Total
305841 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-20370 | 2024-10-25 | N/A | 6.0 MEDIUM | ||
| A vulnerability in the Cisco FXOS CLI feature on specific hardware platforms for Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to elevate their administrative privileges to root. The attacker would need valid administrative credentials on the device to exploit this vulnerability. This vulnerability exists because certain system configurations and executable files have insecure storage and permissions. An attacker could exploit this vulnerability by authenticating on the device and then performing a series of steps that includes downloading malicious system files and accessing the Cisco FXOS CLI to configure the attack. A successful exploit could allow the attacker to obtain root access on the device. | |||||
| CVE-2024-20260 | 2024-10-25 | N/A | 8.6 HIGH | ||
| A vulnerability in the VPN and management web servers of the Cisco Adaptive Security Virtual Appliance (ASAv) and Cisco Secure Firewall Threat Defense Virtual (FTDv), formerly Cisco Firepower Threat Defense Virtual, platforms could allow an unauthenticated, remote attacker to cause the virtual devices to run out of system memory, which could cause SSL VPN connection processing to slow down and eventually cease all together. This vulnerability is due to a lack of proper memory management for new incoming SSL/TLS connections on the virtual platforms. An attacker could exploit this vulnerability by sending a large number of new incoming SSL/TLS connections to the targeted virtual platform. A successful exploit could allow the attacker to deplete system memory, resulting in a denial of service (DoS) condition. The memory could be reclaimed slowly if the attack traffic is stopped, but a manual reload may be required to restore operations quickly. | |||||
| CVE-2024-49684 | 2024-10-25 | N/A | 7.2 HIGH | ||
| Deserialization of Untrusted Data vulnerability in Revmakx Backup and Staging by WP Time Capsule allows Object Injection.This issue affects Backup and Staging by WP Time Capsule: from n/a through 1.22.21. | |||||
| CVE-2024-48542 | 2024-10-25 | N/A | 8.4 HIGH | ||
| Incorrect access control in the firmware update and download processes of Yamaha Headphones Controller v1.6.7 allows attackers to access sensitive information by analyzing the code and data within the APK file. | |||||
| CVE-2024-49762 | 2024-10-25 | N/A | 4.6 MEDIUM | ||
| Pterodactyl is a free, open-source game server management panel. When a user disables two-factor authentication via the Panel, a `DELETE` request with their current password in a query parameter will be sent. While query parameters are encrypted when using TLS, many webservers (including ones officially documented for use with Pterodactyl) will log query parameters in plain-text, storing a user's password in plain text. Prior to version 1.11.8, if a malicious user obtains access to these logs they could potentially authenticate against a user's account; assuming they are able to discover the account's email address or username separately. This problem has been patched in version 1.11.8. There are no workarounds at this time. There is not a direct vulnerability within the software as it relates to logs generated by intermediate components such as web servers or Layer 7 proxies. Updating to `v1.11.8` or adding the linked patch manually are the only ways to avoid this problem. As this vulnerability relates to historical logging of sensitive data, users who have ever disabled 2FA on a Panel (self-hosted or operated by a company) should change their passwords and consider enabling 2FA if it was left disabled. While it's unlikely that their account swill be compromised by this vulnerability, it's not impossible. Panel administrators should consider clearing any access logs that may contain sensitive data. | |||||
| CVE-2024-9949 | 2024-10-25 | N/A | N/A | ||
| Denial of Service in Forescout SecureConnector 11.1.02.1019 on Windows allows Unprivileged user to corrupt the configuration file and cause Denial of Service in the application. | |||||
| CVE-2024-10332 | 2024-10-25 | N/A | 6.1 MEDIUM | ||
| A Cross-Site Scripting vulnerability has been found in Janto v4.3r11 from Impronta. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL using the endpoint “/abonados/public/janto/main.php”. | |||||
| CVE-2024-10313 | 2024-10-25 | N/A | 8.0 HIGH | ||
| iniNet Solutions SpiderControl SCADA PC HMI Editor has a path traversal vulnerability. When the software loads a malicious ‘ems' project template file constructed by an attacker, it can write files to arbitrary directories. This can lead to overwriting system files, causing system paralysis, or writing to startup items, resulting in remote control. | |||||
| CVE-2024-9214 | 2024-10-25 | N/A | 6.1 MEDIUM | ||
| The Extra Product Options Builder for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'RednaoSerializedFields' parameter during the creation of a signature file in all versions up to, and including, 1.2.133 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-8717 | 2024-10-25 | N/A | 6.1 MEDIUM | ||
| The PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer – DearFlip plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'pdf_source' parameter in all versions up to, and including, 2.3.32 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2024-10343 | 2024-10-25 | N/A | 6.4 MEDIUM | ||
| The Beek Widget Extention plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 0.9.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-48547 | 2024-10-25 | N/A | 8.4 HIGH | ||
| Incorrect access control in the firmware update and download processes of DreamCatcher Life v1.8.7 allows attackers to access sensitive information by analyzing the code and data within the APK file. | |||||
| CVE-2024-48539 | 2024-10-25 | N/A | 9.8 CRITICAL | ||
| Neye3C v4.5.2.0 was discovered to contain a hardcoded encryption key in the firmware update mechanism. | |||||
| CVE-2024-49683 | 2024-10-25 | N/A | 5.3 MEDIUM | ||
| Missing Authorization vulnerability in Schema & Structured Data for WP & AMP allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Schema & Structured Data for WP & AMP: from n/a through 1.3.5. | |||||
| CVE-2024-48538 | 2024-10-25 | N/A | 9.8 CRITICAL | ||
| Incorrect access control in the firmware update and download processes of Neye3C v4.5.2.0 allows attackers to access sensitive information by analyzing the code and data within the APK file. | |||||
| CVE-2024-49691 | 2024-10-25 | N/A | 7.6 HIGH | ||
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Woobewoo Product Filter by WBW allows SQL Injection.This issue affects Product Filter by WBW: from n/a through 2.7.0. | |||||
| CVE-2024-49681 | 2024-10-25 | N/A | 9.3 CRITICAL | ||
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in SWIT WP Sessions Time Monitoring Full Automatic allows SQL Injection.This issue affects WP Sessions Time Monitoring Full Automatic: from n/a through 1.0.9. | |||||
| CVE-2024-10327 | 2024-10-25 | N/A | 8.1 HIGH | ||
| A vulnerability in Okta Verify for iOS versions 9.25.1 (beta) and 9.27.0 (including beta) allows push notification responses through the iOS ContextExtension feature allowing the authentication to proceed regardless of the user’s selection. When a user long-presses the notification banner and selects an option, both options allow the authentication to succeed. The ContextExtension feature is one of several push mechanisms available when using Okta Verify Push on iOS devices. The vulnerable flows include: * When a user is presented with a notification on a locked screen, the user presses on the notification directly and selects their reply without unlocking the device; * When a user is presented with a notification on the home screen and drags the notification down and selects their reply; * When an Apple Watch is used to reply directly to a notification. A pre-condition for this vulnerability is that the user must have enrolled in Okta Verify while the Okta customer was using Okta Classic. This applies irrespective of whether the organization has since upgraded to Okta Identity Engine. | |||||
| CVE-2024-10016 | 2024-10-25 | N/A | 6.4 MEDIUM | ||
| The File Upload Types by WPForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.4.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | |||||
| CVE-2024-48546 | 2024-10-25 | N/A | 8.4 HIGH | ||
| Incorrect access control in the firmware update and download processes of Wear Sync v1.2.0 allows attackers to access sensitive information by analyzing the code and data within the APK file. | |||||