CVE List - 2024 / October
Showing 3401 - 3500 of 3570 CVEs for October 2024 (Page 35 of 36)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2024-10488 | 2024-10-29 | Use after free in WebRTC in Google Chrome prior to 130.0.6723.92 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) |
| CVE-2024-50348 | 2024-10-29 | InstantCMS has a Cross Site Scripting Vulnerability |
| CVE-2023-52066 | 2024-10-30 | http.zig commit 76cf5 was discovered to contain a CRLF injection vulnerability via the url parameter. |
| CVE-2024-31972 | 2024-10-30 | EnGenius ESR580 A8J-EMR5000 devices allow a remote attacker to conduct stored XSS attacks that could lead to arbitrary JavaScript code execution (under the context of the user's session) via the... |
| CVE-2024-31973 | 2024-10-30 | Hitron CODA-4582 2AHKM-CODA4589 7.2.4.5.1b8 devices allow a remote attacker within Wi-Fi proximity to conduct stored XSS attacks via the 'Network Name (SSID)' input fields to the /index.html#wireless_basic page. |
| CVE-2024-31975 | 2024-10-30 | EnGenius EWS356-Fit devices through 1.1.30 allow a remote attacker to conduct stored XSS attacks via the Wi-Fi SSID parameters. JavaScript embedded into a vulnerable field is executed when the user... |
| CVE-2024-36060 | 2024-10-30 | EnGenius EnStation5-AC A8J-ENS500AC 1.0.0 devices allow blind OS command injection via shell metacharacters in the Ping and Speed Test parameters. |
| CVE-2024-37573 | 2024-10-30 | The Talkatone com.talkatone.android application 8.4.6 for Android enables any installed application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.talkatone.vedroid.ui.launcher.OutgoingCallInterceptor component. |
| CVE-2024-42041 | 2024-10-30 | The com.videodownload.browser.videodownloader (aka AppTool-Browser-Video All Video Downloader) application 20-30.05.24 for Android allows an attacker to execute arbitrary JavaScript code via the acr.browser.lightning.DefaultBrowserActivity component. |
| CVE-2024-43382 | 2024-10-30 | Snowflake JDBC driver versions >= 3.2.6 and <= 3.19.1 have an Incorrect Security Setting that can result in data being uploaded to an encrypted stage without the additional layer of... |
| CVE-2024-46531 | 2024-10-30 | phpgurukul Vehicle Record Management System v1.0 was discovered to contain a SQL injection vulnerability via the searchinputdata parameter at /index.php. |
| CVE-2024-48093 | 2024-10-30 | Unrestricted File Upload in the Discussions tab in Operately v.0.1.0 allows a privileged user to achieve Remote Code Execution via uploading and executing malicious files without validating file extensions or... |
| CVE-2024-48112 | 2024-10-30 | A deserialization vulnerability in the component \controller\Index.php of Thinkphp v6.1.3 to v8.0.4 allows attackers to execute arbitrary code. |
| CVE-2024-48202 | 2024-10-30 | icecms <=3.4.7 has a File Upload vulnerability in FileUtils.java, uploadFile. |
| CVE-2024-48214 | 2024-10-30 | KERUI HD 3MP 1080P Tuya Camera 1.0.4 has a command injection vulnerability in the module that connects to the local network via a QR code. This vulnerability allows an attacker... |
| CVE-2024-48241 | 2024-10-30 | An issue in radare2 v5.8.0 through v5.9.4 allows a local attacker to cause a denial of service via the __bf_div function. |
| CVE-2024-48271 | 2024-10-30 | D-Link DSL6740C v6.TR069.20211230 was discovered to use insecure default credentials for Administrator access, possibly allowing attackers to bypass authentication and escalate privileges on the device via a bruteforce attack. |
| CVE-2024-48272 | 2024-10-30 | D-Link DSL6740C v6.TR069.20211230 was discovered to use an insecure default Wifi password, possibly allowing attackers to connect to the device via a bruteforce attack. |
| CVE-2024-48346 | 2024-10-30 | xtreme1 <= v0.9.1 contains a Server-Side Request Forgery (SSRF) vulnerability in the /api/data/upload path. The vulnerability is triggered through the fileUrl parameter, which allows an attacker to make arbitrary requests... |
| CVE-2024-48646 | 2024-10-30 | An Unrestricted File Upload vulnerability exists in Sage 1000 v7.0.0, which allows authorized users to upload files without proper validation. An attacker could exploit this vulnerability by uploading malicious files,... |
| CVE-2024-48647 | 2024-10-30 | A file disclosure vulnerability exists in Sage 1000 v7.0.0. This vulnerability allows remote attackers to retrieve arbitrary files from the server's file system by manipulating the URL parameter in HTTP... |
| CVE-2024-48648 | 2024-10-30 | A Reflected Cross-Site Scripting (XSS) vulnerability exists in Sage 1000 v7.0.0. This vulnerability allows attackers to inject malicious scripts into URLs, which are reflected back by the server... |
| CVE-2024-48733 | 2024-10-30 | SQL injection vulnerability in /SASStudio/sasexec/sessions/{sessionID}/sql in SAS Studio 9.4 allows a remote attacker to execute arbitrary SQL commands via the POST request body. NOTE: this is disputed by the vendor because... |
| CVE-2024-48734 | 2024-10-30 | Unrestricted file upload in /SASStudio/SASStudio/sasexec/{sessionID}/{InternalPath} in SAS Studio 9.4 allows a remote attacker to upload malicious files. NOTE: this is disputed by the vendor because file upload is allowed for authorized... |
| CVE-2024-48735 | 2024-10-30 | Directory Traversal in /SASStudio/sasexec/sessions/{sessionID}/workspace/{InternalPath} in SAS Studio 9.4 allows a remote attacker to access internal files by manipulating the default path during file download. NOTE: this is disputed by the vendor because... |
| CVE-2024-48807 | 2024-10-30 | Cross Site Scripting vulnerability in PHPGurukul Doctor Appointment Management System v.1.0 allows a local attacker to execute arbitrary code via the search parameter. |
| CVE-2024-51242 | 2024-10-30 | A Server-Side Request Forgery (SSRF) vulnerability has been identified in eladmin 2.7 and earlier in ServerDeployController.java. The manipulation of the HTTP Body ip parameter leads to SSRF. |
| CVE-2024-51243 | 2024-10-30 | eladmin v2.7 and before contains a remote code execution (RCE) vulnerability that can control all application deployment servers of this management system via DeployController.java. |
| CVE-2024-51257 | 2024-10-30 | DrayTek Vigor3900 1.5.1.3 allows attackers to inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the doCertificate function. |
| CVE-2024-51258 | 2024-10-30 | DrayTek Vigor3900 1.5.1.3 allows attackers to inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the doSSLTunnel function. |
| CVE-2024-51296 | 2024-10-30 | In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the pingtrace function. |
| CVE-2024-51299 | 2024-10-30 | In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the dumpSyslog function. |
| CVE-2024-51300 | 2024-10-30 | In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the get_rrd function. |
| CVE-2024-51301 | 2024-10-30 | In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the packet_monitor function. |
| CVE-2024-51304 | 2024-10-30 | In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the ldap_search_dn function. |
| CVE-2024-51419 | 2024-10-30 | Cross Site Scripting vulnerability in Shenzhen Interconnection Harbor Network Technology Co., Ltd Ofweek Online Exhibition v.1.0.0 allows a remote attacker to execute arbitrary code. |
| CVE-2024-51424 | 2024-10-30 | An issue in the PepeGxng smart contract (which can be run on the Ethereum blockchain) allows remote attackers to have an unspecified impact via the Owned.setOwner function. NOTE: this is... |
| CVE-2024-51425 | 2024-10-30 | An issue in the WaterToken smart contract (which can be run on the Ethereum blockchain) allows remote attackers to have an unspecified impact. NOTE: this is disputed by third parties... |
| CVE-2024-51426 | 2024-10-30 | An issue in the PepeGxng smart contract (which can be run on the Ethereum blockchain) allows remote attackers to have an unspecified impact via the _transfer function. NOTE: this is... |
| CVE-2024-51427 | 2024-10-30 | An issue in the PepeGxng smart contract (which can be run on the Ethereum blockchain) allows remote attackers to have an unspecified impact via the mint function. NOTE: this is... |
| CVE-2024-48569 | 2024-10-30 | Proactive Risk Manager version 9.1.1.0 is affected by multiple Cross-Site Scripting (XSS) vulnerabilities in the add/edit form fields, at the urls starting with the subpaths: /ar/config/configuation/ and /ar/config/risk-strategy-control/ |
| CVE-2024-51298 | 2024-10-30 | In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the doGRETunnel function. |
| CVE-2024-10500 | 2024-10-30 | ESAFENET CDG HookWhiteListService.java sql injection |
| CVE-2024-10501 | 2024-10-30 | ESAFENET CDG ExamCDGDocService.java findById sql injection |
| CVE-2024-10502 | 2024-10-30 | ESAFENET CDG FileDirectoryService.java getOneFileDirectory sql injection |
| CVE-2024-10503 | 2024-10-30 | Klokan MapTiler tileserver-gl URL cross site scripting |
| CVE-2024-10505 | 2024-10-30 | wuzhicms block.php edit code injection |
| CVE-2024-10506 | 2024-10-30 | code-projects Blood Bank System B-.php sql injection |
| CVE-2024-9884 | 2024-10-30 | T(-) Countdown <= 2.4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode |
| CVE-2023-5816 | 2024-10-30 | Code Explorer <= 1.4.5 - Authenticated (Admin+) External File Reading |
| CVE-2024-9886 | 2024-10-30 | WP Baidu Map <= 1.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode |
| CVE-2024-9846 | 2024-10-30 | Enable Shortcodes inside Widgets,Comments and Experts <= 1.0.0 - Unauthenticated Arbitrary Shortcode Execution |
| CVE-2024-10507 | 2024-10-30 | Codezips Free Exam Hall Seating Management System login.php sql injection |
| CVE-2024-10509 | 2024-10-30 | Codezips Online Institute Management System login.php sql injection |
| CVE-2024-9885 | 2024-10-30 | Widget or Sidebar Shortcode <= 0.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode |
| CVE-2024-8627 | 2024-10-30 | Ultimate TinyMCE <= 5.7 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2024-8792 | 2024-10-30 | Subscribe to Comments <= 2.3 - Reflected Cross-Site Scripting |
| CVE-2024-10399 | 2024-10-30 | Download Monitor <= 5.0.13 - Missing Authorization to Sensitive Information Exposure |
| CVE-2024-8871 | 2024-10-30 | Pricing Tables WordPress Plugin – Easy Pricing Tables <= 3.2.5 - Reflected Cross-Site Scripting |
| CVE-2024-8444 | 2024-10-30 | Download Manager < 3.3.00 - Contributor+ Stored XSS |
| CVE-2024-10223 | 2024-10-30 | HT Team Member <= 1.1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via htteamember Shortcode |
| CVE-2024-10108 | 2024-10-30 | WPAdverts – Classifieds Plugin <= 2.1.6 - Unauthenticated Stored Cross-Site Scripting via adverts_add Shortcode |
| CVE-2024-50503 | 2024-10-30 | WordPress User Toolkit plugin <= 1.2.3 - Account Takeover vulnerability |
| CVE-2024-50509 | 2024-10-30 | WordPress Woocommerce Product Design plugin <= 1.0.0 - Arbitrary File Deletion vulnerability |
| CVE-2024-50512 | 2024-10-30 | WordPress Posti Shipping plugin <= 3.10.2 - Full Path Disclosure (FPD) vulnerability |
| CVE-2024-9632 | 2024-10-30 | Xorg-x11-server: tigervnc: heap-based buffer overflow privilege escalation vulnerability |
| CVE-2024-50507 | 2024-10-30 | WordPress DS.DownloadList plugin <= 1.3 - PHP Object Injection vulnerability |
| CVE-2024-50511 | 2024-10-30 | WordPress WP donimedia carousel plugin <= 1.0.1 - Arbitrary File Upload vulnerability |
| CVE-2024-50510 | 2024-10-30 | WordPress AR For Woocommerce plugin <= 6.2 - Arbitrary File Upload vulnerability |
| CVE-2024-50508 | 2024-10-30 | WordPress Woocommerce Product Design plugin <= 1.0.0 - Arbitrary File Download vulnerability |
| CVE-2024-50506 | 2024-10-30 | WordPress Marketing Automation by AZEXO plugin <= 1.27.80 - Privilege Escalation vulnerability |
| CVE-2024-50504 | 2024-10-30 | WordPress Bulk Change Role plugin <= 1.1 - Privilege Escalation vulnerability |
| CVE-2024-8512 | 2024-10-30 | W3SPEEDSTER <= 7.26 - Authenticated (Administrator+) Remote Code Execution |
| CVE-2024-9388 | 2024-10-30 | Black Widgets For Elementor <= 1.3.7 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload |
| CVE-2024-10525 | 2024-10-30 | Eclipse Mosquitto: Heap Buffer Overflow in my_subscribe_callback |
| CVE-2024-3935 | 2024-10-30 | Eclipse Mosquitto: Double free vulnerability |
| CVE-2024-33623 | 2024-10-30 | A denial of service vulnerability exists in the Web Application functionality of LevelOne WBR-6012 R0.40e6. A specially crafted HTTP request can lead to a reboot. An attacker can send an... |
| CVE-2024-33700 | 2024-10-30 | The LevelOne WBR-6012 router firmware R0.40e6 suffers from an input validation vulnerability within its FTP functionality, enabling attackers to cause a denial of service through a series of malformed FTP... |
| CVE-2024-28052 | 2024-10-30 | The WBR-6012 is a wireless SOHO router. It is a low-cost device which functions as an internet gateway for homes and small offices while aiming to be easy to configure... |
| CVE-2024-23309 | 2024-10-30 | The LevelOne WBR-6012 router with firmware R0.40e6 has an authentication bypass vulnerability in its web application due to reliance on client IP addresses for authentication. Attackers could spoof an IP... |
| CVE-2024-33626 | 2024-10-30 | The LevelOne WBR-6012 router contains a vulnerability within its web application that allows unauthenticated disclosure of sensitive information, such as the WiFi WPS PIN, through a hidden page accessible by... |
| CVE-2024-33603 | 2024-10-30 | The LevelOne WBR-6012 router has an information disclosure vulnerability in its web application, which allows unauthenticated users to access a verbose system log page and obtain sensitive data, such as... |
| CVE-2024-33699 | 2024-10-30 | The LevelOne WBR-6012 router's web application has a vulnerability in its firmware version R0.40e6, allowing attackers to change the administrator password and gain higher privileges without the current password. |
| CVE-2024-32946 | 2024-10-30 | A vulnerability in the LevelOne WBR-6012 router's firmware version R0.40e6 allows sensitive information to be transmitted in cleartext via Web and FTP services, exposing it to network sniffing attacks. |
| CVE-2024-31152 | 2024-10-30 | The LevelOne WBR-6012 router with firmware R0.40e6 is vulnerable to improper resource allocation within its web application, where a series of crafted HTTP requests can cause a reboot. This could... |
| CVE-2024-24777 | 2024-10-30 | A cross-site request forgery (CSRF) vulnerability exists in the Web Application functionality of the LevelOne WBR-6012 R0.40e6. A specially crafted HTTP request can lead to unauthorized access. An attacker can... |
| CVE-2024-28875 | 2024-10-30 | A security flaw involving hard-coded credentials in LevelOne WBR-6012's web services allows attackers to gain unauthorized access during the first 30 seconds post-boot. Other vulnerabilities can force a reboot, circumventing... |
| CVE-2024-31151 | 2024-10-30 | A security flaw involving hard-coded credentials in LevelOne WBR-6012's web services allows attackers to gain unauthorized access during the first 30 seconds post-boot. Other vulnerabilities can force a reboot, circumventing... |
| CVE-2024-50353 | 2024-10-30 | ICG.AspNetCore.Utilities.CloudStorage's Secure Token Durations Different Than Expected |
| CVE-2024-50419 | 2024-10-30 | WordPress Greenshift plugin <= 9.7 - Broken Access Control vulnerability |
| CVE-2024-50344 | 2024-10-30 | I, Librarian has a Stored XSS vulnerability in Supplemental Files |
| CVE-2024-9110 | 2024-10-30 | Cross-Site Scripting In Privileged Identity |
| CVE-2024-9419 | 2024-10-30 | Certain HP Print Products–Potential Remote Code Execution and/or Elevation of Privilege with the HP Smart Universal Printing Driver |
| CVE-2024-10456 | 2024-10-30 | Delta Electronics InfraSuite Device Master Deserialization of Untrusted Data |
| CVE-2024-10546 | 2024-10-30 | open-scratch Teaching 在线教学平台 URL getDictItemsByTable sql injection |
| CVE-2024-10005 | 2024-10-30 | Consul L7 Intentions Vulnerable To URL Path Bypass |
| CVE-2024-10006 | 2024-10-30 | Consul L7 Intentions Vulnerable To Headers Bypass |
| CVE-2024-10086 | 2024-10-30 | Consul Vulnerable To Reflected XSS On Content-Type Error Manipulation |
| CVE-2023-52044 | 2024-10-31 | Studio-42 eLfinder 2.1.62 is vulnerable to Remote Code Execution (RCE) as there is no restriction for uploading files with the .php8 extension. |
| CVE-2023-52045 | 2024-10-31 | Studio-42 eLfinder 2.1.62 contains a filename restriction bypass leading to a persistent Cross-site Scripting (XSS) vulnerability. |