CVE List - 2024 / October
Showing 2801 - 2900 of 3570 CVEs for October 2024 (Page 29 of 36)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2024-37847 | 2024-10-25 | An arbitrary file upload vulnerability in MangoOS before 5.1.4 and Mango API before 4.5.5 allows attackers to execute arbitrary code via a crafted file. |
| CVE-2024-48204 | 2024-10-25 | SQL injection vulnerability in Hanzhou Haobo network management system 1.0 allows a remote attacker to execute arbitrary code via a crafted script. |
| CVE-2024-48218 | 2024-10-25 | Funadmin v5.0.2 has a SQL injection vulnerability in /curd/table/list. |
| CVE-2024-48222 | 2024-10-25 | Funadmin v5.0.2 has a SQL injection vulnerability in /curd/table/edit. |
| CVE-2024-48223 | 2024-10-25 | Funadmin v5.0.2 has a SQL injection vulnerability in /curd/table/fieldlist. |
| CVE-2024-48224 | 2024-10-25 | Funadmin v5.0.2 has an arbitrary file read vulnerability in /curd/index/editfile. |
| CVE-2024-48225 | 2024-10-25 | Funadmin v5.0.2 has an arbitrary file deletion vulnerability in /curd/index/delfile. |
| CVE-2024-48226 | 2024-10-25 | Funadmin 5.0.2 is vulnerable to SQL Injection in curd/table/savefield. |
| CVE-2024-48227 | 2024-10-25 | Funadmin 5.0.2 has a logical flaw in the Curd one click command deletion function, which can result in a Denial of Service (DOS). |
| CVE-2024-48228 | 2024-10-25 | An issue was found in funadmin 5.0.2. The selectfiles method in \backend\controller\sys\Attachh.php directly stores the passed parameters and values into the param parameter without filtering, resulting in Cross Site Scripting... |
| CVE-2024-48229 | 2024-10-25 | funadmin 5.0.2 has a SQL injection vulnerability in the Curd one click command mode plugin. |
| CVE-2024-48230 | 2024-10-25 | funadmin 5.0.2 is vulnerable to SQL Injection via the parentField parameter in the index method of \backend\controller\auth\Auth.php. |
| CVE-2024-48232 | 2024-10-25 | An issue was found in mipjz 5.0.5. In the mipPost method of \app\setting\controller\ApiAdminTool.php, the value of the postAddress parameter is not processed and is directly passed into curl_exec execution and... |
| CVE-2024-48233 | 2024-10-25 | mipjz 5.0.5 is vulnerable to Cross Site Scripting (XSS) in \app\setting\controller\ApiAdminSetting.php via the ICP parameter. |
| CVE-2024-48234 | 2024-10-25 | An issue was discovered in mipjz 5.0.5. In the push method of app\tag\controller\ApiAdminTag.php the value of the postAddress parameter is not processed and is directly passed into curl_exec execution and... |
| CVE-2024-48235 | 2024-10-25 | An issue in ofcms 1.1.2 allows a remote attacker to execute arbitrary code via the save method of the TemplateController.java file. |
| CVE-2024-48236 | 2024-10-25 | An issue in ofcms 1.1.2 allows a remote attacker to execute arbitrary code via the FileOutputStream function in the write String method of the ofcms-admin\src\main\java\com\ofsoft\cms\core\uitle\FileUtils.java file. |
| CVE-2024-48237 | 2024-10-25 | WTCMS 1.0 is vulnerable to Incorrect Access Control in \Common\Controller\HomebaseController.class.php. |
| CVE-2024-48238 | 2024-10-25 | WTCMS 1.0 is vulnerable to SQL Injection in the edit_post method of /Admin\Controller\NavControl.class.php via the parentid parameter. |
| CVE-2024-48239 | 2024-10-25 | An issue was discovered in WTCMS 1.0. In the plupload method in \AssetController.class.php, the app parameters aren't processed, resulting in Cross Site Scripting (XSS). |
| CVE-2024-48343 | 2024-10-25 | A SQL Injection vulnerability in ESAFENET CDG 5 and earlier allows an attacker to execute arbitrary code via the id parameter of the dataSearch.jsp page. |
| CVE-2024-48396 | 2024-10-25 | AIML Chatbot 1.0 (fixed in 2.0) is vulnerable to Cross Site Scripting (XSS). The vulnerability is exploited through the message input field, where attackers can inject malicious HTML or JavaScript... |
| CVE-2024-48448 | 2024-10-25 | An arbitrary file upload vulnerability in Huly Platform v0.6.295 allows attackers to execute arbitrary code via uploading a crafted HTML file into the tracker comments page. |
| CVE-2024-48450 | 2024-10-25 | An arbitrary file upload vulnerability in Huly Platform v0.6.295 allows attackers to execute arbitrary code via uploading a crafted HTML file into chat group. |
| CVE-2024-48459 | 2024-10-25 | A command execution vulnerability exists in the AX2 Pro home router produced by Shenzhen Tenda Technology Co., Ltd. (Jixiang Tenda) v.DI_7003G-19.12.24A1V16.03.29.50;V16.03.29.50;V16.03.29.50. An attacker can exploit this vulnerability by constructing a... |
| CVE-2024-48579 | 2024-10-25 | SQL Injection vulnerability in Best House rental management system project in php v.1.0 allows a remote attacker to execute arbitrary code via the username parameter of the login request. |
| CVE-2024-48580 | 2024-10-25 | SQL Injection vulnerability in Best courier management system in php v.1.0 allows a remote attacker to execute arbitrary code via the email parameter of the login request. |
| CVE-2024-48581 | 2024-10-25 | File Upload vulnerability in Best courier management system in php v.1.0 allows a remote attacker to execute arbitrary code via the admin_class.php component. |
| CVE-2024-48654 | 2024-10-25 | Cross Site Scripting vulnerability in Blood Bank v.1 allows a remote attacker to execute arbitrary code via a crafted script to the login.php component. |
| CVE-2024-48655 | 2024-10-25 | An issue in Total.js CMS v.1.0 allows a remote attacker to execute arbitrary code via the func.js file. |
| CVE-2024-48700 | 2024-10-25 | Kliqqi-CMS has a background arbitrary code execution vulnerability that attackers can exploit to implant backdoors or getShell via the edit_page.php component. |
| CVE-2024-48743 | 2024-10-25 | Cross Site Scripting vulnerability in Sentry v.6.0.9 allows a remote attacker to execute arbitrary code via the z parameter. |
| CVE-2022-30354 | 2024-10-25 | OvalEdge 5.2.8.0 and earlier is affected by a Sensitive Data Exposure vulnerability via a GET request to /user/getUserWithTeam. Authentication is required. The information disclosed is associated with all registered user... |
| CVE-2024-48428 | 2024-10-25 | An issue in Olive VLE allows an attacker to obtain sensitive information via the reset password function. |
| CVE-2024-10354 | 2024-10-25 | SourceCodester Petrol Pump Management Software print.php sql injection |
| CVE-2024-10355 | 2024-10-25 | SourceCodester Petrol Pump Management Software invoice.php sql injection |
| CVE-2024-10368 | 2024-10-25 | Codezips Sales Management System addstock.php sql injection |
| CVE-2024-10369 | 2024-10-25 | Codezips Sales Management System addcustcom.php sql injection |
| CVE-2024-10370 | 2024-10-25 | Codezips Sales Management System addcustind.php sql injection |
| CVE-2024-10371 | 2024-10-25 | SourceCodester Payroll Management System main login buffer overflow |
| CVE-2024-10372 | 2024-10-25 | chidiwilliams buzz model_loader.py download_model temp file |
| CVE-2024-9686 | 2024-10-25 | Order Notification for Telegram <= 1.0.1 - Missing Authorization to Unauthenticated Send Telegram Test Message |
| CVE-2024-9109 | 2024-10-25 | UPS Live Rates and Access Points <= 2.3.11 - Missing Authorization to Plugin API key reset |
| CVE-2024-9488 | 2024-10-25 | Comments – wpDiscuz <= 7.6.24 - Authentication Bypass via WordPress.com OAuth provider |
| CVE-2024-42420 | 2024-10-25 | Sharp and Toshiba Tec MFPs contain multiple Out-of-bounds Read vulnerabilities, due to improper processing of keyword search input and improper processing of SOAP messages. Crafted HTTP requests may cause affected... |
| CVE-2024-43424 | 2024-10-25 | Sharp and Toshiba Tec MFPs improperly process HTTP request headers, resulting in an Out-of-bounds Read vulnerability. Crafted HTTP requests may cause affected products to crash. |
| CVE-2024-45829 | 2024-10-25 | Sharp and Toshiba Tec MFPs provide a web page to download data, where query parameters in HTTP requests are improperly processed, resulting in an Out-of-bounds Read vulnerability. Crafted HTTP... |
| CVE-2024-45842 | 2024-10-25 | Sharp and Toshiba Tec MFPs improperly process URI data in HTTP PUT requests resulting in a path Traversal vulnerability. Unintended internal files may be retrieved when processing crafted HTTP requests. |
| CVE-2024-47005 | 2024-10-25 | Sharp and Toshiba Tec MFPs provide configuration-related APIs. They are expected to be called by administrative users only, but are insufficiently restricted. A non-administrative user may execute some configuration APIs. |
| CVE-2024-47406 | 2024-10-25 | Sharp and Toshiba Tec MFPs improperly process HTTP authentication requests, resulting in an authentication bypass vulnerability. |
| CVE-2024-47549 | 2024-10-25 | Sharp and Toshiba Tec MFPs improperly process query parameters in HTTP requests, which may allow contamination of unintended data to HTTP response headers. Accessing a crafted URL which points to... |
| CVE-2024-47801 | 2024-10-25 | Sharp and Toshiba Tec MFPs improperly process query parameters in HTTP requests, resulting in a reflected cross-site scripting vulnerability. Accessing a crafted URL which points to an affected product may... |
| CVE-2024-48870 | 2024-10-25 | Sharp and Toshiba Tec MFPs improperly validate input data in URI data registration, resulting in a stored cross-site scripting vulnerability. If crafted input is stored by an administrative user, malicious... |
| CVE-2024-9302 | 2024-10-25 | App Builder – Create Native Android & iOS Apps On The Flight <= 5.3.7 - Privilege Escalation and Account Takeover via Weak OTP |
| CVE-2024-10011 | 2024-10-25 | BuddyPress <= 14.1.0 - Authenticated (Subscriber+) Directory Traversal |
| CVE-2024-10148 | 2024-10-25 | Awesome buttons <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via btn2 Shortcode |
| CVE-2024-9235 | 2024-10-25 | Mapster WP Maps <= 1.5.0 - Incorrect Authorization to Authenticated (Contributor+) Arbitrary Options Update |
| CVE-2024-9607 | 2024-10-25 | 10Web Social Post Feed <= 1.2.9 - Reflected Cross-Site Scripting |
| CVE-2024-50583 | 2024-10-25 | Whale browser Installer before 3.1.0.0 allows an attacker to execute a malicious DLL in the user environment due to improper permission settings. |
| CVE-2024-10341 | 2024-10-25 | League of Legends Shortcodes <= 1.0.1 - Authenticated (Contributor+) SQL Injection via Shortcode |
| CVE-2024-10342 | 2024-10-25 | League of Legends Shortcodes <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode |
| CVE-2024-10150 | 2024-10-25 | Bamazoo – Button Generator <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via dgs Shortcode |
| CVE-2024-9598 | 2024-10-25 | AMP for WP – Accelerated Mobile Pages <= 1.0.99.1 - Cross-Site Request Forgery to Privilege Escalation |
| CVE-2024-9630 | 2024-10-25 | WPS Telegram Chat <= 4.5.4 - Missing Authorization to Information Exposure |
| CVE-2024-9628 | 2024-10-25 | WPS Telegram Chat <= 4.5.4 - Authenticated (Subscriber+) Unauthorized Access to Telegram Bot API |
| CVE-2024-45785 | 2024-10-25 | MUSASI version 3 contains an issue with use of client-side authentication. If this vulnerability is exploited, other users' credentials and sensitive information may be retrieved. |
| CVE-2024-47158 | 2024-10-25 | N-LINE 2.0.6 and prior versions contain a code injection vulnerability. If this vulnerability is exploited, arbitrary code may be executed on the instructor's browser, or the instructor may be directed... |
| CVE-2024-10016 | 2024-10-25 | File Upload Types by WPForms <= 1.4.0 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload |
| CVE-2024-10343 | 2024-10-25 | Beek Widget Extention <= 0.9.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode |
| CVE-2024-10112 | 2024-10-25 | Simple News <= 2.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via news Shortcode |
| CVE-2024-8666 | 2024-10-25 | Shoutcast Icecast HTML5 Radio Player <= 2.1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2024-44098 | 2024-10-25 | In lwis_device_event_states_clear_locked of lwis_event.c, there is a possible privilege escalation due to a double free. This could lead to local escalation of privilege with no additional execution privileges needed. User... |
| CVE-2024-44099 | 2024-10-25 | There is a possible Local bypass of user interaction due to an insecure default value. This could lead to local information disclosure with no additional execution privileges needed. User interaction... |
| CVE-2024-44100 | 2024-10-25 | Android before 2024-10-05 on Google Pixel devices allows information disclosure in the modem component, A-299774545. |
| CVE-2024-44101 | 2024-10-25 | There is a possible Null Pointer Dereference (modem crash) due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. User interaction... |
| CVE-2024-47012 | 2024-10-25 | In mm_GetMobileIdIndexForNsUpdate of mm_GmmPduCodec.c, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution... |
| CVE-2024-47013 | 2024-10-25 | In pmucal_rae_handle_seq_int of flexpmu_cal_rae.c, there is a possible arbitrary write due to uninitialized data. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction... |
| CVE-2024-47014 | 2024-10-25 | Android before 2024-10-05 on Google Pixel devices allows privilege escalation in the ABL component, A-330537292. |
| CVE-2024-47015 | 2024-10-25 | In ProtocolMiscHwConfigChangeAdapter::GetData() of protocolmiscadapter.cpp, there is a possible out-of-bounds read due to a missing bounds check. This could lead to local information disclosure with baseband firmware compromise required. User Interaction... |
| CVE-2024-47016 | 2024-10-25 | There is a possible privilege escalation due to an insecure default value. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not... |
| CVE-2024-47017 | 2024-10-25 | In ufshc_scsi_cmd of ufs.c, there is a possible stack variable use after free due to a use after free. This could lead to local escalation of privilege with no additional... |
| CVE-2024-47018 | 2024-10-25 | In pmucal_rae_handle_seq_int of flexpmu_cal_rae.c, there is a possible out of bounds read due to a buffer overflow. This could lead to local information disclosure with no additional execution privileges needed.... |
| CVE-2024-47019 | 2024-10-25 | In ProtocolEmbmsSaiListAdapter::Init() of protocolembmsadapter.cpp, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with baseband firmware compromise required.... |
| CVE-2024-47020 | 2024-10-25 | Android before 2024-10-05 on Google Pixel devices allows information disclosure in the ABL component, A-331966488. |
| CVE-2024-47021 | 2024-10-25 | In sms_ExtractCbLanguage of sms_CellBroadcast.c, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges... |
| CVE-2024-47022 | 2024-10-25 | Android before 2024-10-05 on Google Pixel devices allows information disclosure in the ACPM component, A-331255656. |
| CVE-2024-47023 | 2024-10-25 | There is a possible man-in-the-middle attack due to a logic error in the code. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction... |
| CVE-2024-47024 | 2024-10-25 | In vring_size of external/headers/include/virtio/virtio_ring.h, there is a possible out of bounds write due to an integer overflow. This could lead to local escalation of privilege with no additional execution privileges... |
| CVE-2024-47025 | 2024-10-25 | In ppmp_protect_buf of drm_fw.c, there is a possible information disclosure due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges... |
| CVE-2024-47026 | 2024-10-25 | In gsc_gsa_rescue of gsc_gsa.c, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local information disclosure with no additional execution privileges... |
| CVE-2024-47027 | 2024-10-25 | In sm_mem_compat_get_vmm_obj of lib/sm/shared_mem.c, there is a possible arbitrary physical memory access due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges... |
| CVE-2024-47028 | 2024-10-25 | In ffu_flash_pack of ffu.c, there is a possible out of bounds read due to an integer overflow. This could lead to local information disclosure with System execution privileges needed. User... |
| CVE-2024-47029 | 2024-10-25 | In TrustySharedMemoryManager::GetSharedMemory of ondevice/trusty/trusty_shared_memory_manager.cc, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local information disclosure with no additional execution privileges... |
| CVE-2024-47030 | 2024-10-25 | Android before 2024-10-05 on Google Pixel devices allows information disclosure in the ACPM component, A-315191818. |
| CVE-2024-47031 | 2024-10-25 | Android before 2024-10-05 on Google Pixel devices allows privilege escalation in the ABL component, A-329163861. |
| CVE-2024-47033 | 2024-10-25 | In lwis_allocator_free of lwis_allocator.c, there is a possible memory corruption due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed.... |
| CVE-2024-47034 | 2024-10-25 | There is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is... |
| CVE-2024-47035 | 2024-10-25 | In vring_init of external/headers/include/virtio/virtio_ring.h, there is a possible out of bounds write due to a logic error in the code. This could lead to local escalation of privilege with no... |
| CVE-2024-47041 | 2024-10-25 | In valid_address of syscall.c, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution... |
| CVE-2024-47481 | 2024-10-25 | Dell Data Lakehouse, version(s) 1.0.0.0, 1.1.0., contain(s) an Improper Access Control vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to Denial of service. |