Total: 264129 CVE

CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2024-5416 | 1 Elementor | 1 Website Builder | 2024-09-26 | 5.4 Medium | The Elementor Website Builder – More than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the url parameter of multiple widgets in all versions up to, and including, 3.23.4 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in Elementor Editor pages. This was partially patched in version 3.23.2.
CVE-2023-52949 | 1 Synology | 1 Active Backup For Business | 2024-09-26 | 5.5 Medium | Missing authentication for critical function vulnerability in the proxy settings functionality of Synology Active Backup for Business Agent before 2.7.0-3221 allows local users to obtain user credentials via unspecified vectors.
CVE-2024-36265 | 1 Apache | 1 Submarine | 2024-09-26 | 9.8 Critical | ** UNSUPPORTED WHEN ASSIGNED ** Incorrect Authorization vulnerability in Apache Submarine Server Core. This issue affects Apache Submarine Server Core: from 0.8.0. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
CVE-2024-44678 | 1 Gigastone | 1 Travel Router R101 Firmware | 2024-09-26 | 8 High | Gigastone TR1 Travel Router R101 v1.0.2 is vulnerable to Command Injection. This allows an authenticated attacker to execute arbitrary commands on the device by sending a crafted HTTP request to the ssid parameter in the request.
CVE-2024-41708 | 1 Adacore | 1 Ada Web Services | 2024-09-26 | 7.5 High | An issue was discovered in AdaCore ada_web_services 20.0 that allows an attacker to escalate privileges and steal sessions via the Random_String() function in the src/core/aws-utils.adb module.
CVE-2024-22893 | 1 Openslides | 1 Openslides | 2024-09-26 | 7.5 High | OpenSlides 4.0.15 verifies passwords by comparing password hashes using a function with content-dependent runtime. This can allow attackers to obtain information about the password hash using a timing attack.
CVE-2023-42468 | 1 Azmobileapps | 1 Color Phone | 2024-09-26 | 5.3 Medium | The com.cutestudio.colordialer application through 2.1.8-2 for Android allows a remote attacker to initiate phone calls without user consent, because of improper export of the com.cutestudio.dialer.activities.DialerActivity component. A third-party application (without any permissions) can craft an intent targeting com.cutestudio.dialer.activities.DialerActivity via the android.intent.action.CALL action in conjunction with a tel: URI, thereby placing a phone call.
CVE-2023-40850 | 1 Netentsec | 2 Ns-asg, Ns-asg Firmware | 2024-09-26 | 7.5 High | netentsec NS-ASG 6.3 is vulnerable to Incorrect Access Control. There is a file leak in the website source code of the application security gateway.
CVE-2023-38829 | 1 Netis-systems | 2 Wf2409e, Wf2409e Firmware | 2024-09-26 | 8.8 High | An issue in NETIS SYSTEMS WF2409E v.3.6.42541 allows a remote attacker to execute arbitrary code via the ping and traceroute functions of the diagnostic tools component in the admin management interface.
CVE-2023-35673 | 1 Google | 1 Android | 2024-09-26 | 8.8 High | In build_read_multi_rsp of gatt_sr.cc, there is a possible out-of-bounds write due to an integer overflow. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation.
CVE-2023-38878 | 1 Devcode | 1 Openstamanager | 2024-09-26 | 6.1 Medium | A reflected cross-site scripting (XSS) vulnerability in DevCode OpenSTAManager versions 2.4.24 to 2.4.47 may allow a remote attacker to execute arbitrary JavaScript in the web browser of a victim by injecting a malicious payload into the 'error' and 'error_description' parameters of 'oauth2.php'.
CVE-2024-36264 | 1 Apache | 1 Submarine | 2024-09-26 | 9.8 Critical | ** UNSUPPORTED WHEN ASSIGNED ** Improper Authentication vulnerability in Apache Submarine Commons Utils. This issue affects Apache Submarine Commons Utils: from 0.8.0. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
CVE-2023-3612 | 1 Govee | 1 Home | 2024-09-26 | 8.2 High | The Govee Home app has unprotected access to a WebView component which can be opened by any app on the device. By sending a URL to a specially crafted site, the attacker can execute JavaScript in the context of the WebView or steal sensitive user data by displaying phishing content.
CVE-2023-24965 | 2 Ibm, Linux | 2 Aspera Faspex, Linux Kernel | 2024-09-26 | 5.8 Medium | IBM Aspera Faspex 5.0.5 does not restrict or incorrectly restricts access to a resource from an unauthorized actor. IBM X-Force ID: 246713.
CVE-2024-9177 | | | 2024-09-26 | 6.4 Medium | The Themedy Toolbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's themedy_col, themedy_social_link, themedy_alertbox, and themedy_pullleft shortcodes in all versions up to, and including, 1.0.14, and up to, and including, 1.0.15 for the plugin's themedy_button shortcode, due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2023-40150 | 1 Softneta | 1 Meddream Pacs | 2024-09-26 | 9.8 Critical | Softneta MedDream PACS does not perform an authentication check and performs some dangerous functionality, which could result in unauthenticated remote code execution.
CVE-2023-40218 | 1 Samsung | 12 Exynos 1280, Exynos 1280 Firmware, Exynos 1380 and 9 more | 2024-09-26 | 2 Low | An issue was discovered in the NPU kernel driver in Samsung Exynos Mobile Processor 9820, 980, 2100, 2200, 1280, and 1380. An integer overflow can bypass detection of error cases via a crafted application.
CVE-2023-35675 | 1 Google | 1 Android | 2024-09-26 | 5.5 Medium | In loadMediaResumptionControls of MediaResumeListener.kt, there is a possible way to play and listen to media files played by another user on the same device due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
CVE-2023-40834 | 1 Opencart | 1 Opencart | 2024-09-26 | 9.8 Critical | OpenCart CMS v4.0.2.2 was discovered to lack a protective mechanism on its login page against excessive login attempts, allowing unauthenticated attackers to gain access to the application via a brute-force attack on the password parameter.
CVE-2023-41013 | 1 Icewarp | 1 Icewarp | 2024-09-26 | 6.1 Medium | Cross Site Scripting (XSS) in Webmail Calendar in IceWarp 10.3.1 allows remote attackers to inject arbitrary web script or HTML via the "p4" field.