CVE List - 2024 / July
Showing 2301 - 2400 of 3115 CVEs for July 2024 (Page 24 of 32)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2024-36533 | 2024-07-24 | Insecure permissions in volcano v1.8.2 allow attackers to access sensitive data and escalate privileges by obtaining the service account's token. |
| CVE-2024-36534 | 2024-07-24 | Insecure permissions in hwameistor v0.14.3 allow attackers to access sensitive data and escalate privileges by obtaining the service account's token. |
| CVE-2024-36535 | 2024-07-24 | Insecure permissions in meshery v0.7.51 allow attackers to access sensitive data and escalate privileges by obtaining the service account's token. |
| CVE-2024-36536 | 2024-07-24 | Insecure permissions in fabedge v0.8.1 allow attackers to access sensitive data and escalate privileges by obtaining the service account's token. |
| CVE-2024-36537 | 2024-07-24 | Insecure permissions in cert-manager v1.14.4 allow attackers to access sensitive data and escalate privileges by obtaining the service account's token. |
| CVE-2024-36538 | 2024-07-24 | Insecure permissions in chaos-mesh v2.6.3 allow attackers to access sensitive data and escalate privileges by obtaining the service account's token. |
| CVE-2024-36539 | 2024-07-24 | Insecure permissions in contour v1.28.3 allow attackers to access sensitive data and escalate privileges by obtaining the service account's token. |
| CVE-2024-36541 | 2024-07-24 | Insecure permissions in logging-operator v4.6.0 allow attackers to access sensitive data and escalate privileges by obtaining the service account's token. |
| CVE-2024-39345 | 2024-07-24 | AdTran 834-5 HDC17600021F1 (SmartOS 11.1.1.1) devices enable the SSH service by default and have a hidden, undocumented, hard-coded support account whose password is based on the device's MAC address. All... |
| CVE-2024-40137 | 2024-07-24 | Dolibarr ERP CRM before 19.0.2-php8.2 was discovered to contain a remote code execution (RCE) vulnerability via the Computed field parameter under the Users Module Setup function. |
| CVE-2024-41459 | 2024-07-24 | Tenda FH1201 v1.2.0.14 was discovered to contain a stack-based buffer overflow vulnerability via the PPPOEPassword parameter at ip/goform/QuickIndex. |
| CVE-2024-41460 | 2024-07-24 | Tenda FH1201 v1.2.0.14 was discovered to contain a stack-based buffer overflow vulnerability via the entrys parameter at ip/goform/RouteStatic. |
| CVE-2024-41461 | 2024-07-24 | Tenda FH1201 v1.2.0.14 was discovered to contain a stack-based buffer overflow vulnerability via the list1 parameter at ip/goform/DhcpListClient. |
| CVE-2024-41462 | 2024-07-24 | Tenda FH1201 v1.2.0.14 was discovered to contain a stack-based buffer overflow vulnerability via the page parameter at ip/goform/DhcpListClient. |
| CVE-2024-41463 | 2024-07-24 | Tenda FH1201 v1.2.0.14 was discovered to contain a stack-based buffer overflow vulnerability via the entrys parameter at ip/goform/addressNat. |
| CVE-2024-41464 | 2024-07-24 | Tenda FH1201 v1.2.0.14 was discovered to contain a stack-based buffer overflow vulnerability via the mitInterface parameter at ip/goform/RouteStatic. |
| CVE-2024-41465 | 2024-07-24 | Tenda FH1201 v1.2.0.14 was discovered to contain a stack-based buffer overflow vulnerability via the funcpara1 parameter at ip/goform/setcfm. |
| CVE-2024-41466 | 2024-07-24 | Tenda FH1201 v1.2.0.14 was discovered to contain a stack-based buffer overflow vulnerability via the page parameter at ip/goform/NatStaticSetting. |
| CVE-2024-41550 | 2024-07-24 | CampCodes Supplier Management System v1.0 is vulnerable to SQL injection via Supply_Management_System/admin/view_invoice_items.php?id=. |
| CVE-2024-41551 | 2024-07-24 | CampCodes Supplier Management System v1.0 is vulnerable to SQL injection via Supply_Management_System/admin/view_order_items.php?id=. |
| CVE-2024-36540 | 2024-07-24 | Insecure permissions in external-secrets v0.9.16 allow attackers to access sensitive data and escalate privileges by obtaining the service account's token. |
| CVE-2024-40422 | 2024-07-24 | The snapshot_path parameter in the /api/get-browser-snapshot endpoint in stitionai devika v1 is susceptible to a path traversal attack. An attacker can manipulate the snapshot_path parameter to traverse directories and access... |
| CVE-2024-40495 | 2024-07-24 | A vulnerability was discovered in Linksys Router E2500 with firmware 2.0.00, allows authenticated attackers to execute arbitrary code via the hnd_parentalctrl_unblock function. |
| CVE-2024-40575 | 2024-07-24 | An issue in Huawei Technologies opengauss (openGauss 5.0.0 build) v.7.3.0 allows a local attacker to cause a denial of service via the modification of table attributes. |
| CVE-2024-40767 | 2024-07-24 | In OpenStack Nova before 27.4.1, 28 before 28.2.1, and 29 before 29.1.1, by supplying a raw format image that is actually a crafted QCOW2 image with a backing file path... |
| CVE-2024-6756 | 2024-07-24 | Social Auto Poster <= 5.3.14 - Authenticated (Contributor+) Arbitrary File Upload |
| CVE-2024-6750 | 2024-07-24 | Social Auto Poster <= 5.3.14 - Missing Authorization via Multiple Functions |
| CVE-2024-6752 | 2024-07-24 | Social Auto Poster <= 5.3.14 - Authenticated (Subscriber+) Stored Cross-Site Scripting |
| CVE-2024-6753 | 2024-07-24 | Social Auto Poster <= 5.3.14 - Unauthenticated Stored Cross-Site Scripting |
| CVE-2024-6754 | 2024-07-24 | Social Auto Poster <= 5.3.14 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Meta Update via wpw_auto_poster_update_tweet_template |
| CVE-2024-7027 | 2024-07-24 | WooCommerce - PDF Vouchers <= 4.9.3 - Authentication Bypass to Voucher Vendor |
| CVE-2024-6751 | 2024-07-24 | Social Auto Poster <= 5.3.14 - Cross-Site Request Forgery via Multiple Functions |
| CVE-2024-6755 | 2024-07-24 | Social Auto Poster <= 5.3.14 - Missing Authorization to Unauthenticated Arbitrary Post Deletion |
| CVE-2024-5861 | 2024-07-24 | WP Easy Pay (Free) <= 4.2.3 - Missing Authorization to Unauthenticated Service Disconnection |
| CVE-2024-3246 | 2024-07-24 | LiteSpeed Cache <= 6.2.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting |
| CVE-2024-6836 | 2024-07-24 | Funnel Builder for WordPress by FunnelKit – Customize WooCommerce Checkout Pages, Create Sales Funnels, Order Bumps & One Click Upsells <= 3.4.6 - Missing Authorization to Authenticated (Contributor+) Settings Update |
| CVE-2024-6094 | 2024-07-24 | WP ULike < 4.7.1 - Admin+ Stored XSS |
| CVE-2024-6553 | 2024-07-24 | WP Meteor Website Speed Optimization Addon <= 3.4.3 - Unauthenticated Full Path Disclosure |
| CVE-2024-6571 | 2024-07-24 | Optimize Images ALT Text (alt tag) & names for SEO using AI <= 3.1.1 - Unauthenticated Full Path Disclosure |
| CVE-2024-6629 | 2024-07-24 | All-in-One Video Gallery <= 3.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Video Shortcode |
| CVE-2023-32466 | 2024-07-24 | Dell Edge Gateway BIOS, versions 3200 and 5200, contains an out-of-bounds write vulnerability. A local authenticated malicious user with high privileges could potentially exploit this vulnerability leading to exposure of... |
| CVE-2023-32471 | 2024-07-24 | Dell Edge Gateway BIOS, versions 3200 and 5200, contains an out-of-bounds read vulnerability. A local authenticated malicious user with high privileges could potentially exploit this vulnerability to read contents of... |
| CVE-2024-6197 | 2024-07-24 | freeing stack buffer in utf8asn1str |
| CVE-2024-6930 | 2024-07-24 | WP Booking Calendar <= 10.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via bookingform Shortcode |
| CVE-2024-6874 | 2024-07-24 | macidn punycode buffer overread |
| CVE-2024-39676 | 2024-07-24 | Apache Pinot: Unauthorized endpoint exposed sensitive information |
| CVE-2023-48362 | 2024-07-24 | Apache Drill: XXE Vulnerability in XML Format Reader |
| CVE-2024-3454 | 2024-07-24 | In-Fabric Matter Cluster Attribute Disclosure |
| CVE-2024-3297 | 2024-07-24 | Session establishment lock-up during replay of CASE Sigma1 messages |
| CVE-2024-7065 | 2024-07-24 | Spina CMS cross-site request forgery |
| CVE-2024-7066 | 2024-07-24 | F-logic DataCube3 HTTP POST Request config_time_sync.php os command injection |
| CVE-2024-6896 | 2024-07-24 | AMP for WP – Accelerated Mobile Pages <= 1.0.96.1 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload |
| CVE-2024-3896 | 2024-07-24 | Photo Gallery, Images, Slider in Rbs Image Gallery <= 3.2.19 - Authenticated (Contributor+) Stored Cross-Site Scripting via Gallery Title |
| CVE-2024-5818 | 2024-07-24 | Royal Elementor Addons and Templates <= 1.3.980 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Magazine Grid/Slider Widget |
| CVE-2024-6327 | 2024-07-24 | Progress Telerik Report Server Deserialization |
| CVE-2024-7067 | 2024-07-24 | kirilkirkov Ecommerce-Laravel-Bootstrap Cart.php getCartProductsIds deserialization |
| CVE-2024-6096 | 2024-07-24 | Unsafe Deserialization Vulnerability |
| CVE-2023-45249 | 2024-07-24 | Remote command execution due to use of default passwords. The following products are affected: Acronis Cyber Infrastructure (ACI) before build 5.0.1-61, Acronis Cyber Infrastructure (ACI) before build 5.1.1-71, Acronis Cyber... |
| CVE-2024-41914 | 2024-07-24 | A vulnerability in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against an administrative user of... |
| CVE-2024-7068 | 2024-07-24 | SourceCodester Insurance Management System update_sub_category cross site scripting |
| CVE-2024-22443 | 2024-07-24 | A vulnerability in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct a server-side prototype pollution attack. Successful exploitation of this vulnerability could... |
| CVE-2024-22444 | 2024-07-24 | A vulnerability within the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow a remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the interface.... |
| CVE-2024-7069 | 2024-07-24 | SourceCodester Employee and Visitor Gate Pass Logging System sql injection |
| CVE-2024-7079 | 2024-07-24 | Openshift-console: unauthenticated installation of helm charts |
| CVE-2024-41110 | 2024-07-24 | Moby authz zero length regression |
| CVE-2024-41662 | 2024-07-24 | VNote vulnerable to Markdown XSS, which leads to RCE |
| CVE-2024-37533 | 2024-07-24 | IBM InfoSphere Information Server information disclosure |
| CVE-2024-41666 | 2024-07-24 | The Argo CD web terminal session does not handle the revocation of user permissions properly. |
| CVE-2024-41667 | 2024-07-24 | OpenAM FreeMarker template injection |
| CVE-2024-41672 | 2024-07-24 | DuckDB: sniff_csv provides filesystem access even when enable_external_access is disabled |
| CVE-2024-21684 | 2024-07-24 | There is a low severity open redirect vulnerability within affected versions of Bitbucket Data Center. Versions of Bitbucket DC from 8.0.0 to 8.9.12 and 8.19.0 to 8.19.1 are affected by... |
| CVE-2024-33519 | 2024-07-24 | Authenticated Server-Side prototype pollution Leading to Information Disclosure |
| CVE-2024-7080 | 2024-07-24 | SourceCodester Insurance Management System direct request |
| CVE-2024-41133 | 2024-07-24 | Authenticated Remote Code Execution in HPE Aruba Networking EdgeConnect SD-WAN Command Line Interface |
| CVE-2024-41134 | 2024-07-24 | Authenticated Remote Code Execution in HPE Aruba Networking EdgeConnect SD-WAN Command Line Interface |
| CVE-2024-41135 | 2024-07-24 | Authenticated Remote Code Execution in HPE Aruba Networking EdgeConnect SD-WAN Command Line Interface |
| CVE-2024-41136 | 2024-07-24 | Authenticated Command Injection in HPE Aruba Networking EdgeConnect SD-WAN Command Line Interface |
| CVE-2024-7081 | 2024-07-24 | itsourcecode Tailoring Management System expcatadd.php sql injection |
| CVE-2024-7091 | 2024-07-24 | Exposure of Sensitive Information to an Unauthorized Actor in GitLab |
| CVE-2024-7060 | 2024-07-24 | Exposure of Sensitive Information to an Unauthorized Actor in GitLab |
| CVE-2024-5067 | 2024-07-24 | Exposure of Sensitive Information to an Unauthorized Actor in GitLab |
| CVE-2024-0231 | 2024-07-24 | Improper Control of Resource Identifiers ('Resource Injection') in GitLab |
| CVE-2024-38287 | 2024-07-25 | The password-reset mechanism in the Forgot Password functionality in R-HUB TurboMeeting through 8.x allows unauthenticated remote attackers to force the application into resetting the administrator's password to a random insecure... |
| CVE-2024-38288 | 2024-07-25 | A command-injection issue in the Certificate Signing Request (CSR) functionality in R-HUB TurboMeeting through 8.x allows authenticated attackers with administrator privileges to execute arbitrary commands on the underlying server as... |
| CVE-2024-38289 | 2024-07-25 | A boolean-based SQL injection issue in the Virtual Meeting Password (VMP) endpoint in R-HUB TurboMeeting through 8.x allows unauthenticated remote attackers to extract hashed passwords from the database, and authenticate... |
| CVE-2024-40318 | 2024-07-25 | An arbitrary file upload vulnerability in Webkul Qloapps v1.6.0.0 allows attackers to execute arbitrary code via uploading a crafted file. |
| CVE-2024-40324 | 2024-07-25 | A CRLF injection vulnerability in E-Staff v5.1 allows attackers to insert Carriage Return (CR) and Line Feed (LF) characters into input fields, leading to HTTP response splitting and header manipulation. |
| CVE-2024-41468 | 2024-07-25 | Tenda FH1201 v1.2.0.14 was discovered to contain a command injection vulnerability via the cmdinput parameter at /goform/exeCommand. |
| CVE-2024-41473 | 2024-07-25 | Tenda FH1201 v1.2.0.14 was discovered to contain a command injection vulnerability via the mac parameter at ip/goform/WriteFacMac. |
| CVE-2024-41705 | 2024-07-25 | A stored XSS issue was discovered in Archer Platform 6.8 before 2024.06. A remote authenticated malicious Archer user could potentially exploit this to store malicious HTML or JavaScript code in... |
| CVE-2024-41706 | 2024-07-25 | A stored XSS issue was discovered in Archer Platform 6 before version 2024.06. A remote authenticated malicious Archer user could potentially exploit this to store malicious HTML or JavaScript code... |
| CVE-2024-36542 | 2024-07-25 | Insecure permissions in kuma v2.7.0 allow attackers to access sensitive data and escalate privileges by obtaining the service account's token. |
| CVE-2024-41707 | 2024-07-25 | An issue was discovered in Archer Platform 6 before 2024.06. Authenticated users can achieve HTML content injection. A remote authenticated malicious Archer user could potentially exploit this to store malicious... |
| CVE-2024-7047 | 2024-07-25 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab |
| CVE-2024-7057 | 2024-07-25 | Improper Access Control in GitLab |
| CVE-2024-4811 | 2024-07-25 | In affected versions of Octopus Server under certain conditions, a user with specific role assignments can access restricted project artifacts. |
| CVE-2024-6972 | 2024-07-25 | In affected versions of Octopus Server under certain circumstances it is possible for sensitive variables to be printed in the task log in clear-text. |
| CVE-2024-37084 | 2024-07-25 | Remote code execution in Spring Cloud Data Flow |
| CVE-2024-6589 | 2024-07-25 | LearnPress <= 4.2.6.8.2 - Authenticated (Contributor+) Local File Inclusion |
| CVE-2024-39673 | 2024-07-25 | Vulnerability of serialisation/deserialisation mismatch in the iAware module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. |