Total
79803 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-42314 | 1 Linux | 1 Linux Kernel | 2024-09-04 | N/A | 7.8 HIGH |
| In the Linux kernel, the following vulnerability has been resolved: btrfs: fix extent map use-after-free when adding pages to compressed bio At add_ra_bio_pages() we are accessing the extent map to calculate 'add_size' after we dropped our reference on the extent map, resulting in a use-after-free. Fix this by computing 'add_size' before dropping our extent map reference. | |||||
| CVE-2024-41435 | 2024-09-03 | N/A | 7.5 HIGH | ||
| YugabyteDB v2.21.1.0 was discovered to contain a buffer overflow via the "insert into" parameter. | |||||
| CVE-2024-8344 | 1 Campcodes | 1 Supplier Management System | 2024-09-03 | 6.5 MEDIUM | 8.8 HIGH |
| A vulnerability has been found in Campcodes Supplier Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin/edit_area.php. The manipulation of the argument id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-41226 | 1 Automationanywhere | 1 Automation 360 | 2024-09-03 | N/A | 7.8 HIGH |
| A CSV injection vulnerability in Automation Anywhere Automation 360 version 21094 allows attackers to execute arbitrary code via a crafted payload. NOTE: Automation Anywhere disputes this report, arguing the attacker executes everything from the client side and does not attack the Control Room. The payload is being injected in the http Response from the client-side, so the owner of the Response and payload is the end user in this case. They contend that the server's security controls have no impact or role to play in this situation and therefore this is not a valid vulnerability. | |||||
| CVE-2024-7943 | 1 Adonesevangelista | 1 Laravel Property Management System | 2024-09-03 | 6.5 MEDIUM | 8.8 HIGH |
| A vulnerability was found in itsourcecode Laravel Property Management System 1.0 and classified as critical. This issue affects the function upload of the file PropertiesController.php. The manipulation of the argument file leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-41436 | 2024-09-03 | N/A | 7.5 HIGH | ||
| ClickHouse v24.3.3.102 was discovered to contain a buffer overflow via the component DB::evaluateConstantExpressionImpl. | |||||
| CVE-2024-41698 | 1 Priority-software | 1 Priority | 2024-09-03 | N/A | 7.5 HIGH |
| Priority – CWE-200: Exposure of Sensitive Information to an Unauthorized Actor | |||||
| CVE-2024-41699 | 1 Priority-software | 1 Priority | 2024-09-03 | N/A | 7.5 HIGH |
| Priority – CWE-552: Files or Directories Accessible to External Parties | |||||
| CVE-2024-41518 | 1 Mecodia | 1 Feripro | 2024-09-03 | N/A | 7.5 HIGH |
| An Incorrect Access Control vulnerability in "/admin/programm/<program_id>/export/statistics" in Feripro <= v2.2.3 allows remote attackers to export an XLSX file with information about registrations and participants. | |||||
| CVE-2024-42902 | 2024-09-03 | N/A | 8.8 HIGH | ||
| An issue in the js_localize.php function of LimeSurvey v6.6.2 and before allows attackers to execute arbitrary code via injecting a crafted payload into the lng parameter of the js_localize.php function | |||||
| CVE-2024-41700 | 1 Barix | 1 Sip Client Firmware | 2024-09-03 | N/A | 7.5 HIGH |
| Barix – CWE-200 Exposure of Sensitive Information to an Unauthorized Actor | |||||
| CVE-2024-42941 | 1 Tenda | 2 Fh1201, Fh1201 Firmware | 2024-09-03 | N/A | 7.5 HIGH |
| Tenda FH1201 v1.2.0.14 (408) was discovered to contain a stack overflow via the wanmode parameter in the fromAdvSetWan function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted POST request. | |||||
| CVE-2024-42940 | 1 Tenda | 2 Fh1201, Fh1201 Firmware | 2024-09-03 | N/A | 7.5 HIGH |
| Tenda FH1201 v1.2.0.14 (408) was discovered to contain a stack overflow via the page parameter in the fromP2pListFilter function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted POST request. | |||||
| CVE-2024-33892 | 1 Hms-networks | 7 Ewon Cosy\+ 4g Apac, Ewon Cosy\+ 4g Eu, Ewon Cosy\+ 4g Jp and 4 more | 2024-09-03 | N/A | 7.5 HIGH |
| Insecure Permissions vulnerability in Cosy+ devices running a firmware 21.x below 21.2s10 or a firmware 22.x below 22.1s3 are susceptible to leaking information through cookies. This is fixed in version 21.2s10 and 22.1s3 | |||||
| CVE-2024-42987 | 1 Tenda | 2 Fh1206, Fh1206 Firmware | 2024-09-03 | N/A | 7.5 HIGH |
| Tenda FH1206 v02.03.01.35 was discovered to contain a stack overflow via the modino parameter in the fromPptpUserAdd function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted POST request. | |||||
| CVE-2024-42948 | 1 Tenda | 2 Fh1201, Fh1201 Firmware | 2024-09-03 | N/A | 7.5 HIGH |
| Tenda FH1201 v1.2.0.14 (408) was discovered to contain a stack overflow via the delno parameter in the fromPptpUserSetting function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted POST request. | |||||
| CVE-2024-6586 | 2024-09-03 | N/A | 7.3 HIGH | ||
| Lightdash version 0.1024.6 allows users with the necessary permissions, such as Administrator or Editor, to create and share dashboards. A dashboard that contains HTML elements which point to a threat actor controlled source can trigger an SSRF request when exported, via a POST request to /api/v1/dashboards//export. The forged request contains the value of the exporting user’s session token. A threat actor could obtain the session token of any user who exports the dashboard. The obtained session token can be used to perform actions as the victim on the application, resulting in session takeover. | |||||
| CVE-2024-2694 | 1 Muffingroup | 1 Betheme | 2024-09-03 | N/A | 8.8 HIGH |
| The Betheme theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 27.5.6 via deserialization of untrusted input of the 'mfn-page-items' post meta value. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. | |||||
| CVE-2024-8016 | 1 Theeventscalendar | 1 Events Calendar Pro | 2024-09-03 | N/A | 7.2 HIGH |
| The Events Calendar Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 7.0.2 via deserialization of untrusted input from the 'filters' parameter in widgets. This makes it possible for authenticated attackers, with administrator-level access and above, to inject a PHP Object. The additional presence of a POP chain allows attackers to execute code remotely. In certain configurations, this can be exploitable by lower level users. We confirmed that this plugin installed with Elementor makes it possible for users with contributor-level access and above to exploit this issue. | |||||
| CVE-2024-8252 | 1 Codection | 1 Clean Login | 2024-09-03 | N/A | 8.8 HIGH |
| The Clean Login plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.14.5 via the 'template' attribute of the clean-login-register shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. | |||||