CVE List - 2024 / October
Showing 3501 - 3570 of 3570 CVEs for October 2024 (Page 36 of 36)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2024-39332 | 2024-10-31 | Webswing 23.2.2 allows remote attackers to modify client-side JavaScript code to achieve path traversal, likely leading to remote code execution via modification of shell scripts on the server. |
| CVE-2024-39719 | 2024-10-31 | An issue was discovered in Ollama through 0.3.14. File existence disclosure can occur via api/create. When calling the CreateModel route with a path parameter that does not exist, it reflects... |
| CVE-2024-39720 | 2024-10-31 | An issue was discovered in Ollama before 0.1.46. An attacker can use two HTTP requests to upload a malformed GGUF file containing just 4 bytes starting with the GGUF custom... |
| CVE-2024-39721 | 2024-10-31 | An issue was discovered in Ollama before 0.1.34. The CreateModelHandler function uses os.Open to read a file until completion. The req.Path parameter is user-controlled and can be set to /dev/random,... |
| CVE-2024-39722 | 2024-10-31 | An issue was discovered in Ollama before 0.1.46. It exposes which files exist on the server on which it is deployed via path traversal in the api/push route. |
| CVE-2024-42515 | 2024-10-31 | Glossarizer through 1.5.2 improperly tries to convert text into HTML. Even though the application itself escapes special characters (e.g., <>), the underlying library converts these encoded characters into legitimate HTML,... |
| CVE-2024-42835 | 2024-10-31 | langflow v1.0.12 was discovered to contain a remote code execution (RCE) vulnerability via the PythonCodeTool component. |
| CVE-2024-48200 | 2024-10-31 | An issue in MobaXterm v24.2 allows a local attacker to escalate privileges and execute arbitrary code via the remove function of the MobaXterm MSI, which spawns an Administrative cmd (conhost.exe). |
| CVE-2024-48307 | 2024-10-31 | JeecgBoot v3.7.1 was discovered to contain a SQL injection vulnerability via the component /onlDragDatasetHead/getTotalData. |
| CVE-2024-48311 | 2024-10-31 | Piwigo v14.5.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via the Edit album function. |
| CVE-2024-50801 | 2024-10-31 | A SQL Injection vulnerability was discovered in AbanteCart 1.4.0 in the update() function in public_html/admin/controller/responses/listing_grid/collections.php. The vulnerability is exploitable via the id parameter. |
| CVE-2024-50802 | 2024-10-31 | A SQL Injection vulnerability was discovered in AbanteCart 1.4.0 in the update() function in public_html/admin/controller/responses/listing_grid/email_templates.php. The vulnerability is exploitable via the id parameter. |
| CVE-2024-51060 | 2024-10-31 | Projectworlds Online Admission System v1 is vulnerable to SQL Injection in index.php via the 'a_id' parameter. |
| CVE-2024-51063 | 2024-10-31 | Phpgurukul Teachers Record Management System v2.1 is vulnerable to SQL Injection in add-teacher.php via the mobile number or email parameter. |
| CVE-2024-51064 | 2024-10-31 | Phpgurukul Teachers Record Management System v2.1 is vulnerable to SQL Injection via the tid parameter to admin/queries.php. |
| CVE-2024-51065 | 2024-10-31 | Phpgurukul Beauty Parlour Management System v1.1 is vulnerable to SQL Injection in admin/index.php via the username parameter. |
| CVE-2024-51066 | 2024-10-31 | An Insecure Direct Object Reference (IDOR) vulnerability in appointment-detail.php in Phpgurukul's Beauty Parlour Management System v1.1 allows unauthorized access to the Personally Identifiable Information (PII) of other customers. |
| CVE-2024-51254 | 2024-10-31 | DrayTek Vigor3900 1.5.1.3 allows attackers to inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the sign_cacertificate function. |
| CVE-2024-51255 | 2024-10-31 | DrayTek Vigor3900 1.5.1.3 allows attackers to inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the ruequest_certificate function. |
| CVE-2024-51259 | 2024-10-31 | DrayTek Vigor3900 1.5.1.3 allows attackers to inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the setup_cacertificate function. |
| CVE-2024-51260 | 2024-10-31 | DrayTek Vigor3900 1.5.1.3 allows attackers to inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the acme_process function. |
| CVE-2024-51430 | 2024-10-31 | Cross Site Scripting vulnerability in online diagnostic lab management system using php v.1.0 allows a remote attacker to execute arbitrary code via the Test Name parameter on the diagnostic/add-test.php component. |
| CVE-2024-48359 | 2024-10-31 | Qualitor v8.24 was discovered to contain a remote code execution (RCE) vulnerability via the gridValoresPopHidden parameter. |
| CVE-2024-48360 | 2024-10-31 | Qualitor v8.24 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /request/viewValidacao.php. |
| CVE-2024-10556 | 2024-10-31 | Codezips Pet Shop Management System birdsadd.php sql injection |
| CVE-2024-10557 | 2024-10-31 | code-projects Blood Bank Management System updateprofile.php cross-site request forgery |
| CVE-2024-10559 | 2024-10-31 | SourceCodester Airport Booking Management System details buffer overflow |
| CVE-2024-10561 | 2024-10-31 | Codezips Pet Shop Management System birdsupdate.php sql injection |
| CVE-2024-10544 | 2024-10-31 | Woo Manage Fraud Orders <= 6.1.7 - Unauthenticated Information Exposure via Log Files |
| CVE-2024-9708 | 2024-10-31 | Easy SVG Upload <= 1.0 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload |
| CVE-2024-21537 | 2024-10-31 | Versions of the package lilconfig from 3.1.0 and before 3.1.1 are vulnerable to Arbitrary Code Execution due to the insecure usage of eval in the dynamicImport function. An attacker can... |
| CVE-2024-10392 | 2024-10-31 | AI Power: Complete AI Pack <= 1.8.89 - Unauthenticated Arbitrary File Upload |
| CVE-2024-9700 | 2024-10-31 | Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.36.0 - Insecure Direct Object Reference to Submission Manipulation |
| CVE-2024-9165 | 2024-10-31 | Gift Cards (Gift Vouchers and Packages) (WooCommerce Supported) <= 4.4.4 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload |
| CVE-2024-9430 | 2024-10-31 | Get Quote For Woocommerce – Request A Quote For Woocommerce <= 1.0.0 - Missing Authorization to Unauthenticated Quote PDF and CSV Download |
| CVE-2024-9446 | 2024-10-31 | WP Simple Anchors Links <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpanchor Shortcode |
| CVE-2024-9434 | 2024-10-31 | WPGlobus Translate Options <= 2.2.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting |
| CVE-2024-30149 | 2024-10-31 | HCL AppScan Source is affected by an expired TLS/SSL certificate |
| CVE-2024-43383 | 2024-10-31 | Apache Lucene.Net.Replicator: Remote Code Execution in Lucene.Net.Replicator |
| CVE-2024-49685 | 2024-10-31 | WordPress Custom Twitter Feeds plugin <= 2.2.3 - Cross Site Request Forgery (CSRF) vulnerability |
| CVE-2024-49674 | 2024-10-31 | WordPress EKC Tournament Manager plugin <= 2.2.1 - CSRF to Arbitrary File Upload vulnerability |
| CVE-2024-43984 | 2024-10-31 | WordPress Podlove Podcast Publisher plugin <= 4.1.13 - CSRF to Remote Code Execution (RCE) vulnerability |
| CVE-2024-43933 | 2024-10-31 | WordPress WPMobile.App plugin <= 11.48 - CSRF to Stored XSS vulnerability |
| CVE-2024-43930 | 2024-10-31 | WordPress JobSearch WP Job Board WordPress Plugin plugin <= 2.5.3 - Broken Access Control vulnerability |
| CVE-2024-8934 | 2024-10-31 | Beckhoff: Local command injection via TwinCAT Package Manager |
| CVE-2024-10454 | 2024-10-31 | Clickjacking vulnerability in Clibo Manager |
| CVE-2024-48910 | 2024-10-31 | DOMPurify vulnerable to tampering by prototype pollution |
| CVE-2024-8553 | 2024-10-31 | Foreman: read-only access to entire db from templates |
| CVE-2024-8185 | 2024-10-31 | Vault Vulnerable to Denial of Service When Processing Raft Join Requests |
| CVE-2024-50354 | 2024-10-31 | Out-of-memory during deserialization with crafted inputs |
| CVE-2024-51481 | 2024-10-31 | Nix allows macOS sandbox escape via built-in builders |
| CVE-2024-51478 | 2024-10-31 | Use of a Broken or Risky Cryptographic Algorithm in YesWiki |
| CVE-2024-7883 | 2024-10-31 | CMSE secure state may leak from stack to floating-point registers |
| CVE-2024-50347 | 2024-10-31 | Laravel Reverb has Missing API Signature Verification |
| CVE-2024-50356 | 2024-10-31 | Press has a potential 2FA bypass |
| CVE-2024-51482 | 2024-10-31 | Boolean-based SQL Injection in ZoneMinder v1.37.* <= 1.37.64 |
| CVE-2024-10573 | 2024-10-31 | Mpg123: buffer overflow when writing decoded pcm samples |
| CVE-2024-10594 | 2024-10-31 | ESAFENET CDG FileDirectoryService.java docHistory sql injection |
| CVE-2024-10595 | 2024-10-31 | ESAFENET CDG PublicDocInfoAjax.java delDifferCourseList sql injection |
| CVE-2024-10596 | 2024-10-31 | ESAFENET CDG EncryptPolicyTypeService.java delEntryptPolicySort sql injection |
| CVE-2024-10597 | 2024-10-31 | ESAFENET CDG PolicyActionService.java delPolicyAction sql injection |
| CVE-2024-6480 | 2024-10-31 | SIP Reviews Shortcode for WooCommerce <= 1.2.3 - Authenticated (Contributor+) Cross-Site Scripting |
| CVE-2024-6479 | 2024-10-31 | SIP Reviews Shortcode for WooCommerce <= 1.2.3 - Authenticated (Contributor+) SQL Injection |
| CVE-2024-10598 | 2024-10-31 | Tongda OA Annual Leave data.php improper authorization |
| CVE-2024-10599 | 2024-10-31 | Tongda OA 2017 package_static_resources.php resource consumption |
| CVE-2024-10600 | 2024-10-31 | Tongda OA 2017 submenu.php sql injection |
| CVE-2024-10601 | 2024-10-31 | Tongda OA 2017 delete.php sql injection |
| CVE-2024-10602 | 2024-10-31 | Tongda OA 2017 data_picker_link.php sql injection |
| CVE-2024-10605 | 2024-10-31 | code-projects Blood Bank Management System request.php cross-site request forgery |
| CVE-2024-22733 | 2024-11-01 | TP Link MR200 V4 Firmware version 210201 was discovered to contain a null-pointer-dereference in the web administration panel on /cgi/login via the sign, Action or LoginStatus query parameters which could... |
| CVE-2024-27524 | 2024-11-01 | Cross Site Scripting vulnerability in Chamilo LMS v.1.11.26 allows a remote attacker to escalate privileges via a crafted script to the filename parameter of the new_ticket.php component. |
| CVE-2024-27525 | 2024-11-01 | Cross Site Scripting vulnerability in Chamilo LMS v.1.11.26 allows a remote attacker to escalate privileges via a crafted script to the filename parameter of the home.php component. |
| CVE-2024-28265 | 2024-11-01 | IBOS v4.5.5 has an arbitrary file deletion vulnerability via \system\modules\dashboard\controllers\LoginController.php. |
| CVE-2024-40490 | 2024-11-01 | An issue in Sourcebans++ before v.1.8.0 allows a remote attacker to obtain sensitive information via a crafted XAJAX call to the Forgot Password function. |
| CVE-2024-48217 | 2024-11-01 | An Insecure Direct Object Reference (IDOR) in the dashboard of SiSMART v7.4.0 allows attackers to execute a horizontal-privilege escalation. |
| CVE-2024-48270 | 2024-11-01 | An issue in the component /logins of oasys v1.1 allows attackers to access sensitive information via a burst attack. |
| CVE-2024-48289 | 2024-11-01 | An issue in the Bluetooth Low Energy implementation of Cypress Bluetooth SDK v3.66 allows attackers to cause a Denial of Service (DoS) via supplying a crafted LL_PAUSE_ENC_REQ packet. |
| CVE-2024-48352 | 2024-11-01 | Yealink Meeting Server before V26.0.0.67 is vulnerable to sensitive data exposure in the server response via sending HTTP request with enterprise ID. |
| CVE-2024-48410 | 2024-11-01 | Cross Site Scripting vulnerability in Camtrace v.9.16.2.1 allows a remote attacker to execute arbitrary code via the login.php. |
| CVE-2024-51244 | 2024-11-01 | In DrayTek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the doIPSec function. |
| CVE-2024-51245 | 2024-11-01 | In DrayTek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the rename_table function. |
| CVE-2024-51247 | 2024-11-01 | In DrayTek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the doPPPo function. |
| CVE-2024-51248 | 2024-11-01 | In DrayTek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the modifyrow function. |
| CVE-2024-51252 | 2024-11-01 | In DrayTek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the restore function. |
| CVE-2024-51377 | 2024-11-01 | An issue in Ladybird Web Solution Faveo Helpdesk & Servicedesk (On-Premise and Cloud) 9.2.0 allows a remote attacker to execute arbitrary code via the Subject and Identifier fields |
| CVE-2024-51398 | 2024-11-01 | Altai Technologies Ltd Altai X500 Indoor 22 802.11ac Wave 2 AP web Management Weak password leakage in the background may lead to unauthorized access, data theft, and network attacks, seriously... |
| CVE-2024-51399 | 2024-11-01 | Altai Technologies Ltd Altai IX500 Indoor 22 802.11ac Wave 2 AP After login, there are file reads in the background, and attackers can obtain sensitive information such as user credentials,... |
| CVE-2024-51406 | 2024-11-01 | Floodlight SDN Open Flow Controller v.1.2 has an issue that allows local hosts to build fake LLDP packets that allow specific clusters to be missed by Floodlight, which in turn... |
| CVE-2024-51407 | 2024-11-01 | Floodlight SDN OpenFlow Controller v.1.2 has an issue that allows local hosts to construct false broadcast ports causing inter-host communication anomalies. |
| CVE-2024-51431 | 2024-11-01 | LB-LINK BL-WR 1300H v.1.0.4 contains hardcoded credentials stored in /etc/shadow which are easily guessable. |
| CVE-2024-51432 | 2024-11-01 | Cross Site Scripting vulnerability in FiberHome HG6544C RP2743 allows an attacker to execute arbitrary code via the SSID field in the WIFI Clients List not being sanitized |
| CVE-2024-48353 | 2024-11-01 | Yealink Meeting Server before V26.0.0.67 allows attackers to obtain static key information from a front-end JS file and decrypt the plaintext passwords based on the obtained key information. |
| CVE-2024-10607 | 2024-11-01 | code-projects Courier Management System track-result.php sql injection |
| CVE-2024-10608 | 2024-11-01 | code-projects Courier Management System login.php sql injection |
| CVE-2024-10609 | 2024-11-01 | itsourcecode Tailoring Management System Project typeadd.php sql injection |
| CVE-2024-10610 | 2024-11-01 | ESAFENET CDG ProtocolService.java delProtocol sql injection |
| CVE-2024-10611 | 2024-11-01 | ESAFENET CDG PrintScreenListService.java delProtocol sql injection |
| CVE-2024-10612 | 2024-11-01 | ESAFENET CDG HookInvalidCourseService.java removeHookInvalidCourse sql injection |
| CVE-2024-10613 | 2024-11-01 | ESAFENET CDG SystemEncryptPolicyService.java delSystemEncryptPolicy sql injection |
| CVE-2024-10615 | 2024-11-01 | Tongda OA 2017 delete_data_attach.php sql injection |