Total: 277587 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
---|---|---|---|---|---|
CVE-2024-10195 | 1 Tecno-mobile | 2 4g Portable Wifi Tr118, 4g Portable Wifi Tr118 Firmware | 2024-10-24 | 4.7 Medium | A vulnerability was found in Tecno 4G Portable WiFi TR118 V008-20220830. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /goform/goform_get_cmd_process of the component SMS Check. The manipulation of the argument order_by leads to sql injection. The attack can be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way. |
CVE-2024-49622 | 1 Apa | 1 Apa Banner Slider | 2024-10-24 | 8.2 High | Cross-Site Request Forgery (CSRF) vulnerability in Apa Apa Banner Slider allows SQL Injection. This issue affects Apa Banner Slider: from n/a through 1.0.0. |
CVE-2024-49623 | 1 Hasanmovahed | 1 Duplicate Title Validate | 2024-10-24 | 8.5 High | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Hasan Movahed Duplicate Title Validate allows Blind SQL Injection. This issue affects Duplicate Title Validate: from n/a through 1.0. |
CVE-2024-49631 | 1 Mdabdulkader | 1 Easy Addons For Elementor | 2024-10-24 | 6.5 Medium | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Md Abdul Kader Easy Addons for Elementor allows Stored XSS. This issue affects Easy Addons for Elementor: from n/a through 1.3.0. |
CVE-2024-10200 | 1 Wellchoose | 1 Administrative Management System | 2024-10-24 | 7.5 High | Administrative Management System from Wellchoose has a Path Traversal vulnerability, allowing unauthenticated remote attackers to exploit this vulnerability to download arbitrary files on the server. |
CVE-2024-10201 | 1 Wellchoose | 1 Administrative Management System | 2024-10-24 | 8.8 High | Administrative Management System from Wellchoose does not properly validate uploaded file types, allowing remote attackers with regular privileges to upload and execute webshells. |
CVE-2024-8625 | 2 Pollbytotalsoft, Total-soft | 2 Ts Poll, Ts Poll | 2024-10-24 | 7.2 High | The TS Poll WordPress plugin before 2.4.0 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks. |
CVE-2024-43945 | 1 Latepoint | 1 Latepoint | 2024-10-24 | 6.5 Medium | Cross-Site Request Forgery (CSRF) vulnerability in Latepoint LatePoint allows Cross Site Request Forgery. This issue affects LatePoint: from n/a through 4.9.91. |
CVE-2024-47328 | 1 Funnelkit | 1 Funnelkit Automations | 2024-10-24 | 7.6 High | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in FunnelKit Automation By Autonami allows SQL Injection. This issue affects Automation By Autonami: from n/a through 3.1.2. |
CVE-2024-9923 | 1 Teamplus | 1 Team+ Pro | 2024-10-24 | 4.9 Medium | The Team+ from TEAMPLUS TECHNOLOGY does not properly validate a specific page parameter, allowing remote attackers with administrator privileges to move arbitrary system files to the website root directory and access them. |
CVE-2024-9922 | 1 Teamplus | 2 Team+, Team+ Pro | 2024-10-24 | 7.5 High | The Team+ from TEAMPLUS TECHNOLOGY does not properly validate a specific page parameter, allowing unauthenticated remote attackers to exploit this vulnerability to read arbitrary system files. |
CVE-2024-9921 | 1 Teamplus | 2 Team+, Team+ Pro | 2024-10-24 | 9.8 Critical | The Team+ from TEAMPLUS TECHNOLOGY does not properly validate a specific page parameter, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify and delete database contents. |
CVE-2024-10286 | 1 Ujangrohidin | 1 Localserver | 2024-10-24 | 6.1 Medium | Cross-Site Scripting (XSS) vulnerability affecting LocalServer 1.0.9 that could allow a remote user to send a specially crafted query to an authenticated user and steal their session details through /testmail/index.php, parameter to. |
CVE-2024-10289 | 1 Ujangrohidin | 1 Localserver | 2024-10-24 | 6.1 Medium | Cross-Site Scripting (XSS) vulnerability affecting LocalServer 1.0.9 that could allow a remote user to send a specially crafted query to an authenticated user and steal their session details through /mlss/ManageSubscription, parameter MSubListName. |
CVE-2024-10288 | 1 Ujangrohidin | 1 Localserver | 2024-10-24 | 6.1 Medium | Cross-Site Scripting (XSS) vulnerability affecting LocalServer 1.0.9 that could allow a remote user to send a specially crafted query to an authenticated user and steal their session details through /mlss/SubscribeToList, parameter ListName. |
CVE-2024-10287 | 1 Ujangrohidin | 1 Localserver | 2024-10-24 | 6.1 Medium | Cross-Site Scripting (XSS) vulnerability affecting LocalServer 1.0.9 that could allow a remote user to send a specially crafted query to an authenticated user and steal their session details through /mlss/ForgotPassword, parameter ListName. |
CVE-2024-41712 | 1 Mitel | 1 Micollab | 2024-10-23 | 6.6 Medium | A vulnerability in the Web Conferencing Component of Mitel MiCollab through 9.8.1.5 could allow an authenticated attacker to conduct a command injection attack, due to insufficient validation of user input. A successful exploit could allow an attacker to execute arbitrary commands on the system within the context of the user. |
CVE-2024-35315 | 1 Mitel | 2 Micollab, Mivoice Business | 2024-10-23 | 5.6 Medium | A vulnerability in the Desktop Client of Mitel MiCollab through 9.7.1.110, and MiVoice Business Solution Virtual Instance (MiVB SVI) 1.0.0.25, could allow an authenticated attacker to conduct a privilege escalation attack due to improper file validation. A successful exploit could allow an attacker to run arbitrary code with elevated privileges. |
CVE-2024-9899 | | | 2024-10-23 | N/A | ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2023-2143. Reason: This candidate is a reservation duplicate of CVE-2023-2143. Notes: All CVE users should reference CVE-2023-2143 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. |
CVE-2024-8901 | 1 Amazon | 1 Aws Alb Route Directive Adapter For Istio | 2024-10-23 | 7.5 High | The AWS ALB Route Directive Adapter For Istio repo https://github.com/awslabs/aws-alb-route-directive-adapter-for-istio/tree/master provides an OIDC authentication mechanism that was integrated into the open source Kubeflow project. The adapter uses JWT for authentication, but lacks proper signer and issuer validation. In deployments of ALB that ignore security best practices, where ALB targets are directly exposed to internet traffic, an actor can provide a JWT signed by an untrusted entity in order to spoof OIDC-federated sessions and successfully bypass authentication. The repository/package has been deprecated, is end-of-life, and is no longer supported. As a security best practice, ensure that your ELB targets (e.g. EC2 Instances, Fargate Tasks etc.) do not have public IP addresses. Ensure that any forked or derivative code validates that the signer attribute in the JWT matches the ARN of the Application Load Balancer that the service is configured to use. |