CVE List - 2024 / December
Showing 2301 - 2400 of 3433 CVEs for December 2024 (Page 24 of 35)
| CVE ID | Date | Title / Summary |
|---|---|---|
| CVE-2024-51479 | 2024-12-17 | Authorization bypass in Next.js |
| CVE-2024-56139 | 2024-12-17 | A stack overflow Segmentation Fault (SEGV) and Memory Leak in pdftools |
| CVE-2024-11993 | 2024-12-17 | Reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.38, and Liferay DXP 7.4 GA through update 38 allows remote attackers to execute arbitrary web script or HTML via... |
| CVE-2024-12539 | 2024-12-17 | Elasticsearch Incorrect Authorization |
| CVE-2023-37940 | 2024-12-17 | Cross-site scripting (XSS) vulnerability in the edit Service Access Policy page in Liferay Portal 7.0.0 through 7.4.3.87, and Liferay DXP 7.4 GA through update 87, 7.3 GA through update 29,... |
| CVE-2024-56142 | 2024-12-17 | Path Traversal in pghoard |
| CVE-2024-52792 | 2024-12-17 | Arbitrary config values override in lam |
| CVE-2024-9779 | 2024-12-17 | Open-cluster-management-io/ocm: cluster-manager permissions may allow a worker node to obtain service account tokens |
| CVE-2024-10973 | 2024-12-17 | Keycloak: cli option for encrypted jgroups ignored |
| CVE-2024-37649 | 2024-12-18 | Insecure Permissions vulnerability in SecureSTATION v.2.5.5.3116-S50-SMA-B20160811A and before allows a physically proximate attacker to obtain sensitive information via the modification of user credentials. |
| CVE-2024-39703 | 2024-12-18 | In ThreatQuotient ThreatQ before 5.29.3, authenticated users are able to execute arbitrary commands by sending a crafted request to an API endpoint. |
| CVE-2024-49201 | 2024-12-18 | Keyfactor Remote File Orchestrator (aka remote-file-orchestrator) 2.8 before 2.8.1 allows Information Disclosure: sensitive information could be exposed at the debug logging level. |
| CVE-2024-49202 | 2024-12-18 | Keyfactor Command before 12.5.0 has Incorrect Access Control: access tokens are over permissioned, aka 64099. The fixed versions are 11.5.1.1, 11.5.2.1, 11.5.3.1, 11.5.4.5, 11.5.6.1, 11.6.0, 12.2.0.1, 12.3.0.1, 12.4.0.1, 12.5.0, and... |
| CVE-2024-55086 | 2024-12-18 | In the GetSimple CMS CE 3.3.19 management page, Server-Side Request Forgery (SSRF) can be achieved in the plug-in download address in the backend management system. |
| CVE-2024-55088 | 2024-12-18 | GetSimple CMS CE 3.3.19 is vulnerable to Server-Side Request Forgery (SSRF) in the backend plugin module. |
| CVE-2024-55231 | 2024-12-18 | An IDOR vulnerability in the edit-notes.php module of PHPGurukul Online Notes Sharing Management System v1.0 allows unauthorized users to modify notes belonging to other accounts due to missing authorization checks.... |
| CVE-2024-55232 | 2024-12-18 | An IDOR vulnerability in the manage-notes.php module in PHPGurukul Online Notes Sharing Management System v1.0 allows unauthorized users to delete notes belonging to other accounts due to missing authorization checks.... |
| CVE-2024-55239 | 2024-12-18 | A reflected Cross-Site Scripting vulnerability in the standard documentation upload functionality in Portabilis i-Educar 2.9 allows attacker to craft malicious urls with arbitrary javascript in the 'titulo_documento' parameter. |
| CVE-2024-55461 | 2024-12-18 | SeaCMS <=13.0 is vulnerable to command execution in phome.php via the function Ebak_RepPathFiletext(). |
| CVE-2024-55492 | 2024-12-18 | Winmail Server 4.4 is vulnerable to Cross Site Scripting (XSS) via the f_user parameter (f_user=%22%3E%3Csvg%20onload). |
| CVE-2024-55506 | 2024-12-18 | An IDOR vulnerability in CodeAstro's Complaint Management System v1.0 (version with 0 updates) enables an attacker to execute arbitrary code and obtain sensitive information via the delete.php file and modifying... |
| CVE-2024-56115 | 2024-12-18 | A vulnerability in Amiro.CMS before 7.8.4 exists due to the failure to take measures to neutralize special elements. It allows remote attackers to conduct a Cross-Site Scripting (XSS) attack. |
| CVE-2024-56116 | 2024-12-18 | A Cross-Site Request Forgery vulnerability in Amiro.CMS before 7.8.4 allows remote attackers to create an administrator account. |
| CVE-2024-56170 | 2024-12-18 | A validation integrity issue was discovered in Fort through 1.6.4 before 2.0.0. RPKI manifests are listings of relevant files that clients are supposed to verify. Assuming everything else is correct,... |
| CVE-2024-56173 | 2024-12-18 | In Optimizely Configured Commerce before 5.2.2408, malicious payloads can be stored and subsequently executed in users' browsers under specific conditions: XSS from JavaScript in an SVG document. |
| CVE-2024-56174 | 2024-12-18 | In Optimizely Configured Commerce before 5.2.2408, malicious payloads can be stored and subsequently executed in users' browsers under specific conditions: XSS from client-side template injection in search history. |
| CVE-2024-56175 | 2024-12-18 | In Optimizely Configured Commerce before 5.2.2408, malicious payloads can be stored and subsequently executed in users' browsers under specific conditions: XSS from client-side template injection in list item names. |
| CVE-2024-56317 | 2024-12-18 | In Matter (aka connectedhomeip or Project CHIP) through 1.4.0.0, the WriteAcl function deletes all existing ACL entries first, and then attempts to recreate them based on user input. If input... |
| CVE-2024-56318 | 2024-12-18 | In raw\TCP.cpp in Matter (aka connectedhomeip or Project CHIP) through 1.4.0.0 before 27ca6ec, there is a NULL pointer dereference in TCPBase::ProcessSingleMessage via TCP packets with zero messageSize, leading to denial... |
| CVE-2024-56319 | 2024-12-18 | In Matter (aka connectedhomeip or Project CHIP) through 1.4.0.0 before e3277eb, unlimited user label appends in a userlabel cluster can lead to a denial of service (resource exhaustion). |
| CVE-2024-36694 | 2024-12-18 | OpenCart 4.0.2.3 is vulnerable to Server-Side Template Injection (SSTI) via the Theme Editor Function. |
| CVE-2024-53580 | 2024-12-18 | iperf v3.17.1 was discovered to contain a segmentation violation via the iperf_exchange_parameters() function. |
| CVE-2024-55089 | 2024-12-18 | Rhymix 2.1.19 is vulnerable to Server-Side Request Forgery (SSRF) in the background import data function. |
| CVE-2024-55505 | 2024-12-18 | An issue in CodeAstro Complaint Management System v.1.0 allows a remote attacker to escalate privileges via the mess-view.php component. |
| CVE-2024-56169 | 2024-12-18 | A validation integrity issue was discovered in Fort through 1.6.4 before 2.0.0. RPKI Relying Parties (such as Fort) are supposed to maintain a backup cache of the remote RPKI data.... |
| CVE-2024-47480 | 2024-12-18 | Dell Inventory Collector Client, versions prior to 12.7.0, contains an Improper Link Resolution Before File Access vulnerability. A low-privilege attacker with local access may exploit this vulnerability, potentially resulting in... |
| CVE-2024-11439 | 2024-12-18 | ScanCircle <= 2.9.2 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2024-11748 | 2024-12-18 | Taeggie Feed <= 0.1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2024-12500 | 2024-12-18 | Philantro – Donations and Donor Management <= 5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2024-11881 | 2024-12-18 | Easy Waveform Player <= 1.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2024-12513 | 2024-12-18 | Contests by Rewards Fuel <= 2.0.65 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2024-12432 | 2024-12-18 | WPC Shop as a Customer for WooCommerce <= 1.2.8 - Authentication Bypass Due to Insufficiently Unique Key |
| CVE-2024-12025 | 2024-12-18 | Collapsing Categories <= 3.0.8 - Unauthenticated SQL Injection |
| CVE-2024-11254 | 2024-12-18 | AMP for WP – Accelerated Mobile Pages <= 1.1.1 - Reflected Cross-Site Scripting |
| CVE-2024-12259 | 2024-12-18 | CRM WordPress Plugin – RepairBuddy <= 3.8120 - Missing Authorization to Account Takeover/Privilege Escalation |
| CVE-2024-12596 | 2024-12-18 | LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes <= 7.8.5 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion |
| CVE-2024-12449 | 2024-12-18 | Video Share VOD – Turnkey Video Site Builder Script <= 2.6.30 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2024-12250 | 2024-12-18 | Accept Authorize.NET Payments Using Contact Form 7 <= 2.2 - Unauthenticated Information Exposure |
| CVE-2024-12061 | 2024-12-18 | Events Addon for Elementor <= 2.2.3 - Authenticated (Contributor+) Post Disclosure |
| CVE-2024-12698 | 2024-12-18 | Ose-olm-catalogd-container: incomplete fix for rapid reset (cve-2023-39325/cve-2023-44487) |
| CVE-2024-10892 | 2024-12-18 | Cost Calculator Builder < 3.2.43 - Settings update via CSRF |
| CVE-2024-4464 | 2024-12-18 | Authorization bypass through user-controlled key vulnerability in streaming service in Synology Media Server before 1.4-2680, 2.0.5-3152 and 2.2.0-3325 allows remote attackers to read specific files via unspecified vectors. |
| CVE-2024-21546 | 2024-12-18 | Versions of the package unisharp/laravel-filemanager before 2.9.1 are vulnerable to Remote Code Execution (RCE) through using a valid mimetype and inserting the . character after the php file extension. This... |
| CVE-2024-21548 | 2024-12-18 | Versions of the package bun after 0.0.12 and before 1.1.30 are vulnerable to Prototype Pollution due to improper input sanitization. An attacker can exploit this vulnerability through Bun's APIs that... |
| CVE-2024-21547 | 2024-12-18 | Versions of the package spatie/browsershot before 5.0.2 are vulnerable to Directory Traversal due to URI normalisation in the browser where the file:// check can be bypassed with file:\\. An attacker... |
| CVE-2024-1610 | 2024-12-18 | OPPO Store app include remote account token hijacking and sensitive information leakage |
| CVE-2024-47397 | 2024-12-18 | Weak authentication issue exists in AE1021 firmware versions 2.0.10 and earlier and AE1021PE firmware versions 2.0.10 and earlier. If this vulnerability is exploited, the authentication may be bypassed with an... |
| CVE-2024-53688 | 2024-12-18 | Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in AE1021 firmware versions 2.0.10 and earlier and AE1021PE firmware versions 2.0.10 and earlier, which... |
| CVE-2024-54457 | 2024-12-18 | Inclusion of undocumented features or chicken bits issue exists in AE1021 firmware versions 2.0.10 and earlier and AE1021PE firmware versions 2.0.10 and earlier, which may allow a logged-in user to... |
| CVE-2024-12287 | 2024-12-18 | Biagiotti Membership <= 1.0.2 - Authentication Bypass via biagiotti_membership_check_facebook_user |
| CVE-2024-11295 | 2024-12-18 | Simple Page Access Restriction <= 1.0.29 - Unauthenticated Content Restriction Bypass to Sensitive Information Exposure |
| CVE-2024-11614 | 2024-12-18 | Dpdk: denial of service from malicious guest on hypervisors using dpdk vhost library |
| CVE-2024-12340 | 2024-12-18 | Animation Addons for Elementor <= 1.1.6 - Authenticated (Contributor+) Sensitive Information Exposure via Content Slider and Tabs Widget Elementor Template |
| CVE-2024-12554 | 2024-12-18 | Peter’s Custom Anti-Spam <= 3.2.3 - Cross-Site Request Forgery via cas_register_post Function |
| CVE-2024-12454 | 2024-12-18 | Affiliate Program Suite — SliceWP Affiliates <= 1.1.23 - Cross-Site Request Forgery to Reflected Cross-Site Scripting |
| CVE-2024-47104 | 2024-12-18 | IBM i incorrect privilege assignment |
| CVE-2024-11926 | 2024-12-18 | Traveler <= 3.1.6 - Missing Authorization in Several AJAX Actions |
| CVE-2024-11291 | 2024-12-18 | Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction <= 2.13.4 - Unauthenticated Content Restriction Bypass to Sensitive Information Exposure |
| CVE-2024-11912 | 2024-12-18 | Traveler <= 3.1.6 - Unauthenticated SQL Injection via order_id |
| CVE-2024-4995 | 2024-12-18 | Protocol Downgrade in Wapro ERP Desktop |
| CVE-2024-4996 | 2024-12-18 | Hardcoded Password in Wapro ERP Desktop |
| CVE-2024-56008 | 2024-12-18 | WordPress Spreadr Woocommerce plugin <= 1.0.4 - Arbitrary Content Deletion vulnerability |
| CVE-2024-56059 | 2024-12-18 | WordPress Partners plugin <= 0.2.0 - PHP Object Injection vulnerability |
| CVE-2024-56058 | 2024-12-18 | WordPress VRPConnector plugin <= 2.0.1 - PHP Object Injection vulnerability |
| CVE-2024-54270 | 2024-12-18 | WordPress Axeptio plugin <= 2.5.3 - Local File Inclusion vulnerability |
| CVE-2024-55985 | 2024-12-18 | WordPress YDS Support Ticket System plugin <= 1.0 - SQL Injection vulnerability |
| CVE-2024-55984 | 2024-12-18 | WordPress Saksh Escrow System plugin <= 2.4 - SQL Injection vulnerability |
| CVE-2024-55983 | 2024-12-18 | WordPress PowerFormBuilder plugin <= 1.0.6 - SQL Injection vulnerability |
| CVE-2024-55975 | 2024-12-18 | WordPress Dr Affiliate plugin <= 1.2.3 - SQL Injection vulnerability |
| CVE-2024-56016 | 2024-12-18 | WordPress Image Mapper plugin <= 0.2.5.3 - Reflected Cross Site Scripting (XSS) vulnerability |
| CVE-2024-56010 | 2024-12-18 | WordPress Device Detector Plugin <= 4.2.0 - Reflected Cross Site Scripting (XSS) vulnerability |
| CVE-2024-54350 | 2024-12-18 | WordPress hmd theme <= 2.0 - Cross Site Scripting (XSS) vulnerability |
| CVE-2024-51646 | 2024-12-18 | WordPress Saoshyant Element plugin <= 1.2 - Reflected Cross Site Scripting (XSS) vulnerability |
| CVE-2024-49677 | 2024-12-18 | WordPress Bootstrap Buttons plugin <= 1.2 - Reflected Cross Site Scripting (XSS) vulnerability |
| CVE-2024-55997 | 2024-12-18 | WordPress Order Delivery & Pickup Location Date Time plugin <= 1.1.0 - Settings Change vulnerability |
| CVE-2024-52485 | 2024-12-18 | WordPress WP Menu Image plugin <= 2.2 - Broken Access Control vulnerability |
| CVE-2024-50570 | 2024-12-18 | A Cleartext Storage of Sensitive Information vulnerability [CWE-312] in FortiClientWindows 7.4.0 through 7.4.1, 7.2.0 through 7.2.6, 7.0.0 through 7.0.13 and FortiClientLinux 7.4.0 through 7.4.2, 7.2.0 through 7.2.7, 7.0.0 through 7.0.13... |
| CVE-2023-34990 | 2024-12-18 | A relative path traversal in Fortinet FortiWLM version 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4 allows attacker to execute unauthorized code or commands via specially crafted web requests. |
| CVE-2024-48889 | 2024-12-18 | An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in FortiManager version 7.6.0, version 7.4.4 and below, version 7.2.7 and below, version 7.0.12... |
| CVE-2024-56128 | 2024-12-18 | Apache Kafka: SCRAM authentication vulnerable to replay attacks when used without encryption |
| CVE-2024-12371 | 2024-12-18 | Rockwell Automation PowerMonitor™ 1000 Remote Code Execution |
| CVE-2024-47119 | 2024-12-18 | IBM Storage Defender - Resiliency Service improper certificate validation |
| CVE-2023-50956 | 2024-12-18 | IBM Storage Defender - Resiliency Service information disclosure |
| CVE-2024-52361 | 2024-12-18 | IBM Storage Defender - Resiliency Service information disclosure |
| CVE-2024-12372 | 2024-12-18 | Rockwell Automation PowerMonitor™ 1000 Denial of Service |
| CVE-2024-12373 | 2024-12-18 | Rockwell Automation PowerMonitor™ 1000 Denial of Service |
| CVE-2024-47810 | 2024-12-18 | A use-after-free vulnerability exists in the way Foxit Reader 2024.3.0.26795 handles a 3D page object. A specially crafted Javascript code inside a malicious PDF document can trigger this vulnerability, which... |
| CVE-2024-49576 | 2024-12-18 | A use-after-free vulnerability exists in the way Foxit Reader 2024.3.0.26795 handles a checkbox CBF_Widget object. A specially crafted Javascript code inside a malicious PDF document can trigger this vulnerability, which... |
| CVE-2024-41752 | 2024-12-18 | IBM Cognos Analytics HTML injection |
| CVE-2024-45082 | 2024-12-18 | IBM Cognos Analytics HTTP open redirection |
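Two entries in this page describe the same underlying mistake, validating an input before the consumer normalises it: CVE-2024-21547 (spatie/browsershot, a `file://` prefix check bypassed with `file:\\`) and CVE-2024-21546 (unisharp/laravel-filemanager, an extension check bypassed by a valid MIME type plus a `.` after `.php`). The block below is an added illustration written for this page, not code from either project. It puts a naive check beside a hardened one for each case, run under Node's WHATWG URL parser, which applies the same backslash-as-slash rule for special schemes that browsers do. Function names, the allow/deny lists, the "trailing dot" normalisation and the sample inputs are assumptions made for the example, and the upload check goes slightly beyond the advisory text by also rejecting a dangerous token in an inner segment such as `x.php.png`.

```javascript
// Added illustration (not code from spatie/browsershot or unisharp/laravel-filemanager):
// two "validate first, normalise later" bugs of the kind the entries above describe.
// Function names and the allow/deny lists are assumptions made for this example.

// --- 1. Scheme check defeated by URL normalisation (cf. CVE-2024-21547) ---

// Naive: a string-prefix test for "file://". A browser (and the WHATWG URL parser
// used by Node) treats backslashes as slashes for special schemes such as file:,
// so "file:\\etc\passwd" slips past the test but still resolves to a local file.
function allowsUrlNaive(raw) {
  return !raw.toLowerCase().startsWith("file://");
}

// Hardened: parse with the same rules the consumer will apply, then allow-list
// the scheme. Anything that does not parse is rejected.
function allowsUrlHardened(raw) {
  let parsed;
  try {
    parsed = new URL(raw);
  } catch {
    return false;
  }
  return parsed.protocol === "http:" || parsed.protocol === "https:";
}

// --- 2. Extension check defeated by a trailing dot (cf. CVE-2024-21546) ---

const DENY_EXT = new Set(["php", "phtml", "phar"]);   // assumed deny-list
const ALLOW_EXT = new Set(["png", "jpg", "jpeg", "gif", "pdf"]); // assumed allow-list

// Naive: trust the client-supplied MIME type and look only at the text after the
// last dot. "shell.php." yields an empty last segment, so it is never denied.
function allowsUploadNaive(filename, clientMime) {
  const okMime = clientMime.startsWith("image/") || clientMime === "application/pdf";
  const ext = filename.split(".").pop().toLowerCase();
  return okMime && !DENY_EXT.has(ext);
}

// Hardened: normalise the name before checking (strip trailing dots and spaces,
// which Windows filesystems drop on write), require an allow-listed final
// extension, and refuse a dangerous token anywhere after the base name, e.g.
// "x.php.png". The client MIME type is ignored; sniff content server-side instead.
function allowsUploadHardened(filename) {
  const name = filename.replace(/[. ]+$/, "").toLowerCase();
  const parts = name.split(".");
  if (parts.length < 2 || parts[0] === "") return false;
  const ext = parts[parts.length - 1];
  if (!ALLOW_EXT.has(ext)) return false;
  return !parts.slice(1).some((p) => DENY_EXT.has(p));
}

// Constructed sample inputs (not taken from either advisory) for a quick run.
const SAMPLES = {
  urls: ["https://example.com/page", "file:///etc/passwd", "file:\\\\etc\\passwd"],
  uploads: [["photo.jpg", "image/jpeg"], ["shell.php.", "image/png"], ["x.php.png", "image/png"]],
};

// Returns one row per sample: [input, naive verdict, hardened verdict].
function demo() {
  const rows = [];
  for (const u of SAMPLES.urls) rows.push([u, allowsUrlNaive(u), allowsUrlHardened(u)]);
  for (const [f, m] of SAMPLES.uploads) rows.push([f, allowsUploadNaive(f, m), allowsUploadHardened(f)]);
  return rows;
}

console.table(demo());
```

The hardened URL check works because it asks the parser, not the string, what scheme the request will actually use; the hardened upload check works because it normalises the name the way the filesystem will before deciding, and treats the client's MIME type as untrusted.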