Total 18194 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2024-51259 1 Draytek 1 Vigor3900 Firmware 2024-11-01 9.8 Critical
DrayTek Vigor3900 1.5.1.3 allows attackers to inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the setup_cacertificate function.
CVE-2024-48307 1 Jeecg 1 Jeecgboot 2024-11-01 9.8 Critical
JeecgBoot v3.7.1 was discovered to contain a SQL injection vulnerability via the component /onlDragDatasetHead/getTotalData.
CVE-2024-51255 1 Draytek 1 Vigor3900 Firmware 2024-11-01 9.8 Critical
DrayTek Vigor3900 1.5.1.3 allows attackers to inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the ruequest_certificate function.
CVE-2024-49674 1 Lukas Huser 1 Ekc Tournament Manager 2024-11-01 9.6 Critical
Cross-Site Request Forgery (CSRF) vulnerability in Lukas Huser EKC Tournament Manager allows Upload a Web Shell to a Web Server. This issue affects EKC Tournament Manager: from n/a through 2.2.1.
CVE-2024-10456 1 Deltaww 1 Infrasuite Device Master 2024-11-01 9.8 Critical
Delta Electronics InfraSuite Device Master versions prior to 1.0.12 are affected by a deserialization vulnerability that targets the Device-Gateway, which could allow deserialization of arbitrary .NET objects prior to authentication.
CVE-2024-51260 1 Draytek 1 Vigor3900 Firmware 2024-11-01 9.8 Critical
DrayTek Vigor3900 1.5.1.3 allows attackers to inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the acme_process function.
CVE-2024-43984 1 Podlove 1 Podlove Podcast Publisher 2024-11-01 9.6 Critical
Cross-Site Request Forgery (CSRF) vulnerability in Podlove Podlove Podcast Publisher allows Code Injection. This issue affects Podlove Podcast Publisher: from n/a through 4.1.13.
CVE-2024-10525 1 Eclipse Foundation 1 Mosquitto 2024-11-01 9.1 Critical
In Eclipse Mosquitto, from version 1.3.2 through 2.0.18, if a malicious broker sends a crafted SUBACK packet with no reason codes, a client using libmosquitto may perform an out-of-bounds memory access when acting in its on_subscribe callback. This affects the mosquitto_sub and mosquitto_rr clients.
CVE-2024-8512 2024-11-01 9.1 Critical
The W3SPEEDSTER plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.26 via the 'script' parameter of the hookBeforeStartOptimization() function. This is due to the plugin passing user supplied input to eval(). This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server.
CVE-2024-50503 2024-11-01 9.8 Critical
Authentication Bypass Using an Alternate Path or Channel vulnerability in Deryck Oñate User Toolkit allows Authentication Bypass. This issue affects User Toolkit: from n/a through 1.2.3.
CVE-2024-48237 1 Wtcms Project 1 Wtcms 2024-11-01 9.8 Critical
WTCMS 1.0 is vulnerable to Incorrect Access Control in \Common\Controller\HomebaseController.class.php.
CVE-2024-38821 1 Spring 1 Webflux 2024-11-01 9.1 Critical
Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances. For this to impact an application, all of the following must be true:
* It must be a WebFlux application
* It must be using Spring's static resources support
* It must have a non-permitAll authorization rule applied to the static resources support
CVE-2024-40457 1 No-ip 1 Duc 2024-10-31 9.1 Critical
No-IP Dynamic Update Client (DUC) v3.x uses cleartext credentials that may occur on a command line or in a file. NOTE: the vendor's position is that cleartext in /etc/default/noip-duc is recommended and is the intentional behavior.
CVE-2024-7042 2 Langchain, Langchain-ai 2 Langchain, Langchainjs 2024-10-31 9.8 Critical
A vulnerability in the GraphCypherQAChain class of langchain-ai/langchainjs versions 0.2.5 and all versions with this class allows for prompt injection, leading to SQL injection. This vulnerability permits unauthorized data manipulation, data exfiltration, denial of service (DoS) by deleting all data, breaches in multi-tenant security environments, and data integrity issues. Attackers can create, update, or delete nodes and relationships without proper authorization, extract sensitive data, disrupt services, access data across different tenants, and compromise the integrity of the database.
CVE-2024-5823 1 Gaizhenbiao 1 Chuanhuchatgpt 2024-10-31 9.1 Critical
A file overwrite vulnerability exists in gaizhenbiao/chuanhuchatgpt versions <= 20240410. This vulnerability allows an attacker to gain unauthorized access to overwrite critical configuration files within the system. Exploiting this vulnerability can lead to unauthorized changes in system behavior or security settings. Additionally, tampering with these configuration files can result in a denial of service (DoS) condition, disrupting normal system operation.
CVE-2022-30357 1 Ovaledge 1 Ovaledge 2024-10-31 9.8 Critical
OvalEdge 5.2.8.0 and earlier is affected by an Account Takeover vulnerability via a POST request to /profile/updateProfile via the userId and email parameters. Authentication is required.
CVE-2024-48230 1 Funadmin 1 Funadmin 2024-10-31 9.8 Critical
funadmin 5.0.2 is vulnerable to SQL Injection via the parentField parameter in the index method of \backend\controller\auth\Auth.php.
CVE-2024-48229 1 Funadmin 1 Funadmin 2024-10-31 9.8 Critical
funadmin 5.0.2 has a SQL injection vulnerability in the Curd one click command mode plugin.
CVE-2024-48223 1 Funadmin 1 Funadmin 2024-10-31 9.8 Critical
Funadmin v5.0.2 has a SQL injection vulnerability in /curd/table/fieldlist.
CVE-2024-48222 1 Funadmin 1 Funadmin 2024-10-31 9.8 Critical
Funadmin v5.0.2 has a SQL injection vulnerability in /curd/table/edit.