Total
277647 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-9284 | 1 Tp-link | 1 Tl-wr841nd \(11.0\) Firmware | 2024-09-30 | 6.5 Medium |
| A vulnerability was found in TP-LINK TL-WR841ND up to 20240920. It has been rated as critical. Affected by this issue is some unknown functionality of the file /userRpm/popupSiteSurveyRpm.htm. The manipulation of the argument ssid leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-47221 | 1 Rapidscada | 1 Rapid Scada | 2024-09-29 | 7.5 High |
| CheckUser in ScadaServerEngine/MainLogic.cs in Rapid SCADA through 5.8.4 allows an empty password. | ||||
| CVE-2022-39068 | 1 Zte | 2 Mf296r, Mf296r Firmware | 2024-09-29 | 4.5 Medium |
| There is a buffer overflow vulnerability in ZTE MF296R. Due to insufficient validation of the SMS parameter length, an authenticated attacker could use the vulnerability to perform a denial of service attack. | ||||
| CVE-2024-39910 | 1 Decidim | 1 Decidim | 2024-09-29 | 5.4 Medium |
| decidim is a Free Open-Source participatory democracy, citizen participation and open government for cities and organizations. The WYSWYG editor QuillJS is subject to potential XSS attach in case the attacker manages to modify the HTML before being uploaded to the server. The attacker is able to change e.g. to <svg onload=alert('XSS')> if they know how to craft these requests themselves. This issue has been addressed in release version 0.27.7. All users are advised to upgrade. Users unable to upgrade should review the user accounts that have access to the admin panel (i.e. general Administrators, and participatory space's Administrators) and remove access to them if they don't need it. Disable the "Enable rich text editor for participants" setting in the admin dashboard | ||||
| CVE-2024-43024 | 1 Rws | 1 Multitrans | 2024-09-29 | 6.1 Medium |
| Multiple stored cross-site scripting (XSS) vulnerabilities in RWS MultiTrans v7.0.23324.2 and earlier allow attackers to execute arbitrary web scripts or HTML via a crafted payload. | ||||
| CVE-2024-43188 | 1 Ibm | 1 Business Automation Workflow | 2024-09-29 | 4.9 Medium |
| IBM Business Automation Workflow 22.0.2, 23.0.1, 23.0.2, and 24.0.0 could allow a privileged user to perform unauthorized activities due to improper client side validation. | ||||
| CVE-2021-27915 | 2 Acquia, Mautic | 2 Mautic, Mautic | 2024-09-29 | 7.6 High |
| Prior to the patched version, there is an XSS vulnerability in the description fields within the Mautic application which could be exploited by a logged in user of Mautic with the appropriate permissions. This could lead to the user having elevated access to the system. | ||||
| CVE-2024-44162 | 1 Apple | 1 Xcode | 2024-09-29 | 7.8 High |
| This issue was addressed by enabling hardened runtime. This issue is fixed in Xcode 16. A malicious application may gain access to a user's Keychain items. | ||||
| CVE-2024-32034 | 1 Decidim | 1 Decidim | 2024-09-29 | 6.8 Medium |
| decidim is a Free Open-Source participatory democracy, citizen participation and open government for cities and organizations. The admin panel is subject to potential Cross-site scripting (XSS) attach in case an admin assigns a valuator to a proposal, or does any other action that generates an admin activity log where one of the resources has an XSS crafted. This issue has been addressed in release version 0.27.7, 0.28.2, and newer. Users are advised to upgrade. Users unable to upgrade may redirect the pages /admin and /admin/logs to other admin pages to prevent this access (i.e. `/admin/organization/edit`). | ||||
| CVE-2024-45300 | 1 Alf | 1 Alf | 2024-09-29 | 7.5 High |
| alf.io is an open source ticket reservation system for conferences, trade shows, workshops, and meetups. Prior to version 2.0-M5, a race condition allows the user to bypass the limit on the number of promo codes and use the discount coupon multiple times. In "alf.io", an event organizer can apply price discounts by using promo codes to your events. The organizer can limit the number of promo codes that will be used for this, but the time-gap between checking the number of codes and restricting the use of the codes allows a threat actor to bypass the promo code limit. Version 2.0-M5 fixes this issue. | ||||
| CVE-2024-7734 | 1 Phoenixcontact | 72 Fl Mguard 2102, Fl Mguard 2102 Firmware, Fl Mguard 2105 and 69 more | 2024-09-28 | 5.3 Medium |
| An unauthenticated remote attacker can exploit the behavior of the pathfinder TCP encapsulation service by establishing a high number of TCP connections to the pathfinder TCP encapsulation service. The impact is limited to blocking of valid IPsec VPN peers. | ||||
| CVE-2023-45038 | 1 Qnap | 1 Music Station | 2024-09-28 | 4.3 Medium |
| An improper authentication vulnerability has been reported to affect Music Station. If exploited, the vulnerability could allow users to compromise the security of the system via a network. We have already fixed the vulnerability in the following version: Music Station 5.4.0 and later | ||||
| CVE-2023-47563 | 1 Qnap | 1 Video Station | 2024-09-28 | 7.4 High |
| An OS command injection vulnerability has been reported to affect Video Station. If exploited, the vulnerability could allow authenticated users to execute commands via a network. We have already fixed the vulnerability in the following version: Video Station 5.8.2 and later | ||||
| CVE-2023-50360 | 1 Qnap | 1 Video Station | 2024-09-28 | 8.8 High |
| A SQL injection vulnerability has been reported to affect Video Station. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network. We have already fixed the vulnerability in the following version: Video Station 5.8.1 ( 2024/02/26 ) and later | ||||
| CVE-2024-42025 | 2 Ubiquiti, Ui | 2 Unifi Network Application, Unifi Network Application | 2024-09-28 | 7.8 High |
| A Command Injection vulnerability found in a Self-Hosted UniFi Network Servers (Linux) with UniFi Network Application (Version 8.3.32 and earlier) allows a malicious actor with unifi user shell access to escalate privileges to root on the host device. | ||||
| CVE-2024-44056 | 1 Cryoutcreations | 1 Mantra | 2024-09-28 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in CryoutCreations Mantra allows Stored XSS.This issue affects Mantra: from n/a through 3.3.2. | ||||
| CVE-2024-8054 | 2 Mm-breaking News Project, Mm Breaking News | 2 Mm-breaking News, Mm Breaking News | 2024-09-27 | 6.1 Medium |
| The MM-Breaking News WordPress plugin through 0.7.9 does not have CSRF check in some places, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack. | ||||
| CVE-2024-8056 | 1 Mm-breaking News Project | 1 Mm-breaking News | 2024-09-27 | 6.1 Medium |
| The MM-Breaking News WordPress plugin through 0.7.9 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers | ||||
| CVE-2024-6493 | 1 Ninjateam | 1 Header Footer Custom Code | 2024-09-27 | 4.8 Medium |
| The NinjaTeam Header Footer Custom Code WordPress plugin before 1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | ||||
| CVE-2024-6617 | 1 Ninjateam | 1 Header Footer Custom Code | 2024-09-27 | 4.8 Medium |
| The NinjaTeam Header Footer Custom Code WordPress plugin before 1.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | ||||