Total
287212 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2024-6782 | 2024-08-06 | N/A | 9.8 CRITICAL | ||
Improper access control in Calibre 6.9.0 ~ 7.14.0 allow unauthenticated attackers to achieve remote code execution. | |||||
CVE-2024-6315 | 2024-08-06 | N/A | 8.8 HIGH | ||
The Blox Page Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'handleUploadFile' function in all versions up to, and including, 1.0.65. This makes it possible for authenticated attackers, with contributor-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
CVE-2024-41811 | 2024-08-06 | N/A | 3.9 LOW | ||
ipl/web is a set of common web components for php projects. Some of the recent development by Icinga is, under certain circumstances, susceptible to cross site request forgery. (CSRF). All affected products, in any version, will be unaffected by this once `icinga-php-library` is upgraded. Version 0.10.1 includes a fix for this. It will be published as part of the `icinga-php-library` v0.14.1 release. | |||||
CVE-2024-6766 | 2024-08-06 | N/A | 5.4 MEDIUM | ||
The shortcodes-ultimate-pro WordPress plugin before 7.2.1 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks | |||||
CVE-2024-6886 | 2024-08-06 | N/A | N/A | ||
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Gitea Gitea Open Source Git Server allows Stored XSS.This issue affects Gitea Open Source Git Server: 1.22.0. | |||||
CVE-2024-41376 | 2024-08-06 | N/A | 8.8 HIGH | ||
dzzoffice 2.02.1 is vulnerable to Directory Traversal via user/space/about.php. | |||||
CVE-2024-7055 | 2024-08-06 | 7.5 HIGH | 6.3 MEDIUM | ||
A vulnerability was found in FFmpeg up to 7.0.1. It has been classified as critical. This affects the function pnm_decode_frame in the library /libavcodec/pnmdec.c. The manipulation leads to heap-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 7.0.2 is able to address this issue. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-273651. | |||||
CVE-2024-7246 | 2024-08-06 | N/A | N/A | ||
It's possible for a gRPC client communicating with a HTTP/2 proxy to poison the HPACK table between the proxy and the backend such that other clients see failed requests. It's also possible to use this vulnerability to leak other clients HTTP header keys, but not values. This occurs because the error status for a misencoded header is not cleared between header reads, resulting in subsequent (incrementally indexed) added headers in the first request being poisoned until cleared from the HPACK table. Please update to a fixed version of gRPC as soon as possible. This bug has been fixed in 1.58.3, 1.59.5, 1.60.2, 1.61.3, 1.62.3, 1.63.2, 1.64.3, 1.65.4. | |||||
CVE-2023-0253 | 2024-08-06 | N/A | N/A | ||
Rejected reason: **REJECT** Accidental CVE Assignment. Please use CVE-2023-0285. | |||||
CVE-2024-5081 | 2024-08-05 | N/A | 6.1 MEDIUM | ||
The wp-eMember WordPress plugin before v10.7.0 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack | |||||
CVE-2024-6390 | 2024-08-05 | N/A | 5.9 MEDIUM | ||
The Quiz and Survey Master (QSM) WordPress plugin before 9.1.0 does not properly sanitise and escape some of its Quizz settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks | |||||
CVE-2024-6270 | 2024-08-05 | N/A | 4.8 MEDIUM | ||
The Community Events WordPress plugin before 1.5.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
CVE-2024-6865 | 2024-08-05 | N/A | N/A | ||
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | |||||
CVE-2024-22169 | 2024-08-05 | N/A | N/A | ||
WD Discovery versions prior to 5.0.589 contain a misconfiguration in the Node.js environment settings that could allow code execution by utilizing the 'ELECTRON_RUN_AS_NODE' environment variable. Any malicious application operating with standard user permissions can exploit this vulnerability, enabling code execution within WD Discovery application's context. WD Discovery version 5.0.589 addresses this issue by disabling certain features and fuses in Electron. The attack vector for this issue requires the victim to have the WD Discovery app installed on their device. | |||||
CVE-2024-7257 | 2024-08-05 | N/A | 9.8 CRITICAL | ||
The YayExtra – WooCommerce Extra Product Options plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the handle_upload_file function in all versions up to, and including, 1.3.7. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | |||||
CVE-2024-7291 | 2024-08-05 | N/A | 7.2 HIGH | ||
The JetFormBuilder plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.3.4.1. This is due to improper restriction on user meta fields. This makes it possible for authenticated attackers, with administrator-level and above permissions, to register as super-admins on the sites configured as multi-sites. | |||||
CVE-2024-28297 | 2024-08-05 | N/A | 7.5 HIGH | ||
SQL injection vulnerability in AzureSoft MyHorus 4.3.5 allows authenticated users to execute arbitrary SQL commands via unspecified vectors. | |||||
CVE-2024-38885 | 2024-08-05 | N/A | 7.5 HIGH | ||
An issue in Horizon Business Services Inc. Caterease 16.0.1.1663 through 24.0.1.2405 and possibly later versions, allows a remote attacker to perform unauthorized access using known operating system credentials due to hardcoded SQL user credentials in the client application. | |||||
CVE-2024-2872 | 2024-08-02 | N/A | 4.8 MEDIUM | ||
The socialdriver-framework WordPress plugin before 2024.04.30 does not sanitise and escape some of its settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | |||||
CVE-2024-5595 | 2024-08-02 | N/A | 5.4 MEDIUM | ||
The Essential Blocks WordPress plugin before 4.7.0 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks |