CVE List - 2024 / December
Showing 301 - 400 of 3433 CVEs for December 2024 (Page 4 of 35)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2024-11479 | 2024-12-04 | Authenticated HTML Injection in Issuetrak Ticket Comment Function |
| CVE-2024-42449 | 2024-12-04 | From the VSPC management agent machine, under the condition that the management agent is authorized on the server, it is possible to remove arbitrary files on the VSPC server machine. |
| CVE-2024-42455 | 2024-12-04 | A vulnerability in Veeam Backup & Replication allows a low-privileged user to connect to remoting services and exploit insecure deserialization by sending a serialized temporary file collection. This exploit allows... |
| CVE-2024-42456 | 2024-12-04 | A vulnerability in Veeam Backup & Replication platform allows a low-privileged user with a specific role to exploit a method that updates critical configuration settings, such as modifying the trusted... |
| CVE-2024-40717 | 2024-12-04 | A vulnerability in Veeam Backup & Replication allows a low-privileged user with certain roles to perform remote code execution (RCE) by updating existing jobs. These jobs can be configured to... |
| CVE-2024-45205 | 2024-12-04 | An Improper Certificate Validation on the UniFi iOS App managing a standalone UniFi Access Point (not using UniFi Network Application) could allow a malicious actor with access to an adjacent... |
| CVE-2024-45206 | 2024-12-04 | A vulnerability in Veeam Service Provider Console has been identified, which allows performing arbitrary HTTP requests to arbitrary hosts of the network and obtaining information about internal resources. |
| CVE-2024-42452 | 2024-12-04 | A vulnerability in Veeam Backup & Replication allows a low-privileged user to start an agent remotely in server mode and obtain credentials, effectively escalating privileges to system-level access. This allows... |
| CVE-2024-42457 | 2024-12-04 | A vulnerability in Veeam Backup & Replication allows users with certain operator roles to expose saved credentials by leveraging a combination of methods in a remote management interface. This can... |
| CVE-2024-45207 | 2024-12-04 | DLL injection in Veeam Agent for Windows can occur if the system's PATH variable includes insecure locations. When the agent runs, it searches these directories for necessary DLLs. If an... |
| CVE-2024-42453 | 2024-12-04 | A vulnerability in Veeam Backup & Replication allows low-privileged users to control and modify configurations on connected virtual infrastructure hosts. This includes the ability to power off virtual machines, delete files... |
| CVE-2024-42451 | 2024-12-04 | A vulnerability in Veeam Backup & Replication allows low-privileged users to leak all saved credentials in plaintext. This is achieved by calling a series of methods over an external protocol,... |
| CVE-2024-45204 | 2024-12-04 | A vulnerability exists where a low-privileged user can exploit insufficient permissions in credential handling to leak NTLM hashes of saved credentials. The exploitation involves using retrieved credentials to expose sensitive... |
| CVE-2024-11985 | 2024-12-04 | An improper input validation vulnerability leads to device crashes in certain ASUS router models. Refer to the '12/03/2024 ASUS Router Improper Input Validation' section on the ASUS Security Advisory for... |
| CVE-2024-10832 | 2024-12-04 | Posti Shipping <= 3.10.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting via generate_notices_html Function |
| CVE-2024-10587 | 2024-12-04 | Funnelforms Free <= 3.7.4.1 - Authenticated (Contributor+) PHP Object Injection |
| CVE-2024-10952 | 2024-12-04 | Authors List <= 2.0.4 - Unauthenticated Arbitrary Shortcode Execution via update_authors_list_ajax |
| CVE-2024-11093 | 2024-12-04 | SG Helper <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via SVG File Upload |
| CVE-2024-11897 | 2024-12-04 | Contact Form, Survey & Form Builder – MightyForms <= 1.3.9 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2024-11813 | 2024-12-04 | Pulsating Chat Button <= 1.3.6 - Cross-Site Request Forgery to Stored Cross-Site Scripting |
| CVE-2024-10663 | 2024-12-04 | Eleblog – Elementor Blog And Magazine Addons <= 1.8 - Missing Authorization to Authenticated (Subscriber+) Deactivation Submission |
| CVE-2024-11747 | 2024-12-04 | Responsive Videos <= 2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2024-11807 | 2024-12-04 | NPS computy <= 2.8.0 - Reflected Cross-Site Scripting |
| CVE-2024-12123 | 2024-12-04 | Unauthorized Modification of Ticket Requester |
| CVE-2024-10885 | 2024-12-04 | SearchIQ – The Search Solution <= 4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2024-12099 | 2024-12-04 | Dollie Hub – Build Your Own WordPress Cloud Platform <= 6.2.0 - Authenticated (Contributor+) Post Disclosure |
| CVE-2024-9404 | 2024-12-04 | Denial-of-Service Vulnerability |
| CVE-2024-11398 | 2024-12-04 | Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in OTP reset functionality in Synology Router Manager (SRM) before 1.3.1-9346-9 allows remote authenticated users to delete arbitrary... |
| CVE-2023-52943 | 2024-12-04 | Incorrect authorization vulnerability in Alert.Setting webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to perform limited actions on the alerting function via unspecified... |
| CVE-2023-52944 | 2024-12-04 | Incorrect authorization vulnerability in ActionRule webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to perform limited actions on the set action rules function via... |
| CVE-2024-45717 | 2024-12-04 | SolarWinds Platform Cross-Site Scripting Vulnerability |
| CVE-2024-11466 | 2024-12-04 | Intro Tour Tutorial DeepPresentation <= 6.5.2 - Reflected Cross-Site Scripting |
| CVE-2024-10664 | 2024-12-04 | Knowledge Base documentation & wiki plugin – BasePress Docs <= 2.16.3.3 - Missing Authorization to Authenticated (Subscriber+) Database Update |
| CVE-2024-11293 | 2024-12-04 | Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction Social Sites Login <= 1.7.9 - Authentication Bypass via WordPress.com OAuth provider |
| CVE-2024-11769 | 2024-12-04 | Flower Delivery by Florist One <= 3.9 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2023-6978 | 2024-12-04 | WP Job Manager – Company Profiles <= 1.7 - Reflected Cross-Site Scripting |
| CVE-2024-11903 | 2024-12-04 | WP eCards <= 1.3.904 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2024-10567 | 2024-12-04 | TI WooCommerce Wishlist <= 2.9.1 - Missing Authorization to Unauthenticated Plugin Setup Wizard Access |
| CVE-2024-10787 | 2024-12-04 | LA-Studio Element Kit for Elementor <= 1.4.4 - Authenticated (Contributor+) Post Disclosure |
| CVE-2024-11952 | 2024-12-04 | Classic Addons – WPBakery Page Builder <= 3.0 - Authenticated (Contributor+) Limited Local PHP File Inclusion |
| CVE-2024-5020 | 2024-12-04 | Multiple Plugins <= (Various Versions) - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via FancyBox JavaScript Library |
| CVE-2024-11880 | 2024-12-04 | B Testimonial – testimonial plugin for WP <= 1.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2024-11814 | 2024-12-04 | Additional Custom Order Status for WooCommerce <= 1.6.0 - Reflected Cross-Site Scripting |
| CVE-2024-52276 | 2024-12-04 | PDF Document Spoofing in DocuSign |
| CVE-2024-52277 | 2024-12-04 | PDF Document Spoofing in DocuSeal |
| CVE-2024-52272 | 2024-12-04 | Denial of Service on Tenda AC6V2 Due To Stack Overflow |
| CVE-2024-52273 | 2024-12-04 | Denial of Service on Tenda AC6V2 Due To Stack Overflow |
| CVE-2024-52274 | 2024-12-04 | Denial of Service on Tenda AC6V2 Due To Stack Overflow |
| CVE-2024-52275 | 2024-12-04 | Denial of Service on Tenda AC6V2 Due To Stack Overflow |
| CVE-2024-12107 | 2024-12-04 | Double Free in µD3TN |
| CVE-2024-11854 | 2024-12-04 | Listdom – Business Directory and Classified Ads Listings WordPress Plugin <= 3.7.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode Parameter |
| CVE-2024-8962 | 2024-12-04 | WPBITS Addons For Elementor Page Builder <= 1.5.2 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload |
| CVE-2024-54153 | 2024-12-04 | In JetBrains YouTrack before 2024.3.51866 unauthenticated database backup download was possible via vulnerable query parameter |
| CVE-2024-54154 | 2024-12-04 | In JetBrains YouTrack before 2024.3.51866 system takeover was possible through path traversal in plugin sandbox |
| CVE-2024-54155 | 2024-12-04 | In JetBrains YouTrack before 2024.3.51866 improper access control allowed listing of project names during app import without authentication |
| CVE-2024-54156 | 2024-12-04 | In JetBrains YouTrack before 2024.3.52635 multiple merge functions were vulnerable to prototype pollution attack |
| CVE-2024-54157 | 2024-12-04 | In JetBrains YouTrack before 2024.3.52635 potential ReDoS was possible due to vulnerable RegExp in Ruby syntax detector |
| CVE-2024-54158 | 2024-12-04 | In JetBrains YouTrack before 2024.3.52635 potential spoofing attack was possible via lack of Punycode encoding |
| CVE-2024-52269 | 2024-12-04 | AI Assistant PDF Document Spoofing in DocuSign |
| CVE-2024-8894 | 2024-12-04 | Out-of-bounds Write vulnerability in ODA SDK versions < 2025.10 |
| CVE-2024-10576 | 2024-12-04 | Unauthorized factory reset of Infinix devices |
| CVE-2024-11935 | 2024-12-04 | Email Address Obfuscation <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via class Parameter |
| CVE-2024-12138 | 2024-12-04 | horilla create_skills deserialization |
| CVE-2024-7488 | 2024-12-04 | Business Logic Error in RestApp Inc.'s Online Ordering System |
| CVE-2024-51465 | 2024-12-04 | IBM App Connect Enterprise Certified Container command execution |
| CVE-2024-53125 | 2024-12-04 | bpf: sync_linked_regs() must preserve subreg_def |
| CVE-2024-53126 | 2024-12-04 | vdpa: solidrun: Fix UB bug with devres |
| CVE-2024-53127 | 2024-12-04 | Revert "mmc: dw_mmc: Fix IDMAC operation with pages bigger than 4K" |
| CVE-2024-53128 | 2024-12-04 | sched/task_stack: fix object_is_on_stack() for KASAN tagged pointers |
| CVE-2024-53129 | 2024-12-04 | drm/rockchip: vop: Fix a dereferenced before check warning |
| CVE-2024-53130 | 2024-12-04 | nilfs2: fix null-ptr-deref in block_dirty_buffer tracepoint |
| CVE-2024-53131 | 2024-12-04 | nilfs2: fix null-ptr-deref in block_touch_buffer tracepoint |
| CVE-2024-53132 | 2024-12-04 | drm/xe/oa: Fix "Missing outer runtime PM protection" warning |
| CVE-2024-53133 | 2024-12-04 | drm/amd/display: Handle dml allocation failure to avoid crash |
| CVE-2024-53134 | 2024-12-04 | pmdomain: imx93-blk-ctrl: correct remove path |
| CVE-2024-53135 | 2024-12-04 | KVM: VMX: Bury Intel PT virtualization (guest/host mode) behind CONFIG_BROKEN |
| CVE-2024-53136 | 2024-12-04 | mm: revert "mm: shmem: fix data-race in shmem_getattr()" |
| CVE-2024-53137 | 2024-12-04 | ARM: fix cacheflush with PAN |
| CVE-2024-53138 | 2024-12-04 | net/mlx5e: kTLS, Fix incorrect page refcounting |
| CVE-2024-53139 | 2024-12-04 | sctp: fix possible UAF in sctp_v6_available() |
| CVE-2024-53140 | 2024-12-04 | netlink: terminate outstanding dump on socket close |
| CVE-2024-12056 | 2024-12-04 | Client Secret not checked with OAuth Password grant type |
| CVE-2024-40744 | 2024-12-04 | Extension - tassos.gr - Unrestricted file upload in Convert Forms component for Joomla < 4.4.8 |
| CVE-2024-40745 | 2024-12-04 | Extension - tassos.gr - Reflected Cross site scripting vulnerability in Convert Forms component for Joomla < 4.4.8 |
| CVE-2024-54134 | 2024-12-04 | @solana/web3.js modified package published to npm, containing malware that exfiltrates private key material |
| CVE-2024-11643 | 2024-12-04 | Accessibility by AllAccessible <= 1.3.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Option Update |
| CVE-2024-54132 | 2024-12-04 | GitHub CLI allows downloading malicious GitHub Actions workflow artifact to result in path traversal vulnerability |
| CVE-2024-54002 | 2024-12-04 | Dependency-Track allows enumeration of managed users via /api/v1/user/login endpoint |
| CVE-2024-20397 | 2024-12-04 | Cisco NX-OS Software Image Verification Bypass Vulnerability |
| CVE-2018-9392 | 2024-12-04 | In get_binary of vendor/mediatek/proprietary/hardware/connectivity/gps/gps_hal/src/data_coder.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges... |
| CVE-2024-12196 | 2024-12-04 | Incorrect authorization in the permission component in Devolutions Server 2024.3.7.0 and earlier allows an authenticated user to view the password history of an entry without the view password permission. |
| CVE-2018-9393 | 2024-12-04 | In procfile_write of drivers/misc/mediatek/connectivity/wlan/gen2/os/linux/gl_proc.c, there is a possible OOB write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User... |
| CVE-2024-12151 | 2024-12-04 | Incorrect permission assignment in the user migration feature in Devolutions Server 2024.3.8.0 and earlier allows users to retain their old permission sets. |
| CVE-2024-12149 | 2024-12-04 | Incorrect permission assignment in temporary access requests component in Devolutions Remote Desktop Manager 2024.3.19.0 and earlier on Windows allows an authenticated user that requests temporary permissions on an entry to... |
| CVE-2024-12148 | 2024-12-04 | Incorrect authorization in permission validation component in Devolutions Server 2024.3.6.0 and earlier allows an authenticated user to access some reporting endpoints. |
| CVE-2018-9394 | 2024-12-04 | In mtk_p2p_wext_set_key of drivers/misc/mediatek/connectivity/wlan/gen2/os/linux/gl_p2p.c, there is a possible OOB write due to improper input validation. This could lead to local escalation of privilege with System execution privileges needed. User interaction... |
| CVE-2018-9395 | 2024-12-04 | In mtk_cfg80211_vendor_packet_keep_alive_start and mtk_cfg80211_vendor_set_config of drivers/misc/mediatek/connectivity/wlan/gen2/os/linux/gl_vendor.c, there is a possible OOB write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges... |
| CVE-2024-12147 | 2024-12-04 | Netgear R6900 HTTP Header upgrade_check.cgi buffer overflow |
| CVE-2024-38829 | 2024-12-04 | Spring LDAP sensitive data exposure for case-sensitive comparisons |
| CVE-2018-9396 | 2024-12-04 | In rpc_msg_handler and related handlers of drivers/misc/mediatek/eccci/port_rpc.c, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with... |