Total: 18194 CVEs
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2024-51259 | 1 Draytek | 1 Vigor3900 Firmware | 2024-11-01 | 9.8 Critical |
DrayTek Vigor3900 1.5.1.3 allows attackers to inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the setup_cacertificate function. | ||||
CVE-2024-48307 | 1 Jeecg | 1 Jeecgboot | 2024-11-01 | 9.8 Critical |
JeecgBoot v3.7.1 was discovered to contain a SQL injection vulnerability via the component /onlDragDatasetHead/getTotalData. | ||||
CVE-2024-51255 | 1 Draytek | 1 Vigor3900 Firmware | 2024-11-01 | 9.8 Critical |
DrayTek Vigor3900 1.5.1.3 allows attackers to inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the ruequest_certificate function. | ||||
CVE-2024-49674 | 1 Lukas Huser | 1 Ekc Tournament Manager | 2024-11-01 | 9.6 Critical |
Cross-Site Request Forgery (CSRF) vulnerability in Lukas Huser EKC Tournament Manager allows Upload a Web Shell to a Web Server. This issue affects EKC Tournament Manager: from n/a through 2.2.1. | ||||
CVE-2024-10456 | 1 Deltaww | 1 Infrasuite Device Master | 2024-11-01 | 9.8 Critical |
Delta Electronics InfraSuite Device Master versions prior to 1.0.12 are affected by a deserialization vulnerability that targets the Device-Gateway, which could allow deserialization of arbitrary .NET objects prior to authentication. | ||||
CVE-2024-51260 | 1 Draytek | 1 Vigor3900 Firmware | 2024-11-01 | 9.8 Critical |
DrayTek Vigor3900 1.5.1.3 allows attackers to inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the acme_process function. | ||||
CVE-2024-43984 | 1 Podlove | 1 Podlove Podcast Publisher | 2024-11-01 | 9.6 Critical |
Cross-Site Request Forgery (CSRF) vulnerability in Podlove Podlove Podcast Publisher allows Code Injection. This issue affects Podlove Podcast Publisher: from n/a through 4.1.13. | ||||
CVE-2024-10525 | 1 Eclipse Foundation | 1 Mosquitto | 2024-11-01 | 9.1 Critical |
In Eclipse Mosquitto, from version 1.3.2 through 2.0.18, if a malicious broker sends a crafted SUBACK packet with no reason codes, a client using libmosquitto may make out of bounds memory access when acting in its on_subscribe callback. This affects the mosquitto_sub and mosquitto_rr clients. | ||||
CVE-2024-8512 | | | 2024-11-01 | 9.1 Critical |
The W3SPEEDSTER plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.26 via the 'script' parameter of the hookBeforeStartOptimization() function. This is due to the plugin passing user supplied input to eval(). This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server. | ||||
CVE-2024-50503 | | | 2024-11-01 | 9.8 Critical |
Authentication Bypass Using an Alternate Path or Channel vulnerability in Deryck Oñate User Toolkit allows Authentication Bypass. This issue affects User Toolkit: from n/a through 1.2.3. | ||||
CVE-2024-48237 | 1 Wtcms Project | 1 Wtcms | 2024-11-01 | 9.8 Critical |
WTCMS 1.0 is vulnerable to Incorrect Access Control in \Common\Controller\HomebaseController.class.php. | ||||
CVE-2024-38821 | 1 Spring | 1 Webflux | 2024-11-01 | 9.1 Critical |
Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances. For this to impact an application, all of the following must be true: it must be a WebFlux application; it must be using Spring's static resources support; and it must have a non-permitAll authorization rule applied to the static resources support. | ||||
CVE-2024-40457 | 1 No-ip | 1 Duc | 2024-10-31 | 9.1 Critical |
No-IP Dynamic Update Client (DUC) v3.x uses cleartext credentials that may occur on a command line or in a file. NOTE: the vendor's position is that cleartext in /etc/default/noip-duc is recommended and is the intentional behavior. | ||||
CVE-2024-7042 | 2 Langchain, Langchain-ai | 2 Langchain, Langchainjs | 2024-10-31 | 9.8 Critical |
A vulnerability in the GraphCypherQAChain class of langchain-ai/langchainjs versions 0.2.5 and all versions with this class allows for prompt injection, leading to SQL injection. This vulnerability permits unauthorized data manipulation, data exfiltration, denial of service (DoS) by deleting all data, breaches in multi-tenant security environments, and data integrity issues. Attackers can create, update, or delete nodes and relationships without proper authorization, extract sensitive data, disrupt services, access data across different tenants, and compromise the integrity of the database. | ||||
CVE-2024-5823 | 1 Gaizhenbiao | 1 Chuanhuchatgpt | 2024-10-31 | 9.1 Critical |
A file overwrite vulnerability exists in gaizhenbiao/chuanhuchatgpt versions <= 20240410. This vulnerability allows an attacker to gain unauthorized access to overwrite critical configuration files within the system. Exploiting this vulnerability can lead to unauthorized changes in system behavior or security settings. Additionally, tampering with these configuration files can result in a denial of service (DoS) condition, disrupting normal system operation. | ||||
CVE-2022-30357 | 1 Ovaledge | 1 Ovaledge | 2024-10-31 | 9.8 Critical |
OvalEdge 5.2.8.0 and earlier is affected by an Account Takeover vulnerability via a POST request to /profile/updateProfile via the userId and email parameters. Authentication is required. | ||||
CVE-2024-48230 | 1 Funadmin | 1 Funadmin | 2024-10-31 | 9.8 Critical |
funadmin 5.0.2 is vulnerable to SQL Injection via the parentField parameter in the index method of \backend\controller\auth\Auth.php. | ||||
CVE-2024-48229 | 1 Funadmin | 1 Funadmin | 2024-10-31 | 9.8 Critical |
funadmin 5.0.2 has a SQL injection vulnerability in the Curd one click command mode plugin. | ||||
CVE-2024-48223 | 1 Funadmin | 1 Funadmin | 2024-10-31 | 9.8 Critical |
Funadmin v5.0.2 has a SQL injection vulnerability in /curd/table/fieldlist. | ||||
CVE-2024-48222 | 1 Funadmin | 1 Funadmin | 2024-10-31 | 9.8 Critical |
Funadmin v5.0.2 has a SQL injection vulnerability in /curd/table/edit. |
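The CVE-2024-10525 entry above (Eclipse Mosquitto) describes a client that trusts a broker's SUBACK and touches reason codes that are not there. The following is an added example, not libmosquitto code: it parses a SUBACK laid out per the MQTT v5 packet format, rejects a packet whose reason-code count is zero or does not match the number of topic filters the client sent, and only then lets the on_subscribe logic index into the codes. Both sample packets are constructed by hand.

```python
"""Hardened SUBACK handling for an MQTT v5 client (added example, not
libmosquitto code; sample packets below are constructed)."""
from dataclasses import dataclass

SUBACK_TYPE = 0x90  # packet type 9 in the high nibble, reserved flags 0


def decode_varint(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode an MQTT variable-byte integer at buf[pos]; return (value, next_pos)."""
    value, mult = 0, 1
    for i in range(4):
        if pos + i >= len(buf):
            raise ValueError("truncated variable-byte integer")
        byte = buf[pos + i]
        value += (byte & 0x7F) * mult
        if not byte & 0x80:
            return value, pos + i + 1
        mult *= 128
    raise ValueError("malformed variable-byte integer")


@dataclass
class SubAck:
    packet_id: int
    reason_codes: list[int]


def parse_suback(packet: bytes, expected_codes: int) -> SubAck:
    """Parse a SUBACK and enforce exactly one reason code per topic filter
    that was sent in the SUBSCRIBE (the check the advisory describes as missing)."""
    if not packet or packet[0] != SUBACK_TYPE:
        raise ValueError("not a SUBACK packet")
    remaining, pos = decode_varint(packet, 1)
    if len(packet) - pos != remaining:
        raise ValueError("remaining length does not match packet size")
    if remaining < 3:  # packet identifier (2 bytes) + properties length (>= 1 byte)
        raise ValueError("SUBACK too short")
    packet_id = int.from_bytes(packet[pos:pos + 2], "big")
    pos += 2
    prop_len, pos = decode_varint(packet, pos)
    pos += prop_len  # properties are not needed here; skip them
    if pos > len(packet):
        raise ValueError("properties overrun packet")
    codes = list(packet[pos:])
    if not codes:
        raise ValueError("SUBACK carries no reason codes")
    if len(codes) != expected_codes:
        raise ValueError(f"expected {expected_codes} reason codes, got {len(codes)}")
    return SubAck(packet_id, codes)


def unchecked_on_subscribe(codes: list[int]) -> int:
    """The pattern the advisory warns about: reading the first granted code
    without checking the count. In C that is an out-of-bounds read; in Python
    it surfaces as IndexError."""
    return codes[0]


def on_subscribe(ack: SubAck, topics: list[str]) -> dict[str, int]:
    """Map each requested topic filter to its granted reason code. Indexing is
    safe only because parse_suback enforced len(codes) == len(topics)."""
    return {topic: ack.reason_codes[i] for i, topic in enumerate(topics)}


def handle_suback(packet: bytes, topics: list[str]):
    """Return the topic->reason-code map, or the rejection reason as a string."""
    try:
        return on_subscribe(parse_suback(packet, len(topics)), topics)
    except ValueError as err:
        return str(err)


# Constructed sample packets: packet id 1, empty MQTT v5 property block.
TOPICS = ["sensors/temp", "sensors/humidity"]
GOOD_SUBACK = bytes([0x90, 0x05, 0x00, 0x01, 0x00, 0x00, 0x01])  # QoS 0 and QoS 1 granted
CRAFTED_SUBACK = bytes([0x90, 0x03, 0x00, 0x01, 0x00])            # zero reason codes

if __name__ == "__main__":
    print(handle_suback(GOOD_SUBACK, TOPICS))
    print(handle_suback(CRAFTED_SUBACK, TOPICS))
```

The count check matters beyond the zero case: a broker that returns fewer codes than topics would otherwise leave a client indexing past the array as soon as it loops over its own topic list.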
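Several entries above (CVE-2024-48230 via the parentField parameter, CVE-2024-48222, CVE-2024-48223, CVE-2024-48229, CVE-2024-48307) are SQL injections through parameters that name a field or are spliced into CRUD-builder queries. The practitioner point they share is that prepared-statement binding protects values but cannot protect an identifier such as a column name, which has to be allowlisted. The block below is an added example, not funadmin's or JeecgBoot's code: the schema, the allowlist, the injected input and the data are all constructed for the demo.

```python
"""Identifier (column-name) injection versus value injection, in SQLite.
Added example; schema, allowlist and data are constructed and not from any
project listed on this page."""
import sqlite3

# Constructed: the only column names a caller may filter on.
ALLOWED_PARENT_FIELDS = {"id", "pid"}


def setup_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE auth_rule (id INTEGER PRIMARY KEY, pid INTEGER, title TEXT);
        CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO auth_rule VALUES (1, 0, 'root'), (2, 1, 'child');
        INSERT INTO admin VALUES (1, 'admin', 'hash-of-secret');
    """)
    return db


def rules_vulnerable(db, parent_field: str, parent_value: str) -> list[tuple]:
    """Field name and value both concatenated into SQL: injectable through either."""
    sql = f"SELECT id, title FROM auth_rule WHERE {parent_field} = '{parent_value}'"
    return db.execute(sql).fetchall()


def rules_hardened(db, parent_field: str, parent_value: str) -> list[tuple]:
    """Allowlist the identifier, quote it, and bind the value as a parameter."""
    if parent_field not in ALLOWED_PARENT_FIELDS:
        raise ValueError(f"unexpected field name: {parent_field!r}")
    sql = f'SELECT id, title FROM auth_rule WHERE "{parent_field}" = ?'
    return db.execute(sql, (parent_value,)).fetchall()


# Constructed attacker input: the payload rides in the field name, so binding
# the value alone would not have stopped it. The trailing comment swallows
# the rest of the query.
INJECTED_FIELD = "1=1 UNION ALL SELECT id, username || ':' || password FROM admin --"


def demo() -> dict:
    """Run the injected field name through both variants and a legitimate
    lookup through the hardened one."""
    db = setup_db()
    leaked = rules_vulnerable(db, INJECTED_FIELD, "x")
    try:
        rules_hardened(db, INJECTED_FIELD, "x")
        blocked = False
    except ValueError:
        blocked = True
    legit = rules_hardened(db, "pid", "1")
    return {"leaked": leaked, "blocked": blocked, "legit": legit}


if __name__ == "__main__":
    print(demo())
```

Quoting the identifier with double quotes after the allowlist check is belt-and-braces: the allowlist is what prevents the injection, the quoting only keeps a legitimately named column from being misread as a keyword.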