Total
296653 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2024-49220 | 1 Cookie-scanner | 1 Cookie Scanner | 2024-11-06 | N/A | 6.1 MEDIUM |
Cross-Site Request Forgery (CSRF) vulnerability in Cookie Scanner – Nikel Schubert Cookie Scanner allows Stored XSS.This issue affects Cookie Scanner: from n/a through 1.1. | |||||
CVE-2024-49229 | 1 Arifnezami | 1 Better Author Bio | 2024-11-06 | N/A | 6.1 MEDIUM |
Cross-Site Request Forgery (CSRF) vulnerability in Arif Nezami Better Author Bio allows Cross-Site Scripting (XSS).This issue affects Better Author Bio: from n/a through 2.7.10.11. | |||||
CVE-2024-31880 | 4 Ibm, Linux, Microsoft and 1 more | 4 Db2, Linux Kernel, Windows and 1 more | 2024-11-06 | N/A | 6.5 MEDIUM |
IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.5, 11.1, and 11.5 is vulnerable to a denial of service, under specific configurations, as the server may crash when using a specially crafted SQL statement by an authenticated user. | |||||
CVE-2024-51362 | 2024-11-06 | N/A | 6.5 MEDIUM | ||
The LSC Smart Connect Indoor IP Camera V7.6.32 is vulnerable to an information disclosure issue where live camera footage can be accessed through the RTSP protocol on port 8554 without requiring authentication. This allows unauthorized users with network access to view the camera's feed, potentially compromising user privacy and security. No credentials or special permissions are required, and access can be gained remotely over the network. | |||||
CVE-2024-51240 | 2024-11-06 | N/A | 8.0 HIGH | ||
An issue in the luci-mod-rpc package in OpenWRT Luci LTS allows for privilege escalation from an admin account to root via the JSON-RPC-API, which is exposed by the luci-mod-rpc package | |||||
CVE-2024-51132 | 2024-11-06 | N/A | 9.8 CRITICAL | ||
An XML External Entity (XXE) vulnerability in HAPI FHIR before v6.4.0 allows attackers to access sensitive information or execute arbitrary code via supplying a crafted request containing malicious XML entities. | |||||
CVE-2024-42018 | 2024-11-06 | N/A | 7.7 HIGH | ||
An issue was discovered in Atos Eviden SMC xScale before 1.6.6. During initialization of nodes, some configuration parameters are retrieved from management nodes. These parameters embed credentials whose integrity and confidentiality may be important to the security of the HPC configuration. Because these parameters are needed for initialization, there is no available mechanism to ensure access control on the management node, and a mitigation measure is normally put in place to prevent access to unprivileged users. It was discovered that this mitigation measure does not survive a reboot of diskful nodes. (Diskless nodes are not at risk.) The mistake lies in the cloudinit configuration: the iptables configuration should have been in the bootcmd instead of the runcmd section. | |||||
CVE-2024-39339 | 2024-11-06 | N/A | 7.5 HIGH | ||
A vulnerability has been discovered in all versions of Smartplay headunits, which are widely used in Suzuki and Toyota cars. This misconfiguration can lead to information disclosure, leaking sensitive details such as diagnostic log traces, system logs, headunit passwords, and personally identifiable information (PII). The exposure of such information may have serious implications for user privacy and system integrity. | |||||
CVE-2024-49237 | 1 Ahmetimamoglu | 1 Ahmeti Wp Timeline | 2024-11-06 | N/A | 6.1 MEDIUM |
Cross-Site Request Forgery (CSRF) vulnerability in Ahmet Imamoglu Ahmeti Wp Timeline allows Stored XSS.This issue affects Ahmeti Wp Timeline: from n/a through 5.1. | |||||
CVE-2024-45185 | 2024-11-06 | N/A | 5.1 MEDIUM | ||
An issue was discovered in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 9820, 9825, 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 9110, W920, W930, Modem 5123, Modem 5300. There is an out-of-bounds write due to a heap overflow in the GPRS protocol. | |||||
CVE-2024-21690 | 2024-11-06 | N/A | 7.1 HIGH | ||
This High severity Reflected XSS and CSRF (Cross-Site Request Forgery) vulnerability was introduced in versions 7.19.0, 7.20.0, 8.0.0, 8.1.0, 8.2.0, 8.3.0, 8.4.0, 8.5.0, 8.6.0, 8.7.1, 8.8.0, and 8.9.0 of Confluence Data Center and Server. This Reflected XSS and CSRF (Cross-Site Request Forgery) vulnerability, with a CVSS Score of 7.1, allows an unauthenticated attacker to execute arbitrary HTML or JavaScript code on a victims browser and force a end user to execute unwanted actions on a web application in which they're currently authenticated which has high impact to confidentiality, low impact to integrity, no impact to availability, and requires user interaction. Atlassian recommends that Confluence Data Center and Server customers upgrade to latest version, if you are unable to do so, upgrade your instance to one of the specified supported fixed versions: * Confluence Data Center and Server 7.19: Upgrade to a release greater than or equal to 7.19.26 * Confluence Data Center and Server 8.5: Upgrade to a release greater than or equal to 8.5.14 * Confluence Data Center and Server 9.0: Upgrade to a release greater than or equal to 9.0.1 See the release notes (https://confluence.atlassian.com/doc/confluence-release-notes-327.html). You can download the latest version of Confluence Data Center and Server from the download center (https://www.atlassian.com/software/confluence/download-archives). This vulnerability was reported via our Bug Bounty program. | |||||
CVE-2024-51685 | 1 Migaweb | 1 Accordion Title For Elementor | 2024-11-06 | N/A | 4.8 MEDIUM |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Michael Gangolf Accordion title for Elementor allows Stored XSS.This issue affects Accordion title for Elementor: from n/a through 1.2.1. | |||||
CVE-2024-48809 | 1 Aetherproject | 2 Onos-a1t, Sdran-in-a-box | 2024-11-06 | N/A | 7.5 HIGH |
An issue in Open Networking Foundations sdran-in-a-box v.1.4.3 and onos-a1t v.0.2.3 allows a remote attacker to cause a denial of service via the onos-a1t component of the sdran-in-a-box, specifically the DeleteWatcher function. | |||||
CVE-2024-51136 | 1 Openimaj | 1 Openimaj | 2024-11-06 | N/A | 9.8 CRITICAL |
An XML External Entity (XXE) vulnerability in Dmoz2CSV in openimaj v1.3.10 allows attackers to access sensitive information or execute arbitrary code via supplying a crafted XML file. | |||||
CVE-2024-34882 | 1 Bitrix24 | 1 Bitrix24 | 2024-11-06 | N/A | 4.9 MEDIUM |
Insufficiently protected credentials in SMTP server settings in 1C-Bitrix Bitrix24 23.300.100 allows remote administrators to send SMTP account passwords to an arbitrary server via HTTP POST request. | |||||
CVE-2024-34883 | 1 Bitrix24 | 1 Bitrix24 | 2024-11-06 | N/A | 4.9 MEDIUM |
Insufficiently protected credentials in DAV server settings in 1C-Bitrix Bitrix24 23.300.100 allow remote administrators to read proxy-server accounts passwords via HTTP GET request. | |||||
CVE-2024-34887 | 1 Bitrix24 | 1 Bitrix24 | 2024-11-06 | N/A | 4.9 MEDIUM |
Insufficiently protected credentials in AD/LDAP server settings in 1C-Bitrix Bitrix24 23.300.100 allows remote administrators to send AD/LDAP administrators account passwords to an arbitrary server via HTTP POST request. | |||||
CVE-2024-51329 | 1 Idrsdev | 1 Agile-board | 2024-11-06 | N/A | 8.8 HIGH |
A Host header injection vulnerability in Agile-Board 1.0 allows attackers to obtain the password reset token via user interaction with a crafted password reset link. | |||||
CVE-2024-10097 | 1 Loginizer | 1 Loginizer | 2024-11-06 | N/A | 8.1 HIGH |
The Loginizer Security and Loginizer plugins for WordPress are vulnerable to authentication bypass in all versions up to, and including, 1.9.2. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token. | |||||
CVE-2024-49368 | 1 Nginxui | 1 Nginx Ui | 2024-11-06 | N/A | 9.8 CRITICAL |
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.0.0-beta.36, when Nginx UI configures logrotate, it does not verify the input and directly passes it to exec.Command, causing arbitrary command execution. Version 2.0.0-beta.36 fixes this issue. |