Total
106 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2004-0285 | 3 Allmyguests Project, Allmylinks Project, Allmyvisitors Project | 3 Allmyguests, Allmylinks, Allmyvisitors | 2024-11-20 | 7.5 HIGH | 9.8 CRITICAL |
| PHP remote file inclusion vulnerabilities in include/footer.inc.php in (1) AllMyVisitors, (2) AllMyLinks, and (3) AllMyGuests allow remote attackers to execute arbitrary PHP code via a URL in the _AMVconfig[cfg_serverpath] parameter. | |||||
| CVE-2004-0030 | 1 Phpgedview | 1 Phpgedview | 2024-11-20 | 7.5 HIGH | 9.8 CRITICAL |
| PHP remote file inclusion vulnerability in (1) functions.php, (2) authentication_index.php, and (3) config_gedcom.php for PHPGEDVIEW 2.61 allows remote attackers to execute arbitrary PHP code by modifying the PGV_BASE_DIRECTORY parameter to reference a URL on a remote web server that contains the code. | |||||
| CVE-2024-48336 | 2024-11-04 | N/A | 8.4 HIGH | ||
| The install() function of ProviderInstaller.java in Magisk App before canary version 27007 does not verify the GMS app before loading it, which allows a local untrusted app with no additional privileges to silently execute arbitrary code in the Magisk app and escalate privileges to root via a crafted package, aka Bug #8279. User interaction is not needed for exploitation. | |||||
| CVE-2024-50497 | 1 Buynowdepot | 1 Advanced Online Ordering And Delivery Platform | 2024-10-31 | N/A | 9.8 CRITICAL |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BuyNowDepot Advanced Online Ordering and Delivery Platform allows PHP Local File Inclusion.This issue affects Advanced Online Ordering and Delivery Platform: from n/a through 2.0.0. | |||||
| CVE-2024-38476 | 2 Apache, Netapp | 2 Http Server, Clustered Data Ontap | 2024-10-29 | N/A | 9.8 CRITICAL |
| Vulnerability in core of Apache HTTP Server 2.4.59 and earlier are vulnerably to information disclosure, SSRF or local script execution via backend applications whose response headers are malicious or exploitable. Users are recommended to upgrade to version 2.4.60, which fixes this issue. | |||||
| CVE-2022-24329 | 2 Jetbrains, Oracle | 3 Kotlin, Communications Cloud Native Core Binding Support Function, Communications Pricing Design Center | 2024-10-29 | 5.0 MEDIUM | 5.3 MEDIUM |
| In JetBrains Kotlin before 1.6.0, it was not possible to lock dependencies for Multiplatform Gradle Projects. | |||||
| CVE-2024-49243 | 1 Jonvincentmendoza | 1 Dynamic Elementor Addons | 2024-10-22 | N/A | 8.8 HIGH |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Jon Vincent Mendoza Dynamic Elementor Addons allows PHP Local File Inclusion.This issue affects Dynamic Elementor Addons: from n/a through 1.0.0. | |||||
| CVE-2024-30092 | 2024-10-10 | N/A | 8.0 HIGH | ||
| Windows Hyper-V Remote Code Execution Vulnerability | |||||
| CVE-2022-49038 | 1 Synology | 1 Drive Client | 2024-10-08 | N/A | 7.8 HIGH |
| Inclusion of functionality from untrusted control sphere vulnerability in OpenSSL DLL component in Synology Drive Client before 3.3.0-15082 allows local users to execute arbitrary code via unspecified vectors. | |||||
| CVE-2024-45416 | 2024-09-20 | N/A | 8.1 HIGH | ||
| The HTTPD binary in multiple ZTE routers has a local file inclusion vulnerability in session_init function. The session -LUA- files are stored in the directory /var/lua_session, the function iterates on all files in this directory and executes them using the function dofile without any validation if it is a valid session file or not. An attacker who is able to write a malicious file in the sessions directory can get RCE as root. | |||||
| CVE-2024-29073 | 1 Ankiweb | 1 Anki | 2024-09-18 | N/A | 6.5 MEDIUM |
| An vulnerability in the handling of Latex exists in Ankitects Anki 24.04. When Latex is sanitized to prevent unsafe commands, the verbatim package, which comes installed by default in many Latex distributions, has been overlooked. A specially crafted flashcard can lead to an arbitrary file read. An attacker can share a flashcard to trigger this vulnerability. | |||||
| CVE-2024-43690 | 2024-09-11 | N/A | 8.0 HIGH | ||
| Inclusion of Functionality from Untrusted Control Sphere(CWE-829) in the Command Centre Server and Workstations may allow an attacker to perform Remote Code Execution (RCE). This issue affects: Command Centre Server and Command Centre Workstations 9.10 prior to vEL9.10.1530 (MR2), 9.00 prior to vEL9.00.2168 (MR4), 8.90 prior to vEL8.90.2155 (MR5), 8.80 prior to vEL8.80.1938 (MR6), all versions of 8.70 and prior. | |||||
| CVE-2024-8252 | 1 Codection | 1 Clean Login | 2024-09-03 | N/A | 8.8 HIGH |
| The Clean Login plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.14.5 via the 'template' attribute of the clean-login-register shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. | |||||
| CVE-2023-5523 | 1 M-files | 1 Web Companion | 2024-08-28 | N/A | 7.8 HIGH |
| Execution of downloaded content flaw in M-Files Web Companion before release version 23.10 and LTS Service Release Versions before 23.8 LTS SR1 allows Remote Code Execution | |||||
| CVE-2022-29845 | 1 Progress | 1 Whatsup Gold | 2024-08-27 | 4.0 MEDIUM | 6.5 MEDIUM |
| In Progress Ipswitch WhatsUp Gold 21.1.0 through 21.1.1, and 22.0.0, it is possible for an authenticated user to invoke an API transaction that would allow them to read the contents of a local file. | |||||
| CVE-2024-5762 | 1 Zen-cart | 1 Zen Cart | 2024-08-23 | N/A | 8.1 HIGH |
| Zen Cart findPluginAdminPage Local File Inclusion Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Zen Cart. Authentication is not required to exploit this vulnerability. The specific flaw exists within the findPluginAdminPage function. The issue results from the lack of proper validation of user-supplied data prior to passing it to a PHP include function. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the service account. Was ZDI-CAN-21408. | |||||
| CVE-2022-46302 | 1 Checkmk | 1 Checkmk | 2024-07-23 | N/A | 8.8 HIGH |
| Broad access controls could allow site users to directly interact with the system Apache installation when providing the reverse proxy configurations for Tribe29's Checkmk <= 2.1.0p6, Checkmk <= 2.0.0p27, and all versions of Checkmk 1.6.0 (EOL) allowing an attacker to perform remote code execution with root privileges on the underlying host. | |||||
| CVE-2021-41037 | 1 Eclipse | 1 Equinox P2 | 2024-07-12 | 6.8 MEDIUM | 8.0 HIGH |
| In Eclipse p2, installable units are able to alter the Eclipse Platform installation and the local machine via touchpoints during installation. Those touchpoints can, for example, alter the command-line used to start the application, injecting things like agent or other settings that usually require particular attention in term of security. Although p2 has built-in strategies to ensure artifacts are signed and then to help establish trust, there is no such strategy for the metadata part that does configure such touchpoints. As a result, it's possible to install a unit that will run malicious code during installation without user receiving any warning about this installation step being risky when coming from untrusted source. | |||||
| CVE-2024-38537 | 2024-07-03 | N/A | N/A | ||
| Fides is an open-source privacy engineering platform. `fides.js`, a client-side script used to interact with the consent management features of Fides, used the `polyfill.io` domain in a very limited edge case, when it detected a legacy browser such as IE11 that did not support the fetch standard. Therefore it was possible for users of legacy, pre-2017 browsers who navigate to a page serving `fides.js` to download and execute malicious scripts from the `polyfill.io` domain when the domain was compromised and serving malware. No exploitation of `fides.js` via `polyfill.io` has been identified as of time of publication. The vulnerability has been patched in Fides version `2.39.1`. Users are advised to upgrade to this version or later to secure their systems against this threat. On Thursday, June 27, 2024, Cloudflare and Namecheap intervened at a domain level to ensure `polyfill.io` and its subdomains could not resolve to the compromised service, rendering this vulnerability unexploitable. Prior to the domain level intervention, there were no server-side workarounds and the confidentiality, integrity, and availability impacts of this vulnerability were high. Clients could ensure they were not affected by using a modern browser that supported the fetch standard. | |||||
| CVE-2024-5693 | 2024-07-03 | N/A | 6.1 MEDIUM | ||
| Offscreen Canvas did not properly track cross-origin tainting, which could be used to access image data from another site in violation of same-origin policy. This vulnerability affects Firefox < 127, Firefox ESR < 115.12, and Thunderbird < 115.12. | |||||