Total: 18193 CVEs
CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
---|---|---|---|---|---|
CVE-2024-51064 | Phpgurukul | Teachers Record Management System | 2024-11-01 | 9.8 Critical | Phpgurukul Teachers Record Management System v2.1 is vulnerable to SQL Injection via the tid parameter to admin/queries.php. |
CVE-2024-42515 | Pebbleroad | Glossarizer | 2024-11-01 | 9.9 Critical | Glossarizer through 1.5.2 improperly tries to convert text into HTML. Even though the application itself escapes special characters (e.g., <>), the underlying library converts these encoded characters into legitimate HTML, thereby possibly causing stored XSS. Attackers can append an XSS payload to a word that has a corresponding glossary entry. |
CVE-2024-39332 | Webswing | Webswing | 2024-11-01 | 9.8 Critical | Webswing 23.2.2 allows remote attackers to modify client-side JavaScript code to achieve path traversal, likely leading to remote code execution via modification of shell scripts on the server. |
CVE-2023-52044 | Std42 | Elfinder | 2024-11-01 | 9.8 Critical | Studio-42 elFinder 2.1.62 is vulnerable to Remote Code Execution (RCE) as there is no restriction for uploading files with the .php8 extension. |
CVE-2024-48063 | Pytorch | Pytorch | 2024-11-01 | 9.8 Critical | In PyTorch <=2.4.1, the RemoteModule has Deserialization RCE. NOTE: this is disputed by multiple parties because this is intended behavior in PyTorch distributed computing. |
CVE-2024-48573 | Aquila | Cms | 2024-11-01 | 9.8 Critical | A NoSQL injection vulnerability in AquilaCMS 1.409.20 and prior allows unauthenticated attackers to reset user and administrator account passwords via the "Reset password" feature. |
CVE-2024-48206 | Chainer | Chainer | 2024-11-01 | 9.8 Critical | A Deserialization of Untrusted Data vulnerability in chainer v7.8.1.post1 leads to execution of arbitrary code. |
CVE-2024-48138 | Pluxml | Pluxml | 2024-11-01 | 9.8 Critical | A remote code execution (RCE) vulnerability in the component /PluXml/core/admin/parametres_edittpl.php of PluXml v5.8.16 and lower allows attackers to execute arbitrary code via injecting a crafted payload into a template. |
CVE-2024-48910 | Cure53, Redhat | Dompurify, Advanced Cluster Security, Openshift | 2024-11-01 | 9.1 Critical | DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify was vulnerable to prototype pollution. This vulnerability is fixed in 2.4.2. |
CVE-2024-48307 | Jeecg | Jeecgboot | 2024-11-01 | 9.8 Critical | JeecgBoot v3.7.1 was discovered to contain a SQL injection vulnerability via the component /onlDragDatasetHead/getTotalData. |
CVE-2024-51259 | Draytek | Vigor3900 Firmware | 2024-11-01 | 9.8 Critical | DrayTek Vigor3900 1.5.1.3 allows attackers to inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the setup_cacertificate function. |
CVE-2024-10392 | Aipower | Aipower | 2024-11-01 | 9.8 Critical | The AI Power: Complete AI Pack plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'handle_image_upload' function in all versions up to, and including, 1.8.89. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. |
CVE-2024-10456 | Deltaww | Infrasuite Device Master | 2024-11-01 | 9.8 Critical | Delta Electronics InfraSuite Device Master versions prior to 1.0.12 are affected by a deserialization vulnerability that targets the Device-Gateway, which could allow deserialization of arbitrary .NET objects prior to authentication. |
CVE-2024-48112 | Thinkphp | Thinkphp | 2024-11-01 | 9.8 Critical | A deserialization vulnerability in the component \controller\Index.php of Thinkphp v6.1.3 to v8.0.4 allows attackers to execute arbitrary code. |
CVE-2024-8512 | | | 2024-11-01 | 9.1 Critical | The W3SPEEDSTER plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.26 via the 'script' parameter of the hookBeforeStartOptimization() function. This is due to the plugin passing user supplied input to eval(). This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server. |
CVE-2024-48202 | Thecosy | Icecms | 2024-11-01 | 9.8 Critical | icecms <=3.4.7 has a File Upload vulnerability in FileUtils.java, uploadFile. |
CVE-2024-50507 | | | 2024-11-01 | 9.8 Critical | Deserialization of Untrusted Data vulnerability in Daniel Schmitzer DS.DownloadList allows Object Injection. This issue affects DS.DownloadList: from n/a through 1.3. |
CVE-2024-50511 | | | 2024-11-01 | 9.9 Critical | Unrestricted Upload of File with Dangerous Type vulnerability in David DONISA WP donimedia carousel allows Upload a Web Shell to a Web Server. This issue affects WP donimedia carousel: from n/a through 1.0.1. |
CVE-2024-10525 | Eclipse Foundation | Mosquitto | 2024-11-01 | 9.1 Critical | In Eclipse Mosquitto, from version 1.3.2 through 2.0.18, if a malicious broker sends a crafted SUBACK packet with no reason codes, a client using libmosquitto may make an out-of-bounds memory access when acting in its on_subscribe callback. This affects the mosquitto_sub and mosquitto_rr clients. |
CVE-2024-50510 | | | 2024-11-01 | 10 Critical | Unrestricted Upload of File with Dangerous Type vulnerability in Web and Print Design AR For Woocommerce allows Upload a Web Shell to a Web Server. This issue affects AR For Woocommerce: from n/a through 6.2. |