CVE List - 2024 / November
Showing 1601 - 1700 of 4054 CVEs for November 2024 (Page 17 of 41)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2024-47430 | 2024-11-12 | Substance3D - Painter \| Out-of-bounds Write (CWE-787) |
| CVE-2024-47428 | 2024-11-12 | Substance3D - Painter \| Out-of-bounds Write (CWE-787) |
| CVE-2024-47431 | 2024-11-12 | Substance3D - Painter \| Heap-based Buffer Overflow (CWE-122) |
| CVE-2024-47429 | 2024-11-12 | Substance3D - Painter \| Out-of-bounds Write (CWE-787) |
| CVE-2024-49520 | 2024-11-12 | Substance3D - Painter \| Out-of-bounds Write (CWE-787) |
| CVE-2024-49518 | 2024-11-12 | Substance3D - Painter \| Out-of-bounds Write (CWE-787) |
| CVE-2024-47436 | 2024-11-12 | Substance3D - Painter \| Out-of-bounds Read (CWE-125) |
| CVE-2024-49515 | 2024-11-12 | Substance3D - Painter \| Untrusted Search Path (CWE-426) |
| CVE-2024-47437 | 2024-11-12 | Substance3D - Painter \| Out-of-bounds Read (CWE-125) |
| CVE-2024-47427 | 2024-11-12 | Substance3D - Painter \| Out-of-bounds Write (CWE-787) |
| CVE-2024-49525 | 2024-11-12 | Substance3D - Painter \| Heap-based Buffer Overflow (CWE-122) |
| CVE-2024-11110 | 2024-11-12 | Inappropriate implementation in Extensions in Google Chrome prior to 131.0.6778.69 allowed a remote attacker to bypass site isolation via a crafted Chrome Extension. (Chromium security severity: High) |
| CVE-2024-11111 | 2024-11-12 | Inappropriate implementation in Autofill in Google Chrome prior to 131.0.6778.69 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a... |
| CVE-2024-11112 | 2024-11-12 | Use after free in Media in Google Chrome on Windows prior to 131.0.6778.69 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity:... |
| CVE-2024-11113 | 2024-11-12 | Use after free in Accessibility in Google Chrome prior to 131.0.6778.69 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML... |
| CVE-2024-11114 | 2024-11-12 | Inappropriate implementation in Views in Google Chrome on Windows prior to 131.0.6778.69 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a... |
| CVE-2024-11115 | 2024-11-12 | Insufficient policy enforcement in Navigation in Google Chrome on iOS prior to 131.0.6778.69 allowed a remote attacker to perform privilege escalation via a series of UI gestures. (Chromium security severity:... |
| CVE-2024-11116 | 2024-11-12 | Inappropriate implementation in Blink in Google Chrome prior to 131.0.6778.69 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a... |
| CVE-2024-11117 | 2024-11-12 | Inappropriate implementation in FileSystem in Google Chrome prior to 131.0.6778.69 allowed a remote attacker to bypass filesystem restrictions via a crafted HTML page. (Chromium security severity: Low) |
| CVE-2024-49508 | 2024-11-12 | InDesign Desktop \| Heap-based Buffer Overflow (CWE-122) |
| CVE-2024-49507 | 2024-11-12 | InDesign Desktop \| Heap-based Buffer Overflow (CWE-122) |
| CVE-2024-49511 | 2024-11-12 | InDesign Desktop \| Out-of-bounds Read (CWE-125) |
| CVE-2024-49509 | 2024-11-12 | InDesign Desktop \| Heap-based Buffer Overflow (CWE-122) |
| CVE-2024-49512 | 2024-11-12 | InDesign Desktop \| Out-of-bounds Read (CWE-125) |
| CVE-2024-49510 | 2024-11-12 | InDesign Desktop \| Out-of-bounds Read (CWE-125) |
| CVE-2024-11168 | 2024-11-12 | Improper validation of IPv6 and IPvFuture addresses |
| CVE-2023-38920 | 2024-11-13 | Cross Site Scripting vulnerability in Cyber Cafe Management System v.1.0 allows a local attacker to execute arbitrary code via a crafted script to the adminname parameter. |
| CVE-2024-40404 | 2024-11-13 | Cybele Software Thinfinity Workspace before v7.0.2.113 was discovered to contain an access control issue in the API endpoint where Web Sockets connections are established. |
| CVE-2024-40405 | 2024-11-13 | Incorrect access control in Cybele Software Thinfinity Workspace before v7.0.3.109 allows attackers to gain access to a secondary broker via a crafted request. |
| CVE-2024-40407 | 2024-11-13 | A full path disclosure in Cybele Software Thinfinity Workspace before v7.0.2.113 allows attackers to obtain the root path of the application via unspecified vectors. |
| CVE-2024-40408 | 2024-11-13 | Cybele Software Thinfinity Workspace before v7.0.2.113 was discovered to contain an access control issue in the Create Profile section. This vulnerability allows attackers to create arbitrary user profiles with elevated... |
| CVE-2024-40410 | 2024-11-13 | Cybele Software Thinfinity Workspace before v7.0.2.113 was discovered to contain a hardcoded cryptographic key used for encryption. |
| CVE-2024-42834 | 2024-11-13 | A stored cross-site scripting (XSS) vulnerability in the Create Customer API in Incognito Service Activation Center (SAC) UI v14.11 allows authenticated attackers to execute arbitrary web scripts or HTML via... |
| CVE-2024-45875 | 2024-11-13 | The create user function in baltic-it TOPqw Webportal 1.35.287.1 (fixed in version 1.35.291), in /Apps/TOPqw/BenutzerManagement.aspx/SaveNewUser, is vulnerable to SQL injection. The JSON object username allows the manipulation of SQL queries. |
| CVE-2024-45876 | 2024-11-13 | The login form of baltic-it TOPqw Webportal v1.35.283.2 (fixed in version 1.35.283.4) at /Apps/TOPqw/Login.aspx is vulnerable to SQL injection. The vulnerability exists in the POST parameter txtUsername, which allows for... |
| CVE-2024-45877 | 2024-11-13 | baltic-it TOPqw Webportal v1.35.283.2 is vulnerable to Incorrect Access Control in the User Management function in /Apps/TOPqw/BenutzerManagement.aspx. This allows a low privileged user to access all modules in the web... |
| CVE-2024-45878 | 2024-11-13 | The "Stammdaten" menu of baltic-it TOPqw Webportal v1.35.283.2 (fixed in version 1.35.291), in /Apps/TOPqw/qwStammdaten.aspx, is vulnerable to persistent Cross-Site Scripting (XSS). |
| CVE-2024-45879 | 2024-11-13 | The file upload function in the "QWKalkulation" tool of baltic-it TOPqw Webportal v1.35.287.1 (fixed in version 1.35.291), in /Apps/TOPqw/QWKalkulation/QWKalkulation.aspx, is vulnerable to Cross-Site Scripting (XSS). To exploit the persistent XSS... |
| CVE-2024-48510 | 2024-11-13 | Directory Traversal vulnerability in DotNetZip v.1.16.0 and before allows a remote attacker to execute arbitrary code via the src/Zip.Shared/ZipEntry.Extract.cs component. NOTE: This vulnerability only affects products that are no longer... |
| CVE-2024-50852 | 2024-11-13 | Tenda G3 v3.0 v15.11.0.20 was discovered to contain a command injection vulnerability via the formSetUSBPartitionUmount function. |
| CVE-2024-50853 | 2024-11-13 | Tenda G3 v3.0 v15.11.0.20 was discovered to contain a command injection vulnerability via the formSetDebugCfg function. |
| CVE-2024-50956 | 2024-11-13 | A buffer overflow in the RecvSocketData function of Inovance HCPLC_AM401-CPU1608TPTN 21.38.0.0, HCPLC_AM402-CPU1608TPTN 41.38.0.0, and HCPLC_AM403-CPU1608TN 81.38.0.0 allows attackers to cause a Denial of Service (DoS) or execute arbitrary code via... |
| CVE-2024-50969 | 2024-11-13 | A Reflected cross-site scripting (XSS) vulnerability in browse.php of Code-projects Jonnys Liquor 1.0 allows remote attackers to inject arbitrary web scripts or HTML via the search parameter. |
| CVE-2024-50970 | 2024-11-13 | A SQL injection vulnerability in orderview1.php of Itsourcecode Online Furniture Shopping Project 1.0 allows remote attackers to execute arbitrary SQL commands via the id parameter. |
| CVE-2024-50971 | 2024-11-13 | A SQL injection vulnerability in print.php of Itsourcecode Construction Management System 1.0 allows remote attackers to execute arbitrary SQL commands via the map_id parameter. |
| CVE-2024-50972 | 2024-11-13 | A SQL injection vulnerability in printtool.php of Itsourcecode Construction Management System 1.0 allows remote attackers to execute arbitrary SQL commands via the borrow_id parameter. |
| CVE-2024-51027 | 2024-11-13 | Ruijie NBR800G gateway NBR_RGOS_11.1(6)B4P9 is vulnerable to command execution in /itbox_pi/networksafe.php via the province parameter. |
| CVE-2024-40443 | 2024-11-13 | SQL Injection vulnerability in Simple Laboratory Management System using PHP and MySQL v.1.0 allows a remote attacker to cause a denial of service via the delete_users function in the Useres.php |
| CVE-2024-50854 | 2024-11-13 | Tenda G3 v3.0 v15.11.0.20 was discovered to contain a stack overflow via the formSetPortMapping function. |
| CVE-2024-50955 | 2024-11-13 | An issue in how XINJE XD5E-24R and XL5E-16T v3.5.3b handles TCP protocol messages allows attackers to cause a Denial of Service (DoS) via a crafted TCP message. |
| CVE-2024-37376 | 2024-11-13 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
| CVE-2024-39710 | 2024-11-13 | Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.7 and Ivanti Policy Secure before version 22.7R1.1 allows a remote authenticated attacker with admin privileges to achieve remote code... |
| CVE-2024-32841 | 2024-11-13 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
| CVE-2024-34782 | 2024-11-13 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
| CVE-2024-37398 | 2024-11-13 | Insufficient validation in Ivanti Secure Access Client before 22.7R4 allows a local authenticated attacker to escalate their privileges. |
| CVE-2024-32847 | 2024-11-13 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
| CVE-2024-34787 | 2024-11-13 | Path traversal in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a local unauthenticated attacker to achieve code execution. User interaction is required. |
| CVE-2024-32844 | 2024-11-13 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
| CVE-2024-38656 | 2024-11-13 | Argument injection in Ivanti Connect Secure before version 22.7R2.2 and 9.1R18.9 and Ivanti Policy Secure before version 22.7R1.2 allows a remote authenticated attacker with admin privileges to achieve remote code... |
| CVE-2024-39709 | 2024-11-13 | Incorrect file permissions in Ivanti Connect Secure before version 22.6R2 (Not Applicable to 9.1Rx) and Ivanti Policy Secure before version 22.7R1 (Not Applicable to 9.1Rx) allow a local authenticated attacker... |
| CVE-2024-39711 | 2024-11-13 | Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.7 and Ivanti Policy Secure before version 22.7R1.1 allows a remote authenticated attacker with admin privileges to achieve remote code... |
| CVE-2024-38649 | 2024-11-13 | An out-of-bounds write in IPsec of Ivanti Connect Secure before version 22.7R2.1(Not Applicable to 9.1Rx) allows a remote unauthenticated attacker to cause a denial of service. |
| CVE-2024-38654 | 2024-11-13 | Improper bounds checking in Ivanti Secure Access Client before version 22.7R3 allows a local authenticated attacker with admin privileges to cause a denial of service. |
| CVE-2024-32839 | 2024-11-13 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
| CVE-2024-37400 | 2024-11-13 | An out of bounds read in Ivanti Connect Secure before version 22.7R2.3 allows a remote unauthenticated attacker to trigger an infinite loop, causing a denial of service. |
| CVE-2024-34781 | 2024-11-13 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
| CVE-2024-39712 | 2024-11-13 | Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.7 and Ivanti Policy Secure before version 22.7R1.1 allows a remote authenticated attacker with admin privileges to achieve remote code... |
| CVE-2024-29211 | 2024-11-13 | A race condition in Ivanti Secure Access Client before version 22.7R4 allows a local authenticated attacker to modify sensitive configuration files. |
| CVE-2024-34780 | 2024-11-13 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
| CVE-2024-34784 | 2024-11-13 | SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. |
| CVE-2024-38655 | 2024-11-13 | Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.9 and Ivanti Policy Secure before version 22.7R1.1 and 9.1R18.9 allows a remote authenticated attacker with admin privileges to achieve... |
| CVE-2024-10778 | 2024-11-13 | BuddyPress Builder for Elementor – BuddyBuilder <= 1.7.4 - Authenticated (Contributor+) Post Disclosure |
| CVE-2024-10852 | 2024-11-13 | Buy one click WooCommerce <= 2.2.9 - Missing Authorization to Authenticated (Subscriber+) Settings Export |
| CVE-2024-9578 | 2024-11-13 | Hide Links <= 1.4.2 - Unauthenticated Shortcode Execution |
| CVE-2024-8985 | 2024-11-13 | Social Proof (Testimonials) Slider <= 2.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via spslider-block Shortcode |
| CVE-2024-10851 | 2024-11-13 | Razorpay Payment Button <= 2.4.6 - Reflected Cross-Site Scripting |
| CVE-2024-10887 | 2024-11-13 | NiceJob <= 3.6.5 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2024-10577 | 2024-11-13 | Fat Rat Collect <= 2.7.3 - Reflected Cross-Site Scripting |
| CVE-2024-9614 | 2024-11-13 | Constant Contact Forms by MailMunch <= 2.1.2 - Reflected Cross-Site Scripting |
| CVE-2024-10850 | 2024-11-13 | Razorpay Payment Button for Elementor <= 1.2.5 - Reflected Cross-Site Scripting |
| CVE-2024-10038 | 2024-11-13 | WP-Strava <= 2.12.1 - Authenticated (Administrator+) Stored Cross-Site Scripting |
| CVE-2024-10717 | 2024-11-13 | Styler for Ninja Forms <= 3.3.4 - Authenticated (Subscriber+) Arbitrary Option Deletion via deactivate_license |
| CVE-2024-10853 | 2024-11-13 | Buy one click WooCommerce <= 2.2.9 - Missing Authorization to Authenticated (Subscriber+) Order Deletion |
| CVE-2024-10854 | 2024-11-13 | Buy one click WooCommerce <= 2.2.9 - Missing Authorization to Authenticated (Subscriber+) Settings Import |
| CVE-2024-8874 | 2024-11-13 | AJAX Login and Registration modal popup + inline form <= 2.24 - Reflected Cross-Site Scripting |
| CVE-2024-10629 | 2024-11-13 | GPX Viewer <= 2.2.8 - Authenticated (Subscriber+) Arbitrary File Creation |
| CVE-2024-9426 | 2024-11-13 | Aqua SVG Sprite <= 3.0.14 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload |
| CVE-2024-10882 | 2024-11-13 | Product Delivery Date for WooCommerce - Lite <= 2.8.0 - Reflected Cross-Site Scripting |
| CVE-2024-10593 | 2024-11-13 | WPForms – Easy Form Builder for WordPress <= 1.9.1.6 - Cross-Site Request Forgery (CSRF) to Plugin's Log Deletion |
| CVE-2024-10530 | 2024-11-13 | Kognetiks Chatbot for WordPress <= 2.1.7 - Missing Authorization to Authenticated (Subscriber+) Assistant Addition |
| CVE-2024-10531 | 2024-11-13 | Kognetiks Chatbot for WordPress <= 2.1.7 - Missing Authorization to Authenticated (Subscriber+) Assistant Update |
| CVE-2024-10684 | 2024-11-13 | Kognetiks Chatbot for WordPress <= 2.1.7 - Reflected Cross-Site Scripting |
| CVE-2024-11143 | 2024-11-13 | Kognetiks Chatbot for WordPress <= 2.1.8 - Cross-Site Request Forgery to Authenticated (Subscriber+) Assistant Modification |
| CVE-2024-10529 | 2024-11-13 | Kognetiks Chatbot for WordPress <= 2.1.7 - Missing Authorization to Authenticated (Subscriber+) Assistant Deletion |
| CVE-2024-10802 | 2024-11-13 | Hash Elements <= 1.4.7 - Missing Authorization to Unauthenticated Draft Post Title Exposure |
| CVE-2024-10794 | 2024-11-13 | Boostify Header Footer Builder for Elementor <= 1.3.6 - Authenticated (Contributor+) Post Disclosure |
| CVE-2024-10828 | 2024-11-13 | Advanced Order Export For WooCommerce <= 3.5.5 - Unauthenticated PHP Object Injection via Order Details |
| CVE-2024-10820 | 2024-11-13 | WooCommerce Upload Files <= 84.3 - Unauthenticated Arbitrary File Upload |
| CVE-2024-10174 | 2024-11-13 | WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts <= 2.6.13 - Insecure Direct Object Reference to Unauthenticated Authorization Bypass |
| CVE-2024-10816 | 2024-11-13 | LUNA RADIO PLAYER <= 6.24.01.24 - Unauthenticated Arbitrary File Read |
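The DotNetZip entry above (CVE-2024-48510, directory traversal in `ZipEntry.Extract.cs`) is the archive-extraction form of CWE-22, usually called Zip Slip: a member name such as `../evil.txt` or an absolute path is joined onto the extraction directory without checking where the result lands. The block below is an added illustration of that bug class and of the check an extractor needs; it is not DotNetZip code, makes no claim about how that library's fix looks, and the archive it builds is constructed inline for the demonstration.

```python
"""Zip Slip (CWE-22 during archive extraction): build an archive carrying
hostile member names, show where an unchecked extractor would write them,
then extract with a containment check. Sample data is constructed here;
nothing in this file is DotNetZip code."""
import io
import tempfile
import zipfile
from pathlib import Path, PurePosixPath

# Constructed archive: one benign member plus two that try to escape the
# extraction root (relative traversal and an absolute path).
HOSTILE_ENTRIES = [
    ("docs/readme.txt", b"benign content\n"),
    ("../evil.txt", b"would land outside the extraction root\n"),
    ("/etc/passwd", b"absolute-path member\n"),
]


def build_archive(entries) -> bytes:
    """Write entries into an in-memory zip. zipfile stores the names
    verbatim, so '../' and a leading '/' survive into the central directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()


def naive_targets(zip_bytes: bytes, dest: str):
    """Where an extractor that simply joins dest + member name would write.
    This is the vulnerable behaviour, shown for contrast; it writes nothing."""
    root = Path(dest).resolve()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [str((root / info.filename).resolve()) for info in zf.infolist()]


def is_safe_member(name: str) -> bool:
    """Lexical check on the stored name: no absolute path, no drive letter,
    no '..' component. Backslashes count as separators because a Windows
    extractor would treat them that way."""
    if not name or name.startswith(("/", "\\")):
        return False
    if len(name) >= 2 and name[1] == ":":
        return False
    return ".." not in PurePosixPath(name.replace("\\", "/")).parts


def safe_extract(zip_bytes: bytes, dest: str):
    """Extract only members whose resolved target stays under dest.
    Returns (extracted_names, rejected_names)."""
    root = Path(dest).resolve()
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            target = (root / name).resolve()
            # Two independent checks: the lexical one rejects the obvious
            # names, the resolved-path one catches anything it missed.
            contained = target == root or root in target.parents
            if not is_safe_member(name) or not contained:
                rejected.append(name)
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            extracted.append(name)
    return extracted, rejected


def demo():
    """Run the hostile archive through safe_extract in a scratch directory
    and return what was kept and what was refused."""
    archive = build_archive(HOSTILE_ENTRIES)
    with tempfile.TemporaryDirectory() as scratch:
        extracted, rejected = safe_extract(archive, scratch)
        # Only the benign member exists, and it is inside the scratch root.
        assert (Path(scratch) / "docs" / "readme.txt").exists()
    return extracted, rejected


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print("unchecked extractor would write:", naive_targets(build_archive(HOSTILE_ENTRIES), d))
    print("checked extractor result:", demo())
```

The lexical check alone is not enough (an extractor that runs on a different platform, or a name that only becomes hostile after normalisation, can slip past it), and the resolved-path check alone does not cover symlink members that point outside the root, which this example does not create or handle; a production extractor should apply both checks and refuse symlinks unless it has a reason to allow them.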