CVE List - 2024 / November
Showing 2001 - 2100 of 4054 CVEs for November 2024 (Page 21 of 41)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2024-48967 | 2024-11-14 | Life2000 ventilator and Service PC lack sufficient audit logging capabilities |
| CVE-2017-13227 | 2024-11-14 | In the autofill service, the package name that is provided by the app process is trusted inappropriately. This could lead to information disclosure with no additional execution privileges needed. User... |
| CVE-2024-52308 | 2024-11-14 | Connecting to a malicious Codespaces via GH CLI could allow command execution on the user's computer |
| CVE-2024-23169 | 2024-11-15 | The web interface in RSA NetWitness 11.7.2.0 allows Cross-Site Scripting (XSS) via the Where textbox on the Reports screen during new rule creation. |
| CVE-2024-24425 | 2024-11-15 | Magma v1.8.0 and OAI EPC Federation v1.20 were discovered to contain an out-of-bounds read in the amf_as_establish_req function at /tasks/amf/amf_as.cpp. This vulnerability allows attackers to cause a Denial of Service... |
| CVE-2024-24426 | 2024-11-15 | Reachable assertions in the NGAP_FIND_PROTOCOLIE_BY_ID function of OpenAirInterface Magma v1.8.0 and OAI EPC Federation v1.2.0 allow attackers to cause a Denial of Service (DoS) via a crafted NGAP packet. |
| CVE-2024-24431 | 2024-11-15 | A reachable assertion in the ogs_nas_emm_decode function of Open5GS v2.7.0 allows attackers to cause a Denial of Service (DoS) via a crafted NAS packet with a zero-length EMM message length. |
| CVE-2024-24446 | 2024-11-15 | An uninitialized pointer dereference in OpenAirInterface CN5G AMF up to v2.0.0 allows attackers to cause a Denial of Service (DoS) via a crafted InitialContextSetupResponse message sent to the AMF. |
| CVE-2024-24447 | 2024-11-15 | A buffer overflow in the ngap_amf_handle_pdu_session_resource_setup_response function of oai-cn5g-amf up to v2.0.0 allows attackers to cause a Denial of Service (DoS) via a PDU Session Resource Setup Response with an... |
| CVE-2024-24449 | 2024-11-15 | An uninitialized pointer dereference in the NasPdu::NasPdu component of OpenAirInterface CN5G AMF up to v2.0.0 allows attackers to cause a Denial of Service (DoS) via a crafted InitialUEMessage message sent... |
| CVE-2024-24450 | 2024-11-15 | Stack-based memcpy buffer overflow in the ngap_handle_pdu_session_resource_setup_response routine in OpenAirInterface CN5G AMF <= 2.0.0 allows a remote attacker with access to the N2 interface to carry out denial of service... |
| CVE-2024-44625 | 2024-11-15 | Gogs <=0.13.0 is vulnerable to Directory Traversal via the editFilePost function of internal/route/repo/editor.go. |
| CVE-2024-44758 | 2024-11-15 | An arbitrary file upload vulnerability in the component /Production/UploadFile of NUS-M9 ERP Management Software v3.0.0 allows attackers to execute arbitrary code via uploading crafted files. |
| CVE-2024-44759 | 2024-11-15 | An arbitrary file download vulnerability in the component /Doc/DownloadFile of NUS-M9 ERP Management Software v3.0.0 allows attackers to download arbitrary files and access sensitive information via a crafted interface request. |
| CVE-2024-45969 | 2024-11-15 | NULL pointer dereference in the MMS Client in MZ Automation LibIEC1850 before commit 7afa40390b26ad1f4cf93deaa0052fe7e357ef33 allows a malicious server to Cause a Denial-of-Service via the MMS InitiationResponse message. |
| CVE-2024-45970 | 2024-11-15 | Multiple Buffer overflows in the MMS Client in MZ Automation LibIEC61850 before commit ac925fae8e281ac6defcd630e9dd756264e9c5bc allow a malicious server to cause a stack-based buffer overflow via the MMS FileDirResponse message. |
| CVE-2024-45971 | 2024-11-15 | Multiple Buffer overflows in the MMS Client in MZ Automation LibIEC61850 before commit 1f52be9ddeae00e69cd43e4cac3cb4f0c880c4f0 allow a malicious server to cause a stack-based buffer overflow via the MMS IdentifyResponse message. |
| CVE-2024-46383 | 2024-11-15 | Hathway Skyworth Router CM5100-511 v4.1.1.24 was discovered to store sensitive information about USB and Wifi connected devices in plaintext. |
| CVE-2024-46462 | 2024-11-15 | By default, dedicated folders of ZEDMAIL for Windows up to 2024.3 can be accessed by other users to misuse technical files and make them perform tasks with higher privileges. Configuration... |
| CVE-2024-46463 | 2024-11-15 | By default, dedicated folders of ORIZON for Windows up to 2024.3 can be accessed by other users to misuse technical files and make them perform tasks with higher privileges. Configuration... |
| CVE-2024-46465 | 2024-11-15 | By default, dedicated folders of CRYHOD for Windows up to 2024.3 can be accessed by other users to misuse technical files and make them perform tasks with higher privileges. Configuration... |
| CVE-2024-46466 | 2024-11-15 | By default, dedicated folders of ZONECENTRAL for Windows up to 2024.3 or up to Q.2021.2 (ANSSI qualification submission) can be accessed by other users to misuse technical files and make... |
| CVE-2024-46467 | 2024-11-15 | By default, dedicated folders of ZONEPOINT for Windows up to 2024.1 can be accessed by other users to misuse technical files and make them perform tasks with higher privileges. Configuration... |
| CVE-2024-48068 | 2024-11-15 | A cross-site scripting (XSS) vulnerability in Shenzhen Landray Software Co.,LTD Landray EKP v16 and earlier allows attackers to execute arbitrary web scripts or HTML via a crafted payload. |
| CVE-2024-49592 | 2024-11-15 | Trial installer for McAfee Total Protection (legacy trial installer software) 16.0.53 allows local privilege escalation because of an Uncontrolled Search Path Element. The attacker could be "an adversary or knowledgeable... |
| CVE-2024-50647 | 2024-11-15 | The python_food ordering system V1.0 has an unauthorized vulnerability that leads to the leakage of sensitive user information. Attackers can access it through https://ip:port/api/myapp/index/user/info?id=1 And modify the ID value to... |
| CVE-2024-50648 | 2024-11-15 | yshopmall V1.0 has an arbitrary file upload vulnerability, which can enable RCE or even take over the server when improperly configured to parse JSP files. |
| CVE-2024-50649 | 2024-11-15 | The user avatar upload function in python_book V1.0 has an arbitrary file upload vulnerability. |
| CVE-2024-50650 | 2024-11-15 | python_book V1.0 is vulnerable to Incorrect Access Control, which allows attackers to obtain sensitive information of users with different IDs by modifying the ID parameter. |
| CVE-2024-50651 | 2024-11-15 | java_shop 1.0 is vulnerable to Incorrect Access Control, which allows attackers to obtain sensitive information of users with different IDs by modifying the ID parameter. |
| CVE-2024-50652 | 2024-11-15 | A file upload vulnerability in java_shop 1.0 allows attackers to upload arbitrary files by modifying the avatar function. |
| CVE-2024-50654 | 2024-11-15 | lilishop <=4.2.4 is vulnerable to Incorrect Access Control, which can allow attackers to obtain coupons beyond the quantity limit by capturing and sending the data packets for coupon collection in... |
| CVE-2024-50655 | 2024-11-15 | emlog pro <=2.3.18 is vulnerable to Cross Site Scripting (XSS), which allows attackers to write malicious JavaScript code in published articles. |
| CVE-2024-50724 | 2024-11-15 | KASO v9.0 was discovered to contain a SQL injection vulnerability via the person_id parameter at /cardcase/editcard.jsp. |
| CVE-2024-50800 | 2024-11-15 | Cross Site Scripting vulnerability in M2000 Smart4Web before v.5.020241004 allows a remote attacker to execute arbitrary code via the error parameter in URL |
| CVE-2024-50983 | 2024-11-15 | FlightPath 7.5 contains a Cross Site Scripting (XSS) vulnerability, which allows authenticated remote attackers with administrative rights to inject arbitrary JavaScript in the web browser of a user by including... |
| CVE-2024-50986 | 2024-11-15 | An issue in Clementine v.1.3.1 allows a local attacker to execute arbitrary code via a crafted DLL file. |
| CVE-2024-51037 | 2024-11-15 | An issue in kodbox v.1.52.04 and before allows a remote attacker to obtain sensitive information via the captcha feature in the password reset function. |
| CVE-2024-51141 | 2024-11-15 | An issue in TOTOLINK Bluetooth Wireless Adapter A600UB allows a local attacker to execute arbitrary code via the WifiAutoInstallDriver.exe and MSASN1.dll components. |
| CVE-2024-51142 | 2024-11-15 | Cross Site Scripting vulnerability in Chamilo LMS v.1.11.26 allows an attacker to execute arbitrary code via the svkey parameter of the storageapi.php file. |
| CVE-2024-51164 | 2024-11-15 | Multiple parameters have SQL injection vulnerability in JEPaaS 7.2.8 via /je/login/btnLog/insertBtnLog, which could allow a remote user to submit a specially crafted query, allowing an attacker to retrieve all the... |
| CVE-2024-51330 | 2024-11-15 | An issue in UltiMaker Cura v.4.41 and 5.8.1 and before allows a local attacker to execute arbitrary code via Inter-process communication (IPC) mechanism between Cura application and CuraEngine processes, localhost... |
| CVE-2024-24452 | 2024-11-15 | An invalid memory access when handling the ProtocolIE_ID field of E-RAB Release Indication messages in Athonet vEPC MME v11.4.0 allows attackers to cause a Denial of Service (DoS) to the... |
| CVE-2024-24453 | 2024-11-15 | An invalid memory access when handling the ProtocolIE_ID field of E-RAB NotToBeModifiedBearerModInd information element in Athonet vEPC MME v11.4.0 allows attackers to cause a Denial of Service (DoS) to the... |
| CVE-2024-24454 | 2024-11-15 | An invalid memory access when handling the ProtocolIE_ID field of E-RAB Modify Request messages in Athonet vEPC MME v11.4.0 allows attackers to cause a Denial of Service (DoS) to the... |
| CVE-2024-24455 | 2024-11-15 | An invalid memory access when handling a UE Context Release message containing an invalid UE identifier in Athonet vEPC MME v11.4.0 allows attackers to cause a Denial of Service (DoS)... |
| CVE-2024-24457 | 2024-11-15 | An invalid memory access when handling the ProtocolIE_ID field of E-RAB Setup List Context SURes messages in Athonet vEPC MME v11.4.0 allows attackers to cause a Denial of Service (DoS)... |
| CVE-2024-24458 | 2024-11-15 | An invalid memory access when handling the ENB Configuration Transfer messages containing invalid PLMN Identities in Athonet vEPC MME v11.4.0 allows attackers to cause a Denial of Service (DoS) to... |
| CVE-2024-24459 | 2024-11-15 | An invalid memory access when handling the ProtocolIE_ID field of S1Setup Request messages in Athonet vEPC MME v11.4.0 allows attackers to cause a Denial of Service (DoS) to the cellular... |
| CVE-2024-50653 | 2024-11-15 | CRMEB <=5.4.0 is vulnerable to Incorrect Access Control. Users can bypass the front-end restriction of only being able to claim coupons once by capturing packets and sending a large number... |
| CVE-2024-11120 | 2024-11-15 | GeoVision EOL devices - OS Command Injection |
| CVE-2024-10924 | 2024-11-15 | Really Simple Security (Free, Pro, and Pro Multisite) 9.0.0 - 9.1.1.1 - Authentication Bypass |
| CVE-2024-10897 | 2024-11-15 | Tutor LMS Elementor Addons <= 2.1.5 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Installation |
| CVE-2024-9609 | 2024-11-15 | LearnPress Export Import – WordPress extension for LearnPress <= 4.0.4 - Reflected Cross-Site Scripting |
| CVE-2024-42499 | 2024-11-15 | Improper limitation of a pathname to a restricted directory ('Path Traversal') issue exists in FitNesse releases prior to 20241026. If this vulnerability is exploited, an attacker may be able to... |
| CVE-2024-39610 | 2024-11-15 | Cross-site scripting vulnerability exists in FitNesse releases prior to 20241026. If this vulnerability is exploited, an arbitrary script may be executed on the web browser of the user who is... |
| CVE-2024-10113 | 2024-11-15 | WP AdCenter – Ad Manager & Adsense Ads <= 2.5.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via wpadcenter_ad Shortcode |
| CVE-2024-10582 | 2024-11-15 | Music Player for Elementor – Audio Player & Podcast Player <= 2.4.1 - Missing Authorization to Authenticated (Subscriber+) Template Import |
| CVE-2024-9356 | 2024-11-15 | Yotpo: Product & Photo Reviews for WooCommerce <= 1.7.8 - Reflected Cross-Site Scripting |
| CVE-2024-10260 | 2024-11-15 | Tripetto <= 8.0.3 - Unauthentiated Stored Cross-Site Scripting via Form File Upload |
| CVE-2024-10793 | 2024-11-15 | WP Activity Log <= 5.2.1 - Unauthenticated Stored Cross-Site Scripting via User_id Parameter |
| CVE-2024-10104 | 2024-11-15 | Jobs for WordPress < 2.7.8 - Contributor+ Stored XSS |
| CVE-2024-9529 | 2024-11-15 | Secure Custom Fields < 6.3.6.3 - Admin+ Remote Code Execution |
| CVE-2024-8961 | 2024-11-15 | Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders <= 6.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2024-10825 | 2024-11-15 | Hide My WP Ghost – Security & Firewall <= 5.3.01 - Reflected Cross-Site Scripting via URL |
| CVE-2024-45784 | 2024-11-15 | Apache Airflow: Sensitive configuration values are not masked in the logs by default |
| CVE-2024-8979 | 2024-11-15 | Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders <= 6.0.9 - Authenticated (Author+) Sensitive Information Exposure to Privilege Escalation |
| CVE-2024-8978 | 2024-11-15 | Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders <= 6.0.9 - Authenticated (Contributor+) Sensitive Information Exposure |
| CVE-2024-10311 | 2024-11-15 | External Database Based Actions <= 0.1 - Authenticated (Subscriber+) Authentication Bypass |
| CVE-2024-10443 | 2024-11-15 | Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in Task Manager component in Synology BeePhotos before 1.0.2-10026 and 1.1.0-10053 and Synology Photos before 1.6.2-0720... |
| CVE-2024-11182 | 2024-11-15 | Stored XSS vulnerability in MDaemon Email Server |
| CVE-2021-3741 | 2024-11-15 | Stored Cross-site Scripting (XSS) in chatwoot/chatwoot |
| CVE-2021-3742 | 2024-11-15 | Server-Side Request Forgery (SSRF) in chatwoot/chatwoot |
| CVE-2021-3838 | 2024-11-15 | PHAR Deserialization in dompdf/dompdf |
| CVE-2021-3841 | 2024-11-15 | Stored Cross-site Scripting (XSS) in sylius/sylius |
| CVE-2021-3902 | 2024-11-15 | Improper Restriction of XML External Entity Reference in dompdf/dompdf |
| CVE-2021-3986 | 2024-11-15 | Information Disclosure in janeczku/calibre-web |
| CVE-2021-3987 | 2024-11-15 | Improper Access Control in janeczku/calibre-web |
| CVE-2021-3988 | 2024-11-15 | Cross-site Scripting (XSS) in janeczku/calibre-web |
| CVE-2021-3991 | 2024-11-15 | Improper Authorization in dolibarr/dolibarr |
| CVE-2022-1884 | 2024-11-15 | Remote Command Execution in gogs/gogs |
| CVE-2023-0737 | 2024-11-15 | CSRF in wallabag/wallabag |
| CVE-2023-4679 | 2024-11-15 | Use After Free in gpac/gpac |
| CVE-2024-0787 | 2024-11-15 | Improper Restriction of Excessive Authentication Attempts in phpipam/phpipam |
| CVE-2024-1240 | 2024-11-15 | Open Redirection in pyload/pyload |
| CVE-2021-3740 | 2024-11-15 | Session Fixation in chatwoot/chatwoot |
| CVE-2024-1097 | 2024-11-15 | Stored XSS in craigk5n/webcalendar |
| CVE-2023-2332 | 2024-11-15 | Stored Cross-site Scripting (XSS) in pimcore/pimcore |
| CVE-2022-1226 | 2024-11-15 | Cross-site Scripting (XSS) in phpipam/phpipam |
| CVE-2023-0109 | 2024-11-15 | Stored XSS in usememos/memos |
| CVE-2024-0875 | 2024-11-15 | Stored XSS in openemr/openemr |
| CVE-2024-10534 | 2024-11-15 | Improper Access Control in Dataprom Informatics' PACS-ACSS |
| CVE-2024-11237 | 2024-11-15 | TP-Link VN020 F3v(T) DHCP DISCOVER Packet Parser TP-Thumper stack-based overflow |
| CVE-2024-11238 | 2024-11-15 | Landray EKP sysUiComponent.do delPreviewFile path traversal |
| CVE-2024-11239 | 2024-11-15 | Landray EKP API Interface import.do deleteFile path traversal |
| CVE-2024-11240 | 2024-11-15 | IBPhoenix ibWebAdmin Banco de Dados Tab database.php cross site scripting |
| CVE-2024-11241 | 2024-11-15 | code-projects Job Recruitment reset.php sql injection |
| CVE-2024-11242 | 2024-11-15 | ZZCMS Keyword Filtering ad_list.php sql injection |
| CVE-2024-41785 | 2024-11-15 | IBM Concert cross-site scripting |
| CVE-2024-43189 | 2024-11-15 | IBM Concert Software information disclosure |