Total
3668 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-51424 | 2024-11-04 | N/A | 9.8 CRITICAL | ||
| An issue in the PepeGxng smart contract (which can be run on the Ethereum blockchain) allows remote attackers to have an unspecified impact via the Owned.setOwner function. NOTE: this is disputed by third parties because the impact is limited to function calls. | |||||
| CVE-2024-3408 | 1 Man | 1 D-tale | 2024-11-03 | N/A | 9.8 CRITICAL |
| man-group/dtale version 3.10.0 is vulnerable to an authentication bypass and remote code execution (RCE) due to improper input validation. The vulnerability arises from a hardcoded `SECRET_KEY` in the flask configuration, allowing attackers to forge a session cookie if authentication is enabled. Additionally, the application fails to properly restrict custom filter queries, enabling attackers to execute arbitrary code on the server by bypassing the restriction on the `/update-settings` endpoint, even when `enable_custom_filters` is not enabled. This vulnerability allows attackers to bypass authentication mechanisms and execute remote code on the server. | |||||
| CVE-2024-48359 | 2024-11-01 | N/A | 9.8 CRITICAL | ||
| Qualitor v8.24 was discovered to contain a remote code execution (RCE) vulnerability via the gridValoresPopHidden parameter. | |||||
| CVE-2024-20485 | 1 Cisco | 2 Adaptive Security Appliance Software, Firepower Threat Defense Software | 2024-11-01 | N/A | 6.7 MEDIUM |
| A vulnerability in the VPN web server of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to execute arbitrary code with root-level privileges. Administrator-level privileges are required to exploit this vulnerability. This vulnerability is due to improper validation of a specific file when it is read from system flash memory. An attacker could exploit this vulnerability by restoring a crafted backup file to an affected device. A successful exploit could allow the attacker to execute arbitrary code on the affected device after the next reload of the device, which could alter system behavior. Because the injected code could persist across device reboots, Cisco has raised the Security Impact Rating (SIR) of this advisory from Medium to High. | |||||
| CVE-2024-9264 | 1 Grafana | 1 Grafana | 2024-11-01 | N/A | 8.8 HIGH |
| The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The `duckdb` binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions. | |||||
| CVE-2024-48138 | 2024-11-01 | N/A | 9.8 CRITICAL | ||
| A remote code execution (RCE) vulnerability in the component /PluXml/core/admin/parametres_edittpl.php of PluXml v5.8.16 and lower allows attackers to execute arbitrary code via injecting a crafted payload into a template. | |||||
| CVE-2024-21537 | 2024-11-01 | N/A | 8.8 HIGH | ||
| Versions of the package lilconfig from 3.1.0 and before 3.1.1 are vulnerable to Arbitrary Code Execution due to the insecure usage of eval in the dynamicImport function. An attacker can exploit this vulnerability by passing a malicious input through the defaultLoaders function. | |||||
| CVE-2024-51243 | 2024-11-01 | N/A | 7.2 HIGH | ||
| The eladmin v2.7 and before contains a remote code execution (RCE) vulnerability that can control all application deployment servers of this management system via DeployController.java. | |||||
| CVE-2024-42041 | 2024-11-01 | N/A | 8.1 HIGH | ||
| The com.videodownload.browser.videodownloader (aka AppTool-Browser-Video All Video Downloader) application 20-30.05.24 for Android allows an attacker to execute arbitrary JavaScript code via the acr.browser.lightning.DefaultBrowserActivity component. | |||||
| CVE-2024-3785 | 2024-10-31 | N/A | 6.6 MEDIUM | ||
| Vulnerability in WBSAirback 21.02.04, which involves improper neutralisation of Server-Side Includes (SSI), through Device NAS shared section (/admin/DeviceNAS). Exploitation of this vulnerability could allow a remote user to execute arbitrary code. | |||||
| CVE-2024-50498 | 1 Lubus | 1 Wp Query Console | 2024-10-31 | N/A | 9.8 CRITICAL |
| Improper Control of Generation of Code ('Code Injection') vulnerability in LUBUS WP Query Console allows Code Injection.This issue affects WP Query Console: from n/a through 1.0. | |||||
| CVE-2024-50492 | 1 Scottpaterson | 1 Scottcart | 2024-10-31 | N/A | 9.8 CRITICAL |
| Improper Control of Generation of Code ('Code Injection') vulnerability in Scott Paterson ScottCart allows Code Injection.This issue affects ScottCart: from n/a through 1.1. | |||||
| CVE-2024-9061 | 1 Themehunk | 1 Wp Popup Builder | 2024-10-30 | N/A | 9.8 CRITICAL |
| The The WP Popup Builder – Popup Forms and Marketing Lead Generation plugin for WordPress is vulnerable to arbitrary shortcode execution via the wp_ajax_nopriv_shortcode_Api_Add AJAX action in all versions up to, and including, 1.3.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. NOTE: This vulnerability was partially fixed in version 1.3.5 with a nonce check, which effectively prevented access to the affected function. However, version 1.3.6 incorporates the correct authorization check to prevent unauthorized access. | |||||
| CVE-2024-50611 | 2024-10-30 | N/A | 7.2 HIGH | ||
| CycloneDX cdxgen through 10.10.7, when run against an untrusted codebase, may execute code contained within build-related files such as build.gradle.kts, a similar issue to CVE-2022-24441. cdxgen is used by, for example, OWASP dep-scan. NOTE: this has been characterized as a design limitation, rather than an implementation mistake. | |||||
| CVE-2023-38198 | 1 Acme.sh Project | 1 Acme.sh | 2024-10-30 | N/A | 9.8 CRITICAL |
| acme.sh before 3.0.6 runs arbitrary commands from a remote server via eval, as exploited in the wild in June 2023. | |||||
| CVE-2024-48964 | 1 Snyk | 1 Snyk Cli | 2024-10-30 | N/A | 8.8 HIGH |
| The package Snyk CLI before 1.1294.0 is vulnerable to Code Injection when scanning an untrusted Gradle project. The vulnerability can be triggered if Snyk test is run inside the untrusted project due to the improper handling of the current working directory name. Snyk recommends only scanning trusted projects. | |||||
| CVE-2024-48655 | 2024-10-29 | N/A | 8.8 HIGH | ||
| An issue in Total.js CMS v.1.0 allows a remote attacker to execute arbitrary code via the func.js file. | |||||
| CVE-2024-48700 | 2024-10-29 | N/A | 7.2 HIGH | ||
| Kliqqi-CMS has a background arbitrary code execution vulnerability that attackers can exploit to implant backdoors or getShell via the edit_page.php component. | |||||
| CVE-2024-48236 | 2024-10-29 | N/A | 6.5 MEDIUM | ||
| An issue in ofcms 1.1.2 allows a remote attacker to execute arbitrary code via the FileOutputStream function in the write String method of the ofcms-admin\src\main\java\com\ofsoft\cms\core\uitle\FileUtils.java file | |||||
| CVE-2024-48235 | 2024-10-29 | N/A | 6.5 MEDIUM | ||
| An issue in ofcms 1.1.2 allows a remote attacker to execute arbitrary code via the save method of the TemplateController.java file. | |||||