Total: 277662 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2024-9592 | | | 2024-10-15 | 6.1 Medium |
The Easy PayPal Gift Certificate plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.3. This is due to missing or incorrect nonce validation on the 'wpppgc_plugin_options' function. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious JavaScript via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
CVE-2024-9823 | 2 Eclipse, Redhat | 2 Jetty, Amq Streams | 2024-10-15 | 5.3 Medium |
There exists a security vulnerability in Jetty's DosFilter which can be exploited by unauthorized users to cause a remote denial-of-service (DoS) attack on the server using DosFilter. By repeatedly sending crafted requests, attackers can trigger OutOfMemory errors and eventually exhaust the server's memory. | ||||
CVE-2024-9860 | 1 Qode | 1 Bridge Core | 2024-10-15 | 6.5 Medium |
The Bridge Core plugin for WordPress is vulnerable to unauthorized modification of data or loss of data due to a missing capability check on the 'import_action' and 'install_plugin_per_demo' functions in versions up to, and including, 3.3. This makes it possible for authenticated attackers with subscriber-level permissions or above, to delete or change plugin settings, import demo data, and install limited plugins. | ||||
CVE-2024-48770 | 1 Starvedia | 1 Com.wisdomcity.zwave | 2024-10-15 | 8.2 High |
An issue in Plug n Play Camera com.wisdomcity.zwave 1.1.0 allows a remote attacker to obtain sensitive information via the firmware update process. | ||||
CVE-2024-42640 | 1 Angular-base64-upload-project | 1 Angular-base64-upload | 2024-10-15 | 9.8 Critical |
angular-base64-upload prior to v0.1.21 is vulnerable to unauthenticated remote code execution via demo/server.php. Exploiting this vulnerability allows an attacker to upload arbitrary content to the server, which can subsequently be accessed through demo/uploads. This leads to the execution of previously uploaded content and enables the attacker to achieve code execution on the server. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | ||||
CVE-2024-48798 | 1 Hubble Connected | 1 Hubble Connected | 2024-10-15 | 7.5 High |
An issue in Hubble Connected (com.hubbleconnected.vervelife) 2.00.81 allows a remote attacker to obtain sensitive information via the firmware update process. | ||||
CVE-2024-48796 | 1 Eques | 1 Eques | 2024-10-15 | 7.5 High |
An issue in EQUES com.eques.plug 1.0.1 allows a remote attacker to obtain sensitive information via the firmware update process. | ||||
CVE-2024-48168 | 1 D-link | 1 Dcs 960l | 2024-10-15 | 9.8 Critical |
A stack overflow vulnerability exists in the sub_402280 function of the HNAP service of D-Link DCS-960L 1.09, allowing an attacker to execute arbitrary code. | ||||
CVE-2024-48150 | 1 D-link | 1 Dir-820l | 2024-10-15 | 9.8 Critical |
D-Link DIR-820L 1.05B03 has a stack overflow vulnerability in the sub_451208 function. | ||||
CVE-2024-47944 | 1 Rittal Gmbh And Co.kg | 1 Iot Interface And Cmc Iii Processing Unit | 2024-10-15 | 6.8 Medium |
The device directly executes .patch firmware upgrade files on a USB stick without any prior authentication in the admin interface. This leads to an unauthenticated code execution via the firmware upgrade function. | ||||
CVE-2024-46535 | 1 Jepass | 1 Jepass | 2024-10-15 | 9.8 Critical |
Jepaas v7.2.8 was discovered to contain a SQL injection vulnerability via the orderSQL parameter at /homePortal/loadUserMsg. | ||||
CVE-2024-45754 | 1 Centreon | 1 Centreon | 2024-10-15 | 7.2 High |
An issue was discovered in the centreon-bi-server component in Centreon BI Server 24.04.x before 24.04.3, 23.10.x before 23.10.8, 23.04.x before 23.04.11, and 22.10.x before 22.10.11. SQL injection can occur in the listing of configured reporting jobs. Exploitation is only accessible to authenticated users with high-privileged access. | ||||
CVE-2024-9821 | 1 Guruteam | 1 Bot For Telegram On Woocommerce | 2024-10-15 | 8.8 High |
The Bot for Telegram on WooCommerce plugin for WordPress is vulnerable to sensitive information disclosure due to missing authorization checks on the 'stm_wpcfto_get_settings' AJAX action in all versions up to, and including, 1.2.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to view the Telegram Bot Token, a secret token used to control the bot, which can then be used to log in as any existing user on the site, such as an administrator, if they know the username, due to the Login with Telegram feature. | ||||
CVE-2024-45806 | 2 Envoyproxy, Redhat | 2 Envoy, Service Mesh | 2024-10-15 | 6.5 Medium |
Envoy is a cloud-native high-performance edge/middle/service proxy. A security vulnerability in Envoy allows external clients to manipulate Envoy headers, potentially leading to unauthorized access or other malicious actions within the mesh. This issue arises due to Envoy's default configuration of internal trust boundaries, which considers all RFC1918 private address ranges as internal. The default behavior for handling internal addresses in Envoy has been changed. Previously, RFC1918 IP addresses were automatically considered internal, even if the internal_address_config was empty. In this release the default configuration of Envoy will continue to trust internal addresses; it will not trust them by default in the next release. If you have tooling such as probes on your private network which need to be treated as trusted (e.g. changing arbitrary x-envoy headers), please explicitly include those addresses or CIDR ranges in `internal_address_config`. Successful exploitation could allow attackers to bypass security controls, access sensitive data, or disrupt services within the mesh, like Istio. This issue has been addressed in versions 1.31.2, 1.30.6, 1.29.9, and 1.28.7. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
CVE-2024-38040 | 1 Esri | 1 Portal For Arcgis | 2024-10-15 | 7.5 High |
There is a local file inclusion vulnerability in Esri Portal for ArcGIS 11.2, 11.1, 11.0 and 10.9.1 that may allow a remote, unauthenticated attacker to craft a URL that could potentially disclose sensitive configuration information by reading internal files. | ||||
CVE-2024-48792 | 1 Hideez | 1 Com.hideez Firmware | 2024-10-15 | 7.5 High |
An issue in Hideez com.hideez 2.7.8.3 allows a remote attacker to obtain sensitive information via the firmware update process. | ||||
CVE-2024-48824 | 1 Automatic Systems | 1 Maintenance Slimlane | 2024-10-15 | 7.5 High |
An issue in Automatic Systems Maintenance SlimLane 29565_d74ecce0c1081d50546db573a499941b10799fb7 allows a remote attacker to obtain sensitive information via the Racine & FileName parameters in the download-file.php component. | ||||
CVE-2024-48823 | 1 Automatic Systems | 1 Maintenance Slimlane | 2024-10-15 | 9.8 Critical |
Local file inclusion in Automatic Systems Maintenance SlimLane 29565_d74ecce0c1081d50546db573a499941b10799fb7 allows a remote attacker to escalate privileges via the PassageAutoServer.php page. | ||||
CVE-2024-48822 | 1 Automatic Systems | 1 Maintenance Slimlane | 2024-10-15 | 8.8 High |
Privilege escalation in Automatic Systems Maintenance SlimLane 29565_d74ecce0c1081d50546db573a499941b10799fb7 allows a remote attacker to escalate privileges via the FtpConfig.php page. | ||||
CVE-2024-48821 | 1 Automatic Systems | 1 Maintenance Slimlane | 2024-10-15 | 6.1 Medium |
Cross Site Scripting vulnerability in Automatic Systems Maintenance SlimLane 29565_d74ecce0c1081d50546db573a499941b10799fb7 allows a remote attacker to escalate privileges via the FtpConfig.php component. |