Total
27033 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-0002 | 1 Purestorage | 1 Purity\/\/fa | 2024-09-27 | N/A | 9.8 CRITICAL |
| A condition exists in FlashArray Purity whereby an attacker can employ a privileged account allowing remote access to the array. | |||||
| CVE-2024-0001 | 1 Purestorage | 1 Purity\/\/fa | 2024-09-27 | N/A | 9.8 CRITICAL |
| A condition exists in FlashArray Purity whereby a local account intended for initial array configuration remains active potentially allowing a malicious actor to gain elevated privileges. | |||||
| CVE-2024-47088 | 1 Apexsoftcell | 2 Ld Dp Back Office, Ld Geo | 2024-09-26 | N/A | 9.8 CRITICAL |
| This vulnerability exists in Apex Softcell LD Geo due to missing restrictions for excessive failed authentication attempts on its API based login. A remote attacker could exploit this vulnerability by conducting a brute force attack on login OTP, which could lead to gain unauthorized access to other user accounts. | |||||
| CVE-2024-7493 | 1 Wpcom | 1 Wpcom Member | 2024-09-26 | N/A | 9.8 CRITICAL |
| The WPCOM Member plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.5.2.1. This is due to the plugin allowing arbitrary data to be passed to wp_insert_user() during registration. This makes it possible for unauthenticated attackers to update their role to that of an administrator during registration. | |||||
| CVE-2024-8624 | 1 Pluginus | 1 Wordpress Meta Data And Taxonomies Filter | 2024-09-26 | N/A | 9.9 CRITICAL |
| The MDTF – Meta Data and Taxonomies Filter plugin for WordPress is vulnerable to SQL Injection via the 'meta_key' attribute of the 'mdf_select_title' shortcode in all versions up to, and including, 1.3.3.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | |||||
| CVE-2024-8671 | 1 Exthemes | 1 Wooevents | 2024-09-26 | N/A | 9.1 CRITICAL |
| The WooEvents - Calendar and Event Booking plugin for WordPress is vulnerable to arbitrary file overwrite due to insufficient file path validation in the inc/barcode.php file in all versions up to, and including, 4.1.2. This makes it possible for unauthenticated attackers to overwrite arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | |||||
| CVE-2024-9080 | 1 Code-projects | 1 Student Record System | 2024-09-26 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability was found in code-projects Student Record System 1.0. It has been classified as critical. Affected is an unknown function of the file /pincode-verification.php. The manipulation of the argument pincode leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-9079 | 1 Code-projects | 1 Student Record System | 2024-09-26 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability was found in code-projects Student Record System 1.0 and classified as critical. This issue affects some unknown processing of the file /marks.php. The manipulation of the argument coursename leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-9078 | 1 Code-projects | 1 Student Record System | 2024-09-26 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability has been found in code-projects Student Record System 1.0 and classified as critical. This vulnerability affects unknown code of the file /course.php. The manipulation of the argument coursename leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-8791 | 1 Wpcharitable | 1 Charitable | 2024-09-26 | N/A | 9.8 CRITICAL |
| The Donation Forms by Charitable – Donations Plugin & Fundraising Platform for WordPress plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.8.1.14. This is due to the plugin not properly verifying a user's identity when the ID parameter is supplied through the update_core_user() function. This makes it possible for unauthenticated attackers to update the email address and password of arbitrary user accounts, including administrators, which can then be used to log in to those user accounts. | |||||
| CVE-2024-46957 | 2024-09-26 | N/A | 9.8 CRITICAL | ||
| Mellium mellium.im/xmpp 0.0.1 through 0.21.4 allows response spoofing if the implementation uses predictable IDs because the stanza type is not checked. This is fixed in 0.22.0. | |||||
| CVE-2024-9086 | 1 Code-projects | 1 Restaurant Reservation System | 2024-09-26 | 6.5 MEDIUM | 9.8 CRITICAL |
| A vulnerability classified as critical has been found in code-projects Restaurant Reservation System 1.0. Affected is an unknown function of the file /filter.php. The manipulation of the argument from/to leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The initial researcher advisory only mentions the parameter "from" to be affected. But it must be assumed that parameter "to" is affected as well. | |||||
| CVE-2024-9088 | 1 Razormist | 1 Telecom Billing Management System | 2024-09-26 | 5.8 MEDIUM | 9.8 CRITICAL |
| A vulnerability has been found in SourceCodester Telecom Billing Management System 1.0 and classified as critical. This vulnerability affects the function login. The manipulation of the argument uname leads to buffer overflow. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-9087 | 1 Vehicle Management Project | 1 Vehicle Management | 2024-09-26 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability, which was classified as critical, was found in code-projects Vehicle Management 1.0. This affects an unknown part of the file /edit1.php. The manipulation of the argument sno leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-8277 | 1 Villatheme | 1 Woocommerce Photo Reviews | 2024-09-26 | N/A | 9.8 CRITICAL |
| The WooCommerce Photo Reviews Premium plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.3.13.2. This is due to the plugin not properly validating what user transient is being used in the login() function and not properly verifying the user's identity. This makes it possible for unauthenticated attackers to log in as user that has dismissed an admin notice in the past 30 days, which is often an administrator. Alternatively, a user can log in as any user with any transient that has a valid user_id as the value, though it would be more difficult to exploit this successfully. | |||||
| CVE-2024-9014 | 2024-09-26 | N/A | 9.9 CRITICAL | ||
| pgAdmin versions 8.11 and earlier are vulnerable to a security flaw in OAuth2 authentication. This vulnerability allows an attacker to potentially obtain the client ID and secret, leading to unauthorized access to user data. | |||||
| CVE-2024-45489 | 2024-09-26 | N/A | 9.8 CRITICAL | ||
| Arc before 2024-08-26 allows remote code execution in JavaScript boosts. Boosts that run JavaScript cannot be shared by default; however (because of misconfigured Firebase ACLs), it is possible to create or update a boost using another user's ID. This installs the boost in the victim's browser and runs arbitrary Javascript on that browser in a privileged context. NOTE: this is a no-action cloud vulnerability with zero affected users. | |||||
| CVE-2024-34331 | 2024-09-26 | N/A | 9.8 CRITICAL | ||
| A lack of code signature verification in Parallels Desktop for Mac v19.3.0 and below allows attackers to escalate privileges via a crafted macOS installer, because Parallels Service is setuid root. | |||||
| CVE-2024-42505 | 2024-09-26 | N/A | 9.8 CRITICAL | ||
| Command injection vulnerabilities in the underlying CLI service could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's Access Point management protocol) UDP port (8211). Successful exploitation of these vulnerabilities results in the ability to execute arbitrary code as a privileged user on the underlying operating system. | |||||
| CVE-2024-42506 | 2024-09-26 | N/A | 9.8 CRITICAL | ||
| Command injection vulnerabilities in the underlying CLI service could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's Access Point management protocol) UDP port (8211). Successful exploitation of these vulnerabilities results in the ability to execute arbitrary code as a privileged user on the underlying operating system. | |||||