.  A valid workaround is a rule to detect unauthorized loading of winpmem outside incident response operations.7.3https://nvd.nist.gov/vuln/detail/CVE-2024-10972
CVE-2023-36510Missing Authorization vulnerability in Reservation Diary ReDi Restaurant Reservation allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ReDi Restaurant Reservation: from n/a through 23.0211.7.3https://nvd.nist.gov/vuln/detail/CVE-2023-36510
CVE-2023-32507Missing Authorization vulnerability in wp3sixty Woo Custom Emails allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Woo Custom Emails: from n/a through 2.2.7.3https://nvd.nist.gov/vuln/detail/CVE-2023-32507
CVE-2024-54097Security vulnerability in the HiView module
Impact: Successful exploitation of this vulnerability may affect feature implementation and integrity.
7.3https://nvd.nist.gov/vuln/detail/CVE-2024-54097
CVE-2024-10910The The Grid Plus – Unlimited grid layout plugin for WordPress is vulnerable to arbitrary shortcode execution via grid_plus_load_by_category AJAX action in all versions up to, and including, 1.3.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.7.3https://nvd.nist.gov/vuln/detail/CVE-2024-10910
CVE-2024-12497A vulnerability classified as critical has been found in 1000 Projects Attendance Tracking Management System 1.0. Affected is an unknown function of the file /admin/check_admin_login.php. The manipulation of the argument admin_user_name leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.7.3https://nvd.nist.gov/vuln/detail/CVE-2024-12497
CVE-2024-49107WmsRepair Service Elevation of Privilege Vulnerability7.3https://nvd.nist.gov/vuln/detail/CVE-2024-49107
CVE-2024-43594System Center Operations Manager Elevation of Privilege Vulnerability7.3https://nvd.nist.gov/vuln/detail/CVE-2024-43594
CVE-2024-12484A vulnerability classified as critical was found in Codezips Technical Discussion Forum 1.0. This vulnerability affects unknown code of the file /signuppost.php. The manipulation of the argument Username leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.7.3https://nvd.nist.gov/vuln/detail/CVE-2024-12484
CVE-2024-12024The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the em_ticket_category_data and em_ticket_individual_data parameters in all versions up to, and including, 4.0.5.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrative user accesses an injected page.\r
Note: this vulnerability requires the "Guest Submissions" setting to be enabled. It is disabled by default.
7.2https://nvd.nist.gov/vuln/detail/CVE-2024-12024
CVE-2024-55104Online Nurse Hiring System v1.0 was discovered to contain multiple SQL injection vulnerabilities in the component /admin/add-nurse.php via the gender and emailid parameters.7.2https://nvd.nist.gov/vuln/detail/CVE-2024-55104
CVE-2024-55103Online Nurse Hiring System v1.0 was discovered to contain a SQL injection vulnerability in the component /admin/profile.php via the fullname parameter.7.2https://nvd.nist.gov/vuln/detail/CVE-2024-55103
CVE-2024-54385Server-Side Request Forgery (SSRF) vulnerability in SoftLab Radio Player allows Server Side Request Forgery.This issue affects Radio Player: from n/a through 2.0.82.7.2https://nvd.nist.gov/vuln/detail/CVE-2024-54385
CVE-2024-11720The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via submission forms in all versions up to, and including, 3.24.5 due to insufficient input sanitization and output escaping on the new Taxonomy form. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This is only exploitable when lower-level users have been granted access to submit specific forms, which is disabled by default.7.2https://nvd.nist.gov/vuln/detail/CVE-2024-11720
CVE-2024-10646The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form's subject parameter in all versions up to, and including, 5.2.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.7.2https://nvd.nist.gov/vuln/detail/CVE-2024-10646
CVE-2024-9698The Crafthemes Demo Import plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'process_uploaded_files' function in all versions up to, and including, 3.3. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.7.2https://nvd.nist.gov/vuln/detail/CVE-2024-9698
CVE-2024-54330Server-Side Request Forgery (SSRF) vulnerability in Hep Hep Hurra (HHH) Hurrakify allows Server Side Request Forgery.This issue affects Hurrakify: from n/a through 2.4.7.2https://nvd.nist.gov/vuln/detail/CVE-2024-54330
CVE-2024-54282Deserialization of Untrusted Data vulnerability in Themeum WP Mega Menu allows Object Injection.This issue affects WP Mega Menu: from n/a through 1.4.2.7.2https://nvd.nist.gov/vuln/detail/CVE-2024-54282
CVE-2024-11052The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the calculations parameter in all versions up to, and including, 3.8.19 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.7.2https://nvd.nist.gov/vuln/detail/CVE-2024-11052
CVE-2024-10499The AI Engine WordPress plugin before 2.6.5 does not sanitize and escape a parameter from one of its RESP API endpoint before using it in a SQL statement, allowing admins to perform SQL injection attacks7.2https://nvd.nist.gov/vuln/detail/CVE-2024-10499
CVE-2024-49091Windows Domain Name Service Remote Code Execution Vulnerability7.2https://nvd.nist.gov/vuln/detail/CVE-2024-49091
CVE-2024-49089Windows Routing and Remote Access Service (RRAS) Remote Code Execution Vulnerability7.2https://nvd.nist.gov/vuln/detail/CVE-2024-49089
CVE-2024-53292Dell VxVerify, versions prior to x.40.405, contain a Plain-text Password Storage Vulnerability in the shell wrapper. A local high privileged attacker could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable component with privileges of the compromised account.7.2https://nvd.nist.gov/vuln/detail/CVE-2024-53292
CVE-2024-56017Cross-Site Request Forgery (CSRF) vulnerability in Tom Royal Stop Registration Spam allows Stored XSS.This issue affects Stop Registration Spam: from n/a through 1.23.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-56017
CVE-2024-54257Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Molefed allows Reflected XSS.This issue affects tydskrif: from n/a through 1.1.3.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54257
CVE-2024-54249Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jules Colle Advanced Options Editor allows Reflected XSS.This issue affects Advanced Options Editor: from n/a through 1.0.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54249
CVE-2024-56015Cross-Site Request Forgery (CSRF) vulnerability in John Godley Tidy Up allows Reflected XSS.This issue affects Tidy Up: from n/a through 1.3.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-56015
CVE-2024-54440Cross-Site Request Forgery (CSRF) vulnerability in blueskyy WP-Ban-User allows Stored XSS.This issue affects WP-Ban-User: from n/a through 1.0.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54440
CVE-2024-54439Cross-Site Request Forgery (CSRF) vulnerability in Alok Tiwari Amazon Product Price allows Stored XSS.This issue affects Amazon Product Price: from n/a through 1.1.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54439
CVE-2024-54438Cross-Site Request Forgery (CSRF) vulnerability in GAxx Gaxx Keywords allows Stored XSS.This issue affects Gaxx Keywords: from n/a through 0.2.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54438
CVE-2024-54437Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Merrill M. Mayer jCarousel allows Stored XSS.This issue affects jCarousel: from n/a through 1.0.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54437
CVE-2024-54436Cross-Site Request Forgery (CSRF) vulnerability in Jettochkin Jet Footer Code allows Stored XSS.This issue affects Jet Footer Code: from n/a through 1.4.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54436
CVE-2024-54435Cross-Site Request Forgery (CSRF) vulnerability in Thomas Hoefter Onlywire Multi Autosubmitter allows Stored XSS.This issue affects Onlywire Multi Autosubmitter: from n/a through 1.2.4.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54435
CVE-2024-54434Cross-Site Request Forgery (CSRF) vulnerability in Phoetry phZoom allows Stored XSS.This issue affects phZoom: from n/a through 1.2.92.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54434
CVE-2024-54433Cross-Site Request Forgery (CSRF) vulnerability in Simple Booking Simple Booking Widget allows Stored XSS.This issue affects Simple Booking Widget: from n/a through 1.1.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54433
CVE-2024-54432Cross-Site Request Forgery (CSRF) vulnerability in Shambhu Prasad Patnaik WP Flipkart Importer allows Stored XSS.This issue affects WP Flipkart Importer: from n/a through 1.4.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54432
CVE-2024-54431Cross-Site Request Forgery (CSRF) vulnerability in Mohamed Riyaz Admin Customization allows Stored XSS.This issue affects Admin Customization: from n/a through 2.2.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54431
CVE-2024-54429Cross-Site Request Forgery (CSRF) vulnerability in Ivan Ovsyannikov Aphorismus allows Stored XSS.This issue affects Aphorismus: from n/a through 1.2.0.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54429
CVE-2024-54428Cross-Site Request Forgery (CSRF) vulnerability in onigetoc Add image to Post allows Stored XSS.This issue affects Add image to Post: from n/a through 0.6.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54428
CVE-2024-54427Cross-Site Request Forgery (CSRF) vulnerability in Linda MacPhee-Cobb Category of Posts allows Stored XSS.This issue affects Category of Posts: from n/a through 1.0.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54427
CVE-2024-54426Cross-Site Request Forgery (CSRF) vulnerability in Andy Fradelakis LeaderBoard Plugin allows Stored XSS.This issue affects LeaderBoard Plugin: from n/a through 1.2.4.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54426
CVE-2024-54425Cross-Site Request Forgery (CSRF) vulnerability in LionScripts.com LionScripts: Site Maintenance & Noindex Nofollow Plugin allows Stored XSS.This issue affects LionScripts: Site Maintenance & Noindex Nofollow Plugin: from n/a through 2.1.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54425
CVE-2024-54424Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ilya Chekalskiy Like in Vk.com allows Stored XSS.This issue affects Like in Vk.com: from n/a through 0.5.2.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54424
CVE-2024-54423Cross-Site Request Forgery (CSRF) vulnerability in Jesse Overright Social Media Sharing allows Stored XSS.This issue affects Social Media Sharing: from n/a through 1.1.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54423
CVE-2024-54422Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Gaowei Tang Evernote Sync allows Reflected XSS.This issue affects Evernote Sync: from n/a through 3.0.0.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54422
CVE-2024-54421Cross-Site Request Forgery (CSRF) vulnerability in Sanjay Singh Negi Floating Video Player allows Stored XSS.This issue affects Floating Video Player: from n/a through 1.0.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54421
CVE-2024-54420Cross-Site Request Forgery (CSRF) vulnerability in Aleksander Novikov Metrika allows Cross Site Request Forgery.This issue affects Metrika: from n/a through 1.2.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54420
CVE-2024-54416Cross-Site Request Forgery (CSRF) vulnerability in Navdeep Kumar Wp Login with Ajax allows Stored XSS.This issue affects Wp Login with Ajax: from n/a through 0.6.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54416
CVE-2024-54415Cross-Site Request Forgery (CSRF) vulnerability in Cyle Conoly WP-HideThat allows Stored XSS.This issue affects WP-HideThat: from n/a through 1.2.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54415
CVE-2024-54414Cross-Site Request Forgery (CSRF) vulnerability in geoWP Geoportail Shortcode allows Stored XSS.This issue affects Geoportail Shortcode: from n/a through 2.4.4.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54414
CVE-2024-54413Cross-Site Request Forgery (CSRF) vulnerability in Stefan Brandt Display Future Posts allows Stored XSS.This issue affects Display Future Posts: from n/a through 0.2.3.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54413
CVE-2024-54412Cross-Site Request Forgery (CSRF) vulnerability in Ecommerce Templates ECT Product Carousel allows Stored XSS.This issue affects ECT Product Carousel: from n/a through 1.9.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54412
CVE-2024-54411Cross-Site Request Forgery (CSRF) vulnerability in hosting.io, campaigns.io WP Controller allows Stored XSS.This issue affects WP Controller: from n/a through 3.2.0.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54411
CVE-2024-54410Cross-Site Request Forgery (CSRF) vulnerability in Toby Cox SOPA Blackout allows Stored XSS.This issue affects SOPA Blackout: from n/a through 1.4.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54410
CVE-2024-54409Cross-Site Request Forgery (CSRF) vulnerability in fzmaster @ XPD XPD Reduce Image Filesize allows Stored XSS.This issue affects XPD Reduce Image Filesize: from n/a through 1.0.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54409
CVE-2024-54407Cross-Site Request Forgery (CSRF) vulnerability in 随意的风 CK and SyntaxHighlighter allows Stored XSS.This issue affects CK and SyntaxHighlighter: from n/a through 3.4.2.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54407
CVE-2024-54406Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Reza Moallemi Comments On Feed allows Reflected XSS.This issue affects Comments On Feed: from n/a through 1.2.1.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54406
CVE-2024-54405Cross-Site Request Forgery (CSRF) vulnerability in Andy Chapman ECT Social Share allows Stored XSS.This issue affects ECT Social Share: from n/a through 1.3.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54405
CVE-2024-54404Cross-Site Request Forgery (CSRF) vulnerability in Nazmul Ahsan MDC Comment Toolbar allows Stored XSS.This issue affects MDC Comment Toolbar: from n/a through 1.1.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54404
CVE-2024-54403Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ryan Scott Visual Recent Posts allows Reflected XSS.This issue affects Visual Recent Posts: from n/a through 1.2.3.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54403
CVE-2024-54401Cross-Site Request Forgery (CSRF) vulnerability in Turcu Ciprian Advanced Fancybox allows Stored XSS.This issue affects Advanced Fancybox: from n/a through 1.1.1.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54401
CVE-2024-54400Cross-Site Request Forgery (CSRF) vulnerability in MELONIQ.NET AppMaps allows Stored XSS.This issue affects AppMaps: from n/a through 1.1.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54400
CVE-2024-54399Cross-Site Request Forgery (CSRF) vulnerability in CRUDLab CRUDLab Google Plus Button allows Stored XSS.This issue affects CRUDLab Google Plus Button: from n/a through 1.0.2.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54399
CVE-2024-54398Cross-Site Request Forgery (CSRF) vulnerability in Project Caruso Flaming Forms allows Stored XSS.This issue affects Flaming Forms: from n/a through 1.0.1.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54398
CVE-2024-54397Cross-Site Request Forgery (CSRF) vulnerability in Antonio Gocaj Go Animate allows Stored XSS.This issue affects Go Animate: from n/a through 1.0.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54397
CVE-2024-54395Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Becky Sanders Increase Sociability allows Reflected XSS.This issue affects Increase Sociability: from n/a through 1.3.0.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54395
CVE-2024-54394Cross-Site Request Forgery (CSRF) vulnerability in Web solution soft Mandrill WP allows Stored XSS.This issue affects Mandrill WP: from n/a through 1.0.5.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54394
CVE-2024-54393Cross-Site Request Forgery (CSRF) vulnerability in Sheikh Heera WP Fiddle allows Stored XSS.This issue affects WP Fiddle: from n/a through 1.0.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54393
CVE-2024-54392Cross-Site Request Forgery (CSRF) vulnerability in Midoks WP微信机器人 allows Stored XSS.This issue affects WP微信机器人: from n/a through 5.3.5.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54392
CVE-2024-54391Cross-Site Request Forgery (CSRF) vulnerability in Matt Walters WordPress Filter allows Stored XSS.This issue affects WordPress Filter: from n/a through 1.4.1.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54391
CVE-2024-54390Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bouzid Nazim Zitouni TagGator allows Reflected XSS.This issue affects TagGator: from n/a through 1.54.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54390
CVE-2024-54389Cross-Site Request Forgery (CSRF) vulnerability in Eduardo Chiaro addWeather allows Cross Site Request Forgery.This issue affects addWeather: from n/a through 2.5.1.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54389
CVE-2024-54388Cross-Site Request Forgery (CSRF) vulnerability in Phuc Pham Multiple Admin Emails allows Cross Site Request Forgery.This issue affects Multiple Admin Emails: from n/a through 1.0.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54388
CVE-2024-54387Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jaytesh Barange Posts Date Ranges allows Reflected XSS.This issue affects Posts Date Ranges: from n/a through 2.2.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54387
CVE-2024-54386Cross-Site Request Forgery (CSRF) vulnerability in Get Push Monkey LLC Push Monkey Pro – Web Push Notifications and WooCommerce Abandoned Cart allows Cross Site Request Forgery.This issue affects Push Monkey Pro – Web Push Notifications and WooCommerce Abandoned Cart: from n/a through 3.9.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54386
CVE-2024-54364Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Spartac Feedpress Generator allows Reflected XSS.This issue affects Feedpress Generator: from n/a through 1.2.1.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54364
CVE-2024-54358Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Avatar 3D Creator 3D Avatar User Profile allows Reflected XSS.This issue affects 3D Avatar User Profile: from n/a through 1.0.0.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54358
CVE-2024-54353Cross-Site Request Forgery (CSRF) vulnerability in WPGear Hack-Info allows Stored XSS.This issue affects Hack-Info: from n/a through 3.17.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54353
CVE-2024-54332Cross-Site Request Forgery (CSRF) vulnerability in WPFactory WP Currency Exchange Rates allows Stored XSS.This issue affects WP Currency Exchange Rates: from n/a through 1.2.0.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54332
CVE-2024-54331Cross-Site Request Forgery (CSRF) vulnerability in Micha I Plant A Tree allows Stored XSS.This issue affects I Plant A Tree: from n/a through 1.7.3.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54331
CVE-2024-12644The tbm-client from Chunghwa Telecom has an Arbitrary File vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection in the APIs, unauthenticated remote attackers could use these APIs through phishing. Additionally, one of the APIs contains an Absolute Path Traversal vulnerability. Attackers can copy arbitrary files on the user's system and paste them into any path, which poses a potential risk of information leakage or could consume hard drive space by copying files in large volumes.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-12644
CVE-2024-56086An issue was discovered in Logpoint before 7.5.0. Authenticated users can inject payloads in Report Templates. These are executed when the backup process is initiated, leading to Remote Code Execution.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-56086
CVE-2024-56084An issue was discovered in Logpoint UniversalNormalizer before 5.7.0. Authenticated users can inject payloads while creating Universal Normalizer. These are executed, leading to Remote Code Execution.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-56084
CVE-2024-54351Cross-Site Request Forgery (CSRF) vulnerability in Tom Landis Fancy Roller Scroller allows Stored XSS.This issue affects Fancy Roller Scroller: from n/a through 1.4.0.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54351
CVE-2024-54347Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BAKKBONE Australia FloristPress allows Reflected XSS.This issue affects FloristPress: from n/a through 7.2.0.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54347
CVE-2024-54344Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Fahad Mahmood WP Quick Shop allows Reflected XSS.This issue affects WP Quick Shop: from n/a through 1.3.1.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54344
CVE-2024-54343Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Howard Ehrenberg Connect Contact Form 7 to Constant Contact allows Reflected XSS.This issue affects Connect Contact Form 7 to Constant Contact: from n/a through 1.4.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54343
CVE-2024-54342Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in STAGGS Staggs Product Configurator for WooCommerce allows Reflected XSS.This issue affects Staggs Product Configurator for WooCommerce: from n/a through 2.0.0.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54342
CVE-2024-54341Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LabelGrid LabelGrid Tools allows Reflected XSS.This issue affects LabelGrid Tools: from n/a through 1.3.58.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54341
CVE-2024-54340Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sylvia van Os Simple Presenter allows Reflected XSS.This issue affects Simple Presenter: from n/a through 1.5.1.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54340
CVE-2024-54339Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jbd7 geoFlickr allows Reflected XSS.This issue affects geoFlickr: from n/a through 1.3.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54339
CVE-2024-54337Cross-Site Request Forgery (CSRF) vulnerability in DevriX DX Dark Site allows Stored XSS.This issue affects DX Dark Site: from n/a through 1.0.1.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54337
CVE-2024-54335Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ZebraSoft Monaco ImmoToolBox Connect allows Reflected XSS.This issue affects ImmoToolBox Connect: from n/a through 1.3.3.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54335
CVE-2024-54333Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in silverplugins217 Check Pincode For Woocommerce allows Reflected XSS.This issue affects Check Pincode For Woocommerce: from n/a through 1.1.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54333
CVE-2024-54329Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Metup s.r.l. CleverNode Related Content allows Reflected XSS.This issue affects CleverNode Related Content: from n/a through 1.1.5.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54329
CVE-2024-54328Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Link Nacional Invoice Payment for WooCommerce allows Reflected XSS.This issue affects Invoice Payment for WooCommerce: from n/a through 1.7.2.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54328
CVE-2024-54327Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in universam UNIVERSAM allows Reflected XSS.This issue affects UNIVERSAM: from n/a through n/a.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54327
CVE-2024-54325Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DealerTrend CarDealerPress allows Reflected XSS.This issue affects CarDealerPress: from n/a through 6.6.2410.02.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54325
CVE-2024-54324Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Cloud Inn SMSify allows Reflected XSS.This issue affects SMSify: from n/a through 6.0.4.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54324
CVE-2024-54322Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ederson Peka Media Downloader allows Reflected XSS.This issue affects Media Downloader: from n/a through 0.4.7.4.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54322
CVE-2024-54320Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ICDSoft Hosting ICDSoft Reseller Store allows Reflected XSS.This issue affects ICDSoft Reseller Store: from n/a through 2.4.5.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54320
CVE-2024-54319Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MultiNet Interactive AB Kundgenerator allows Reflected XSS.This issue affects Kundgenerator: from n/a through 1.0.6.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54319
CVE-2024-54312Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ووکامرس فارسی Persian Woocommerce SMS allows Reflected XSS.This issue affects Persian Woocommerce SMS: from n/a through 7.0.5.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54312
CVE-2024-54305Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in woocs J&T Express Malaysia allows Reflected XSS.This issue affects J&T Express Malaysia: from n/a through 2.0.13.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54305
CVE-2024-54303Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ido Kobelkowsky / yalla ya! Simple Payment allows Reflected XSS.This issue affects Simple Payment: from n/a through 2.3.7.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54303
CVE-2024-54302Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vikas Ratudi VForm allows Reflected XSS.This issue affects VForm: from n/a through 3.0.0.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54302
CVE-2024-54301Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FormFacade FormFacade allows Reflected XSS.This issue affects FormFacade: from n/a through 1.3.6.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54301
CVE-2024-54299Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Revi Revi.io allows Reflected XSS.This issue affects Revi.io: from n/a through 5.7.3.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54299
CVE-2024-54290Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Justin Fletcher Role Includer allows Reflected XSS.This issue affects Role Includer: from n/a through 1.6.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54290
CVE-2024-54288Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LDD Web Design LDD Directory Lite allows Reflected XSS.This issue affects LDD Directory Lite: from n/a through 3.3.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54288
CVE-2024-54275Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Wibergs Web CSV to html allows Reflected XSS.This issue affects CSV to html: from n/a through 3.04.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54275
CVE-2024-54274Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Octrace Studio WordPress HelpDesk & Support Ticket System Plugin – Octrace Support allows Reflected XSS.This issue affects WordPress HelpDesk & Support Ticket System Plugin – Octrace Support: from n/a through 1.2.7.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54274
CVE-2024-54266Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ImageRecycle ImageRecycle pdf & image compression allows Reflected XSS.This issue affects ImageRecycle pdf & image compression: from n/a through 3.1.16.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54266
CVE-2024-54265Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in UkrSolution Barcode Scanner with Inventory & Order Manager allows Reflected XSS.This issue affects Barcode Scanner with Inventory & Order Manager: from n/a through 1.6.6.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54265
CVE-2024-54264Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in César Morillas Shortcodes Blocks Creator Ultimate allows Reflected XSS.This issue affects Shortcodes Blocks Creator Ultimate: from n/a through 2.2.0.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54264
CVE-2024-54256Missing Authorization vulnerability in Seerox Easy Blocks pro allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Easy Blocks pro: from n/a through 1.0.21.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54256
CVE-2024-54240Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Blaze Online Blaze Online eParcel for WooCommerce allows Reflected XSS.This issue affects Blaze Online eParcel for WooCommerce: from n/a through 1.3.3.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54240
CVE-2024-54238Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Colin Tomele Board Document Manager from CHUHPL allows Reflected XSS.This issue affects Board Document Manager from CHUHPL: from n/a through 1.9.1.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54238
CVE-2024-54237Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in anzia Ni CRM Lead allows Reflected XSS.This issue affects Ni CRM Lead: from n/a through 1.3.0.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54237
CVE-2024-54236Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in anzia Ni WooCommerce Bulk Product Editor allows Reflected XSS.This issue affects Ni WooCommerce Bulk Product Editor: from n/a through 1.4.5.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54236
CVE-2024-54235Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shiptimize Shiptimize for WooCommerce allows Reflected XSS.This issue affects Shiptimize for WooCommerce: from n/a through 3.1.86.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54235
CVE-2024-54233Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Enea Overclokk Advanced Control Manager for WordPress by ItalyStrap allows Reflected XSS.This issue affects Advanced Control Manager for WordPress by ItalyStrap: from n/a through 2.16.0.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54233
CVE-2024-54231Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in anzia Ni WooCommerce Order Export allows Reflected XSS.This issue affects Ni WooCommerce Order Export: from n/a through 3.1.6.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54231
CVE-2024-21543Versions of the package djoser before 2.3.0 are vulnerable to Authentication Bypass when the authenticate() function fails. This is because the system falls back to querying the database directly, granting access to users with valid credentials, and eventually bypassing custom authentication checks such as two-factor authentication, LDAP validations, or requirements from configured AUTHENTICATION_BACKENDS.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-21543
CVE-2024-55888Hush Line is an open-source whistleblower management system. Starting in version 0.1.0 and prior to version 0.3.5, the productions server appeared to have been misconfigured and missed providing any content security policy or security headers. This could result in bypassing of cross-site scripting filters. Version 0.3.5 fixed the issue.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-55888
CVE-2024-54107Read/Write vulnerability in the image decoding module
Impact: Successful exploitation of this vulnerability will affect availability.
7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54107
CVE-2024-54106Null pointer dereference vulnerability in the image decoding module
Impact: Successful exploitation of this vulnerability will affect availability.
7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54106
CVE-2024-54528A logic issue was addressed with improved restrictions. This issue is fixed in macOS Sequoia 15.2, macOS Ventura 13.7.2, macOS Sonoma 14.7.2. An app may be able to overwrite arbitrary files.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-54528
CVE-2024-11840The RapidLoad – Optimize Web Vitals Automatically plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the uucss_data, update_rapidload_settings, wp_ajax_update_htaccess_file, uucss_update_rule, upload_rules, get_all_rules, update_titan_settings, preload_page, and activate_module functions in all versions up to, and including, 2.4.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify plugin settings or conduct SQL injection attacks.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-11840
CVE-2024-12363Insufficient permissions in the TeamViewer Patch & Asset Management component prior to version 24.12 on Windows allows a local authenticated user to delete arbitrary files. TeamViewer Patch & Asset Management is part of TeamViewer Remote Management.7.1https://nvd.nist.gov/vuln/detail/CVE-2024-12363
CVE-2020-12487Due to the flaws in the verification of input parameters, the attacker can input carefully constructed commands to make the ABE service execute some commands with root privilege.7https://nvd.nist.gov/vuln/detail/CVE-2020-12487
CVE-2024-49097Windows PrintWorkflowUserSvc Elevation of Privilege Vulnerability7https://nvd.nist.gov/vuln/detail/CVE-2024-49097
CVE-2024-49095Windows PrintWorkflowUserSvc Elevation of Privilege Vulnerability7https://nvd.nist.gov/vuln/detail/CVE-2024-49095
CVE-2024-49084Windows Kernel Elevation of Privilege Vulnerability7https://nvd.nist.gov/vuln/detail/CVE-2024-49084
CVE-2024-49059Microsoft Office Elevation of Privilege Vulnerability7https://nvd.nist.gov/vuln/detail/CVE-2024-49059
CVE-2024-55886OpenSearch Data Prepper is a component of the OpenSearch project that accepts, filters, transforms, enriches, and routes data at scale. A vulnerability exists in the OpenTelemetry Logs source in Data Prepper starting inversion 2.1.0 and prior to version 2.10.2 where some custom authentication plugins will not perform authentication. This allows unauthorized users to ingest OpenTelemetry Logs data under certain conditions. This vulnerability does not affect the built-in `http_basic` authentication provider in Data Prepper. Pipelines which use the `http_basic` authentication provider continue to require authentication. The vulnerability exists only for custom implementations of Data Prepper’s `GrpcAuthenticationProvider` authentication plugin which implement the `getHttpAuthenticationService()` method instead of `getAuthenticationInterceptor()`. Data Prepper 2.10.2 contains a fix for this issue. For those unable to upgrade, one may use the built-in `http_basic` authentication provider in Data Prepper and/or add an authentication proxy in front of one's Data Prepper instances running the OpenTelemetry Logs source.6.9https://nvd.nist.gov/vuln/detail/CVE-2024-55886
CVE-2024-55878SimpleXLSX is software for parsing and retrieving data from Excel XLSx files. Starting in version 1.0.12 and prior to version 1.1.12, when calling the extended toHTMLEx method, it is possible to execute arbitrary JavaScript code. Version 1.1.12 fixes the issue. As a workaround, don't use direct publication via toHTMLEx.6.8https://nvd.nist.gov/vuln/detail/CVE-2024-55878
CVE-2024-49110Windows Mobile Broadband Driver Elevation of Privilege Vulnerability6.8https://nvd.nist.gov/vuln/detail/CVE-2024-49110
CVE-2024-49092Windows Mobile Broadband Driver Elevation of Privilege Vulnerability6.8https://nvd.nist.gov/vuln/detail/CVE-2024-49092
CVE-2024-49083Windows Mobile Broadband Driver Elevation of Privilege Vulnerability6.8https://nvd.nist.gov/vuln/detail/CVE-2024-49083
CVE-2024-49082Windows File Explorer Information Disclosure Vulnerability6.8https://nvd.nist.gov/vuln/detail/CVE-2024-49082
CVE-2024-49078Windows Mobile Broadband Driver Elevation of Privilege Vulnerability6.8https://nvd.nist.gov/vuln/detail/CVE-2024-49078
CVE-2024-49077Windows Mobile Broadband Driver Elevation of Privilege Vulnerability6.8https://nvd.nist.gov/vuln/detail/CVE-2024-49077
CVE-2024-49073Windows Mobile Broadband Driver Elevation of Privilege Vulnerability6.8https://nvd.nist.gov/vuln/detail/CVE-2024-49073
CVE-2024-54099File replacement vulnerability on some devices
Impact: Successful exploitation of this vulnerability will affect integrity and confidentiality.
6.7https://nvd.nist.gov/vuln/detail/CVE-2024-54099
CVE-2024-12570An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7 prior to 17.4.6, from 17.5 prior to 17.5.4, and from 17.6 prior to 17.6.2. It may have been possible for an attacker with a victim's `CI_JOB_TOKEN` to obtain a GitLab session token belonging to the victim.6.7https://nvd.nist.gov/vuln/detail/CVE-2024-12570
CVE-2024-24902Dell RecoverPoint for Virtual Machines 6.0.x contains an Improper access control vulnerability. A low privileged local attacker could potentially exploit this vulnerability leading to gaining access to unauthorized data for a limited time.6.6https://nvd.nist.gov/vuln/detail/CVE-2024-24902
CVE-2024-49111Wireless Wide Area Network Service (WwanSvc) Elevation of Privilege Vulnerability6.6https://nvd.nist.gov/vuln/detail/CVE-2024-49111
CVE-2024-49109Wireless Wide Area Network Service (WwanSvc) Elevation of Privilege Vulnerability6.6https://nvd.nist.gov/vuln/detail/CVE-2024-49109
CVE-2024-49101Wireless Wide Area Network Service (WwanSvc) Elevation of Privilege Vulnerability6.6https://nvd.nist.gov/vuln/detail/CVE-2024-49101
CVE-2024-49094Wireless Wide Area Network Service (WwanSvc) Elevation of Privilege Vulnerability6.6https://nvd.nist.gov/vuln/detail/CVE-2024-49094
CVE-2024-49081Wireless Wide Area Network Service (WwanSvc) Elevation of Privilege Vulnerability6.6https://nvd.nist.gov/vuln/detail/CVE-2024-49081
CVE-2024-52792LDAP Account Manager (LAM) is a php webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. In affected versions LAM does not properly sanitize configuration values, that are set via `mainmanage.php` and `confmain.php`. This allows setting arbitrary config values and thus effectively bypassing `mitigation` of CVE-2024-23333/GHSA-fm9w-7m7v-wxqv. Configuration values for the main config or server profiles are set via `mainmanage.php` and `confmain.php`.
The values are written to `config.cfg` or `serverprofile.conf` in the format of `settingsName: settingsValue` line-by-line.
An attacker can smuggle arbitrary config values in a config file, by inserting a newline into certain config fields, followed by the value. This vulnerability has been addressed in version 9.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.
6.5https://nvd.nist.gov/vuln/detail/CVE-2024-52792
CVE-2024-37607A Buffer overflow vulnerability in D-Link DAP-2555 REVA_FIRMWARE_1.20 allows remote attackers to cause a Denial of Service (DoS) via a crafted HTTP request.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-37607
CVE-2024-37606A Stack overflow vulnerability in D-Link DCS-932L REVB_FIRMWARE_2.18.01 allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-37606
CVE-2024-37605A NULL pointer dereference in D-Link DIR-860L REVB_FIRMWARE_2.04.B04_ic5b allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-37605
CVE-2024-9819Authorization Bypass Through User-Controlled Key vulnerability in NextGeography NG Analyser allows Functionality Misuse.This issue affects NG Analyser: before 2.2.711.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-9819
CVE-2024-8475Authentication Bypass by Assumed-Immutable Data vulnerability in Digital Operation Services WiFiBurada allows Manipulating User-Controlled Variables.This issue affects WiFiBurada: before 1.0.5.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-8475
CVE-2024-54348Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in YayCommerce Brand allows Stored XSS.This issue affects Brand: from n/a through 1.1.6.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-54348
CVE-2024-56011Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ilja Zaglov | IMBAA GmbH Responsive Google Maps | by imbaa allows Stored XSS.This issue affects Responsive Google Maps | by imbaa: from n/a through 1.2.5.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-56011
CVE-2024-56005Cross-Site Request Forgery (CSRF) vulnerability in Posti Posti Shipping allows Cross Site Request Forgery.This issue affects Posti Shipping: from n/a through 3.10.3.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-56005
CVE-2024-56001Missing Authorization vulnerability in Ksher Ksher allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ksher: from n/a through 1.1.1.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-56001
CVE-2024-54443Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pluginscafe Advanced Data Table For Elementor allows Stored XSS.This issue affects Advanced Data Table For Elementor: from n/a through 1.0.0.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-54443
CVE-2024-54441Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Meini Utech World Time allows Stored XSS.This issue affects Utech World Time: from n/a through 1.0.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-54441
CVE-2024-54408Cross-Site Request Forgery (CSRF) vulnerability in Jake H. Youtube Video Grid allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Youtube Video Grid: from n/a through 1.9.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-54408
CVE-2024-54360Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in premila Gutensee allows DOM-Based XSS.This issue affects Gutensee: from n/a through 1.0.1.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-54360
CVE-2024-54354Missing Authorization vulnerability in Beat Kueffer Termin-Kalender allows Stored XSS.This issue affects Termin-Kalender: from n/a through 0.99.47.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-54354
CVE-2024-54682Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to limit the file size for slack import file uploads which allows a user to cause a DoS via zip bomb by importing data in a team they are a team admin.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-54682
CVE-2024-54083Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, 9.5.x <= 9.5.12 fail to properly validate the type of callProps which allows a user to cause a client side (webapp and mobile) DoS to users of particular channels, by sending a specially crafted post.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-54083
CVE-2024-12645The topm-client from Chunghwa Telecom has an Arbitrary File Read vulnerability. The application sets up a simple local web server and provides APIs for communication with the target website. Due to the lack of CSRF protection for the APIs, unauthenticated remote attackers could use these APIs through phishing. Additionally, one of the APIs contains a Relative Path Traversal vulnerability, allowing attackers to read arbitrary files on the user's system.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-12645
CVE-2024-54349Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mashiurz.com Plain Post allows Stored XSS.This issue affects Plain Post: from n/a through 1.0.3.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-54349
CVE-2024-54346Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SKT Themes Barter allows DOM-Based XSS.This issue affects Barter: from n/a through 1.6.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-54346
CVE-2024-54345Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SKT Themes Bicycleshop allows DOM-Based XSS.This issue affects Bicycleshop: from n/a through 1.5.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-54345
CVE-2024-54338Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Christer Fernstrom Hello Event Widgets For Elementor allows DOM-Based XSS.This issue affects Hello Event Widgets For Elementor: from n/a through 1.0.2.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-54338
CVE-2024-54334Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zeshan B Quran Phrases About Most People Shortcodes allows DOM-Based XSS.This issue affects Quran Phrases About Most People Shortcodes: from n/a through 1.4.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-54334
CVE-2024-54326Missing Authorization vulnerability in Eyal Fitoussi GEO my WordPress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GEO my WordPress: from n/a through 4.5.0.4.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-54326
CVE-2024-54318Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in nicejob NiceJob allows Stored XSS.This issue affects NiceJob: from n/a through 3.6.5.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-54318
CVE-2024-54317Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Google Web Stories allows Stored XSS.This issue affects Web Stories: from n/a through 1.37.0.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-54317
CVE-2024-54316Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NicheAddons Restaurant & Cafe Addon for Elementor allows DOM-Based XSS.This issue affects Restaurant & Cafe Addon for Elementor: from n/a through 1.5.8.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-54316
CVE-2024-54315Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NicheAddons Events Addon for Elementor allows DOM-Based XSS.This issue affects Events Addon for Elementor: from n/a through 2.2.2.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-54315
CVE-2024-54314Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NicheAddons Primary Addon for Elementor allows Stored XSS.This issue affects Primary Addon for Elementor: from n/a through 1.6.0.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-54314
CVE-2024-54313Path Traversal vulnerability in FULL. FULL Customer allows Path Traversal.This issue affects FULL Customer: from n/a through 3.1.25.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-54313
CVE-2024-54309Insertion of Sensitive Information Into Sent Data vulnerability in wpdebuglog PostBox allows Retrieve Embedded Sensitive Data.This issue affects PostBox: from n/a through 1.0.4.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-54309
CVE-2024-54289Missing Authorization vulnerability in Awesome Support Team Awesome Support allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Awesome Support: from n/a through 6.3.0.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-54289
CVE-2024-54287Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Best Wp Developer Advanced Blog Post Block allows Stored XSS.This issue affects Advanced Blog Post Block: from n/a through 1.0.4.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-54287
CVE-2024-54286Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sendsmaily LLC Smaily for WP allows Stored XSS.This issue affects Smaily for WP: from n/a through 3.1.2.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-54286
CVE-2024-54277Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alireza aliniya Nias course allows DOM-Based XSS.This issue affects Nias course: from n/a through 1.2.1.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-54277
CVE-2024-54276Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Felix Moira Poll Builder allows Stored XSS.This issue affects Poll Builder: from n/a through 1.3.5.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-54276
CVE-2024-54272Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RadiusTheme Radius Blocks – WordPress Gutenberg Blocks allows Stored XSS.This issue affects Radius Blocks – WordPress Gutenberg Blocks: from n/a through 2.1.2.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-54272
CVE-2024-54259Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in DELUCKS GmbH DELUCKS SEO allows Path Traversal.This issue affects DELUCKS SEO: from n/a through 2.5.5.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-54259
CVE-2024-54250Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Prodigy Commerce Prodigy Commerce allows DOM-Based XSS.This issue affects Prodigy Commerce: from n/a through 3.0.8.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-54250
CVE-2024-54246Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Think201 FAQs allows Stored XSS.This issue affects FAQs: from n/a through 1.0.2.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-54246
CVE-2024-54245Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Think201 Clients allows Stored XSS.This issue affects Clients: from n/a through 1.1.4.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-54245
CVE-2024-54244Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Think201 Easy Replace allows Stored XSS.This issue affects Easy Replace: from n/a through 1.3.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-54244
CVE-2024-54243Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Think201 Echoza allows Stored XSS.This issue affects Echoza: from n/a through 0.1.1.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-54243
CVE-2024-54242Missing Authorization vulnerability in Appsbd Simple Notification allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Simple Notification: from n/a through 1.3.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-54242
CVE-2024-54241Missing Authorization vulnerability in Appsbd Elite Notification – Sales Popup, Social Proof, FOMO & WooCommerce Notification allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Elite Notification – Sales Popup, Social Proof, FOMO & WooCommerce Notification: from 1.5 through n/a.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-54241
CVE-2024-28980Dell RecoverPoint for VMs, version(s) 6.0.x contain(s) a Use of a Broken or Risky Cryptographic Algorithm vulnerability in the SSH. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Remote execution.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-28980
CVE-2023-41686Cross-Site Request Forgery (CSRF) vulnerability in ilGhera Woocommerce Support System allows Cross Site Request Forgery.This issue affects Woocommerce Support System: from n/a through 1.2.2.6.5https://nvd.nist.gov/vuln/detail/CVE-2023-41686
CVE-2023-41664Missing Authorization vulnerability in AlphaBPO Easy Newsletter Signups allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Newsletter Signups: from n/a through 1.0.4.6.5https://nvd.nist.gov/vuln/detail/CVE-2023-41664
CVE-2023-41649Missing Authorization vulnerability in Ovic Team Ovic Product Bundle allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ovic Product Bundle: from n/a through 1.1.2.6.5https://nvd.nist.gov/vuln/detail/CVE-2023-41649
CVE-2023-40003Missing Authorization vulnerability in weDevs WP Project Manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Project Manager: from n/a through 2.6.7.6.5https://nvd.nist.gov/vuln/detail/CVE-2023-40003
CVE-2023-37987Missing Authorization vulnerability in miniOrange YourMembership Single Sign On allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects YourMembership Single Sign On: from n/a through 1.1.3.6.5https://nvd.nist.gov/vuln/detail/CVE-2023-37987
CVE-2023-37971Missing Authorization vulnerability in MultiVendorX WooCommerce Product Stock Alert allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WooCommerce Product Stock Alert: from n/a through 2.0.1.6.5https://nvd.nist.gov/vuln/detail/CVE-2023-37971
CVE-2023-37967Missing Authorization vulnerability in Designinvento DirectoryPress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects DirectoryPress: from n/a through 3.6.2.6.5https://nvd.nist.gov/vuln/detail/CVE-2023-37967
CVE-2023-37887Missing Authorization vulnerability in WPSchoolPress Team WPSchoolPress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPSchoolPress: from n/a through 2.2.7.6.5https://nvd.nist.gov/vuln/detail/CVE-2023-37887
CVE-2023-34019Missing Authorization vulnerability in Uncanny Owl Uncanny Toolkit for LearnDash allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Uncanny Toolkit for LearnDash: from n/a through 3.6.4.3.6.5https://nvd.nist.gov/vuln/detail/CVE-2023-34019
CVE-2023-33994Missing Authorization vulnerability in Jason Crouse, VeronaLabs Slimstat Analytics allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Slimstat Analytics: from n/a through 5.0.5.1.6.5https://nvd.nist.gov/vuln/detail/CVE-2023-33994
CVE-2023-33324Missing Authorization vulnerability in wppal Easy Captcha allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Captcha: from n/a through 1.0.6.5https://nvd.nist.gov/vuln/detail/CVE-2023-33324
CVE-2023-32506Missing Authorization vulnerability in Link Whisper Link Whisper Free allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Link Whisper Free: from n/a through 0.6.3.6.5https://nvd.nist.gov/vuln/detail/CVE-2023-32506
CVE-2022-47594Missing Authorization vulnerability in WPDeveloper Essential Blocks for Gutenberg allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Essential Blocks for Gutenberg: from n/a through 3.8.5.6.5https://nvd.nist.gov/vuln/detail/CVE-2022-47594
CVE-2022-46796Missing Authorization vulnerability in VillaTheme CURCY allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CURCY: from n/a through 2.1.25.6.5https://nvd.nist.gov/vuln/detail/CVE-2022-46796
CVE-2022-46795Missing Authorization vulnerability in Tyche Softwares Print Invoice & Delivery Notes for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Print Invoice & Delivery Notes for WooCommerce: from n/a through 4.7.2.6.5https://nvd.nist.gov/vuln/detail/CVE-2022-46795
CVE-2022-45840Missing Authorization vulnerability in Lucian Apostol Auto Affiliate Links allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Auto Affiliate Links: from n/a through 6.2.1.5.6.5https://nvd.nist.gov/vuln/detail/CVE-2022-45840
CVE-2024-38488Dell RecoverPoint for Virtual Machines 6.0.x contains a vulnerability. An improper Restriction of Excessive Authentication vulnerability where a Network attacker could potentially exploit this vulnerability, leading to a brute force attack or a dictionary attack against the RecoverPoint login form and a complete system compromise.
This allows attackers to brute-force the password of valid users in an automated manner.
6.5https://nvd.nist.gov/vuln/detail/CVE-2024-38488
CVE-2024-12421The The Coupon Affiliates – Affiliate Plugin for WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.16.7.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. This functionality is also vulnerable to Reflected Cross-Site Scripting. The Cross-Site Scripting was patched in version 5.16.7.1, while the arbitrary shortcode execution was patched in 5.16.7.2.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-12421
CVE-2024-12420The The WPMobile.App — Android and iOS Mobile Application plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 11.52. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-12420
CVE-2024-12417The The Simple Link Directory plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 8.4.0. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-12417
CVE-2019-25221The Responsive Filterable Portfolio plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including, 1.0.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.6.5https://nvd.nist.gov/vuln/detail/CVE-2019-25221
CVE-2024-49071Improper authorization of an index that contains sensitive information from a Global Files search in Windows Defender allows an authorized attacker to disclose information over a network.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-49071
CVE-2024-52901IBM InfoSphere Information Server 11.7 could allow an authenticated user to GUI to not load or stop working due to improper input validation.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-52901
CVE-2024-54113Process residence vulnerability in abnormal scenarios in the print module
Impact: Successful exploitation of this vulnerability may affect power consumption.
6.5https://nvd.nist.gov/vuln/detail/CVE-2024-54113
CVE-2024-54109Read/Write vulnerability in the image decoding module
Impact: Successful exploitation of this vulnerability will affect availability.
6.5https://nvd.nist.gov/vuln/detail/CVE-2024-54109
CVE-2024-54108Read/Write vulnerability in the image decoding module
Impact: Successful exploitation of this vulnerability will affect availability.
6.5https://nvd.nist.gov/vuln/detail/CVE-2024-54108
CVE-2024-12333The Woodmart theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 8.0.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode through the woodmart_instagram_ajax_query AJAX action. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-12333
CVE-2024-12406The Library Management System – Manage e-Digital Books Library plugin for WordPress is vulnerable to SQL Injection via the 'owt7_borrow_books_id' parameter in all versions up to, and including, 3.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-12406
CVE-2024-11430The SQL Chart Builder plugin for WordPress is vulnerable to SQL Injection via the 'arg1' arg of the 'gvn_schart_2' shortcode in all versions up to, and including, 2.3.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-11430
CVE-2024-55652PenDoc is a penetration testing reporting application. Prior to commit 1d4219c596f4f518798492e48386a20c6e9a2fe6, an attacker can write a malicious docx template containing expressions that escape the JavaScript sandbox to execute arbitrary code on the system. An attacker who can control the contents of the template document is able to execute arbitrary code on the system. By default, only users with the `admin` role are able to create or update templates. Commit 1d4219c596f4f518798492e48386a20c6e9a2fe6 patches the issue.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-55652
CVE-2024-54502The issue was addressed with improved checks. This issue is fixed in watchOS 11.2, visionOS 2.2, tvOS 18.2, macOS Sequoia 15.2, Safari 18.2, iOS 18.2 and iPadOS 18.2. Processing maliciously crafted web content may lead to an unexpected process crash.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-54502
CVE-2024-54486The issue was addressed with improved checks. This issue is fixed in iPadOS 17.7.3, watchOS 11.2, visionOS 2.2, tvOS 18.2, macOS Sequoia 15.2, iOS 18.2 and iPadOS 18.2, macOS Ventura 13.7.2, macOS Sonoma 14.7.2. Processing a maliciously crafted font may result in the disclosure of process memory.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-54486
CVE-2024-54466An authorization issue was addressed with improved state management. This issue is fixed in macOS Sequoia 15.2, macOS Ventura 13.7.2, macOS Sonoma 14.7.2. An encrypted volume may be accessed by a different user without prompting for the password.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-54466
CVE-2024-44248This issue was addressed through improved state management. This issue is fixed in macOS Ventura 13.7.2, macOS Sonoma 14.7.2. A user with screen sharing access may be able to view another user's screen.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-44248
CVE-2024-44220The issue was addressed with improved memory handling. This issue is fixed in macOS Sequoia 15.2, macOS Sonoma 14.7.2. Parsing a maliciously crafted video file may lead to unexpected system termination.6.5https://nvd.nist.gov/vuln/detail/CVE-2024-44220
CVE-2024-49064Microsoft SharePoint Information Disclosure Vulnerability6.5https://nvd.nist.gov/vuln/detail/CVE-2024-49064
CVE-2024-49062Microsoft SharePoint Information Disclosure Vulnerability6.5https://nvd.nist.gov/vuln/detail/CVE-2024-49062
CVE-2020-12484When using special mode to connect to enterprise wifi, certain options are not properly configured and attackers can pretend to be enterprise wifi through a carefully constructed wifi with the same name, which can lead to man-in-the-middle attacks.6.4https://nvd.nist.gov/vuln/detail/CVE-2020-12484
CVE-2024-11906The TPG Get Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'tpg_get_posts' shortcode in all versions up to, and including, 3.6.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-11906
CVE-2024-11905The Animated Counters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'animatedcounte' shortcode in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-11905
CVE-2024-11902The Slope Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'slope-reservations' shortcode in all versions up to, and including, 4.2.11 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-11902
CVE-2024-11900The Portfolio – Filterable Masonry Portfolio Gallery for Professionals plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'portfolio-pro' shortcode in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-11900
CVE-2024-12443The CRM Perks – WordPress HelpDesk Integration – Zendesk, Freshdesk, HelpScout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'crm-perks-tickets' shortcode in all versions up to, and including, 1.1.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-12443
CVE-2024-12446The Post to Pdf plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gmptp_single_post' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-12446
CVE-2024-12501The Simple Locator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 2.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-12501
CVE-2024-12474The GeoDataSource Country Region DropDown plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gds-country-dropdown' shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-12474
CVE-2024-12459The Ganohrs Toggle Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'toggle' shortcode in all versions up to, and including, 0.2.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-12459
CVE-2024-11752The Eveeno plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'eveeno' shortcode in all versions up to, and including, 1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-11752
CVE-2024-12523The States Map US plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'states_map' shortcode in all versions up to, and including, 2.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-12523
CVE-2024-12517The WooCommerce Cart Count Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'cart_button' shortcode in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-12517
CVE-2024-12502The My IDX Home Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'homeasap-idx-landing' shortcode in all versions up to, and including, 2.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-12502
CVE-2024-12458The Smart PopUp Blaster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'spb-button' shortcode in all versions up to, and including, 1.4.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-12458
CVE-2024-12448The Posts and Products Views for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'papvfwc_views' shortcode in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-12448
CVE-2024-11894The The Permalinker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'permalink' shortcode in all versions up to, and including, 1.8.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-11894
CVE-2024-11889The My IDX Home Search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'homeasap-idx-search' shortcode in all versions up to, and including, 2.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-11889
CVE-2024-11888The IDer Login for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ider_login_button' shortcode in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-11888
CVE-2024-11884The Wp photo text slider 50 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wp-photo-slider' shortcode in all versions up to, and including, 8.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-11884
CVE-2024-11883The Connatix Video Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'cnx_script_code' shortcode in all versions up to, and including, 1.0.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-11883
CVE-2024-11879The Stripe Donation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'stripe_donation' shortcode in all versions up to, and including, 1.2.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-11879
CVE-2024-11877The Cricket Live Score plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'cricket_score' shortcode in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-11877
CVE-2024-11876The Kredeum NFTs, the easiest way to sell your NFTs directly on your WordPress site plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'kredeum_opensky' shortcode in all versions up to, and including, 1.6.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-11876
CVE-2024-11873The glomex oEmbed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'glomex_integration' shortcode in all versions up to, and including, 0.9.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-11873
CVE-2024-11869The Buk for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'buk' shortcode in all versions up to, and including, 1.0.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-11869
CVE-2024-11867The Companion Portfolio – Responsive Portfolio Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'companion-portfolio' shortcode in all versions up to, and including, 2.4.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-11867
CVE-2024-11865The Tabs Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on tab descriptions. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-11865
CVE-2024-11855The Koalendar – Events & Appointments Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘height’ parameter in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-11855
CVE-2024-11770The Post Carousel & Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'post-cs' shortcode in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-11770
CVE-2024-11763The Plezi plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'plezi' shortcode in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-11763
CVE-2024-11759The Bukza plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bukza' shortcode in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-11759
CVE-2024-11755The IMS Countdown plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Countdown post settings in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-11755
CVE-2024-11751The TCBD Popover plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'tcbd-popover-image ' shortcode in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-11751
CVE-2024-11095The Visualmodo Elements plugin for WordPress is vulnerable to Stored Cross-Site Scripting via REST API SVG File uploads in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-11095
CVE-2024-11827The Out of the Block: OpenStreetMap plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ootb_query shortcode in all versions up to, and including, 2.8.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-11827
CVE-2024-12465The Property Hive Stamp Duty Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'stamp_duty_calculator_scotland' shortcode in all versions up to, and including, 1.0.22 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-12465
CVE-2024-11910The WP Crowdfunding plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the wp-crowdfunding/search block in all versions up to, and including, 2.1.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-11910
CVE-2024-11832The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom JavaScript row settings in all versions up to, and including, 2.8.4.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-11832
CVE-2024-11754The Booking System Trafft plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'trafftbooking' shortcode in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-11754
CVE-2024-11767The NewsmanApp plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'newsman_subscribe_widget' shortcode in all versions up to, and including, 2.7.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-11767
CVE-2024-9387An issue was discovered in GitLab CE/EE affecting all versions from 11.8 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. An attacker could potentially perform an open redirect against a given releases API endpoint.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-9387
CVE-2024-11760The Currency Converter Widget ⚡ PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'currency-converter-widget-pro' shortcode in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-11760
CVE-2024-10784The Unlimited Elements For Elementor (Free Widgets, Addons, Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Tile Gallery' widget in all versions up to, and including, 1.5.126 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-10784
CVE-2024-11882The FAQ And Answers – Create Frequently Asked Questions Area on WP Sites plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'faq' shortcode in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-11882
CVE-2024-11871The Social Media Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'patreon' shortcode in all versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-11871
CVE-2024-11785The Integrate Firebase plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'firebase_show' shortcode in all versions up to, and including, 0.9.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-11785
CVE-2024-11781The Smart Agenda – Prise de rendez-vous en ligne plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'smartagenda' shortcode in all versions up to, and including, 4.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-11781
CVE-2024-11766The WordPress Book Plugin for Displaying Books in Grid, Flip, Slider, Popup Layout and more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gs_book_showcase' shortcode in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-11766
CVE-2024-11765The WordPress Portfolio Plugin – A Plugin for Making Filterable Portfolio Grid, Portfolio Slider and more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gs_portfolio' shortcode in all versions up to, and including, 1.6.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-11765
CVE-2024-11757The WP GeoNames plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wp-geonames' shortcode in all versions up to, and including, 1.9.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-11757
CVE-2024-12463The Arena.IM – Live Blogging for real-time events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'arena_embed_amp' shortcode in all versions up to, and including, 0.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-12463
CVE-2024-11891The Perfect Font Awesome Integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'pfai' shortcode in all versions up to, and including, 2.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-11891
CVE-2024-11875The Add infos to the events calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'fuss' shortcode in all versions up to, and including, 1.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-11875
CVE-2024-11750The ONLYOFFICE DocSpace plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'onlyoffice-docspace' shortcode in all versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-11750
CVE-2024-11410The Top and footer bars for announcements, notifications, advertisements, promotions – YooBar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Yoo Bar settings in all versions up to, and including, 2.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-11410
CVE-2024-11384The Arena.IM – Live Blogging for real-time events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'arenablog' shortcode in all versions up to, and including, 0.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-11384
CVE-2024-10182The Cognito Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter in all versions up to, and including, 2.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-10182
CVE-2024-12461The WP-Revive Adserver plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wprevive_async' shortcode in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-12461
CVE-2024-11914The Gutenberg Blocks and Page Layouts – Attire Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'attire-blocks/post-carousel' block in all versions up to, and including, 1.9.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-11914
CVE-2024-11901The PowerBI Embed Reports plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'MO_API_POWER_BI' shortcode in all versions up to, and including, 1.1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-11901
CVE-2024-11442The Horizontal scroll image slideshow plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'horizontal-scroll-image-slideshow' shortcode in all versions up to, and including, 10.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-11442
CVE-2024-11433The Surbma | SalesAutopilot Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sa-form' shortcode in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-11433
CVE-2024-11427The Catch Popup plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'catch-popup' shortcode in all versions up to, and including, 1.4.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-11427
CVE-2024-11413The HostFact bestelformulier integratie plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bestelformulier' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.4https://nvd.nist.gov/vuln/detail/CVE-2024-11413
CVE-2021-26278The wifi module exposes the interface and has improper permission control, leaking sensitive information about the device.6.3https://nvd.nist.gov/vuln/detail/CVE-2021-26278
CVE-2024-12478A vulnerability was found in InvoicePlane up to 1.6.1. It has been declared as critical. This vulnerability affects the function upload_file of the file /index.php/upload/upload_file/1/1. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.6.2-beta-1 is able to address this issue. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.6.3https://nvd.nist.gov/vuln/detail/CVE-2024-12478
CVE-2024-54252Missing Authorization vulnerability in PINPOINT.WORLD Pinpoint Booking System allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Pinpoint Booking System: from n/a through 2.9.9.5.2.6.3https://nvd.nist.gov/vuln/detail/CVE-2024-54252
CVE-2024-11012The The Notibar – Notification Bar for WordPress plugin for WordPress is vulnerable to arbitrary shortcode execution via njt_nofi_text AJAX action in all versions up to, and including, 2.1.4. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes.6.3https://nvd.nist.gov/vuln/detail/CVE-2024-11012
CVE-2024-31670rizin before v0.6.3 is vulnerable to Buffer Overflow via create_cache_bins, read_cache_accel, and rz_dyldcache_new_buf functions in librz/bin/format/mach0/dyldcache.c.6.3https://nvd.nist.gov/vuln/detail/CVE-2024-31670
CVE-2024-12492A vulnerability was found in code-projects Farmacia 1.0. It has been rated as critical. This issue affects some unknown processing of the file /visualizar-usuario.php. The manipulation of the argument id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.6.3https://nvd.nist.gov/vuln/detail/CVE-2024-12492
CVE-2024-12490A vulnerability was found in code-projects Online Class and Exam Scheduling System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /pages/teacher_save.php. The manipulation of the argument salut leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.6.3https://nvd.nist.gov/vuln/detail/CVE-2024-12490
CVE-2024-12489A vulnerability was found in code-projects Online Class and Exam Scheduling System 1.0. It has been classified as critical. This affects an unknown part of the file /pages/term.php. The manipulation of the argument id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.6.3https://nvd.nist.gov/vuln/detail/CVE-2024-12489
CVE-2024-12488A vulnerability was found in code-projects Online Class and Exam Scheduling System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /pages/subject_update.php. The manipulation of the argument id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.6.3https://nvd.nist.gov/vuln/detail/CVE-2024-12488
CVE-2024-12487A vulnerability has been found in code-projects Online Class and Exam Scheduling System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /pages/room_update.php. The manipulation of the argument id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.6.3https://nvd.nist.gov/vuln/detail/CVE-2024-12487
CVE-2024-12486A vulnerability, which was classified as critical, was found in code-projects Online Class and Exam Scheduling System 1.0. Affected is an unknown function of the file /pages/rank_update.php. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.6.3https://nvd.nist.gov/vuln/detail/CVE-2024-12486
CVE-2024-12485A vulnerability, which was classified as critical, has been found in code-projects Online Class and Exam Scheduling System 1.0. This issue affects some unknown processing of the file /pages/department.php. The manipulation of the argument id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.6.3https://nvd.nist.gov/vuln/detail/CVE-2024-12485
CVE-2024-12481A vulnerability was found in cjbi wetech-cms 1.0/1.1/1.2. It has been declared as critical. Affected by this vulnerability is the function findUser of the file wetech-cms-master\\wetech-core\\src\\main\\java\\tech\\wetech\\cms\\dao\\UserDao.java. The manipulation of the argument searchValue/gId/rId leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.6.3https://nvd.nist.gov/vuln/detail/CVE-2024-12481
CVE-2024-12480A vulnerability was found in cjbi wetech-cms 1.0/1.1/1.2. It has been classified as critical. Affected is the function searchTopic of the file wetech-cms-master\\wetech-core\\src\\main\\java\\tech\\wetech\\cms\\dao\\TopicDao.java. The manipulation of the argument con leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.6.3https://nvd.nist.gov/vuln/detail/CVE-2024-12480
CVE-2024-12479A vulnerability was found in cjbi wetech-cms 1.0/1.1/1.2 and classified as critical. This issue affects the function searchTopicByKeyword of the file wetech-cms-master\\wetech-core\\src\\main\\java\\tech\\wetech\\cms\\dao\\TopicDao.java. The manipulation of the argument keyword leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.6.3https://nvd.nist.gov/vuln/detail/CVE-2024-12479
CVE-2024-28141The web application is not protected against cross-site request forgery attacks. Therefore, an attacker can trick users into performing actions on the application when they visit an attacker-controlled website or click on a malicious link. E.g. an attacker can forge malicious links to reset the admin password or create new users.6.3https://nvd.nist.gov/vuln/detail/CVE-2024-28141
CVE-2024-52537Dell Client Platform Firmware Update Utility contains an Improper Link Resolution vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of Privileges.6.3https://nvd.nist.gov/vuln/detail/CVE-2024-52537
CVE-2024-54122Concurrent variable access vulnerability in the ability module
Impact: Successful exploitation of this vulnerability may affect availability.
6.2https://nvd.nist.gov/vuln/detail/CVE-2024-54122
CVE-2024-54119Cross-process screen stack vulnerability in the UIExtension module
Impact: Successful exploitation of this vulnerability may affect service confidentiality.
6.2https://nvd.nist.gov/vuln/detail/CVE-2024-54119
CVE-2024-54117Cross-process screen stack vulnerability in the UIExtension module
Impact: Successful exploitation of this vulnerability may affect service confidentiality.
6.2https://nvd.nist.gov/vuln/detail/CVE-2024-54117
CVE-2024-54110Cross-process screen stack vulnerability in the UIExtension module
Impact: Successful exploitation of this vulnerability may affect service confidentiality.
6.2https://nvd.nist.gov/vuln/detail/CVE-2024-54110
CVE-2024-54104Cross-process screen stack vulnerability in the UIExtension module
Impact: Successful exploitation of this vulnerability may affect service confidentiality.
6.2https://nvd.nist.gov/vuln/detail/CVE-2024-54104
CVE-2024-54101Denial of service (DoS) vulnerability in the installation module
Impact: Successful exploitation of this vulnerability will affect availability.
6.2https://nvd.nist.gov/vuln/detail/CVE-2024-54101
CVE-2024-54100Vulnerability of improper access control in the secure input module
Impact: Successful exploitation of this vulnerability may cause features to perform abnormally.
6.2https://nvd.nist.gov/vuln/detail/CVE-2024-54100
CVE-2024-12395The WooCommerce Additional Fees On Checkout (Free) plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘number’ parameter in all versions up to, and including, 1.4.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.6.1https://nvd.nist.gov/vuln/detail/CVE-2024-12395
CVE-2024-12469The WP BASE Booking of Appointments, Services and Events plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘status’ parameter in all versions up to, and including, 4.9.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.6.1https://nvd.nist.gov/vuln/detail/CVE-2024-12469
CVE-2024-12127The Learning Management System, eLearning, Course Builder, WordPress LMS Plugin – Sikshya LMS plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘page’ parameter in all versions up to, and including, 0.0.21 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.6.1https://nvd.nist.gov/vuln/detail/CVE-2024-12127
CVE-2024-12220The SMS for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.6.1https://nvd.nist.gov/vuln/detail/CVE-2024-12220
CVE-2024-12219The Stop Registration Spam plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.23. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.6.1https://nvd.nist.gov/vuln/detail/CVE-2024-12219
CVE-2024-12239The PowerPack Lite for Beaver Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the navigate parameter in all versions up to, and including, 1.3.0.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrative user into performing an action such as clicking on a link.6.1https://nvd.nist.gov/vuln/detail/CVE-2024-12239
CVE-2024-55996Missing Authorization vulnerability in Dreamfox Dreamfox Media Payment gateway per Product for Woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Dreamfox Media Payment gateway per Product for Woocommerce: from n/a through 3.5.6.6.1https://nvd.nist.gov/vuln/detail/CVE-2024-55996
CVE-2024-56112CyberPanel (aka Cyber Panel) before f0cf648 allows XSS via token or username to plogical/phpmyadminsignin.php.6.1https://nvd.nist.gov/vuln/detail/CVE-2024-56112
CVE-2024-12422The Import Eventbrite Events plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.7.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.6.1https://nvd.nist.gov/vuln/detail/CVE-2024-12422
CVE-2024-12555The SIP Calculator plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on a function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.6.1https://nvd.nist.gov/vuln/detail/CVE-2024-12555
CVE-2024-12411The WP Ad Guru – Banner ad, Responsive popup, Popup maker, Ad rotator & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 2.5.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.6.1https://nvd.nist.gov/vuln/detail/CVE-2024-12411
CVE-2024-11462The Filestack Official plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'fstab' and 'filestack_options' parameters in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.6.1https://nvd.nist.gov/vuln/detail/CVE-2024-11462
CVE-2024-9608The MyParcel plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 4.24.1. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Please note this is only exploitable when the WooCommerce store is set to Belgium.6.1https://nvd.nist.gov/vuln/detail/CVE-2024-9608
CVE-2024-11809The Primer MyData for Woocommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'img_src' parameter in all versions up to, and including, 4.2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.6.1https://nvd.nist.gov/vuln/detail/CVE-2024-11809
CVE-2024-12572The Hello In All Languages plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.6. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.6.1https://nvd.nist.gov/vuln/detail/CVE-2024-12572
CVE-2024-54103Vulnerability of improper access control in the album module
Impact: Successful exploitation of this vulnerability may affect service confidentiality.
6.1https://nvd.nist.gov/vuln/detail/CVE-2024-54103
CVE-2024-54102Race condition vulnerability in the DDR module
Impact: Successful exploitation of this vulnerability may affect service confidentiality.
6.1https://nvd.nist.gov/vuln/detail/CVE-2024-54102
CVE-2024-12160The Seraphinite Bulk Discounts for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.4.6. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.6.1https://nvd.nist.gov/vuln/detail/CVE-2024-12160
CVE-2024-12072The Analytics Cat – Google Analytics Made Easy plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.1.2. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute if they can successfully trick a user into performing an action, such as clicking on a specially crafted link.6.1https://nvd.nist.gov/vuln/detail/CVE-2024-12072
CVE-2024-11359The Library Bookshelves plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 5.8. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.6.1https://nvd.nist.gov/vuln/detail/CVE-2024-11359
CVE-2024-12441The BP Email Assign Templates plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.6.1https://nvd.nist.gov/vuln/detail/CVE-2024-12441
CVE-2024-12162The Video & Photo Gallery for Ultimate Member plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.6.1https://nvd.nist.gov/vuln/detail/CVE-2024-12162
CVE-2024-12156The AI Content Writer, RSS Feed to Post, Autoblogging SEO Help plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 6.1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.6.1https://nvd.nist.gov/vuln/detail/CVE-2024-12156
CVE-2024-11804The Planaday API plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in all versions up to, and including, 11.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.6.1https://nvd.nist.gov/vuln/detail/CVE-2024-11804
CVE-2024-11723The kvCORE IDX plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via any parameter on pages with the kvcoreidx_listings_sitemap_ranges, kvcoreidx_listings_sitemap_page, kvcoreidx_agent_profile_sitemap, or kvcoreidx_agent_profile shortcode present in all versions up to, and including, 2.3.35 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.6.1https://nvd.nist.gov/vuln/detail/CVE-2024-11723
CVE-2024-11459The Country Blocker plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'ip' parameter in all versions up to, and including, 3.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.6.1https://nvd.nist.gov/vuln/detail/CVE-2024-11459
CVE-2024-12338The Website Toolbox Community plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘websitetoolbox_username’ parameter in all versions up to, and including, 2.0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.6.1https://nvd.nist.gov/vuln/detail/CVE-2024-12338
CVE-2024-12260The Ultimate Endpoints With Rest Api plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 2.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.6.1https://nvd.nist.gov/vuln/detail/CVE-2024-12260
CVE-2024-12258The WP Service Payment Form With Authorize.net plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 2.6.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.6.1https://nvd.nist.gov/vuln/detail/CVE-2024-12258
CVE-2024-11683The Newsletter Subscriptions plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'token_type' parameter in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.6.1https://nvd.nist.gov/vuln/detail/CVE-2024-11683
CVE-2024-11419The Password for WP plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing or incorrect nonce validation on the get3_init_admin_page() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.6.1https://nvd.nist.gov/vuln/detail/CVE-2024-11419
CVE-2024-11417The dejure.org Vernetzungsfunktion plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.97.5. This is due to missing or incorrect nonce validation on the djo_einstellungen_menue() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.6.1https://nvd.nist.gov/vuln/detail/CVE-2024-11417
CVE-2024-11279The Schema App Structured Data plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.2.4. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.6.1https://nvd.nist.gov/vuln/detail/CVE-2024-11279
CVE-2024-28140The scanner device boots into a kiosk mode by default and opens the Scan2Net interface in a browser window. This browser is run with the permissions of the root user. There are also several other applications running as root user. This can be confirmed by running "ps aux" as the root user and observing the output.6.1https://nvd.nist.gov/vuln/detail/CVE-2024-28140
CVE-2024-12325The Waymark plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘content’ parameter in all versions up to, and including, 1.4.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.6.1https://nvd.nist.gov/vuln/detail/CVE-2024-12325
CVE-2024-12283The WP Pipes plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘x1’ parameter in all versions up to, and including, 1.4.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.6.1https://nvd.nist.gov/vuln/detail/CVE-2024-12283
CVE-2024-12004The WPC Order Notes for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.2. This is due to missing or incorrect nonce validation on the ajax_update_order_note() function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.6.1https://nvd.nist.gov/vuln/detail/CVE-2024-12004
CVE-2021-26279Some parameters of the weather module are improperly stored, leaking some sensitive information.5.9https://nvd.nist.gov/vuln/detail/CVE-2021-26279
CVE-2024-54442Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Lluís Cortès Better WP Login Page allows Stored XSS.This issue affects Better WP Login Page: from n/a through 1.1.2.5.9https://nvd.nist.gov/vuln/detail/CVE-2024-54442
CVE-2024-56087An issue was discovered in Logpoint before 7.5.0. Authenticated users can inject payloads while querying Search Template Dashboard. These are executed, leading to Server-Side Template Injection.5.9https://nvd.nist.gov/vuln/detail/CVE-2024-56087
CVE-2024-56085An issue was discovered in Logpoint before 7.5.0. Authenticated users can inject payloads while creating Search Template Dashboard. These are executed, leading to Server-Side Template Injection.5.9https://nvd.nist.gov/vuln/detail/CVE-2024-56085
CVE-2024-54308Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CurrencyRate.today Cryptocurrency Price Widget allows Stored XSS.This issue affects Cryptocurrency Price Widget: from n/a through 1.2.3.5.9https://nvd.nist.gov/vuln/detail/CVE-2024-54308
CVE-2024-12289Boundary Community Edition and Boundary Enterprise (“Boundary”) incorrectly handle HTTP requests during the initialization of the Boundary controller, which may cause the Boundary server to terminate prematurely. Boundary is only vulnerable to this flaw during the initialization of the Boundary controller, which on average is measured in milliseconds during the Boundary startup process.

This vulnerability, CVE-2024-12289, is fixed in Boundary Community Edition and Boundary Enterprise 0.16.4, 0.17.3, 0.18.2.
5.9https://nvd.nist.gov/vuln/detail/CVE-2024-12289
CVE-2024-28145An unauthenticated attacker can perform an SQL injection by accessing the /class/dbconnect.php file and supplying malicious GET parameters. The HTTP GET parameters search, table, field, and value are vulnerable. For example, one SQL injection can be performed on the parameter "field" with the UNION keyword.5.9https://nvd.nist.gov/vuln/detail/CVE-2024-28145
CVE-2024-54494A race condition was addressed with additional validation. This issue is fixed in iPadOS 17.7.3, watchOS 11.2, visionOS 2.2, tvOS 18.2, macOS Sequoia 15.2, iOS 18.2 and iPadOS 18.2, macOS Ventura 13.7.2, macOS Sonoma 14.7.2. An attacker may be able to create a read-only memory mapping that can be written to.5.9https://nvd.nist.gov/vuln/detail/CVE-2024-54494
CVE-2024-10973A vulnerability was found in Keycloak. The environment option `KC_CACHE_EMBEDDED_MTLS_ENABLED` does not work and the JGroups replication configuration is always used in plain text which can allow an attacker that has access to adjacent networks related to JGroups to read sensitive information.5.7https://nvd.nist.gov/vuln/detail/CVE-2024-10973
CVE-2024-11358Mattermost Android Mobile Apps versions <=2.21.0 fail to properly configure file providers which allows an attacker with local access to access files via file provider.5.7https://nvd.nist.gov/vuln/detail/CVE-2024-11358
CVE-2024-54111Read/Write vulnerability in the image decoding module
Impact: Successful exploitation of this vulnerability will affect availability.
5.7https://nvd.nist.gov/vuln/detail/CVE-2024-54111
CVE-2021-26281Some parameters of the alarm clock module are improperly stored, leaking some sensitive information.5.5https://nvd.nist.gov/vuln/detail/CVE-2021-26281
CVE-2024-12662A vulnerability classified as problematic has been found in IObit Advanced SystemCare Utimate up to 17.0.0. This affects the function 0x8001E040 in the library AscRegistryFilter.sys of the component IOCTL Handler. The manipulation leads to null pointer dereference. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.5.5https://nvd.nist.gov/vuln/detail/CVE-2024-12662
CVE-2024-12661A vulnerability was found in IObit Advanced SystemCare Utimate up to 17.0.0. It has been rated as problematic. Affected by this issue is the function 0x8001E024 in the library AscRegistryFilter.sys of the component IOCTL Handler. The manipulation leads to null pointer dereference. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.5.5https://nvd.nist.gov/vuln/detail/CVE-2024-12661
CVE-2024-12660A vulnerability was found in IObit Advanced SystemCare Utimate up to 17.0.0. It has been declared as problematic. Affected by this vulnerability is the function 0x8001E018 in the library AscRegistryFilter.sys of the component IOCTL Handler. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.5.5https://nvd.nist.gov/vuln/detail/CVE-2024-12660
CVE-2024-12659A vulnerability was found in IObit Advanced SystemCare Utimate up to 17.0.0. It has been classified as problematic. Affected is the function 0x8001E004 in the library AscRegistryFilter.sys of the component IOCTL Handler. The manipulation leads to null pointer dereference. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.5.5https://nvd.nist.gov/vuln/detail/CVE-2024-12659
CVE-2024-12658A vulnerability was found in IObit Advanced SystemCare Utimate up to 17.0.0 and classified as problematic. This issue affects the function 0x8001E01C in the library AscRegistryFilter.sys of the component IOCTL Handler. The manipulation leads to null pointer dereference. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.5.5https://nvd.nist.gov/vuln/detail/CVE-2024-12658
CVE-2024-12657A vulnerability has been found in IObit Advanced SystemCare Utimate up to 17.0.0 and classified as problematic. This vulnerability affects the function 0x8001E000 in the library AscRegistryFilter.sys of the component IOCTL Handler. The manipulation leads to null pointer dereference. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.5.5https://nvd.nist.gov/vuln/detail/CVE-2024-12657
CVE-2024-12656A vulnerability, which was classified as problematic, was found in FabulaTech USB over Network 6.0.6.1. This affects the function 0x220448 in the library ftusbbus2.sys of the component IOCT Handler. The manipulation leads to null pointer dereference. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.5.5https://nvd.nist.gov/vuln/detail/CVE-2024-12656
CVE-2024-12655A vulnerability, which was classified as problematic, has been found in FabulaTech USB over Network 6.0.6.1. Affected by this issue is the function 0x220420 in the library ftusbbus2.sys of the component IOCT Handler. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.5.5https://nvd.nist.gov/vuln/detail/CVE-2024-12655
CVE-2024-12654A vulnerability classified as problematic was found in FabulaTech USB over Network 6.0.6.1. Affected by this vulnerability is the function 0x220408 in the library ftusbbus2.sys of the component IOCT Handler. The manipulation leads to null pointer dereference. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.5.5https://nvd.nist.gov/vuln/detail/CVE-2024-12654
CVE-2024-12653A vulnerability classified as problematic has been found in FabulaTech USB over Network 6.0.6.1. Affected is the function 0x22040C in the library ftusbbus2.sys of the component IOCT Handler. The manipulation leads to null pointer dereference. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.5.5https://nvd.nist.gov/vuln/detail/CVE-2024-12653
CVE-2024-56074gitingest before 9996a06 mishandles symbolic links that point outside of the base directory.5.5https://nvd.nist.gov/vuln/detail/CVE-2024-56074
CVE-2024-28144An attacker who can spoof the IP address and the User-Agent of a logged-in user can takeover the session because of flaws in the self-developed session management. If two users access the web interface from the same IP they are logged in as the other user.5.5https://nvd.nist.gov/vuln/detail/CVE-2024-28144
CVE-2024-54112Cross-process screen stack vulnerability in the UIExtension module
Impact: Successful exploitation of this vulnerability may affect service confidentiality.
5.5https://nvd.nist.gov/vuln/detail/CVE-2024-54112
CVE-2024-54531The issue was addressed with improved memory handling. This issue is fixed in macOS Sequoia 15.2. An app may be able to bypass kASLR.5.5https://nvd.nist.gov/vuln/detail/CVE-2024-54531
CVE-2024-54527This issue was addressed with improved checks. This issue is fixed in watchOS 11.2, tvOS 18.2, macOS Sequoia 15.2, iOS 18.2 and iPadOS 18.2, macOS Ventura 13.7.2, macOS Sonoma 14.7.2. An app may be able to access sensitive user data.5.5https://nvd.nist.gov/vuln/detail/CVE-2024-54527
CVE-2024-54526The issue was addressed with improved checks. This issue is fixed in watchOS 11.2, tvOS 18.2, macOS Sequoia 15.2, iOS 18.2 and iPadOS 18.2, macOS Ventura 13.7.2, macOS Sonoma 14.7.2. A malicious app may be able to access private information.5.5https://nvd.nist.gov/vuln/detail/CVE-2024-54526
CVE-2024-54524A logic issue was addressed with improved file handling. This issue is fixed in macOS Sequoia 15.2. A malicious app may be able to access arbitrary files.5.5https://nvd.nist.gov/vuln/detail/CVE-2024-54524
CVE-2024-54513A permissions issue was addressed with additional restrictions. This issue is fixed in watchOS 11.2, visionOS 2.2, tvOS 18.2, macOS Sequoia 15.2, iOS 18.2 and iPadOS 18.2. An app may be able to access sensitive user data.5.5https://nvd.nist.gov/vuln/detail/CVE-2024-54513
CVE-2024-54504A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Sequoia 15.2. An app may be able to access user-sensitive data.5.5https://nvd.nist.gov/vuln/detail/CVE-2024-54504
CVE-2024-54501The issue was addressed with improved checks. This issue is fixed in iPadOS 17.7.3, watchOS 11.2, visionOS 2.2, tvOS 18.2, macOS Sequoia 15.2, iOS 18.2 and iPadOS 18.2, macOS Ventura 13.7.2, macOS Sonoma 14.7.2. Processing a maliciously crafted file may lead to a denial of service.5.5https://nvd.nist.gov/vuln/detail/CVE-2024-54501
CVE-2024-54500The issue was addressed with improved checks. This issue is fixed in iPadOS 17.7.3, watchOS 11.2, visionOS 2.2, tvOS 18.2, macOS Sequoia 15.2, iOS 18.2 and iPadOS 18.2, macOS Ventura 13.7.2, macOS Sonoma 14.7.2. Processing a maliciously crafted image may result in disclosure of process memory.5.5https://nvd.nist.gov/vuln/detail/CVE-2024-54500
CVE-2024-54495The issue was addressed with improved permissions logic. This issue is fixed in macOS Sequoia 15.2, macOS Sonoma 14.7.2. An app may be able to modify protected parts of the file system.5.5https://nvd.nist.gov/vuln/detail/CVE-2024-54495
CVE-2024-54490This issue was addressed by enabling hardened runtime. This issue is fixed in macOS Sequoia 15.2. A local attacker may gain access to user's Keychain items.5.5https://nvd.nist.gov/vuln/detail/CVE-2024-54490
CVE-2024-54484The issue was resolved by sanitizing logging. This issue is fixed in macOS Sequoia 15.2. An app may be able to access user-sensitive data.5.5https://nvd.nist.gov/vuln/detail/CVE-2024-54484
CVE-2024-54477The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.2, macOS Ventura 13.7.2, macOS Sonoma 14.7.2. An app may be able to access user-sensitive data.5.5https://nvd.nist.gov/vuln/detail/CVE-2024-54477
CVE-2024-54476The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.2, macOS Ventura 13.7.2, macOS Sonoma 14.7.2. An app may be able to access user-sensitive data.5.5https://nvd.nist.gov/vuln/detail/CVE-2024-54476
CVE-2024-54474The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.2, macOS Ventura 13.7.2, macOS Sonoma 14.7.2. An app may be able to access user-sensitive data.5.5https://nvd.nist.gov/vuln/detail/CVE-2024-54474
CVE-2024-54471This issue was addressed with additional entitlement checks. This issue is fixed in macOS Sonoma 14.7.1, macOS Ventura 13.7.1. A malicious application may be able to leak a user's credentials.5.5https://nvd.nist.gov/vuln/detail/CVE-2024-54471
CVE-2024-44300A logic issue was addressed with improved file handling. This issue is fixed in macOS Sequoia 15.2, macOS Ventura 13.7.2, macOS Sonoma 14.7.2. An app may be able to access protected user data.5.5https://nvd.nist.gov/vuln/detail/CVE-2024-44300
CVE-2024-44201The issue was addressed with improved memory handling. This issue is fixed in iPadOS 17.7.3, macOS Ventura 13.7.2, iOS 18.1 and iPadOS 18.1, macOS Sonoma 14.7.2. Processing a malicious crafted file may lead to a denial-of-service.5.5https://nvd.nist.gov/vuln/detail/CVE-2024-44201
CVE-2024-49065Microsoft Office Remote Code Execution Vulnerability5.5https://nvd.nist.gov/vuln/detail/CVE-2024-49065
CVE-2024-55057Phpgurukul Online Birth Certificate System 1.0 suffers from insufficient password requirements which can lead to unauthorized access to user accounts.5.4https://nvd.nist.gov/vuln/detail/CVE-2024-55057
CVE-2024-55056A stored cross-site scripting (XSS) vulnerability was identified in Phpgurukul Online Birth Certificate System 1.0 in /user/certificate-form.php via the full name field.5.4https://nvd.nist.gov/vuln/detail/CVE-2024-55056
CVE-2024-55452A URL redirection vulnerability exists in UJCMS 9.6.3 due to improper validation of URLs in the upload and rendering of new block / carousel items. This vulnerability allows authenticated attackers to redirect unprivileged users to an arbitrary, attacker-controlled webpage. When an authenticated user clicks on the malicious block item, they are redirected to the arbitrary untrusted domains, where sensitive tokens, such as JSON Web Tokens, can be stolen via a crafted webpage.5.4https://nvd.nist.gov/vuln/detail/CVE-2024-55452
CVE-2024-55554Intrexx Portal Server before 12.0.2 allows XSS via a user-defined portlet.5.4https://nvd.nist.gov/vuln/detail/CVE-2024-55554
CVE-2024-56004Missing Authorization vulnerability in Alex W Fowler Easy Site Importer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Site Importer: from n/a through 1.0.1.5.4https://nvd.nist.gov/vuln/detail/CVE-2024-56004
CVE-2024-55998Missing Authorization vulnerability in dusthazard Popup Surveys & Polls for WordPress (Mare.io) allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Popup Surveys & Polls for WordPress (Mare.io): from n/a through 1.36.5.4https://nvd.nist.gov/vuln/detail/CVE-2024-55998
CVE-2024-55992Missing Authorization vulnerability in Open Tools WooCommerce Basic Ordernumbers allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WooCommerce Basic Ordernumbers: from n/a through 1.4.4.5.4https://nvd.nist.gov/vuln/detail/CVE-2024-55992
CVE-2024-54430Cross-Site Request Forgery (CSRF) vulnerability in Bastien Ho EELV Newsletter allows Cross Site Request Forgery.This issue affects EELV Newsletter: from n/a through 4.8.2.5.4https://nvd.nist.gov/vuln/detail/CVE-2024-54430
CVE-2024-54419Cross-Site Request Forgery (CSRF) vulnerability in Mansur Ahamed Ui Slider Filter By Price allows Cross Site Request Forgery.This issue affects Ui Slider Filter By Price: from n/a through 1.1.5.4https://nvd.nist.gov/vuln/detail/CVE-2024-54419
CVE-2024-54418Cross-Site Request Forgery (CSRF) vulnerability in Diversified Technology Corp., WPYog, and Gagan Deep Singh DTC Documents allows Cross Site Request Forgery.This issue affects DTC Documents: from n/a through 1.1.05.5.4https://nvd.nist.gov/vuln/detail/CVE-2024-54418
CVE-2024-54356Cross-Site Request Forgery (CSRF) vulnerability in vCita.com Online Booking & Scheduling Calendar for WordPress by vcita allows Cross Site Request Forgery.This issue affects Online Booking & Scheduling Calendar for WordPress by vcita: from n/a through 4.5.5.4https://nvd.nist.gov/vuln/detail/CVE-2024-54356
CVE-2024-11841The Tithe.ly Giving Button WordPress plugin through 1.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.5.4https://nvd.nist.gov/vuln/detail/CVE-2024-11841
CVE-2024-54323Missing Authorization vulnerability in WPExpertsio New User Approve allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects New User Approve: from n/a through 2.6.2.5.4https://nvd.nist.gov/vuln/detail/CVE-2024-54323
CVE-2024-54311Missing Authorization vulnerability in i.lychkov Mark New Posts allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Mark New Posts: from n/a through 7.5.1.5.4https://nvd.nist.gov/vuln/detail/CVE-2024-54311
CVE-2024-54271Missing Authorization vulnerability in WPTaskForce WPCargo Track & Trace allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPCargo Track & Trace: from n/a through 7.0.6.5.4https://nvd.nist.gov/vuln/detail/CVE-2024-54271
CVE-2023-44142Missing Authorization vulnerability in Inactive Logout Inactive Logout allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Inactive Logout: from n/a through 3.2.2.5.4https://nvd.nist.gov/vuln/detail/CVE-2023-44142
CVE-2023-41857Missing Authorization vulnerability in ClickToTweet.com Click To Tweet allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Click To Tweet: from n/a through 2.0.14.5.4https://nvd.nist.gov/vuln/detail/CVE-2023-41857
CVE-2023-41688Missing Authorization vulnerability in Mad Fish Digital Bulk NoIndex & NoFollow Toolkit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Bulk NoIndex & NoFollow Toolkit: from n/a through 1.5.5.4https://nvd.nist.gov/vuln/detail/CVE-2023-41688
CVE-2023-41683Missing Authorization vulnerability in Pechenki TelSender allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects TelSender: from n/a through 1.14.11.5.4https://nvd.nist.gov/vuln/detail/CVE-2023-41683
CVE-2023-41671Missing Authorization vulnerability in Tyche Softwares Abandoned Cart Lite for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Abandoned Cart Lite for WooCommerce: from n/a through 5.16.1.5.4https://nvd.nist.gov/vuln/detail/CVE-2023-41671
CVE-2023-40678Missing Authorization vulnerability in Lasso Simple URLs allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Simple URLs: from n/a through 117.5.4https://nvd.nist.gov/vuln/detail/CVE-2023-40678
CVE-2023-40011Missing Authorization vulnerability in StylemixThemes Cost Calculator Builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cost Calculator Builder: from n/a through 3.1.42.5.4https://nvd.nist.gov/vuln/detail/CVE-2023-40011
CVE-2023-38483Missing Authorization vulnerability in Dylan Blokhuis Instant CSS allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Instant CSS: from n/a through 1.1.4.5.4https://nvd.nist.gov/vuln/detail/CVE-2023-38483
CVE-2023-38383Missing Authorization vulnerability in OnTheGoSystems Language allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Language: from n/a through 1.2.1.5.4https://nvd.nist.gov/vuln/detail/CVE-2023-38383
CVE-2023-37989Missing Authorization vulnerability in Easyship Easyship WooCommerce Shipping Rates allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easyship WooCommerce Shipping Rates: from n/a through 0.9.0.5.4https://nvd.nist.gov/vuln/detail/CVE-2023-37989
CVE-2023-36680Missing Authorization vulnerability in Iulia Cazan Image Regenerate & Select Crop allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Image Regenerate & Select Crop: from n/a through 7.1.0.5.4https://nvd.nist.gov/vuln/detail/CVE-2023-36680
CVE-2023-36526Missing Authorization vulnerability in Inqsys Technology Duplicate Post Page Menu & Custom Post Type allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Duplicate Post Page Menu & Custom Post Type: from n/a through 2.4.1.5.4https://nvd.nist.gov/vuln/detail/CVE-2023-36526
CVE-2023-36519Missing Authorization vulnerability in wpthemego SW Product Bundles allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SW Product Bundles: from n/a through 2.0.15.5.4https://nvd.nist.gov/vuln/detail/CVE-2023-36519
CVE-2023-36509Missing Authorization vulnerability in Suresh Chand CHP Ads Block Detector allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CHP Ads Block Detector: from n/a through 3.9.5.5.4https://nvd.nist.gov/vuln/detail/CVE-2023-36509
CVE-2023-35051Missing Authorization vulnerability in Cimatti Consulting Contact Forms by Cimatti allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Contact Forms by Cimatti: from n/a through 1.5.7.5.4https://nvd.nist.gov/vuln/detail/CVE-2023-35051
CVE-2023-35046Missing Authorization vulnerability in Dynamic.ooo Dynamic Visibility for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Dynamic Visibility for Elementor: from n/a through 5.0.5.5.4https://nvd.nist.gov/vuln/detail/CVE-2023-35046
CVE-2023-34376Missing Authorization vulnerability in Rextheme Change WooCommerce Add To Cart Button Text allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Change WooCommerce Add To Cart Button Text: from n/a through 1.3.5.4https://nvd.nist.gov/vuln/detail/CVE-2023-34376
CVE-2023-34014Missing Authorization vulnerability in G5Theme Grid Plus allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Grid Plus: from n/a through 1.3.2.5.4https://nvd.nist.gov/vuln/detail/CVE-2023-34014
CVE-2023-33215Missing Authorization vulnerability in Tagbox Taggbox allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Taggbox: from n/a through 3.3.5.4https://nvd.nist.gov/vuln/detail/CVE-2023-33215
CVE-2023-32601Missing Authorization vulnerability in Booking Ultra Pro Booking Ultra Pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Booking Ultra Pro: from n/a through 1.1.12.5.4https://nvd.nist.gov/vuln/detail/CVE-2023-32601
CVE-2023-32593Missing Authorization vulnerability in GS Plugins GS Pins for Pinterest allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GS Pins for Pinterest: from n/a through 1.6.7.5.4https://nvd.nist.gov/vuln/detail/CVE-2023-32593
CVE-2023-32581Missing Authorization vulnerability in MobileMonkey WP-Chatbot for Messenger allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP-Chatbot for Messenger: from n/a through 4.7.5.4https://nvd.nist.gov/vuln/detail/CVE-2023-32581
CVE-2022-46840Missing Authorization vulnerability in JS Help Desk JS Help Desk – Best Help Desk & Support Plugin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JS Help Desk – Best Help Desk & Support Plugin: from n/a through 2.7.1.5.4https://nvd.nist.gov/vuln/detail/CVE-2022-46840
CVE-2022-45841Missing Authorization vulnerability in RoboSoft Robo Gallery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Robo Gallery: from n/a through 3.2.9.5.4https://nvd.nist.gov/vuln/detail/CVE-2022-45841
CVE-2022-45826Missing Authorization vulnerability in WP Sunshine Sunshine Photo Cart allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sunshine Photo Cart: from n/a through 2.9.13.5.4https://nvd.nist.gov/vuln/detail/CVE-2022-45826
CVE-2024-12042The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the profile picture upload functionality in all versions up to, and including, 4.16.4 due to insufficient file type validation. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload HTML files with arbitrary web scripts that will execute whenever a user accesses the file.5.4https://nvd.nist.gov/vuln/detail/CVE-2024-12042
CVE-2024-10678The Ultimate Blocks WordPress plugin before 3.2.4 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.5.4https://nvd.nist.gov/vuln/detail/CVE-2024-10678
CVE-2024-12574The SVG Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.5.4https://nvd.nist.gov/vuln/detail/CVE-2024-12574
CVE-2024-8647An issue was discovered in GitLab affecting all versions starting 15.2 to 17.4.6, 17.5 prior to 17.5.4, and 17.6 prior to 17.6.2. On self hosted installs, it was possible to leak the anti-CSRF-token to an external site while the Harbor integration was enabled.5.4https://nvd.nist.gov/vuln/detail/CVE-2024-8647
CVE-2024-8179An issue has been discovered in GitLab CE/EE affecting all versions from 17.3 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. Improper output encoding could lead to XSS if CSP is not enabled.5.4https://nvd.nist.gov/vuln/detail/CVE-2024-8179
CVE-2024-10583The Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘post_title’ parameter in all versions up to, and including, 1.20.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.5.4https://nvd.nist.gov/vuln/detail/CVE-2024-10583
CVE-2024-10637The Gutenberg Blocks with AI by Kadence WP WordPress plugin before 3.2.54 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.5.4https://nvd.nist.gov/vuln/detail/CVE-2024-10637
CVE-2024-36831A NULL pointer dereference in the plugins_call_handle_uri_clean function of D-Link DAP-1520 REVA_FIRMWARE_1.10B04_BETA02_HOTFIX allows attackers to cause a Denial of Service (DoS) via a crafted HTTP request without authentication.5.3https://nvd.nist.gov/vuln/detail/CVE-2024-36831
CVE-2024-54677Uncontrolled Resource Consumption vulnerability in the examples web application provided with Apache Tomcat leads to denial of service.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.9.97.

Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.
5.3https://nvd.nist.gov/vuln/detail/CVE-2024-54677
CVE-2024-12601The Calculated Fields Form plugin for WordPress is vulnerable to Denial of Service in all versions up to, and including, 5.2.63. This is due to unlimited height and width parameters for CAPTCHA images. This makes it possible for unauthenticated attackers to send multiple requests with large values, resulting in slowing server resources if the server does not mitigate Denial of Service attacks.5.3https://nvd.nist.gov/vuln/detail/CVE-2024-12601
CVE-2024-11280The PPWP – Password Protect Pages plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.9.5 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as administrator.5.3https://nvd.nist.gov/vuln/detail/CVE-2024-11280
CVE-2024-11294The Memberful plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.73.9 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as site members.5.3https://nvd.nist.gov/vuln/detail/CVE-2024-11294
CVE-2024-35230GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. In affected versions the welcome and about page includes version and revision information about the software in use (including library and components used). This information is sensitive from a security point of view because it allows software used by the server to be easily identified. This issue has been patched in version 2.26.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.5.3https://nvd.nist.gov/vuln/detail/CVE-2024-35230
CVE-2024-55999Missing Authorization vulnerability in Marco Giannini XML Multilanguage Sitemap Generator.This issue affects XML Multilanguage Sitemap Generator: from n/a through 2.0.6.5.3https://nvd.nist.gov/vuln/detail/CVE-2024-55999
CVE-2024-56009Missing Authorization vulnerability in spreadr Spreadr Woocommerce allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Spreadr Woocommerce: from n/a through 1.0.4.5.3https://nvd.nist.gov/vuln/detail/CVE-2024-56009
CVE-2024-55993Missing Authorization vulnerability in PickPlugins Job Board Manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Job Board Manager: from n/a through 2.1.60.5.3https://nvd.nist.gov/vuln/detail/CVE-2024-55993
CVE-2024-54417Missing Authorization vulnerability in Pixelgrade PixProof allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects PixProof: from n/a through 2.0.1.5.3https://nvd.nist.gov/vuln/detail/CVE-2024-54417
CVE-2024-54366Generation of Error Message Containing Sensitive Information vulnerability in Dave Kiss Vimeography allows Retrieve Embedded Sensitive Data.This issue affects Vimeography: from n/a through 2.4.4.5.3https://nvd.nist.gov/vuln/detail/CVE-2024-54366
CVE-2024-9679A Hardcoded Cryptographic key vulnerability existed in DLP Extension 11.11.1.3 which allowed the decryption of previously encrypted user credentials.5.3https://nvd.nist.gov/vuln/detail/CVE-2024-9679
CVE-2024-5333The Events Calendar WordPress plugin before 6.8.2.1 is missing access checks in the REST API, allowing for unauthenticated users to access information about password protected events.5.3https://nvd.nist.gov/vuln/detail/CVE-2024-5333
CVE-2024-8650An issue was discovered in GitLab CE/EE affecting all versions from 15.0 prior to 17.4.6, 17.5 prior to 17.5.4, and 17.6 prior to 17.6.2 that allowed non-member users to view unresolved threads marked as internal notes in public projects merge requests.5.3https://nvd.nist.gov/vuln/detail/CVE-2024-8650
CVE-2024-8116An issue has been discovered in GitLab CE/EE affecting all versions from 16.9 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. By using a specific GraphQL query, under specific conditions an unauthorized user can retrieve branch names.5.3https://nvd.nist.gov/vuln/detail/CVE-2024-8116
CVE-2024-11712The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the getResumeFileDownloadById() function in all versions up to, and including, 2.2.2. This makes it possible for unauthenticated attackers to download other users resumes.5.3https://nvd.nist.gov/vuln/detail/CVE-2024-11712
CVE-2024-12578The Tickera – WordPress Event Ticketing plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 3.5.4.8 via the 'tickera_tickets_info' endpoint. This makes it possible for unauthenticated attackers to extract sensitive data from bookings like full names, email addresses, check-in/out timestamps and more.5.3https://nvd.nist.gov/vuln/detail/CVE-2024-12578
CVE-2024-9945An information-disclosure vulnerability exists in Fortra's GoAnywhere MFT application prior to version 7.7.0 that allows external access to the resources in certain admin root folders.5.3https://nvd.nist.gov/vuln/detail/CVE-2024-9945
CVE-2024-54310Missing Authorization vulnerability in Aslam Khan Gouran Gou Manage My Account Menu allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Gou Manage My Account Menu: from n/a through 1.0.1.8.5.3https://nvd.nist.gov/vuln/detail/CVE-2024-54310
CVE-2023-44149Missing Authorization vulnerability in BeRocket Brands for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Brands for WooCommerce: from n/a through 3.8.2.2.5.3https://nvd.nist.gov/vuln/detail/CVE-2023-44149
CVE-2023-44147Missing Authorization vulnerability in Apasionados Comment Blacklist Updater allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Comment Blacklist Updater: from n/a through 1.1.0.5.3https://nvd.nist.gov/vuln/detail/CVE-2023-44147
CVE-2023-41952Missing Authorization vulnerability in Contact Form - WPManageNinja LLC FluentForm allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FluentForm: from n/a through 5.0.8.5.3https://nvd.nist.gov/vuln/detail/CVE-2023-41952
CVE-2023-41875Missing Authorization vulnerability in wpdirectorykit.com WP Directory Kit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Directory Kit: from n/a through 1.2.6.5.3https://nvd.nist.gov/vuln/detail/CVE-2023-41875
CVE-2023-41862Weak Authentication vulnerability in Guido VS Contact Form allows Authentication Abuse.This issue affects VS Contact Form: from n/a through 14.0.5.3https://nvd.nist.gov/vuln/detail/CVE-2023-41862
CVE-2023-41849Missing Authorization vulnerability in WP Happy Coders Posts Like Dislike allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Posts Like Dislike: from n/a through 1.1.0.5.3https://nvd.nist.gov/vuln/detail/CVE-2023-41849
CVE-2023-41848Missing Authorization vulnerability in Majeed Raza Carousel Slider allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Carousel Slider: from n/a through 2.2.2.5.3https://nvd.nist.gov/vuln/detail/CVE-2023-41848
CVE-2023-41803Missing Authorization vulnerability in BitPay BitPay Checkout for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects BitPay Checkout for WooCommerce: from n/a through 4.1.0.5.3https://nvd.nist.gov/vuln/detail/CVE-2023-41803
CVE-2023-41690Missing Authorization vulnerability in Wiser Notify WiserNotify Social Proof allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WiserNotify Social Proof: from n/a through 2.5.5.3https://nvd.nist.gov/vuln/detail/CVE-2023-41690
CVE-2023-41133Authentication Bypass by Spoofing vulnerability in Michal Novák Secure Admin IP allows Functionality Bypass.This issue affects Secure Admin IP: from n/a through 2.0.5.3https://nvd.nist.gov/vuln/detail/CVE-2023-41133
CVE-2023-40005Missing Authorization vulnerability in Easy Digital Downloads Easy Digital Downloads allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Digital Downloads: from n/a through 3.1.5.5.3https://nvd.nist.gov/vuln/detail/CVE-2023-40005
CVE-2023-39997Missing Authorization vulnerability in supsystic.com Popup by Supsystic allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Popup by Supsystic: from n/a through 1.10.19.5.3https://nvd.nist.gov/vuln/detail/CVE-2023-39997
CVE-2023-39996Missing Authorization vulnerability in WP OnlineSupport, Essential Plugin Accordion and Accordion Slider allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Accordion and Accordion Slider: from n/a through 1.2.4.5.3https://nvd.nist.gov/vuln/detail/CVE-2023-39996
CVE-2023-39305Missing Authorization vulnerability in YetAnotherStarsRating.com Yet Another Stars Rating allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Yet Another Stars Rating: from n/a through 3.4.3.5.3https://nvd.nist.gov/vuln/detail/CVE-2023-39305
CVE-2023-38480Missing Authorization vulnerability in Certain Dev Booster Elementor Addons allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Booster Elementor Addons: from n/a through 1.4.9.5.3https://nvd.nist.gov/vuln/detail/CVE-2023-38480
CVE-2023-38479Missing Authorization vulnerability in Codents Simple Googlebot Visit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Simple Googlebot Visit: from n/a through 1.2.4.5.3https://nvd.nist.gov/vuln/detail/CVE-2023-38479
CVE-2023-37969Missing Authorization vulnerability in The African Boss Checkout with Zelle on Woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Checkout with Zelle on Woocommerce: from n/a through 3.1.5.3https://nvd.nist.gov/vuln/detail/CVE-2023-37969
CVE-2023-36681Missing Authorization vulnerability in Cool Plugins Cryptocurrency Widgets – Price Ticker & Coins List allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cryptocurrency Widgets – Price Ticker & Coins List: from n/a through 2.6.2.5.3https://nvd.nist.gov/vuln/detail/CVE-2023-36681
CVE-2023-36528Missing Authorization vulnerability in FeedbackWP kk Star Ratings allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects kk Star Ratings: from n/a through 5.4.3.5.3https://nvd.nist.gov/vuln/detail/CVE-2023-36528
CVE-2023-36506Missing Authorization vulnerability in YITH YITH WooCommerce Waiting List allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects YITH WooCommerce Waiting List: from n/a through 2.13.0.5.3https://nvd.nist.gov/vuln/detail/CVE-2023-36506
CVE-2023-35875Missing Authorization vulnerability in Jegstudio Gutenverse allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Gutenverse: from n/a through 1.8.5.5.3https://nvd.nist.gov/vuln/detail/CVE-2023-35875
CVE-2023-35777Missing Authorization vulnerability in The Events Calendar The Events Calendar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The Events Calendar: from n/a through 6.1.2.2.5.3https://nvd.nist.gov/vuln/detail/CVE-2023-35777
CVE-2023-34381Missing Authorization vulnerability in Gesundheit Bewegt GmbH Zippy allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Zippy: from n/a through 1.6.2.5.3https://nvd.nist.gov/vuln/detail/CVE-2023-34381
CVE-2023-32963Missing Authorization vulnerability in a3rev Software WooCommerce Predictive Search allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WooCommerce Predictive Search: from n/a through 5.8.0.5.3https://nvd.nist.gov/vuln/detail/CVE-2023-32963
CVE-2023-32798Missing Authorization vulnerability in 10up Simple Page Ordering allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Simple Page Ordering: from n/a through 2.5.0.5.3https://nvd.nist.gov/vuln/detail/CVE-2023-32798
CVE-2023-22697Missing Authorization vulnerability in Survey Maker team Survey Maker allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Survey Maker: from n/a through 3.2.0.5.3https://nvd.nist.gov/vuln/detail/CVE-2023-22697
CVE-2022-47429Missing Authorization vulnerability in 8Degree Themes Coming Soon Landing Page and Maintenance Mode WordPress Plugin allows Retrieve Embedded Sensitive Data.This issue affects Coming Soon Landing Page and Maintenance Mode WordPress Plugin: from n/a through 2.2.0.5.3https://nvd.nist.gov/vuln/detail/CVE-2022-47429
CVE-2022-47182Missing Authorization vulnerability in Wpexpertsio APIExperts Square for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects APIExperts Square for WooCommerce: from n/a through 4.4.1.5.3https://nvd.nist.gov/vuln/detail/CVE-2022-47182
CVE-2022-46846Missing Authorization vulnerability in WP OnlineSupport, Essential Plugin Trending/Popular Post Slider and Widget allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Trending/Popular Post Slider and Widget: from n/a through 1.5.7.5.3https://nvd.nist.gov/vuln/detail/CVE-2022-46846
CVE-2022-44578Missing Authorization vulnerability in Pierre JEHAN Owl Carousel allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Owl Carousel: from n/a through 0.5.3.5.3https://nvd.nist.gov/vuln/detail/CVE-2022-44578
CVE-2024-48008Dell RecoverPoint for Virtual Machines 6.0.x contains a OS Command Injection vulnerability. An Low privileged remote attacker could potentially exploit this vulnerability leading to information disclosure ,allowing of unintended actions like reading files that may contain sensitive information5.3https://nvd.nist.gov/vuln/detail/CVE-2024-48008
CVE-2024-48007Dell RecoverPoint for Virtual Machines 6.0.x contains use of hard-coded credentials vulnerability. A Remote unauthenticated attacker could potentially exploit this vulnerability by gaining access to the source code, easily retrieving these secrets and reusing them to access the system leading to gaining access to unauthorized data.5.3https://nvd.nist.gov/vuln/detail/CVE-2024-48007
CVE-2024-12309The Rate My Post – Star Rating Plugin by FeedbackWP plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.2.4 via the get_post_status() due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to vote on unpublished scheduled posts.5.3https://nvd.nist.gov/vuln/detail/CVE-2024-12309
CVE-2024-55918An issue was discovered in the Graphics::ColorNames package before 3.2.0 for Perl. There is an ambiguity between modules and filenames that can lead to HTML injection by an attacker who can create a file in the current working directory.5.3https://nvd.nist.gov/vuln/detail/CVE-2024-55918
CVE-2024-12579The Minify HTML plugin for WordPress is vulnerable to Regular Expression Denial of Service (ReDoS) in all versions up to, and including, 2.1.10. This is due to processing user-supplied input as a regular expression. This makes it possible for unauthenticated attackers to create comments that can cause catastrophic backtracking and break pages.5.3https://nvd.nist.gov/vuln/detail/CVE-2024-12579
CVE-2024-54096Vulnerability of improper access control in the MTP module
Impact: Successful exploitation of this vulnerability may affect integrity and accuracy.
5.3https://nvd.nist.gov/vuln/detail/CVE-2024-54096
CVE-2024-12265The Web3 Crypto Payments by DePay for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the /wp-json/depay/wc/debug REST API endpoint in all versions up to, and including, 2.12.17. This makes it possible for unauthenticated attackers to retrieve debug infromation.5.3https://nvd.nist.gov/vuln/detail/CVE-2024-12265
CVE-2024-12255The Accept Stripe Payments Using Contact Form 7 plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.5 via the cf7sa-info.php file that returns phpinfo() data. This makes it possible for unauthenticated attackers to extract configuration information that can be leveraged in another attack.5.3https://nvd.nist.gov/vuln/detail/CVE-2024-12255
CVE-2024-44212A cookie management issue was addressed with improved state management. This issue is fixed in Safari 18.1, visionOS 2.1, tvOS 18.1, iOS 18.1 and iPadOS 18.1, watchOS 11.1. Cookies belonging to one origin may be sent to another origin.5.3https://nvd.nist.gov/vuln/detail/CVE-2024-44212
CVE-2024-11351The Restrict – membership, site, content and user access restrictions for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.8 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as administrator.5.3https://nvd.nist.gov/vuln/detail/CVE-2024-11351
CVE-2024-12294The Last Viewed Posts by WPBeginner plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.1 via the 'get_legacy_cookies' function. This makes it possible for unauthenticated attackers to extract sensitive data including titles and permalinks of private, password-protected, pending, and draft posts.5.3https://nvd.nist.gov/vuln/detail/CVE-2024-12294
CVE-2024-11008The Members – Membership & User Role Editor Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.10 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to higher-level roles such as administrator.5.3https://nvd.nist.gov/vuln/detail/CVE-2024-11008
CVE-2024-10511CWE-287: Improper Authentication vulnerability exists that could cause Denial of access to the web interface
when someone on the local network repeatedly requests the /accessdenied URL.
5.3https://nvd.nist.gov/vuln/detail/CVE-2024-10511
CVE-2024-54105Read/Write vulnerability in the image decoding module
Impact: Successful exploitation of this vulnerability will affect availability.
5.1https://nvd.nist.gov/vuln/detail/CVE-2024-54105
CVE-2024-54510A race condition was addressed with improved locking. This issue is fixed in iPadOS 17.7.3, watchOS 11.2, tvOS 18.2, macOS Sequoia 15.2, iOS 18.2 and iPadOS 18.2, macOS Ventura 13.7.2, macOS Sonoma 14.7.2. An app may be able to leak sensitive kernel state.5.1https://nvd.nist.gov/vuln/detail/CVE-2024-54510
CVE-2024-49816IBM Security Guardium Key Lifecycle Manager 4.1, 4.1.1, 4.2.0, and 4.2.1 stores potentially sensitive information in log files that could be read by a local privileged user.4.9https://nvd.nist.gov/vuln/detail/CVE-2024-49816
CVE-2024-54382Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in BoldThemes Bold Page Builder allows Path Traversal.This issue affects Bold Page Builder: from n/a through 5.1.5.4.9https://nvd.nist.gov/vuln/detail/CVE-2024-54382
CVE-2024-9678An SQL Injection vulnerability existed in DLP Extension 11.11.1.3. The vulnerability allowed an attacker to perform arbitrary SQL queries potentially leading to command execution.4.9https://nvd.nist.gov/vuln/detail/CVE-2024-9678
CVE-2024-11714The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to SQL Injection via the 'ff' parameter of the getFieldsForVisibleCombobox() function in all versions up to, and including, 2.2.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.4.9https://nvd.nist.gov/vuln/detail/CVE-2024-11714
CVE-2024-11713The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to SQL Injection via the 'page_id' parameter of the wpjobportal_deactivate() function in all versions up to, and including, 2.2.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.4.9https://nvd.nist.gov/vuln/detail/CVE-2024-11713
CVE-2024-11710The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to SQL Injection via the 'fieldfor', 'visibleParent' and 'id' parameters in all versions up to, and including, 2.2.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.4.9https://nvd.nist.gov/vuln/detail/CVE-2024-11710
CVE-2024-55889phpMyFAQ is an open source FAQ web application. Prior to version 3.2.10, a vulnerability exists in the FAQ Record component where a privileged attacker can trigger a file download on a victim's machine upon page visit by embedding it in an <iframe> element without user interaction or explicit consent. Version 3.2.10 fixes the issue.4.9https://nvd.nist.gov/vuln/detail/CVE-2024-55889
CVE-2023-37940Cross-site scripting (XSS) vulnerability in the edit Service Access Policy page in Liferay Portal 7.0.0 through 7.4.3.87, and Liferay DXP 7.4 GA through update 87, 7.3 GA through update 29, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a service access policy's `Service Class` text field.4.8https://nvd.nist.gov/vuln/detail/CVE-2023-37940
CVE-2024-55451A Stored Cross-Site Scripting (XSS) vulnerability exists in authenticated SVG file upload and viewing functionality in UJCMS 9.6.3. The vulnerability arises from insufficient sanitization of embedded attributes in uploaded SVG files. When a maliciously crafted SVG file is viewed by other backend users, it allows authenticated attackers to execute arbitrary JavaScript in the context of other backend users' browsers, potentially leading to the theft of sensitive tokens.4.8https://nvd.nist.gov/vuln/detail/CVE-2024-55451
CVE-2024-37776A cross-site scripting (XSS) vulnerability in Sunbird DCIM dcTrack v9.1.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in some admin screens.4.8https://nvd.nist.gov/vuln/detail/CVE-2024-37776
CVE-2024-37773An HTML injection vulnerability in Sunbird DCIM dcTrack 9.1.2 allows attackers authenticated as administrators to inject arbitrary HTML code in an admin screen.4.8https://nvd.nist.gov/vuln/detail/CVE-2024-37773
CVE-2024-55100A stored cross-site scripting (XSS) vulnerability in the component /admin/profile.php of Online Nurse Hiring System v1.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the fullname parameter.4.8https://nvd.nist.gov/vuln/detail/CVE-2024-55100
CVE-2024-48872Mattermost versions 10.1.x <= 10.1.2, 10.0.x <= 10.0.2, 9.11.x <= 9.11.4, and 9.5.x <= 9.5.12 fail to prevent concurrently checking and updating the failed login attempts. which allows an attacker to bypass of "Max failed attempts" restriction and send a big number of login attempts before being blocked via simultaneously sending multiple login requests4.8https://nvd.nist.gov/vuln/detail/CVE-2024-48872
CVE-2024-11715The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the assignUserRole() function in all versions up to, and including, 2.2.2. This makes it possible for unauthenticated attackers to elevate their privileges to that of an employer.4.8https://nvd.nist.gov/vuln/detail/CVE-2024-11715
CVE-2024-10939The Image Widget WordPress plugin before 4.4.11 does not sanitise and escape some of its Image Widget settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).4.8https://nvd.nist.gov/vuln/detail/CVE-2024-10939
CVE-2024-9881The LearnPress WordPress plugin before 4.2.7.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).4.8https://nvd.nist.gov/vuln/detail/CVE-2024-9881
CVE-2024-9641The LuckyWP Table of Contents WordPress plugin before 2.1.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).4.8https://nvd.nist.gov/vuln/detail/CVE-2024-9641
CVE-2024-9428The Popup Builder WordPress plugin before 4.3.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).4.8https://nvd.nist.gov/vuln/detail/CVE-2024-9428
CVE-2024-10518The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.15.15 does not sanitise and escape some of its Membership Plan settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).4.8https://nvd.nist.gov/vuln/detail/CVE-2024-10518
CVE-2024-10517The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.15.15 does not sanitise and escape some of its Drag & Drop Builder fields, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).4.8https://nvd.nist.gov/vuln/detail/CVE-2024-10517
CVE-2024-10010The LearnPress WordPress plugin before 4.2.7.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).4.8https://nvd.nist.gov/vuln/detail/CVE-2024-10010
CVE-2024-12666A vulnerability has been found in ClassCMS up to 4.8 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin?do=admin:user:editPost of the component User Management Page. The manipulation leads to improper handling of insufficient privileges. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.4.7https://nvd.nist.gov/vuln/detail/CVE-2024-12666
CVE-2024-47947Due to missing input sanitization, an attacker can perform cross-site-scripting attacks and run arbitrary Javascript in the browser of other users. The "Edit Disclaimer Text" function of the configuration menu is vulnerable to stored XSS. Only the users Poweruser and Admin can use this function which is available at the URL









https://$SCANNER/cgi/admin.cgi?-rdisclaimer+-apre

The stored Javascript payload will be executed every time the ScanWizard is loaded, even in the Kiosk-mode browser.
4.7https://nvd.nist.gov/vuln/detail/CVE-2024-47947
CVE-2024-36498Due to missing input sanitization, an attacker can perform cross-site-scripting attacks and run arbitrary Javascript in the browser of other users. The "Edit Disclaimer Text" function of the configuration menu is vulnerable to stored XSS. Only the users Poweruser and Admin can use this function which is available at the URL









https://$SCANNER/cgi/admin.cgi?-rdisclaimer+-apre

The stored Javascript payload will be executed every time the ScanWizard is loaded, even in the Kiosk-mode browser. Version 7.40 implemented a fix, but it could be bypassed via URL-encoding the Javascript payload again.
4.7https://nvd.nist.gov/vuln/detail/CVE-2024-36498
CVE-2024-36494Due to missing input sanitization, an attacker can perform cross-site-scripting attacks and run arbitrary Javascript in the browser of other users. The login page at /cgi/slogin.cgi suffers from XSS due to improper input filtering of the -tsetup+-uuser parameter, which can only be exploited if the target user is not already logged in. This makes it ideal for login form phishing attempts.4.7https://nvd.nist.gov/vuln/detail/CVE-2024-36494
CVE-2024-28142Due to missing input sanitization, an attacker can perform cross-site-scripting attacks and run arbitrary Javascript in the browser of other users. The "File Name" page (/cgi/uset.cgi?-cfilename) in the User Settings menu improperly filters the "file name" and wildcard character input field. By exploiting the wildcard character feature, attackers are able to store arbitrary Javascript code which is being triggered if the page is viewed afterwards, e.g. by higher privileged users such as admins.









This attack can even be performed without being logged in because the affected functions are not fully protected. Without logging in, only the file name parameter of the "Default" User can be changed.
4.7https://nvd.nist.gov/vuln/detail/CVE-2024-28142
CVE-2024-10568The Ajax Search Lite WordPress plugin before 4.12.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).4.7https://nvd.nist.gov/vuln/detail/CVE-2024-10568
CVE-2024-50585Users who click on a malicious link or visit a website under the control of an attacker can be infected with arbitrary JavaScript which is running in the context of the "Numerix License Server Administration System Login" (nlslogin.jsp) page. The vulnerability can be triggered by sending a specially crafted HTTP POST request. 



The vendor was unresponsive during multiple attempts to contact them via various channels, hence there is no solution available. In case you are using this software, be sure to restrict access and monitor logs. Try to reach out to your contact person for this vendor and request a patch.
4.7https://nvd.nist.gov/vuln/detail/CVE-2024-50585
CVE-2024-41146Use of Multiple Resources with Duplicate Identifier (CWE-694) in the Controller 6000 and Controller 7000 Platforms could allow an attacker with physical access to HBUS communication cabling to perform a Denial-of-Service attack against HBUS connected devices, require a device reboot to resolve.

This issue affects: Controller 6000 and Controller 7000 firmware versions 9.10 prior to vCR9.10.241108a (distributed in 9.10.2149 (MR4)), 9.00 prior to vCR9.00.241108a (distributed in 9.00.2374 (MR5)), 8.90 prior to vCR8.90.241107a (distributed in 8.90.2356 (MR6)), all versions of 8.80 and prior.
4.6https://nvd.nist.gov/vuln/detail/CVE-2024-41146
CVE-2024-49087Windows Mobile Broadband Driver Information Disclosure Vulnerability4.6https://nvd.nist.gov/vuln/detail/CVE-2024-49087
CVE-2024-49817IBM Security Guardium Key Lifecycle Manager 4.1, 4.1.1, 4.2.0, and 4.2.1 stores user credentials in configuration files which can be read by a local privileged user.4.4https://nvd.nist.gov/vuln/detail/CVE-2024-49817
CVE-2024-52542Dell AppSync, version 4.6.0.x, contain a Symbolic Link (Symlink) Following vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to information tampering.4.4https://nvd.nist.gov/vuln/detail/CVE-2024-52542
CVE-2024-12628The bodi0`s Easy cache plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'cache-folder' parameter in all versions up to, and including, 0.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.4.4https://nvd.nist.gov/vuln/detail/CVE-2024-12628
CVE-2024-47984Dell RecoverPoint for Virtual Machines 6.0.x contains Denial of Service vulnerability. A User with Remote access could potentially exploit this vulnerability, leading to the disruption of most functionalities of the RPA persistent after reboot, resulting in need of technical support intervention in getting system back to stable state.4.4https://nvd.nist.gov/vuln/detail/CVE-2024-47984
CVE-2024-12581The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.2.53 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.4.4https://nvd.nist.gov/vuln/detail/CVE-2024-12581
CVE-2024-50584An authenticated attacker with the user/role "Poweruser" can perform an SQL injection by accessing the /class/template_io.php file and supplying malicious GET parameters. The "templates" parameter is vulnerable against blind boolean-based SQL injection attacks. SQL syntax must be injected into the JSON syntax of the templates parameter.4.4https://nvd.nist.gov/vuln/detail/CVE-2024-50584
CVE-2024-12271The 360 Javascript Viewer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘ref’ parameter in all versions up to, and including, 1.7.29 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.4.4https://nvd.nist.gov/vuln/detail/CVE-2024-12271
CVE-2024-54114Out-of-bounds access vulnerability in playback in the DASH module
Impact: Successful exploitation of this vulnerability will affect availability.
4.4https://nvd.nist.gov/vuln/detail/CVE-2024-54114
CVE-2024-12401A flaw was found in the cert-manager package. This flaw allows an attacker who can modify PEM data that the cert-manager reads, for example, in a Secret resource, to use large amounts of CPU in the cert-manager controller pod to effectively create a denial-of-service (DoS) vector for the cert-manager in the cluster.4.4https://nvd.nist.gov/vuln/detail/CVE-2024-12401
CVE-2024-11727The NotificationX – Live Sales Notification, WooCommerce Sales Popup, FOMO, Social Proof, Announcement Banner & Floating Notification Top Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's content settings for notifications in all versions up to, and including, 2.9.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.4.4https://nvd.nist.gov/vuln/detail/CVE-2024-11727
CVE-2024-35117IBM OpenPages with Watson 9.0 may write sensitive information, under specific configurations, in clear text to the system tracing log files that could be obtained by a privileged user.4.4https://nvd.nist.gov/vuln/detail/CVE-2024-35117
CVE-2024-49818IBM Security Guardium Key Lifecycle Manager 4.1, 4.1.1, 4.2.0, and 4.2.1

could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system.
4.3https://nvd.nist.gov/vuln/detail/CVE-2024-49818
CVE-2024-10356The ElementsReady Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.4.8 in inc/Widgets/accordion/output/content.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft template data.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-10356
CVE-2024-8429Improper Restriction of Excessive Authentication Attempts vulnerability in Digital Operation Services WiFiBurada allows Use of Known Domain Credentials.This issue affects WiFiBurada: before 1.0.5.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-8429
CVE-2024-56003Missing Authorization vulnerability in David Cramer Caldera SMTP Mailer.This issue affects Caldera SMTP Mailer: from n/a through 1.0.1.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-56003
CVE-2024-54357Cross-Site Request Forgery (CSRF) vulnerability in ThemeFusion Avada.This issue affects Avada: from n/a through 7.11.10.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-54357
CVE-2024-56007Missing Authorization vulnerability in Ram Segev Leader allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Leader: from n/a through 2.6.1.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-56007
CVE-2024-55994Missing Authorization vulnerability in 搜狐畅言 畅言评论系统 allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects 畅言评论系统: from n/a through 2.0.5.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-55994
CVE-2024-54402Missing Authorization vulnerability in Jozoor Arabic Webfonts allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Arabic Webfonts: from n/a through 1.4.6.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-54402
CVE-2024-54396Cross-Site Request Forgery (CSRF) vulnerability in Ryan Bet sport Free allows Cross Site Request Forgery.This issue affects Bet sport Free: from n/a through 1.0.0.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-54396
CVE-2024-54384Missing Authorization vulnerability in eLightUp Falcon – WordPress Optimizations & Tweaks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Falcon – WordPress Optimizations & Tweaks: from n/a through 2.8.3.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-54384
CVE-2024-54355Cross-Site Request Forgery (CSRF) vulnerability in brandtoss WP Mailster allows Cross Site Request Forgery.This issue affects WP Mailster: from n/a through 1.8.17.0.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-54355
CVE-2024-37251Cross-Site Request Forgery (CSRF) vulnerability in WPENGINE, INC. Advanced Custom Fields PRO.This issue affects Advanced Custom Fields PRO: from n/a before 6.3.2.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-37251
CVE-2024-12362A vulnerability was found in InvoicePlane up to 1.6.1. It has been classified as problematic. This affects the function download of the file invoices.php. The manipulation of the argument invoice leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.6.2-beta-1 is able to address this issue. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-12362
CVE-2024-10690The Shortcodes for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.0.4 via the 'SHORTCODE_ELEMENTOR' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private and draft posts created with Elementor that they should not have access to.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-10690
CVE-2024-12447The Get Post Content Shortcode plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 0.4 via the 'post-content' shortcode due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the content of password-protected, private, draft, and pending posts.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-12447
CVE-2024-54321Cross-Site Request Forgery (CSRF) vulnerability in Hive Support Hive Support – WordPress Help Desk allows Cross Site Request Forgery.This issue affects Hive Support – WordPress Help Desk: from n/a through 1.1.2.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-54321
CVE-2024-54307Cross-Site Request Forgery (CSRF) vulnerability in AIpost AIcomments allows Cross Site Request Forgery.This issue affects AIcomments: from n/a through 1.4.1.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-54307
CVE-2024-54306Cross-Site Request Forgery (CSRF) vulnerability in KCT AIKCT Engine Chatbot, ChatGPT, Gemini, GPT-4o Best AI Chatbot allows Cross Site Request Forgery.This issue affects AIKCT Engine Chatbot, ChatGPT, Gemini, GPT-4o Best AI Chatbot: from n/a through 1.6.2.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-54306
CVE-2024-54300Cross-Site Request Forgery (CSRF) vulnerability in Neuralabz LTD. AutoWP allows Cross Site Request Forgery.This issue affects AutoWP: from n/a through 2.0.8.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-54300
CVE-2024-54298Missing Authorization vulnerability in Bill Minozzi Car Dealer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Car Dealer: from n/a through 4.46.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-54298
CVE-2024-54278Missing Authorization vulnerability in Plugin Devs News Ticker for Elementor allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects News Ticker for Elementor: from n/a through 2.1.3.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-54278
CVE-2024-54268Missing Authorization vulnerability in SiteOrigin SiteOrigin Widgets Bundle allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SiteOrigin Widgets Bundle: from n/a through 1.64.0.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-54268
CVE-2024-54267Missing Authorization vulnerability in CreativeMindsSolutions CM Answers allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CM Answers: from n/a through 3.2.6.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-54267
CVE-2023-41951Missing Authorization vulnerability in rtCamp rtMedia for WordPress, BuddyPress and bbPress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects rtMedia for WordPress, BuddyPress and bbPress: from n/a through 4.6.14.4.3https://nvd.nist.gov/vuln/detail/CVE-2023-41951
CVE-2023-41873Missing Authorization vulnerability in miniOrange SAML SP Single Sign On allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SAML SP Single Sign On: from n/a through 5.0.4.4.3https://nvd.nist.gov/vuln/detail/CVE-2023-41873
CVE-2023-41870Missing Authorization vulnerability in Themeum WP Crowdfunding allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Crowdfunding: from n/a through 2.1.5.4.3https://nvd.nist.gov/vuln/detail/CVE-2023-41870
CVE-2023-41869Missing Authorization vulnerability in Alex Volkov WP Accessibility Helper (WAH) allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Accessibility Helper (WAH): from n/a through 0.6.2.4.4.3https://nvd.nist.gov/vuln/detail/CVE-2023-41869
CVE-2023-41866Missing Authorization vulnerability in Team Plugins360 Automatic YouTube Gallery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Automatic YouTube Gallery: from n/a through 2.3.3.4.3https://nvd.nist.gov/vuln/detail/CVE-2023-41866
CVE-2023-41865Missing Authorization vulnerability in bqworks Slider Pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Slider Pro: from n/a through 4.8.6.4.3https://nvd.nist.gov/vuln/detail/CVE-2023-41865
CVE-2023-41802Missing Authorization vulnerability in Team Heateor Super Socializer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Super Socializer: from n/a through 7.13.54.4.3https://nvd.nist.gov/vuln/detail/CVE-2023-41802
CVE-2023-41689Missing Authorization vulnerability in Koen Reus Post to Google My Business (Google Business Profile) allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Post to Google My Business (Google Business Profile): from n/a through 3.1.14.4.3https://nvd.nist.gov/vuln/detail/CVE-2023-41689
CVE-2023-41132Missing Authorization vulnerability in ShapedPlugin LLC Category Slider for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Category Slider for WooCommerce: from n/a through 1.4.15.4.3https://nvd.nist.gov/vuln/detail/CVE-2023-41132
CVE-2023-40670Missing Authorization vulnerability in ReviewX Team ReviewX allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ReviewX: from n/a through 1.6.17.4.3https://nvd.nist.gov/vuln/detail/CVE-2023-40670
CVE-2023-40334Missing Authorization vulnerability in realmag777 HUSKY allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects HUSKY: from n/a through 1.3.4.2.4.3https://nvd.nist.gov/vuln/detail/CVE-2023-40334
CVE-2023-40331Missing Authorization vulnerability in bqworks Accordion Slider allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Accordion Slider: from n/a through 1.9.6.4.3https://nvd.nist.gov/vuln/detail/CVE-2023-40331
CVE-2023-40213Missing Authorization vulnerability in Mateusz Czardybon Justified Gallery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Justified Gallery: from n/a through 1.7.3.4.3https://nvd.nist.gov/vuln/detail/CVE-2023-40213
CVE-2023-40203Missing Authorization vulnerability in MailMunch MailChimp Forms by MailMunch allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MailChimp Forms by MailMunch: from n/a through 3.1.4.4.3https://nvd.nist.gov/vuln/detail/CVE-2023-40203
CVE-2023-40001Missing Authorization vulnerability in SolidWP iThemes Sync allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects iThemes Sync: from n/a through 2.1.13.4.3https://nvd.nist.gov/vuln/detail/CVE-2023-40001
CVE-2023-39995Missing Authorization vulnerability in WP OnlineSupport, Essential Plugin Portfolio and Projects allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Portfolio and Projects: from n/a through 1.3.7.4.3https://nvd.nist.gov/vuln/detail/CVE-2023-39995
CVE-2023-38514Missing Authorization vulnerability in social share pro Social Share Icons & Social Share Buttons allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Social Share Icons & Social Share Buttons: from n/a through 3.5.7.4.3https://nvd.nist.gov/vuln/detail/CVE-2023-38514
CVE-2023-38477Missing Authorization vulnerability in Stanislav Kuznetsov QR code MeCard/vCard generator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects QR code MeCard/vCard generator: from n/a through 1.6.0.4.3https://nvd.nist.gov/vuln/detail/CVE-2023-38477
CVE-2023-38475Missing Authorization vulnerability in RedNao Donations Made Easy – Smart Donations allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Donations Made Easy – Smart Donations: from n/a through 4.0.12.4.3https://nvd.nist.gov/vuln/detail/CVE-2023-38475
CVE-2023-37984Missing Authorization vulnerability in ExpressTech Quiz And Survey Master allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Quiz And Survey Master: from n/a through 8.1.10.4.3https://nvd.nist.gov/vuln/detail/CVE-2023-37984
CVE-2023-36531Missing Authorization vulnerability in LiquidPoll LiquidPoll – Advanced Polls for Creators and Brands allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LiquidPoll – Advanced Polls for Creators and Brands: from n/a through 3.3.68.4.3https://nvd.nist.gov/vuln/detail/CVE-2023-36531
CVE-2023-36518Missing Authorization vulnerability in Hugh Lashbrooke Post Hit Counter allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Post Hit Counter: from n/a through 1.3.2.4.3https://nvd.nist.gov/vuln/detail/CVE-2023-36518
CVE-2023-35052Missing Authorization vulnerability in wpWax - WP Business Directory Plugin and Classified Listings Directory Directorist allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Directorist: from n/a through 7.5.4.4.3https://nvd.nist.gov/vuln/detail/CVE-2023-35052
CVE-2023-34387Missing Authorization vulnerability in Constant Contact Constant Contact Forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Constant Contact Forms: from n/a through 2.0.3.4.3https://nvd.nist.gov/vuln/detail/CVE-2023-34387
CVE-2023-34009Missing Authorization vulnerability in Inisev Social Media & Share Icons allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Social Media & Share Icons: from n/a through 2.8.1.4.3https://nvd.nist.gov/vuln/detail/CVE-2023-34009
CVE-2023-33998Missing Authorization vulnerability in cybernetikz Easy Social Icons allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Social Icons: from n/a through 3.2.5.4.3https://nvd.nist.gov/vuln/detail/CVE-2023-33998
CVE-2023-33995Missing Authorization vulnerability in Photo Gallery Team Photo Gallery by 10Web allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Photo Gallery by 10Web: from n/a through 1.8.15.4.3https://nvd.nist.gov/vuln/detail/CVE-2023-33995
CVE-2023-33928Missing Authorization vulnerability in WebToffee WordPress Backup & Migration allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WordPress Backup & Migration: from n/a through 1.4.0.4.3https://nvd.nist.gov/vuln/detail/CVE-2023-33928
CVE-2023-32599Missing Authorization vulnerability in Bill Minozzi reCAPTCHA for all allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects reCAPTCHA for all: from n/a through 1.22.4.3https://nvd.nist.gov/vuln/detail/CVE-2023-32599
CVE-2023-32586Missing Authorization vulnerability in Thomas Michalak Soundcloud Is Gold allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Soundcloud Is Gold: from n/a through 2.5.1.4.3https://nvd.nist.gov/vuln/detail/CVE-2023-32586
CVE-2023-32574Missing Authorization vulnerability in Fahad Mahmood Injection Guard allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Injection Guard: from n/a through 1.2.1.4.3https://nvd.nist.gov/vuln/detail/CVE-2023-32574
CVE-2023-32519Missing Authorization vulnerability in Webcodin WCP Contact Form allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WCP Contact Form: from n/a through 3.1.0.4.3https://nvd.nist.gov/vuln/detail/CVE-2023-32519
CVE-2023-28990Missing Authorization vulnerability in HashThemes Viral Mag allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Viral Mag: from n/a through 1.0.9.4.3https://nvd.nist.gov/vuln/detail/CVE-2023-28990
CVE-2023-27456Missing Authorization vulnerability in HashThemes Total allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Total: from n/a through 2.1.19.4.3https://nvd.nist.gov/vuln/detail/CVE-2023-27456
CVE-2022-47176Missing Authorization vulnerability in Depicter Slider and Popup by Averta Depicter Slider allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Depicter Slider: from n/a through 1.9.0.4.3https://nvd.nist.gov/vuln/detail/CVE-2022-47176
CVE-2022-47168Missing Authorization vulnerability in Printful Printful Integration for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Printful Integration for WooCommerce: from n/a through 2.2.3.4.3https://nvd.nist.gov/vuln/detail/CVE-2022-47168
CVE-2022-46811Missing Authorization vulnerability in VillaTheme(villatheme.com) ALD – Dropshipping and Fulfillment for AliExpress and WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ALD – Dropshipping and Fulfillment for AliExpress and WooCommerce: from n/a through 1.0.21.4.3https://nvd.nist.gov/vuln/detail/CVE-2022-46811
CVE-2022-46807Missing Authorization vulnerability in Lauri Karisola / WP Trio Stock Sync for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Stock Sync for WooCommerce: from n/a through 2.3.2.4.3https://nvd.nist.gov/vuln/detail/CVE-2022-46807
CVE-2022-45806Missing Authorization vulnerability in Strategy11 Form Builder Team Formidable Forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Formidable Forms: from n/a through 5.5.4.4.3https://nvd.nist.gov/vuln/detail/CVE-2022-45806
CVE-2022-43472Missing Authorization vulnerability in StylemixThemes eRoom – Zoom Meetings & Webinar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects eRoom – Zoom Meetings & Webinar: from n/a through 1.4.6.4.3https://nvd.nist.gov/vuln/detail/CVE-2022-43472
CVE-2024-12414The Themify Store Locator plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.9. This is due to missing or incorrect nonce validation on the setting_page() function. This makes it possible for unauthenticated attackers to modify the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-12414
CVE-2024-11911The WP Crowdfunding plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the install_woocommerce_plugin() function action in all versions up to, and including, 2.1.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install WooCommerce. This has a limited impact on most sites because WooCommerce is a requirement.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-11911
CVE-2024-11275The WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the /wp-json/timetics/v1/customers/ REST API endpoint in all versions up to, and including, 1.0.27. This makes it possible for authenticated attackers, with Timetics Customer access and above, to delete arbitrary users.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-11275
CVE-2024-9367An issue was discovered in GitLab CE/EE affecting all versions starting from 13.9 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2, that allows an attacker to cause uncontrolled CPU consumption, potentially leading to a Denial of Service (DoS) condition while parsing templates to generate changelogs.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-9367
CVE-2024-54116Out-of-bounds read vulnerability in the M3U8 module
Impact: Successful exploitation of this vulnerability may cause features to perform abnormally.
4.3https://nvd.nist.gov/vuln/detail/CVE-2024-54116
CVE-2024-54115Out-of-bounds read vulnerability in the DASH module
Impact: Successful exploitation of this vulnerability will affect availability.
4.3https://nvd.nist.gov/vuln/detail/CVE-2024-54115
CVE-2024-12329The Essential Real Estate plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on several pages/post types in all versions up to, and including, 5.1.6. This makes it possible for authenticated attackers, with Contributor-level access and above, to access invoices and transaction logs4.3https://nvd.nist.gov/vuln/detail/CVE-2024-12329
CVE-2024-12201The Hash Form – Drag & Drop Form Builder plugin for WordPress is vulnerable to unauthorized access due to a missing capability check when creating form styles in all versions up to, and including, 1.2.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to create new form styles.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-12201
CVE-2024-11724The Cookie Consent for WP – Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpl_script_save AJAX action in all versions up to, and including, 3.6.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to whitelist scripts.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-11724
CVE-2024-11181The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 9.9.9.3 via the 'wp_reusable_render' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-11181
CVE-2024-12263The Child Theme Creator by Orbisius plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the cloud_delete() and cloud_update() functions in all versions up to, and including, 1.5.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update and delete cloud snippets. Please note that this vulnerability was present in the Cloud Library Addon used by the plugin and not in the plugin itself, the cloud library has been removed entirely.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-12263
CVE-2024-12059The ElementInvader Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.1 via the eli_option_value shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract arbitrary options from the wp_options table.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-12059
CVE-2024-12018The Snippet Shortcodes plugin for WordPress is vulnerable to unauthorized Shortcode Deletion due to missing authorization in all versions up to, and including, 4.1.6. Note that a nonce is used as authentication here, but the value is leaked. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the plugin's Shortcodes.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-12018
CVE-2024-12526The Arena.IM – Live Blogging for real-time events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.3.0. This is due to missing or incorrect nonce validation on the 'albfre_user_action' AJAX action. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-12526
CVE-2024-11709The AI Post Generator | AutoWriter plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ai_post_generator_delete_Post AJAX action in all versions up to, and including, 3.5. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary pages and posts.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-11709
CVE-2024-12341The Custom Skins Contact Form 7 plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'cf7cs_action_callback' function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the content of any post and create new skins.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-12341
CVE-2024-44246The issue was addressed with improved routing of Safari-originated requests. This issue is fixed in macOS Sequoia 15.2, iOS 18.2 and iPadOS 18.2, Safari 18.2, iPadOS 17.7.3. On a device with Private Relay enabled, adding a website to the Safari Reading List may reveal the originating IP address to the website.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-44246
CVE-2024-49103Windows Wireless Wide Area Network Service (WwanSvc) Information Disclosure Vulnerability4.3https://nvd.nist.gov/vuln/detail/CVE-2024-49103
CVE-2024-49099Windows Wireless Wide Area Network Service (WwanSvc) Information Disclosure Vulnerability4.3https://nvd.nist.gov/vuln/detail/CVE-2024-49099
CVE-2024-49098Windows Wireless Wide Area Network Service (WwanSvc) Information Disclosure Vulnerability4.3https://nvd.nist.gov/vuln/detail/CVE-2024-49098
CVE-2024-12482A vulnerability was found in cjbi wetech-cms 1.0/1.1/1.2. It has been rated as problematic. Affected by this issue is the function backup of the file wetech-cms-master\\wetech-basic-common\\src\\main\\java\\tech\\wetech\\basic\\util\\BackupFileUtil.java of the component Database Backup Handler. The manipulation of the argument name leads to path traversal: '../filedir'. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-12482
CVE-2024-51460IBM InfoSphere Information Server 11.7 could allow an authenticated user to obtain sensitive information when a detailed technical error message is returned in a stack trace. This information could be used in further attacks against the system.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-51460
CVE-2024-54269Missing Authorization vulnerability in Ninja Team Notibar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Notibar: from n/a through 2.1.4.4.3https://nvd.nist.gov/vuln/detail/CVE-2024-54269
CVE-2024-54503An inconsistent user interface issue was addressed with improved state management. This issue is fixed in iOS 18.2 and iPadOS 18.2. Muting a call while ringing may not result in mute being enabled.4.2https://nvd.nist.gov/vuln/detail/CVE-2024-54503
CVE-2024-49819IBM Security Guardium Key Lifecycle Manager 4.1, 4.1.1, 4.2.0, and 4.2.1 could allow a remote attacker to obtain sensitive information in cleartext in a communication channel that can be sniffed by unauthorized actors.4.1https://nvd.nist.gov/vuln/detail/CVE-2024-49819
CVE-2024-12292An issue was discovered in GitLab CE/EE affecting all versions starting from 11.0 prior to 17.4.6, starting from 17.5 prior to 17.5.4, and starting from 17.6 prior to 17.6.2, where sensitive information passed in GraphQL mutations may have been retained in GraphQL logs.4https://nvd.nist.gov/vuln/detail/CVE-2024-12292
CVE-2024-49820IBM Security Guardium Key Lifecycle Manager 4.1, 4.1.1, 4.2.0, and 4.2.1 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques.3.7https://nvd.nist.gov/vuln/detail/CVE-2024-49820
CVE-2024-9654The Easy Digital Downloads plugin for WordPress is vulnerable to Improper Authorization in versions 3.1 through 3.3.4. This is due to a lack of sufficient validation checks within the 'verify_guest_email' function to ensure the requesting user is the intended recipient of the purchase receipt. This makes it possible for unauthenticated attackers to bypass intended security restrictions and view the receipts of other users, which contains a link to download paid content. Successful exploitation requires knowledge of another customers email address as well as the file ID of the content they purchased.3.7https://nvd.nist.gov/vuln/detail/CVE-2024-9654
CVE-2024-12667A vulnerability was found in InvoicePlane up to 1.6.1 and classified as problematic. Affected by this issue is some unknown functionality of the file /invoices/view. The manipulation leads to session expiration. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.6.2-beta-1 is able to address this issue. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.3.7https://nvd.nist.gov/vuln/detail/CVE-2024-12667
CVE-2024-12663A vulnerability classified as problematic was found in funnyzpc Mee-Admin up to 1.6. This vulnerability affects unknown code of the file /mee/login of the component Login. The manipulation of the argument username leads to observable response discrepancy. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.3.7https://nvd.nist.gov/vuln/detail/CVE-2024-12663
CVE-2024-12300The AR for WordPress plugin for WordPress is vulnerable to unauthorized double extension file upload due to a missing capability check on the set_ar_featured_image() function in all versions up to, and including, 7.3. This makes it possible for unauthenticated attackers to upload php files leveraging a double extension attack. It's important to note the file is deleted immediately and double extension attacks only work on select servers making this unlikely to be successfully exploited.3.7https://nvd.nist.gov/vuln/detail/CVE-2024-12300
CVE-2024-12483A vulnerability classified as problematic has been found in Dromara UJCMS up to 9.6.3. This affects an unknown part of the file /users/id of the component User ID Handler. The manipulation leads to authorization bypass. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used.3.7https://nvd.nist.gov/vuln/detail/CVE-2024-12483
CVE-2024-12665A vulnerability, which was classified as problematic, was found in ruifang-tech Rebuild 3.8.5. Affected is an unknown function of the component Task Comment Attachment Upload. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.3.5https://nvd.nist.gov/vuln/detail/CVE-2024-12665
CVE-2024-12664A vulnerability, which was classified as problematic, has been found in ruifang-tech Rebuild 3.8.5. This issue affects some unknown processing of the component Project Task Comment Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.3.5https://nvd.nist.gov/vuln/detail/CVE-2024-12664
CVE-2024-56082ChatBar.tsx in Lumos before 1.0.17 parses raw HTML in Markdown because the markdown-to-jsx package is used without disableParsingRawHTML set to true.3.5https://nvd.nist.gov/vuln/detail/CVE-2024-56082
CVE-2023-41695Missing Authorization vulnerability in Analytify Analytify allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Analytify: from n/a through 5.1.0.3.5https://nvd.nist.gov/vuln/detail/CVE-2023-41695
CVE-2022-45819Missing Authorization vulnerability in Popup Maker Popup Maker allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Popup Maker: from n/a through 1.17.1.3.5https://nvd.nist.gov/vuln/detail/CVE-2022-45819
CVE-2021-32007This issue affects:
Secomea GateManager
Version 9.5 and all prior versions.
Protection Mechanism Failure vulnerability in web server of Secomea GateManager to potentially leak information to remote servers.
3.5https://nvd.nist.gov/vuln/detail/CVE-2021-32007
CVE-2024-12536A vulnerability, which was classified as problematic, has been found in SourceCodester Kortex Lite Advocate Office Management System 1.0. Affected by this issue is some unknown functionality of the file /control/client_data.php. The manipulation of the argument id leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.3.5https://nvd.nist.gov/vuln/detail/CVE-2024-12536
CVE-2024-11053When asked to both use a `.netrc` file for credentials and to follow HTTP
redirects, curl could leak the password used for the first host to the
followed-to host under certain circumstances.

This flaw only manifests itself if the netrc file has an entry that matches
the redirect target hostname but the entry either omits just the password or
omits both login and password.
3.4https://nvd.nist.gov/vuln/detail/CVE-2024-11053
CVE-2024-54493This issue was addressed through improved state management. This issue is fixed in macOS Sequoia 15.2. Privacy indicators for microphone access may be attributed incorrectly.3.3https://nvd.nist.gov/vuln/detail/CVE-2024-54493
CVE-2024-44290This issue was addressed with improved redaction of sensitive information. This issue is fixed in iOS 18.1 and iPadOS 18.1, watchOS 11.1. An app may be able to determine a user’s current location.3.3https://nvd.nist.gov/vuln/detail/CVE-2024-44290
CVE-2024-44200This issue was addressed with improved redaction of sensitive information. This issue is fixed in iOS 18.1 and iPadOS 18.1. An app may be able to read sensitive location information.3.3https://nvd.nist.gov/vuln/detail/CVE-2024-44200
CVE-2024-42194An improper handling of insufficient permissions or privileges affects HCL BigFix Inventory. An attacker having access via a read-only account can possibly change certain configuration parameters by crafting a specific REST API call.3.1https://nvd.nist.gov/vuln/detail/CVE-2024-42194
CVE-2024-10043An issue has been discovered in GitLab EE affecting all versions starting from 14.3 before 17.4.6, all versions starting from 17.5 before 17.5.4 all versions starting from 17.6 before 17.6.2, that allows group users to view confidential incident title through the Wiki History Diff feature, potentially leading to information disclosure.3.1https://nvd.nist.gov/vuln/detail/CVE-2024-10043
CVE-2023-23472IBM InfoSphere DataStage Flow Designer (InfoSphere Information Server 11.7) could allow an authenticated user to obtain sensitive information that could aid in further attacks against the system.3.1https://nvd.nist.gov/vuln/detail/CVE-2023-23472
CVE-2023-37395IBM Aspera Faspex 5.0.0 through 5.0.7 could allow a local user to obtain sensitive information due to improper encryption of certain data.2.5https://nvd.nist.gov/vuln/detail/CVE-2023-37395
CVE-2024-54485The issue was addressed by adding additional logic. This issue is fixed in iPadOS 17.7.3, iOS 18.2 and iPadOS 18.2. An attacker with physical access to an iOS device may be able to view notification content from the lock screen.2.4https://nvd.nist.gov/vuln/detail/CVE-2024-54485
CVE-2024-12503A vulnerability classified as problematic was found in ClassCMS 4.8. Affected by this vulnerability is an unknown functionality of the file /index.php/admin of the component Model Management Page. The manipulation of the argument URL leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.2.4https://nvd.nist.gov/vuln/detail/CVE-2024-12503
CVE-2024-56142pghoard is a PostgreSQL backup daemon and restore tooling that stores backup data in cloud object stores. A vulnerability has been discovered that could allow an attacker to acquire disk access with privileges equivalent to those of pghoard, allowing for unintended path traversal. Depending on the permissions/privileges assigned to pghoard, this could allow disclosure of sensitive information. This issue has been addressed in releases after 2.2.2a. Users are advised to upgrade. There are no known workarounds for this vulnerability.https://nvd.nist.gov/vuln/detail/CVE-2024-56142
CVE-2024-51175An issue in H3C switch h3c-S1526 allows a remote attacker to obtain sensitive information via the S1526.cfg component.https://nvd.nist.gov/vuln/detail/CVE-2024-51175
CVE-2024-31668rizin before v0.6.3 is vulnerable to Improper Neutralization of Special Elements via meta_set function in librz/analysis/meta.https://nvd.nist.gov/vuln/detail/CVE-2024-31668
CVE-2024-29646Buffer Overflow vulnerability in radarorg radare2 v.5.8.8 allows an attacker to execute arbitrary code via the name, type, or group fields.https://nvd.nist.gov/vuln/detail/CVE-2024-29646
CVE-2024-55059A stored HTML Injection vulnerability was identified in PHPGurukul Online Birth Certificate System v1.0 in /user/certificate-form.php.https://nvd.nist.gov/vuln/detail/CVE-2024-55059
CVE-2024-55058An insecure direct object reference (IDOR) vulnerability was discovered in PHPGurukul Online Birth Certificate System v1.0. This vulnerability resides in the viewid parameter of /user/view-application-detail.php. Authenticated users can exploit this flaw by manipulating the viewid parameter in the URL to access sensitive birth certificate details of other users without proper authorization checks.https://nvd.nist.gov/vuln/detail/CVE-2024-55058
CVE-2024-12539An issue was discovered where improper authorization controls affected certain queries that could allow a malicious actor to circumvent Document Level Security in Elasticsearch and get access to documents that their roles would normally not allow.https://nvd.nist.gov/vuln/detail/CVE-2024-12539
CVE-2024-11993Reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.1.0 through 7.4.3.38, and Liferay DXP 7.4 GA through update 38, 7.3 GA through update 36, 7.2 GA through fix pack 20 and 7.1 GA through fix pack 28 allows remote attackers to execute arbitrary web script or HTML via Dispatch name fieldhttps://nvd.nist.gov/vuln/detail/CVE-2024-11993
CVE-2024-55516A vulnerability was found in Raisecom MSG1200, MSG2100E, MSG2200, and MSG2300 v3.90. The component affected by this issue is /upload_sysconfig.php on the web interface. By crafting a suitable form name, arbitrary files can be uploaded, potentially leading to unauthorized access to server permissions.https://nvd.nist.gov/vuln/detail/CVE-2024-55516
CVE-2024-55515A vulnerability was found in Raisecom MSG1200, MSG2100E, MSG2200, and MSG2300 3.90. The component affected by this issue is /upload_ipslib.php on the web interface. By crafting a suitable form name, arbitrary files can be uploaded.https://nvd.nist.gov/vuln/detail/CVE-2024-55515
CVE-2024-55514A vulnerability was found in Raisecom MSG1200, MSG2100E, MSG2200, and MSG2300 3.90. The component affected by this issue is /upload_sfmig.php on the web interface. By crafting a suitable form name, arbitrary files can be uploaded, potentially leading to unauthorized access to server permissions.https://nvd.nist.gov/vuln/detail/CVE-2024-55514
CVE-2024-55513A vulnerability was found in Raisecom MSG1200, MSG2100E, MSG2200, and MSG2300 3.90. The component affected by this issue is /upload_netaction.php on the web interface. By crafting a suitable form name, arbitrary files can be uploaded, potentially leading to unauthorized access to server permissions.https://nvd.nist.gov/vuln/detail/CVE-2024-55513
CVE-2024-49194Databricks JDBC Driver before 2.6.40 could potentially allow remote code execution (RCE) by triggering a JNDI injection via a JDBC URL parameter. The vulnerability is rooted in the improper handling of the krbJAASFile parameter. An attacker could potentially exploit this vulnerability to achieve Remote Code Execution in the context of the driver by tricking a victim into using a crafted connection URL that uses the property krbJAASFile.https://nvd.nist.gov/vuln/detail/CVE-2024-49194
CVE-2024-56139pdftools is a high level tools to convert PDF files to ePUB formats. In versions up to and including 0.5.0 maliciously crafted epub files can cause a stack overflow leading to a crash. This issue has not yet been addressed and users are advised to avoid untrusted input to their systems.https://nvd.nist.gov/vuln/detail/CVE-2024-56139
CVE-2024-55496A vulnerability has been found in the 1000projects Bookstore Management System PHP MySQL Project 1.0. This issue affects some unknown functionality of add_company.php. Actions on the delete parameter result in SQL injection.https://nvd.nist.gov/vuln/detail/CVE-2024-55496
CVE-2024-54662Dante 1.4.0 through 1.4.3 (fixed in 1.4.4) has incorrect access control for some sockd.conf configurations involving socksmethod.https://nvd.nist.gov/vuln/detail/CVE-2024-54662
CVE-2024-53144In the Linux kernel, the following vulnerability has been resolved:

Bluetooth: hci_event: Align BR/EDR JUST_WORKS paring with LE

This aligned BR/EDR JUST_WORKS method with LE which since 92516cd97fd4
("Bluetooth: Always request for user confirmation for Just Works")
always request user confirmation with confirm_hint set since the
likes of bluetoothd have dedicated policy around JUST_WORKS method
(e.g. main.conf:JustWorksRepairing).

CVE: CVE-2024-8805
https://nvd.nist.gov/vuln/detail/CVE-2024-53144
CVE-2024-54125Improper authorization in handler for custom URL scheme issue in "Shonen Jump+" App for Android versions prior to 4.0.0 allows an attacker to lead a user to access an arbitrary website via the vulnerable App. As a result, the user may become a victim of a phishing attack.https://nvd.nist.gov/vuln/detail/CVE-2024-54125
CVE-2024-55864Cross-site scripting vulnerability exists in My WP Customize Admin/Frontend versions prior to ver 1.24.1. If a malicious administrative user customizes the administrative page with some malicious contents, an arbitrary script may be executed on the web browser of the other users who are accessing the page.https://nvd.nist.gov/vuln/detail/CVE-2024-55864
CVE-2024-55951Metabase is an open-source data analytics platform. For new sandboxing configurations created in 1.52.0 till 1.52.2.4, sandboxed users are able to see field filter values from other sandboxed users. This is fixed in 1.52.2.5. Users on 1.52.0 or 1.52.1 or 1.5.2 should upgrade to 1.52.2.5. There are no workarounds for this issue aside from upgrading.https://nvd.nist.gov/vuln/detail/CVE-2024-55951
CVE-2024-55949MinIO is a high-performance, S3 compatible object store, open sourced under GNU AGPLv3 license. Minio is subject to a privilege escalation in IAM import API, all users are impacted since MinIO commit `580d9db85e04f1b63cc2909af50f0ed08afa965f`. This issue has been addressed in commit `f246c9053f9603e610d98439799bdd2a6b293427` which is included in RELEASE.2024-12-13T22-19-12Z. There are no workarounds possible, all users are advised to upgrade immediately.https://nvd.nist.gov/vuln/detail/CVE-2024-55949
CVE-2024-12687Deserialization of Untrusted Data vulnerability in PlexTrac (Runbooks modules) which allows Object Injection and arbitrary file writes.

This issue affects PlexTrac: from 1.61.3 before 2.8.1.
https://nvd.nist.gov/vuln/detail/CVE-2024-12687
CVE-2024-6002Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.https://nvd.nist.gov/vuln/detail/CVE-2024-6002
CVE-2024-7701Use of Password Hash With Insufficient Computational Effort vulnerability in percona percona-toolkit allows Encryption Brute Forcing.This issue affects percona-toolkit: 3.6.0.https://nvd.nist.gov/vuln/detail/CVE-2024-7701
CVE-2024-12553GeoVision GV-ASManager Missing Authorization Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of GeoVision GV-ASManager. Although authentication is required to exploit this vulnerability, default guest credentials may be used.

The specific flaw exists within the GV-ASWeb service. The issue results from the lack of authorization prior to allowing access to functionality. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-25394.
https://nvd.nist.gov/vuln/detail/CVE-2024-12553
CVE-2024-12552Wacom Center WTabletServicePro Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Wacom Center. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

The specific flaw exists within WTabletServicePro.exe. By creating a symbolic link, an attacker can abuse the service to create an arbitrary file. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-25359.
https://nvd.nist.gov/vuln/detail/CVE-2024-12552
CVE-2024-55946Playloom Engine is an open-source, high-performance game development engine. Engine Beta v0.0.1 has a security vulnerability related to data storage, specifically when using the collaboration features. When collaborating with another user, they may have access to personal information you have entered into the software. This poses a risk to user privacy. The maintainers of Playloom Engine have temporarily disabled the collaboration feature until a fix can be implemented. When Engine Beta v0.0.2 is released, it is expected to contain a patch addressing this issue. Users should refrain from using the collaboration feature in the meantime.https://nvd.nist.gov/vuln/detail/CVE-2024-55946
CVE-2024-12632Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2024-55956. Reason: This candidate is a duplicate of CVE-2024-55956. Notes: All CVE users should reference CVE-2024-55956 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.https://nvd.nist.gov/vuln/detail/CVE-2024-12632
CVE-2024-55890D-Tale is a visualizer for pandas data structures. Prior to version 3.16.1, users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. Users should upgrade to version 3.16.1 where the `update-settings` endpoint blocks the ability for users to update the `enable_custom_filters` flag. The only workaround for versions earlier than 3.16.1 is to only host D-Tale to trusted users.https://nvd.nist.gov/vuln/detail/CVE-2024-55890
CVE-2024-52066Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in RTI Connext Professional (Routing Service) allows Overflow Variables and Tags.This issue affects Connext Professional: from 7.4.0 before 7.5.0, from 7.0.0 before 7.3.0.5, from 6.1.0 before 6.1.2.21, from 6.0.0 before 6.0.1.40.https://nvd.nist.gov/vuln/detail/CVE-2024-52066
CVE-2024-52065Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in RTI Connext Professional on non-Windows (Persistence Service) allows Buffer Overflow via Environment Variables.This issue affects Connext Professional: from 7.0.0 before 7.3.0.2, from 6.1.1.2 before 6.1.2.21, from 5.3.1.40 before 5.3.1.41.https://nvd.nist.gov/vuln/detail/CVE-2024-52065
CVE-2024-52064Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in RTI Connext Professional (Core Libraries) allows Overflow Variables and Tags.This issue affects Connext Professional: from 7.0.0 before 7.3.0.2, from 6.1.0 before 6.1.2.21, from 6.0.0 before 6.0.1.40, from 5.0.0 before 5.3.1.45.https://nvd.nist.gov/vuln/detail/CVE-2024-52064
CVE-2024-52062Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in RTI Connext Professional (Core Libraries) allows Overflow Variables and Tags.This issue affects Connext Professional: from 7.0.0 before 7.3.0.5, from 6.1.0 before 6.1.2.21, from 6.0.0 before 6.0.1.40, from 5.0.0 before 5.3.1.45.https://nvd.nist.gov/vuln/detail/CVE-2024-52062
CVE-2024-52061Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in RTI Connext Professional (Core Libraries, Queuing Service, Recording Service, Routing Service) allows Overflow Variables and Tags.This issue affects Connext Professional: from 7.4.0 before 7.5.0, from 7.0.0 before 7.3.0.5, from 6.1.0 before 6.1.2.21, from 6.0.0 before 6.0.1.40, from 5.0.0 before 5.3.1.45.https://nvd.nist.gov/vuln/detail/CVE-2024-52061
CVE-2024-52060Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in RTI Connext Professional (Routing Service, Recording Service, Queuing Service, Observability Collector Service, Cloud Discovery Service) allows Buffer Overflow via Environment Variables.This issue affects Connext Professional: from 7.0.0 before 7.3.0.5, from 6.1.0 before 6.1.2.21, from 6.0.0 before 6.0.*, from 5.3.0 before 5.3.1.45.https://nvd.nist.gov/vuln/detail/CVE-2024-52060
CVE-2024-52059Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in RTI Connext Professional (Security Plugins) allows Overflow Variables and Tags.This issue affects Connext Professional: from 7.0.0 before 7.3.0.2, from 6.1.0 before 6.1.2.17.https://nvd.nist.gov/vuln/detail/CVE-2024-52059
CVE-2024-52058Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in RTI Connext Professional (System Designer) allows OS Command Injection.This issue affects Connext Professional: from 7.0.0 before 7.3.0.2, from 6.1.0 before 6.1.2.19.https://nvd.nist.gov/vuln/detail/CVE-2024-52058
CVE-2024-52057Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RTI Connext Professional (Queuing Service) allows SQL Injection.This issue affects Connext Professional: from 7.0.0 before 7.3.0, from 6.1.0 before 6.1.2.17, from 6.0.0 before 6.0.*, from 5.2.0 before 5.3.*.https://nvd.nist.gov/vuln/detail/CVE-2024-52057
CVE-2024-11839Deserialization of Untrusted Data vulnerability in PlexTrac (Runbooks modules) which allows Object Injection and arbitrary file writes.This issue affects PlexTrac: from 1.61.3 before 2.8.1.https://nvd.nist.gov/vuln/detail/CVE-2024-11839
CVE-2024-11838External Control of File Name or Path vulnerability in PlexTrac allows Local Code Inclusion through use of an undocumented API endpoint.This issue affects PlexTrac: from 1.61.3 before 2.8.1.https://nvd.nist.gov/vuln/detail/CVE-2024-11838
CVE-2024-11837Improper Neutralization of Special Elements used in an N1QL Command ('N1QL Injection') vulnerability in PlexTrac  allows N1QL Injection.This issue affects PlexTrac: from 1.61.3 before 2.8.1.https://nvd.nist.gov/vuln/detail/CVE-2024-11837
CVE-2024-11836Server-Side Request Forgery (SSRF) vulnerability in PlexTrac allowing requests to internal system resources.This issue affects PlexTrac: from 1.61.3 before 2.8.1.https://nvd.nist.gov/vuln/detail/CVE-2024-11836
CVE-2024-11835Uncontrolled Resource Consumption vulnerability in PlexTrac allows WebSocket DoS.This issue affects PlexTrac: from 1.61.3 before 2.8.1.https://nvd.nist.gov/vuln/detail/CVE-2024-11835
CVE-2024-11833Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in PlexTrac allows arbitrary file writes.This issue affects PlexTrac: from 1.61.3 before 2.8.1.https://nvd.nist.gov/vuln/detail/CVE-2024-11833
CVE-2024-12603A logic vulnerability in the the mobile application (com.transsion.applock) can lead to bypassing the application password.https://nvd.nist.gov/vuln/detail/CVE-2024-12603
CVE-2024-55885beego is an open-source web framework for the Go programming language. Versions of beego prior to 2.3.4 use MD5 as a hashing algorithm. MD5 is no longer considered secure against well-funded opponents due to its vulnerability to collision attacks. Version 2.3.4 replaces MD5 with SHA256.https://nvd.nist.gov/vuln/detail/CVE-2024-55885
CVE-2024-55876XWiki Platform is a generic wiki platform. Starting in version 1.2-milestone-2 and prior to versions 15.10.9 and 16.3.0, any user with an account on the main wiki could run scheduling operations on subwikis. To reproduce, as a user on the main wiki without any special right, view the document `Scheduler.WebHome` in a subwiki. Then, click on any operation (*e.g.,* Trigger) on any job. If the operation is successful, then the instance is vulnerable. This has been patched in XWiki 15.10.9 and 16.3.0. As a workaround, those who have subwikis where the Job Scheduler is enabled can edit the objects on `Scheduler.WebPreferences` to match the patch.https://nvd.nist.gov/vuln/detail/CVE-2024-55876
CVE-2024-55663XWiki Platform is a generic wiki platform. Starting in version 6.3-milestone-2 and prior to versions 13.10.5 and 14.3-rc-1, in `getdocument.vm`; the ordering of the returned documents is defined from an unsanitized request parameter (request.sort) and can allow any user to inject HQL. Depending on the used database backend, the attacker may be able to not only obtain confidential information such as password hashes from the database, but also execute UPDATE/INSERT/DELETE queries. This has been patched in 13.10.5 and 14.3-rc-1. There is no known workaround, other than upgrading XWiki.https://nvd.nist.gov/vuln/detail/CVE-2024-55663
CVE-2024-55633Improper Authorization vulnerability in Apache Superset. On Postgres analytic databases an attacker with SQLLab access can craft a specially designed SQL DML statement that is Incorrectly identified as a read-only query, enabling its execution. Non postgres analytics database connections and postgres analytics database connections set with a readonly user (advised) are not vulnerable. 

This issue affects Apache Superset: before 4.1.0.

Users are recommended to upgrade to version 4.1.0, which fixes the issue.
https://nvd.nist.gov/vuln/detail/CVE-2024-55633
CVE-2024-54118Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.https://nvd.nist.gov/vuln/detail/CVE-2024-54118
CVE-2024-12564Exposure of Sensitive Information to an Unauthorized Actor vulnerability was discovered in Open Design Alliance CDE inWEB SDK before 2025.3. Installing CDE Server with default settings allows unauthorized users to visit prometheus metrics page. This can allow attackers to understand more things about the target application which may help in further investigation and exploitation.https://nvd.nist.gov/vuln/detail/CVE-2024-12564
CVE-2024-55660SiYuan is a personal knowledge management system. Prior to version 3.1.16, SiYuan's `/api/template/renderSprig` endpoint is vulnerable to Server-Side Template Injection (SSTI) through the Sprig template engine. Although the engine has limitations, it allows attackers to access environment variables. Version 3.1.16 contains a patch for the issue.https://nvd.nist.gov/vuln/detail/CVE-2024-55660
CVE-2024-55659SiYuan is a personal knowledge management system. Prior to version 3.1.16, the `/api/asset/upload` endpoint in Siyuan is vulnerable to both arbitrary file write to the host and stored cross-site scripting (via the file write). Version 3.1.16 contains a patch for the issue.https://nvd.nist.gov/vuln/detail/CVE-2024-55659
CVE-2024-55658SiYuan is a personal knowledge management system. Prior to version 3.1.16, SiYuan's /api/export/exportResources endpoint is vulnerable to arbitary file read via path traversal. It is possible to manipulate the paths parameter to access and download arbitrary files from the host system by traversing the workspace directory structure. Version 3.1.16 contains a patch for the issue.https://nvd.nist.gov/vuln/detail/CVE-2024-55658
CVE-2024-55657SiYuan is a personal knowledge management system. Prior to version 3.1.16, an arbitrary file read vulnerability exists in Siyuan's `/api/template/render` endpoint. The absence of proper validation on the path parameter allows attackers to access sensitive files on the host system. Version 3.1.16 contains a patch for the issue.https://nvd.nist.gov/vuln/detail/CVE-2024-55657
CVE-2024-54491The issue was resolved by sanitizing logging This issue is fixed in macOS Sequoia 15.2. A malicious application may be able to determine a user's current location.https://nvd.nist.gov/vuln/detail/CVE-2024-54491
CVE-2024-53845ESPTouch is a connection protocol for internet of things devices. In the ESPTouchV2 protocol, while there is an option to use a custom AES key, there is no option to set the IV (Initialization Vector) prior to versions 5.3.2, 5.2.4, 5.1.6, and 5.0.8. The IV is set to zero and remains constant throughout the product's lifetime. In AES/CBC mode, if the IV is not properly initialized, the encrypted output becomes deterministic, leading to potential data leakage. To address the aforementioned issues, the application generates a random IV when activating the AES key starting in versions 5.3.2, 5.2.4, 5.1.6, and 5.0.8. This IV is then transmitted along with the provision data to the provision device. The provision device has also been equipped with a parser for the AES IV. The upgrade is applicable for all applications and users of ESPTouch v2 component from ESP-IDF. As it is implemented in the ESP Wi-Fi stack, there is no workaround for the user to fix the application layer without upgrading the underlying firmware.https://nvd.nist.gov/vuln/detail/CVE-2024-53845
CVE-2024-53274Habitica is an open-source habit-building program. Versions prior to 5.28.5 are vulnerable to reflected cross-site scripting. The `register` function in `home.vue` containsa reflected XSS vulnerability due to an incorrect sanitization function. An attacker can specify a malicious `redirectTo` parameter to trigger the vulnerability. Arbitrary javascript can be executed by the attacker in the context of the victim’s session. Version 5.28.5 contains a patch.https://nvd.nist.gov/vuln/detail/CVE-2024-53274
CVE-2024-53273Habitica is an open-source habit-building program. Versions prior to 5.28.5 are vulnerable to reflected cross-site scripting. The `register` function in `RegisterLoginReset.vue` contains a reflected XSS vulnerability due to an incorrect sanitization function. An attacker can specify a malicious `redirectTo` parameter to trigger the vulnerability, giving the attacker control of the victim’s account when a victim registers or logins with a specially crafted link. Version 5.28.5 contains a patch.https://nvd.nist.gov/vuln/detail/CVE-2024-53273
CVE-2024-53272Habitica is an open-source habit-building program. Versions prior to 5.28.5 are vulnerable to reflected cross-site scripting. The `login` and `social media` function in `RegisterLoginReset.vue` contains two reflected XSS vulnerabilities due to an incorrect sanitization function. An attacker can specify a malicious `redirectTo` parameter to trigger the vulnerability, giving the attacker control of the victim’s account when a victim registers or logins with a specially crafted link. Version 5.28.5 contains a patch.https://nvd.nist.gov/vuln/detail/CVE-2024-53272
CVE-2024-44245The issue was addressed with improved memory handling. This issue is fixed in iPadOS 17.7.3, visionOS 2.2, macOS Sequoia 15.2, iOS 18.2 and iPadOS 18.2, macOS Sonoma 14.7.2. An app may be able to cause unexpected system termination or corrupt kernel memory.https://nvd.nist.gov/vuln/detail/CVE-2024-44245
CVE-2024-44243A configuration issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.2. An app may be able to modify protected parts of the file system.https://nvd.nist.gov/vuln/detail/CVE-2024-44243
CVE-2024-44225A logic issue was addressed with improved checks. This issue is fixed in iPadOS 17.7.3, watchOS 11.2, tvOS 18.2, macOS Sequoia 15.2, iOS 18.2 and iPadOS 18.2, macOS Ventura 13.7.2, macOS Sonoma 14.7.2. An app may be able to gain elevated privileges.https://nvd.nist.gov/vuln/detail/CVE-2024-44225
CVE-2024-44224A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.2, macOS Ventura 13.7.2, macOS Sonoma 14.7.2. A malicious app may be able to gain root privileges.https://nvd.nist.gov/vuln/detail/CVE-2024-44224
CVE-2024-50339GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.17, an unauthenticated user can retrieve all the sessions IDs and use them to steal any valid session. Version 10.0.17 contains a patch for this issue.https://nvd.nist.gov/vuln/detail/CVE-2024-50339
CVE-2024-47835GStreamer is a library for constructing graphs of media-handling components. A null pointer dereference vulnerability has been detected in the parse_lrc function within gstsubparse.c. The parse_lrc function calls strchr() to find the character ']' in the string line. The pointer returned by this call is then passed to g_strdup(). However, if the string line does not contain the character ']', strchr() returns NULL, and a call to g_strdup(start + 1) leads to a null pointer dereference. This vulnerability is fixed in 1.24.10.https://nvd.nist.gov/vuln/detail/CVE-2024-47835
CVE-2024-47834GStreamer is a library for constructing graphs of media-handling components. An Use-After-Free read vulnerability has been discovered affecting the processing of CodecPrivate elements in Matroska streams. In the GST_MATROSKA_ID_CODECPRIVATE case within the gst_matroska_demux_parse_stream function, a data chunk is allocated using gst_ebml_read_binary. Later, the allocated memory is freed in the gst_matroska_track_free function, by the call to g_free (track->codec_priv). Finally, the freed memory is accessed in the caps_serialize function through gst_value_serialize_buffer. The freed memory will be accessed in the gst_value_serialize_buffer function. This results in a UAF read vulnerability, as the function tries to process memory that has already been freed. This vulnerability is fixed in 1.24.10.https://nvd.nist.gov/vuln/detail/CVE-2024-47834
CVE-2024-47778GStreamer is a library for constructing graphs of media-handling components. An OOB-read vulnerability has been discovered in gst_wavparse_adtl_chunk within gstwavparse.c. This vulnerability arises due to insufficient validation of the size parameter, which can exceed the bounds of the data buffer. As a result, an OOB read occurs in the following while loop. This vulnerability can result in reading up to 4GB of process memory or potentially causing a segmentation fault (SEGV) when accessing invalid memory. This vulnerability is fixed in 1.24.10.https://nvd.nist.gov/vuln/detail/CVE-2024-47778
CVE-2024-47777GStreamer is a library for constructing graphs of media-handling components. An OOB-read vulnerability has been identified in the gst_wavparse_smpl_chunk function within gstwavparse.c. This function attempts to read 4 bytes from the data + 12 offset without checking if the size of the data buffer is sufficient. If the buffer is too small, the function reads beyond its bounds. This vulnerability may result in reading 4 bytes out of the boundaries of the data buffer. This vulnerability is fixed in 1.24.10.https://nvd.nist.gov/vuln/detail/CVE-2024-47777
CVE-2024-47776GStreamer is a library for constructing graphs of media-handling components. An OOB-read has been discovered in gst_wavparse_cue_chunk within gstwavparse.c. The vulnerability happens due to a discrepancy between the size of the data buffer and the size value provided to the function. This mismatch causes the comparison if (size < 4 + ncues * 24) to fail in some cases, allowing the subsequent loop to access beyond the bounds of the data buffer. The root cause of this discrepancy stems from a miscalculation when clipping the chunk size based on upstream data size. This vulnerability allows reading beyond the bounds of the data buffer, potentially leading to a crash (denial of service) or the leak of sensitive data. This vulnerability is fixed in 1.24.10.https://nvd.nist.gov/vuln/detail/CVE-2024-47776
CVE-2024-47775GStreamer is a library for constructing graphs of media-handling components. An OOB-read vulnerability has been found in the parse_ds64 function within gstwavparse.c. The parse_ds64 function does not check that the buffer buf contains sufficient data before attempting to read from it, doing multiple GST_READ_UINT32_LE operations without performing boundary checks. This can lead to an OOB-read when buf is smaller than expected. This vulnerability allows reading beyond the bounds of the data buffer, potentially leading to a crash (denial of service) or the leak of sensitive data. This vulnerability is fixed in 1.24.10.https://nvd.nist.gov/vuln/detail/CVE-2024-47775
CVE-2024-47774GStreamer is a library for constructing graphs of media-handling components. An OOB-read vulnerability has been identified in the gst_avi_subtitle_parse_gab2_chunk function within gstavisubtitle.c. The function reads the name_length value directly from the input file without checking it properly. Then, the a condition, does not properly handle cases where name_length is greater than 0xFFFFFFFF - 17, causing an integer overflow. In such scenario, the function attempts to access memory beyond the buffer leading to an OOB-read. This vulnerability is fixed in 1.24.10.https://nvd.nist.gov/vuln/detail/CVE-2024-47774
CVE-2024-47615GStreamer is a library for constructing graphs of media-handling components. An OOB-Write has been detected in the function gst_parse_vorbis_setup_packet within vorbis_parse.c. The integer size is read from the input file without proper validation. As a result, size can exceed the fixed size of the pad->vorbis_mode_sizes array (which size is 256). When this happens, the for loop overwrites the entire pad structure with 0s and 1s, affecting adjacent memory as well. This OOB-write can overwrite up to 380 bytes of memory beyond the boundaries of the pad->vorbis_mode_sizes array. This vulnerability is fixed in 1.24.10.https://nvd.nist.gov/vuln/detail/CVE-2024-47615
CVE-2024-47613GStreamer is a library for constructing graphs of media-handling components. A stack-buffer overflow has been detected in the vorbis_handle_identification_packet function within gstvorbisdec.c. The position array is a stack-allocated buffer of size 64. If vd->vi.channels exceeds 64, the for loop will write beyond the boundaries of the position array. The value written will always be GST_AUDIO_CHANNEL_POSITION_NONE. This vulnerability allows to overwrite the EIP address allocated in the stack. Additionally, this bug can overwrite the GstAudioInfo info structure. This vulnerability is fixed in 1.24.10.https://nvd.nist.gov/vuln/detail/CVE-2024-47613
CVE-2024-47607GStreamer is a library for constructing graphs of media-handling components. stack-buffer overflow has been detected in the gst_opus_dec_parse_header function within `gstopusdec.c'. The pos array is a stack-allocated buffer of size 64. If n_channels exceeds 64, the for loop will write beyond the boundaries of the pos array. The value written will always be GST_AUDIO_CHANNEL_POSITION_NONE. This bug allows to overwrite the EIP address allocated in the stack. This vulnerability is fixed in 1.24.10.https://nvd.nist.gov/vuln/detail/CVE-2024-47607
CVE-2024-47606GStreamer is a library for constructing graphs of media-handling components. An integer underflow has been detected in the function qtdemux_parse_theora_extension within qtdemux.c. The vulnerability occurs due to an underflow of the gint size variable, which causes size to hold a large unintended value when cast to an unsigned integer. This 32-bit negative value is then cast to a 64-bit unsigned integer (0xfffffffffffffffa) in a subsequent call to gst_buffer_new_and_alloc. The function gst_buffer_new_allocate then attempts to allocate memory, eventually calling _sysmem_new_block. The function _sysmem_new_block adds alignment and header size to the (unsigned) size, causing the overflow of the 'slice_size' variable. As a result, only 0x89 bytes are allocated, despite the large input size. When the following memcpy call occurs in gst_buffer_fill, the data from the input file will overwrite the content of the GstMapInfo info structure. Finally, during the call to gst_memory_unmap, the overwritten memory may cause a function pointer hijack, as the mem->allocator->mem_unmap_full function is called with a corrupted pointer. This function pointer overwrite could allow an attacker to alter the execution flow of the program, leading to arbitrary code execution. This vulnerability is fixed in 1.24.10.https://nvd.nist.gov/vuln/detail/CVE-2024-47606
CVE-2024-47603GStreamer is a library for constructing graphs of media-handling components. A null pointer dereference vulnerability has been discovered in the gst_matroska_demux_update_tracks function within matroska-demux.c. The vulnerability occurs when the gst_caps_is_equal function is called with invalid caps values. If this happen, then in the function gst_buffer_get_size the call to GST_BUFFER_MEM_PTR can return a null pointer. Attempting to dereference the size field of this null pointer results in a null pointer dereference. This vulnerability is fixed in 1.24.10.https://nvd.nist.gov/vuln/detail/CVE-2024-47603
CVE-2024-47602GStreamer is a library for constructing graphs of media-handling components. A null pointer dereference vulnerability has been discovered in the gst_matroska_demux_add_wvpk_header function within matroska-demux.c. This function does not properly check the validity of the stream->codec_priv pointer in the following code. If stream->codec_priv is NULL, the call to GST_READ_UINT16_LE will attempt to dereference a null pointer, leading to a crash of the application. This vulnerability is fixed in 1.24.10.https://nvd.nist.gov/vuln/detail/CVE-2024-47602
CVE-2024-47601GStreamer is a library for constructing graphs of media-handling components. A null pointer dereference vulnerability has been discovered in the gst_matroska_demux_parse_blockgroup_or_simpleblock function within matroska-demux.c. This function does not properly check the validity of the GstBuffer *sub pointer before performing dereferences. As a result, null pointer dereferences may occur. This vulnerability is fixed in 1.24.10.https://nvd.nist.gov/vuln/detail/CVE-2024-47601
CVE-2024-47600GStreamer is a library for constructing graphs of media-handling components. An OOB-read vulnerability has been detected in the format_channel_mask function in gst-discoverer.c. The vulnerability affects the local array position, which is defined with a fixed size of 64 elements. However, the function gst_discoverer_audio_info_get_channels may return a guint channels value greater than 64. This causes the for loop to attempt access beyond the bounds of the position array, resulting in an OOB-read when an index greater than 63 is used. This vulnerability can result in reading unintended bytes from the stack. Additionally, the dereference of value->value_nick after the OOB-read can lead to further memory corruption or undefined behavior. This vulnerability is fixed in 1.24.10.https://nvd.nist.gov/vuln/detail/CVE-2024-47600
CVE-2024-47599GStreamer is a library for constructing graphs of media-handling components. A null pointer dereference vulnerability has been discovered in the gst_jpeg_dec_negotiate function in gstjpegdec.c. This function does not check for a NULL return value from gst_video_decoder_set_output_state. When this happens, dereferences of the outstate pointer will lead to a null pointer dereference. This vulnerability can result in a Denial of Service (DoS) by triggering a segmentation fault (SEGV). This vulnerability is fixed in 1.24.10.https://nvd.nist.gov/vuln/detail/CVE-2024-47599
CVE-2024-47598GStreamer is a library for constructing graphs of media-handling components. An OOB-read vulnerability has been discovered in the qtdemux_merge_sample_table function within qtdemux.c. The problem is that the size of the stts buffer isn’t properly checked before reading stts_duration, allowing the program to read 4 bytes beyond the boundaries of stts->data. This vulnerability reads up to 4 bytes past the allocated bounds of the stts array. This vulnerability is fixed in 1.24.10.https://nvd.nist.gov/vuln/detail/CVE-2024-47598
CVE-2024-47597GStreamer is a library for constructing graphs of media-handling components. An OOB-read has been detected in the function qtdemux_parse_samples within qtdemux.c. This issue arises when the function qtdemux_parse_samples reads data beyond the boundaries of the stream->stco buffer. The following code snippet shows the call to qt_atom_parser_get_offset_unchecked, which leads to the OOB-read when parsing the provided GHSL-2024-245_crash1.mp4 file. This issue may lead to read up to 8 bytes out-of-bounds. This vulnerability is fixed in 1.24.10.https://nvd.nist.gov/vuln/detail/CVE-2024-47597
CVE-2024-47596GStreamer is a library for constructing graphs of media-handling components. An OOB-read has been discovered in the qtdemux_parse_svq3_stsd_data function within qtdemux.c. In the FOURCC_SMI_ case, seqh_size is read from the input file without proper validation. If seqh_size is greater than the remaining size of the data buffer, it can lead to an OOB-read in the following call to gst_buffer_fill, which internally uses memcpy. This vulnerability can result in reading up to 4GB of process memory or potentially causing a segmentation fault (SEGV) when accessing invalid memory. This vulnerability is fixed in 1.24.10.https://nvd.nist.gov/vuln/detail/CVE-2024-47596
CVE-2024-47546GStreamer is a library for constructing graphs of media-handling components. An integer underflow has been detected in extract_cc_from_data function within qtdemux.c. In the FOURCC_c708 case, the subtraction atom_length - 8 may result in an underflow if atom_length is less than 8. When that subtraction underflows, *cclen ends up being a large number, and then cclen is passed to g_memdup2 leading to an out-of-bounds (OOB) read. This vulnerability is fixed in 1.24.10.https://nvd.nist.gov/vuln/detail/CVE-2024-47546
CVE-2024-47545GStreamer is a library for constructing graphs of media-handling components. An integer underflow has been detected in qtdemux_parse_trak function within qtdemux.c. During the strf parsing case, the subtraction size -= 40 can lead to a negative integer overflow if it is less than 40. If this happens, the subsequent call to gst_buffer_fill will invoke memcpy with a large tocopy size, resulting in an OOB-read. This vulnerability is fixed in 1.24.10.https://nvd.nist.gov/vuln/detail/CVE-2024-47545
CVE-2024-47544GStreamer is a library for constructing graphs of media-handling components. The function qtdemux_parse_sbgp in qtdemux.c is affected by a null dereference vulnerability. This vulnerability is fixed in 1.24.10.https://nvd.nist.gov/vuln/detail/CVE-2024-47544
CVE-2024-47543GStreamer is a library for constructing graphs of media-handling components. An OOB-read vulnerability has been discovered in qtdemux_parse_container function within qtdemux.c. In the parent function qtdemux_parse_node, the value of length is not well checked. So, if length is big enough, it causes the pointer end to point beyond the boundaries of buffer. Subsequently, in the qtdemux_parse_container function, the while loop can trigger an OOB-read, accessing memory beyond the bounds of buf. This vulnerability can result in reading up to 4GB of process memory or potentially causing a segmentation fault (SEGV) when accessing invalid memory. This vulnerability is fixed in 1.24.10.https://nvd.nist.gov/vuln/detail/CVE-2024-47543
CVE-2024-47540GStreamer is a library for constructing graphs of media-handling components. An uninitialized stack variable vulnerability has been identified in the gst_matroska_demux_add_wvpk_header function within matroska-demux.c. When size < 4, the program calls gst_buffer_unmap with an uninitialized map variable. Then, in the gst_memory_unmap function, the program will attempt to unmap the buffer using the uninitialized map variable, causing a function pointer hijack, as it will jump to mem->allocator->mem_unmap_full or mem->allocator->mem_unmap. This vulnerability could allow an attacker to hijack the execution flow, potentially leading to code execution. This vulnerability is fixed in 1.24.10.https://nvd.nist.gov/vuln/detail/CVE-2024-47540
CVE-2024-47539GStreamer is a library for constructing graphs of media-handling components. An out-of-bounds write vulnerability was identified in the convert_to_s334_1a function in isomp4/qtdemux.c. The vulnerability arises due to a discrepancy between the size of memory allocated to the storage array and the loop condition i * 2 < ccpair_size. Specifically, when ccpair_size is even, the allocated size in storage does not match the loop's expected bounds, resulting in an out-of-bounds write. This bug allows for the overwriting of up to 3 bytes beyond the allocated bounds of the storage array. This vulnerability is fixed in 1.24.10.https://nvd.nist.gov/vuln/detail/CVE-2024-47539
CVE-2024-47538GStreamer is a library for constructing graphs of media-handling components. A stack-buffer overflow has been detected in the vorbis_handle_identification_packet function within gstvorbisdec.c. The position array is a stack-allocated buffer of size 64. If vd->vi.channels exceeds 64, the for loop will write beyond the boundaries of the position array The value written will always be GST_AUDIO_CHANNEL_POSITION_NONE. This vulnerability allows to overwrite the EIP address allocated in the stack. Additionally, this bug can overwrite the GstAudioInfo info structure. This vulnerability is fixed in 1.24.10.https://nvd.nist.gov/vuln/detail/CVE-2024-47538
CVE-2024-47537GStreamer is a library for constructing graphs of media-handling components. The program attempts to reallocate the memory pointed to by stream->samples to accommodate stream->n_samples + samples_count elements of type QtDemuxSample. The problem is that samples_count is read from the input file. And if this value is big enough, this can lead to an integer overflow during the addition. As a consequence, g_try_renew might allocate memory for a significantly smaller number of elements than intended. Following this, the program iterates through samples_count elements and attempts to write samples_count number of elements, potentially exceeding the actual allocated memory size and causing an OOB-write. This vulnerability is fixed in 1.24.10.https://nvd.nist.gov/vuln/detail/CVE-2024-47537
CVE-2024-42448From the VSPC management agent machine, under condition that the management agent is authorized on the server, it is possible to perform Remote Code Execution (RCE) on the VSPC server machine.https://nvd.nist.gov/vuln/detail/CVE-2024-42448
CVE-2024-37401An out-of-bounds read in IPsec of Ivanti Connect Secure before version 22.7R2.1 allows a remote unauthenticated attacker to cause a denial of service.https://nvd.nist.gov/vuln/detail/CVE-2024-37401
CVE-2024-37377A heap-based buffer overflow in IPsec of Ivanti Connect Secure before version 22.7R2.3 allows a remote unauthenticated attacker to cause a denial of service.https://nvd.nist.gov/vuln/detail/CVE-2024-37377
CVE-2024-11950XnSoft XnView Classic RWZ File Parsing Integer Underflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of XnSoft XnView Classic. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.


The specific flaw exists within the parsing of RWZ files. The issue results from the lack of proper validation of user-supplied data, which can result in an integer underflow before writing to memory. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-22913.
https://nvd.nist.gov/vuln/detail/CVE-2024-11950
CVE-2024-11872Epic Games Launcher Incorrect Default Permissions Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Epic Games Launcher. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.

The specific flaw exists within the product installer. The product applies incorrect default permissions to a sensitive folder. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-24329.
https://nvd.nist.gov/vuln/detail/CVE-2024-11872
CVE-2024-48912GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.17, an authenticated user can use an application endpoint to delete any user account. Version 10.0.17 contains a patch for this issue.https://nvd.nist.gov/vuln/detail/CVE-2024-48912
CVE-2024-47761GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to version 10.0.17, an administrator with access to the sent notifications contents can take control of an account with higher privileges. Version 10.0.17 contains a patch for this issue.https://nvd.nist.gov/vuln/detail/CVE-2024-47761
CVE-2024-47760GLPI is a free asset and IT management software package. Starting in version 9.1.0 and prior to version 10.0.17, a technician with an access to the API can take control of an account with higher privileges. Version 10.0.17 contains a patch for this issue.https://nvd.nist.gov/vuln/detail/CVE-2024-47760
CVE-2024-53677File upload logic is flawed vulnerability in Apache Struts.

This issue affects Apache Struts: from 2.0.0 before 6.4.0.

Users are recommended to upgrade to version 6.4.0 migrate to the new file upload mechanism https://struts.apache.org/core-developers/file-upload .

You can find more details in  https://cwiki.apache.org/confluence/display/WW/S2-067
https://nvd.nist.gov/vuln/detail/CVE-2024-53677
CVE-2024-47758GLPI is a free asset and IT management software package. Starting in version 9.3.0 and prior to version 10.0.17, an authenticated user can use the API to take control of any user that have the same or a lower level of privileges. Version 10.0.17 contains a patch for this issue.https://nvd.nist.gov/vuln/detail/CVE-2024-47758
CVE-2024-11401Rapid7 Insight Platform versions prior to November 13th 2024, suffer from a privilege escalation vulnerability whereby, due to a lack of authorization checks, an attacker can successfully update the password policy in the platform settings as a standard user by crafting an API (the functionality was not possible through the platform's User Interface). This vulnerability has been fixed as of November 13th 2024.https://nvd.nist.gov/vuln/detail/CVE-2024-11401