Total
264172 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-47480 | 1 Puredata | 1 Puredata | 2024-09-26 | 8.4 High |
| An issue in Pure Data 0.54-0 and fixed in 0.54-1 allows a local attacker to escalate privileges via the set*id () function. | ||||
| CVE-2024-47210 | 1 Gladysassistant | 1 Gladys Assistant | 2024-09-26 | 8.8 High |
| Gladys Assistant before 4.45.1 allows Privilege Escalation (a user changing their own role) because req.body.role can be used in updateMySelf in server/api/controllers/user.controller.js. | ||||
| CVE-2024-47219 | 1 Vesoft | 1 Nebulagraph Studio | 2024-09-26 | N/A |
| An issue was discovered in vesoft NebulaGraph through 3.8.0. It allows shell command injection. | ||||
| CVE-2024-47220 | 1 Ruby | 1 Webrick | 2024-09-26 | 7.5 High |
| An issue was discovered in the WEBrick toolkit through 1.8.1 for Ruby. It allows HTTP request smuggling by providing both a Content-Length header and a Transfer-Encoding header, e.g., "GET /admin HTTP/1.1\r\n" inside of a "POST /user HTTP/1.1\r\n" request. NOTE: the supplier's position is "Webrick should not be used in production." | ||||
| CVE-2024-41228 | 1 Symlink | 1 Symlink | 2024-09-26 | 7.6 High |
| A symlink following vulnerability in the pouch cp function of AliyunContainerService pouch v1.3.1 allows attackers to escalate privileges and write arbitrary files. | ||||
| CVE-2024-8606 | 1 Checkmk | 1 Checkmk | 2024-09-26 | N/A |
| Bypass of two factor authentication in RestAPI in Checkmk < 2.3.0p16 and < 2.2.0p34 allows authenticated users to bypass two factor authentication | ||||
| CVE-2024-34331 | 1 Parallels | 1 Parallels Desktop | 2024-09-26 | 9.8 Critical |
| A lack of code signature verification in Parallels Desktop for Mac v19.3.0 and below allows attackers to escalate privileges via a crafted macOS installer, because Parallels Service is setuid root. | ||||
| CVE-2024-43996 | 2024-09-26 | 6.5 Medium | ||
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ElementsKit ElementsKit Pro allows PHP Local File Inclusion.This issue affects ElementsKit Pro: from n/a through 3.6.0. | ||||
| CVE-2024-44048 | 2024-09-26 | 6.5 Medium | ||
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in wpWax Product Carousel Slider & Grid Ultimate for WooCommerce allows PHP Local File Inclusion.This issue affects Product Carousel Slider & Grid Ultimate for WooCommerce: from n/a through 1.9.10. | ||||
| CVE-2024-45453 | 2024-09-26 | 3.7 Low | ||
| Authentication Bypass by Spoofing vulnerability in Peter Hardy-vanDoorn Maintenance Redirect allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Maintenance Redirect: from n/a through 2.0.1. | ||||
| CVE-2024-7846 | 1 Yithemes | 1 Yith Woocommerce Ajax Search | 2024-09-26 | 5.4 Medium |
| YITH WooCommerce Ajax Search is vulnerable to a XSS vulnerability due to insufficient sanitization of user supplied block attributes. This makes it possible for Contributors+ attackers to inject arbitrary scripts. | ||||
| CVE-2024-7835 | 1 Exnet Informatics Software | 1 Ferry Reservation System | 2024-09-26 | N/A |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Exnet Informatics Software Ferry Reservation System allows Reflected XSS.This issue affects Ferry Reservation System: before 240805-002. | ||||
| CVE-2024-23972 | 1 Sony | 1 Xav-ax5500 | 2024-09-26 | 6.8 Medium |
| Sony XAV-AX5500 USB Configuration Descriptor Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Sony XAV-AX5500 devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the USB host driver. A crafted USB configuration descriptor can trigger an overflow of a fixed-length buffer. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-23185 | ||||
| CVE-2024-43989 | 2024-09-26 | 7.5 High | ||
| Server-Side Request Forgery (SSRF) vulnerability in Firsh Justified Image Grid allows Server Side Request Forgery.This issue affects Justified Image Grid: from n/a through 4.6.1. | ||||
| CVE-2024-39843 | 1 Centreon | 1 Centreon | 2024-09-26 | 6.7 Medium |
| A SQL injection vulnerability in Centreon 24.04.2 allows a remote high-privileged attacker to execute arbitrary SQL command via create user form inputs. | ||||
| CVE-2024-46997 | 1 Dataease | 1 Dataease | 2024-09-26 | 9.8 Critical |
| DataEase is an open source data visualization analysis tool. Prior to version 2.10.1, an attacker can achieve remote command execution by adding a carefully constructed h2 data source connection string. The vulnerability has been fixed in v2.10.1. | ||||
| CVE-2024-45348 | 1 Mi | 1 Ax9000 Firmware | 2024-09-26 | 6.4 Medium |
| Xiaomi Router AX9000 has a post-authorization command injection vulnerability. This vulnerability is caused by the lack of validation of user input, and an attacker can exploit this vulnerability to execute arbitrary code. | ||||
| CVE-2024-23933 | 1 Sony | 1 Xav-ax5500 | 2024-09-26 | 6.8 Medium |
| Sony XAV-AX5500 CarPlay TLV Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Sony XAV-AX5500 devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the Apple CarPlay protocol. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-23238 | ||||
| CVE-2024-47068 | 1 Rollup | 1 Rollup | 2024-09-26 | 6.1 Medium |
| Rollup is a module bundler for JavaScript. Versions prior to 3.29.5 and 4.22.4 are susceptible to a DOM Clobbering vulnerability when bundling scripts with properties from `import.meta` (e.g., `import.meta.url`) in `cjs`/`umd`/`iife` format. The DOM Clobbering gadget can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an `img` tag with an unsanitized `name` attribute) are present. Versions 3.29.5 and 4.22.4 contain a patch for the vulnerability. | ||||
| CVE-2024-9075 | 2024-09-26 | 2.6 Low | ||
| A vulnerability was found in Stirling-Tools Stirling-PDF up to 0.28.3. It has been declared as problematic. This vulnerability affects unknown code of the component Markdown-to-PDF. The manipulation leads to cross site scripting. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. Upgrading to version 0.29.0 is able to address this issue. It is recommended to upgrade the affected component. The vendor explains that "this functionality was removed in 0.29.0 already" and "we plan to re-add at later date with issue resolved". | ||||