Total
82118 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2024-45254 | 2024-11-15 | N/A | 7.5 HIGH | ||
VaeMendis - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | |||||
CVE-2024-52371 | 2024-11-15 | N/A | 8.6 HIGH | ||
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in DonnellC Global Gateway e4 | Payeezy Gateway.This issue affects Global Gateway e4 | Payeezy Gateway: from n/a through 2.0. | |||||
CVE-2024-47915 | 2024-11-15 | N/A | 7.5 HIGH | ||
VaeMendis - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor | |||||
CVE-2024-51684 | 2024-11-15 | N/A | 7.1 HIGH | ||
Cross-Site Request Forgery (CSRF) vulnerability in Ciprian Popescu W3P SEO allows Stored XSS.This issue affects W3P SEO: from n/a before 1.8.6. | |||||
CVE-2024-11206 | 2024-11-15 | N/A | 7.5 HIGH | ||
Unauthorized access vulnerability in the mobile application (com.transsion.phoenix) can lead to the leakage of user information. | |||||
CVE-2024-6068 | 2024-11-15 | N/A | 7.3 HIGH | ||
A memory corruption vulnerability exists in the affected products when parsing DFT files. Local threat actors can exploit this issue to disclose information and to execute arbitrary code. To exploit this vulnerability a legitimate user must open a malicious DFT file. | |||||
CVE-2024-47916 | 2024-11-15 | N/A | 7.5 HIGH | ||
Boa web server - CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | |||||
CVE-2024-45253 | 2024-11-15 | N/A | 7.5 HIGH | ||
Avigilon – CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | |||||
CVE-2024-10962 | 2024-11-15 | N/A | 8.8 HIGH | ||
The Migration, Backup, Staging – WPvivid plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 0.9.107 via deserialization of untrusted input in the 'replace_row_data' and 'replace_serialize_data' functions. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. An administrator must create a staging site to trigger the exploit. | |||||
CVE-2024-51659 | 2024-11-15 | N/A | 7.1 HIGH | ||
Cross-Site Request Forgery (CSRF) vulnerability in GeekRMX Twitter @Anywhere Plus allows Stored XSS.This issue affects Twitter @Anywhere Plus: from n/a through 2.0. | |||||
CVE-2024-9463 | 1 Paloaltonetworks | 1 Expedition | 2024-11-15 | N/A | 7.5 HIGH |
An OS command injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls. | |||||
CVE-2024-49381 | 1 Plenti | 1 Plenti | 2024-11-14 | N/A | 7.5 HIGH |
Plenti, a static site generator, has an arbitrary file deletion vulnerability in versions prior to 0.7.2. The `/postLocal` endpoint is vulnerable to an arbitrary file write deletion when a plenti user serves their website. This issue may lead to information loss. Version 0.7.2 fixes the vulnerability. | |||||
CVE-2024-49376 | 1 Autolabproject | 1 Autolab | 2024-11-14 | N/A | 8.8 HIGH |
Autolab, a course management service that enables auto-graded programming assignments, has misconfigured reset password permissions in version 3.0.0. For email-based accounts, users with insufficient privileges could reset and theoretically access privileged users' accounts by resetting their passwords. This issue is fixed in version 3.0.1. No known workarounds exist. | |||||
CVE-2024-43093 | 1 Google | 1 Android | 2024-11-14 | N/A | 7.8 HIGH |
In shouldHideDocument of ExternalStorageProvider.java, there is a possible bypass of a file path filter designed to prevent access to sensitive directories due to incorrect unicode normalization. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation. | |||||
CVE-2024-25431 | 1 Bytecodealliance | 1 Webassembly Micro Runtime | 2024-11-14 | N/A | 7.8 HIGH |
An issue in bytecodealliance wasm-micro-runtime before v.b3f728c and fixed in commit 06df58f allows a remote attacker to escalate privileges via a crafted file to the check_was_abi_compatibility function. | |||||
CVE-2024-50634 | 1 Sbond | 1 Watcharr | 2024-11-14 | N/A | 8.8 HIGH |
A vulnerability in a weak JWT token in Watcharr v1.43.0 and below allows attackers to perform privilege escalation using a crafted JWT token. This vulnerability is not limited to privilege escalation but also affects all functions that require authentication. | |||||
CVE-2024-46956 | 3 Artifex, Debian, Suse | 5 Ghostscript, Debian Linux, Linux Enterprise High Performance Computing and 2 more | 2024-11-14 | N/A | 7.8 HIGH |
An issue was discovered in psi/zfile.c in Artifex Ghostscript before 10.04.0. Out-of-bounds data access in filenameforall can lead to arbitrary code execution. | |||||
CVE-2024-36513 | 1 Fortinet | 1 Forticlient | 2024-11-14 | N/A | 8.8 HIGH |
A privilege context switching error vulnerability [CWE-270] in FortiClient Windows version 7.2.4 and below, version 7.0.12 and below, 6.4 all versions may allow an authenticated user to escalate their privileges via lua auto patch scripts. | |||||
CVE-2024-36507 | 1 Fortinet | 1 Forticlient | 2024-11-14 | N/A | 7.8 HIGH |
A untrusted search path in Fortinet FortiClientWindows versions 7.4.0, versions 7.2.4 through 7.2.0, versions 7.0.12 through 7.0.0 allows an attacker to run arbitrary code via DLL hijacking and social engineering. | |||||
CVE-2024-51484 | 1 Ampache | 1 Ampache | 2024-11-14 | N/A | 8.1 HIGH |
Ampache is a web based audio/video streaming application and file manager. The current implementation of token parsing fails to properly validate CSRF tokens when activating or deactivating controllers. This vulnerability allows an attacker to exploit CSRF attacks, potentially enabling them to change website features that should only be managed by administrators through malicious requests. This issue has been addressed in version 7.0.1 and all users are advised to upgrade. There are no known workarounds for this vulnerability. |