Total
3704 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-26322 | 2 Mi, Xiaomi | 2 Getapps, Getapps Application | 2024-09-12 | 8.8 High |
| A code execution vulnerability exists in the XiaomiGetApps application product. This vulnerability is caused by the verification logic being bypassed, and an attacker can exploit this vulnerability to execute malicious code. | ||||
| CVE-2023-41898 | 1 Home-assistant | 1 Home Assistant Companion | 2024-09-12 | 8.6 High |
| Home assistant is an open source home automation. The Home Assistant Companion for Android app up to version 2023.8.2 is vulnerable to arbitrary URL loading in a WebView. This enables all sorts of attacks, including arbitrary JavaScript execution, limited native code execution, and credential theft. This issue has been patched in version 2023.9.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability. This issue is also tracked as GitHub Security Lab (GHSL) Vulnerability Report: `GHSL-2023-142`. | ||||
| CVE-2023-31315 | 1 Redhat | 3 Rhel Aus, Rhel E4s, Rhel Els | 2024-09-12 | 7.5 High |
| Improper validation in a model specific register (MSR) could allow a malicious program with ring0 access to modify SMM configuration while SMI lock is enabled, potentially leading to arbitrary code execution. | ||||
| CVE-2023-46010 | 1 Seacms | 1 Seacms | 2024-09-11 | 9.8 Critical |
| An issue in SeaCMS v.12.9 allows an attacker to execute arbitrary commands via the admin_safe.php component. | ||||
| CVE-2024-7627 | 1 Bitapps | 1 File Manager | 2024-09-11 | 8.1 High |
| The Bit File Manager plugin for WordPress is vulnerable to Remote Code Execution in versions 6.0 to 6.5.5 via the 'checkSyntax' function. This is due to writing a temporary file to a publicly accessible directory before performing file validation. This makes it possible for unauthenticated attackers to execute code on the server if an administrator has allowed Guest User read permissions. | ||||
| CVE-2024-41127 | 1 Monkeytype | 1 Monkeytype | 2024-09-11 | 8.4 High |
| Monkeytype is a minimalistic and customizable typing test. Monkeytype is vulnerable to Poisoned Pipeline Execution through Code Injection in its ci-failure-comment.yml GitHub Workflow, enabling attackers to gain pull-requests write access. The ci-failure-comment.yml workflow is triggered when the Monkey CI workflow completes. When it runs, it will download an artifact uploaded by the triggering workflow and assign the contents of ./pr_num/pr_num.txt artifact to the steps.pr_num_reader.outputs.content WorkFlow variable. It is not validated that the variable is actually a number and later it is interpolated into a JS script allowing an attacker to change the code to be executed. This issue leads to pull-requests write access. This vulnerability is fixed in 24.30.0. | ||||
| CVE-2024-6940 | 1 Dedecms | 1 Dedecms | 2024-09-10 | 4.7 Medium |
| A vulnerability was found in DedeCMS 5.7.114. It has been classified as critical. This affects an unknown part of the file article_template_rand.php. The manipulation leads to code injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-271995. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-44410 | 2 D-link, Dlink | 3 Di-8300, Di-8300, Di-8300 Firmware | 2024-09-10 | 9.8 Critical |
| D-Link DI-8300 v16.07.26A1 is vulnerable to command injection via the upgrade_filter_asp function. | ||||
| CVE-2024-6596 | 1 Endress\+hauser | 7 Echo Curve Viewer Firmware, Field Xpert Smt50 Firmware, Field Xpert Smt70 Firmware and 4 more | 2024-09-10 | 9.8 Critical |
| An unauthenticated remote attacker can run malicious c# code included in curve files and execute commands in the users context. | ||||
| CVE-2023-5044 | 1 Kubernetes | 1 Ingress-nginx | 2024-09-10 | 7.6 High |
| Code injection via nginx.ingress.kubernetes.io/permanent-redirect annotation. | ||||
| CVE-2024-44411 | 1 D-link | 1 Di-8300 | 2024-09-10 | 9.8 Critical |
| D-Link DI-8300 v16.07.26A1 is vulnerable to command injection via the msp_info_htm function. | ||||
| CVE-2024-29014 | 1 Sonicwall | 1 Netextender | 2024-09-10 | 8.8 High |
| Vulnerability in SonicWall SMA100 NetExtender Windows (32 and 64-bit) client 10.2.339 and earlier versions allows an attacker to arbitrary code execution when processing an EPC Client update. | ||||
| CVE-2024-29178 | 1 Apache | 1 Streampark | 2024-09-10 | 8.8 High |
| On versions before 2.1.4, a user could log in and perform a template injection attack resulting in Remote Code Execution on the server, The attacker must successfully log into the system to launch an attack, so this is a moderate-impact vulnerability. Mitigation: all users should upgrade to 2.1.4 | ||||
| CVE-2024-8258 | 1 Logitech | 1 Options Plus | 2024-09-10 | N/A |
| Improper Control of Generation of Code ('Code Injection') in Electron Fuses in Logitech Options Plus version 1.60.496306 on macOS allows attackers to execute arbitrary code via insecure Electron Fuses configuration. | ||||
| CVE-2024-8478 | 1 Ifeelweb | 1 Affiliate Super Assistent | 2024-09-10 | 7.3 High |
| The The Affiliate Super Assistent plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.5.3. This is due to the software allowing users to supply arbitrary shortcodes in comments when the 'Parse comments' option is enabled. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. | ||||
| CVE-2024-8268 | 1 Buffercode | 1 Frontend Dashboard | 2024-09-10 | 8.8 High |
| The Frontend Dashboard plugin for WordPress is vulnerable to unauthorized code execution due to insufficient filtering on callable methods/functions via the ajax_request() function in all versions up to, and including, 2.2.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to call arbitrary functions that can be leverage for privilege escalation by changing user's passwords. | ||||
| CVE-2024-44724 | 1 Autocms | 1 Autocms | 2024-09-10 | 7.2 High |
| AutoCMS v5.4 was discovered to contain a PHP code injection vulnerability via the txtsite_url parameter at /admin/site_add.php. This vulnerability allows attackers to execute arbitrary PHP code via injecting a crafted value. | ||||
| CVE-2024-6655 | 1 Redhat | 1 Enterprise Linux | 2024-09-10 | 7 High |
| A flaw was found in the GTK library. Under certain conditions, it is possible for a library to be injected into a GTK application from the current working directory. | ||||
| CVE-2023-49001 | 1 Indibrowser | 1 Indi Browser | 2024-09-09 | 9.8 Critical |
| An issue in Indi Browser (aka kvbrowser) v.12.11.23 allows an attacker to bypass intended access restrictions via interaction with the com.example.gurry.kvbrowswer.webview component. | ||||
| CVE-2020-36767 | 2 Linux, Vareille | 2 Linux Kernel, Tinyfiledialogs | 2024-09-09 | 7.5 High |
| tinyfiledialogs (aka tiny file dialogs) before 3.8.0 allows shell metacharacters in titles, messages, and other input data. | ||||