Search Results (37095 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-37542 1 Wpdevart 1 Gallery 2024-11-21 5.4 Medium
Missing Authorization vulnerability in WpDevArt Responsive Image Gallery, Gallery Album.This issue affects Responsive Image Gallery, Gallery Album: from n/a through 2.0.3.
CVE-2024-37494 1 Kainelabs 1 Youzify 2024-11-21 8.5 High
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in KaineLabs Youzify.This issue affects Youzify: from n/a through 1.2.5.
CVE-2024-37486 1 Strangerstudios 1 Paid Memberships Pro 2024-11-21 7.6 High
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Paid Memberships Pro.This issue affects Paid Memberships Pro: from n/a through 3.0.5.
CVE-2024-37393 1 Securenvoy 2 Mfa, Multi-factor Authentication Solutions 2024-11-21 9.8 Critical
Multiple LDAP injections vulnerabilities exist in SecurEnvoy MFA before 9.4.514 due to improper validation of user-supplied input. An unauthenticated remote attacker could exfiltrate data from Active Directory through blind LDAP injection attacks against the DESKTOP service exposed on the /secserver HTTP endpoint. This may include ms-Mcs-AdmPwd, which has a cleartext password for the Local Administrator Password Solution (LAPS) feature.
CVE-2024-37317 1 Nextcloud 1 Notes 2024-11-21 4.6 Medium
The Nextcloud Notes app is a distraction free notes taking app for Nextcloud. If an attacker managed to share a folder called `Notes/` with a newly created user before they logged in, the Notes app would use that folder store the personal notes. It is recommended that the Nextcloud Notes app is upgraded to 4.9.3.
CVE-2024-37314 1 Nextcloud 1 Nextcloud Server 2024-11-21 3.5 Low
Nextcloud Photos is a photo management app. Users can remove photos from the album of registered users. It is recommended that the Nextcloud Server is upgraded to 25.0.7 or 26.0.2 and the Nextcloud Enterprise Server is upgraded to 25.0.7 or 26.0.2.
CVE-2024-37297 1 Woocommerce 1 Woocommerce 2024-11-21 5.4 Medium
WooCommerce is an open-source e-commerce platform built on WordPress. A vulnerability introduced in WooCommerce 8.8 allows for cross-site scripting. A bad actor can manipulate a link to include malicious HTML & JavaScript content. While the content is not saved to the database, the links may be sent to victims for malicious purposes. The injected JavaScript could hijack content & data stored in the browser, including the session. The URL content is read through the `Sourcebuster.js` library and then inserted without proper sanitization to the classic checkout and registration forms. Versions 8.8.5 and 8.9.3 contain a patch for the issue. As a workaround, one may disable the Order Attribution feature.
CVE-2024-37256 1 Themeum 1 Tutor Lms 2024-11-21 7.6 High
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themeum Tutor LMS.This issue affects Tutor LMS: from n/a through 2.7.1.
CVE-2024-37225 1 Zoho 1 Marketing Automation 2024-11-21 8.5 High
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Zoho Marketing Automation.This issue affects Zoho Marketing Automation: from n/a through 1.2.7.
CVE-2024-37176 1 Sap 1 Bw\/4hana 2024-11-21 5.5 Medium
SAP BW/4HANA Transformation and Data Transfer Process (DTP) allows an authenticated attacker to gain higher access levels than they should have by exploiting improper authorization checks. This results in escalation of privileges. It has no impact on the confidentiality of data but may have low impacts on the integrity and availability of the application.
CVE-2024-37175 1 Sap 2 Customer Relationship Management S4fnd, Customer Relationship Management Webclient Ui 2024-11-21 4.3 Medium
SAP CRM WebClient does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges. This could allow an attacker to access some sensitive information.
CVE-2024-37172 1 Sap 2 S4core, S\/4hana 2024-11-21 5.4 Medium
SAP S/4HANA Finance (Advanced Payment Management) does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges. As a result, it has a low impact to confidentiality and availability but there is no impact on the integrity.
CVE-2024-37156 1 Sulu 1 Suluformbundle 2024-11-21 6.1 Medium
The SuluFormBundle adds support for creating dynamic forms in Sulu Admin. The TokenController get parameter formName is not sanitized in the returned input field which leads to XSS. This vulnerability is fixed in 2.5.3.
CVE-2024-37154 1 Evmos 1 Evmos 2024-11-21 5.3 Medium
Evmos is the Ethereum Virtual Machine (EVM) Hub on the Cosmos Network. Users are able to delegate tokens that have not yet been vested. This affects employees and grantees who have funds managed via `ClawbackVestingAccount`. This affects 18.1.0 and earlier.
CVE-2024-37112 1 Wishlist Member 1 Wishlist Member 2024-11-21 10 Critical
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Membership Software WishList Member X.This issue affects WishList Member X: from n/a before 3.26.7.
CVE-2024-37111 1 Wishlistmember 1 Wishlist Member X 2024-11-21 7.5 High
Missing Authorization vulnerability in Membership Software WishList Member X.This issue affects WishList Member X: from n/a before 3.26.7.
CVE-2024-37090 1 Stylemixthemes 2 Consulting Elementor Widgets, Masterstudy Elementor Widgets 2024-11-21 8.5 High
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in StylemixThemes Masterstudy Elementor Widgets, StylemixThemes Consulting Elementor Widgets.This issue affects Masterstudy Elementor Widgets: from n/a through 1.2.2; Consulting Elementor Widgets: from n/a through 1.3.0.
CVE-2024-36837 1 Crmeb 1 Crmeb 2024-11-21 5.4 Medium
SQL Injection vulnerability in CRMEB v.5.2.2 allows a remote attacker to obtain sensitive information via the getProductList function in the ProductController.php file.
CVE-2024-36684 1 Prestashop 1 Pk Customlinks 2024-11-21 9.8 Critical
In the module "Custom links" (pk_customlinks) <= 2.3 from Promokit.eu for PrestaShop, a guest can perform SQL injection. The script ajax.php have a sensitive SQL call that can be executed with a trivial http call and exploited to forge a SQL injection.
CVE-2024-36678 1 Promokit 1 Pk Themesettings 2024-11-21 9.8 Critical
In the module "Theme settings" (pk_themesettings) <= 1.8.8 from Promokit.eu for PrestaShop, a guest can perform SQL injection. The script ajax.php have a sensitive SQL call that can be executed with a trivial http call and exploited to forge a SQL injection.