Total
277658 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-9047 | 1 Iptanus | 1 Wordpress File Upload | 2024-10-15 | 9.8 Critical |
| The WordPress File Upload plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 4.24.11 via wfu_file_downloader.php. This makes it possible for unauthenticated attackers to read or delete files outside of the originally intended directory. Successful exploitation requires the targeted WordPress installation to be using PHP 7.4 or earlier. | ||||
| CVE-2024-8760 | 2024-10-15 | 5.3 Medium | ||
| The Stackable – Page Builder Gutenberg Blocks plugin for WordPress is vulnerable to CSS Injection in all versions up to, and including, 3.13.6. This makes it possible for unauthenticated attackers to embed untrusted style information into comments resulting in a possibility of data exfiltration such as admin nonces with limited impact. These nonces could be used to perform CSRF attacks within a limited time window. The presence of other plugins may make additional nonces available, which may pose a risk in plugins that don't perform capability checks to protect AJAX actions or other actions reachable by lower-privileged users. | ||||
| CVE-2024-46307 | 2 Nanjing Xingyuantu Technology, Sparkshop | 2 Sparkshop, Sparkshop | 2024-10-15 | 7.5 High |
| A loop hole in the payment logic of Sparkshop v1.16 allows attackers to arbitrarily modify the number of products. | ||||
| CVE-2024-8048 | 2 Progress, Progress Software | 2 Telerik Reporting, Telerik Reporting | 2024-10-15 | 7.8 High |
| In Progress Telerik Reporting versions prior to 2024 Q3 (18.2.24.924), a code execution attack is possible using object injection via insecure expression evaluation. | ||||
| CVE-2024-7099 | 1 Netease | 1 Qanything | 2024-10-15 | N/A |
| netease-youdao/qanything version 1.4.1 contains a vulnerability where unsafe data obtained from user input is concatenated in SQL queries, leading to SQL injection. The affected functions include `get_knowledge_base_name`, `from_status_to_status`, `delete_files`, and `get_file_by_status`. An attacker can exploit this vulnerability to execute arbitrary SQL queries, potentially stealing information from the database. The issue is fixed in version 1.4.2. | ||||
| CVE-2024-8015 | 2 Progress, Progress Software | 2 Telerik Report Server, Telerik Reporting | 2024-10-15 | 9.1 Critical |
| In Progress Telerik Report Server versions prior to 2024 Q3 (10.2.24.924), a remote code execution attack is possible through object injection via an insecure type resolution vulnerability. | ||||
| CVE-2024-8014 | 2 Progress, Progress Software | 2 Telerik Reporting, Telerik Reporting | 2024-10-15 | 8.8 High |
| In Progress Telerik Reporting versions prior to 2024 Q3 (18.2.24.924), a code execution attack is possible through object injection via an insecure type resolution vulnerability. | ||||
| CVE-2024-7840 | 1 Progress | 1 Telerik Reporting | 2024-10-15 | 7.8 High |
| In Progress Telerik Reporting versions prior to 2024 Q3 (18.2.24.924), a command injection attack is possible through improper neutralization of hyperlink elements. | ||||
| CVE-2024-7294 | 1 Progress | 2 Telerik Report Server, Telerik Reporting | 2024-10-15 | 7.5 High |
| In Progress® Telerik® Report Server versions prior to 2024 Q3 (10.2.24.806), an HTTP DoS attack is possible on anonymous endpoints without rate limiting. | ||||
| CVE-2024-47885 | 1 Withastro | 1 Astro | 2024-10-15 | 5.9 Medium |
| The Astro web framework has a DOM Clobbering gadget in the client-side router starting in version 3.0.0 and prior to version 4.16.1. It can lead to cross-site scripting (XSS) in websites enables Astro's client-side routing and has *stored* attacker-controlled scriptless HTML elements (i.e., `iframe` tags with unsanitized `name` attributes) on the destination pages. This vulnerability can result in cross-site scripting (XSS) attacks on websites that built with Astro that enable the client-side routing with `ViewTransitions` and store the user-inserted scriptless HTML tags without properly sanitizing the `name` attributes on the page. Version 4.16.1 contains a patch for this issue. | ||||
| CVE-2024-7293 | 1 Progress | 2 Telerik Report Server, Telerik Reporting | 2024-10-15 | 7.5 High |
| In Progress® Telerik® Report Server versions prior to 2024 Q3 (10.2.24.806), a password brute forcing attack is possible through weak password requirements. | ||||
| CVE-2024-8531 | 1 Schneider-electric | 1 Data Center Expert | 2024-10-15 | 7.2 High |
| CWE-347: Improper Verification of Cryptographic Signature vulnerability exists that could compromise the Data Center Expert software when an upgrade bundle is manipulated to include arbitrary bash scripts that are executed as root. | ||||
| CVE-2024-8757 | 1 Afthemes | 1 Wp Post Author | 2024-10-15 | 7.2 High |
| The WP Post Author – Boost Your Blog's Engagement with Author Box, Social Links, Co-Authors, Guest Authors, Post Rating System, and Custom User Registration Form Builder plugin for WordPress is vulnerable to time-based SQL Injection via the linked_user_id parameter in all versions up to, and including, 3.8.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2024-9156 | 1 Templateinvaders | 1 Ti Woocommerce Wishlist | 2024-10-15 | 5.9 Medium |
| The TI WooCommerce Wishlist WordPress plugin through 2.8.2 is vulnerable to SQL Injection due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2024-9903 | 1 Zero Takeoff | 3 07fly-cms, 07flycms, 07flycrm | 2024-10-15 | 4.7 Medium |
| A vulnerability classified as critical has been found in 07FLYCMS, 07FLY-CMS and 07FlyCRM up to 1.2.0. This affects the function fileUpload of the file /admin/File/fileUpload. The manipulation of the argument file leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The affected product is known with different names like 07FLYCMS, 07FLY-CMS, and 07FlyCRM. It was not possible to reach out to the vendor before assigning a CVE due to a not working mail address. | ||||
| CVE-2024-9074 | 1 Essamamdani | 1 Advanced Blocks Pro | 2024-10-15 | 6.4 Medium |
| The Advanced Blocks Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | ||||
| CVE-2024-9924 | 1 Hgiga | 1 Oaklouds | 2024-10-15 | 9.8 Critical |
| The fix for CVE-2024-26261 was incomplete, and and the specific package for OAKlouds from Hgiga remains at risk. Unauthenticated remote attackers still can download arbitrary system files, which may be deleted subsequently . | ||||
| CVE-2024-8198 | 1 Google | 1 Chrome | 2024-10-15 | 7.5 High |
| Heap buffer overflow in Skia in Google Chrome prior to 128.0.6613.113 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | ||||
| CVE-2024-7534 | 1 Google | 1 Chrome | 2024-10-15 | 8.8 High |
| Heap buffer overflow in Layout in Google Chrome prior to 127.0.6533.99 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | ||||
| CVE-2024-46045 | 1 Tenda | 2 Ch22, Ch22 Firmware | 2024-10-15 | 5.7 Medium |
| Tenda CH22 V1.0.0.6(468) has a stack overflow vulnerability located in the frmL7PlotForm function. | ||||