CVE List - 2024 / November
Showing 2201 - 2300 of 4054 CVEs for November 2024 (Page 23 of 41)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2024-10934 | 2024-11-15 | OpenBSD NFS double-free vulnerability |
| CVE-2024-11256 | 2024-11-15 | 1000 Projects Portfolio Management System MCA login.php sql injection |
| CVE-2024-11257 | 2024-11-15 | 1000 Projects Beauty Parlour Management System forgot-password.php sql injection |
| CVE-2024-49536 | 2024-11-15 | Audition \| Out-of-bounds Read (CWE-125) |
| CVE-2024-3334 | 2024-11-15 | USB Security Feature Bypass in Digital Guardian Windows Agent Prior to version 8.2.0 |
| CVE-2024-11258 | 2024-11-15 | 1000 Projects Beauty Parlour Management System index.php sql injection |
| CVE-2024-11259 | 2024-11-15 | code-projects Farmacia fornecedores.php cross site scripting |
| CVE-2024-45609 | 2024-11-15 | GLPI has a Reflected XSS in /front/stat.graph.php |
| CVE-2024-45610 | 2024-11-15 | GLPI has a reflected XSS in ajax/cable.php |
| CVE-2024-45611 | 2024-11-15 | GLPI has a stored XSS at src/RSSFeed.php |
| CVE-2024-49060 | 2024-11-15 | Azure Stack HCI Elevation of Privilege Vulnerability |
| CVE-2024-11217 | 2024-11-15 | Oauth-server-container: oauth-server-container logs client secret in debug level |
| CVE-2017-13309 | 2024-11-15 | In readEncryptedData of ConscryptEngine.java, there is a possible plaintext leak due to improperly used crypto. This could lead to local information disclosure with no additional execution privileges needed. User interaction... |
| CVE-2024-38370 | 2024-11-15 | GLPI allows API document download without rights |
| CVE-2024-9500 | 2024-11-15 | Autodesk ADP Desktop SDK Privilege Escalation Vulnerability |
| CVE-2024-51764 | 2024-11-15 | A security vulnerability has been identified in HPE Data Management Framework (DMF) Suite (CXFS). Depending on configuration, this vulnerability may lead to local/cluster unauthorized access. |
| CVE-2017-13310 | 2024-11-15 | In createFromParcel of ViewPager.java, there is a possible read/write serialization issue leading to a permissions bypass. This could lead to local escalation of privilege where an app can start an... |
| CVE-2024-51765 | 2024-11-15 | A security vulnerability has been identified in HPE Cray Data Virtualization Service (DVS). Depending on configuration, this vulnerability may lead to local/cluster unauthorized access. |
| CVE-2017-13311 | 2024-11-15 | In the read() function of ProcessStats.java, there is a possible read/write serialization issue leading to a permissions bypass. This could lead to local escalation of privilege where an app can... |
| CVE-2017-13312 | 2024-11-15 | In createFromParcel of MediaCas.java, there is a possible parcel read/write mismatch due to improper input validation. This could lead to local escalation of privilege where an app can start an... |
| CVE-2017-13314 | 2024-11-15 | In setAllowOnlyVpnForUids of NetworkManagementService.java, there is a possible security settings bypass due to a missing permission check. This could lead to local escalation of privilege allowing users to access non-VPN... |
| CVE-2024-11261 | 2024-11-15 | SourceCodester Student Record Management System Number of Students Menu StudentRecordManagementSystem.cpp memory corruption |
| CVE-2017-13313 | 2024-11-15 | In ElementaryStreamQueue::dequeueAccessUnitMPEG4Video of ESQueue.cpp, there is a possible infinite loop leading to resource exhaustion due to an incorrect bounds check. This could lead to remote denial of service with no... |
| CVE-2024-11262 | 2024-11-15 | SourceCodester Student Record Management System View All Student Marks main stack-based overflow |
| CVE-2024-11263 | 2024-11-15 | arch: riscv: userspace: potential security risk when CONFIG_RISCV_GP=y |
| CVE-2024-10795 | 2024-11-16 | Popularis Extra <= 1.2.7 - Authenticated (Contributor+) Post Disclosure |
| CVE-2024-10861 | 2024-11-16 | Popup Box – Create Countdown, Coupon, Video, Contact Form Popups <= 4.9.7 - Missing Authorization to Unauthenticated Limited Options Update |
| CVE-2024-10786 | 2024-11-16 | Simple Local Avatars <= 2.7.11 - Missing Authorization to Authenticated (Subscriber+) User Cache Clearing |
| CVE-2024-10883 | 2024-11-16 | SimpleForm – Contact form made simple <= 2.2.0 - Reflected Cross-Site Scripting |
| CVE-2024-10884 | 2024-11-16 | SimpleForm Contact Form Submissions <= 2.1.0 - Reflected Cross-Site Scripting |
| CVE-2024-9849 | 2024-11-16 | 3D FlipBook, PDF Viewer, PDF Embedder – Real 3D FlipBook WordPress Plugin <= 4.6 - Authenticated (Author+) Arbitrary File Upload |
| CVE-2024-10017 | 2024-11-16 | PJW Mime Config <= 1.0 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload |
| CVE-2024-9192 | 2024-11-16 | WP Video Robot <= 1.20.0 - Authenticated (Subscriber+) Privilege Escalation via User Meta Update |
| CVE-2024-9935 | 2024-11-16 | PDF Generator Addon for Elementor Page Builder <= 1.7.5 - Unauthenticated Arbitrary File Download |
| CVE-2024-11118 | 2024-11-16 | 404 Error Monitor <= 1.1 - Cross-Site Request Forgery to Plugin Settings Update via updatePluginSettings Function |
| CVE-2024-10875 | 2024-11-16 | Gallery Manager <= 1.6.58 - Reflected Cross-Site Scripting |
| CVE-2024-11092 | 2024-11-16 | SVGPlus <= 1.1.0 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload |
| CVE-2024-9386 | 2024-11-16 | Exclusive Divi – Divi Preloader, Modules for Divi & Extra Theme <= 1.4 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload |
| CVE-2024-10147 | 2024-11-16 | Steel <= 1.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via btn Shortcode |
| CVE-2024-9615 | 2024-11-16 | BulkPress <= 0.3.5 - Reflected Cross-Site Scripting |
| CVE-2024-10015 | 2024-11-16 | ConvertCalculator for WordPress <= 1.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via id and type Parameter |
| CVE-2024-6628 | 2024-11-16 | EleForms – All In One Form Integration including DB for Elementor <= 2.9.9.9 - Cross-Site Request Forgery |
| CVE-2024-9938 | 2024-11-16 | Bounce Handler MailPoet 3 <= 1.3.21 - Reflected Cross-Site Scripting |
| CVE-2024-9850 | 2024-11-16 | SVG Case Study <= 1.0 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload |
| CVE-2024-8873 | 2024-11-16 | PeproDev WooCommerce Receipt Uploader <= 2.6.9 - Reflected Cross-Site Scripting |
| CVE-2024-11085 | 2024-11-16 | WP Log Viewer <= 1.2.1 - Missing Authorization |
| CVE-2024-9839 | 2024-11-16 | Uix Slideshow <= 1.6.5 - Unauthenticated Arbitrary Shortcode Execution |
| CVE-2024-10262 | 2024-11-16 | Drop Shadow Boxes <= 1.7.14 - Authenticated (Subscriber+) Arbitrary Shortcode Execution |
| CVE-2024-10533 | 2024-11-16 | WP Chat App <= 3.6.8 - Missing Authorization to Authenticated (Subscriber+) Filebird Plugin Installation |
| CVE-2024-10728 | 2024-11-16 | PostX <= 4.1.16 - Missing Authorization to Arbitrary Plugin Installation/Activation |
| CVE-2024-8856 | 2024-11-16 | Backup and Staging by WP Time Capsule <= 1.22.21 - Unauthenticated Arbitrary File Upload |
| CVE-2024-10614 | 2024-11-16 | Customer Reviews for WooCommerce <= 5.61.0 - Missing Authorization to Authenticated (Subscriber+) Import Cancellation |
| CVE-2024-10645 | 2024-11-16 | Blogger 301 Redirect <= 2.5.3 - Unauthenticated SQL Injection via br |
| CVE-2024-9887 | 2024-11-16 | Login using WordPress Users ( WP as SAML IDP ) <= 1.15.6 - Authenticated (Administrator+) SQL Injection |
| CVE-2024-10592 | 2024-11-16 | Mapster WP Maps <= 1.6.0 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2024-11094 | 2024-11-16 | 404 Solution <= 2.35.17 - Missing Authentication to Sensitive Information Exposure |
| CVE-2024-52416 | 2024-11-16 | WordPress Debug Tool plugin <= 2.2 - Remote Code Execution vulnerability |
| CVE-2024-52415 | 2024-11-16 | WordPress SK WP Settings Backup plugin <= 1.0 - CSRF to PHP Object Injection vulnerability |
| CVE-2024-52386 | 2024-11-16 | WordPress Classified Listing plugin <= 3.1.15.1 - Local File Inclusion vulnerability |
| CVE-2024-52414 | 2024-11-16 | WordPress WDES Responsive Mobile Menu plugin <= 5.3.18 - PHP Object Injection vulnerability |
| CVE-2024-52413 | 2024-11-16 | WordPress Airin Blog theme <= 1.6.1 - PHP Object Injection vulnerability |
| CVE-2024-52412 | 2024-11-16 | WordPress Xin theme <= 1.0.8.1 - PHP Object Injection vulnerability |
| CVE-2024-52411 | 2024-11-16 | WordPress Advanced Personalization plugin <= 1.1.2 - PHP Object Injection vulnerability |
| CVE-2024-52410 | 2024-11-16 | WordPress Referrer Detector plugin <= 4.2.1.0 - PHP Object Injection vulnerability |
| CVE-2024-52409 | 2024-11-16 | WordPress AJAX Random Posts plugin <= 0.3.3 - PHP Object Injection vulnerability |
| CVE-2024-52408 | 2024-11-16 | WordPress Push Notifications for WordPress by PushAssist plugin <= 3.0.8 - Arbitrary File Upload vulnerability |
| CVE-2024-52407 | 2024-11-16 | WordPress BasePress Migration Tools plugin <= 1.0.0 - Arbitrary File Upload vulnerability |
| CVE-2024-52406 | 2024-11-16 | WordPress CSV to html plugin <= 3.04 - Arbitrary File Upload vulnerability |
| CVE-2024-52405 | 2024-11-16 | WordPress B-Banner Slider plugin <= 1.1 - Arbitrary File Upload vulnerability |
| CVE-2024-52404 | 2024-11-16 | WordPress CF7 Reply Manager plugin <= 1.2.3 - Arbitrary File Upload vulnerability |
| CVE-2024-52403 | 2024-11-16 | WordPress User Management plugin <= 1.1 - Arbitrary File Upload vulnerability |
| CVE-2024-52400 | 2024-11-16 | WordPress Gallerio plugin <= 1.01 - Arbitrary File Upload vulnerability |
| CVE-2024-52399 | 2024-11-16 | WordPress Writer Helper plugin <= 3.1.6 - Arbitrary File Upload vulnerability |
| CVE-2024-52398 | 2024-11-16 | WordPress CDI plugin <= 5.5.3 - Arbitrary File Upload vulnerability |
| CVE-2024-52397 | 2024-11-16 | WordPress Convert Docx2post plugin <= 1.4 - Arbitrary File Upload vulnerability |
| CVE-2024-52867 | 2024-11-17 | guix-daemon in GNU Guix before 5ab3c4c allows privilege escalation because build outputs are accessible by local users before file metadata concerns (e.g., for setuid and setgid programs) are properly addressed.... |
| CVE-2024-52871 | 2024-11-17 | In Flagsmith before 2.134.1, it is possible to bypass the ALLOW_REGISTRATION_WITHOUT_INVITE setting. |
| CVE-2024-52872 | 2024-11-17 | In Flagsmith before 2.134.1, the get_document endpoint is not correctly protected by permissions. |
| CVE-2024-52876 | 2024-11-17 | Holy Stone Remote ID Module HSRID01, firmware distributed with the Drone Go2 mobile application before 1.1.8, allows unauthenticated "remote power off" actions (in broadcast mode) via multiple read operations on... |
| CVE-2020-25720 | 2024-11-17 | Samba: check attribute access rights for ldap adds of computers |
| CVE-2023-0657 | 2024-11-17 | Keycloak: impersonation via logout token exchange |
| CVE-2023-1419 | 2024-11-17 | Debezium: script injection via connector parameter |
| CVE-2023-4639 | 2024-11-17 | Undertow: cookie smuggling/spoofing |
| CVE-2023-6110 | 2024-11-17 | Openstack: deleting a non existing access rule deletes another existing access rule in its scope |
| CVE-2024-0793 | 2024-11-17 | Kube-controller-manager: malformed hpa v1 manifest causes crash |
| CVE-2023-43091 | 2024-11-17 | Gnome-maps: gnome maps is vulnerable to a code injection attack (similar to xss) via its service.json |
| CVE-2015-20111 | 2024-11-18 | miniupnp before 4c90b87, as used in Bitcoin Core before 0.12 and other products, lacks checks for snprintf return values, leading to a buffer overflow and significant data leak, a different... |
| CVE-2019-25220 | 2024-11-18 | Bitcoin Core before 24.0.1 allows remote attackers to cause a denial of service (daemon crash) via a flood of low-difficulty header chains (aka a "Chain Width Expansion" attack) because a... |
| CVE-2023-49952 | 2024-11-18 | Mastodon 4.1.x before 4.1.17 and 4.2.x before 4.2.9 allows a bypass of rate limiting via a crafted HTTP request header. |
| CVE-2024-28058 | 2024-11-18 | In RSA NetWitness (NW) Platform before 12.5.1, even when an administrator revokes the access of a specific user with an active session, an internal threat actor could impersonate the revoked... |
| CVE-2024-33231 | 2024-11-18 | Cross Site Scripting vulnerability in Ferozo Email version 1.1 allows a local attacker to execute arbitrary code via a crafted payload to the PDF preview component. |
| CVE-2024-44757 | 2024-11-18 | An arbitrary file download vulnerability in the component /Basics/DownloadInpFile of NUS-M9 ERP Management Software v3.0.0 allows attackers to download arbitrary files and access sensitive information via a crafted interface request. |
| CVE-2024-48292 | 2024-11-18 | An issue in the wssrvc.exe service of QuickHeal Antivirus Pro Version v24.0 and Quick Heal Total Security v24.0 allows authenticated attackers to escalate privileges. |
| CVE-2024-48293 | 2024-11-18 | Incorrect access control in QuickHeal Antivirus Pro 24.1.0.182 and earlier allows authenticated attackers with low-level privileges to arbitrarily modify antivirus settings. |
| CVE-2024-48294 | 2024-11-18 | A NULL pointer dereference in the component libPdfCore.dll of Wondershare PDF Reader v1.0.9.2544 allows attackers to cause a Denial of Service (DoS) via a crafted PDF file. |
| CVE-2024-50804 | 2024-11-18 | Insecure Permissions vulnerability in Micro-star International MSI Center Pro 2.1.37.0 allows a local attacker to execute arbitrary code via the Device_DeviceID.dat.bak file within the C:\ProgramData\MSI\One Dragon Center\Data folder |
| CVE-2024-50919 | 2024-11-18 | Jpress until v5.1.1 has arbitrary file uploads on the Windows platform, and the construction of non-standard file formats such as .jsp. can lead to arbitrary command execution |
| CVE-2024-51051 | 2024-11-18 | AVSCMS v8.2.0 was discovered to contain weak default credentials for the Administrator account. |
| CVE-2024-51053 | 2024-11-18 | An arbitrary file upload vulnerability in the component /main/fileupload.php of AVSCMS v8.2.0 allows attackers to execute arbitrary code via uploading a crafted file. |
| CVE-2024-52912 | 2024-11-18 | Bitcoin Core before 0.21.0 allows a network split that is resultant from an integer overflow (calculating the time offset for newly connecting peers) and an abs64 logic bug. |