Vulnerabilities (CVE)

Total 27043 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-9812 1 Code-projects 1 Crud Operation System 2024-10-15 7.5 HIGH 9.8 CRITICAL
A vulnerability classified as critical was found in code-projects Crud Operation System 1.0. This vulnerability affects unknown code of the file delete.php. The manipulation of the argument sid leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
CVE-2024-9811 1 Code-projects 1 Restaurant Reservation System 2024-10-15 7.5 HIGH 9.8 CRITICAL
A vulnerability classified as critical has been found in code-projects Restaurant Reservation System 1.0. This affects an unknown part of the file filter3.php. The manipulation of the argument company leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
CVE-2024-9794 1 Codezips 1 Online Shopping Portal 2024-10-15 6.5 MEDIUM 9.8 CRITICAL
A vulnerability, which was classified as critical, has been found in Codezips Online Shopping Portal 1.0. This issue affects some unknown processing of the file /update-image1.php. The manipulation of the argument productimage1 leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
CVE-2024-9796 1 Internet-formation 1 Wp-advanced-search 2024-10-15 N/A 9.8 CRITICAL
The WP-Advanced-Search WordPress plugin before 3.3.9.2 does not sanitize and escape the t parameter before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks
CVE-2024-42640 2024-10-15 N/A 9.8 CRITICAL
angular-base64-upload prior to v0.1.21 is vulnerable to unauthenticated remote code execution via demo/server.php. Exploiting this vulnerability allows an attacker to upload arbitrary content to the server, which can subsequently be accessed through demo/uploads. This leads to the execution of previously uploaded content and enables the attacker to achieve code execution on the server. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
CVE-2024-46045 1 Tenda 2 Ch22, Ch22 Firmware 2024-10-15 N/A 9.8 CRITICAL
Tenda CH22 V1.0.0.6(468) has a stack overflow vulnerability located in the frmL7PlotForm function.
CVE-2024-9518 1 Wpuserplus 1 Userplus 2024-10-15 N/A 9.8 CRITICAL
The UserPlus plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 2.0 due to insufficient restriction on the 'form_actions' and 'userplus_update_user_profile' functions. This makes it possible for unauthenticated attackers to specify their user role by supplying the 'role' parameter during a registration.
CVE-2024-46088 2024-10-15 N/A 9.8 CRITICAL
An arbitrary file upload vulnerability in the ProductAction.entphone interface of Zhejiang University Entersoft Customer Resource Management System v2002 to v2024 allows attackers to execute arbitrary code via uploading a crafted file.
CVE-2024-9234 2024-10-15 N/A 9.8 CRITICAL
The GutenKit – Page Builder Blocks, Patterns, and Templates for Gutenberg Block Editor plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the install_and_activate_plugin_from_external() function (install-active-plugin REST API endpoint) in all versions up to, and including, 2.1.0. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins, or utilize the functionality to upload arbitrary files spoofed like plugins.
CVE-2024-47875 2024-10-15 N/A 10.0 CRITICAL
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMpurify was vulnerable to nesting-based mXSS. This vulnerability is fixed in 2.5.0 and 3.1.3.
CVE-2024-9924 2024-10-15 N/A 9.8 CRITICAL
The fix for CVE-2024-26261 was incomplete, and and the specific package for OAKlouds from Hgiga remains at risk. Unauthenticated remote attackers still can download arbitrary system files, which may be deleted subsequently .
CVE-2024-48033 2024-10-15 N/A 9.8 CRITICAL
Deserialization of Untrusted Data vulnerability in Elie Burstein, Baptiste Gourdin Talkback allows Object Injection.This issue affects Talkback: from n/a through 1.0.
CVE-2024-9982 2024-10-15 N/A 9.8 CRITICAL
AIM LINE Marketing Platform from Esi Technology does not properly validate a specific query parameter. When the LINE Campaign Module is enabled, unauthenticated remote attackers can inject arbitrary FetchXml commands to read, modify, and delete database content.
CVE-2024-45698 1 Dlink 2 Dir-x4860, Dir-x4860 Firmware 2024-10-15 N/A 9.8 CRITICAL
Certain models of D-Link wireless routers do not properly validate user input in the telnet service, allowing unauthenticated remote attackers to use hard-coded credentials to log into telnet and inject arbitrary OS commands, which can then be executed on the device.
CVE-2024-9142 2024-10-14 N/A 9.8 CRITICAL
External Control of File Name or Path, : Incorrect Permission Assignment for Critical Resource vulnerability in Olgu Computer Systems e-Belediye allows Manipulating Web Input to File System Calls.This issue affects e-Belediye: before 2.0.642.
CVE-2024-45746 2024-10-11 N/A 9.8 CRITICAL
An issue was discovered in Trusted Firmware-M through 2.1.0. User provided (and controlled) mailbox messages contain a pointer to a list of input arguments (in_vec) and output arguments (out_vec). These list pointers are never validated. Each argument list contains a buffer pointer and a buffer length field. After a PSA call, the length of the output arguments behind the unchecked pointer is updated in mailbox_direct_reply, regardless of the call result. This allows an attacker to write anywhere in the secure firmware, which can be used to take over the control flow, leading to remote code execution (RCE).
CVE-2024-25825 2024-10-11 N/A 9.8 CRITICAL
FydeOS for PC 17.1 R114, FydeOS for VMware 17.0 R114, FydeOS for You 17.1 R114, and OpenFyde R114 were discovered to be configured with the root password saved as a wildcard. This allows attackers to gain root access without a password.
CVE-2024-47553 1 Siemens 1 Sinec Security Monitor 2024-10-11 N/A 9.9 CRITICAL
A vulnerability has been identified in Siemens SINEC Security Monitor (All versions < V4.9.0). The affected application does not properly validate user input to the ```ssmctl-client``` command. This could allow an authenticated, lowly privileged remote attacker to execute arbitrary code with root privileges on the underlying OS.
CVE-2024-44400 1 Dlink 2 Di-8400, Di-8400 Firmware 2024-10-11 N/A 9.8 CRITICAL
A vulnerability was discovered in DI_8400-16.07.26A1, which has been classified as critical. This issue affects the upgrade_filter_asp function in the upgrade_filter.asp file. Manipulation of the path parameter can lead to command injection.
CVE-2024-46446 1 Mecha-cms 1 Mecha 2024-10-11 N/A 9.8 CRITICAL
Mecha CMS 3.0.0 is vulnerable to Directory Traversal. An attacker can construct cookies and URIs that bypass user identity checks. Parameters can then be passed through the POST method, resulting in the Deletion of Arbitrary Files or Website Takeover.