Lista CVE - 2024 / Luglio
Visualizzazione 301 - 400 di 3115 CVE per Luglio 2024 (Pagina 4 di 32)
| ID CVE | Data | Titolo |
|---|---|---|
| CVE-2024-6126 | 2024-07-03 | Cockpit: authenticated user can kill any process when enabling pam_env's user_readenv option |
| CVE-2024-3332 | 2024-07-03 | bt: host/smp: DoS caused by null pointer dereference |
| CVE-2024-31223 | 2024-07-03 | Fides Information Disclosure Vulnerability in Privacy Center of SERVER_SIDE_FIDES_API_URL |
| CVE-2024-35227 | 2024-07-03 | Discourse vulnerable to DoS through Onebox |
| CVE-2024-5821 | 2024-07-03 | Local File Inclusion (LFI) in stitionai/devika |
| CVE-2024-35234 | 2024-07-03 | Discourse vulnerable to stored-dom XSS via Facebook Oneboxes |
| CVE-2024-36113 | 2024-07-03 | Discourse missing authorization checks for suspending admins/moderators |
| CVE-2024-36122 | 2024-07-03 | Discourse doesn't limit reviewable user serializer payload |
| CVE-2024-37157 | 2024-07-03 | Discourse vulnerable to Server-Side Request Forgery via FastImage |
| CVE-2024-39683 | 2024-07-03 | ZITADEL Vulnerable to Session Information Leakage |
| CVE-2024-34750 | 2024-07-03 | Apache Tomcat: HTTP/2 excess header handling DoS |
| CVE-2024-6383 | 2024-07-03 | MongoDB C Driver bson_string_append may be vulnerable to a buffer overflow |
| CVE-2024-6284 | 2024-07-03 | Improper IPv4 and IPv6 byte order storage in github.com/google/nftables |
| CVE-2024-39211 | 2024-07-04 | Kaiten 57.128.8 allows remote attackers to enumerate user accounts via a crafted POST request, because a login response contains a user_email field only if the user account exists. |
| CVE-2024-39930 | 2024-07-04 | The built-in SSH server of Gogs through 0.13.0 allows argument injection in internal/ssh/ssh.go, leading to remote code execution. Authenticated attackers can exploit this by opening an SSH connection and sending... |
| CVE-2024-39931 | 2024-07-04 | Gogs through 0.13.0 allows deletion of internal files. |
| CVE-2024-39932 | 2024-07-04 | Gogs through 0.13.0 allows argument injection during the previewing of changes. |
| CVE-2024-39933 | 2024-07-04 | Gogs through 0.13.0 allows argument injection during the tagging of a new release. |
| CVE-2024-39934 | 2024-07-04 | Robotmk before 2.0.1 allows a local user to escalate privileges (e.g., to SYSTEM) if automated Python environment setup is enabled, because the "shared holotree usage" feature allows any user to... |
| CVE-2024-39935 | 2024-07-04 | jc21 NGINX Proxy Manager before 2.11.3 allows backend/internal/certificate.js OS command injection by an authenticated user (with certificate management privileges) via untrusted input to the DNS provider configuration. NOTE: this is... |
| CVE-2024-39943 | 2024-07-04 | rejetto HFS (aka HTTP File Server) 3 before 0.52.10 on Linux, UNIX, and macOS allows OS command execution by remote authenticated users (if they have Upload permissions). This occurs because... |
| CVE-2024-39165 | 2024-07-04 | QR/demoapp/qr_image.php in Asial JpGraph Professional through 4.2.6-pro allows remote attackers to execute arbitrary code via a PHP payload in the data parameter in conjunction with a .php file name in... |
| CVE-2024-39929 | 2024-07-04 | Exim through 4.97.1 misparses a multiline RFC 2231 header filename, and thus remote attackers can bypass a $mime_filename extension-blocking protection mechanism, and potentially deliver executable attachments to the mailboxes of... |
| CVE-2024-39936 | 2024-07-04 | An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about... |
| CVE-2024-39937 | 2024-07-04 | supOS 5.0 allows api/image/download?fileName=../ directory traversal for reading files. |
| CVE-2024-38344 | 2024-07-04 | A cross-site request forgery vulnerability exists in WP Tweet Walls versions prior to 1.0.4. If this vulnerability is exploited, an attacker allows a user who logs in to the WordPress... |
| CVE-2024-38345 | 2024-07-04 | A cross-site request forgery vulnerability exists in Sola Testimonials versions prior to 3.0.0. If this vulnerability is exploited, an attacker allows a user who logs in to the WordPress site... |
| CVE-2024-38471 | 2024-07-04 | Multiple TP-LINK products allow a network-adjacent attacker with an administrative privilege to execute arbitrary OS commands by restoring a crafted backup file. The affected device, with the initial configuration, allows... |
| CVE-2024-2385 | 2024-07-04 | Elementor Addons by Livemesh <= 8.3.7 - Authenticated (Contributor+) Limited Local File Inclusion via Widgets |
| CVE-2024-3638 | 2024-07-04 | Elementor Addons by Livemesh <= 8.3.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Marquee Text Widget, Testimonials Widget, and Testimonial Slider Widgets |
| CVE-2024-2926 | 2024-07-04 | Elementor Addons by Livemesh <= 8.3.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Various Widgets |
| CVE-2024-3639 | 2024-07-04 | Elementor Addons by Livemesh <= 8.3.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Posts Grid |
| CVE-2024-5641 | 2024-07-04 | One Click Order Re-Order <= 1.1.9 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting |
| CVE-2024-6318 | 2024-07-04 | IMGspider <= 2.3.10 - Authenticated (Contributor+) Arbitrary File Upload via 'upload_img_file' |
| CVE-2024-6434 | 2024-07-04 | Premium Addons for Elementor <= 4.10.35 - Regular Expressions Denial of Service |
| CVE-2024-6319 | 2024-07-04 | IMGspider <= 2.3.10 - Authenticated (Contributor+) Arbitrary File Upload via 'upload' |
| CVE-2024-39884 | 2024-07-04 | Apache HTTP Server: source code disclosure with handlers configured via AddType |
| CVE-2024-1182 | 2024-07-04 | Uncontrolled Search Path Element vulnerability in ICONICS GENESIS64 all versions, Mitsubishi Electric GENESIS64 all versions and Mitsubishi Electric MC Works64 all versions allows a local attacker to execute a malicious... |
| CVE-2024-1573 | 2024-07-04 | Improper Authentication vulnerability in the mobile monitoring feature of ICONICS GENESIS64 versions 10.97 to 10.97.2, Mitsubishi Electric GENESIS64 versions 10.97 to 10.97.2 and Mitsubishi Electric MC Works64 all versions allows... |
| CVE-2024-1574 | 2024-07-04 | Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in the licensing feature of ICONICS GENESIS64 versions 10.97 to 10.97.2, Mitsubishi Electric GENESIS64 versions 10.97 to 10.97.2... |
| CVE-2024-3904 | 2024-07-04 | Incorrect Default Permissions vulnerability in Smart Device Communication Gateway preinstalled on MELIPC Series MI5122-VW firmware versions "05" to "07" allows a local attacker to execute arbitrary code by saving a... |
| CVE-2024-32754 | 2024-07-04 | Johnson Controls Kantech KT1, KT2, and KT400 Door Controllers - Exposure of Sensitive Information |
| CVE-2024-5943 | 2024-07-04 | Nested Pages <= 3.2.7 - Cross-Site Request Forgery to Local File Inclusion |
| CVE-2024-6507 | 2024-07-04 | Deep Lake Kaggle command injection |
| CVE-2024-6506 | 2024-07-04 | Information exposure vulnerability in the MRW plug-in |
| CVE-2024-22277 | 2024-07-04 | VMware Cloud Director Availability contains an HTML injection vulnerability. A malicious actor with network access to VMware Cloud Director Availability can craft malicious HTML tags to execute within replication tasks. |
| CVE-2024-37476 | 2024-07-04 | WordPress Newspack Campaigns plugin <= 2.31.1 - Cross Site Scripting (XSS) vulnerability |
| CVE-2024-37474 | 2024-07-04 | WordPress Newspack Ads plugin <= 1.47.1 - Cross Site Scripting (XSS) vulnerability |
| CVE-2024-37472 | 2024-07-04 | WordPress Woffice theme <= 5.4.8 - Reflected Cross Site Scripting (XSS) vulnerability |
| CVE-2024-37471 | 2024-07-04 | WordPress Woffice Core plugin <= 5.4.8 - Site Wide Reflected Cross Site Scripting (XSS) vulnerability |
| CVE-2024-6511 | 2024-07-04 | y_project RuoYi Content-Type isJsonRequest cross site scripting |
| CVE-2024-23997 | 2024-07-05 | Lukas Bach yana =<1.0.16 is vulnerable to Cross Site Scripting (XSS) via src/electron-main.ts. |
| CVE-2024-23998 | 2024-07-05 | goanother Another Redis Desktop Manager =<1.6.1 is vulnerable to Cross Site Scripting (XSS) via src/components/Setting.vue. |
| CVE-2024-27709 | 2024-07-05 | SQL Injection vulnerability in Eskooly Web Product v.3.0 allows a remote attacker to execute arbitrary code via the searchby parameter of the allstudents.php component and the id parameter of the... |
| CVE-2024-27710 | 2024-07-05 | An issue in Eskooly Free Online School management Software v.3.0 and before allows a remote attacker to escalate privileges via the authentication mechanism. |
| CVE-2024-27711 | 2024-07-05 | An issue in Eskooly Free Online School management Software v.3.0 and before allows a remote attacker to escalate privileges via the Sin-up process function in the account settings. |
| CVE-2024-27713 | 2024-07-05 | An issue in Eskooly Free Online School management Software v.3.0 and before allows a remote attacker to escalate privileges via the HTTP Response Header Settings component. |
| CVE-2024-27715 | 2024-07-05 | An issue in Eskooly Free Online School management Software v.3.0 and before allows a remote attacker to escalate privileges via a crafted request to the Password Change mechanism. |
| CVE-2024-27716 | 2024-07-05 | Cross Site Scripting vulnerability in Eskooly Web Product v.3.0 and before allows a remote attacker to execute arbitrary code via the message sending and user input fields. |
| CVE-2024-27717 | 2024-07-05 | Cross Site Request Forgery vulnerability in Eskooly Free Online School Management Software v.3.0 and before allows a remote attacker to escalate privileges via the Token Handling component. |
| CVE-2024-29319 | 2024-07-05 | Volmarg Personal Management System 1.4.64 is vulnerable to SSRF (Server Side Request Forgery) via uploading a SVG file. The server can make unintended HTTP and DNS requests to a server... |
| CVE-2024-33862 | 2024-07-05 | A buffer-management vulnerability in OPC Foundation OPCFoundation.NetStandard.Opc.Ua.Core before 1.05.374.54 could allow remote attackers to exhaust memory resources. It is triggered when the system receives an excessive number of messages from... |
| CVE-2024-37767 | 2024-07-05 | Insecure permissions in the component /api/admin/user of 14Finger v1.1 allows attackers to access all user information via a crafted GET request. |
| CVE-2024-37769 | 2024-07-05 | Insecure permissions in 14Finger v1.1 allow attackers to escalate privileges from normal user to Administrator via a crafted POST request. |
| CVE-2024-39019 | 2024-07-05 | idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/idcProData_deal.php?mudi=del |
| CVE-2024-39020 | 2024-07-05 | idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/vpsApiData_deal.php?mudi=rev&nohrefStr=close |
| CVE-2024-39021 | 2024-07-05 | idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/vpsApiData_deal.php?mudi=del |
| CVE-2024-39022 | 2024-07-05 | idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via /admin/infoSys_deal.php?mudi=deal |
| CVE-2024-39023 | 2024-07-05 | idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability via admin/info_deal.php?mudi=add&nohrefStr=close |
| CVE-2024-39028 | 2024-07-05 | An issue was discovered in SeaCMS <=12.9 which allows remote attackers to execute arbitrary code via admin_ping.php. |
| CVE-2024-39150 | 2024-07-05 | vditor v.3.9.8 and before is vulnerable to Arbitrary file read via a crafted data packet. |
| CVE-2024-39174 | 2024-07-05 | A cross-site scripting (XSS) vulnerability in the Publish Article function of yzmcms v7.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into a published... |
| CVE-2024-39178 | 2024-07-05 | MyPower vc8100 V100R001C00B030 was discovered to contain an arbitrary file read vulnerability via the component /tcpdump/tcpdump.php?menu_uuid. |
| CVE-2024-39182 | 2024-07-05 | An information disclosure vulnerability in ISPmanager v6.98.0 allows attackers to access sensitive details of the root user's session via an arbitrary command (ISP6-1779). |
| CVE-2024-39210 | 2024-07-05 | Best House Rental Management System v1.0 was discovered to contain an arbitrary file read vulnerability via the Page parameter at index.php. This vulnerability allows attackers to read arbitrary PHP files... |
| CVE-2023-52340 | 2024-07-05 | The IPv6 implementation in the Linux kernel before 6.3 has a net/ipv6/route.c max_size threshold that can be consumed easily, e.g., leading to a denial of service (network is unreachable errors)... |
| CVE-2024-27712 | 2024-07-05 | An issue in Eskooly Free Online School management Software v.3.0 and before allows a remote attacker to escalate privileges via the User Account Mangemnt component in the authentication mechanism. |
| CVE-2024-29318 | 2024-07-05 | Volmarg Personal Management System 1.4.64 is vulnerable to stored cross site scripting (XSS) via upload of a SVG file with embedded javascript code. |
| CVE-2024-32498 | 2024-07-05 | An issue was discovered in OpenStack Cinder through 24.0.0, Glance before 28.0.2, and Nova before 29.0.3. Arbitrary file access can occur via custom QCOW2 external data. By supplying a crafted... |
| CVE-2024-34481 | 2024-07-05 | drupal-wiki.com Drupal Wiki before 8.31.1 allows XSS via comments, captions, and image titles of a Wiki page. |
| CVE-2024-36041 | 2024-07-05 | KSmserver in KDE Plasma Workspace (aka plasma-workspace) before 5.27.11.1 and 6.x before 6.0.5.1 allows connections via ICE based purely on the host, i.e., all local connections are accepted. This allows... |
| CVE-2024-37768 | 2024-07-05 | 14Finger v1.1 was discovered to contain an arbitrary user deletion vulnerability via the component /api/admin/user?id. |
| CVE-2024-39027 | 2024-07-05 | SeaCMS v12.9 has an unauthorized SQL injection vulnerability. The vulnerability is caused by the SQL injection through the cid parameter at /js/player/dmplayer/dmku/index.php?ac=edit, which can cause sensitive database information to be... |
| CVE-2024-39472 | 2024-07-05 | xfs: fix log recovery buffer allocation for the legacy h_size fixup |
| CVE-2024-39473 | 2024-07-05 | ASoC: SOF: ipc4-topology: Fix input format query of process modules without base extension |
| CVE-2024-39474 | 2024-07-05 | mm/vmalloc: fix vmalloc which may return null if called with __GFP_NOFAIL |
| CVE-2024-39475 | 2024-07-05 | fbdev: savage: Handle err return when savagefb_check_var failed |
| CVE-2024-39476 | 2024-07-05 | md/raid5: fix deadlock that raid5d() wait for itself to clear MD_SB_CHANGE_PENDING |
| CVE-2024-39477 | 2024-07-05 | mm/hugetlb: do not call vma_add_reservation upon ENOMEM |
| CVE-2024-39478 | 2024-07-05 | crypto: starfive - Do not free stack buffer |
| CVE-2024-39479 | 2024-07-05 | drm/i915/hwmon: Get rid of devm |
| CVE-2024-39480 | 2024-07-05 | kdb: Fix buffer overflow during tab-complete |
| CVE-2024-39481 | 2024-07-05 | media: mc: Fix graph walk in media_pipeline_start |
| CVE-2024-39482 | 2024-07-05 | bcache: fix variable length array abuse in btree_iter |
| CVE-2024-39483 | 2024-07-05 | KVM: SVM: WARN on vNMI + NMI window iff NMIs are outright masked |
| CVE-2024-39484 | 2024-07-05 | mmc: davinci: Don't strip remove function when driver is builtin |
| CVE-2024-39485 | 2024-07-05 | media: v4l: async: Properly re-initialise notifier entry in unregister |
| CVE-2024-6523 | 2024-07-05 | ZKTeco BioTime system-group-add cross site scripting |
| CVE-2024-6298 | 2024-07-05 | remote code execution |
| CVE-2024-6209 | 2024-07-05 | unauthorized file access |