Total
299320 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-23862 | 1 Ysoft | 1 Safeq | 2024-10-30 | N/A | 7.8 HIGH |
| A Local Privilege Escalation issue was discovered in Y Soft SAFEQ 6 Build 53. The SafeQ JMX service running on port 9696 is vulnerable to JMX MLet attacks. Because the service did not enforce authentication and was running under the "NT Authority\System" user, an attacker is able to use the vulnerability to execute arbitrary code and elevate to the system user. | |||||
| CVE-2024-10121 | 1 Riskengine | 1 Radar | 2024-10-30 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability was found in wfh45678 Radar up to 1.0.8 and classified as critical. This issue affects some unknown processing of the component Interface Handler. The manipulation with the input /../ leads to authorization bypass. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This appears not to be a path traversal weakness. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-48605 | 1 Helakuru | 1 Helakuru | 2024-10-30 | N/A | 7.8 HIGH |
| An issue in Helakuru Desktop Application v1.1 allows a local attacker to execute arbitrary code via the lack of proper validation of the wow64log.dll file. | |||||
| CVE-2019-25218 | 1 I13websolution | 1 Photo Gallery Slideshow \& Masonry Tiled Gallery | 2024-10-30 | N/A | 4.9 MEDIUM |
| The Photo Gallery Slideshow & Masonry Tiled Gallery plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including, 1.0.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | |||||
| CVE-2024-49373 | 1 Nofusscomputing | 1 Centurion Erp | 2024-10-30 | N/A | 4.3 MEDIUM |
| No Fuss Computing Centurion ERP is open source enterprise resource planning (ERP) software. Prior to version 1.2.1, an authenticated user can view projects within organizations they are not apart of. Version 1.2.1 fixes the problem. | |||||
| CVE-2024-10129 | 1 Shudong-share Project | 1 Shudong-share | 2024-10-30 | 6.5 MEDIUM | 6.5 MEDIUM |
| A vulnerability classified as critical has been found in HFO4 shudong-share up to 2.4.7. This affects an unknown part of the file /includes/create_share.php of the component Share Handler. The manipulation of the argument fkey leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2016-15042 | 1 Najeebmedia | 2 Frontend File Manager, Post Front-end Form | 2024-10-30 | N/A | 9.8 CRITICAL |
| The Frontend File Manager (versions < 4.0), N-Media Post Front-end Form (versions < 1.1) plugins for WordPress are vulnerable to arbitrary file uploads due to missing file type validation via the `nm_filemanager_upload_file` and `nm_postfront_upload_file` AJAX actions. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible. | |||||
| CVE-2024-9061 | 1 Themehunk | 1 Wp Popup Builder | 2024-10-30 | N/A | 9.8 CRITICAL |
| The The WP Popup Builder – Popup Forms and Marketing Lead Generation plugin for WordPress is vulnerable to arbitrary shortcode execution via the wp_ajax_nopriv_shortcode_Api_Add AJAX action in all versions up to, and including, 1.3.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. NOTE: This vulnerability was partially fixed in version 1.3.5 with a nonce check, which effectively prevented access to the affected function. However, version 1.3.6 incorporates the correct authorization check to prevent unauthorized access. | |||||
| CVE-2023-22649 | 1 Suse | 1 Rancher | 2024-10-30 | N/A | 6.5 MEDIUM |
| A vulnerability has been identified which may lead to sensitive data being leaked into Rancher's audit logs. [Rancher Audit Logging](https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/enable-api-audit-log) is an opt-in feature, only deployments that have it enabled and have [AUDIT_LEVEL](https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/enable-api-audit-log#audit-log-levels) set to `1 or above` are impacted by this issue. | |||||
| CVE-2020-36840 | 1 Motopress | 1 Timetable And Event Schedule | 2024-10-30 | N/A | 9.8 CRITICAL |
| The Timetable and Event Schedule by MotoPress plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the wp_ajax_route_url() function called via a nopriv AJAX action in versions up to, and including, 2.3.8. This makes it possible for unauthenticated attackers to call that function and perform a wide variety of actions such as including random template, injecting malicious web scripts, and more. | |||||
| CVE-2020-36842 | 1 Wpvivid | 1 Migration\, Backup\, Staging | 2024-10-30 | N/A | 8.8 HIGH |
| The Migration, Backup, Staging – WPvivid plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the wpvivid_upload_import_files and wpvivid_upload_files AJAX actions that allows low-level authenticated attackers to upload zip files that can be subsequently extracted. This affects versions up to, and including 0.9.35. | |||||
| CVE-2017-20194 | 1 Strategy11 | 1 Formidable Form Builder | 2024-10-30 | N/A | 5.3 MEDIUM |
| The Formidable Form Builder plugin for WordPress is vulnerable to Sensitive Data Exposure in versions up to, and including, 2.05.03 via the frm_forms_preview AJAX action. This makes it possible for unauthenticated attackers to export all of the form entries for a given form. | |||||
| CVE-2024-45715 | 1 Solarwinds | 1 Solarwinds Platform | 2024-10-30 | N/A | 6.1 MEDIUM |
| The SolarWinds Platform was susceptible to a Cross-Site Scripting vulnerability when performing an edit function to existing elements. | |||||
| CVE-2021-4452 | 1 Gtranslate | 1 Google Language Translator | 2024-10-30 | N/A | 5.4 MEDIUM |
| The Google Language Translator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via multiple parameters in versions up to, and including, 6.0.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Specifically affects users with older browsers that lack proper URL encoding support. | |||||
| CVE-2024-9540 | 1 Sinaextra | 1 Sina Extension For Elementor | 2024-10-30 | N/A | 4.3 MEDIUM |
| The Sina Extension for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.5.7 via the render function in widgets/advanced/sina-modal-box.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft Elementor template data. | |||||
| CVE-2017-20193 | 1 Woo | 1 Product Vendors | 2024-10-30 | N/A | 6.1 MEDIUM |
| The Product Vendors is vulnerable to Reflected Cross-Site Scripting via the 'vendor_description' parameter in versions up to, and including, 2.0.35 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2024-47171 | 1 Agnai | 1 Agnai | 2024-10-30 | N/A | 4.3 MEDIUM |
| Agnai is an artificial-intelligence-agnostic multi-user, mult-bot roleplaying chat system. A vulnerability in versions prior to 1.0.330 permits attackers to upload image files at attacker-chosen location on the server. This issue can lead to image file uploads to unauthorized or unintended directories, including overwriting of existing images which may be used for defacement. This does not affect `agnai.chat`, installations using S3-compatible storage, or self-hosting that is not publicly exposed. Version 1.0.330 fixes this vulnerability. | |||||
| CVE-2024-46538 | 1 Netgate | 1 Pfsense | 2024-10-30 | N/A | 4.8 MEDIUM |
| A cross-site scripting (XSS) vulnerability in pfsense v2.5.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the $pconfig variable at interfaces_groups_edit.php. | |||||
| CVE-2024-50616 | 2024-10-30 | N/A | 8.8 HIGH | ||
| Ironman PowerShell Universal 5.x before 5.0.12 allows an authenticated attacker to elevate their privileges and view job information. | |||||
| CVE-2024-50615 | 2024-10-30 | N/A | 6.5 MEDIUM | ||
| TinyXML2 through 10.0.0 has a reachable assertion for UINT_MAX/digit, that may lead to application exit, in tinyxml2.cpp XMLUtil::GetCharacterRef. | |||||