Total
53154 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-1859 | 2024-11-21 | 8.8 High | ||
| The Slider Responsive Slideshow – Image slider, Gallery slideshow plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.8 via deserialization of untrusted input to the awl_slider_responsive_shortcode function. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. | ||||
| CVE-2024-1856 | 2024-11-21 | 8.5 High | ||
| In Progress® Telerik® Reporting versions prior to 2024 Q1 (18.0.24.130), a code execution attack is possible by a remote threat actor through an insecure deserialization vulnerability. | ||||
| CVE-2024-1852 | 2024-11-21 | 7.2 High | ||
| The WP-Members Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the X-Forwarded-For header in all versions up to, and including, 3.4.9.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page which is the edit users page. This vulnerability was partially patched in version 3.4.9.2, and was fully patched in 3.4.9.3. | ||||
| CVE-2024-1848 | 2024-11-21 | 7.8 High | ||
| Heap-based Buffer Overflow, Memory Corruption, Out-Of-Bounds Read, Out-Of-Bounds Write, Stack-based Buffer Overflow, Type Confusion, Uninitialized Variable, Use-After-Free vulnerabilities exist in the file reading procedure in SOLIDWORKS Desktop on Release SOLIDWORKS 2024. These vulnerabilities could allow an attacker to execute arbitrary code while opening a specially crafted CATPART, DWG, DXF, IPT, JT, SAT, SLDDRW, SLDPRT, STL, STP, X_B or X_T file. | ||||
| CVE-2024-1847 | 2024-11-21 | 7.8 High | ||
| Heap-based Buffer Overflow, Memory Corruption, Out-Of-Bounds Read, Out-Of-Bounds Write, Stack-based Buffer Overflow, Type Confusion, Uninitialized Variable, Use-After-Free vulnerabilities exist in the file reading procedure in eDrawings from Release SOLIDWORKS 2023 through Release SOLIDWORKS 2024. These vulnerabilities could allow an attacker to execute arbitrary code while opening a specially crafted CATPART, IPT, JT, SAT, STL, STP, X_B or X_T file. NOTE: CVE-2024-3298 and CVE-2024-3299 were SPLIT from this ID. | ||||
| CVE-2024-1845 | 1 E4jconnect | 1 Vikrentcar | 2024-11-21 | 8.8 High |
| The VikRentCar Car Rental Management System WordPress plugin before 1.3.2 does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks | ||||
| CVE-2024-1833 | 2024-11-21 | 7.3 High | ||
| A vulnerability was found in SourceCodester Employee Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /Account/login.php. The manipulation of the argument txtusername leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-254624. | ||||
| CVE-2024-1832 | 2024-11-21 | 7.3 High | ||
| A vulnerability has been found in SourceCodester Complete File Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin/ of the component Admin Login Form. The manipulation of the argument username with the input torada%27+or+%271%27+%3D+%271%27+--+- leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-254623. | ||||
| CVE-2024-1831 | 2024-11-21 | 7.3 High | ||
| A vulnerability, which was classified as critical, was found in SourceCodester Complete File Management System 1.0. Affected is an unknown function of the file users/index.php of the component Login Form. The manipulation of the argument username with the input torada%27+or+%271%27+%3D+%271%27+--+- leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-254622 is the identifier assigned to this vulnerability. | ||||
| CVE-2024-1830 | 2024-11-21 | 7.3 High | ||
| A vulnerability was found in code-projects Library System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file Source/librarian/user/student/lost-password.php. The manipulation of the argument email leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-254618 is the identifier assigned to this vulnerability. | ||||
| CVE-2024-1829 | 2024-11-21 | 7.3 High | ||
| A vulnerability was found in code-projects Library System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file Source/librarian/user/student/registration.php. The manipulation of the argument email/regno/phone/username leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-254617 was assigned to this vulnerability. | ||||
| CVE-2024-1828 | 2024-11-21 | 7.3 High | ||
| A vulnerability was found in code-projects Library System 1.0. It has been classified as critical. Affected is an unknown function of the file Source/librarian/user/teacher/registration.php. The manipulation of the argument email/idno/phone/username leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-254616. | ||||
| CVE-2024-1827 | 2024-11-21 | 7.3 High | ||
| A vulnerability was found in code-projects Library System 1.0 and classified as critical. This issue affects some unknown processing of the file Source/librarian/user/teacher/login.php. The manipulation of the argument username/password leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-254615. | ||||
| CVE-2024-1826 | 2024-11-21 | 7.3 High | ||
| A vulnerability has been found in code-projects Library System 1.0 and classified as critical. This vulnerability affects unknown code of the file Source/librarian/user/student/login.php. The manipulation of the argument username/password leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-254614 is the identifier assigned to this vulnerability. | ||||
| CVE-2024-1824 | 2024-11-21 | 7.3 High | ||
| A vulnerability, which was classified as critical, has been found in CodeAstro House Rental Management System 1.0. Affected by this issue is some unknown functionality of the file signing.php. The manipulation of the argument uname/password leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-254612. | ||||
| CVE-2024-1820 | 2024-11-21 | 7.3 High | ||
| A vulnerability was found in code-projects Crime Reporting System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file inchargelogin.php. The manipulation of the argument email/password leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-254608. | ||||
| CVE-2024-1817 | 2024-11-21 | 7.3 High | ||
| A vulnerability has been found in Demososo DM Enterprise Website Building System up to 2022.8 and classified as critical. Affected by this vulnerability is the function dmlogin of the file indexDM_load.php of the component Cookie Handler. The manipulation of the argument is_admin with the input y leads to improper authentication. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-254605 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-1812 | 2024-11-21 | 7.2 High | ||
| The Everest Forms plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.0.7 via the 'font_url' parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | ||||
| CVE-2024-1801 | 2024-11-21 | 7.7 High | ||
| In Progress® Telerik® Reporting versions prior to 2024 Q1 (18.0.24.130), a code execution attack is possible by a local threat actor through an insecure deserialization vulnerability. | ||||
| CVE-2024-1799 | 2024-11-21 | 8.8 High | ||
| The GamiPress – The #1 gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to SQL Injection via the 'achievement_types' attribute of the gamipress_earnings shortcode in all versions up to, and including, 6.8.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||