Total: 260271 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2024-10850 | | | 2024-11-13 | N/A | 6.1 MEDIUM | The Razorpay Payment Button Elementor Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVE-2024-10778 | | | 2024-11-13 | N/A | 4.3 MEDIUM | The BuddyPress Builder for Elementor – BuddyBuilder plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.7.4 via the 'elementor-template' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from private or draft posts created by Elementor that they should not have access to.
CVE-2024-10717 | | | 2024-11-13 | N/A | 6.5 MEDIUM | The Styler for Ninja Forms plugin for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the deactivate_license function in all versions up to, and including, 3.3.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary option values on the WordPress site. This can be leveraged to delete an option that would create an error on the site and deny service to legitimate users. Note: This issue can also be used to add arbitrary options with an empty value.
CVE-2024-10686 | | | 2024-11-13 | N/A | 6.1 MEDIUM | The Design for Contact Form 7 Style WordPress Plugin – CF7 WOW Styler plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'style_scheme' parameter in all versions up to, and including, 1.6.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVE-2024-10629 | | | 2024-11-13 | N/A | 8.8 HIGH | The GPX Viewer plugin for WordPress is vulnerable to arbitrary file creation due to a missing capability check and file type validation in the gpxv_file_upload() function in all versions up to, and including, 2.2.8. This makes it possible for authenticated attackers, with subscriber-level access and above, to create arbitrary files on the affected site's server which may make remote code execution possible.
CVE-2024-10577 | | | 2024-11-13 | N/A | 6.1 MEDIUM | The 胖鼠采集(Fat Rat Collect) 微信知乎简书腾讯新闻列表分页采集, 还有自动采集、自动发布、自动标签、等多项功能。开源插件 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to missing escaping on a URL in all versions up to, and including, 2.7.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVE-2024-10038 | | | 2024-11-13 | N/A | 6.1 MEDIUM | The WP-Strava plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.12.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
CVE-2021-41277 | 1 Metabase | 1 Metabase | 2024-11-13 | 5.0 MEDIUM | 7.5 HIGH | Metabase is an open source data analytics platform. In affected versions a security issue has been discovered with the custom GeoJSON map (`admin->settings->maps->custom maps->add a map`) support and potential local file inclusion (including environment variables). URLs were not validated prior to being loaded. This issue is fixed in a new maintenance release (0.40.5 and 1.40.5), and any subsequent release after that. If you're unable to upgrade immediately, you can mitigate this by including rules in your reverse proxy or load balancer or WAF to provide a validation filter before the application.
CVE-2021-26086 | 1 Atlassian | 2 Jira Data Center, Jira Server | 2024-11-13 | 5.0 MEDIUM | 5.3 MEDIUM | Affected versions of Atlassian Jira Server and Data Center allow remote attackers to read particular files via a path traversal vulnerability in the /WEB-INF/web.xml endpoint. The affected versions are before version 8.5.14, from version 8.6.0 before 8.13.6, and from version 8.14.0 before 8.16.1.
CVE-2024-49039 | | | 2024-11-13 | N/A | 8.8 HIGH | Windows Task Scheduler Elevation of Privilege Vulnerability
CVE-2024-43451 | | | 2024-11-13 | N/A | 6.5 MEDIUM | NTLM Hash Disclosure Spoofing Vulnerability
CVE-2014-2120 | 1 Cisco | 1 Adaptive Security Appliance Software | 2024-11-13 | 4.3 MEDIUM | N/A | Cross-site scripting (XSS) vulnerability in the WebVPN login page in Cisco Adaptive Security Appliance (ASA) Software allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Bug ID CSCun19025.
CVE-2024-43314 | 1 Gabelivan | 1 Asset Cleanup | 2024-11-13 | N/A | 8.8 HIGH | Missing Authorization vulnerability in Gabe Livan Asset CleanUp: Page Speed Booster allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Asset CleanUp: Page Speed Booster: from n/a through 1.3.9.3.
CVE-2024-43323 | 1 Wpdeveloper | 1 Reviewx | 2024-11-13 | N/A | 9.8 CRITICAL | Missing Authorization vulnerability in ReviewX allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects ReviewX: from n/a through 1.6.28.
CVE-2024-43332 | 1 Meowapps | 1 Photo Engine | 2024-11-13 | N/A | 8.8 HIGH | Missing Authorization vulnerability in Jordy Meow Photo Engine allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Photo Engine: from n/a through 6.4.0.
CVE-2024-43341 | 1 Cozythemes | 1 Hello Agency | 2024-11-13 | N/A | 9.8 CRITICAL | Missing Authorization vulnerability in CozyThemes Hello Agency allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Hello Agency: from n/a through 1.0.5.
CVE-2024-43343 | 1 Etoilewebdesign | 1 Order Tracking | 2024-11-13 | N/A | 8.8 HIGH | Missing Authorization vulnerability in Etoile Web Design Order Tracking allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Order Tracking: from n/a through 3.3.12.
CVE-2024-43355 | 1 Beardev | 1 Joomsport | 2024-11-13 | N/A | 8.8 HIGH | Missing Authorization vulnerability in BearDev JoomSport allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JoomSport: from n/a through 5.3.0.
CVE-2024-43923 | 1 Arraytics | 1 Wp Timetics | 2024-11-13 | N/A | 9.8 CRITICAL | Missing Authorization vulnerability in Arraytics Timetics allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Timetics: from n/a through 1.0.23.
CVE-2024-43925 | 1 Enviragallery | 1 Envira Gallery | 2024-11-13 | N/A | 8.8 HIGH | Missing Authorization vulnerability in Envira Gallery Team Envira Photo Gallery allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Envira Photo Gallery: from n/a through 1.8.14.