CVE List - 2024 / February
Showing 601 - 700 of 2784 CVEs for February 2024 (Page 7 of 28)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2024-24189 | 2024-02-07 | Jsish v3.5.0 (commit 42c694c) was discovered to contain a use-after-free via the SplitChar at ./src/jsiUtils.c. |
| CVE-2024-24304 | 2024-02-07 | In the module "Mailjet" (mailjet) from Mailjet for PrestaShop before versions 3.5.1, a guest can download technical information without restriction. |
| CVE-2024-24311 | 2024-02-07 | Path Traversal vulnerability in Linea Grafica "Multilingual and Multistore Sitemap Pro - SEO" (lgsitemaps) module for PrestaShop before version 1.6.6, a guest can download personal information without restriction. |
| CVE-2024-24488 | 2024-02-07 | An issue in Shenzen Tenda Technology CP3V2.0 V11.10.00.2311090948 allows a local attacker to obtain sensitive information via the password component. |
| CVE-2024-25200 | 2024-02-07 | Espruino 2v20 (commit fcc9ba4) was discovered to contain a Stack Overflow via the jspeFactorFunctionCall at src/jsparse.c. |
| CVE-2024-25201 | 2024-02-07 | Espruino 2v20 (commit fcc9ba4) was discovered to contain an Out-of-bounds Read via jsvStringIteratorPrintfCallback at src/jsvar.c. |
| CVE-2024-1265 | 2024-02-07 | CodeAstro University Management System Attendance Management att_add.php cross site scripting |
| CVE-2024-1266 | 2024-02-07 | CodeAstro University Management System Student Registration Form st_reg.php cross site scripting |
| CVE-2024-22021 | 2024-02-07 | Vulnerability CVE-2024-22021 allows a Veeam Recovery Orchestrator user with a low privileged role (Plan Author) to retrieve plans from a Scope other than the one they are assigned to. |
| CVE-2024-22022 | 2024-02-07 | Vulnerability CVE-2024-22022 allows a Veeam Recovery Orchestrator user that has been assigned a low-privileged role to access the NTLM hash of the service account used by the Veeam Orchestrator Server... |
| CVE-2024-1267 | 2024-02-07 | CodeAstro Restaurant POS System create_account.php cross site scripting |
| CVE-2024-1268 | 2024-02-07 | CodeAstro Restaurant POS System update_product.php unrestricted upload |
| CVE-2024-1269 | 2024-02-07 | SourceCodester Product Management System supplier.php cross site scripting |
| CVE-2024-24810 | 2024-02-07 | WiX is vulnerable to DLL redirection attacks that allow the attacker to escalate privileges |
| CVE-2023-6388 | 2024-02-07 | Suite CRM v7.14.2 - SSRF |
| CVE-2024-0849 | 2024-02-07 | Leanote 2.7.0 - Local File Read |
| CVE-2024-23446 | 2024-02-07 | Kibana Broken Access Control issue |
| CVE-2024-23447 | 2024-02-07 | Elastic Network Drive Connector Improper Access Control |
| CVE-2024-0256 | 2024-02-07 | The Starbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Profile Display Name and Social Settings in all versions up to, and including, 3.4.8 due to insufficient... |
| CVE-2024-1055 | 2024-02-07 | The PowerPack Addons for Elementor (Free Widgets, Extensions and Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's buttons in all versions up to, and including,... |
| CVE-2024-0628 | 2024-02-07 | The WP RSS Aggregator plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.23.5 via the RSS feed source in admin settings. This... |
| CVE-2024-1037 | 2024-02-07 | The All-In-One Security (AIOS) – Security and Firewall plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in all versions up to, and including, 5.2.5 due... |
| CVE-2024-0977 | 2024-02-07 | The Timeline Widget For Elementor (Elementor Timeline, Vertical & Horizontal Timeline) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image URLs in the plugin's timeline widget in all... |
| CVE-2024-1079 | 2024-02-07 | The Quiz Maker plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ays_show_results() function in all versions up to, and including,... |
| CVE-2024-1078 | 2024-02-07 | The Quiz Maker plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ays_quick_start() and add_question_rows() functions in all versions up to,... |
| CVE-2023-51437 | 2024-02-07 | Apache Pulsar: Timing attack in SASL token signature verification |
| CVE-2024-1110 | 2024-02-07 | The Podlove Podcast Publisher plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the init() function in all versions up to, and... |
| CVE-2024-1109 | 2024-02-07 | The Podlove Podcast Publisher plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the init_download() and init() functions in all versions up... |
| CVE-2024-1118 | 2024-02-07 | The Podlove Subscribe button plugin for WordPress is vulnerable to UNION-based SQL Injection via the 'button' attribute of the podlove-subscribe-button shortcode in all versions up to, and including, 1.3.10 due... |
| CVE-2023-39196 | 2024-02-07 | Apache Ozone: Missing mutual TLS authentication in one of the service internal Ozone Storage Container Manager endpoints |
| CVE-2024-25143 | 2024-02-07 | The Document and Media widget In Liferay Portal 7.2.0 through 7.3.6, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 13, and older... |
| CVE-2024-24771 | 2024-02-07 | Open Forms potential multi-factor authentication bypass |
| CVE-2024-24811 | 2024-02-07 | Products.SQLAlchemyDA vulnerable to unauthenticated arbitrary SQL query execution |
| CVE-2024-25145 | 2024-02-07 | Stored cross-site scripting (XSS) vulnerability in the Portal Search module's Search Result app in Liferay Portal 7.2.0 through 7.4.3.11, and older unsupported versions, and Liferay DXP 7.4 before update 8,... |
| CVE-2024-24812 | 2024-02-07 | Frappe Authenticated Reflected Cross site scripting (XSS) in portal pages |
| CVE-2024-24815 | 2024-02-07 | CKEditor4 Cross-site scripting (XSS) vulnerability caused by incorrect CDATA detection |
| CVE-2024-22012 | 2024-02-07 | there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction... |
| CVE-2023-32328 | 2024-02-07 | IBM Security Verify Access information disclosure |
| CVE-2023-32330 | 2024-02-07 | IBM Security Verify Access man in the middle |
| CVE-2023-43017 | 2024-02-07 | IBM Security Verify Access man in the middle |
| CVE-2023-31002 | 2024-02-07 | IBM Security Access Manager Container information disclosure |
| CVE-2023-38369 | 2024-02-07 | IBM Security Access Manager Container information disclosure |
| CVE-2024-20252 | 2024-02-07 | Multiple vulnerabilities in Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an unauthenticated, remote attacker to conduct cross-site request forgery (CSRF) attacks that perform arbitrary actions... |
| CVE-2024-20254 | 2024-02-07 | Multiple vulnerabilities in Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) could allow an unauthenticated, remote attacker to conduct cross-site request forgery (CSRF) attacks that perform arbitrary actions... |
| CVE-2024-20255 | 2024-02-07 | A vulnerability in the SOAP API of Cisco Expressway Series and Cisco TelePresence Video Communication Server could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack... |
| CVE-2024-20290 | 2024-02-07 | A vulnerability in the OLE2 file format parser of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability... |
| CVE-2023-47700 | 2024-02-07 | IBM Storage Virtualize improper certificate validation |
| CVE-2024-23806 | 2024-02-07 | HID Global Reader Configuration Cards Improper Authorization |
| CVE-2024-24706 | 2024-02-07 | WordPress WP-CFM Plugin <= 1.7.8 is vulnerable to Cross Site Request Forgery (CSRF) |
| CVE-2024-24816 | 2024-02-07 | Cross-site scripting (XSS) vulnerability in samples with enabled the preview feature |
| CVE-2024-24563 | 2024-02-07 | Vyper array negative index vulnerability |
| CVE-2024-24822 | 2024-02-07 | Pimcore Admin Classic Bundle permissions are not getting checked when working with tags |
| CVE-2024-24823 | 2024-02-07 | graylog2-server Session Fixation vulnerability through cookie injection |
| CVE-2024-24824 | 2024-02-07 | graylog2-server vulnerable to instantiation of arbitrary classes triggered by API request |
| CVE-2023-6356 | 2024-02-07 | Kernel: null pointer dereference in nvmet_tcp_build_iovec |
| CVE-2023-6535 | 2024-02-07 | Kernel: null pointer dereference in nvmet_tcp_execute_request |
| CVE-2023-6536 | 2024-02-07 | Kernel: null pointer dereference in __nvmet_req_complete |
| CVE-2024-23448 | 2024-02-07 | APM Server Insertion of Sensitive Information into Log File |
| CVE-2024-24806 | 2024-02-07 | Improper Domain Lookup that potentially leads to SSRF attacks in libuv |
| CVE-2024-1066 | 2024-02-07 | Allocation of Resources Without Limits or Throttling in GitLab |
| CVE-2023-6840 | 2024-02-07 | Missing Authorization in GitLab |
| CVE-2023-6736 | 2024-02-07 | Inefficient Regular Expression Complexity in GitLab |
| CVE-2023-47131 | 2024-02-08 | The N-able PassPortal extension before 3.29.2 for Chrome inserts sensitive information into a log file. |
| CVE-2023-50061 | 2024-02-08 | PrestaShop Op'art Easy Redirect >= 1.3.8 and <= 1.3.12 is vulnerable to SQL Injection via Oparteasyredirect::hookActionDispatcher(). |
| CVE-2024-24017 | 2024-02-08 | A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass crafted offset, limit, and sort parameters to perform SQL injection via /common/dict/list |
| CVE-2024-24023 | 2024-02-08 | A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior. An attacker can pass specially crafted offset, limit, and sort parameters to perform SQL injection via /novel/bookContent/list. |
| CVE-2024-24024 | 2024-02-08 | An arbitrary File download vulnerability exists in Novel-Plus v4.3.0-RC1 and prior at com.java2nb.common.controller.FileController: fileDownload(). An attacker can pass in specially crafted filePath and fieName parameters to perform arbitrary File download. |
| CVE-2024-24202 | 2024-02-08 | An arbitrary file upload vulnerability in /upgrade/control.php of ZenTao Community Edition v18.10, ZenTao Biz v8.10, and ZenTao Max v4.10 allows attackers to execute arbitrary code via uploading a crafted .txt... |
| CVE-2024-24213 | 2024-02-08 | Supabase PostgreSQL v15.1 was discovered to contain a SQL injection vulnerability via the component /pg_meta/default/query. NOTE: the vendor's position is that this is an intended feature; also, it exists in... |
| CVE-2024-24496 | 2024-02-08 | An issue in Daily Habit Tracker v.1.0 allows a remote attacker to manipulate trackers via the home.php, add-tracker.php, delete-tracker.php, update-tracker.php components. |
| CVE-2024-25189 | 2024-02-08 | libjwt 1.15.3 uses strcmp (which is not constant time) to verify authentication, which makes it easier to bypass authentication via a timing side channel. |
| CVE-2024-25190 | 2024-02-08 | l8w8jwt 2.2.1 uses memcmp (which is not constant time) to verify authentication, which makes it easier to bypass authentication via a timing side channel. |
| CVE-2023-25365 | 2024-02-08 | Cross Site Scripting vulnerability found in October CMS v.3.2.0 allows local attacker to execute arbitrary code via the file type .mp3 |
| CVE-2023-27001 | 2024-02-08 | An issue discovered in Egerie Risk Manager v4.0.5 allows attackers to bypass the signature mechanism and tamper with the values inside the JWT payload resulting in privilege escalation. |
| CVE-2023-40262 | 2024-02-08 | An issue was discovered in Atos Unify OpenScape Voice Trace Manager V8 before V8 R0.9.11. It allows unauthenticated Stored Cross-Site Scripting (XSS) in the administration component via Access Request. |
| CVE-2023-40263 | 2024-02-08 | An issue was discovered in Atos Unify OpenScape Voice Trace Manager V8 before V8 R0.9.11. It allows authenticated command injection via ftp. |
| CVE-2023-40264 | 2024-02-08 | An issue was discovered in Atos Unify OpenScape Voice Trace Manager V8 before V8 R0.9.11. It allows authenticated path traversal in the user interface. |
| CVE-2023-40265 | 2024-02-08 | An issue was discovered in Atos Unify OpenScape Xpressions WebAssistant V7 before V7R1 FR5 HF42 P911. It allows authenticated remote code execution via file upload. |
| CVE-2023-40266 | 2024-02-08 | An issue was discovered in Atos Unify OpenScape Xpressions WebAssistant V7 before V7R1 FR5 HF42 P911. It allows path traversal. |
| CVE-2023-42282 | 2024-02-08 | The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic. |
| CVE-2023-47020 | 2024-02-08 | Multiple Cross-Site Request Forgery (CSRF) chaining in NCR Terminal Handler v.1.5.1 allows privileges to be escalated by an attacker through a crafted request involving user account creation and adding the... |
| CVE-2023-47132 | 2024-02-08 | An issue discovered in N-able N-central before 2023.6 and earlier allows attackers to gain escalated privileges via API calls. |
| CVE-2023-48974 | 2024-02-08 | Cross Site Scripting vulnerability in Axigen WebMail prior to 10.3.3.61 allows a remote attacker to escalate privileges via a crafted script to the serverName_input parameter. |
| CVE-2023-49101 | 2024-02-08 | WebAdmin in Axigen 10.3.x before 10.3.3.61, 10.4.x before 10.4.24, and 10.5.x before 10.5.10 allows XSS attacks against admins because of mishandling of viewing the usage of SSL certificates. |
| CVE-2024-22795 | 2024-02-08 | Insecure Permissions vulnerability in Forescout SecureConnector v.11.3.06.0063 allows a local attacker to escalate privileges via the Recheck Compliance Status component. |
| CVE-2024-22836 | 2024-02-08 | An OS command injection vulnerability exists in Akaunting v3.1.3 and earlier. An attacker can manipulate the company locale when installing an app to execute system commands on the hosting server. |
| CVE-2024-23660 | 2024-02-08 | The Binance Trust Wallet app for iOS in commit 3cd6e8f647fbba8b5d8844fcd144365a086b629f, git tag 0.0.4 misuses the trezor-crypto library and consequently generates mnemonic words for which the device time is the only... |
| CVE-2024-23756 | 2024-02-08 | The HTTP PUT and DELETE methods are enabled in the Plone official Docker version 5.2.13 (5221), allowing unauthenticated attackers to execute dangerous actions such as uploading files to the server... |
| CVE-2024-23764 | 2024-02-08 | Certain WithSecure products allow Local Privilege Escalation. This affects WithSecure Client Security 15 and later, WithSecure Server Security 15 and later, WithSecure Email and Server Security 15 and later, and... |
| CVE-2024-24003 | 2024-02-08 | jshERP v3.3 is vulnerable to SQL Injection. The com.jsh.erp.controller.DepotHeadController: com.jsh.erp.utils.BaseResponseInfo findInOutMaterialCount() function of jshERP does not filter `column` and `order` parameters well enough, and an attacker can construct malicious payload... |
| CVE-2024-24014 | 2024-02-08 | A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass crafted offset, limit, and sort parameters to perform SQL injection via /novel/author/list |
| CVE-2024-24018 | 2024-02-08 | A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions. An attacker can pass in crafted offset, limit, and sort parameters to perform SQL injection via /system/dataPerm/list |
| CVE-2024-24021 | 2024-02-08 | A SQL injection vulnerability exists in Novel-Plus v4.3.0-RC1 and prior. An attacker can pass specially crafted offset, limit, and sort parameters to perform SQL injection via /novel/userFeedback/list. |
| CVE-2024-24025 | 2024-02-08 | An arbitrary File upload vulnerability exists in Novel-Plus v4.3.0-RC1 and prior at com.java2nb.common.controller.FileController: upload(). An attacker can pass in specially crafted filename parameter to perform arbitrary File download. |
| CVE-2024-24026 | 2024-02-08 | An arbitrary File upload vulnerability exists in Novel-Plus v4.3.0-RC1 and prior versions at com.java2nb.system.controller.SysUserController: uploadImg(). An attacker can pass in specially crafted filename parameter to perform arbitrary File download. |
| CVE-2024-24034 | 2024-02-08 | Setor Informatica S.I.L version 3.0 is vulnerable to Open Redirect via the hprinter parameter, allows remote attackers to execute arbitrary code. |
| CVE-2024-24091 | 2024-02-08 | Yealink Meeting Server before v26.0.0.66 was discovered to contain an OS command injection vulnerability via the file upload interface. |
| CVE-2024-24113 | 2024-02-08 | xxl-job =< 2.4.1 has a Server-Side Request Forgery (SSRF) vulnerability, which causes low-privileged users to control executor to RCE. |
| CVE-2024-24115 | 2024-02-08 | A stored cross-site scripting (XSS) vulnerability in the Edit Page function of Cotonti CMS v0.9.24 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload. |
| CVE-2024-24215 | 2024-02-08 | An issue in the component /cgi-bin/GetJsonValue.cgi of Cellinx NVT Web Server 5.0.0.014 allows attackers to leak configuration information via a crafted POST request. |