Total
3676 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-24278 | 2024-11-21 | N/A | 7.5 HIGH | ||
| An issue in Teamwire Windows desktop client v.2.0.1 through v.2.4.0 allows a remote attacker to obtain sensitive information via a crafted payload to the message function. | |||||
| CVE-2024-24091 | 1 Yealink | 1 Yealink Meeting Server | 2024-11-21 | N/A | 9.8 CRITICAL |
| Yealink Meeting Server before v26.0.0.66 was discovered to contain an OS command injection vulnerability via the file upload interface. | |||||
| CVE-2024-23755 | 2024-11-21 | N/A | 8.8 HIGH | ||
| ClickUp Desktop before 3.3.77 on macOS and Windows allows code injection because of specific Electron Fuses. There is inadequate protection against code injection through settings such as RunAsNode. | |||||
| CVE-2024-23750 | 1 Deepwisdom | 1 Metagpt | 2024-11-21 | N/A | 8.8 HIGH |
| MetaGPT through 0.6.4 allows the QaEngineer role to execute arbitrary code because RunCode.run_script() passes shell metacharacters to subprocess.Popen. | |||||
| CVE-2024-23746 | 2 Apple, Miro | 2 Macos, Miro | 2024-11-21 | N/A | 9.8 CRITICAL |
| Miro Desktop 0.8.18 on macOS allows local Electron code injection via a complex series of steps that might be usable in some environments (bypass a kTCCServiceSystemPolicyAppBundles requirement via a file copy, an app.app/Contents rename, an asar modification, and a rename back to app.app/Contents). | |||||
| CVE-2024-23742 | 1 Loom | 1 Loom | 2024-11-21 | N/A | 9.8 CRITICAL |
| An issue in Loom on macOS version 0.196.1 and before, allows remote attackers to execute arbitrary code via the RunAsNode and enableNodeClilnspectArguments settings. NOTE: the vendor disputes this because it requires local access to a victim's machine. | |||||
| CVE-2024-23727 | 2024-11-21 | N/A | 8.4 HIGH | ||
| The YI Smart Kami Vision com.kamivision.yismart application through 1.0.0_20231219 for Android allows a remote attacker to execute arbitrary JavaScript code via an implicit intent to the com.ants360.yicamera.activity.WebViewActivity component. | |||||
| CVE-2024-23692 | 1 Rejetto | 1 Http File Server | 2024-11-21 | N/A | 9.8 CRITICAL |
| Rejetto HTTP File Server, up to and including version 2.3m, is vulnerable to a template injection vulnerability. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary commands on the affected system by sending a specially crafted HTTP request. As of the CVE assignment date, Rejetto HFS 2.3m is no longer supported. | |||||
| CVE-2024-23278 | 2024-11-21 | N/A | 7.7 HIGH | ||
| The issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.6.5, macOS Sonoma 14.4, iOS 17.4 and iPadOS 17.4, watchOS 10.4, iOS 16.7.6 and iPadOS 16.7.6, tvOS 17.4. An app may be able to break out of its sandbox. | |||||
| CVE-2024-23208 | 1 Apple | 5 Ipados, Iphone Os, Macos and 2 more | 2024-11-21 | N/A | 7.8 HIGH |
| The issue was addressed with improved memory handling. This issue is fixed in macOS Sonoma 14.3, watchOS 10.3, tvOS 17.3, iOS 17.3 and iPadOS 17.3. An app may be able to execute arbitrary code with kernel privileges. | |||||
| CVE-2024-22988 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
| An issue in zkteco zkbio WDMS v.8.0.5 allows an attacker to execute arbitrary code via the /files/backup/ component. | |||||
| CVE-2024-22899 | 1 Vinchin | 1 Vinchin Backup And Recovery | 2024-11-21 | N/A | 8.8 HIGH |
| Vinchin Backup & Recovery v7.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the syncNtpTime function. | |||||
| CVE-2024-22724 | 2024-11-21 | N/A | 6.6 MEDIUM | ||
| An issue was discovered in osCommerce v4, allows local attackers to bypass file upload restrictions and execute arbitrary code via administrator profile photo upload feature. | |||||
| CVE-2024-22722 | 2024-11-21 | N/A | 7.2 HIGH | ||
| Server Side Template Injection (SSTI) vulnerability in Form Tools 3.1.1 allows attackers to run arbitrary commands via the Group Name field under the add forms section of the application. | |||||
| CVE-2024-22633 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
| Setor Informatica Sistema Inteligente para Laboratorios (S.I.L.) 388 was discovered to contain a remote code execution (RCE) vulnerability via the hprinter parameter. This vulnerability is triggered via a crafted POST request. | |||||
| CVE-2024-22533 | 1 Xiandafu | 1 Beetl | 2024-11-21 | N/A | 9.8 CRITICAL |
| Before Beetl v3.15.12, the rendering template has a server-side template injection (SSTI) vulnerability. When the incoming template is controllable, it will be filtered by the DefaultNativeSecurityManager blacklist. Because blacklist filtering is not strict, the blacklist can be bypassed, leading to arbitrary code execution. | |||||
| CVE-2024-22514 | 1 Ispyconnect | 1 Agent Dvr | 2024-11-21 | N/A | 8.8 HIGH |
| An issue discovered in iSpyConnect.com Agent DVR 5.1.6.0 allows attackers to run arbitrary files by restoring a crafted backup file. | |||||
| CVE-2024-22274 | 2024-11-21 | N/A | 7.2 HIGH | ||
| The vCenter Server contains an authenticated remote code execution vulnerability. A malicious actor with administrative privileges on the vCenter appliance shell may exploit this issue to run arbitrary commands on the underlying operating system. | |||||
| CVE-2024-22188 | 2024-11-21 | N/A | 7.2 HIGH | ||
| TYPO3 before 13.0.1 allows an authenticated admin user (with system maintainer privileges) to execute arbitrary shell commands (with the privileges of the web server) via a command injection vulnerability in form fields of the Install Tool. The fixed versions are 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, and 13.0.1. | |||||
| CVE-2024-22144 | 2024-11-21 | N/A | 9.0 CRITICAL | ||
| Improper Control of Generation of Code ('Code Injection') vulnerability in Eli Scheetz Anti-Malware Security and Brute-Force Firewall gotmls allows Code Injection.This issue affects Anti-Malware Security and Brute-Force Firewall: from n/a through 4.21.96. | |||||