CVE List - 2024 / October
Showing 1701 - 1800 of 3570 CVEs for October 2024 (Page 18 of 36)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2023-32266 | 2024-10-16 | Code injection vulnerability found in OpenText Application Lifecycle Management (ALM),Quality Center. |
| CVE-2024-4184 | 2024-10-16 | Multiple XXE sinks in ALM archive post-build step in OpenText Application Automation Tools |
| CVE-2024-4189 | 2024-10-16 | Multiple XXE sinks in Run LoadRunner script step in OpenText Application Automation Tools |
| CVE-2024-4211 | 2024-10-16 | Multiple missing permission checks |
| CVE-2024-4690 | 2024-10-16 | Insecure usage for DocumentBuilderFactory and TransformerFactory in OpenText Application Automation Tools |
| CVE-2024-4692 | 2024-10-16 | Multiple missing permission checks |
| CVE-2024-38814 | 2024-10-16 | An authenticated SQL injection vulnerability in VMware HCX was privately reported to VMware. A malicious authenticated user with non-administrator privileges may be able to enter specially crafted SQL queries and... |
| CVE-2024-10033 | 2024-10-16 | Aap-gateway: xss on aap-gateway |
| CVE-2024-9143 | 2024-10-16 | Low-level invalid GF(2^m) parameters lead to OOB memory access |
| CVE-2024-41128 | 2024-10-16 | Action Dispatch has possible ReDoS vulnerability in query parameter filtering |
| CVE-2024-45795 | 2024-10-16 | Suricata detect/datasets: reachable assertion with unimplemented rule option |
| CVE-2024-45796 | 2024-10-16 | Suricata defrag: off by one can lead to policy bypass |
| CVE-2024-45797 | 2024-10-16 | LibHTP's unbounded header handling leads to denial service |
| CVE-2024-47187 | 2024-10-16 | Suricata datasets: missing hashtable random seed leads to potential DoS |
| CVE-2024-47188 | 2024-10-16 | Suricata http/byte-ranges: missing hashtable random seed leads to potential DoS |
| CVE-2024-47522 | 2024-10-16 | Suricata ja4: invalid alpn leads to panic |
| CVE-2024-47836 | 2024-10-16 | Admidio vulnerable to HTML Injection In The Messages Section |
| CVE-2024-47887 | 2024-10-16 | Action Controller has possible ReDoS vulnerability in HTTP Token authentication |
| CVE-2024-47888 | 2024-10-16 | Action Text has possible ReDoS vulnerability in plain_text_for_blockquote_node |
| CVE-2024-47889 | 2024-10-16 | Action Mailer has possible ReDoS vulnerability in block_format |
| CVE-2024-48918 | 2024-10-16 | Lack of Input Validation in RDS Light - Potential for Injection Attacks and Memory Tampering |
| CVE-2024-7993 | 2024-10-16 | Out-of-Bounds Write Vulnerability in Autodesk Revit |
| CVE-2024-7994 | 2024-10-16 | Stack-Based Buffer Overflow Vulnerability in Autodesk Revit |
| CVE-2023-26785 | 2024-10-17 | MariaDB v10.5 was discovered to contain a remote code execution (RCE) vulnerability via UDF Code in a Shared Object File, followed by a "create function" statement. NOTE: this is disputed... |
| CVE-2023-39593 | 2024-10-17 | Insecure permissions in the sys_exec function of MariaDB v10.5 allows authenticated attackers to execute arbitrary commands with elevated privileges. NOTE: this is disputed by the MariaDB Foundation because no privilege... |
| CVE-2024-27766 | 2024-10-17 | An issue in MariaDB v.11.1 allows a remote attacker to execute arbitrary code via the lib_mysqludf_sys.so function. NOTE: this is disputed by the MariaDB Foundation because no privilege boundary is... |
| CVE-2024-30875 | 2024-10-17 | Cross Site Scripting vulnerability in JavaScript Library jquery-ui v.1.13.1 allows a remote attacker to obtain sensitive information and execute arbitrary code via a crafted payload to the window.addEventListener component. NOTE:... |
| CVE-2024-33453 | 2024-10-17 | Buffer Overflow vulnerability in esp-idf v.5.1 allows a remote attacker to obtain sensitive information via the externalId component. |
| CVE-2024-48192 | 2024-10-17 | Tenda G3 v15.01.0.5(2848_755)_EN was discovered to contain a hardcoded password vulnerability in /etc_ro/shadow, which allows attackers to log in as root |
| CVE-2024-48629 | 2024-10-17 | D-Link DIR_882_FW130B06 and DIR_878 DIR_878_FW130B08 were discovered to contain a command injection vulnerability via the IPAddress parameter in the SetGuestZoneRouterSettings function. This vulnerability allows attackers to execute arbitrary OS commands... |
| CVE-2024-48630 | 2024-10-17 | D-Link DIR_882_FW130B06 and DIR_878 DIR_878_FW130B08 were discovered to contain a command injection vulnerability via the MacAddress parameter in the SetMACFilters2 function. This vulnerability allows attackers to execute arbitrary OS commands... |
| CVE-2024-48631 | 2024-10-17 | D-Link DIR_882_FW130B06 and DIR_878 DIR_878_FW130B08 were discovered to contain a command injection vulnerability via the SSID parameter in the SetWLanRadioSettings function. This vulnerability allows attackers to execute arbitrary OS commands... |
| CVE-2024-48632 | 2024-10-17 | D-Link DIR_882_FW130B06 and DIR_878 DIR_878_FW130B08 were discovered to contain multiple command injection vulnerabilities via the LocalIPAddress, TCPPorts, and UDPPorts parameters in the SetPortForwardingSettings function. This vulnerability allows attackers to execute... |
| CVE-2024-48633 | 2024-10-17 | D-Link DIR_882_FW130B06 and DIR_878 DIR_878_FW130B08 were discovered to contain multiple command injection vulnerabilities via the ExternalPort, InternalPort, ProtocolNumber, and LocalIPAddress parameters in the SetVirtualServerSettings function. This vulnerability allows attackers to... |
| CVE-2024-48634 | 2024-10-17 | D-Link DIR_882_FW130B06 and DIR_878 DIR_878_FW130B08 were discovered to contain a command injection vulnerability via the key parameter in the SetWLanRadioSecurity function. This vulnerability allows attackers to execute arbitrary OS commands... |
| CVE-2024-48635 | 2024-10-17 | D-Link DIR_882_FW130B06 and DIR_878 DIR_878_FW130B08 were discovered to contain a command injection vulnerability via the VLANID:2/VID parameter in the SetVLANSettings function. This vulnerability allows attackers to execute arbitrary OS commands... |
| CVE-2024-48636 | 2024-10-17 | D-Link DIR_882_FW130B06 and DIR_878 DIR_878_FW130B08 were discovered to contain a command injection vulnerability via the VLANID:0/VID parameter in the SetVLANSettings function. This vulnerability allows attackers to execute arbitrary OS commands... |
| CVE-2024-48637 | 2024-10-17 | D-Link DIR_882_FW130B06 and DIR_878 DIR_878_FW130B08 were discovered to contain a command injection vulnerability via the VLANID:1/VID parameter in the SetVLANSettings function. This vulnerability allows attackers to execute arbitrary OS commands... |
| CVE-2024-48638 | 2024-10-17 | D-Link DIR_882_FW130B06 and DIR_878 DIR_878_FW130B08 were discovered to contain a command injection vulnerability via the SubnetMask parameter in the SetGuestZoneRouterSettings function. This vulnerability allows attackers to execute arbitrary OS commands... |
| CVE-2024-49593 | 2024-10-17 | In Advanced Custom Fields (ACF) before 6.3.9 and Secure Custom Fields before 6.3.6.3 (plugins for WordPress), using the Field Group editor to edit one of the plugin's fields can result... |
| CVE-2024-45766 | 2024-10-17 | Dell OpenManage Enterprise, version(s) OME 4.1 and prior, contain(s) an Improper Control of Generation of Code ('Code Injection') vulnerability. A low privileged attacker with remote access could potentially exploit this... |
| CVE-2024-45767 | 2024-10-17 | Dell OpenManage Enterprise, version(s) OME 4.1 and prior, contain(s) an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability. A low privileged attacker with remote access... |
| CVE-2024-9861 | 2024-10-17 | Miniorange OTP Verification with Firebase <= 3.6.0 - Authentication Bypass |
| CVE-2024-9862 | 2024-10-17 | Miniorange OTP Verification with Firebase <= 3.6.0 - Unauthenticated Arbitrary User Password Change |
| CVE-2024-9240 | 2024-10-17 | ReDi Restaurant Reservation <= 24.0902 - Reflected Cross-Site Scripting |
| CVE-2024-9215 | 2024-10-17 | Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors <= 4.7.1 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary User Email Update and Account Takeover |
| CVE-2024-9940 | 2024-10-17 | Calculated Fields Form <= 5.2.45 - HTML Injection |
| CVE-2024-9863 | 2024-10-17 | Miniorange OTP Verification with Firebase <= 3.6.0 - Privilege Escalation via Registration due to Administrator Default User Role Value |
| CVE-2024-9263 | 2024-10-17 | WP Timetics- AI-powered Appointment Booking Calendar and Online Scheduling Plugin <= 1.0.25 - Insecure Direct Object Reference to Unauthenticated Arbitrary User Password/Email Reset/Account Takeover |
| CVE-2024-9347 | 2024-10-17 | The Ultimate WordPress Toolkit – WP Extended <= 3.0.9 - Reflected Cross-Site Scripting |
| CVE-2024-8719 | 2024-10-17 | Flexmls® IDX Plugin <= 3.14.22 - Reflected Cross-Site Scripting |
| CVE-2024-7417 | 2024-10-17 | Royal Elementor Addons and Templates <= 1.3.986 - Authenticated (Subscriber+) Private Post Disclosure |
| CVE-2024-9352 | 2024-10-17 | Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.35.1 - Cross-Site Request Forgery to Draft Custom Form Creation |
| CVE-2024-9351 | 2024-10-17 | Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.35.1 - Cross-Site Request Forgery to Draft Quiz Creation |
| CVE-2024-5429 | 2024-10-17 | Logo Slider < 4.1.0 - Contributor+ Stored XSS |
| CVE-2024-9213 | 2024-10-17 | Persian WooCommerce SMS <= 7.0.2 - Reflected Cross-Site Scripting |
| CVE-2024-3184 | 2024-10-17 | Multiple CWE-476 NULL Pointer Dereference vulnerabilities were found in GoAhead Web Server up to version 6.0.0 when compiled with the ME_GOAHEAD_REPLACE_MALLOC flag. Without a memory notifier for allocation failures, remote... |
| CVE-2024-3186 | 2024-10-17 | CWE-476 NULL Pointer Dereference vulnerability in the evalExpr() function of GoAhead Web Server (version <= 6.0.0) when compiled with the ME_GOAHEAD_JAVASCRIPT flag. This vulnerability allows a remote attacker with the... |
| CVE-2024-9951 | 2024-10-17 | Wordpress Photo Album Plus <= 8.8.05.003 - Reflected Cross-Site Scripting |
| CVE-2024-3187 | 2024-10-17 | This issue tracks two CWE-416 Use After Free (UAF) and one CWE-415 Double Free vulnerabilities in Goahead versions <= 6.0.0. These are caused by JST values not being nulled when... |
| CVE-2024-8920 | 2024-10-17 | Fonto – Custom Web Fonts Manager <= 1.2.1 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload |
| CVE-2024-9184 | 2024-10-17 | SendPulse Free Web Push <= 1.3.6 - Unauthenticated Stored Cross-Site Scripting |
| CVE-2024-49392 | 2024-10-17 | Stored cross-site scripting (XSS) vulnerability on enrollment invitation page. The following products are affected: Acronis Cyber Files (Windows) before build 9.0.0x24. |
| CVE-2024-49391 | 2024-10-17 | Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis Cyber Files (Windows) before build 9.0.0x24. |
| CVE-2024-49390 | 2024-10-17 | Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis Cyber Files (Windows) before build 9.0.0x24. |
| CVE-2024-49389 | 2024-10-17 | Local privilege escalation due to insecure folder permissions. The following products are affected: Acronis Cyber Files (Windows) before build 9.0.0x24. |
| CVE-2024-49386 | 2024-10-17 | Sensitive information disclosure due to spell-jacking. The following products are affected: Acronis Cyber Files (Windows) before build 9.0.0x24. |
| CVE-2024-10025 | 2024-10-17 | Vulnerability in SICK CLV6xx, SICK Lector6xx and SICK RFx6xx |
| CVE-2024-10068 | 2024-10-17 | OpenSight Software FlashFXP FlashFXP.exe uncontrolled search path |
| CVE-2024-45713 | 2024-10-17 | SolarWinds Kiwi CatTools Sensitive Information Disclosure Vulnerability |
| CVE-2024-9898 | 2024-10-17 | Parallax Image <= 1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via dd-parallax Shortcode |
| CVE-2024-49320 | 2024-10-17 | WordPress Encyclopedia / Glossary / Wiki plugin <= 1.7.60 - Cross Site Scripting (XSS) vulnerability |
| CVE-2024-48024 | 2024-10-17 | WordPress Keep Backup Daily plugin <=2.0.7 - Sensitive Data Exposure vulnerability |
| CVE-2024-48043 | 2024-10-17 | WordPress ShortPixel Image Optimizer plugin <= 5.6.3 - SQL Injection vulnerability |
| CVE-2024-48047 | 2024-10-17 | WordPress Linked Variation for WooCommerce plugin <= 1.0.5 - Cross Site Request Forgery (CSRF) vulnerability |
| CVE-2024-48038 | 2024-10-17 | WordPress wp-Monalisa plugin <= 6.4 - Cross Site Request Forgery (CSRF) vulnerability |
| CVE-2024-48037 | 2024-10-17 | WordPress Contact Form Widget – Contact Query, Contact Page, Form Maker, Query Table plugin <= 1.4.2 - CSRF vulnerability |
| CVE-2024-48031 | 2024-10-17 | WordPress Featured Posts with Multiple Custom Groups (FPMCG) plugin <= 4.0 - Cross-Site Request Forgery (CSRF) vulnerability |
| CVE-2023-6728 | 2024-10-17 | Nokia SR OS: BOF File Encryption Vulnerability |
| CVE-2024-48048 | 2024-10-17 | WordPress Wsify Widget plugin <= 1.0 - CSRF to Stored XSS vulnerability |
| CVE-2024-48046 | 2024-10-17 | WordPress Contact Form by Supsystic plugin <= 1.7.28 - Cross Site Scripting (XSS) vulnerability |
| CVE-2023-6729 | 2024-10-17 | Nokia SR OS: File Access Security Vulnerability |
| CVE-2024-48036 | 2024-10-17 | WordPress SKT Blocks plugin <= 1.6 - Cross Site Scripting (XSS) vulnerability |
| CVE-2024-48032 | 2024-10-17 | WordPress Featured Posts with Multiple Custom Groups (FPMCG) plugin <= 4.0 - Reflected Cross Site Scripting (XSS) vulnerability |
| CVE-2024-48025 | 2024-10-17 | WordPress Simple Baseball Scoreboard plugin <= 1.3 - Cross Site Scripting (XSS) vulnerability |
| CVE-2024-48023 | 2024-10-17 | WordPress Restaurant Reservations Widget plugin <= 1.0 - Reflected Cross Site Scripting (XSS) vulnerability |
| CVE-2024-48022 | 2024-10-17 | WordPress Shortcode For Elementor Templates plugin <= 1.0.0 - Cross Site Scripting (XSS) vulnerability |
| CVE-2024-48021 | 2024-10-17 | WordPress Contact Form 7 – PayPal & Stripe Add-on plugin <= 2.3 - Reflected Cross Site Scripting (XSS) vulnerability |
| CVE-2024-49579 | 2024-10-17 | In JetBrains YouTrack before 2024.3.47197 insecure plugin iframe allowed arbitrary JavaScript execution and unauthorized API requests |
| CVE-2024-49580 | 2024-10-17 | In JetBrains Ktor before 2.3.13 improper caching in HttpCache Plugin could lead to response information disclosure |
| CVE-2024-49315 | 2024-10-17 | WordPress FREE DOWNLOAD MANAGER plugin <= 1.0.0 - Arbitrary File Deletion vulnerability |
| CVE-2024-6333 | 2024-10-17 | Authenticated Remote Code Execution in Altalink, Versalink & WorkCentre Products |
| CVE-2005-10003 | 2024-10-17 | mikexstudios Xcomic os command injection |
| CVE-2024-9683 | 2024-10-17 | Quay: quay allows successful authentication with trucated version of the password |
| CVE-2024-48920 | 2024-10-17 | PutongOJ: unprivileged users can escalate privileges by constructing requests |
| CVE-2024-47459 | 2024-10-17 | Substance3D - Sampler | NULL Pointer Dereference (CWE-476) |
| CVE-2024-10069 | 2024-10-17 | ESAFENET CDG MailDecryptApplicationService.java actionPassMainApplication sql injection |
| CVE-2024-10070 | 2024-10-17 | ESAFENET CDG PolicyPushControlAction.java actionPolicyPush sql injection |
| CVE-2018-25104 | 2024-10-17 | CoinGate Plugin Payment callback.php postProcess logic error |
| CVE-2024-9414 | 2024-10-17 | Cross-site Scripting vulnerability in LCDS LAquis SCADA |