Vulnerabilities (CVE)

Total 82118 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-45254 2024-11-15 N/A 7.5 HIGH
VaeMendis - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-52371 2024-11-15 N/A 8.6 HIGH
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in DonnellC Global Gateway e4 | Payeezy Gateway.This issue affects Global Gateway e4 | Payeezy Gateway: from n/a through 2.0.
CVE-2024-47915 2024-11-15 N/A 7.5 HIGH
VaeMendis - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2024-51684 2024-11-15 N/A 7.1 HIGH
Cross-Site Request Forgery (CSRF) vulnerability in Ciprian Popescu W3P SEO allows Stored XSS.This issue affects W3P SEO: from n/a before 1.8.6.
CVE-2024-11206 2024-11-15 N/A 7.5 HIGH
Unauthorized access vulnerability in the mobile application (com.transsion.phoenix) can lead to the leakage of user information.
CVE-2024-6068 2024-11-15 N/A 7.3 HIGH
A memory corruption vulnerability exists in the affected products when parsing DFT files. Local threat actors can exploit this issue to disclose information and to execute arbitrary code. To exploit this vulnerability a legitimate user must open a malicious DFT file.
CVE-2024-47916 2024-11-15 N/A 7.5 HIGH
Boa web server - CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2024-45253 2024-11-15 N/A 7.5 HIGH
Avigilon – CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2024-10962 2024-11-15 N/A 8.8 HIGH
The Migration, Backup, Staging – WPvivid plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 0.9.107 via deserialization of untrusted input in the 'replace_row_data' and 'replace_serialize_data' functions. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. An administrator must create a staging site to trigger the exploit.
CVE-2024-51659 2024-11-15 N/A 7.1 HIGH
Cross-Site Request Forgery (CSRF) vulnerability in GeekRMX Twitter @Anywhere Plus allows Stored XSS.This issue affects Twitter @Anywhere Plus: from n/a through 2.0.
CVE-2024-9463 1 Paloaltonetworks 1 Expedition 2024-11-15 N/A 7.5 HIGH
An OS command injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to run arbitrary OS commands as root in Expedition, resulting in disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.
CVE-2024-49381 1 Plenti 1 Plenti 2024-11-14 N/A 7.5 HIGH
Plenti, a static site generator, has an arbitrary file deletion vulnerability in versions prior to 0.7.2. The `/postLocal` endpoint is vulnerable to an arbitrary file write deletion when a plenti user serves their website. This issue may lead to information loss. Version 0.7.2 fixes the vulnerability.
CVE-2024-49376 1 Autolabproject 1 Autolab 2024-11-14 N/A 8.8 HIGH
Autolab, a course management service that enables auto-graded programming assignments, has misconfigured reset password permissions in version 3.0.0. For email-based accounts, users with insufficient privileges could reset and theoretically access privileged users' accounts by resetting their passwords. This issue is fixed in version 3.0.1. No known workarounds exist.
CVE-2024-43093 1 Google 1 Android 2024-11-14 N/A 7.8 HIGH
In shouldHideDocument of ExternalStorageProvider.java, there is a possible bypass of a file path filter designed to prevent access to sensitive directories due to incorrect unicode normalization. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.
CVE-2024-25431 1 Bytecodealliance 1 Webassembly Micro Runtime 2024-11-14 N/A 7.8 HIGH
An issue in bytecodealliance wasm-micro-runtime before v.b3f728c and fixed in commit 06df58f allows a remote attacker to escalate privileges via a crafted file to the check_was_abi_compatibility function.
CVE-2024-50634 1 Sbond 1 Watcharr 2024-11-14 N/A 8.8 HIGH
A vulnerability in a weak JWT token in Watcharr v1.43.0 and below allows attackers to perform privilege escalation using a crafted JWT token. This vulnerability is not limited to privilege escalation but also affects all functions that require authentication.
CVE-2024-46956 3 Artifex, Debian, Suse 5 Ghostscript, Debian Linux, Linux Enterprise High Performance Computing and 2 more 2024-11-14 N/A 7.8 HIGH
An issue was discovered in psi/zfile.c in Artifex Ghostscript before 10.04.0. Out-of-bounds data access in filenameforall can lead to arbitrary code execution.
CVE-2024-36513 1 Fortinet 1 Forticlient 2024-11-14 N/A 8.8 HIGH
A privilege context switching error vulnerability [CWE-270] in FortiClient Windows version 7.2.4 and below, version 7.0.12 and below, 6.4 all versions may allow an authenticated user to escalate their privileges via lua auto patch scripts.
CVE-2024-36507 1 Fortinet 1 Forticlient 2024-11-14 N/A 7.8 HIGH
A untrusted search path in Fortinet FortiClientWindows versions 7.4.0, versions 7.2.4 through 7.2.0, versions 7.0.12 through 7.0.0 allows an attacker to run arbitrary code via DLL hijacking and social engineering.
CVE-2024-51484 1 Ampache 1 Ampache 2024-11-14 N/A 8.1 HIGH
Ampache is a web based audio/video streaming application and file manager. The current implementation of token parsing fails to properly validate CSRF tokens when activating or deactivating controllers. This vulnerability allows an attacker to exploit CSRF attacks, potentially enabling them to change website features that should only be managed by administrators through malicious requests. This issue has been addressed in version 7.0.1 and all users are advised to upgrade. There are no known workarounds for this vulnerability.