CVE List - 2024 / October
Showing 2701 - 2800 of 3570 CVEs for October 2024 (Page 28 of 36)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2024-48208 | 2024-10-24 | pure-ftpd before 1.0.52 is vulnerable to Buffer Overflow. There is an out of bounds read in the domlsd() function of the ls.c file. |
| CVE-2024-48423 | 2024-10-24 | An issue in assimp v.5.4.3 allows a local attacker to execute arbitrary code via the CallbackToLogRedirector function within the Assimp library. |
| CVE-2024-48424 | 2024-10-24 | A heap-buffer-overflow vulnerability has been identified in the OpenDDLParser::parseStructure function within the Assimp library, specifically during the processing of OpenGEX files. |
| CVE-2024-48425 | 2024-10-24 | A segmentation fault (SEGV) was detected in the Assimp::SplitLargeMeshesProcess_Triangle::UpdateNode function within the Assimp library during fuzz testing using AddressSanitizer. The crash occurs due to a read access violation at address... |
| CVE-2024-48426 | 2024-10-24 | A segmentation fault (SEGV) was detected in the SortByPTypeProcess::Execute function in the Assimp library during fuzz testing with AddressSanitizer. The crash occurred due to a read access to an invalid... |
| CVE-2024-48427 | 2024-10-24 | A SQL injection vulnerability in Sourcecodester Packers and Movers Management System v1.0 allows remote authenticated users to execute arbitrary SQL commands via the id parameter in /mpms/admin/?page=services/manage_service&id |
| CVE-2024-48440 | 2024-10-24 | Shenzhen Tuoshi Network Communications Co.,Ltd 5G CPE Router NR500-EA RG500UEAABxCOMSLICv3.2.2543.12.18 was discovered to contain a command injection vulnerability via the component at_command.asp. |
| CVE-2024-48441 | 2024-10-24 | Wuhan Tianyu Information Industry Co., Ltd Tianyu CPE Router CommonCPExCPETS_v3.2.468.11.04_P4 was discovered to contain a command injection vulnerability via the component at_command.asp. |
| CVE-2024-48442 | 2024-10-24 | Incorrect access control in Shenzhen Tuoshi Network Communications Co.,Ltd 5G CPE Router NR500-EA RG500UEAABxCOMSLICv3.2.2543.12.18 allows attackers to access the SSH protocol without authentication. |
| CVE-2024-48454 | 2024-10-24 | An issue in SourceCodester Purchase Order Management System v1.0 allows a remote attacker to execute arbitrary code via the /admin?page=user component |
| CVE-2024-48514 | 2024-10-24 | php-heic-to-jpg <= 1.0.5 is vulnerable to code injection (fixed in 1.0.6). An attacker who can upload heic images is able to execute code on the remote server via the file... |
| CVE-2024-48538 | 2024-10-24 | Incorrect access control in the firmware update and download processes of Neye3C v4.5.2.0 allows attackers to access sensitive information by analyzing the code and data within the APK file. |
| CVE-2024-48539 | 2024-10-24 | Neye3C v4.5.2.0 was discovered to contain a hardcoded encryption key in the firmware update mechanism. |
| CVE-2024-48540 | 2024-10-24 | Incorrect access control in XIAO HE Smart 4.3.1 allows attackers to access sensitive information by analyzing the code and data within the APK file. |
| CVE-2024-48541 | 2024-10-24 | Incorrect access control in the firmware update and download processes of Ruochan Smart v4.4.7 allows attackers to access sensitive information by analyzing the code and data within the APK file. |
| CVE-2024-48542 | 2024-10-24 | Incorrect access control in the firmware update and download processes of Yamaha Headphones Controller v1.6.7 allows attackers to access sensitive information by analyzing the code and data within the APK... |
| CVE-2024-48544 | 2024-10-24 | Incorrect access control in the firmware update and download processes of Sylvania Smart Home v3.0.3 allows attackers to access sensitive information by analyzing the code and data within the APK... |
| CVE-2024-48545 | 2024-10-24 | Incorrect access control in the firmware update and download processes of IVY Smart v4.5.0 allows attackers to access sensitive information by analyzing the code and data within the APK file. |
| CVE-2024-48546 | 2024-10-24 | Incorrect access control in the firmware update and download processes of Wear Sync v1.2.0 allows attackers to access sensitive information by analyzing the code and data within the APK file. |
| CVE-2024-48547 | 2024-10-24 | Incorrect access control in the firmware update and download processes of DreamCatcher Life v1.8.7 allows attackers to access sensitive information by analyzing the code and data within the APK file. |
| CVE-2024-48548 | 2024-10-24 | The APK file in Cloud Smart Lock v2.0.1 has leaked a URL that can call an API for binding physical devices. This vulnerability allows attackers to arbitrarily construct a... |
| CVE-2024-9374 | 2024-10-24 | Terms descriptions <= 3.4.6 - Reflected Cross-Site Scripting |
| CVE-2024-9865 | 2024-10-24 | EventPrime – Modern Events Calendar, Bookings and Tickets <= 4.0.4.7 - Unauthenticated Stored Cross-Site Scripting via Transaction Log |
| CVE-2024-9864 | 2024-10-24 | EventPrime – Modern Events Calendar, Bookings and Tickets <= 4.0.4.7 - Unauthenticated Stored Cross-Site Scripting |
| CVE-2024-9531 | 2024-10-24 | MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution <= 4.2.4 - Missing Authorization to Forged Vendor Profile Deletion Email Sending |
| CVE-2024-8667 | 2024-10-24 | HurryTimer – An Scarcity and Urgency Countdown Timer for WordPress & WooCommerce <= 2.10.0 - Missing Authorization to Authenticated (Contributor+) Arbitrary Post Publication |
| CVE-2024-9943 | 2024-10-24 | MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution <= 4.2.4 - Cross-Site Request Forgery to Vendor Updates |
| CVE-2024-6049 | 2024-10-24 | Unauthenticated Path Traversal |
| CVE-2024-10050 | 2024-10-24 | Elementor Header & Footer Builder <= 1.6.43 - Authenticated (Contributor+) Information Disclosure via Shortcode |
| CVE-2024-8717 | 2024-10-24 | PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer – DearFlip <= 2.3.32 - Reflected Cross-Site Scripting |
| CVE-2024-8312 | 2024-10-24 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab |
| CVE-2024-6826 | 2024-10-24 | Allocation of Resources Without Limits or Throttling in GitLab |
| CVE-2024-10331 | 2024-10-24 | PHPGurukul Vehicle Record System search-vehicle.php sql injection |
| CVE-2024-9650 | 2024-10-24 | WP Recipe Maker <= 9.6.1 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via 'tooltip' |
| CVE-2024-9214 | 2024-10-24 | Extra Product Options Builder for WooCommerce <= 1.2.133 - Unauthenticated Stored Cross-Site Scripting |
| CVE-2024-10176 | 2024-10-24 | Compact WP Audio Player <= 1.9.13 - Authenticated (Contributor+) Stored Cross-Site Scripting via sc_embed_player Shortcode |
| CVE-2024-8959 | 2024-10-24 | WP Adminify – Best WordPress Custom Dashboard Plugin <= 4.0.1.6 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload |
| CVE-2024-49682 | 2024-10-24 | WordPress Simple Membership plugin <= 4.5.3 - Open Redirection vulnerability |
| CVE-2024-49683 | 2024-10-24 | WordPress Schema & Structured Data for WP & AMP plugin <= 1.3.5 - Sensitive Data Exposure vulnerability |
| CVE-2024-5608 | 2024-10-24 | SQL Injection |
| CVE-2024-49691 | 2024-10-24 | WordPress Product Filter by WBW plugin <= 2.7.0 - SQL Injection vulnerability |
| CVE-2024-49681 | 2024-10-24 | WordPress WP Sessions Time Monitoring Full Automatic plugin <= 1.0.9 - SQL Injection vulnerability |
| CVE-2024-49703 | 2024-10-24 | WordPress WpEvently plugin <= 4.2.5 - Cross Site Scripting (XSS) vulnerability |
| CVE-2024-10332 | 2024-10-24 | A Cross-Site Scripting vulnerability has been found in Janto v4.3r11 from Impronta. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending the victim a... |
| CVE-2024-49702 | 2024-10-24 | WordPress myCred Elementor plugin <= 1.2.6 - Cross Site Scripting (XSS) vulnerability |
| CVE-2024-49696 | 2024-10-24 | WordPress Photo Gallery, Images, Slider in Rbs Image Gallery plugin <= 3.2.21 - Cross Site Scripting (XSS) vulnerability |
| CVE-2024-10180 | 2024-10-24 | Contact Form 7 - Repeatable Fields <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via field_group Shortcode |
| CVE-2024-49695 | 2024-10-24 | WordPress WP Flow Plus plugin <= 5.2.3 - Cross Site Scripting (XSS) vulnerability |
| CVE-2024-49693 | 2024-10-24 | WordPress Mega Elements – Addons for Elementor plugin <= 1.2.6 - Cross Site Scripting (XSS) vulnerability |
| CVE-2024-45031 | 2024-10-24 | Apache Syncope: Stored XSS in Console and Enduser |
| CVE-2024-9692 | 2024-10-24 | Improper Access Control in Input in VIMESA VHF/FM Transmitter Blue Plus |
| CVE-2024-10335 | 2024-10-24 | SourceCodester Garbage Collection Management System login.php sql injection |
| CVE-2024-10336 | 2024-10-24 | SourceCodeHero Clothes Recommendation System Admin Login Page index.php sql injection |
| CVE-2024-44185 | 2024-10-24 | The issue was addressed with improved checks. This issue is fixed in tvOS 17.6, visionOS 1.3, Safari 17.6, watchOS 10.6, iOS 17.6 and iPadOS 17.6, macOS Sonoma 14.6. Processing maliciously... |
| CVE-2024-40810 | 2024-10-24 | An out-of-bounds write issue was addressed with improved input validation. This issue is fixed in macOS Sonoma 14.6. An app may be able to cause a coprocessor crash. |
| CVE-2024-44141 | 2024-10-24 | The issue was addressed with improved checks. This issue is fixed in macOS Sonoma 14.6. A person with physical access to an unlocked Mac may be able to gain root... |
| CVE-2024-44205 | 2024-10-24 | A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Ventura 13.6.8, macOS Monterey 12.7.6, iOS 16.7.9 and iPadOS 16.7.9, iOS... |
| CVE-2024-44206 | 2024-10-24 | An issue in the handling of URL protocols was addressed with improved logic. This issue is fixed in tvOS 17.6, visionOS 1.3, Safari 17.6, watchOS 10.6, iOS 17.6 and iPadOS... |
| CVE-2024-38314 | 2024-10-24 | IBM Maximo Application Suite - Monitor Component information disclosure |
| CVE-2024-10313 | 2024-10-24 | iniNet Solutions SpiderControl SCADA PC HMI Editor Path Traversal |
| CVE-2024-10295 | 2024-10-24 | Gateway: apicast basic auth bypass via malformed base64 headers. Sending non-base64 'basic' auth with special characters causes apicast to incorrectly authenticate a request |
| CVE-2024-10337 | 2024-10-24 | SourceCodeHero Clothes Recommendation System home.php sql injection |
| CVE-2024-10338 | 2024-10-24 | SourceCodeHero Clothes Recommendation System home.php sql injection |
| CVE-2024-46994 | 2024-10-24 | baserCMS has Cross-site Scripting Vulnerability in Blog posts and Contents list Feature |
| CVE-2024-46995 | 2024-10-24 | baserCMS has Cross-site Scripting Vulnerability in HTTP 400 Bad Request |
| CVE-2024-46996 | 2024-10-24 | baserCMS has a Cross-site Scripting (XSS) Vulnerability in Blog posts Feature |
| CVE-2024-46998 | 2024-10-24 | baserCMS has a Cross-site Scripting (XSS) Vulnerability in Edit Email Form Settings Feature |
| CVE-2024-47173 | 2024-10-24 | Aimeos GraphQL API admin interface denial of service vulnerability in SaaS and marketplace setups |
| CVE-2024-47878 | 2024-10-24 | Reflected cross-site scripting vulnerability (XSS) in GData extension (authorized.vt) |
| CVE-2024-7763 | 2024-10-24 | WhatsUp Gold getReport Missing Authentication Authentication Bypass Vulnerability |
| CVE-2024-47879 | 2024-10-24 | OpenRefine's PreviewExpressionCommand, which is eval, lacks protection against cross-site request forgery (CSRF) |
| CVE-2024-10327 | 2024-10-24 | A vulnerability in Okta Verify for iOS versions 9.25.1 (beta) and 9.27.0 (including beta) allows push notification responses through the iOS ContextExtension feature allowing the authentication to proceed regardless of... |
| CVE-2024-47880 | 2024-10-24 | OpenRefine has a reflected cross-site scripting vulnerability from POST request in ExportRowsCommand |
| CVE-2024-47881 | 2024-10-24 | OpenRefine's SQLite integration allows filesystem access, remote code execution (RCE) |
| CVE-2024-47882 | 2024-10-24 | OpenRefine's error page lacks escaping, leading to potential Cross-site Scripting on import of malicious project |
| CVE-2024-47883 | 2024-10-24 | Butterfly has path/URL confusion in resource handling leading to multiple weaknesses |
| CVE-2024-48931 | 2024-10-24 | ZimaOS Arbitrary File Read via Parameter Manipulation |
| CVE-2024-48932 | 2024-10-24 | ZimaOS Unauthenticated API Discloses Usernames |
| CVE-2024-49357 | 2024-10-24 | ZimaOS (Installed Applications and System Information) has Unauthorized Sensitive Data Leak |
| CVE-2024-49358 | 2024-10-24 | ZimaOS vulnerable to Username Enumeration via API Responses |
| CVE-2024-49359 | 2024-10-24 | ZimaOS vulnerable to Directory Listing via Parameter Manipulation |
| CVE-2024-49760 | 2024-10-24 | OpenRefine has a path traversal in LoadLanguageCommand |
| CVE-2024-49762 | 2024-10-24 | Pterodactyl Panel has plain-text logging of user passwords when two-factor authentication is disabled |
| CVE-2024-10348 | 2024-10-24 | SourceCodester Best House Rental Management System Manage Tenant Details index.php cross site scripting |
| CVE-2024-10349 | 2024-10-24 | SourceCodester Best House Rental Management System ajax.php delete_tenant sql injection |
| CVE-2024-49750 | 2024-10-24 | Snowflake Connector for Python has sensitive data in logs |
| CVE-2024-10350 | 2024-10-24 | code-projects Hospital Management System add-doctor.php sql injection |
| CVE-2024-10351 | 2024-10-24 | Tenda RX9 Pro POST Request setMacFilterCfg sub_424CE0 stack-based overflow |
| CVE-2024-10353 | 2024-10-24 | SourceCodester Online Exam System admin-dashboard access control |
| CVE-2022-30355 | 2024-10-25 | OvalEdge 5.2.8.0 and earlier is affected by an Account Takeover vulnerability via a POST request to /profile/updateProfile via the userId and email parameters. Authentication is required. |
| CVE-2022-30356 | 2024-10-25 | OvalEdge 5.2.8.0 and earlier is affected by a Privilege Escalation vulnerability via a POST request to /user/assignuserrole via the userid and role parameters. Authentication is required with OE_ADMIN role... |
| CVE-2022-30357 | 2024-10-25 | OvalEdge 5.2.8.0 and earlier is affected by an Account Takeover vulnerability via a POST request to /profile/updateProfile via the userId and email parameters. Authentication is required. |
| CVE-2022-30358 | 2024-10-25 | OvalEdge 5.2.8.0 and earlier is affected by an Account Takeover vulnerability via a POST request to /user/updatePassword via the userId and newPsw parameters. Authentication is required. |
| CVE-2022-30359 | 2024-10-25 | OvalEdge 5.2.8.0 and earlier is affected by a Sensitive Data Exposure vulnerability via a GET request to /user/getUserList. Authentication is required. The information disclosed is associated with all registered... |
| CVE-2022-30360 | 2024-10-25 | OvalEdge 5.2.8.0 and earlier is affected by multiple Stored XSS (AKA Persistent or Type II) vulnerabilities via a POST request to /profile/updateProfile via the slackid or phone parameters. Authentication is... |
| CVE-2022-30361 | 2024-10-25 | OvalEdge 5.2.8.0 and earlier is affected by a Sensitive Data Exposure vulnerability via a GET request to /user/getUserType. No authentication is required. The information disclosed is associated with the registered... |
| CVE-2023-26248 | 2024-10-25 | The Kademlia DHT (go-libp2p-kad-dht 0.20.0 and earlier) used in IPFS (0.18.1 and earlier) assigns routing information for content (i.e., information about who holds the content) to be stored by peers... |
| CVE-2024-37844 | 2024-10-25 | A stored cross-site scripting (XSS) vulnerability in MangoOS before 5.2.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. |
| CVE-2024-37845 | 2024-10-25 | MangoOS before 5.2.0 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the Active Process Command feature. |
| CVE-2024-37846 | 2024-10-25 | MangoOS before 5.2.0 was discovered to contain a Client-Side Template Injection (CSTI) vulnerability via the Platform Management Edit page. |