CVE List - 2024 / December
Showing 201 - 300 of 3433 CVEs for December 2024 (Page 3 of 35)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2018-9426 | 2024-12-02 | In RsaKeyPairGenerator::getNumberOfIterations of RSAKeyPairGenerator.java, an incorrect implementation could cause weak RSA key pairs being generated. This could lead to crypto vulnerability with no additional execution privileges needed. User interaction is... |
| CVE-2018-9429 | 2024-12-02 | In buildImageItemsIfPossible of ItemTable.cpp there is a possible out of bound read due to uninitialized data. This could lead to information disclosure with no additional execution privileges needed. User interaction... |
| CVE-2018-9430 | 2024-12-02 | In prop2cfg of btif_storage.cc, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote code execution with no additional execution privileges... |
| CVE-2018-9431 | 2024-12-02 | In OSUInfo of OSUInfo.java, there is a possible escalation of privilege due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed.... |
| CVE-2018-9435 | 2024-12-02 | In gatt_process_error_rsp of gatt_cl.cc, there is a possible out of bound read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges... |
| CVE-2024-29404 | 2024-12-03 | An issue in Razer Synapse 3 v.3.9.131.20813 and Synapse 3 App v.20240213 allows a local attacker to execute arbitrary code via the export parameter of the Chroma Effects function in... |
| CVE-2024-46624 | 2024-12-03 | An issue in InfoDom Performa 365 v4.0.1 allows authenticated attackers to elevate their privileges to Administrator via a crafted payload sent to /api/users. |
| CVE-2024-46625 | 2024-12-03 | An authenticated arbitrary file upload vulnerability in the /documentCache/upload endpoint of InfoDom Performa 365 v4.0.1 allows attackers to execute arbitrary code via uploading a crafted SVG file. |
| CVE-2024-50948 | 2024-12-03 | An issue in mochiMQTT v2.6.3 allows attackers to cause a Denial of Service (DoS) via a crafted request. |
| CVE-2024-51114 | 2024-12-03 | An issue in Beijing Digital China Yunke Information Technology Co.Ltd v.7.2.6.120 allows a remote attacker to execute arbitrary code via the code/function/dpi/web_auth/customizable.php file |
| CVE-2024-51363 | 2024-12-03 | Insecure deserialization in Hodoku v2.3.0 to v2.3.2 allows attackers to execute arbitrary code. |
| CVE-2024-53502 | 2024-12-03 | Seecms v4.8 was discovered to contain a SQL injection vulnerability in the SEMCMS_SeoAndTag.php page. |
| CVE-2024-53921 | 2024-12-03 | An issue was discovered in the installer in Samsung Magician 8.1.0 on Windows. An attacker can create arbitrary folders in the system permission directory via a symbolic link during the... |
| CVE-2024-45757 | 2024-12-03 | An issue was discovered in Centreon centreon-bam 24.04, 23.10, 23.04, and 22.10. SQL injection can occur in the user-settings form. Exploitation is only accessible to authenticated users with high-privileged access. |
| CVE-2024-48080 | 2024-12-03 | An issue in aedes v0.51.2 allows attackers to cause a Denial of Service(DoS) via a crafted request. NOTE: the Supplier indicates that exploitation cannot occur because of the protection mechanism... |
| CVE-2018-9441 | 2024-12-03 | In sdp_copy_raw_data of sdp_discovery.cc, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local information disclosure with no additional execution privileges... |
| CVE-2018-9449 | 2024-12-03 | In process_service_search_attr_rsp of sdp_discovery.cc, there is a possible out of bound read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges... |
| CVE-2024-8748 | 2024-12-03 | A buffer overflow vulnerability in the packet parser of the third-party library "libclinkc" in Zyxel VMG8825-T50K firmware versions through V5.50(ABOM.8.4)C0 could allow an attacker to cause a temporary denial of... |
| CVE-2024-9197 | 2024-12-03 | A post-authentication buffer overflow vulnerability in the parameter "action" of the CGI program in Zyxel VMG3625-T50B firmware versions through V5.50(ABPM.9.2)C0 could allow an authenticated attacker with administrator privileges to cause... |
| CVE-2024-9200 | 2024-12-03 | A post-authentication command injection vulnerability in the "host" parameter of the diagnostic function in Zyxel VMG4005-B50A firmware versions through V5.15(ABQA.2.2)C0 could allow an authenticated attacker with administrator privileges to execute... |
| CVE-2024-9694 | 2024-12-03 | CMSMasters Elementor Addon <= 1.14.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets |
| CVE-2024-45068 | 2024-12-03 | Authentication credentials leakage vulnerability in Hitachi Ops Center Common Services within Hitachi Ops Center OVA |
| CVE-2024-10484 | 2024-12-03 | Spectra – WordPress Gutenberg Blocks <= 2.16.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Team Widget |
| CVE-2024-49410 | 2024-12-03 | Out-of-bounds write in libswmfextractor.so prior to SMR Dec-2024 Release 1 allows local attackers to execute arbitrary code. |
| CVE-2024-49411 | 2024-12-03 | Path Traversal in ThemeCenter prior to SMR Dec-2024 Release 1 allows physical attackers to copy apk files to arbitrary path with ThemeCenter privilege. |
| CVE-2024-49412 | 2024-12-03 | Improper input validation in Settings prior to SMR Dec-2024 Release 1 allows local attackers to broadcast signal for discovering Bluetooth on Galaxy Watch. |
| CVE-2024-49413 | 2024-12-03 | Improper Verification of Cryptographic Signature in SmartSwitch prior to SMR Dec-2024 Release 1 allows local attackers to install malicious applications. |
| CVE-2024-49414 | 2024-12-03 | Authentication Bypass Using an Alternate Path in Dex Mode prior to SMR Dec-2024 Release 1 allows physical attackers to temporarily access to recent app list. |
| CVE-2024-49415 | 2024-12-03 | Out-of-bound write in libsaped.so prior to SMR Dec-2024 Release 1 allows remote attackers to execute arbitrary code. |
| CVE-2024-49416 | 2024-12-03 | Use of implicit intent for sensitive communication in SmartThings prior to version 1.8.21 allows local attackers to get sensitive information. |
| CVE-2024-49417 | 2024-12-03 | Use of implicit intent for sensitive communication in Smart Touch Call prior to 1.0.0.8 allows local attackers to launch privileged activities. User interaction is required for triggering this vulnerability. |
| CVE-2024-49418 | 2024-12-03 | Insufficient verification of url authenticity in GamingHub prior to version 6.1.03.4 in Korea, 7.1.02.4 in Global allows remote attackers to enable JavaScript in its webview. |
| CVE-2024-49419 | 2024-12-03 | Insufficient verification of url authenticity in GamingHub prior to version 6.1.03.4 in Korea, 7.1.02.4 in Global allows remote attackers to load an arbitrary URL in its webview. |
| CVE-2024-49420 | 2024-12-03 | Improper handling of responses in GamingHub prior to version 6.1.04.6 in Korea, 7.1.03.7 in Global allows remote attackers to launch arbitrary activity. |
| CVE-2024-49421 | 2024-12-03 | Path traversal in Quick Share Agent prior to version 3.5.14.47 in Android 12, 3.5.19.41 in Android 13, and 3.5.19.42 in Android 14 allows adjacent attackers to write file in arbitrary... |
| CVE-2024-10893 | 2024-12-03 | WP Booking Calendar < 10.6.5 - Admin+ Stored XSS |
| CVE-2024-9058 | 2024-12-03 | Element Pack Elementor Addons <= 5.10.5 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Lightbox Widget |
| CVE-2024-11453 | 2024-12-03 | WordPress Pinterest Plugin – Make a Popup, User Profile, Masonry and Gallery Layout <= 1.8.8 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2024-11707 | 2024-12-03 | My auctions allegro <= 3.6.17 - Reflected Cross-Site Scripting |
| CVE-2024-11898 | 2024-12-03 | Scratch & Win – Giveaways and Contests <= 2.6.9 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2024-11461 | 2024-12-03 | Form Data Collector <= 2.2.3 - Reflected Cross-Site Scripting |
| CVE-2024-11853 | 2024-12-03 | jAlbum Bridge <= 2.0.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via ar Parameter |
| CVE-2024-11805 | 2024-12-03 | Quick License Manager – WooCommerce Plugin <= 2.4.17 - Reflected Cross-Site Scripting |
| CVE-2024-11732 | 2024-12-03 | BP Profile Shortcodes Extra <= 2.6.0 - Authenticated (Contributor+) SQL Injection via tab Parameter |
| CVE-2024-11844 | 2024-12-03 | IdeaPush <= 8.71 - Missing Authorization to Board Term Deletion |
| CVE-2024-11866 | 2024-12-03 | BMLT Tabbed Map <= 1.1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2024-45106 | 2024-12-03 | Apache Ozone: Improper authentication when generating S3 secrets |
| CVE-2024-11325 | 2024-12-03 | AWeber Forms by Optin Cat <= 2.5.7 - Reflected Cross-Site Scripting |
| CVE-2024-12062 | 2024-12-03 | Charity Addon for Elementor <= 1.3.2 - Authenticated (Contributor+) Post Disclosure |
| CVE-2024-11782 | 2024-12-03 | WP Mailster <= 1.8.17.0 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2024-47476 | 2024-12-03 | Dell NetWorker Management Console, version(s) 19.11, contain(s) an Improper Verification of Cryptographic Signature vulnerability. An unauthenticated attacker with local access could potentially exploit this vulnerability, leading to Code execution. |
| CVE-2024-11326 | 2024-12-03 | Campaign Monitor Forms by Optin Cat <= 2.5.7 - Reflected Cross-Site Scripting |
| CVE-2024-10074 | 2024-12-03 | Liteos_a has an use after free vulnerability |
| CVE-2024-12082 | 2024-12-03 | Ability Runtime has an out-of-bounds read permission bypass vulnerability |
| CVE-2024-42422 | 2024-12-03 | Dell NetWorker, version(s) 19.10, contain(s) an Authorization Bypass Through User-Controlled Key vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure. |
| CVE-2024-9978 | 2024-12-03 | Liteos_a has an out-of-bounds read vulnerability |
| CVE-2024-11200 | 2024-12-03 | Goodlayers Core <= 2.0.7 - Reflected Cross-Site Scripting via 'font-family' |
| CVE-2024-11391 | 2024-12-03 | Advanced File Manager <= 5.2.10 - Authenticated (Subscriber+) Arbitrary File Upload |
| CVE-2024-54000 | 2024-12-03 | Mobile Security Framework (MobSF) bypass of SSRF fix |
| CVE-2024-53999 | 2024-12-03 | Mobile Security Framework (MobSF) Stored Cross-Site Scripting Vulnerability in "Diff or Compare" Functionality |
| CVE-2024-53257 | 2024-12-03 | Vitess allows HTML injection in /debug/querylogz & /debug/env |
| CVE-2021-29892 | 2024-12-03 | IBM Cognos Controller information disclosure |
| CVE-2024-25019 | 2024-12-03 | IBM Cognos Controller file upload |
| CVE-2024-40691 | 2024-12-03 | IBM Cognos Controller file upload |
| CVE-2024-25035 | 2024-12-03 | IBM Cognos Controller information disclosure |
| CVE-2024-25036 | 2024-12-03 | IBM Cognos Controller authentication bypass |
| CVE-2024-53863 | 2024-12-03 | Synapse can be forced to thumbnail unexpected file formats, invoking external, potentially untrustworthy decoders |
| CVE-2024-53867 | 2024-12-03 | Synapse Matrix has a partial room state leak via Sliding Sync |
| CVE-2024-52815 | 2024-12-03 | Synapse allows a a malformed invite to break the invitee's `/sync` |
| CVE-2024-52805 | 2024-12-03 | Synapse allows unsupported content types to lead to memory exhaustion |
| CVE-2024-37302 | 2024-12-03 | Synapse denial of service through media disk space consumption |
| CVE-2024-37303 | 2024-12-03 | Synapse unauthenticated writes to the media repository allow planting of problematic content |
| CVE-2024-45676 | 2024-12-03 | IBM Cognos Controller file upload |
| CVE-2024-41777 | 2024-12-03 | IBM Cognos Controller hard coded credentials |
| CVE-2024-41776 | 2024-12-03 | IBM Cognos Controller cross-site request forgery |
| CVE-2024-25020 | 2024-12-03 | IBM Cognos Controller file upload |
| CVE-2024-41775 | 2024-12-03 | IBM Cognos Controller information disclosure |
| CVE-2024-52544 | 2024-12-03 | Lorex 2K Indoor Wi-Fi Security Camera - Stack buffer overflow |
| CVE-2024-52545 | 2024-12-03 | Lorex 2K Indoor Wi-Fi Security Camera - Out of bounds heap read |
| CVE-2024-52546 | 2024-12-03 | Lorex 2K Indoor Wi-Fi Security Camera - Null pointer dereference |
| CVE-2024-52547 | 2024-12-03 | Lorex 2K Indoor Wi-Fi Security Camera - Stack buffer overflow |
| CVE-2024-52548 | 2024-12-03 | Lorex 2K Indoor Wi-Fi Security Camera - Code signing bypass |
| CVE-2024-12053 | 2024-12-03 | Type Confusion in V8 in Google Chrome prior to 131.0.6778.108 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High) |
| CVE-2024-51771 | 2024-12-03 | Authenticated Remote Code Execution (RCE) via OGNL Injection in HPE Aruba Networking ClearPass Web-Based Management Interface |
| CVE-2024-51772 | 2024-12-03 | Authenticated Deserialization Vulnerability in ClearPass Policy Manager Web-Based Management Interface Leading to a Remote Command Execution (RCE) |
| CVE-2024-51773 | 2024-12-03 | Authenticated Stored Cross-Site Scripting (XSS) in HPE Aruba Networking ClearPass Policy Manager Web-based Management Interface |
| CVE-2024-53672 | 2024-12-03 | Authenticated Remote Command Injection in HPE Aruba Networking ClearPass Policy Manager Web-Based Management Interface |
| CVE-2024-54131 | 2024-12-03 | Kolide Agent Privilege Escalation (Windows, Versions >= 1.5.3, < 1.12.3) |
| CVE-2024-37574 | 2024-12-04 | The GriceMobile com.grice.call application 4.5.2 for Android enables any installed application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.iui.mobile.presentation.MobileActivity. |
| CVE-2024-37575 | 2024-12-04 | The Mister org.mistergroup.shouldianswer application 1.4.264 for Android enables any installed application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the org.mistergroup.shouldianswer.ui.default_dialer.DefaultDialerActivity component. |
| CVE-2024-39163 | 2024-12-04 | binux pyspider up to v0.3.10 was discovered to contain a Cross-Site Request Forgery (CSRF) via the Flask endpoints. |
| CVE-2024-39219 | 2024-12-04 | An issue in Aginode GigaSwitch V5 before version 7.06G allows authenticated attackers with Administrator privileges to upload an earlier firmware version, exposing the device to previously patched vulnerabilities. |
| CVE-2024-48453 | 2024-12-04 | An issue in INOVANCE AM401_CPU1608TPTN allows a remote attacker to execute arbitrary code via the ExecuteUserProgramUpgrade function |
| CVE-2024-50947 | 2024-12-04 | An issue in kmqtt v0.2.7 allows attackers to cause a Denial of Service (DoS) via a crafted request. |
| CVE-2024-51210 | 2024-12-04 | Firepad through 1.5.11 allows remote attackers, who have knowledge of a pad ID, to retrieve both the current text of a document and all content that has previously been pasted... |
| CVE-2024-52676 | 2024-12-04 | Itsourcecode Online Discussion Forum Project v.1.0.0 is vulnerable to Cross Site Scripting (XSS) via /bcc_forum/members/home.php. |
| CVE-2024-53614 | 2024-12-04 | A hardcoded decryption key in Thinkware Cloud APK v4.3.46 allows attackers to access sensitive data and execute arbitrary commands with elevated privileges. |
| CVE-2024-54661 | 2024-12-04 | readline.sh in socat before1.8.0.2 relies on the /tmp/$USER/stderr2 file. |
| CVE-2024-54674 | 2024-12-04 | app/View/GalaxyClusters/cluster_export_misp_galaxy.ctp in MISP through 2.5.2 has stored XSS when exporting custom clusters into the misp-galaxy format. |
| CVE-2024-54675 | 2024-12-04 | app/webroot/js/workflows-editor/workflows-editor.js in MISP through 2.5.2 has stored XSS in the editor interface for an ad-hoc workflow. |