Total
4971 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-41997 | 2024-10-16 | N/A | 6.6 MEDIUM | ||
| An issue was discovered in version of Warp Terminal prior to 2024.07.18 (v0.2024.07.16.08.02). A command injection vulnerability exists in the Docker integration functionality. An attacker can create a specially crafted hyperlink using the `warp://action/docker/open_subshell` intent that when clicked by the victim results in command execution on the victim's machine. | |||||
| CVE-2024-49254 | 2024-10-16 | N/A | 10.0 CRITICAL | ||
| Improper Control of Generation of Code ('Code Injection') vulnerability in Sunjianle allows Code Injection.This issue affects ajax-extend: from n/a through 1.0. | |||||
| CVE-2024-9581 | 1 Happyplugins | 1 Shortcodes Anywhere | 2024-10-15 | N/A | 7.3 HIGH |
| The Shortcodes AnyWhere plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.0.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. | |||||
| CVE-2024-9837 | 2024-10-15 | N/A | 7.3 HIGH | ||
| The The AADMY – Add Auto Date Month Year Into Posts plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.0.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. | |||||
| CVE-2024-8760 | 2024-10-15 | N/A | 5.3 MEDIUM | ||
| The Stackable – Page Builder Gutenberg Blocks plugin for WordPress is vulnerable to CSS Injection in all versions up to, and including, 3.13.6. This makes it possible for unauthenticated attackers to embed untrusted style information into comments resulting in a possibility of data exfiltration such as admin nonces with limited impact. These nonces could be used to perform CSRF attacks within a limited time window. The presence of other plugins may make additional nonces available, which may pose a risk in plugins that don't perform capability checks to protect AJAX actions or other actions reachable by lower-privileged users. | |||||
| CVE-2024-44414 | 2024-10-15 | N/A | 8.8 HIGH | ||
| A vulnerability was discovered in FBM_292W-21.03.10V, which has been classified as critical. This issue affects the sub_4901E0 function in the msp_info.htm file. Manipulation of the path parameter can lead to command injection. | |||||
| CVE-2024-45873 | 2024-10-10 | N/A | 9.8 CRITICAL | ||
| A DLL hijacking vulnerability in VegaBird Yaazhini 2.0.2 allows attackers to execute arbitrary code / maintain persistence via placing a crafted DLL file in the same directory as Yaazhini.exe. | |||||
| CVE-2024-45874 | 2024-10-10 | N/A | 9.8 CRITICAL | ||
| A DLL hijacking vulnerability in VegaBird Vooki 5.2.9 allows attackers to execute arbitrary code / maintain persistence via placing a crafted DLL file in the same directory as Vooki.exe. | |||||
| CVE-2024-41651 | 1 Prestashop | 1 Prestashop | 2024-10-09 | N/A | 8.1 HIGH |
| An issue in Prestashop v.8.1.7 and before allows a remote attacker to execute arbitrary code via the module upgrade functionality. NOTE: this is disputed by multiple parties, who report that exploitation requires that an attacker be able to hijack network requests made by an admin user (who, by design, is allowed to change the code that is running on the server). | |||||
| CVE-2024-45933 | 2024-10-08 | N/A | 6.6 MEDIUM | ||
| OnlineNewsSite v1.0 is vulnerable to Cross Site Scripting (XSS) which allows attackers to execute arbitrary code via the Title and summary fields in the /admin/post/edit/ endpoint. | |||||
| CVE-2024-8254 | 1 Icegram | 1 Email Subscribers \& Newsletters | 2024-10-08 | N/A | 6.3 MEDIUM |
| The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.7.34. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes. | |||||
| CVE-2024-44744 | 2024-10-04 | N/A | 5.7 MEDIUM | ||
| An issue in Malwarebytes Premium Security v5.0.0.883 allows attackers to execute arbitrary code via placing crafted binaries into unspecified directories. NOTE: Malwarebytes argues that this issue requires admin privileges and that the contents cannot be altered by non-admin users. | |||||
| CVE-2024-45186 | 2024-10-04 | N/A | 9.8 CRITICAL | ||
| FileSender before 2.49 allows server-side template injection (SSTI) for retrieving credentials. | |||||
| CVE-2024-46489 | 1 Ferrislucas | 1 Promptr | 2024-10-02 | N/A | 8.8 HIGH |
| A remote command execution (RCE) vulnerability in promptr v6.0.7 allows attackers to execute arbitrary commands via a crafted URL. | |||||
| CVE-2024-6596 | 1 Endress | 10 Echo Curve Viewer, Field Xpert Smt50, Field Xpert Smt50 Firmware and 7 more | 2024-10-01 | N/A | 9.8 CRITICAL |
| An unauthenticated remote attacker can run malicious c# code included in curve files and execute commands in the users context. | |||||
| CVE-2024-45200 | 2024-09-30 | N/A | 6.3 MEDIUM | ||
| In Nintendo Mario Kart 8 Deluxe before 3.0.3, the LAN/LDN local multiplayer implementation allows a remote attacker to exploit a stack-based buffer overflow upon deserialization of session information via a malformed browse-reply packet, aka KartLANPwn. The victim is not required to join a game session with an attacker. The victim must open the "Wireless Play" (or "LAN Play") menu from the game's title screen, and an attacker nearby (LDN) or on the same LAN network as the victim can send a crafted reply packet to the victim's console. This enables a remote attacker to obtain complete denial-of-service on the game's process, or potentially, remote code execution on the victim's console. The issue is caused by incorrect use of the Nintendo Pia library, | |||||
| CVE-2024-8258 | 2 Apple, Logitech | 2 Macos, Logi Options\+ | 2024-09-27 | N/A | 7.8 HIGH |
| Improper Control of Generation of Code ('Code Injection') in Electron Fuses in Logitech Options Plus version 1.60.496306 on macOS allows attackers to execute arbitrary code via insecure Electron Fuses configuration. | |||||
| CVE-2024-8271 | 1 Pluginus | 1 Fox - Currency Switcher Professional For Woocommerce | 2024-09-27 | N/A | 7.3 HIGH |
| The The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.4.2.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode in the 'woocs_get_custom_price_html' function. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. | |||||
| CVE-2024-8479 | 1 Webliberty | 1 Simple Spoiler | 2024-09-27 | N/A | 7.3 HIGH |
| The The Simple Spoiler plugin for WordPress is vulnerable to arbitrary shortcode execution in versions 1.2 to 1.3. This is due to the plugin adding the filter add_filter('comment_text', 'do_shortcode'); which will run all shortcodes in comments. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. | |||||
| CVE-2024-37779 | 2024-09-27 | N/A | 8.8 HIGH | ||
| WoodWing Elvis DAM v6.98.1 was discovered to contain an authenticated remote command execution (RCE) vulnerability via the Apache Ant script functionality. | |||||