Total
306778 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-51684 | 2024-11-15 | N/A | 7.1 HIGH | ||
| Cross-Site Request Forgery (CSRF) vulnerability in Ciprian Popescu W3P SEO allows Stored XSS.This issue affects W3P SEO: from n/a before 1.8.6. | |||||
| CVE-2024-52554 | 2024-11-15 | N/A | 8.8 HIGH | ||
| Jenkins Shared Library Version Override Plugin 17.v786074c9fce7 and earlier declares folder-scoped library overrides as trusted, so that they're not executed in the Script Security sandbox, allowing attackers with Item/Configure permission on a folder to configure a folder-scoped library override that runs without sandbox protection. | |||||
| CVE-2024-37285 | 2024-11-15 | N/A | 9.1 CRITICAL | ||
| A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload. A successful attack requires a malicious user to have a combination of both specific Elasticsearch indices privileges https://www.elastic.co/guide/en/elasticsearch/reference/current/defining-roles.html#roles-indices-priv and Kibana privileges https://www.elastic.co/guide/en/fleet/current/fleet-roles-and-privileges.html assigned to them. The following Elasticsearch indices permissions are required * write privilege on the system indices .kibana_ingest* * The allow_restricted_indices flag is set to true Any of the following Kibana privileges are additionally required * Under Fleet the All privilege is granted * Under Integration the Read or All privilege is granted * Access to the fleet-setup privilege is gained through the Fleet Server’s service account token | |||||
| CVE-2024-52302 | 2024-11-15 | N/A | N/A | ||
| common-user-management is a robust Spring Boot application featuring user management services designed to control user access dynamically. There is a critical security vulnerability in the application endpoint /api/v1/customer/profile-picture. This endpoint allows file uploads without proper validation or restrictions, enabling attackers to upload malicious files that can lead to Remote Code Execution (RCE). | |||||
| CVE-2024-47916 | 2024-11-15 | N/A | 7.5 HIGH | ||
| Boa web server - CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | |||||
| CVE-2024-10962 | 2024-11-15 | N/A | 8.8 HIGH | ||
| The Migration, Backup, Staging – WPvivid plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 0.9.107 via deserialization of untrusted input in the 'replace_row_data' and 'replace_serialize_data' functions. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. An administrator must create a staging site to trigger the exploit. | |||||
| CVE-2024-47914 | 2024-11-15 | N/A | 4.5 MEDIUM | ||
| VaeMendis - CWE-352: Cross-Site Request Forgery (CSRF) | |||||
| CVE-2024-45253 | 2024-11-15 | N/A | 7.5 HIGH | ||
| Avigilon – CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | |||||
| CVE-2023-4348 | 2024-11-15 | N/A | N/A | ||
| Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | |||||
| CVE-2024-9463 | 1 Paloaltonetworks | 1 Expedition | 2024-11-15 | N/A | 7.5 HIGH |
| An OS command injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls. | |||||
| CVE-2024-51377 | 1 Ladybirdweb | 1 Faveo Helpdesk | 2024-11-14 | N/A | 5.4 MEDIUM |
| An issue in Ladybird Web Solution Faveo Helpdesk & Servicedesk (On-Premise and Cloud) 9.2.0 allows a remote attacker to execute arbitrary code via the Subject and Identifier fields | |||||
| CVE-2024-49381 | 1 Plenti | 1 Plenti | 2024-11-14 | N/A | 7.5 HIGH |
| Plenti, a static site generator, has an arbitrary file deletion vulnerability in versions prior to 0.7.2. The `/postLocal` endpoint is vulnerable to an arbitrary file write deletion when a plenti user serves their website. This issue may lead to information loss. Version 0.7.2 fixes the vulnerability. | |||||
| CVE-2024-49376 | 1 Autolabproject | 1 Autolab | 2024-11-14 | N/A | 8.8 HIGH |
| Autolab, a course management service that enables auto-graded programming assignments, has misconfigured reset password permissions in version 3.0.0. For email-based accounts, users with insufficient privileges could reset and theoretically access privileged users' accounts by resetting their passwords. This issue is fixed in version 3.0.1. No known workarounds exist. | |||||
| CVE-2024-11016 | 1 Vice | 1 Webopac | 2024-11-14 | N/A | 9.8 CRITICAL |
| Webopac from Grand Vice info has a SQL Injection vulnerability, allowing unauthenticated remote attacks to inject arbitrary SQL commands to read, modify, and delete database contents. | |||||
| CVE-2024-10381 | 1 Matrixcomsec | 2 Cosec Vega Faxq, Cosec Vega Faxq Firmware | 2024-11-14 | N/A | 9.8 CRITICAL |
| This vulnerability exists in Matrix Door Controller Cosec Vega FAXQ due to improper implementation of session management at the web-based management interface. A remote attacker could exploit this vulnerability by sending a specially crafted http request on the vulnerable device. Successful exploitation of this vulnerability could allow remote attacker to gain unauthorized access and take complete control of the targeted device. | |||||
| CVE-2024-43093 | 1 Google | 1 Android | 2024-11-14 | N/A | 7.8 HIGH |
| In shouldHideDocument of ExternalStorageProvider.java, there is a possible bypass of a file path filter designed to prevent access to sensitive directories due to incorrect unicode normalization. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. | |||||
| CVE-2024-41738 | 1 Ibm | 1 Txseries For Multiplatforms | 2024-11-14 | N/A | 5.9 MEDIUM |
| IBM TXSeries for Multiplatforms 10.1 could allow an attacker to obtain sensitive information from the query string of an HTTP GET method to process a request which could be obtained using man in the middle techniques. | |||||
| CVE-2024-25431 | 1 Bytecodealliance | 1 Webassembly Micro Runtime | 2024-11-14 | N/A | 7.8 HIGH |
| An issue in bytecodealliance wasm-micro-runtime before v.b3f728c and fixed in commit 06df58f allows a remote attacker to escalate privileges via a crafted file to the check_was_abi_compatibility function. | |||||
| CVE-2024-41741 | 1 Ibm | 1 Txseries For Multiplatforms | 2024-11-14 | N/A | 5.3 MEDIUM |
| IBM TXSeries for Multiplatforms 10.1 could allow an attacker to determine valid usernames due to an observable timing discrepancy which could be used in further attacks against the system. | |||||
| CVE-2024-50634 | 1 Sbond | 1 Watcharr | 2024-11-14 | N/A | 8.8 HIGH |
| A vulnerability in a weak JWT token in Watcharr v1.43.0 and below allows attackers to perform privilege escalation using a crafted JWT token. This vulnerability is not limited to privilege escalation but also affects all functions that require authentication. | |||||