Total: 3602 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2024-8271 | 1 Pluginus | 1 Fox - Currency Switcher Professional For Woocommerce | 2024-09-27 | N/A | 7.3 HIGH | The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.4.2.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode in the 'woocs_get_custom_price_html' function. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. |
CVE-2024-8479 | 1 Webliberty | 1 Simple Spoiler | 2024-09-27 | N/A | 7.3 HIGH | The Simple Spoiler plugin for WordPress is vulnerable to arbitrary shortcode execution in versions 1.2 to 1.3. This is due to the plugin adding the filter add_filter('comment_text', 'do_shortcode');, which runs all shortcodes in comments. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. |
CVE-2024-37779 | | | 2024-09-27 | N/A | 8.8 HIGH | WoodWing Elvis DAM v6.98.1 was discovered to contain an authenticated remote command execution (RCE) vulnerability via the Apache Ant script functionality. |
CVE-2024-0004 | 1 Purestorage | 1 Purity//fa | 2024-09-27 | N/A | 7.2 HIGH | A condition exists in FlashArray Purity whereby a user with the array admin role can execute arbitrary commands remotely to escalate privilege on the array. |
CVE-2024-6386 | 1 Wpml | 1 Wpml | 2024-09-27 | N/A | 8.8 HIGH | The WPML plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.6.12 via Twig Server-Side Template Injection. This is due to missing input validation and sanitization on the render function. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server. |
CVE-2024-8623 | 1 Pluginus | 1 Wordpress Meta Data And Taxonomies Filter | 2024-09-26 | N/A | 7.3 HIGH | The MDTF – Meta Data and Taxonomies Filter plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.3.3.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. |
CVE-2024-8268 | 1 Buffercode | 1 Frontend Dashboard | 2024-09-26 | N/A | 8.8 HIGH | The Frontend Dashboard plugin for WordPress is vulnerable to unauthorized code execution due to insufficient filtering on callable methods/functions via the ajax_request() function in all versions up to, and including, 2.2.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to call arbitrary functions that can be leveraged for privilege escalation by changing users' passwords. |
CVE-2024-8478 | 1 Ifeelweb | 1 Affiliate Super Assistent | 2024-09-26 | N/A | 7.3 HIGH | The Affiliate Super Assistent plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.5.3. This is due to the software allowing users to supply arbitrary shortcodes in comments when the 'Parse comments' option is enabled. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. |
CVE-2023-29492 | 1 3rdmill | 1 Novi Survey | 2024-09-26 | N/A | 9.8 CRITICAL | Novi Survey before 8.9.43676 allows remote attackers to execute arbitrary code on the server in the context of the service account. This does not provide access to stored survey or response data. |
CVE-2023-41179 | 2 Microsoft, Trendmicro | 4 Windows, Apex One, Worry-free Business Security and 1 more | 2024-09-26 | N/A | 7.2 HIGH | A vulnerability in the third-party AV uninstaller module contained in Trend Micro Apex One (on-prem and SaaS), Worry-Free Business Security and Worry-Free Business Security Services could allow an attacker to manipulate the module to execute arbitrary commands on an affected installation. Note that an attacker must first obtain administrative console access on the target system in order to exploit this vulnerability. |
CVE-2024-46640 | | | 2024-09-26 | N/A | 9.8 CRITICAL | SeaCMS 13.2 has a remote code execution vulnerability located in the file sql.class.chp. Although the system has a check function, that check function is never invoked, allowing remote code execution by writing to the file through the MySQL slow query method. |
CVE-2024-47219 | | | 2024-09-26 | N/A | N/A | An issue was discovered in vesoft NebulaGraph through 3.8.0. It allows shell command injection. |
CVE-2024-46103 | | | 2024-09-26 | N/A | 9.8 CRITICAL | SEMCMS 4.8 is vulnerable to SQL Injection via SEMCMS_Main.php. |
CVE-2024-46639 | | | 2024-09-26 | N/A | 7.6 HIGH | A cross-site scripting (XSS) vulnerability in HelpDeskZ v2.0.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name text field of the Custom Fields message box. |
CVE-2024-40442 | | | 2024-09-26 | N/A | 7.2 HIGH | An issue in Doccano (an open source annotation tool for machine learning practitioners) v1.8.4 and the Doccano Auto Labeling Pipeline module (which annotates a document automatically) v0.1.23 allows a remote attacker to escalate privileges via a crafted REST request. |
CVE-2023-34195 | 1 Insyde | 1 Insydeh2o | 2024-09-25 | N/A | 7.8 HIGH | An issue was discovered in SystemFirmwareManagementRuntimeDxe in Insyde InsydeH2O with kernel 5.0 through 5.5. The implementation of the GetImage method retrieves the value of a runtime variable named GetImageProgress, and later uses this value as a function pointer. This variable is wiped out by the same module near the end of the function. By setting this UEFI variable from the OS to point into custom code, an attacker could achieve arbitrary code execution in the DXE phase, before several chipset locks are set. |
CVE-2024-9006 | 1 Jeanmarc77 | 1 123solar | 2024-09-25 | 6.5 MEDIUM | 8.8 HIGH | A vulnerability was found in jeanmarc77 123solar 1.8.4.5. It has been rated as critical. Affected by this issue is some unknown functionality of the file config/config_invt1.php. The manipulation of the argument PASSOx leads to code injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The patch is identified as f4a8c748ec436e5a79f91ccb6a6f73752b336aa5. It is recommended to apply a patch to fix this issue. |
CVE-2024-44623 | 1 Spx | 1 Spx Graphics Controller | 2024-09-25 | N/A | 9.8 CRITICAL | An issue in TuomoKu SPx-GC v1.3.0 and before allows a remote attacker to execute arbitrary code via the child_process.js function. |
CVE-2023-43234 | 1 Dedebiz | 1 Dedebiz | 2024-09-25 | N/A | 9.8 CRITICAL | DedeBIZ v6.2.11 was discovered to contain multiple remote code execution (RCE) vulnerabilities at /admin/file_manage_control.php via the $activepath and $filename parameters. |
CVE-2023-43222 | 1 Seacms | 1 Seacms | 2024-09-25 | N/A | 9.8 CRITICAL | SeaCMS v12.8 has an arbitrary code writing vulnerability in the /jxz7g2/admin_ping.php file. |