Search Results (363677 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-37090 1 Stylemixthemes 2 Consulting Elementor Widgets, Masterstudy Elementor Widgets 2024-11-21 8.5 High
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in StylemixThemes Masterstudy Elementor Widgets, StylemixThemes Consulting Elementor Widgets.This issue affects Masterstudy Elementor Widgets: from n/a through 1.2.2; Consulting Elementor Widgets: from n/a through 1.3.0.
CVE-2024-37089 1 Stylemixthemes 1 Consulting Elementor Widgets 2024-11-21 9 Critical
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in StylemixThemes Consulting Elementor Widgets allows PHP Local File Inclusion.This issue affects Consulting Elementor Widgets: from n/a through 1.3.0.
CVE-2024-37084 1 Vmware 1 Spring Cloud Data Flow 2024-11-21 9.8 Critical
In Spring Cloud Data Flow versions prior to 2.11.4,  a malicious user who has access to the Skipper server api can use a crafted upload request to write an arbitrary file to any location on the file system which could lead to compromising the server
CVE-2024-37077 1 Openatom 1 Openharmony 2024-11-21 8.2 High
in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through out-of-bounds write.
CVE-2024-37066 1 Wyze 2 Cam V4, Cam V4 Firmware 2024-11-21 6.8 Medium
A command injection vulnerability exists in Wyze V4 Pro firmware versions before 4.50.4.9222, which allows attackers to execute arbitrary commands over Bluetooth as root during the camera setup process.
CVE-2024-37040 1 Schneider-electric 7 Sage 1410, Sage 1430, Sage 1450 and 4 more 2024-11-21 5.4 Medium
CWE-120: Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) vulnerability exists that could allow a user with access to the device’s web interface to cause a fault on the device when sending a malformed HTTP request.
CVE-2024-37039 1 Schneider-electric 7 Sage 1410, Sage 1430, Sage 1450 and 4 more 2024-11-21 5.9 Medium
CWE-252: Unchecked Return Value vulnerability exists that could cause denial of service of the device when an attacker sends a specially crafted HTTP request.
CVE-2024-37038 1 Schneider-electric 7 Sage 1410, Sage 1430, Sage 1450 and 4 more 2024-11-21 7.5 High
CWE-276: Incorrect Default Permissions vulnerability exists that could allow an authenticated user with access to the device’s web interface to perform unauthorized file and firmware uploads when crafting custom web requests.
CVE-2024-37037 1 Schneider-electric 7 Sage 1410, Sage 1430, Sage 1450 and 4 more 2024-11-21 8.1 High
CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability exists that could allow an authenticated user with access to the device’s web interface to corrupt files and impact device functionality when sending a crafted HTTP request.
CVE-2024-37036 1 Schneider-electric 7 Sage 1410, Sage 1430, Sage 1450 and 4 more 2024-11-21 9.8 Critical
CWE-787: Out-of-bounds Write vulnerability exists that could result in an authentication bypass when sending a malformed POST request and particular configuration parameters are set.
CVE-2024-37030 1 Openatom 1 Openharmony 2024-11-21 8.2 High
in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through use after free.
CVE-2024-37029 1 Fujielectric 1 Tellus Lite V-simulator 2024-11-21 7.8 High
Fuji Electric Tellus Lite V-Simulator is vulnerable to a stack-based buffer overflow, which could allow an attacker to execute arbitrary code.
CVE-2024-37022 1 Fujielectric 1 Tellus Lite V-simulator 2024-11-21 7.8 High
Fuji Electric Tellus Lite V-Simulator is vulnerable to an out-of-bounds write, which could allow an attacker to manipulate memory, resulting in execution of arbitrary code.
CVE-2024-37014 1 Langflow 1 Langflow 2024-11-21 8.8 High
Langflow through 0.6.19 allows remote code execution if untrusted users are able to reach the "POST /api/v1/custom_component" endpoint and provide a Python script.
CVE-2024-36837 1 Crmeb 1 Crmeb 2024-11-21 5.4 Medium
SQL Injection vulnerability in CRMEB v.5.2.2 allows a remote attacker to obtain sensitive information via the getProductList function in the ProductController.php file.
CVE-2024-36821 1 Linksys 2 Velop Whw0101, Velop Whw0101 Firmware 2024-11-21 6.8 Medium
Insecure permissions in Linksys Velop WiFi 5 (WHW01v1) 1.1.13.202617 allows attackers to escalate privileges from Guest to root.
CVE-2024-36684 1 Prestashop 1 Pk Customlinks 2024-11-21 9.8 Critical
In the module "Custom links" (pk_customlinks) <= 2.3 from Promokit.eu for PrestaShop, a guest can perform SQL injection. The script ajax.php have a sensitive SQL call that can be executed with a trivial http call and exploited to forge a SQL injection.
CVE-2024-36678 1 Promokit 1 Pk Themesettings 2024-11-21 9.8 Critical
In the module "Theme settings" (pk_themesettings) <= 1.8.8 from Promokit.eu for PrestaShop, a guest can perform SQL injection. The script ajax.php have a sensitive SQL call that can be executed with a trivial http call and exploited to forge a SQL injection.
CVE-2024-36572 1 Allpro 2 Form-manager, Formmanager Data Handler 2024-11-21 9.8 Critical
Prototype pollution in allpro form-manager 0.7.4 allows attackers to run arbitrary code and cause other impacts via the functions setDefaults, mergeBranch, and Object.setObjectValue.
CVE-2024-36541 1 Kube-logging 2 Logging-operator, Logging Operator 2024-11-21 8.8 High
Insecure permissions in logging-operator v4.6.0 allows attackers to access sensitive data and escalate privileges by obtaining the service account's token.