Total
272182 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-45717 | 2024-12-04 | N/A | 7.0 HIGH | ||
| The SolarWinds Platform was susceptible to a XSS vulnerability that affects the search and node information section of the user interface. This vulnerability requires authentication and requires user interaction. | |||||
| CVE-2024-11398 | 2024-12-04 | N/A | 8.1 HIGH | ||
| Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in OTP reset functionality in Synology Router Manager (SRM) before 1.3.1-9346-9 allows remote authenticated users to delete arbitrary files via unspecified vectors. | |||||
| CVE-2023-52944 | 2024-12-04 | N/A | 4.3 MEDIUM | ||
| Incorrect authorization vulnerability in ActionRule webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to perform limited actions on the set action rules function via unspecified vectors. | |||||
| CVE-2023-52943 | 2024-12-04 | N/A | 4.3 MEDIUM | ||
| Incorrect authorization vulnerability in Alert.Setting webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to to perform limited actions on the alerting function via unspecified vectors. | |||||
| CVE-2024-54664 | 2024-12-04 | N/A | 7.8 HIGH | ||
| An issue was discovered in Veritas NetBackup before 10.5. This only applies to NetBackup components running on a Windows Operating System. If a user executes specific NetBackup commands or an attacker uses social engineering techniques to impel the user to execute the commands, a malicious DLL could be loaded, resulting in execution of the attacker's code in the user's security context, a different vulnerability than CVE-2024-52945. | |||||
| CVE-2024-54661 | 2024-12-04 | N/A | N/A | ||
| readline.sh in socat through 1.8.0.1 relies on the /tmp/$USER/stderr2 file. | |||||
| CVE-2024-9404 | 2024-12-04 | N/A | 5.3 MEDIUM | ||
| Moxa’s IP Cameras are affected by a medium-severity vulnerability, CVE-2024-9404, which could lead to a denial-of-service condition or cause a service crash. This vulnerability allows attackers to exploit the Moxa service, commonly referred to as moxa_cmd, originally designed for deployment. Because of insufficient input validation, this service may be manipulated to trigger a denial-of-service. This vulnerability poses a significant remote threat if the affected products are exposed to publicly accessible networks. Attackers could potentially disrupt operations by shutting down the affected systems. Due to the critical nature of this security risk, we strongly recommend taking immediate action to prevent potential exploitation. | |||||
| CVE-2024-53916 | 2024-12-04 | N/A | 7.5 HIGH | ||
| In OpenStack Neutron before 25.0.1, neutron/extensions/tagging.py can use an incorrect ID during policy enforcement. It does not apply the proper policy check for changing network tags. An unprivileged tenant is able to change (add and clear) tags on network objects that do not belong to the tenant, and this action is not subjected to the proper policy authorization check. This affects 23 before 23.2.1, 24 before 24.0.2, and 25 before 25.0.1. | |||||
| CVE-2024-53900 | 2024-12-04 | N/A | 9.1 CRITICAL | ||
| Mongoose before 8.8.3 can improperly use $where in match, leading to search injection. | |||||
| CVE-2024-12123 | 2024-12-04 | N/A | N/A | ||
| A hidden field manipulation vulnerability was identified in Issuetrak version 17.1 that could be triggered by an authenticated user. When an authenticated user submits a ticket, the request can be intercepted and subsequently modified by using a proxy. The ticket requester can be changed from the original requester to another user in the same application, which the application then accepts. | |||||
| CVE-2024-12099 | 2024-12-04 | N/A | 4.3 MEDIUM | ||
| The Dollie Hub – Build Your Own WordPress Cloud Platform plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 6.2.0 via the 'elementor-template' shortcode due to insufficient restrictions on which posts can be included. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract data from password protected, private, or draft posts that they should not have access to. | |||||
| CVE-2024-10885 | 2024-12-04 | N/A | 6.4 MEDIUM | ||
| The SearchIQ – The Search Solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'siq_searchbox' shortcode in all versions up to, and including, 4.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-11897 | 2024-12-04 | N/A | 6.4 MEDIUM | ||
| The Contact Form, Survey & Form Builder – MightyForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mightyforms' shortcode in all versions up to, and including, 1.3.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-11813 | 2024-12-04 | N/A | 6.1 MEDIUM | ||
| The Pulsating Chat Button plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.6. This is due to missing or incorrect nonce validation on the amin_chat_button_settings_page() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2024-11807 | 2024-12-04 | N/A | 6.1 MEDIUM | ||
| The NPS computy plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'data1' and 'data2' parameters in all versions up to, and including, 2.8.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2024-11747 | 2024-12-04 | N/A | 6.4 MEDIUM | ||
| The Responsive Videos plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'somryv' shortcode in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-11093 | 2024-12-04 | N/A | 5.5 MEDIUM | ||
| The SG Helper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in version 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | |||||
| CVE-2024-10952 | 2024-12-04 | N/A | 7.3 HIGH | ||
| The The Authors List plugin for WordPress is vulnerable to arbitrary shortcode execution via update_authors_list_ajax AJAX action in all versions up to, and including, 2.0.4. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. | |||||
| CVE-2024-10832 | 2024-12-04 | N/A | 6.1 MEDIUM | ||
| The Posti Shipping plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.10.3. This is due to missing or incorrect nonce validation on the generate_notices_html() function. This makes it possible for unauthenticated attackers to inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2024-10663 | 2024-12-04 | N/A | 4.3 MEDIUM | ||
| The Eleblog – Elementor Blog And Magazine Addons plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the goodbye_form_callback() function in all versions up to, and including, 1.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to submit a deactivation reason. | |||||