Total 18193 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2024-51064 1 Phpgurukul 1 Teachers Record Management System 2024-11-01 9.8 Critical
Phpgurukul Teachers Record Management System v2.1 is vulnerable to SQL Injection via the tid parameter to admin/queries.php.
CVE-2024-42515 1 Pebbleroad 1 Glossarizer 2024-11-01 9.9 Critical
Glossarizer through 1.5.2 improperly tries to convert text into HTML. Even though the application itself escapes special characters (e.g., <>), the underlying library converts these encoded characters into legitimate HTML, thereby possibly causing stored XSS. Attackers can append a XSS payload to a word that has a corresponding glossary entry.
CVE-2024-39332 1 Webswing 1 Webswing 2024-11-01 9.8 Critical
Webswing 23.2.2 allows remote attackers to modify client-side JavaScript code to achieve path traversal, likely leading to remote code execution via modification of shell scripts on the server.
CVE-2023-52044 1 Std42 1 Elfinder 2024-11-01 9.8 Critical
Studio-42 eLfinder 2.1.62 is vulnerable to Remote Code Execution (RCE) as there is no restriction for uploading files with the .php8 extension.
CVE-2024-48063 1 Pytorch 1 Pytorch 2024-11-01 9.8 Critical
In PyTorch <=2.4.1, the RemoteModule has Deserialization RCE. NOTE: this is disputed by multiple parties because this is intended behavior in PyTorch distributed computing.
CVE-2024-48573 1 Aquila 1 Cms 2024-11-01 9.8 Critical
A NoSQL injection vulnerability in AquilaCMS 1.409.20 and prior allows unauthenticated attackers to reset user and administrator account passwords via the "Reset password" feature.
CVE-2024-48206 1 Chainer 1 Chainer 2024-11-01 9.8 Critical
A Deserialization of Untrusted Data vulnerability in chainer v7.8.1.post1 leads to execution of arbitrary code.
CVE-2024-48138 1 Pluxml 1 Pluxml 2024-11-01 9.8 Critical
A remote code execution (RCE) vulnerability in the component /PluXml/core/admin/parametres_edittpl.php of PluXml v5.8.16 and lower allows attackers to execute arbitrary code via injecting a crafted payload into a template.
CVE-2024-48910 2 Cure53, Redhat 3 Dompurify, Advanced Cluster Security, Openshift 2024-11-01 9.1 Critical
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify was vulnerable to prototype pollution. This vulnerability is fixed in 2.4.2.
CVE-2024-48307 1 Jeecg 1 Jeecgboot 2024-11-01 9.8 Critical
JeecgBoot v3.7.1 was discovered to contain a SQL injection vulnerability via the component /onlDragDatasetHead/getTotalData.
CVE-2024-51259 1 Draytek 1 Vigor3900 Firmware 2024-11-01 9.8 Critical
DrayTek Vigor3900 1.5.1.3 allows attackers to inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the setup_cacertificate function.
CVE-2024-10392 1 Aipower 1 Aipower 2024-11-01 9.8 Critical
The AI Power: Complete AI Pack plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'handle_image_upload' function in all versions up to, and including, 1.8.89. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVE-2024-10456 1 Deltaww 1 Infrasuite Device Master 2024-11-01 9.8 Critical
Delta Electronics InfraSuite Device Master versions prior to 1.0.12 are affected by a deserialization vulnerability that targets the Device-Gateway, which could allow deserialization of arbitrary .NET objects prior to authentication.
CVE-2024-48112 1 Thinkphp 1 Thinkphp 2024-11-01 9.8 Critical
A deserialization vulnerability in the component \controller\Index.php of Thinkphp v6.1.3 to v8.0.4 allows attackers to execute arbitrary code.
CVE-2024-8512 2024-11-01 9.1 Critical
The W3SPEEDSTER plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.26 via the 'script' parameter of the hookBeforeStartOptimization() function. This is due to the plugin passing user supplied input to eval(). This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server.
CVE-2024-48202 1 Thecosy 1 Icecms 2024-11-01 9.8 Critical
icecms <=3.4.7 has a File Upload vulnerability in FileUtils.java,uploadFile.
CVE-2024-50507 2024-11-01 9.8 Critical
Deserialization of Untrusted Data vulnerability in Daniel Schmitzer DS.DownloadList allows Object Injection.This issue affects DS.DownloadList: from n/a through 1.3.
CVE-2024-50511 2024-11-01 9.9 Critical
Unrestricted Upload of File with Dangerous Type vulnerability in David DONISA WP donimedia carousel allows Upload a Web Shell to a Web Server.This issue affects WP donimedia carousel: from n/a through 1.0.1.
CVE-2024-10525 1 Eclipse Foundation 1 Mosquitto 2024-11-01 9.1 Critical
In Eclipse Mosquitto, from version 1.3.2 through 2.0.18, if a malicious broker sends a crafted SUBACK packet with no reason codes, a client using libmosquitto may make out of bounds memory access when acting in its on_subscribe callback. This affects the mosquitto_sub and mosquitto_rr clients.
CVE-2024-50510 2024-11-01 10 Critical
Unrestricted Upload of File with Dangerous Type vulnerability in Web and Print Design AR For Woocommerce allows Upload a Web Shell to a Web Server.This issue affects AR For Woocommerce: from n/a through 6.2.