CVE List - 2024 / January
Showing 2101 - 2200 of 2591 CVEs for January 2024 (Page 22 of 26)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2023-51702 | 2024-01-24 | Apache Airflow CNCF Kubernetes provider, Apache Airflow: Kubernetes configuration file saved without encryption in the Metadata and logged as plain text in the Triggerer service |
| CVE-2023-50943 | 2024-01-24 | Apache Airflow: Potential pickle deserialization vulnerability in XComs |
| CVE-2023-50944 | 2024-01-24 | Apache Airflow: Bypass permission verification to read code of other dags |
| CVE-2023-6697 | 2024-01-24 | The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the map id parameter in all versions up to, and including, 9.0.28... |
| CVE-2024-22141 | 2024-01-24 | WordPress Profile Builder Pro Plugin <= 3.10.0 is vulnerable to Sensitive Data Exposure |
| CVE-2023-44281 | 2024-01-24 | Dell Pair Installer version prior to 1.2.1 contains an elevation of privilege vulnerability. A low privilege user with local access to the system could potentially exploit this vulnerability to delete... |
| CVE-2024-22229 | 2024-01-24 | Dell Unity, versions prior to 5.4, contain a vulnerability whereby log messages can be spoofed by an authenticated attacker. An attacker could exploit this vulnerability to forge log entries, create... |
| CVE-2024-23641 | 2024-01-24 | Sending a GET or HEAD request with a body crashes SvelteKit |
| CVE-2024-23897 | 2024-01-24 | Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an... |
| CVE-2024-23898 | 2024-01-24 | Jenkins 2.217 through 2.441 (both inclusive), LTS 2.222.1 through 2.426.2 (both inclusive) does not perform origin validation of requests made through the CLI WebSocket endpoint, resulting in a cross-site WebSocket... |
| CVE-2024-23899 | 2024-01-24 | Jenkins Git server Plugin 99.va_0826a_b_cdfa_d and earlier does not disable a feature of its command parser that replaces an '@' character followed by a file path in an argument with... |
| CVE-2024-23900 | 2024-01-24 | Jenkins Matrix Project Plugin 822.v01b_8c85d16d2 and earlier does not sanitize user-defined axis names of multi-configuration projects, allowing attackers with Item/Configure permission to create or replace any config.xml files on the... |
| CVE-2024-23901 | 2024-01-24 | Jenkins GitLab Branch Source Plugin 684.vea_fa_7c1e2fe3 and earlier unconditionally discovers projects that are shared with the configured owner group, allowing attackers to configure and share a project, resulting in a... |
| CVE-2024-23902 | 2024-01-24 | A cross-site request forgery (CSRF) vulnerability in Jenkins GitLab Branch Source Plugin 684.vea_fa_7c1e2fe3 and earlier allows attackers to connect to an attacker-specified URL. |
| CVE-2024-23903 | 2024-01-24 | Jenkins GitLab Branch Source Plugin 684.vea_fa_7c1e2fe3 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use... |
| CVE-2024-23904 | 2024-01-24 | Jenkins Log Command Plugin 1.0.2 and earlier does not disable a feature of its command parser that replaces an '@' character followed by a file path in an argument with... |
| CVE-2024-23905 | 2024-01-24 | Jenkins Red Hat Dependency Analytics Plugin 0.7.1 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download. |
| CVE-2024-23648 | 2024-01-24 | Pimcore Admin Classic Bundle host header injection in the password reset |
| CVE-2024-23649 | 2024-01-24 | Any authenticated user may obtain private message details from other users on the same instance |
| CVE-2024-23644 | 2024-01-24 | trillium-http and trillium-client vulnerable to HTTP Request/Response Splitting |
| CVE-2024-23646 | 2024-01-24 | Pimcore Admin Classic Bundle SQL Injection in Admin download files as zip |
| CVE-2023-50785 | 2024-01-25 | Zoho ManageEngine ADAudit Plus before 7270 allows admin users to view names of arbitrary directories via path traversal. |
| CVE-2024-22637 | 2024-01-25 | Form Tools v3.1.1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /form_builder/preview.php?form_id=2. |
| CVE-2023-33757 | 2024-01-25 | A lack of SSL certificate validation in Splicecom iPCS (iOS App) v1.3.4, iPCS2 (iOS App) v2.8 and before, and iPCS (Android App) v1.8.5 and before allows attackers to eavesdrop on... |
| CVE-2023-33758 | 2024-01-25 | Splicecom Maximiser Soft PBX v1.5 and before was discovered to contain a cross-site scripting (XSS) vulnerability via the CLIENT_NAME and DEVICE_GUID fields in the login component. |
| CVE-2023-33759 | 2024-01-25 | SpliceCom Maximiser Soft PBX v1.5 and before does not restrict excessive authentication attempts, allowing attackers to bypass authentication via a brute force attack. |
| CVE-2023-33760 | 2024-01-25 | SpliceCom Maximiser Soft PBX v1.5 and before was discovered to utilize a default SSL certificate. This issue can allow attackers to eavesdrop on communications via a man-in-the-middle attack. |
| CVE-2023-41474 | 2024-01-25 | Directory Traversal vulnerability in Ivanti Avalanche 6.3.4.153 allows a remote authenticated attacker to obtain sensitive information via the javax.faces.resource component. |
| CVE-2023-51833 | 2024-01-25 | A command injection issue in TRENDnet TEW-411BRPplus v.2.07_eu that allows a local attacker to execute arbitrary code via the data1 parameter in the debug.cgi page. |
| CVE-2023-52046 | 2024-01-25 | Cross Site Scripting vulnerability (XSS) in webmin v.2.105 and earlier allows a remote attacker to execute arbitrary code via a crafted payload to the "Execute cron job as" tab Input... |
| CVE-2023-52251 | 2024-01-25 | An issue discovered in provectus kafka-ui 0.4.0 through 0.7.1 allows remote attackers to execute arbitrary code via the q parameter of /api/clusters/local/topics/{topic}/messages. |
| CVE-2024-22529 | 2024-01-25 | TOTOLINK X2000R_V2 V2.0.0-B20230727.10434 has a command injection vulnerability in the sub_449040 (handle function of formUploadFile) of /bin/boa. |
| CVE-2024-22635 | 2024-01-25 | WebCalendar v1.3.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /WebCalendarvqsmnseug2/edit_entry.php. |
| CVE-2024-22636 | 2024-01-25 | PluXml Blog v5.8.9 was discovered to contain a remote code execution (RCE) vulnerability in the Static Pages feature. This vulnerability is exploited via injecting a crafted payload into the Content... |
| CVE-2024-22638 | 2024-01-25 | liveSite v2019.1 was discovered to contain a remote code execution (RCE) vulenrabiity via the component /livesite/edit_designer_region.php or /livesite/add_email_campaign.php. |
| CVE-2024-22639 | 2024-01-25 | iGalerie v3.0.22 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the Titre (Title) field in the editing interface. |
| CVE-2024-22729 | 2024-01-25 | NETIS SYSTEMS MW5360 V1.0.1.3031 was discovered to contain a command injection vulnerability via the password parameter on the login page. |
| CVE-2024-22749 | 2024-01-25 | GPAC v2.3 was detected to contain a buffer overflow via the function gf_isom_new_generic_sample_description function in the isomedia/isom_write.c:4577 |
| CVE-2024-22922 | 2024-01-25 | An issue in Projectworlds Vistor Management Systemin PHP v.1.0 allows a remtoe attacker to escalate privileges via a crafted script to the login page in the POST/index.php |
| CVE-2024-23055 | 2024-01-25 | An issue in Plone Docker Official Image 5.2.13 (5221) open-source software allows for remote code execution via improper validation of input by the HOST headers. |
| CVE-2024-23985 | 2024-01-25 | EzServer 6.4.017 allows a denial of service (daemon crash) via a long string, such as one for the RNTO command. |
| CVE-2024-24399 | 2024-01-25 | An arbitrary file upload vulnerability in LEPTON v7.0.0 allows authenticated attackers to execute arbitrary PHP code by uploading this code to the backend/languages/index.php languages area. |
| CVE-2024-0617 | 2024-01-25 | The Category Discount Woocommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpcd_save_discount() function in all versions up to, and... |
| CVE-2024-0624 | 2024-01-25 | The Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.12.7. This... |
| CVE-2024-0688 | 2024-01-25 | The "WebSub (FKA. PubSubHubbub)" plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 3.1.4 due to insufficient input sanitization and... |
| CVE-2024-0625 | 2024-01-25 | The WPFront Notification Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wpfront-notification-bar-options[custom_class]’ parameter in all versions up to, and including, 3.3.2 due to insufficient input sanitization... |
| CVE-2024-23307 | 2024-01-25 | Integer overflow in raid5_cache_count in Linux kernel |
| CVE-2024-22099 | 2024-01-25 | NULL pointer deference in rfcomm_check_security in Linux kernel |
| CVE-2023-6282 | 2024-01-25 | Cross-Site Scripting vulnerability in IceHrm |
| CVE-2024-23855 | 2024-01-25 | Cross-Site Scripting (XSS) vulnerability in Cups Easy |
| CVE-2024-0879 | 2024-01-25 | Authentication bypass in vector-admin domain restriction |
| CVE-2024-22432 | 2024-01-25 | Networker 19.9 and all prior versions contains a Plain-text Password stored in temporary config file during backup duration in NMDA MySQL Database backups. User has low privilege access to Networker... |
| CVE-2024-0822 | 2024-01-25 | Ovirt: authentication bypass |
| CVE-2023-3181 | 2024-01-25 | Insecure Permissions in Splashtop Software Updater |
| CVE-2023-52076 | 2024-01-25 | Remote Code Execution Vulnerability in Atril's EPUB ebook parsing |
| CVE-2023-40547 | 2024-01-25 | Shim: rce in http boot support may lead to secure boot bypass |
| CVE-2024-0880 | 2024-01-25 | Qidianbang qdbcrm Password Reset cross-site request forgery |
| CVE-2023-6267 | 2024-01-25 | Quarkus: json payload getting processed prior to security checks when rest resources are used with annotations. |
| CVE-2023-7227 | 2024-01-25 | Command Injection vulnerability in SystemK NVR 504/508/516 |
| CVE-2024-0882 | 2024-01-25 | qwdigital LinkWechat Universal Download Interface resource path traversal |
| CVE-2024-0883 | 2024-01-25 | SourceCodester Online Tours & Travels Management System pay.php prepare sql injection |
| CVE-2024-21630 | 2024-01-25 | Zulip non-admins can invite new users to streams they would not otherwise be able to add existing users to |
| CVE-2024-23655 | 2024-01-25 | Attacker can prevent users from accessing received emails |
| CVE-2024-23817 | 2024-01-25 | Dolibarr Application Home Page HTML injection vulnerability |
| CVE-2024-23656 | 2024-01-25 | Dex 2.37.0 is discarding TLSconfig and always serves deprecated TLS 1.0/1.1 and insecure ciphers |
| CVE-2023-52355 | 2024-01-25 | Libtiff: tiffrasterscanlinesize64 produce too-big size and could cause oom |
| CVE-2023-52356 | 2024-01-25 | Libtiff: segment fault in libtiff in tiffreadrgbatileext() leading to denial of service |
| CVE-2024-0884 | 2024-01-25 | SourceCodester Online Tours & Travels Management System payment.php exec sql injection |
| CVE-2024-0885 | 2024-01-25 | SpyCamLizard HTTP GET Request denial of service |
| CVE-2024-0886 | 2024-01-25 | Poikosoft EZ CD Audio Converter Activation denial of service |
| CVE-2024-0887 | 2024-01-25 | Mafiatic Blue Server Connection denial of service |
| CVE-2024-0888 | 2024-01-25 | BORGChat Service Port 7551 denial of service |
| CVE-2024-0889 | 2024-01-25 | Kmint21 Golden FTP Server PASV Command denial of service |
| CVE-2024-0890 | 2024-01-25 | hongmaple octopus edit sql injection |
| CVE-2024-21619 | 2024-01-25 | Junos OS: SRX Series and EX Series: J-Web - unauthenticated access to temporary files containing sensitive information |
| CVE-2024-21620 | 2024-01-25 | Junos OS: SRX Series and EX Series: J-Web doesn't sufficiently sanitize input to prevent XSS |
| CVE-2024-0891 | 2024-01-25 | hongmaple octopus cross site scripting |
| CVE-2024-23613 | 2024-01-25 | Symantec Deployment Solution Remote Code Execution |
| CVE-2024-23614 | 2024-01-25 | Symantec Messaging Gateway Buffer Overflow |
| CVE-2024-23615 | 2024-01-25 | Symantec Messaging Gateway Buffer Overflow |
| CVE-2024-23616 | 2024-01-25 | Symantec Server Management Suite Buffer Overflow |
| CVE-2024-23617 | 2024-01-25 | Symantec Data Loss Prevention Buffer Overflow |
| CVE-2024-23618 | 2024-01-25 | Arris SURFboard SBG6950AC2 Arbitrary Code Execution Vulnerability |
| CVE-2024-23619 | 2024-01-25 | IBM Merge Healthcare eFilm Workstation Hardcoded Credentials |
| CVE-2024-23620 | 2024-01-25 | IBM Merge Healthcare eFilm Workstation SYSTEM Privilege Escalation |
| CVE-2024-23621 | 2024-01-25 | IBM Merge Healthcare eFilm Workstation License Server Buffer Overflow |
| CVE-2024-23622 | 2024-01-25 | IBM Merge Healthcare eFilm Workstation License Server CopySLS_Request3 Buffer Overflow |
| CVE-2024-23624 | 2024-01-25 | D-Link DAP-1650 gena.cgi SUBSCRIBE Command Injection Vulnerability |
| CVE-2024-23625 | 2024-01-25 | D-Link DAP-1650 SUBSCRIBE Callback Command Injection Vulnerability |
| CVE-2024-23626 | 2024-01-25 | Motorola MR2600 SaveSysLogParams Command Injection Vulnerability |
| CVE-2024-23627 | 2024-01-25 | Motorola MR2600 SaveStaticRouteIPv4Params Command Injection Vulnerability |
| CVE-2024-23628 | 2024-01-25 | Motorola MR2600 SaveStaticRouteIPv6Params Command Injection Vulnerability |
| CVE-2024-23629 | 2024-01-25 | Motorola MR2600 Authentication Bypass Vulnerability |
| CVE-2024-23630 | 2024-01-25 | Motorola MR2600 Arbitrary Firmware Upload Vulnerability |
| CVE-2022-48622 | 2024-01-26 | In GNOME GdkPixbuf (aka gdk-pixbuf) through 2.42.10, the ANI (Windows animated cursor) decoder encounters heap memory corruption (in ani_load_chunk in io-ani.c) when parsing chunks in a crafted .ani file. A... |
| CVE-2023-48130 | 2024-01-26 | An issue in GINZA CAFE mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token. |
| CVE-2024-22550 | 2024-01-26 | An arbitrary file upload vulnerability in the component /alsdemo/ss/mediam.cgi of ShopSite v14.0 allows attackers to execute arbitrary code via uploading a crafted SVG file. |
| CVE-2023-38317 | 2024-01-26 | An issue was discovered in OpenNDS before 10.1.3. It fails to sanitize the network interface name entry in the configuration file, allowing attackers that have direct or indirect access to... |
| CVE-2023-38318 | 2024-01-26 | An issue was discovered in OpenNDS before 10.1.3. It fails to sanitize the gateway FQDN entry in the configuration file, allowing attackers that have direct or indirect access to this... |
| CVE-2023-38319 | 2024-01-26 | An issue was discovered in OpenNDS before 10.1.3. It fails to sanitize the FAS key entry in the configuration file, allowing attackers that have direct or indirect access to this... |