CVE List - 2024 / April
Showing 2001 - 2100 of 3605 CVEs for April 2024 (Page 21 of 37)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2023-48709 | 2024-04-15 | iTop vulnerable to potential formula injection in Excel/CSV export file |
| CVE-2023-48710 | 2024-04-15 | iTop limit pages/exec.php script to PHP files |
| CVE-2023-4855 | 2024-04-15 | A command injection vulnerability was identified in SMM/SMM2 and FPC that could allow an authenticated user with elevated privileges to execute unauthorized commands via IPMI. |
| CVE-2023-4856 | 2024-04-15 | A format string vulnerability was identified in SMM/SMM2 and FPC that could allow an authenticated user to execute arbitrary commands on a specific API endpoint. |
| CVE-2023-4857 | 2024-04-15 | An authentication bypass vulnerability was identified in SMM/SMM2 and FPC that could allow an authenticated user to execute certain IPMI calls that could lead to exposure of limited system information. |
| CVE-2024-2659 | 2024-04-15 | A command injection vulnerability was identified in SMM/SMM2 and FPC that could allow an authenticated user with elevated privileges to execute system commands when performing a specific administrative function. |
| CVE-2024-31219 | 2024-04-15 | Discourse-reactions' reaction data and public topic whisper content exposed on reactions given user activity page |
| CVE-2024-23593 | 2024-04-15 | A vulnerability was reported in a system recovery bootloader that was part of the Lenovo preloaded Windows 7 and 8 operating systems from 2012 to 2014 that could allow a... |
| CVE-2024-23594 | 2024-04-15 | A buffer overflow vulnerability was reported in a system recovery bootloader that was part of the Lenovo preloaded Windows 7 and 8 operating systems from 2012 to 2014 that could... |
| CVE-2024-3803 | 2024-04-15 | Vesystem Cloud Desktop fileupload.php unrestricted upload |
| CVE-2024-23560 | 2024-04-15 | HCL DevOps Deploy / HCL Launch could be vulnerable to incomplete revocation of permissions when deleting a custom type |
| CVE-2024-3804 | 2024-04-15 | Vesystem Cloud Desktop fileupload2.php unrestricted upload |
| CVE-2024-31990 | 2024-04-15 | Argo CD's API server does not enforce project sourceNamespaces |
| CVE-2024-32035 | 2024-04-15 | Memory Allocation with Excessive Size Value in SixLabors.ImageSharp |
| CVE-2024-32036 | 2024-04-15 | SixLabors.ImageSharp vulnerable to data leakage |
| CVE-2024-23561 | 2024-04-15 | HCL DevOps Deploy / HCL Launch is vulnerable to sensitive information disclosure vulnerability |
| CVE-2024-23558 | 2024-04-15 | HCL DevOps Deploy / HCL Launch does not invalidate all session authentication cookies after logout |
| CVE-2024-3493 | 2024-04-15 | Rockwell Automation ControlLogix and GuardLogix Vulnerable to Major Nonrecoverable Fault Due to Invalid Header Value |
| CVE-2024-2424 | 2024-04-15 | Rockwell Automation Input/Output Device Vulnerable to Major Nonrecoverable Fault |
| CVE-2024-27794 | 2024-04-15 | Claris FileMaker Server before version 20.3.2 was susceptible to a reflected Cross-Site Scripting vulnerability due to an improperly handled parameter in the FileMaker WebDirect login endpoint. The vulnerability was resolved... |
| CVE-2024-29291 | 2024-04-16 | An issue in Laravel Framework 8 through 11 might allow a remote attacker to discover database credentials in storage/logs/laravel.log. NOTE: this is disputed by multiple third parties because the owner... |
| CVE-2024-29402 | 2024-04-16 | cskefu v7 suffers from Insufficient Session Expiration, which allows attackers to exploit the old session for malicious activity. |
| CVE-2024-31503 | 2024-04-16 | Incorrect access control in Dolibarr ERP CRM versions 19.0.0 and before, allows authenticated attackers to steal victim users' session cookies and CSRF protection tokens via user interaction with a crafted... |
| CVE-2024-31634 | 2024-04-16 | Cross Site Scripting (XSS) vulnerability in Xunruicms versions 4.6.3 and before, allows a remote attacker to execute arbitrary code via the Security.php file in the catalog \XunRuiCMS\dayrui\Fcms\Library. |
| CVE-2024-31680 | 2024-04-16 | File Upload vulnerability in Shibang Communications Co., Ltd. IP network intercom broadcasting system v.1.0 allows a local attacker to execute arbitrary code via the my_parser.php component. |
| CVE-2024-31759 | 2024-04-16 | An issue in sanluan PublicCMS v.4.0.202302.e allows an attacker to escalate privileges via the change password function. |
| CVE-2024-31760 | 2024-04-16 | An issue in sanluan flipped-aurora gin-vue-admin 2.4.x allows an attacker to escalate privileges via the Session Expiration component. |
| CVE-2024-31784 | 2024-04-16 | An issue in Typora v.1.8.10 and before, allows a local attacker to obtain sensitive information and execute arbitrary code via a crafted payload to the src component. |
| CVE-2024-32254 | 2024-04-16 | Phpgurukul Tourism Management System v2.0 is vulnerable to Unrestricted Upload of File with Dangerous Type via tms/admin/create-package.php. When creating a new package, there are no checks for what types of... |
| CVE-2024-32256 | 2024-04-16 | Phpgurukul Tourism Management System v2.0 is vulnerable to Unrestricted Upload of File with Dangerous Type via /tms/admin/change-image.php. When updating a current package, there are no checks for what types of... |
| CVE-2023-50872 | 2024-04-16 | The API in Accredible Credential.net December 6th, 2023 allows an Insecure Direct Object Reference attack that discloses partial information about certificates and their respective holder. NOTE: the excellium-services.com web page... |
| CVE-2024-31783 | 2024-04-16 | Cross Site Scripting (XSS) vulnerability in Typora v.1.6.7 and before, allows a local attacker to obtain sensitive information via a crafted script during markdown file creation. |
| CVE-2024-0404 | 2024-04-16 | Mass Assignment Vulnerability in mintplex-labs/anything-llm |
| CVE-2024-1456 | 2024-04-16 | S3 Bucket Takeover in h2oai/h2o-3 |
| CVE-2024-1560 | 2024-04-16 | Path Traversal Vulnerability in mlflow/mlflow |
| CVE-2024-3575 | 2024-04-16 | Cross-site Scripting (XSS) - Stored in mindsdb/mindsdb |
| CVE-2024-1666 | 2024-04-16 | Unauthorized Radar Creation in lunary-ai/lunary |
| CVE-2024-1483 | 2024-04-16 | Path Traversal Vulnerability in mlflow/mlflow |
| CVE-2024-3028 | 2024-04-16 | Improper Input Validation in mintplex-labs/anything-llm |
| CVE-2024-1593 | 2024-04-16 | Path Traversal via Parameter Smuggling in mlflow/mlflow |
| CVE-2024-0549 | 2024-04-16 | Relative Path Traversal in mintplex-labs/anything-llm |
| CVE-2024-1646 | 2024-04-16 | Authentication Bypass in parisneo/lollms-webui |
| CVE-2024-1601 | 2024-04-16 | SQL Injection in parisneo/lollms-webui |
| CVE-2024-1183 | 2024-04-16 | SSRF Vulnerability in gradio-app/gradio |
| CVE-2024-1738 | 2024-04-16 | Incorrect Authorization in lunary-ai/lunary |
| CVE-2024-1626 | 2024-04-16 | IDOR Vulnerability in lunary-ai/lunary |
| CVE-2024-3572 | 2024-04-16 | XML External Entity (XXE) Vulnerability in scrapy/scrapy |
| CVE-2024-1594 | 2024-04-16 | Local File Read via Path Traversal in mlflow/mlflow |
| CVE-2024-1558 | 2024-04-16 | Path Traversal Vulnerability in mlflow/mlflow |
| CVE-2024-3029 | 2024-04-16 | Improper Input Validation in mintplex-labs/anything-llm |
| CVE-2024-3573 | 2024-04-16 | Local File Inclusion (LFI) via Scheme Confusion in mlflow/mlflow |
| CVE-2024-1569 | 2024-04-16 | Uncontrolled Resource Consumption in parisneo/lollms-webui |
| CVE-2024-1135 | 2024-04-16 | HTTP Request Smuggling in benoitc/gunicorn |
| CVE-2024-2260 | 2024-04-16 | Session Fixation Vulnerability in zenml-io/zenml |
| CVE-2024-3271 | 2024-04-16 | Command Injection in run-llama/llama_index |
| CVE-2024-3574 | 2024-04-16 | Authorization Header Leak During Cross-Domain Redirect in scrapy/scrapy |
| CVE-2024-2912 | 2024-04-16 | Insecure Deserialization Leading to RCE in bentoml/bentoml |
| CVE-2024-3571 | 2024-04-16 | Path Traversal in langchain-ai/langchain |
| CVE-2024-1739 | 2024-04-16 | Case Insensitive Email Address Validation Vulnerability in lunary-ai/lunary |
| CVE-2024-2083 | 2024-04-16 | Directory Traversal in zenml-io/zenml |
| CVE-2024-1961 | 2024-04-16 | Path Traversal leading to Arbitrary File Write and RCE in vertaai/modeldb |
| CVE-2024-1561 | 2024-04-16 | Arbitrary Local File Read via Component Method Invocation in gradio-app/gradio |
| CVE-2024-22262 | 2024-04-16 | Spring Framework URL Parsing with Host Validation |
| CVE-2024-32557 | 2024-04-16 | WordPress Exclusive Addons for Elementor plugin <= 2.6.9.2 - Cross Site Scripting (XSS) vulnerability |
| CVE-2024-3871 | 2024-04-16 | Authenticated Remote Command Injection in Delta Electronics DVW |
| CVE-2024-32631 | 2024-04-16 | Out-of-bounds read in telephony |
| CVE-2024-32632 | 2024-04-16 | Printf arg type mismatch in ATCMD |
| CVE-2024-32633 | 2024-04-16 | Unsigned compared against 0 |
| CVE-2024-32634 | 2024-04-16 | Logically dead code |
| CVE-2024-32625 | 2024-04-16 | Uninitialized scalar field |
| CVE-2024-3872 | 2024-04-16 | Mattermost Mobile app versions 2.13.0 and earlier use a regular expression with polynomial complexity to parse certain deeplinks, which allows an unauthenticated remote attacker to freeze or crash the app... |
| CVE-2024-3867 | 2024-04-16 | The archive-tainacan-collection theme for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in version 2.7.2. This makes it possible... |
| CVE-2024-1357 | 2024-04-16 | The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's aux_timeline shortcode in all versions up to, and including, 2.15.5... |
| CVE-2024-3367 | 2024-04-16 | Argument injection to runmqsc |
| CVE-2024-3067 | 2024-04-16 | The WooCommerce Google Feed Manager plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including, 2.4.2 due to insufficient escaping on... |
| CVE-2024-3869 | 2024-04-16 | The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'woocommerce_json_search_coupons' function. This makes it possible... |
| CVE-2024-3243 | 2024-04-16 | The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to unauthorized email sending due to a missing capability check on the send_test_email() function in all versions up to, and... |
| CVE-2024-3672 | 2024-04-16 | The BA Book Everything plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'all-items' shortcode in all versions up to, and including, 1.6.8 due to insufficient input... |
| CVE-2024-30256 | 2024-04-16 | Open WebUI vulnerable to server-side request forgery in utils.py |
| CVE-2024-31451 | 2024-04-16 | Limited file write in routes.py (GHSL-2023-250) |
| CVE-2024-32023 | 2024-04-16 | Kohya_ss vulnerable to path injection in `common_gui.py` `find_and_replace` function (`GHSL-2024-024`) |
| CVE-2024-32024 | 2024-04-16 | Kohya_ss vulnerable to path injection in `common_gui.py` `add_pre_postfix` function (`GHSL-2024-023`) |
| CVE-2024-32025 | 2024-04-16 | Kohya_ss is vulnerable to a command injection in `group_images_gui.py` (`GHSL-2024-021`) |
| CVE-2024-32026 | 2024-04-16 | Kohya_ss is vulnerable to a command injection in `git_caption_gui.py` (`GHSL-2024-020`) |
| CVE-2024-32027 | 2024-04-16 | Kohya_ss is vulnerable to a command injection in `finetune_gui.py` (`GHSL-2024-022`) |
| CVE-2024-32022 | 2024-04-16 | Kohya_ss is vulnerable to a command injection in `basic_caption_gui.py` (`GHSL-2024-019`) |
| CVE-2024-3852 | 2024-04-16 | GetBoundName could return the wrong version of an object when JIT optimizations were applied. This vulnerability affects Firefox < 125, Firefox ESR < 115.10, and Thunderbird < 115.10. |
| CVE-2024-3853 | 2024-04-16 | A use-after-free could result if a JavaScript realm was in the process of being initialized when a garbage collection started. This vulnerability affects Firefox < 125. |
| CVE-2024-3854 | 2024-04-16 | In some code patterns the JIT incorrectly optimized switch statements and generated code with out-of-bounds-reads. This vulnerability affects Firefox < 125, Firefox ESR < 115.10, and Thunderbird < 115.10. |
| CVE-2024-3855 | 2024-04-16 | In certain cases the JIT incorrectly optimized MSubstr operations, which led to out-of-bounds reads. This vulnerability affects Firefox < 125. |
| CVE-2024-3856 | 2024-04-16 | A use-after-free could occur during WASM execution if garbage collection ran during the creation of an array. This vulnerability affects Firefox < 125. |
| CVE-2024-3857 | 2024-04-16 | The JIT created incorrect code for arguments in certain cases. This led to potential use-after-free crashes during garbage collection. This vulnerability affects Firefox < 125, Firefox ESR < 115.10, and... |
| CVE-2024-3858 | 2024-04-16 | It was possible to mutate a JavaScript object so that the JIT could crash while tracing it. This vulnerability affects Firefox < 125. |
| CVE-2024-3859 | 2024-04-16 | On 32-bit versions there were integer-overflows that led to an out-of-bounds-read that potentially could be triggered by a malformed OpenType font. This vulnerability affects Firefox < 125, Firefox ESR <... |
| CVE-2024-3860 | 2024-04-16 | An out-of-memory condition during object initialization could result in an empty shape list. If the JIT subsequently traced the object it would crash. This vulnerability affects Firefox < 125. |
| CVE-2024-3861 | 2024-04-16 | If an AlignedBuffer were assigned to itself, the subsequent self-move could result in an incorrect reference count and later use-after-free. This vulnerability affects Firefox < 125, Firefox ESR < 115.10,... |
| CVE-2024-3862 | 2024-04-16 | The MarkStack assignment operator, part of the JavaScript engine, could access uninitialized memory if it were used in a self-assignment. This vulnerability affects Firefox < 125. |
| CVE-2024-3863 | 2024-04-16 | The executable file warning was not presented when downloading .xrm-ms files. *Note: This issue only affected Windows operating systems. Other operating systems are unaffected.* This vulnerability affects Firefox < 125,... |
| CVE-2024-3302 | 2024-04-16 | There was no limit to the number of HTTP/2 CONTINUATION frames that would be processed. A server could abuse this to create an Out of Memory condition in the browser.... |
| CVE-2024-3864 | 2024-04-16 | Memory safety bug present in Firefox 124, Firefox ESR 115.9, and Thunderbird 115.9. This bug showed evidence of memory corruption and we presume that with enough effort this could have... |