Total
263520 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-46869 | 2 Acronis, Microsoft | 2 Cyber Protect Home Office, Windows | 2024-09-19 | 7.8 High |
| Local privilege escalation during installation due to improper soft link handling. The following products are affected: Acronis Cyber Protect Home Office (Windows) before build 40278. | ||||
| CVE-2024-25023 | 1 Ibm | 2 Cloud Pak For Security, Qradar Suite | 2024-09-19 | 6.2 Medium |
| IBM Cloud Pak for Security 1.10.0.0 through 1.10.11.0 and IBM QRadar Suite Software 1.10.12.0 through 1.10.22.0 stores potentially sensitive information in log files that could be read by a local user. IBM X-Force ID: 281429. | ||||
| CVE-2024-43042 | 1 Pluck-cms | 1 Pluck | 2024-09-19 | 9.8 Critical |
| Pluck CMS 4.7.18 does not restrict failed login attempts, allowing attackers to execute a brute force attack. | ||||
| CVE-2024-39304 | 1 Churchcrm | 1 Churchcrm | 2024-09-19 | 8.8 High |
| ChurchCRM is an open-source church management system. Versions of the application prior to 5.9.2 are vulnerable to an authenticated SQL injection due to an improper sanitization of user input. Authentication is required, but no elevated privileges are necessary. This allows attackers to inject SQL statements directly into the database query due to inadequate sanitization of the EID parameter in in a GET request to `/GetText.php`. Version 5.9.2 patches the issue. | ||||
| CVE-2024-34344 | 1 Nuxt | 1 Nuxt | 2024-09-19 | 8.8 High |
| Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. Due to the insufficient validation of the `path` parameter in the NuxtTestComponentWrapper, an attacker can execute arbitrary JavaScript on the server side, which allows them to execute arbitrary commands. Users who open a malicious web page in the browser while running the test locally are affected by this vulnerability, which results in the remote code execution from the malicious web page. Since web pages can send requests to arbitrary addresses, a malicious web page can repeatedly try to exploit this vulnerability, which then triggers the exploit when the test server starts. | ||||
| CVE-2024-42352 | 1 Nuxt | 2 Icon, Nuxt | 2024-09-19 | 8.6 High |
| Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. `nuxt/icon` provides an API to allow client side icon lookup. This endpoint is at `/api/_nuxt_icon/[name]`. The proxied request path is improperly parsed, allowing an attacker to change the scheme and host of the request. This leads to SSRF, and could potentially lead to sensitive data exposure. The `new URL` constructor is used to parse the final path. This constructor can be passed a relative scheme or path in order to change the host the request is sent to. This constructor is also very tolerant of poorly formatted URLs. As a result we can pass a path prefixed with the string `http:`. This has the effect of changing the scheme to HTTP. We can then subsequently pass a new host, for example `http:127.0.0.1:8080`. This would allow us to send requests to a local server. This issue has been addressed in release version 1.4.5 and all users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2024-45457 | 1 Spiffyplugins | 1 Spiffy Calendar | 2024-09-19 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Spiffy Plugins Spiffy Calendar allows Stored XSS.This issue affects Spiffy Calendar: from n/a through 4.9.13. | ||||
| CVE-2023-39923 | 1 Radiustheme | 1 The Post Grid | 2024-09-19 | 5.4 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in RadiusTheme The Post Grid plugin <= 7.2.7 versions. | ||||
| CVE-2024-7553 | 2 Microsoft, Mongodb | 24 Windows 10 1507, Windows 10 1511, Windows 10 1607 and 21 more | 2024-09-19 | 7.3 High |
| Incorrect validation of files loaded from a local untrusted directory may allow local privilege escalation if the underlying operating systems is Windows. This may result in the application executing arbitrary behaviour determined by the contents of untrusted files. This issue affects MongoDB Server v5.0 versions prior to 5.0.27, MongoDB Server v6.0 versions prior to 6.0.16, MongoDB Server v7.0 versions prior to 7.0.12, MongoDB Server v7.3 versions prior 7.3.3, MongoDB C Driver versions prior to 1.26.2 and MongoDB PHP Driver versions prior to 1.18.1. Required Configuration: Only environments with Windows as the underlying operating system is affected by this issue | ||||
| CVE-2023-39165 | 1 Fetchdesigns | 1 Sign-up Sheets | 2024-09-19 | 5.4 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Fetch Designs Sign-up Sheets plugin <= 2.2.8 versions. | ||||
| CVE-2023-39917 | 1 Ays-pro | 1 Photo Gallery | 2024-09-19 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Photo Gallery Team Photo Gallery by Ays – Responsive Image Gallery plugin <= 5.2.6 versions. | ||||
| CVE-2024-37980 | 1 Microsoft | 1 Sql Server | 2024-09-19 | 8.8 High |
| Microsoft SQL Server Elevation of Privilege Vulnerability | ||||
| CVE-2024-38016 | 1 Microsoft | 4 365 Apps, Office, Office Long Term Servicing Channel and 1 more | 2024-09-19 | 7.8 High |
| Microsoft Office Visio Remote Code Execution Vulnerability | ||||
| CVE-2024-43460 | 1 Microsoft | 1 .dynamics 365 Business Central Online | 2024-09-19 | 8.1 High |
| Improper authorization in Dynamics 365 Business Central resulted in a vulnerability that allows an authenticated attacker to elevate privileges over a network. | ||||
| CVE-2024-38183 | 1 Microsoft | 1 Groupme | 2024-09-19 | 8.8 High |
| An improper access control vulnerability in GroupMe allows an a unauthenticated attacker to elevate privileges over a network by convincing a user to click on a malicious link. | ||||
| CVE-2024-38222 | 1 Microsoft | 2 Edge, Edge Chromium | 2024-09-19 | 6.5 Medium |
| Microsoft Edge (Chromium-based) Information Disclosure Vulnerability | ||||
| CVE-2024-38194 | 1 Microsoft | 1 Azure Web Apps | 2024-09-19 | 8.4 High |
| An authenticated attacker can exploit an improper authorization vulnerability in Azure Web Apps to elevate privileges over a network. | ||||
| CVE-2024-43495 | 1 Microsoft | 6 Windows 11 22h2, Windows 11 22h2, Windows 11 23h2 and 3 more | 2024-09-19 | 7.3 High |
| Windows libarchive Remote Code Execution Vulnerability | ||||
| CVE-2024-43491 | 1 Microsoft | 1 Windows 10 1507 | 2024-09-19 | 9.8 Critical |
| Microsoft is aware of a vulnerability in Servicing Stack that has rolled back the fixes for some vulnerabilities affecting Optional Components on Windows 10, version 1507 (initial version released July 2015). This means that an attacker could exploit these previously mitigated vulnerabilities on Windows 10, version 1507 (Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB) systems that have installed the Windows security update released on March 12, 2024—KB5035858 (OS Build 10240.20526) or other updates released until August 2024. All later versions of Windows 10 are not impacted by this vulnerability. This servicing stack vulnerability is addressed by installing the September 2024 Servicing stack update (SSU KB5043936) AND the September 2024 Windows security update (KB5043083), in that order. Note: Windows 10, version 1507 reached the end of support (EOS) on May 9, 2017 for devices running the Pro, Home, Enterprise, Education, and Enterprise IoT editions. Only Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise 2015 LTSB editions are still under support. | ||||
| CVE-2024-43487 | 1 Microsoft | 11 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 8 more | 2024-09-19 | 6.5 Medium |
| Windows Mark of the Web Security Feature Bypass Vulnerability | ||||