Total
3487 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2024-8271 | 2024-09-14 | N/A | 7.3 HIGH | ||
The The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.4.2.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode in the 'woocs_get_custom_price_html' function. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. | |||||
CVE-2024-8479 | 2024-09-14 | N/A | 7.3 HIGH | ||
The The Simple Spoiler plugin for WordPress is vulnerable to arbitrary shortcode execution in versions 1.2 to 1.3. This is due to the plugin adding the filter add_filter('comment_text', 'do_shortcode'); which will run all shortcodes in comments. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. | |||||
CVE-2024-44466 | 1 Comfast | 2 Cf-xr11, Cf-xr11 Firmware | 2024-09-13 | N/A | 9.8 CRITICAL |
COMFAST CF-XR11 V2.7.2 has a command injection vulnerability in function sub_424CB4. Attackers can send POST request messages to /usr/bin/webmgnt and inject commands into parameter iface. | |||||
CVE-2024-8695 | 1 Docker | 1 Desktop | 2024-09-13 | N/A | 9.8 CRITICAL |
A remote code execution (RCE) vulnerability via crafted extension description/changelog could be abused by a malicious extension in Docker Desktop before 4.34.2. | |||||
CVE-2024-8696 | 1 Docker | 1 Desktop | 2024-09-13 | N/A | 9.8 CRITICAL |
A remote code execution (RCE) vulnerability via crafted extension publisher-url/additional-urls could be abused by a malicious extension in Docker Desktop before 4.34.2. | |||||
CVE-2024-3121 | 1 Lollms | 1 Lollms | 2024-09-13 | N/A | 3.3 LOW |
A remote code execution vulnerability exists in the create_conda_env function of the parisneo/lollms repository, version 5.9.0. The vulnerability arises from the use of shell=True in the subprocess.Popen function, which allows an attacker to inject arbitrary commands by manipulating the env_name and python_version parameters. This issue could lead to a serious security breach as demonstrated by the ability to execute the 'whoami' command among potentially other harmful commands. | |||||
CVE-2023-30131 | 1 Ixpdata | 1 Easyinstall | 2024-09-12 | N/A | 9.8 CRITICAL |
An issue discovered in IXP EasyInstall 6.6.14884.0 allows attackers to run arbitrary commands, gain escalated privilege, and cause other unspecified impacts via unauthenticated API calls. | |||||
CVE-2023-49391 | 1 Free5gc | 1 Free5gc | 2024-09-12 | N/A | 7.5 HIGH |
An issue was discovered in free5GC version 3.3.0, allows remote attackers to execute arbitrary code and cause a denial of service (DoS) on AMF component via crafted NGAP message. | |||||
CVE-2024-45390 | 1 Blakeembrey | 1 Template | 2024-09-12 | N/A | 9.8 CRITICAL |
@blakeembrey/template is a string template library. Prior to version 1.2.0, it is possible to inject and run code within the template if the attacker has access to write the template name. Version 1.2.0 contains a patch. As a workaround, don't pass untrusted input as the template display name, or don't use the display name feature. | |||||
CVE-2023-46042 | 1 Get-simple | 1 Getsimplecms | 2024-09-12 | N/A | 9.8 CRITICAL |
An issue in GetSimpleCMS v.3.4.0a allows a remote attacker to execute arbitrary code via a crafted payload to the phpinfo(). | |||||
CVE-2023-26324 | 1 Mi | 1 Getapps | 2024-09-12 | N/A | 9.8 CRITICAL |
A code execution vulnerability exists in the XiaomiGetApps application product. This vulnerability is caused by the verification logic being bypassed, and an attacker can exploit this vulnerability to execute malicious code. | |||||
CVE-2023-26322 | 1 Mi | 1 Getapps | 2024-09-12 | N/A | 9.8 CRITICAL |
A code execution vulnerability exists in the XiaomiGetApps application product. This vulnerability is caused by the verification logic being bypassed, and an attacker can exploit this vulnerability to execute malicious code. | |||||
CVE-2023-46509 | 1 Contec | 2 Solarview Compact, Solarview Compact Firmware | 2024-09-12 | N/A | 9.8 CRITICAL |
An issue in Contec SolarView Compact v.6.0 and before allows an attacker to execute arbitrary code via the texteditor.php component. | |||||
CVE-2023-43352 | 1 Cmsmadesimple | 1 Cms Made Simple | 2024-09-12 | N/A | 7.8 HIGH |
An issue in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted payload to the Content Manager Menu component. | |||||
CVE-2023-46010 | 1 Seacms | 1 Seacms | 2024-09-11 | N/A | 9.8 CRITICAL |
An issue in SeaCMS v.12.9 allows an attacker to execute arbitrary commands via the admin_safe.php component. | |||||
CVE-2024-7627 | 1 Bitapps | 1 File Manager | 2024-09-11 | N/A | 8.1 HIGH |
The Bit File Manager plugin for WordPress is vulnerable to Remote Code Execution in versions 6.0 to 6.5.5 via the 'checkSyntax' function. This is due to writing a temporary file to a publicly accessible directory before performing file validation. This makes it possible for unauthenticated attackers to execute code on the server if an administrator has allowed Guest User read permissions. | |||||
CVE-2024-41127 | 1 Monkeytype | 1 Monkeytype | 2024-09-11 | N/A | 9.6 CRITICAL |
Monkeytype is a minimalistic and customizable typing test. Monkeytype is vulnerable to Poisoned Pipeline Execution through Code Injection in its ci-failure-comment.yml GitHub Workflow, enabling attackers to gain pull-requests write access. The ci-failure-comment.yml workflow is triggered when the Monkey CI workflow completes. When it runs, it will download an artifact uploaded by the triggering workflow and assign the contents of ./pr_num/pr_num.txt artifact to the steps.pr_num_reader.outputs.content WorkFlow variable. It is not validated that the variable is actually a number and later it is interpolated into a JS script allowing an attacker to change the code to be executed. This issue leads to pull-requests write access. This vulnerability is fixed in 24.30.0. | |||||
CVE-2024-6940 | 1 Dedecms | 1 Dedecms | 2024-09-10 | 5.8 MEDIUM | 7.2 HIGH |
A vulnerability was found in DedeCMS 5.7.114. It has been classified as critical. This affects an unknown part of the file article_template_rand.php. The manipulation leads to code injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-271995. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
CVE-2024-44410 | 1 Dlink | 2 Di-8300, Di-8300 Firmware | 2024-09-10 | N/A | 9.8 CRITICAL |
D-Link DI-8300 v16.07.26A1 is vulnerable to command injection via the upgrade_filter_asp function. | |||||
CVE-2024-44411 | 2024-09-10 | N/A | 9.8 CRITICAL | ||
D-Link DI-8300 v16.07.26A1 is vulnerable to command injection via the msp_info_htm function. |