Total 18197 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2019-25213 2 Advanced Access Manager Project, Vasyltech 2 Advanced Access Manager, Advanced Access Manager 2024-10-30 9.8 Critical
The Advanced Access Manager plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Read in versions up to, and including, 5.9.8.1 due to insufficient validation on the aam-media parameter. This allows unauthenticated attackers to read any file on the server, including sensitive files such as wp-config.php
CVE-2021-4449 2 Digitalzoomstudio, Zoomit 2 Zoomsounds, Zoomsounds 2024-10-30 9.8 Critical
The ZoomSounds plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'savepng.php' file in versions up to, and including, 5.96. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVE-2024-48357 1 Lylme 1 Lylme Spage 2024-10-30 9.8 Critical
LyLme Spage 1.2.0 through 1.6.0 is vulnerable to SQL Injection via /admin/apply.php.
CVE-2024-48356 1 Lylme 1 Lylme Spage 2024-10-30 9.8 Critical
LyLme Spage <=1.6.0 is vulnerable to SQL Injection via /admin/group.php.
CVE-2024-47901 1 Siemens 4 Intermesh 7177 Hybrid2.0 Subscriber, Intermesh 7177 Hybrid 2.0 Subscriber, Intermesh 7707 Fire Subscriber and 1 more 2024-10-30 10 Critical
A vulnerability has been identified in InterMesh 7177 Hybrid 2.0 Subscriber (All versions < V8.2.12), InterMesh 7707 Fire Subscriber (All versions < V7.2.12 only if the IP interface is enabled (which is not the default configuration)). The web server of affected devices does not sanitize the input parameters in specific GET requests that allow for code execution on operating system level. In combination with other vulnerabilities (CVE-2024-47902, CVE-2024-47903, CVE-2024-47904) this could allow an unauthenticated remote attacker to execute arbitrary code with root privileges.
CVE-2024-7763 1 Progress 1 Whatsup Gold 2024-10-30 9.8 Critical
In WhatsUp Gold versions released before 2024.0.0,  an Authentication Bypass issue exists which allows an attacker to obtain encrypted user credentials.
CVE-2024-7824 1 Webroot 1 Secureanywhere Web Shield 2024-10-30 9.8 Critical
Access of Resource Using Incompatible Type ('Type Confusion') vulnerability in Webroot SecureAnywhere - Web Shield on Windows, ARM, 64 bit, 32 bit (wrUrl.Dll modules) allows Functionality Misuse.This issue affects SecureAnywhere - Web Shield: before 2.1.2.3.
CVE-2024-7825 1 Webroot 1 Secureanywhere Web Shield 2024-10-30 9.8 Critical
Access of Resource Using Incompatible Type ('Type Confusion') vulnerability in Webroot SecureAnywhere - Web Shield on Windows, ARM, 64 bit, 32 bit (wrUrl.Dll modules) allows Functionality Misuse.This issue affects SecureAnywhere - Web Shield: before 2.1.2.3.
CVE-2024-7826 1 Webroot 1 Secureanywhere Web Shield 2024-10-30 9.8 Critical
Improper Check for Unusual or Exceptional Conditions vulnerability in Webroot SecureAnywhere - Web Shield on Windows, ARM, 64 bit, 32 bit (wrURL.Dll modules) allows Functionality Misuse.This issue affects SecureAnywhere - Web Shield: before 2.1.2.3.
CVE-2024-50494 1 Amin Omer 1 Wc Sudan Payment Gateway 2024-10-29 10 Critical
Unrestricted Upload of File with Dangerous Type vulnerability in Amin Omer Sudan Payment Gateway for WooCommerce allows Upload a Web Shell to a Web Server.This issue affects Sudan Payment Gateway for WooCommerce: from n/a through 1.2.2.
CVE-2024-50493 1 Masterhomepage 1 Automatic Translation 2024-10-29 10 Critical
Unrestricted Upload of File with Dangerous Type vulnerability in masterhomepage Automatic Translation allows Upload a Web Shell to a Web Server.This issue affects Automatic Translation: from n/a through 1.0.4.
CVE-2024-50484 1 Mahlamusa 1 Multi Purpose Mail Form 2024-10-29 10 Critical
Unrestricted Upload of File with Dangerous Type vulnerability in mahlamusa Multi Purpose Mail Form allows Upload a Web Shell to a Web Server.This issue affects Multi Purpose Mail Form: from n/a through 1.0.2.
CVE-2024-41618 1 Moneymanagerex 1 Money Manager Ex Webapp 2024-10-29 9.8 Critical
Money Manager EX WebApp (web-money-manager-ex) 1.2.2 is vulnerable to SQL Injection in the `transaction_delete_group` function. The vulnerability is due to improper sanitization of user input in the `TrDeleteArr` parameter, which is directly incorporated into an SQL query.
CVE-2024-41617 1 Moneymanagerex 1 Money Manager Ex Webapp 2024-10-29 9.8 Critical
Money Manager EX WebApp (web-money-manager-ex) 1.2.2 is vulnerable to Incorrect Access Control. The `redirect_if_not_loggedin` function in `functions_security.php` fails to terminate script execution after redirecting unauthenticated users. This flaw allows an unauthenticated attacker to upload arbitrary files, potentially leading to Remote Code Execution.
CVE-2024-50486 1 Acnoo 2 Acnoo Flutter Api, Flutter Api 2024-10-29 9.8 Critical
Authentication Bypass Using an Alternate Path or Channel vulnerability in Acnoo Acnoo Flutter API allows Authentication Bypass.This issue affects Acnoo Flutter API: from n/a through 1.0.5.
CVE-2024-47883 1 Openrefine 2 Butterfly, Similie Butterfly 2024-10-29 9.1 Critical
The OpenRefine fork of the MIT Simile Butterfly server is a modular web application framework. The Butterfly framework uses the `java.net.URL` class to refer to (what are expected to be) local resource files, like images or templates. This works: "opening a connection" to these URLs opens the local file. However, prior to version 1.2.6, if a `file:/` URL is directly given where a relative path (resource name) is expected, this is also accepted in some code paths; the app then fetches the file, from a remote machine if indicated, and uses it as if it was a trusted part of the app's codebase. This leads to multiple weaknesses and potential weaknesses. An attacker that has network access to the application could use it to gain access to files, either on the the server's filesystem (path traversal) or shared by nearby machines (server-side request forgery with e.g. SMB). An attacker that can lead or redirect a user to a crafted URL belonging to the app could cause arbitrary attacker-controlled JavaScript to be loaded in the victim's browser (cross-site scripting). If an app is written in such a way that an attacker can influence the resource name used for a template, that attacker could cause the app to fetch and execute an attacker-controlled template (remote code execution). Version 1.2.6 contains a patch.
CVE-2024-42017 2024-10-29 10 Critical
An issue was discovered in Atos Eviden iCare 2.7.1 through 2.7.11. The application exposes a web interface locally. In the worst-case scenario, if the application is remotely accessible, it allows an attacker to execute arbitrary commands with system privilege on the endpoint hosting the application, without any authentication.
CVE-2024-50476 1 Grun Software Group 1 Spendino Spendenformular 2024-10-29 9.8 Critical
Missing Authorization vulnerability in GRÜN Software Group GmbH GRÜN spendino Spendenformular allows Privilege Escalation.This issue affects GRÜN spendino Spendenformular: from n/a through 1.0.1.
CVE-2024-50475 1 Scott Gamon 1 Signup Page 2024-10-29 9.8 Critical
Missing Authorization vulnerability in Scott Gamon Signup Page allows Privilege Escalation.This issue affects Signup Page: from n/a through 1.0.
CVE-2024-50482 1 Chetan Khandla 1 Woocommerce Product Design 2024-10-29 10 Critical
Unrestricted Upload of File with Dangerous Type vulnerability in Chetan Khandla Woocommerce Product Design allows Upload a Web Shell to a Web Server.This issue affects Woocommerce Product Design: from n/a through 1.0.0.