CVE List - 2024 / November
Showing 201 - 300 of 4054 CVEs for November 2024 (Page 3 of 41)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2024-37119 | 2024-11-01 | WordPress Uncanny Automator Pro plugin < 5.3.0.1 - Unauthenticated License Settings Reset vulnerability |
| CVE-2024-37108 | 2024-11-01 | WordPress WishList Member X plugin < 3.26.7 - Authenticated Arbitrary File Deletion vulnerability |
| CVE-2024-37106 | 2024-11-01 | WordPress WishList Member X plugin < 3.26.7 - Unauthenticated Plugin Settings Change Leading to Stored XSS vulnerability |
| CVE-2024-37096 | 2024-11-01 | WordPress Popup box plugin <= 4.5.1 - Broken Access Control vulnerability |
| CVE-2024-37095 | 2024-11-01 | WordPress Envira Photo Gallery plugin <= 1.8.7.3 - CSRF leading to notice dismissal vulnerability |
| CVE-2024-37249 | 2024-11-01 | WordPress Advanced Custom Fields Pro plugin < 6.3.2 - Contributor+ Broken Access Control vulnerability |
| CVE-2024-37250 | 2024-11-01 | WordPress Advanced Custom Fields Pro plugin < 6.3.2 - Subscriber+ Broken Access Control vulnerability |
| CVE-2024-44038 | 2024-11-01 | WordPress Sunshine Photo Cart plugin <= 3.2.9 - Broken Access Control vulnerability |
| CVE-2024-47302 | 2024-11-01 | WordPress Fluent Support plugin <= 1.8.0 - Broken Access Control on Email Verification vulnerability |
| CVE-2024-47311 | 2024-11-01 | WordPress Wheel of Life plugin <= 1.1.8 - Broken Access Control vulnerability |
| CVE-2024-47314 | 2024-11-01 | WordPress Sunshine Photo Cart plugin <= 3.2.8 - Broken Access Control vulnerability |
| CVE-2024-48039 | 2024-11-01 | WordPress CubeWP – All-in-One Dynamic Content Framework plugin <= 1.1.15 - Broken Access Control vulnerability |
| CVE-2024-48044 | 2024-11-01 | WordPress ShortPixel Image Optimizer plugin <= 5.6.3 - Broken Access Control vulnerability |
| CVE-2024-48045 | 2024-11-01 | WordPress Happy Elementor Addons plugin <= 3.12.3 - Broken Access Control vulnerability |
| CVE-2024-49256 | 2024-11-01 | WordPress Htaccess File Editor plugin <= 1.0.18 - Broken Access Control vulnerability |
| CVE-2024-37209 | 2024-11-01 | WordPress User Rights Access Manager plugin <= 1.1.2 - Broken Access Control vulnerability |
| CVE-2024-10656 | 2024-11-01 | Tongda OA 2017 apply.php sql injection |
| CVE-2024-10657 | 2024-11-01 | Tongda OA prcs_info.php sql injection |
| CVE-2024-10658 | 2024-11-01 | Tongda OA check_seal.php sql injection |
| CVE-2024-10659 | 2024-11-01 | ESAFENET CDG CDGAuthoriseTempletService.java delSystemEncryptPolicy sql injection |
| CVE-2024-10660 | 2024-11-01 | ESAFENET CDG HookService.java deleteHook sql injection |
| CVE-2024-10661 | 2024-11-01 | Tenda AC15 SetDlnaCfg stack-based overflow |
| CVE-2024-10662 | 2024-11-01 | Tenda AC15 SetOnlineDevName formSetDeviceName stack-based overflow |
| CVE-2024-49770 | 2024-11-01 | oak's path traversal allows transfer of hidden files within the served root directory |
| CVE-2024-51483 | 2024-11-01 | changedetection.io Path Traversal vulnerability |
| CVE-2024-51492 | 2024-11-01 | Zusam vulnerable to stored XSS, allowing token theft via crafted SVG |
| CVE-2024-41738 | 2024-11-01 | IBM TXSeries for Multiplatforms information disclosure |
| CVE-2024-41741 | 2024-11-01 | IBM TXSeries for Multiplatforms information disclosure |
| CVE-2024-41745 | 2024-11-01 | IBM CICS TX Standard cross-site scripting |
| CVE-2024-41744 | 2024-11-01 | IBM CICS TX Standard cross-site request forgery |
| CVE-2024-44234 | 2024-11-01 | The issue was addressed with improved bounds checks. This issue is fixed in macOS Sonoma 14.7.1, macOS Ventura 13.7.1, visionOS 2.1, watchOS 11.1, tvOS 18.1, iOS 17.7.1 and iPadOS 17.7.1,... |
| CVE-2024-44232 | 2024-11-01 | The issue was addressed with improved bounds checks. This issue is fixed in macOS Sonoma 14.7.1, macOS Ventura 13.7.1, visionOS 2.1, watchOS 11.1, tvOS 18.1, iOS 17.7.1 and iPadOS 17.7.1,... |
| CVE-2024-44233 | 2024-11-01 | The issue was addressed with improved bounds checks. This issue is fixed in macOS Sonoma 14.7.1, macOS Ventura 13.7.1, visionOS 2.1, watchOS 11.1, tvOS 18.1, iOS 17.7.1 and iPadOS 17.7.1,... |
| CVE-2024-9191 | 2024-11-01 | The Okta Device Access features, provided by the Okta Verify agent for Windows, provides access to the OktaDeviceAccessPipe, which enables attackers in a compromised device to retrieve passwords associated with... |
| CVE-2024-51774 | 2024-11-02 | qBittorrent before 5.0.1 proceeds with use of https URLs even after certificate validation errors. |
| CVE-2024-10310 | 2024-11-02 | Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) <= 5.10.1 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Custom Gallery Widget |
| CVE-2024-10540 | 2024-11-02 | Appointment Booking Calendar Plugin and Scheduling Plugin – BookingPress <= 1.1.16 - Authenticated (Subscriber+) SQL Injection |
| CVE-2024-8739 | 2024-11-02 | ReCaptcha Integration for WordPress <= 1.2.5 - Reflected Cross-Site Scripting |
| CVE-2024-9868 | 2024-11-02 | Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid & Carousel, Remote Arrows) <= 5.10.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Age Gate |
| CVE-2024-9896 | 2024-11-02 | BBP Core – Expand bbPress powered forums with useful features <= 1.2.5 - Reflected Cross-Site Scripting via add_query_arg Parameter |
| CVE-2024-10697 | 2024-11-02 | Tenda AC6 API Endpoint WriteFacMac formWriteFacMac command injection |
| CVE-2024-10698 | 2024-11-02 | Tenda AC6 SetOnlineDevName formSetDeviceName stack-based overflow |
| CVE-2024-10699 | 2024-11-02 | code-projects Wazifa System logincontrol.php sql injection |
| CVE-2024-10700 | 2024-11-02 | code-projects University Event Management System submit.php sql injection |
| CVE-2024-10701 | 2024-11-02 | PHPGurukul Car Rental Portal search.php cross site scripting |
| CVE-2024-10702 | 2024-11-02 | code-projects Simple Car Rental System signup.php sql injection |
| CVE-2024-10730 | 2024-11-03 | Tongda OA web_show.php sql injection |
| CVE-2024-10731 | 2024-11-03 | Tongda OA check_seal.php sql injection |
| CVE-2024-10732 | 2024-11-03 | Tongda OA 2017 index.php sql injection |
| CVE-2024-10733 | 2024-11-03 | code-projects Restaurant Order System login.php sql injection |
| CVE-2024-10734 | 2024-11-03 | Project Worlds Life Insurance Management System editPayment.php sql injection |
| CVE-2024-10735 | 2024-11-03 | Project Worlds Life Insurance Management System editNominee.php sql injection |
| CVE-2024-10736 | 2024-11-03 | Codezips Free Exam Hall Seating Management System student.php sql injection |
| CVE-2024-10737 | 2024-11-03 | Codezips Free Exam Hall Seating Management System teacher.php sql injection |
| CVE-2024-10738 | 2024-11-03 | itsourcecode Farm Management System manage-breed.php sql injection |
| CVE-2024-10739 | 2024-11-03 | code-projects E-Health Care System adminlogin.php sql injection |
| CVE-2024-10740 | 2024-11-03 | code-projects E-Health Care System consulting_detail.php sql injection |
| CVE-2024-10741 | 2024-11-03 | code-projects E-Health Care System registration.php sql injection |
| CVE-2024-10742 | 2024-11-03 | code-projects Wazifa System control.php sql injection |
| CVE-2024-10743 | 2024-11-03 | PHPGurukul Online Shopping Portal editable_ajax.php cross site scripting |
| CVE-2024-10744 | 2024-11-03 | PHPGurukul Online Shopping Portal complex_header_2.php cross site scripting |
| CVE-2024-10745 | 2024-11-03 | PHPGurukul Online Shopping Portal deferred_table.php cross site scripting |
| CVE-2024-10746 | 2024-11-03 | PHPGurukul Online Shopping Portal dom_data.php cross site scripting |
| CVE-2024-30616 | 2024-11-04 | Chamilo LMS 1.11.26 is vulnerable to Incorrect Access Control via main/auth/profile. Non-admin users can manipulate sensitive profiles information, posing a significant risk to data integrity. |
| CVE-2024-30617 | 2024-11-04 | A Cross-Site Request Forgery (CSRF) vulnerability in Chamilo LMS 1.11.26 "/main/social/home.php," allows attackers to initiate a request that posts a fake post onto the user's social wall without their consent... |
| CVE-2024-30618 | 2024-11-04 | A Stored Cross-Site Scripting (XSS) Vulnerability in Chamilo LMS 1.11.26 allows a remote attacker to execute arbitrary JavaScript in a web browser by including a malicious payload in the 'content'... |
| CVE-2024-30619 | 2024-11-04 | Chamilo LMS Version 1.11.26 is vulnerable to Incorrect Access Control. A non-authenticated attacker can request the number of messages and the number of online users via "/main/inc/ajax/message.ajax.php?a=get_count_message" AND "/main/inc/ajax/online.ajax.php?a=get_users_online." |
| CVE-2024-34882 | 2024-11-04 | Insufficiently protected credentials in SMTP server settings in 1C-Bitrix Bitrix24 23.300.100 allows remote administrators to send SMTP account passwords to an arbitrary server via HTTP POST request. |
| CVE-2024-34883 | 2024-11-04 | Insufficiently protected credentials in DAV server settings in 1C-Bitrix Bitrix24 23.300.100 allow remote administrators to read proxy-server accounts passwords via HTTP GET request. |
| CVE-2024-34885 | 2024-11-04 | Insufficiently protected credentials in SMTP server settings in 1C-Bitrix Bitrix24 23.300.100 allows remote administrators to read SMTP accounts passwords via HTTP GET request. |
| CVE-2024-34887 | 2024-11-04 | Insufficiently protected credentials in AD/LDAP server settings in 1C-Bitrix Bitrix24 23.300.100 allows remote administrators to send AD/LDAP administrators account passwords to an arbitrary server via HTTP POST request. |
| CVE-2024-34891 | 2024-11-04 | Insufficiently protected credentials in DAV server settings in 1C-Bitrix Bitrix24 23.300.100 allows remote administrators to read Exchange account passwords via HTTP GET request. |
| CVE-2024-45164 | 2024-11-04 | Akamai SIA (Secure Internet Access Enterprise) ThreatAvert, in SPS (Security and Personalization Services) before the latest 19.2.0 patch and Apps Portal before 19.2.0.3 or 19.2.0.20240814, has incorrect authorization controls for... |
| CVE-2024-45185 | 2024-11-04 | An issue was discovered in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 9820, 9825, 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 9110, W920, W930, Modem... |
| CVE-2024-45882 | 2024-11-04 | DrayTek Vigor3900 1.5.1.3 contains a command injection vulnerability. This vulnerability occurs when the `action` parameter in `cgi-bin/mainfunction.cgi` is set to `delete_map_profile.` |
| CVE-2024-45884 | 2024-11-04 | DrayTek Vigor3900 1.5.1.3 contains a post-authentication command injection vulnerability. This vulnerability occurs when the `action` parameter in `cgi-bin/mainfunction.cgi` is set to `setSWMGroup.` |
| CVE-2024-45885 | 2024-11-04 | DrayTek Vigor3900 1.5.1.3 contains a post-authentication command injection vulnerability. This vulnerability occurs when the `action` parameter in `cgi-bin/mainfunction.cgi` is set to `autodiscovery_clear.` |
| CVE-2024-45887 | 2024-11-04 | DrayTek Vigor3900 1.5.1.3 contains a post-authentication command injection vulnerability. This vulnerability occurs when the `action` parameter in `cgi-bin/mainfunction.cgi` is set to `doOpenVPN.` |
| CVE-2024-45888 | 2024-11-04 | DrayTek Vigor3900 1.5.1.3 contains a command injection vulnerability. This vulnerability occurs when the `action` parameter in `cgi-bin/mainfunction.cgi` is set to `set_ap_map_config.` |
| CVE-2024-45889 | 2024-11-04 | DrayTek Vigor3900 1.5.1.3 contains a post-authentication command injection vulnerability. This vulnerability occurs when the `action` parameter in `cgi-bin/mainfunction.cgi` is set to `commandTable.` |
| CVE-2024-45890 | 2024-11-04 | DrayTek Vigor3900 1.5.1.3 contains a post-authentication command injection vulnerability. This vulnerability occurs when the `action` parameter in `cgi-bin/mainfunction.cgi` is set to `download_ovpn.` |
| CVE-2024-45891 | 2024-11-04 | DrayTek Vigor3900 1.5.1.3 contains a post-authentication command injection vulnerability. This vulnerability occurs when the `action` parameter in `cgi-bin/mainfunction.cgi` is set to `delete_wlan_profile.` |
| CVE-2024-45893 | 2024-11-04 | DrayTek Vigor3900 1.5.1.3 contains a post-authentication command injection vulnerability. This vulnerability occurs when the `action` parameter in `cgi-bin/mainfunction.cgi` is set to `setSWMOption.` |
| CVE-2024-48050 | 2024-11-04 | In agentscope <=v0.0.4, the file agentscope\web\workstation\workflow_utils.py has the function is_callable_expression. Within this function, the line result = eval(s) poses a security risk as it can directly execute user-provided commands. |
| CVE-2024-48052 | 2024-11-04 | In gradio <=4.42.0, the gr.DownloadButton function has a hidden server-side request forgery (SSRF) vulnerability. The reason is that within the save_url_to_cache function, there are no restrictions on the URL, which... |
| CVE-2024-48057 | 2024-11-04 | localai <=2.20.1 is vulnerable to Cross Site Scripting (XSS). When calling the delete model API and passing inappropriate parameters, it can cause a one-time storage XSS, which will trigger the... |
| CVE-2024-48059 | 2024-11-04 | gaizhenbiao/chuanhuchatgpt project, version <=20240802 is vulnerable to stored Cross-Site Scripting (XSS) in WebSocket session transmission. An attacker can inject malicious content into a WebSocket message. When a victim accesses this... |
| CVE-2024-48061 | 2024-11-04 | langflow <=1.0.18 is vulnerable to Remote Code Execution (RCE) as any component provided the code functionality and the components run on the local machine rather than in a sandbox. |
| CVE-2024-48336 | 2024-11-04 | The install() function of ProviderInstaller.java in Magisk App before canary version 27007 does not verify the GMS app before loading it, which allows a local untrusted app with no additional... |
| CVE-2024-48463 | 2024-11-04 | Bruno before 1.29.1 uses Electron shell.openExternal without validation (of http or https) for opening windows within the Markdown docs viewer. |
| CVE-2024-48809 | 2024-11-04 | An issue in Open Networking Foundations sdran-in-a-box v.1.4.3 and onos-a1t v.0.2.3 allows a remote attacker to cause a denial of service via the onos-a1t component of the sdran-in-a-box, specifically the... |
| CVE-2024-51127 | 2024-11-04 | An issue in the createTempFile method of hornetq v2.4.9 allows attackers to arbitrarily overwrite files or access sensitive information. |
| CVE-2024-51136 | 2024-11-04 | An XML External Entity (XXE) vulnerability in Dmoz2CSV in openimaj v1.3.10 allows attackers to access sensitive information or execute arbitrary code via supplying a crafted XML file. |
| CVE-2024-51246 | 2024-11-04 | In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the doPPTP function. |
| CVE-2024-51249 | 2024-11-04 | In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the reboot function. |
| CVE-2024-51251 | 2024-11-04 | In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the backup function. |
| CVE-2024-51253 | 2024-11-04 | In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the doL2TP function. |
| CVE-2024-51326 | 2024-11-04 | SQL Injection vulnerability in projectworlds Travel management System v.1.0 allows a remote attacker to execute arbitrary code via the 't2' parameter in deletesubcategory.php. |
| CVE-2024-51327 | 2024-11-04 | SQL Injection in loginform.php in ProjectWorld's Travel Management System v1.0 allows remote attackers to bypass authentication via SQL Injection in the 'username' and 'password' fields. |
| CVE-2024-51328 | 2024-11-04 | Cross Site Scripting vulnerability in addcategory.php in projectworld's Travel Management System v1.0 allows remote attacker to inject arbitrary code via the t2 parameter. |