Total
3674 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-11070 | 2024-11-12 | 4.0 MEDIUM | 3.5 LOW | ||
| A vulnerability, which was classified as problematic, has been found in Sanluan PublicCMS 5.202406.d. This issue affects some unknown processing of the file /admin/cmsTagType/save of the component Tag Type Handler. The manipulation of the argument name leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-11078 | 2024-11-12 | 4.0 MEDIUM | 3.5 LOW | ||
| A vulnerability has been found in code-projects Job Recruitment 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /register.php. The manipulation of the argument e leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-51757 | 2024-11-08 | N/A | N/A | ||
| happy-dom is a JavaScript implementation of a web browser without its graphical user interface. Versions of happy-dom prior to 15.10.2 may execute code on the host via a script tag. This would execute code in the user context of happy-dom. Users are advised to upgrade to version 15.10.2. There are no known workarounds for this vulnerability. | |||||
| CVE-2024-46961 | 2024-11-08 | N/A | 8.1 HIGH | ||
| The Inshot com.downloader.privatebrowser (aka Video Downloader - XDownloader) application through 1.3.5 for Android allows an attacker to execute arbitrary JavaScript code via the com.downloader.privatebrowser.activity.PrivateMainActivity component. | |||||
| CVE-2024-43425 | 2024-11-08 | N/A | 8.1 HIGH | ||
| A flaw was found in Moodle. Additional restrictions are required to avoid a remote code execution risk in calculated question types. Note: This requires the capability to add/update questions. | |||||
| CVE-2024-46960 | 2024-11-08 | N/A | 8.8 HIGH | ||
| The ASD com.rocks.video.downloader (aka HD Video Downloader All Format) application through 7.0.129 for Android allows an attacker to execute arbitrary JavaScript code via the com.rocks.video.downloader.MainBrowserActivity component. | |||||
| CVE-2024-35314 | 2024-11-08 | N/A | 9.8 CRITICAL | ||
| A vulnerability in the Desktop Client of Mitel MiCollab through 9.7.1.110, and MiVoice Business Solution Virtual Instance (MiVB SVI) 1.0.0.25, could allow an unauthenticated attacker to conduct a command injection attack due to insufficient parameter sanitization. A successful exploit requires user interaction and could allow an attacker to execute arbitrary scripts. | |||||
| CVE-2024-10263 | 1 Tickera | 1 Tickera | 2024-11-08 | N/A | 7.3 HIGH |
| The Tickera – WordPress Event Ticketing plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.5.4.4. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. | |||||
| CVE-2024-47826 | 1 Elabftw | 1 Elabftw | 2024-11-08 | N/A | 6.1 MEDIUM |
| eLabFTW is an open source electronic lab notebook for research labs. A vulnerability in versions prior to 5.1.5 allows an attacker to inject arbitrary HTML tags in the pages: "experiments.php" (show mode), "database.php" (show mode) or "search.php". It works by providing HTML code in the extended search string, which will then be displayed back to the user in the error message. This means that injected HTML will appear in a red "alert/danger" box, and be part of an error message. Due to some other security measures, it is not possible to execute arbitrary javascript from this attack. As such, this attack is deemed low impact. Users should upgrade to at least version 5.1.5 to receive a patch. No known workarounds are available. | |||||
| CVE-2024-10035 | 1 Bg-tek | 1 Coslat | 2024-11-08 | N/A | 9.8 CRITICAL |
| Improper Control of Generation of Code ('Code Injection') vulnerability in BG-TEK Informatics Security Technologies CoslatV3 allows Command Injection.This issue affects CoslatV3: through 3.1069. NOTE: The vendor was contacted and it was learned that the product is not supported. | |||||
| CVE-2024-8923 | 1 Servicenow | 1 Servicenow | 2024-11-07 | N/A | 9.8 CRITICAL |
| ServiceNow has addressed an input validation vulnerability that was identified in the Now Platform. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform. ServiceNow deployed an update to hosted instances and ServiceNow provided the update to our partners and self-hosted customers. Further, the vulnerability is addressed in the listed patches and hot fixes. | |||||
| CVE-2024-48050 | 2024-11-06 | N/A | 9.8 CRITICAL | ||
| In agentscope <=v0.0.4, the file agentscope\web\workstation\workflow_utils.py has the function is_callable_expression. Within this function, the line result = eval(s) poses a security risk as it can directly execute user-provided commands. | |||||
| CVE-2024-48061 | 2024-11-06 | N/A | 9.8 CRITICAL | ||
| langflow <=1.0.18 is vulnerable to Remote Code Execution (RCE) as any component provided the code functionality and the components run on the local machine rather than in a sandbox. | |||||
| CVE-2024-51329 | 1 Idrsdev | 1 Agile-board | 2024-11-06 | N/A | 8.8 HIGH |
| A Host header injection vulnerability in Agile-Board 1.0 allows attackers to obtain the password reset token via user interaction with a crafted password reset link. | |||||
| CVE-2024-47158 | 1 Neumann | 1 N-line | 2024-11-06 | N/A | 5.4 MEDIUM |
| N-LINE 2.0.6 and prior versions contain a code injection vulnerability. If this vulnerability is exploited, arbitrary code may be executed on the instructor's browser, or the instructor may be directed to a malicious website. | |||||
| CVE-2024-10505 | 1 Wuzhicms | 1 Wuzhicms | 2024-11-06 | 6.5 MEDIUM | 7.2 HIGH |
| A vulnerability was found in wuzhicms 4.1.0. It has been classified as critical. Affected is the function add/edit of the file www/coreframe/app/content/admin/block.php. The manipulation leads to code injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Initially two separate issues were created by the researcher for the different function calls. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-9846 | 1 Aftabhusain | 1 Enable Shortcodes Inside Widgets\,comments And Experts | 2024-11-06 | N/A | 7.3 HIGH |
| The The Enable Shortcodes inside Widgets,Comments and Experts plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.0.0. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. | |||||
| CVE-2024-37846 | 1 Radixiot | 1 Mango | 2024-11-05 | N/A | 4.6 MEDIUM |
| MangoOS before 5.2.0 was discovered to contain a Client-Side Template Injection (CSTI) vulnerability via the Platform Management Edit page. | |||||
| CVE-2024-37845 | 1 Radixiot | 1 Mango | 2024-11-04 | N/A | 7.2 HIGH |
| MangoOS before 5.2.0 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the Active Process Command feature. | |||||
| CVE-2024-9324 | 1 Intelbras | 1 Incontrol Web | 2024-11-04 | 6.5 MEDIUM | 8.8 HIGH |
| A vulnerability was found in Intelbras InControl up to 2.21.57. It has been rated as critical. Affected by this issue is some unknown functionality of the file /v1/operador/ of the component Relatório de Operadores Page. The manipulation of the argument fields leads to code injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.21.58 is able to address this issue. It is recommended to upgrade the affected component. The vendor was informed early on 2024-07-19 about this issue. The release of a fixed version 2.21.58 was announced for the end of August 2024 but then was postponed until 2024-09-20. | |||||