Search Results (37090 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-25092 1 Xlplugins 1 Nextmove 2024-11-21 8.8 High
Missing Authorization vulnerability in XLPlugins NextMove Lite.This issue affects NextMove Lite: from n/a through 2.17.0.
CVE-2024-24925 1 Siemens 1 Simcenter Femap 2024-11-21 7.8 High
A vulnerability has been identified in Simcenter Femap (All versions < V2306.0000). The affected application is vulnerable to uninitialized pointer access while parsing specially crafted Catia MODEL files. An attacker could leverage this vulnerability to execute code in the context of the current process. (ZDI-CAN-22060)
CVE-2024-24822 1 Pimcore 1 Admin Classic Bundle 2024-11-21 6.5 Medium
Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. Prior to version 1.3.3, an attacker can create, delete etc. tags without having the permission to do so. A fix is available in version 1.3.3. As a workaround, one may apply the patch manually.
CVE-2024-24812 1 Frappe 1 Frappe 2024-11-21 5.4 Medium
Frappe is a full-stack web application framework that uses Python and MariaDB on the server side and a tightly integrated client side library. Prior to versions 14.59.0 and 15.5.0, portal pages are susceptible to Cross-Site Scripting (XSS) which can be used to inject malicious JS code if user clicks on a malicious link. This vulnerability has been patched in versions 14.59.0 and 15.5.0. No known workarounds are available.
CVE-2024-24807 1 Sulu 1 Sulu 2024-11-21 2.7 Low
Sulu is a highly extensible open-source PHP content management system based on the Symfony framework. There is an issue when inputting HTML into the Tag name. The HTML is executed when the tag name is listed in the auto complete form. Only admin users can create tags so they are the only ones affected. The problem is patched with version(s) 2.4.16 and 2.5.12.
CVE-2024-24774 1 Mattermost 1 Mattermost Server 2024-11-21 3.4 Low
Mattermost Jira Plugin handling subscriptions fails to check the security level of an incoming issue or limit it based on the user who created the subscription resulting in registered users on Jira being able to create webhooks that give them access to all Jira issues.
CVE-2024-24751 1 Derhansen 1 Event Management And Registration 2024-11-21 4.3 Medium
sf_event_mgt is an event management and registration extension for the TYPO3 CMS based on ExtBase and Fluid. In affected versions the existing access control check for events in the backend module got broken during the update of the extension to TYPO3 12.4, because the `RedirectResponse` from the `$this->redirect()` function was never handled. This issue has been addressed in version 7.4.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2024-24741 1 Sap 1 Master Data Governance For Material Data 2024-11-21 4.3 Medium
SAP Master Data Governance for Material Data - versions 618, 619, 620, 621, 622, 800, 801, 802, 803, 804, does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges. This could allow an attacker to read some sensitive information but no impact to integrity and availability.
CVE-2024-24716 1 Getawesomesupport 1 Awesome Support 2024-11-21 5.4 Medium
Missing Authorization vulnerability in Awesome Support Team Awesome Support.This issue affects Awesome Support: from n/a through 6.1.6.
CVE-2024-24704 1 Addonmaster 1 Load More Anything 2024-11-21 5.4 Medium
Missing Authorization vulnerability in AddonMaster Load More Anything.This issue affects Load More Anything: from n/a through 3.3.3.
CVE-2024-24572 1 Facilemanager 1 Facilemanager 2024-11-21 6.5 Medium
facileManager is a modular suite of web apps built with the sysadmin in mind. In versions 4.5.0 and earlier, the $_REQUEST global array was unsafely called inside an extract() function in admin-logs.php. The PHP file fm-init.php prevents arbitrary manipulation of $_SESSION via the GET/POST parameters. However, it does not prevent manipulation of any other sensitive variables such as $search_sql. Knowing this, an authenticated user with privileges to view site logs can manipulate the search_sql variable by appending a GET parameter search_sql in the URL. The information above means that the checks and SQL injection prevention attempts were rendered unusable.
CVE-2024-24308 1 Boostmyshop 1 Boostmyshop 2024-11-21 9.8 Critical
SQL Injection vulnerability in Boostmyshop (boostmyshopagent) module for Prestashop versions 1.1.9 and before, allows remote attackers to escalate privileges and obtain sensitive information via changeOrderCarrier.php, relayPoint.php, and shippingConfirmation.php.
CVE-2024-24303 1 Hipresta 1 Gift Wrapping Pro 2024-11-21 9.8 Critical
SQL Injection vulnerability in HiPresta "Gift Wrapping Pro" (hiadvancedgiftwrapping) module for PrestaShop before version 1.4.1, allows remote attackers to escalate privileges and obtain sensitive information via the HiAdvancedGiftWrappingGiftWrappingModuleFrontController::addGiftWrappingCartValue() method.
CVE-2024-24213 2 Postgresql, Supabase 2 Postgresql, Postgres 2024-11-21 9.8 Critical
Supabase PostgreSQL v15.1 was discovered to contain a SQL injection vulnerability via the component /pg_meta/default/query. NOTE: the vendor's position is that this is an intended feature; also, it exists in the Supabase dashboard product, not the Supabase PostgreSQL product. Specifically, /pg_meta/default/query is for SQL queries that are entered in an intended UI by an authorized user. Nothing is injected.
CVE-2024-24141 1 Remyandrade 1 School Task Manager 2024-11-21 9.8 Critical
Sourcecodester School Task Manager App 1.0 allows SQL Injection via the 'task' parameter.
CVE-2024-24139 1 Remyandrade 1 Login System With Email Verification 2024-11-21 7.2 High
Sourcecodester Login System with Email Verification 1.0 allows SQL Injection via the 'user' parameter.
CVE-2024-24133 1 Atmail 1 Atmail 2024-11-21 9.8 Critical
Atmail v6.6.0 was discovered to contain a SQL injection vulnerability via the username parameter on the login page.
CVE-2024-24023 1 Xxyopen 1 Novel-plus 2024-11-21 9.8 Critical
A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior. An attacker can pass specially crafted offset, limit, and sort parameters to perform SQL injection via /novel/bookContent/list.
CVE-2024-24017 1 Xxyopen 1 Novel-plus 2024-11-21 9.8 Critical
A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass crafted offset, limit, and sort parameters to perform SQL injection via /common/dict/list
CVE-2024-24004 1 Jishenghua 1 Jsherp 2024-11-21 9.8 Critical
jshERP v3.3 is vulnerable to SQL Injection. The com.jsh.erp.controller.DepotHeadController: com.jsh.erp.utils.BaseResponseInfo findInOutDetail() function of jshERP does not filter `column` and `order` parameters well enough, and an attacker can construct malicious payload to bypass jshERP's protection mechanism in `safeSqlParse` method for sql injection.