CVE List - 2024 / October
Showing 1301 - 1400 of 3570 CVEs for October 2024 (Page 14 of 36)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2024-48797 | 2024-10-14 | An issue in PCS Engineering Preston Cinema (com.prestoncinema.app) 0.2.0 allows a remote attacker to obtain sensitive information via the firmware update process. |
| CVE-2024-48798 | 2024-10-14 | An issue in Hubble Connected (com.hubbleconnected.vervelife) 2.00.81 allows a remote attacker to obtain sensitive information via the firmware update process. |
| CVE-2024-48799 | 2024-10-14 | An issue in LOREX TECHNOLOGY INC com.lorexcorp.lorexping 1.4.22 allows a remote attacker to obtain sensitive information via the firmware update process. |
| CVE-2024-48821 | 2024-10-14 | Cross Site Scripting vulnerability in Automatic Systems Maintenance SlimLane 29565_d74ecce0c1081d50546db573a499941b10799fb7 allows a remote attacker to escalate privileges via the FtpConfig.php component. |
| CVE-2024-48822 | 2024-10-14 | Privilege escalation in Automatic Systems Maintenance SlimLane 29565_d74ecce0c1081d50546db573a499941b10799fb7 allows a remote attacker to escalate privileges via the FtpConfig.php page. |
| CVE-2024-48823 | 2024-10-14 | Local file inclusion in Automatic Systems Maintenance SlimLane 29565_d74ecce0c1081d50546db573a499941b10799fb7 allows a remote attacker to escalate privileges via the PassageAutoServer.php page. |
| CVE-2024-48824 | 2024-10-14 | An issue in Automatic Systems Maintenance SlimLane 29565_d74ecce0c1081d50546db573a499941b10799fb7 allows a remote attacker to obtain sensitive information via the Racine & FileName parameters in the download-file.php component. |
| CVE-2024-9921 | 2024-10-14 | TEAMPLUS TECHNOLOGY Team+ - SQL Injection |
| CVE-2024-9922 | 2024-10-14 | TEAMPLUS TECHNOLOGY Team+ - Arbitrary File Read through Path Traversal |
| CVE-2024-9923 | 2024-10-14 | TEAMPLUS TECHNOLOGY Team+ - Arbitrary File Move through Path Traversal |
| CVE-2024-9924 | 2024-10-14 | Hgiga OAKlouds - Arbitrary File Read And Delete |
| CVE-2024-38862 | 2024-10-14 | SNMP and IPMI secrets written to audit log |
| CVE-2024-38863 | 2024-10-14 | CSRF token leaked in URL parameters |
| CVE-2024-9137 | 2024-10-14 | Moxa Service Missing Authentication for Critical Function |
| CVE-2024-46911 | 2024-10-14 | Apache Roller: Weakness in CSRF protection allows privilege escalation |
| CVE-2024-43701 | 2024-10-14 | GPU DDK - PowerVR: TLB invalidate UAF of dma_buf imported into multiple GPU devices |
| CVE-2024-9139 | 2024-10-14 | OS Command Injection in Restricted Command |
| CVE-2024-8602 | 2024-10-14 | XML External Entity Attack in the Software Library taxstatement.jar |
| CVE-2024-9936 | 2024-10-14 | When manipulating the selection node cache, an attacker may have been able to cause unexpected behavior, potentially leading to an exploitable crash. This vulnerability affects Firefox < 131.0.3. |
| CVE-2024-7847 | 2024-10-14 | RSLogix™ 5 and RSLogix 500® Remote Code Execution Via VBA Embedded Script |
| CVE-2024-9823 | 2024-10-14 | Jetty DOS vulnerability on DosFilter |
| CVE-2024-6763 | 2024-10-14 | Jetty URI parsing of invalid authority |
| CVE-2024-6762 | 2024-10-14 | Jetty PushSessionCacheFilter can cause remote DoS attacks |
| CVE-2024-8184 | 2024-10-14 | Jetty ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks |
| CVE-2023-50780 | 2024-10-14 | Apache ActiveMQ Artemis: Authenticated users could perform RCE via Jolokia MBeans |
| CVE-2024-45735 | 2024-10-14 | Improper Access Control for low-privileged user in Splunk Secure Gateway App |
| CVE-2024-45731 | 2024-10-14 | Potential Remote Command Execution (RCE) through arbitrary file write to Windows system root directory when Splunk Enterprise for Windows is installed on a separate disk |
| CVE-2024-45740 | 2024-10-14 | Persistent Cross-Site Scripting (XSS) through Scheduled Views on Splunk Enterprise |
| CVE-2024-45734 | 2024-10-14 | Low Privilege User can View Images on the Host Machine by using the PDF Export feature in Splunk Classic Dashboard |
| CVE-2024-45741 | 2024-10-14 | Persistent Cross-Site Scripting (XSS) via props.conf on Splunk Enterprise |
| CVE-2024-45736 | 2024-10-14 | Improperly Formatted ‘INGEST_EVAL’ Parameter Crashes Splunk Daemon |
| CVE-2024-45732 | 2024-10-14 | Low-privileged user could run search as nobody in SplunkDeploymentServerConfig app |
| CVE-2024-45733 | 2024-10-14 | Remote Code Execution (RCE) due to insecure session storage configuration in Splunk Enterprise on Windows |
| CVE-2024-45737 | 2024-10-14 | Maintenance mode state change of App Key Value Store (KVStore) through Cross-Site Request Forgery (CSRF) |
| CVE-2024-45738 | 2024-10-14 | Sensitive information disclosure in REST_Calls logging channel |
| CVE-2024-45739 | 2024-10-14 | Sensitive information disclosure in AdminManager logging channel |
| CVE-2024-46980 | 2024-10-14 | Tuleap vulnerable to XSS in the HTML mail content of the cross reference field |
| CVE-2024-46988 | 2024-10-14 | Tuleap does not properly check permissions for email notifications in trackers |
| CVE-2024-47766 | 2024-10-14 | Permissions are incorrectly verified for project administrators in the cross tracker search widget |
| CVE-2024-47767 | 2024-10-14 | Tuleap lists trackers in the quick add actions of the backlog without any permissions check |
| CVE-2024-47826 | 2024-10-14 | eLabFTW vulnerable to HTML Injection in extended search error message |
| CVE-2024-47831 | 2024-10-14 | Next.js image optimization has Denial of Service condition |
| CVE-2024-47885 | 2024-10-14 | astro's client-side router has DOM Clobbering Gadget that leads to XSS |
| CVE-2024-48909 | 2024-10-14 | SpiceDB calls to LookupResources using LookupResources2 with caveats may return context is missing when it is not |
| CVE-2024-48911 | 2024-10-14 | OpenCanary Executes Commands From Potentially Writable Config File |
| CVE-2024-6207 | 2024-10-14 | CVE 2021-22681 https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.PN1550.html and send a specially crafted CIP message to the device. If exploited, a threat actor could help prevent access to the legitimate user and end connections to... |
| CVE-2024-9953 | 2024-10-14 | Potential DoS Vulnerability in CERT VINCE Software Before Version 3.0.8 |
| CVE-2024-30117 | 2024-10-14 | HCL BigFix Platform is affected by a DLL Hijack vulnerability |
| CVE-2024-9546 | 2024-10-14 | WPIDE <= 3.4.9 - Unauthenticated Full Path Disclosure |
| CVE-2024-9548 | 2024-10-14 | Slimstat Analytics <= 5.2.6 - Unauthenticated Stored Cross-Site Scripting |
| CVE-2023-31493 | 2024-10-15 | RCE (Remote Code Execution) exists in ZoneMinder through 1.36.33 as an attacker can create a new .php log file in language folder, while executing a crafted payload and escalate privileges... |
| CVE-2024-31955 | 2024-10-15 | An issue was discovered in Samsung eMMC with KLMAG2GE4A and KLM8G1WEMB firmware. Code bypass through Electromagnetic Fault Injection allows an attacker to successfully authenticate and write to the RPMB (Replay... |
| CVE-2024-35584 | 2024-10-15 | SQL injection vulnerabilities were discovered in Ajax.php, ForWindow.php, ForExport.php, Modules.php, functions/HackingLogFnc.php in OpenSis Community Edition 9.1 to 8.0, and possibly earlier versions. It is possible for an authenticated user to... |
| CVE-2024-41311 | 2024-10-15 | In Libheif 1.17.6, insufficient checks in ImageOverlay::parse() decoding a heif file containing an overlay image with forged offsets can lead to an out-of-bounds read and write. |
| CVE-2024-41344 | 2024-10-15 | A Cross-Site Request Forgery (CSRF) in Codeigniter 3.1.13 allows attackers to arbitrarily change the Administrator password and escalate privileges. |
| CVE-2024-44337 | 2024-10-15 | The package `github.com/gomarkdown/markdown` is a Go library for parsing Markdown text and rendering as HTML. Prior to pseudoversion `v0.0.0-20240729232818-a2a9c4f`, which corresponds with commit `a2a9c4f76ef5a5c32108e36f7c47f8d310322252`, there was a logical problem in... |
| CVE-2024-44775 | 2024-10-15 | An issue in kmqtt v0.2.7 allows attackers to cause a Denial of Service(DoS) via a crafted request. |
| CVE-2024-48278 | 2024-10-15 | Phpgurukul User Registration & Login and User Management System 3.2 is vulnerable to Cross Site Request Forgery (CSRF) via /edit-profile.php. |
| CVE-2024-48279 | 2024-10-15 | A HTML Injection vulnerability was found in /search-result.php of PHPGurukul User Registration & Login and User Management System 3.2. This vulnerability allows remote attackers to execute arbitrary HTML code via... |
| CVE-2024-48280 | 2024-10-15 | A SQL Injection vulnerability was found in /search-result.php of PHPGurukul User Registration & Login and User Management System 3.2, which allows remote attackers to execute arbitrary SQL command via the... |
| CVE-2024-48282 | 2024-10-15 | A SQL Injection vulnerability was found in /password-recovery.php of PHPGurukul User Registration & Login and User Management System 3.2, which allows remote attackers to execute arbitrary SQL commands to get... |
| CVE-2024-48283 | 2024-10-15 | Phpgurukul User Registration & Login and User Management System 3.2 is vulnerable to SQL Injection in /admin//search-result.php via the searchkey parameter. |
| CVE-2024-48411 | 2024-10-15 | itsourcecode Online Tours and Travels Management System v1.0 is vulnerable to SQL Injection (SQLI) via a crafted payload to the val-email parameter in forget_password.php. |
| CVE-2024-48622 | 2024-10-15 | A cross-site scripting (XSS) issue in DomainMOD below v4.12.0 allows remote attackers to inject JavaScript code via admin/domain-fields/edit.php and the cdfid parameter. |
| CVE-2024-48623 | 2024-10-15 | In queue\index.php of DomainMOD below v4.12.0, the list_id and domain_id parameters in the GET request can be exploited to cause a reflected Cross Site Scripting (XSS). |
| CVE-2024-48624 | 2024-10-15 | In segments\edit.php of DomainMOD below v4.12.0, the segid parameter in the GET request can be exploited to cause a reflected Cross Site Scripting (XSS) vulnerability. |
| CVE-2024-48710 | 2024-10-15 | In TP-Link TL-WDR7660 1.0, the wlanTimerRuleJsonToBin function handles the parameter string name without checking it, which can lead to stack overflow vulnerabilities. |
| CVE-2024-48712 | 2024-10-15 | In TP-Link TL-WDR7660 1.0, the rtRuleJsonToBin function handles the parameter string name without checking it, which can lead to stack overflow vulnerabilities. |
| CVE-2024-48713 | 2024-10-15 | In TP-Link TL-WDR7660 1.0, the wacWhitelistJsonToBin function handles the parameter string name without checking it, which can lead to stack overflow vulnerabilities. |
| CVE-2024-48714 | 2024-10-15 | In TP-Link TL-WDR7660 v1.0, the guestRuleJsonToBin function handles the parameter string name without checking it, which can lead to stack overflow vulnerabilities. |
| CVE-2024-48779 | 2024-10-15 | An issue in Wanxing Technology's Yitu project Management Software 3.2.2 allows a remote attacker to execute arbitrary code via the platformpluginpath parameter to specify that the qt plugin loads the... |
| CVE-2024-48781 | 2024-10-15 | An issue in Wanxing Technology Yitu Project Management Kirin Edition 2.3.6 allows a remote attacker to execute arbitrary code via a specially constructed so file/opt/EdrawProj-2/plugins/imageformat. |
| CVE-2024-48782 | 2024-10-15 | File Upload vulnerability in DYCMS Open-Source Version v2.0.9.41 allows a remote attacker to execute arbitrary code via the application only detecting the extension of image files in the front-end. |
| CVE-2024-48783 | 2024-10-15 | An issue in Ruijie NBR3000D-E Gateway allows a remote attacker to obtain sensitive information via the /tool/shell/postgresql.conf component. |
| CVE-2024-48948 | 2024-10-15 | The Elliptic package 6.5.7 for Node.js, in its for ECDSA implementation, does not correctly verify valid signatures if the hash contains at least four leading 0 bytes and when the... |
| CVE-2024-49195 | 2024-10-15 | Mbed TLS 3.5.x through 3.6.x before 3.6.2 has a buffer underrun in pkwrite when writing an opaque key pair |
| CVE-2024-9952 | 2024-10-15 | SourceCodester Online Eyewear Shop Contact Information Page contact_info cross site scripting |
| CVE-2024-9687 | 2024-10-15 | WP 2FA with Telegram <= 3.0 - Authenticated (Subscriber+) Authentication Bypass |
| CVE-2024-6757 | 2024-10-15 | Elementor <= 3.23.5 - Authenticated (Contributor+) Basic Information Exposure via get_image_alt Function |
| CVE-2024-9820 | 2024-10-15 | WP 2FA with Telegram <= 3.0 - Two-Factor Authentication Bypass |
| CVE-2024-9968 | 2024-10-15 | NewType WebEIP v3.0 - SQL injection |
| CVE-2024-9969 | 2024-10-15 | NewType WebEIP v3.0 - Reflected XSS |
| CVE-2024-9970 | 2024-10-15 | NewType FlowMaster BPM Plus - Privilege Escalation |
| CVE-2024-9971 | 2024-10-15 | NewType FlowMaster BPM Plus - SQL Injection |
| CVE-2024-21535 | 2024-10-15 | Versions of the package markdown-to-jsx before 7.4.0 are vulnerable to Cross-site Scripting (XSS) via the src property due to improper input sanitization. An attacker can execute arbitrary code by injecting... |
| CVE-2024-9944 | 2024-10-15 | WooCommerce <= 9.0.2 - Unauthenticated HTML Injection |
| CVE-2024-0129 | 2024-10-15 | NVIDIA NeMo contains a vulnerability in SaveRestoreConnector where a user may cause a path traversal issue via an unsafe .tar file extraction. A successful exploit of this vulnerability may lead... |
| CVE-2024-46898 | 2024-10-15 | SHIRASAGI prior to v1.19.1 processes URLs in HTTP requests improperly, resulting in a path traversal vulnerability. If this vulnerability is exploited, arbitrary files on the server may be retrieved when... |
| CVE-2024-9972 | 2024-10-15 | ChanGate Property Management System - SQL Injection |
| CVE-2024-9837 | 2024-10-15 | AADMY – Add Auto Date Month Year Into Posts <= 2.0.1 - Unauthenticated Arbitrary Shortcode Execution |
| CVE-2024-9980 | 2024-10-15 | FormosaSoft ee-class - SQL Injection |
| CVE-2024-9981 | 2024-10-15 | FormosaSoft ee-class - Local File Inclusion |
| CVE-2024-9982 | 2024-10-15 | ESi Technology AIM LINE Marketing Platform - SQL Injection |
| CVE-2024-9983 | 2024-10-15 | Ragic Enterprise Cloud Database - Arbitrary File Read through Path Traversal |
| CVE-2024-9984 | 2024-10-15 | Ragic Enterprise Cloud Database - Missing Authentication |
| CVE-2024-9985 | 2024-10-15 | Ragic Enterprise Cloud Database - Arbitrary File Upload |
| CVE-2024-9895 | 2024-10-15 | Smart Online Order for Clover <= 1.5.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via moo_receipt_link Shortcode |
| CVE-2024-9925 | 2024-10-15 | SQL injection in QPLANT by TAI Smart Factory |
| CVE-2024-47943 | 2024-10-15 | Improper signature verification of firmware upgrade files |
| CVE-2024-47944 | 2024-10-15 | Missing Protection Mechanism for Alternate Hardware Interface |