Total: 3704 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2024-37084 | 1 Vmware | 1 Spring Cloud Data Flow | 2024-08-26 | 9.8 Critical | In Spring Cloud Data Flow versions prior to 2.11.4, a malicious user who has access to the Skipper server API can use a crafted upload request to write an arbitrary file to any location on the file system, which could lead to compromising the server.
CVE-2024-7656 | 1 Le Van Toan | 1 Image Hotspot By Devvn | 2024-08-26 | 8.8 High | The Image Hotspot by DevVN plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.2.5 via deserialization of untrusted input in the 'devvn_ihotspot_shortcode_func' function. This makes it possible for authenticated attackers, with Author-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
CVE-2024-31380 | | | 2024-08-26 | 9.9 Critical | Improper Control of Generation of Code ('Code Injection') vulnerability in Soflyy Oxygen Builder allows Code Injection. The vendor is ignoring the report and refuses to patch the issue. This issue affects Oxygen Builder: from n/a through 4.9.
CVE-2024-40453 | 1 Squirrelly | 1 Squirrelly | 2024-08-23 | 9.8 Critical | squirrellyjs squirrelly v9.0.0 (fixed in v9.0.1) was discovered to contain a code injection vulnerability via the component options.varName.
CVE-2024-41304 | | | 2024-08-23 | 5.4 Medium | An arbitrary file upload vulnerability in the uploadFileAction() function of WonderCMS v3.4.3 allows attackers to execute arbitrary code via a crafted SVG file.
CVE-2024-7559 | 1 Filemanagerpro | 1 File Manager Pro | 2024-08-23 | 8.8 High | The File Manager Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation and capability checks in the mk_file_folder_manager AJAX action in all versions up to, and including, 8.3.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible.
CVE-2024-45201 | | | 2024-08-23 | 8.8 High | An issue was discovered in llama_index before 0.10.38. download/integration.py includes an exec call for import {cls_name}.
CVE-2024-41623 | 2 D3dsecurity, Ezviz | 3 D8801, D8801 Firmware, Internet Pt Camera | 2024-08-23 | 9.8 Critical | An issue in D3D Security D3D IP Camera (D8801) v.V9.1.17.1.4-20180428 allows a local attacker to execute arbitrary code via a crafted payload.
CVE-2024-40487 | 1 Kashipara | 1 Live Membership System | 2024-08-23 | 7.6 High | A Stored Cross Site Scripting (XSS) vulnerability was found in "/view_type.php" of Kashipara Live Membership System v1.0, which allows remote attackers to execute arbitrary code via the membershipType parameter.
CVE-2023-50810 | 1 Sonos | 1 Sonos Firmware | 2024-08-23 | 6 Medium | In certain Sonos products before Sonos S1 Release 11.12 and S2 Release 15.9, a vulnerability exists in the U-Boot component of the firmware that allows persistent arbitrary code execution with Linux kernel privileges. A failure to correctly handle the return value of the setenv command can be used to override the kernel command-line parameters and ultimately bypass the Secure Boot implementation. This affects PLAY5 gen 2, PLAYBASE, PLAY:1, One, One SL, and Amp.
CVE-2024-31032 | | | 2024-08-22 | 9.8 Critical | An issue in Huashi Private Cloud CDN Live Streaming Acceleration Server hgateway-sixport v.1.1.2 allows a remote attacker to execute arbitrary code via the manager/ipping.php component.
CVE-2024-42598 | 1 Seacms | 1 Seacms | 2024-08-22 | 6.7 Medium | SeaCMS 13.0 has a remote code execution vulnerability. Although admin_editplayer.php imposes restrictions on edited files, attackers can still bypass these restrictions and write code, allowing authenticated attackers to exploit the vulnerability to execute arbitrary commands and gain system privileges.
CVE-2024-37287 | 1 Elastic | 1 Kibana | 2024-08-22 | 9.1 Critical | A flaw allowing arbitrary code execution was discovered in Kibana. An attacker with access to ML and Alerting connector features, as well as write access to internal ML indices, can trigger a prototype pollution vulnerability, ultimately leading to arbitrary code execution.
CVE-2024-39331 | 1 Redhat | 5 Enterprise Linux, Rhel Aus, Rhel E4s and 2 more | 2024-08-22 | 9.8 Critical | In Emacs before 29.4, org-link-expand-abbrev in lisp/ol.el expands a %(...) link abbrev even when it specifies an unsafe function, such as shell-command-to-string. This affects Org Mode before 9.7.5.
CVE-2024-28119 | | | 2024-08-21 | 8.8 High | Grav is an open-source, flat-file content management system. Prior to version 1.7.45, due to unrestricted access to the Twig extension class from the Grav context, an attacker can redefine the escape function and execute arbitrary commands. Twig processing of static pages can be enabled in the front matter by any administrative user allowed to create or edit pages. As the Twig processor runs unsandboxed, this behavior can be used to gain arbitrary code execution and elevate privileges on the instance. Version 1.7.45 contains a patch for this issue.
CVE-2024-30568 | | | 2024-08-21 | 9.8 Critical | Netgear R6850 1.1.0.88 was discovered to contain a command injection vulnerability via the c4-IPAddr parameter.
CVE-2024-30845 | | | 2024-08-21 | 6.1 Medium | Cross Site Scripting vulnerability in Rainbow external link network disk v.5.5 allows a remote attacker to execute arbitrary code via the validation component of the input parameters.
CVE-2024-37109 | 1 Wishlistmember | 1 Wishlist Member | 2024-08-21 | 9.9 Critical | Improper Control of Generation of Code ('Code Injection') vulnerability in Membership Software WishList Member X allows Code Injection. This issue affects WishList Member X: from n/a before 3.26.7.
CVE-2024-7899 | 2 Innocms, Innovative Cms | 2 Innocms, Innovative Cms | 2024-08-20 | 4.7 Medium | A vulnerability, which was classified as critical, has been found in InnoCMS 0.3.1. This issue affects some unknown processing of the file /panel/pages/1/edit of the component Backend. The manipulation leads to code injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-38458 | 1 Xenforo | 1 Xenforo | 2024-08-20 | 8.8 High | Xenforo before 2.2.16 allows code injection.