Total
67 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2024-7626 | 2024-09-11 | N/A | 8.1 HIGH | ||
The WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes) plugin for WordPress is vulnerable to arbitrary file movement and reading due to insufficient file path validation in the save_edit_profile_details() function in all versions up to, and including, 1.6.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php). This can also lead to the reading of arbitrary files that may contain sensitive information like wp-config.php. | |||||
CVE-2024-0849 | 1 Leanote | 1 Desktop | 2024-09-05 | N/A | 5.5 MEDIUM |
Leanote version 2.7.0 allows obtaining arbitrary local files. This is possible because the application is vulnerable to LFR. | |||||
CVE-2024-7744 | 1 Progress | 1 Ws Ftp Server | 2024-09-04 | N/A | 6.5 MEDIUM |
In WS_FTP Server versions before 8.8.8 (2022.0.8), an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in the Web Transfer Module allows File Discovery, Probe System Files, User-Controlled Filename, Path Traversal. An authenticated file download flaw has been identified where a user can craft an API call that allows them to download a file from an arbitrary folder on the drive where that user host's root folder is located (by default this is C:) | |||||
CVE-2024-33671 | 2024-08-27 | N/A | 7.7 HIGH | ||
An issue was discovered in Veritas Backup Exec before 22.2 HotFix 917391. The Backup Exec Deduplication Multi-threaded Streaming Agent can be leveraged to perform arbitrary file deletion on protected files. | |||||
CVE-2024-39303 | 1 Weblate | 1 Weblate | 2024-08-21 | N/A | 5.4 MEDIUM |
Weblate is a web based localization tool. Prior to version 5.6.2, Weblate didn't correctly validate filenames when restoring project backup. It may be possible to gain unauthorized access to files on the server using a crafted ZIP file. This issue has been addressed in Weblate 5.6.2. As a workaround, do not allow untrusted users to create projects. | |||||
CVE-2024-7911 | 1 Oretnom23 | 1 Simple Online Bidding System | 2024-08-19 | 6.5 MEDIUM | 9.8 CRITICAL |
A vulnerability was found in SourceCodester Simple Online Bidding System 1.0. It has been classified as critical. This affects an unknown part of the file /simple-online-bidding-system/bidding/index.php. The manipulation of the argument page leads to file inclusion. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
CVE-2024-7497 | 1 Angeljudesuarez | 1 Airline Reservation System | 2024-08-19 | 6.5 MEDIUM | 8.8 HIGH |
A vulnerability was found in itsourcecode Airline Reservation System 1.0 and classified as critical. This issue affects some unknown processing of the file /admin/index.php. The manipulation of the argument page leads to file inclusion. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-273623. | |||||
CVE-2024-7496 | 1 Angeljudesuarez | 1 Airline Reservation System | 2024-08-19 | 6.5 MEDIUM | 8.8 HIGH |
A vulnerability has been found in itsourcecode Airline Reservation System 1.0 and classified as critical. This vulnerability affects unknown code of the file /index.php. The manipulation of the argument page leads to file inclusion. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-273622 is the identifier assigned to this vulnerability. | |||||
CVE-2024-38173 | 1 Microsoft | 4 365 Apps, Office, Office Long Term Servicing Channel and 1 more | 2024-08-16 | N/A | 6.7 MEDIUM |
Microsoft Outlook Remote Code Execution Vulnerability | |||||
CVE-2024-38165 | 1 Microsoft | 2 Windows 11 22h2, Windows 11 23h2 | 2024-08-16 | N/A | 6.5 MEDIUM |
Windows Compressed Folder Tampering Vulnerability | |||||
CVE-2024-28394 | 2024-08-05 | N/A | 9.8 CRITICAL | ||
An issue in Advanced Plugins reportsstatistics v1.3.20 and before allows a remote attacker to execute arbitrary code via the Sales Reports, Statistics, Custom Fields & Export module. | |||||
CVE-2024-6714 | 2024-07-24 | N/A | 8.8 HIGH | ||
An issue was discovered in provd before version 0.1.5 with a setuid binary, which allows a local attacker to escalate their privilege. | |||||
CVE-2024-6937 | 2024-07-22 | 3.3 LOW | 2.7 LOW | ||
A vulnerability, which was classified as problematic, was found in formtools.org Form Tools 3.1.1. Affected is the function curl_exec of the file /admin/forms/option_lists/edit.php of the component Import Option List. The manipulation of the argument url leads to file inclusion. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-271992. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
CVE-2024-20652 | 1 Microsoft | 13 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 10 more | 2024-07-19 | N/A | 8.1 HIGH |
Windows HTML Platforms Security Feature Bypass Vulnerability | |||||
CVE-2024-5334 | 2024-07-12 | N/A | 7.5 HIGH | ||
A local file read vulnerability exists in the stitionai/devika repository, affecting the latest version. The vulnerability is due to improper handling of the 'snapshot_path' parameter in the '/api/get-browser-snapshot' endpoint. An attacker can exploit this vulnerability by crafting a request with a malicious 'snapshot_path' parameter, leading to arbitrary file read from the system. This issue impacts the security of the application by allowing unauthorized access to sensitive files on the server. | |||||
CVE-2024-38049 | 1 Microsoft | 14 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 11 more | 2024-07-11 | N/A | 8.1 HIGH |
Windows Distributed Transaction Coordinator Remote Code Execution Vulnerability | |||||
CVE-2024-39904 | 2024-07-11 | N/A | 8.8 HIGH | ||
VNote is a note-taking platform. Prior to 3.18.1, a code execution vulnerability existed in VNote, which allowed an attacker to execute arbitrary programs on the victim's system. A crafted URI can be used in a note to perform this attack using file:/// as a link. For example, file:///C:/WINDOWS/system32/cmd.exe. This allows attackers to execute arbitrary programs by embedding a reference to a local executable file such as file:///C:/WINDOWS/system32/cmd.exe and file:///C:/WINDOWS/system32/calc.exe. This vulnerability can be exploited by creating and sharing specially crafted notes. An attacker could send a crafted note file and perform further attacks. This vulnerability is fixed in 3.18.1. | |||||
CVE-2024-37149 | 2024-07-11 | N/A | 7.2 HIGH | ||
GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An authenticated technician user can upload a malicious PHP script and hijack the plugin loader to execute this malicious script. Upgrade to 10.0.16. | |||||
CVE-2024-23317 | 2024-07-11 | N/A | 6.3 MEDIUM | ||
External Control of File Name or Path (CWE-73) in the Controller 6000 and Controller 7000 allows an attacker with local access to the Controller to perform arbitrary code execution. This issue affects: 9.10 prior to vCR9.10.240520a (distributed in 9.10.1268(MR1)), 9.00 prior to vCR9.00.240521a (distributed in 9.00.1990(MR3)), 8.90 prior to vCR8.90.240520a (distributed in 8.90.1947 (MR4)), 8.80 prior to vCR8.80.240520a (distributed in 8.80.1726 (MR5)), 8.70 prior to vCR8.70.240520a (distributed in 8.70.2824 (MR7)), all versions of 8.60 and prior. | |||||
CVE-2024-27175 | 2024-07-04 | N/A | 4.4 MEDIUM | ||
Remote Command program allows an attacker to read any file using a Local File Inclusion vulnerability. An attacker can read any file on the printer. As for the affected products/models/versions, see the reference URL. |