CVE List - 2024 / November
Showing 3601 - 3700 of 4054 CVEs for November 2024 (Page 37 of 41)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2020-12492 | 2024-11-25 | Wifi information acquisition vulnerability in Framework Services |
| CVE-2024-11498 | 2024-11-25 | Resource exhaustion via Stack overflow in libjxl |
| CVE-2024-11403 | 2024-11-25 | Out of Bounds Memory Read/Write in libjxl |
| CVE-2024-27134 | 2024-11-25 | Excessive directory permissions in MLflow leads to local privilege escalation when using spark_udf |
| CVE-2024-11672 | 2024-11-25 | Incorrect authorization in the add permission component in Devolutions Remote Desktop Manager 2024.2.21 and earlier on Windows allows an authenticated malicious user to bypass the "Add" permission via the import... |
| CVE-2024-11671 | 2024-11-25 | Improper authentication in SQL data source MFA validation in Devolutions Remote Desktop Manager 2024.3.17 and earlier on Windows allows an authenticated user to bypass the MFA validation via data source... |
| CVE-2024-11670 | 2024-11-25 | Incorrect authorization in the permission validation component of Devolutions Remote Desktop Manager 2024.2.21 and earlier on Windows allows a malicious authenticated user to bypass the "View Password" permission via specific... |
| CVE-2023-45181 | 2024-11-25 | IBM Jazz Foundation cross-site scripting |
| CVE-2023-26280 | 2024-11-25 | IBM Jazz Foundation improper access control |
| CVE-2024-7915 | 2024-11-25 | macOS Sensei Mac Cleaner Local Privilege Escalation via PID Reuse - Race Condition Attack |
| CVE-2024-8272 | 2024-11-25 | macOS Universal Audio (UAConnect) <= 2.7.0 - Local Privilege Escalation |
| CVE-2024-51723 | 2024-11-25 | Vulnerability in Management Console Impacts BlackBerry AtHoc |
| CVE-2024-32468 | 2024-11-25 | Improper neutralization of input during web page generation ("Cross-site Scripting") in deno_doc HTML generator |
| CVE-2024-52529 | 2024-11-25 | Layer 7 policy enforcement may not occur in policies with wildcarded port ranges in Cilium |
| CVE-2024-52811 | 2024-11-25 | Acks not validated before logged to qlog leads to buffer overflow in ngtcp2 |
| CVE-2024-53255 | 2024-11-25 | Reflected Cross-site Scripting in /admin?page=media via file Parameter in BoidCMS |
| CVE-2024-53262 | 2024-11-25 | Unescaped error message included on error page in SvelteKit |
| CVE-2024-53261 | 2024-11-25 | Cross-Site Scripting attack (XSS) on dev mode 404 page in SvelteKit |
| CVE-2024-53258 | 2024-11-25 | download_all_submissions allows student to download another student's submissions in Autolab |
| CVE-2024-53268 | 2024-11-25 | Lack of validation on openExternal allows 1 click remote code execution in joplin |
| CVE-2024-53096 | 2024-11-25 | mm: resolve faulty mmap_region() error path behaviour |
| CVE-2024-53097 | 2024-11-25 | mm: krealloc: Fix MTE false alarm in __do_krealloc |
| CVE-2024-53098 | 2024-11-25 | drm/xe/ufence: Prefetch ufence addr to catch bogus address |
| CVE-2024-53099 | 2024-11-25 | bpf: Check validity of link->type in bpf_link_show_fdinfo() |
| CVE-2024-53100 | 2024-11-25 | nvme: tcp: avoid race between queue_lock lock and destroy |
| CVE-2024-53101 | 2024-11-25 | fs: Fix uninitialized value issue in from_kuid and from_kgid |
| CVE-2024-11673 | 2024-11-25 | 1000 Projects Bookstore Management System cross-site request forgery |
| CVE-2024-53843 | 2024-11-25 | Reflected XSS Vulnerability in Authentication Flow URL Handling in @dapperduckling/keycloak-connector-server |
| CVE-2024-11674 | 2024-11-25 | CodeAstro Hospital Management System his_doc_update-account.php unrestricted upload |
| CVE-2024-50942 | 2024-11-26 | qiwen-file v1.4.0 was discovered to contain a SQL injection vulnerability via the component /mapper/NoticeMapper.xml. |
| CVE-2024-53365 | 2024-11-26 | A stored cross-site scripting (XSS) vulnerability was identified in PHPGURUKUL Vehicle Parking Management System v1.13 in /users/profile.php. This vulnerability allows authenticated users to inject malicious XSS scripts into the profile... |
| CVE-2024-53555 | 2024-11-26 | A CSV injection vulnerability in Taiga v6.8.1 allows attackers to execute arbitrary code via uploading a crafted CSV file. |
| CVE-2024-53619 | 2024-11-26 | An authenticated arbitrary file upload vulnerability in the Documents module of SPIP v4.3.3 allows attackers to execute arbitrary code via uploading a crafted PDF file. |
| CVE-2024-53620 | 2024-11-26 | A cross-site scripting (XSS) vulnerability in the Article module of SPIP v4.3.3 allows authenticated attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Title... |
| CVE-2024-51058 | 2024-11-26 | Local File Inclusion (LFI) vulnerability has been discovered in TCPDF 6.7.5. This vulnerability enables a user to read arbitrary files from the server's file system through <img> src tag, potentially... |
| CVE-2024-11675 | 2024-11-26 | CodeAstro Hospital Management System Add Patient Details Page his_admin_register_patient.php cross site scripting |
| CVE-2024-11676 | 2024-11-26 | CodeAstro Hospital Management System Add Laboratory Equipment Page his_admin_add_lab_equipment.php cross site scripting |
| CVE-2024-52899 | 2024-11-26 | IBM Data Virtualization Manager code execution |
| CVE-2024-11677 | 2024-11-26 | CodeAstro Hospital Management System Add Vendor Details Page his_admin_add_vendor.php cross site scripting |
| CVE-2024-11678 | 2024-11-26 | CodeAstro Hospital Management System his_doc_register_patient.php cross site scripting |
| CVE-2024-10729 | 2024-11-26 | Booking & Appointment Plugin for WooCommerce <= 6.9.0 - Authenticated (Subscriber+) Arbitrary Option Update |
| CVE-2024-49595 | 2024-11-26 | Dell Wyse Management Suite, version WMS 4.4 and before, contain an Authentication Bypass by Capture-replay vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to... |
| CVE-2024-49597 | 2024-11-26 | Dell Wyse Management Suite, versions WMS 4.4 and prior, contain an Improper Restriction of Excessive Authentication Attempts vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability,... |
| CVE-2024-49596 | 2024-11-26 | Dell Wyse Management Suite, version WMS 4.4 and prior, contain a Missing Authorization vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Denial of... |
| CVE-2024-49351 | 2024-11-26 | IBM Workload Scheduler information disclosure |
| CVE-2024-49353 | 2024-11-26 | IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data denial of service |
| CVE-2024-11342 | 2024-11-26 | Skt NURCaptcha <= 3.5.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting |
| CVE-2024-11418 | 2024-11-26 | Additional Order Filters for WooCommerce <= 1.21 - Reflected Cross-Site Scripting |
| CVE-2024-53278 | 2024-11-26 | Cross-site scripting vulnerability exists in WP Admin UI Customize versions prior to ver 1.5.14. If a malicious admin user customizes the admin screen with some malicious contents, an arbitrary script... |
| CVE-2024-10570 | 2024-11-26 | Security & Malware scan by CleanTalk <= 2.145 - Authorization Bypass via Reverse DNS Spoofing to Unauthenticated SQL Injection |
| CVE-2024-10781 | 2024-11-26 | Spam protection, Anti-Spam, FireWall by CleanTalk <= 6.44 - Authorization Bypass due to Missing Empty Value Check to Unauthenticated Arbitrary Plugin Installation |
| CVE-2024-10542 | 2024-11-26 | Spam protection, Anti-Spam, FireWall by CleanTalk <= 6.43.2 - Authorization Bypass via Reverse DNS Spoofing to Unauthenticated Arbitrary Plugin Installation |
| CVE-2024-10471 | 2024-11-26 | Everest Forms < 3.0.4.2 - Admin+ Stored XSS |
| CVE-2024-11002 | 2024-11-26 | InPost Gallery <= 2.1.4.2 - Authenticated (Subscriber+) Arbitrary Shortcode Execution via inpost_gallery_get_shortcode_template |
| CVE-2024-10857 | 2024-11-26 | Product Input Fields for WooCommerce <= 1.9 - Authenticated (Contributor+) Arbitrary File Read |
| CVE-2024-6476 | 2024-11-26 | Gee-netics, member of the AXIS Camera Station Pro Bug Bounty Program has found that it is possible for a non-admin user to gain system privileges by redirecting a file deletion... |
| CVE-2024-6749 | 2024-11-26 | Seth Fogie, member of the AXIS Camera Station Pro Bug Bounty Program, has found that the Incident report feature may expose sensitive credentials on the AXIS Camera Station windows client.... |
| CVE-2024-6831 | 2024-11-26 | Seth Fogie, member of AXIS Camera Station Pro Bug Bounty Program has found that it is possible to edit and/or remove views without the necessary permission due to a client-side-only... |
| CVE-2024-47257 | 2024-11-26 | Florent Thiéry has found that selected Axis devices were vulnerable to handling certain ethernet frames which could lead to the Axis device becoming unavailable in the network. Axis has released... |
| CVE-2024-8772 | 2024-11-26 | 51l3nc3, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API managedoverlayimages.cgi was vulnerable to a race condition attack allowing for an attacker to block access... |
| CVE-2024-8160 | 2024-11-26 | Erik de Jong, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API ftptest.cgi did not have a sufficient input validation allowing for a possible command... |
| CVE-2024-9504 | 2024-11-26 | Booking calendar, Appointment Booking System <= 3.2.15 - Unauthenticated Stored Cross-Site Scripting via SVG File Upload |
| CVE-2024-11202 | 2024-11-26 | Multiple Plugins <= (Various Versions) - Reflected Cross-Site Scripting via cminds_free_guide Shortcode |
| CVE-2024-28038 | 2024-11-26 | The web interface of the affected devices processes a cookie value improperly, leading to a stack buffer overflow. More precisely, giving an overly long character string to the MFPSESSIONID parameter results in... |
| CVE-2024-28955 | 2024-11-26 | Affected devices create coredump files when crashed, storing them with world-readable permission. Any local user of the device can examine the coredump files, and research the memory contents. As for... |
| CVE-2024-29146 | 2024-11-26 | User passwords are decrypted and stored in memory before any user has logged in. Those decrypted passwords can be retrieved from the coredump file. As for the details of affected product... |
| CVE-2024-29978 | 2024-11-26 | User passwords are decrypted and stored in memory before any user has logged in. Those decrypted passwords can be retrieved from the coredump file. As for the details of affected product... |
| CVE-2024-32151 | 2024-11-26 | User passwords are decrypted and stored in memory before any user has logged in. Those decrypted passwords can be retrieved from the coredump file. As for the details of affected product... |
| CVE-2024-33605 | 2024-11-26 | Improper processing of some parameters of installed_emanual_list.html leads to a path traversal vulnerability. As for the details of affected product names, model numbers, and versions, refer to the information provided... |
| CVE-2024-33610 | 2024-11-26 | "sessionlist.html" and "sys_trayentryreboot.html" are accessible with no authentication. "sessionlist.html" provides logged-in users' session information including session cookies, and "sys_trayentryreboot.html" allows rebooting the device. As for the details of affected... |
| CVE-2024-33616 | 2024-11-26 | Admin authentication can be bypassed with some specific invalid credentials, which allows logging in with an administrative privilege. Sharp Corporation states the telnet feature is implemented on older models only,... |
| CVE-2024-34162 | 2024-11-26 | The web interface of the affected devices is designed to hide the LDAP credentials even for administrative users. But configuring LDAP authentication to "SIMPLE", the device communicates with the LDAP... |
| CVE-2024-35244 | 2024-11-26 | There are several hidden accounts. Some of them are intended for maintenance engineers, and with the knowledge of their passwords (e.g., by examining the coredump), these accounts can be used... |
| CVE-2024-36248 | 2024-11-26 | API keys for some cloud services are hardcoded in the "main" binary. As for the details of affected product names, model numbers, and versions, refer to the information provided by... |
| CVE-2024-36249 | 2024-11-26 | Cross-site scripting vulnerability exists in Sharp Corporation and Toshiba Tech Corporation multiple MFPs (multifunction printers). If this vulnerability is exploited, an arbitrary script may be executed on the administrative page... |
| CVE-2024-36251 | 2024-11-26 | The web interface of the affected devices processes some crafted HTTP requests improperly, leading to a device crash. More precisely, a crafted parameter to billcodedef_sub_sel.html is not processed properly and... |
| CVE-2024-36254 | 2024-11-26 | Out-of-bounds read vulnerability exists in Sharp Corporation and Toshiba Tec Corporation multiple MFPs (multifunction printers), which may lead to a denial-of-service (DoS) condition. |
| CVE-2024-9170 | 2024-11-26 | Booster for WooCommerce <= 7.2.3 - Authenticated (ShopManager+) Stored Cross-Site Scripting via wcj_product_meta Shortcode |
| CVE-2024-11119 | 2024-11-26 | BNE Gallery Extended <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via gallery Shortcode |
| CVE-2024-11192 | 2024-11-26 | Spotify Play Button for WordPress <= 2.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via spotifyplaybutton Shortcode |
| CVE-2024-11091 | 2024-11-26 | Support SVG – Upload svg files in wordpress without hassle <= 1.1.0 - Authenticated (Author+) Stored Cross-site Scripting via SVG File Upload |
| CVE-2016-10394 | 2024-11-26 | Improper Authentication in Core |
| CVE-2017-11076 | 2024-11-26 | Use of Out-of-range Pointer Offset in Video |
| CVE-2017-15832 | 2024-11-26 | Buffer overwrite due to improper input validation in WLAN host |
| CVE-2017-17772 | 2024-11-26 | Multiple buffer overread vulnerabilities in WLAN |
| CVE-2017-18153 | 2024-11-26 | Use After Free in WLAN |
| CVE-2018-11922 | 2024-11-26 | Configurations in Android Build |
| CVE-2018-11952 | 2024-11-26 | Improper Authentication in TrustZone |
| CVE-2024-11032 | 2024-11-26 | Parsi Date <= 5.1.1 - Reflected Cross-Site Scripting via add_query_arg Parameter |
| CVE-2024-11680 | 2024-11-26 | ProjectSend Unauthenticated Configuration Modification |
| CVE-2024-50358 | 2024-11-26 | A CWE-15 "External Control of System or Configuration Setting" was discovered affecting the following devices manufactured by Advantech: EKI-6333AC-2G (<= 1.6.3), EKI-6333AC-2GD (<= v1.6.3) and EKI-6333AC-1GPO (<= v1.2.1). The vulnerability... |
| CVE-2024-50359 | 2024-11-26 | A CWE-78 "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" was discovered affecting the following devices manufactured by Advantech: EKI-6333AC-2G (<= 1.6.3), EKI-6333AC-2GD (<= v1.6.3)... |
| CVE-2024-50360 | 2024-11-26 | A CWE-78 "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" was discovered affecting the following devices manufactured by Advantech: EKI-6333AC-2G (<= 1.6.3), EKI-6333AC-2GD (<= v1.6.3)... |
| CVE-2024-50361 | 2024-11-26 | A CWE-78 "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" was discovered affecting the following devices manufactured by Advantech: EKI-6333AC-2G (<= 1.6.3), EKI-6333AC-2GD (<= v1.6.3)... |
| CVE-2024-50362 | 2024-11-26 | A CWE-78 "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" was discovered affecting the following devices manufactured by Advantech: EKI-6333AC-2G (<= 1.6.3), EKI-6333AC-2GD (<= v1.6.3)... |
| CVE-2024-50363 | 2024-11-26 | A CWE-78 "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" was discovered affecting the following devices manufactured by Advantech: EKI-6333AC-2G (<= 1.6.3), EKI-6333AC-2GD (<= v1.6.3)... |
| CVE-2024-50364 | 2024-11-26 | A CWE-78 "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" was discovered affecting the following devices manufactured by Advantech: EKI-6333AC-2G (<= 1.6.3), EKI-6333AC-2GD (<= v1.6.3)... |
| CVE-2024-50365 | 2024-11-26 | A CWE-78 "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" was discovered affecting the following devices manufactured by Advantech: EKI-6333AC-2G (<= 1.6.3), EKI-6333AC-2GD (<= v1.6.3)... |
| CVE-2024-50366 | 2024-11-26 | A CWE-78 "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" was discovered affecting the following devices manufactured by Advantech: EKI-6333AC-2G (<= 1.6.3), EKI-6333AC-2GD (<= v1.6.3)... |
| CVE-2024-50367 | 2024-11-26 | A CWE-78 "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" was discovered affecting the following devices manufactured by Advantech: EKI-6333AC-2G (<= 1.6.3), EKI-6333AC-2GD (<= v1.6.3)... |