Total
21864 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2024-32764 | 2024-04-26 | N/A | 9.9 CRITICAL | ||
A missing authentication for critical function vulnerability has been reported to affect myQNAPcloud Link. If exploited, the vulnerability could allow users with the privilege level of some functionality via a network. We have already fixed the vulnerability in the following version: myQNAPcloud Link 2.4.51 and later | |||||
CVE-2023-47222 | 2024-04-26 | N/A | 9.6 CRITICAL | ||
An exposure of sensitive information vulnerability has been reported to affect Media Streaming add-on. If exploited, the vulnerability could allow users to compromise the security of the system via a network. We have already fixed the vulnerability in the following version: Media Streaming add-on 500.1.1.5 ( 2024/01/22 ) and later | |||||
CVE-2024-32766 | 2024-04-26 | N/A | 10.0 CRITICAL | ||
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.3.2578 build 20231110 and later QTS 4.5.4.2627 build 20231225 and later QuTS hero h5.1.3.2578 build 20231110 and later QuTS hero h4.5.4.2626 build 20231225 and later QuTScloud c5.1.5.2651 and later | |||||
CVE-2024-4040 | 1 Crushftp | 1 Crushftp | 2024-04-26 | N/A | 10.0 CRITICAL |
A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows unauthenticated remote attackers to read files from the filesystem outside of the VFS Sandbox, bypass authentication to gain administrative access, and perform remote code execution on the server. | |||||
CVE-2024-3962 | 2024-04-26 | N/A | 9.8 CRITICAL | ||
The Product Addons & Fields for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ppom_upload_file function in all versions up to, and including, 32.0.18. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Successful exploitation requires the PPOM Pro plugin to be installed along with a WooCommerce product that contains a file upload field to retrieve the correct nonce. | |||||
CVE-2024-0916 | 2024-04-26 | N/A | 10.0 CRITICAL | ||
Unauthenticated file upload allows remote code execution. This issue affects UvDesk Community: from 1.0.0 through 1.1.3. | |||||
CVE-2024-0740 | 2024-04-26 | N/A | 9.8 CRITICAL | ||
Eclipse Target Management: Terminal and Remote System Explorer (RSE) version <= 4.5.400 has a remote code execution vulnerability that does not require authentication. The fixed version is included in Eclipse IDE 2024-03 | |||||
CVE-2024-32651 | 2024-04-26 | N/A | 10.0 CRITICAL | ||
changedetection.io is an open source web page change detection, website watcher, restock monitor and notification service. There is a Server Side Template Injection (SSTI) in Jinja2 that allows Remote Command Execution on the server host. Attackers can run any system command without any restriction and they could use a reverse shell. The impact is critical as the attacker can completely takeover the server machine. This can be reduced if changedetection is behind a login page, but this isn't required by the application (not by default and not enforced). | |||||
CVE-2022-36028 | 2024-04-26 | N/A | 9.1 CRITICAL | ||
Greenlight is an end-user interface for BigBlueButton servers. Versions prior to 2.13.0 have an open redirect vulnerability in the Login page due to unchecked the value of the `return_to` cookie. Versions 2.13.0 contains a patch for the issue. | |||||
CVE-2022-36029 | 2024-04-26 | N/A | 9.1 CRITICAL | ||
Greenlight is an end-user interface for BigBlueButton servers. Versions prior to 2.13.0 have an open redirect vulnerability in the Login page due to unchecked the value of the `return_to` cookie. Versions 2.13.0 contains a patch for the issue. | |||||
CVE-2023-41993 | 3 Apple, Debian, Fedoraproject | 6 Ipados, Iphone Os, Macos and 3 more | 2024-04-26 | N/A | 9.8 CRITICAL |
The issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14. Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7. | |||||
CVE-2023-3243 | 1 Honeywell | 2 Alerton Bcm-web, Alerton Bcm-web Firmware | 2024-04-25 | N/A | 9.8 CRITICAL |
** UNSUPPORTED WHEN ASSIGNED ** [An attacker can capture an authenticating hash and utilize it to create new sessions. The hash is also a poorly salted MD5 hash, which could result in a successful brute force password attack. Impacted product is BCM-WEB version 3.3.X. Recommended fix: Upgrade to a supported product such as Alerton ACM.] Out of an abundance of caution, this CVE ID is being assigned to better serve our customers and ensure all who are still running this product understand that the product is end of life and should be removed or upgraded. | |||||
CVE-2024-22144 | 2024-04-25 | N/A | 9.0 CRITICAL | ||
Improper Control of Generation of Code ('Code Injection') vulnerability in Eli Scheetz Anti-Malware Security and Brute-Force Firewall gotmls allows Code Injection.This issue affects Anti-Malware Security and Brute-Force Firewall: from n/a through 4.21.96. | |||||
CVE-2023-51478 | 2024-04-25 | N/A | 9.8 CRITICAL | ||
Improper Authentication vulnerability in Abdul Hakeem Build App Online allows Privilege Escalation.This issue affects Build App Online: from n/a through 1.0.19. | |||||
CVE-2024-31266 | 2024-04-25 | N/A | 9.1 CRITICAL | ||
Improper Control of Generation of Code ('Code Injection') vulnerability in AlgolPlus Advanced Order Export For WooCommerce allows Code Injection.This issue affects Advanced Order Export For WooCommerce: from n/a through 3.4.4. | |||||
CVE-2023-51482 | 2024-04-25 | N/A | 9.9 CRITICAL | ||
Improper Authentication vulnerability in EazyPlugins Eazy Plugin Manager allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Eazy Plugin Manager: from n/a through 4.1.2. | |||||
CVE-2023-51484 | 2024-04-25 | N/A | 9.8 CRITICAL | ||
Improper Authentication vulnerability in wp-buy Login as User or Customer (User Switching) allows Privilege Escalation.This issue affects Login as User or Customer (User Switching): from n/a through 3.8. | |||||
CVE-2024-30560 | 2024-04-25 | N/A | 9.6 CRITICAL | ||
Cross-Site Request Forgery (CSRF) vulnerability in ??WP DX-Watermark.This issue affects DX-Watermark: from n/a through 1.0.4. | |||||
CVE-2024-31380 | 2024-04-25 | N/A | 9.9 CRITICAL | ||
Improper Control of Generation of Code ('Code Injection') vulnerability in Soflyy Oxygen Builder allows Code Injection.This issue affects Oxygen Builder: from n/a through 4.8.2. | |||||
CVE-2023-51425 | 2024-04-24 | N/A | 9.8 CRITICAL | ||
Improper Privilege Management vulnerability in Jacques Malgrange Rencontre – Dating Site allows Privilege Escalation.This issue affects Rencontre – Dating Site: from n/a through 3.10.1. |