Total 18193 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2024-5335 2024-08-21 9.8 Critical
The Ultimate Store Kit Elementor Addons, Woocommerce Builder, EDD Builder, Elementor Store Builder, Product Grid, Product Table, Woocommerce Slider plugin is vulnerable to PHP Object Injection via deserialization of untrusted input via the _ultimate_store_kit_compare_products cookie in versions up to , and including, 1.6.4. This makes it possible for an unauthenticated attacker to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker or above to delete arbitrary files, retrieve sensitive data, or execute code.
CVE-2024-43252 1 Crewhrm 1 Crewhrm 2024-08-21 9 Critical
Deserialization of Untrusted Data vulnerability in Crew HRM allows Object Injection.This issue affects Crew HRM: from n/a through 1.1.1.
CVE-2024-43401 1 Xwiki 2 Xwiki, Xwiki-platform 2024-08-21 9.1 Critical
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A user without script/programming right can trick a user with elevated rights to edit a content with a malicious payload using a WYSIWYG editor. The user with elevated rights is not warned beforehand that they are going to edit possibly dangerous content. The payload is executed at edit time. This vulnerability has been patched in XWiki 15.10RC1.
CVE-2024-42567 2 Arajajyothibabu, School Management System Project 2 School Management System, School Management System 2024-08-21 9.8 Critical
School Management System commit bae5aa was discovered to contain a SQL injection vulnerability via the sid parameter at /search.php?action=2.
CVE-2024-42570 1 Arajajyothibabu 1 School Management System 2024-08-21 9.8 Critical
School Management System commit bae5aa was discovered to contain a SQL injection vulnerability via the medium parameter at admininsert.php.
CVE-2024-42574 1 Arajajyothibabu 1 School Management System 2024-08-21 9.8 Critical
School Management System commit bae5aa was discovered to contain a SQL injection vulnerability via the medium parameter at attendance.php.
CVE-2024-42575 1 Arajajyothibabu 1 School Management System 2024-08-21 9.8 Critical
School Management System commit bae5aa was discovered to contain a SQL injection vulnerability via the medium parameter at substaff.php.
CVE-2024-42581 2 Oswapp, Siamonhasan 2 Warehouse Inventory System, Warehouse Inventory System 2024-08-21 9.6 Critical
A Cross-Site Request Forgery (CSRF) in the component delete_group.php of Warehouse Inventory System v2.0 allows attackers to escalate privileges.
CVE-2024-44076 1 Microcks 1 Microcks 2024-08-21 9.8 Critical
In Microcks before 1.10.0, the POST /api/import and POST /api/export endpoints allow non-administrator access.
CVE-2024-42565 1 Jerryhanjj 1 Erp 2024-08-20 9.8 Critical
ERP commit 44bd04 was discovered to contain a SQL injection vulnerability via the id parameter at /index.php/basedata/contact/delete?action=delete.
CVE-2024-42558 1 Vaibhavverma9999 1 Hotel Management System 2024-08-20 9.8 Critical
Hotel Management System commit 91caab8 was discovered to contain a SQL injection vulnerability via the book_id parameter at admin_modify_room.php.
CVE-2024-6847 1 Smartsearchwp 1 Chatbot With Chatgpt Wordpress 2024-08-20 9.8 Critical
The Chatbot with ChatGPT WordPress plugin before 2.4.5 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users when submitting messages to the chatbot.
CVE-2024-42559 1 Hotel Management System Project 1 Hotel Management System 2024-08-20 9.8 Critical
An issue in the login component (process_login.php) of Hotel Management System commit 79d688 allows attackers to authenticate without providing a valid password.
CVE-2024-6500 1 Inspirelabs 2 Inpost For Woocommerce, Inpost Pl 2024-08-20 10 Critical
The InPost for WooCommerce plugin and InPost PL plugin for WordPress are vulnerable to unauthorized access and deletion of data due to a missing capability check on the 'parse_request' function in all versions up to, and including, 1.4.0 (for InPost for WooCommerce) as well as 1.4.4 (for InPost PL). This makes it possible for unauthenticated attackers to read and delete arbitrary files on Windows servers. On Linux servers, only files within the WordPress install will be deleted, but all files can be read.
CVE-2024-33872 1 Keyfactor 1 Command 2024-08-20 9.8 Critical
Keyfactor Command 10.5.x before 10.5.1 and 11.5.x before 11.5.1 allows SQL Injection which could result in code execution and escalation of privileges.
CVE-2024-42569 1 Arajajyothibabu 1 School Management System 2024-08-20 9.8 Critical
School Management System commit bae5aa was discovered to contain a SQL injection vulnerability via the medium parameter at paidclass.php.
CVE-2024-42562 1 Krishna9772 1 Pharmacy Management System 2024-08-20 9.8 Critical
Pharmacy Management System commit a2efc8 was discovered to contain a SQL injection vulnerability via the invoice_number parameter at preview.php.
CVE-2024-5914 1 Paloaltonetworks 1 Cortex Xsoar Commonscripts 2024-08-20 9.8 Critical
A command injection issue in Palo Alto Networks Cortex XSOAR CommonScripts Pack allows an unauthenticated attacker to execute arbitrary commands within the context of an integration container.
CVE-2024-38891 1 Horizoncloud 1 Caterease 2024-08-20 9.1 Critical
An issue in Horizon Business Services Inc. Caterease 16.0.1.1663 through 24.0.1.2405 and possibly later versions, allows a remote attacker to perform a Sniffing Network Traffic attack due to the cleartext transmission of sensitive information.
CVE-2024-38887 1 Horizoncloud 1 Caterease 2024-08-20 9.8 Critical
An issue in Horizon Business Services Inc. Caterease 16.0.1.1663 through 24.0.1.2405 and possibly later versions, allows a remote attacker to expand control over the operating system from the database due to the execution of commands with unnecessary privileges.