CVE List - 2024 / September
Showing 1901 - 2000 of 2516 CVEs for September 2024 (Page 20 of 26)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2024-39842 | 2024-09-23 | A SQL injection vulnerability in Centreon 24.04.2 allows a remote high-privileged attacker to execute arbitrary SQL command via user massive changes inputs. |
| CVE-2024-39843 | 2024-09-23 | A SQL injection vulnerability in Centreon 24.04.2 allows a remote high-privileged attacker to execute arbitrary SQL command via create user form inputs. |
| CVE-2024-40441 | 2024-09-23 | An issue in Doccano Open source annotation tools for machine learning practitioners v.1.8.4 and Doccano Auto Labeling Pipeline module to annotate a document automatically v.0.1.23 allows a remote attacker to... |
| CVE-2024-40442 | 2024-09-23 | An issue in Doccano Open source annotation tools for machine learning practitioners v.1.8.4 and Doccano Auto Labeling Pipeline module to annotate a document automatically v.0.1.23 allows a remote attacker to... |
| CVE-2024-41228 | 2024-09-23 | A symlink following vulnerability in the pouch cp function of AliyunContainerService pouch v1.3.1 allows attackers to escalate privileges and write arbitrary files. |
| CVE-2024-44540 | 2024-09-23 | Ubiquiti AirMax firmware version 8 allows attackers with physical access to gain a privileged command shell via the UART Debugging Port. |
| CVE-2024-46241 | 2024-09-23 | PHPGurukul Dairy Farm Shop Management System v1.1 is vulnerable to Cross-Site Scripting (XSS) via the pname parameter in add_product.php and edit_product.php. |
| CVE-2024-46639 | 2024-09-23 | A cross-site scripting (XSS) vulnerability in HelpDeskZ v2.0.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name text field of Custom Fields... |
| CVE-2024-42861 | 2024-09-23 | An issue in IEEE 802.1AS linuxptp v.4.2 and before allows a remote attacker to cause a denial of service via a crafted Pdelay_Req message to the time synchronization function. |
| CVE-2024-47222 | 2024-09-23 | New Cloud MyOffice SDK Collaborative Editing Server 2.2.2 through 2.8 allows SSRF via manipulation of requests from external document storage via the MS-WOPI protocol. |
| CVE-2024-47227 | 2024-09-23 | iRedAdmin before 2.6 allows XSS, e.g., via order_name. |
| CVE-2024-9091 | 2024-09-23 | code-projects Student Record System index.php sql injection |
| CVE-2024-43996 | 2024-09-23 | WordPress ElementsKit Pro plugin <= 3.6.0 - Local File Inclusion vulnerability |
| CVE-2024-44048 | 2024-09-23 | WordPress Product Carousel Slider & Grid Ultimate for WooCommerce plugin <= 1.9.10 - Authenticated Local File Inclusion vulnerability |
| CVE-2024-45453 | 2024-09-23 | WordPress Maintenance Redirect plugin <= 2.0.1 - IP Bypass vulnerability |
| CVE-2024-9092 | 2024-09-23 | SourceCodester Profile Registration without Reload Refresh Registration Form add.php cross site scripting |
| CVE-2024-9093 | 2024-09-23 | SourceCodester Profile Registration without Reload Refresh GET Parameter del.php sql injection |
| CVE-2024-9094 | 2024-09-23 | code-projects Blood Bank System o-.php sql injection |
| CVE-2024-7846 | 2024-09-23 | YITH WooCommerce Ajax Search < 2.7.1 - Contributor+ Stored XSS |
| CVE-2024-8758 | 2024-09-23 | Quiz and Survey Master (QSM) < 9.1.3 - Author+ Stored XSS |
| CVE-2024-8606 | 2024-09-23 | Fix 2FA bypass via RestAPI |
| CVE-2024-45348 | 2024-09-23 | Xiaomi Router AX9000 has a post-authorization command injection vulnerability |
| CVE-2024-8903 | 2024-09-23 | Local active protection service settings manipulation due to unnecessary privileges assignment. The following products are affected: Acronis Cyber Protect Cloud Agent (Windows, macOS) before build 38565. |
| CVE-2022-48945 | 2024-09-23 | media: vivid: fix compose size exceed boundary |
| CVE-2024-46544 | 2024-09-23 | Apache Tomcat Connectors: mod_jk: local users can view and modify configuration |
| CVE-2024-7735 | 2024-09-23 | SQLi in Exnet Informatics Software's Ferry Reservation System |
| CVE-2024-7835 | 2024-09-23 | Reflected XSS in Exnet Informatics Software's Ferry Reservation System |
| CVE-2024-23933 | 2024-09-23 | Sony XAV-AX5500 CarPlay TLV Stack-based Buffer Overflow Remote Code Execution Vulnerability |
| CVE-2024-23934 | 2024-09-23 | Sony XAV-AX5500 WMV/ASF Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability |
| CVE-2024-23972 | 2024-09-23 | Sony XAV-AX5500 USB Configuration Descriptor Buffer Overflow Remote Code Execution Vulnerability |
| CVE-2024-23922 | 2024-09-23 | Sony XAV-AX5500 Insufficient Firmware Update Validation Remote Code Execution Vulnerability |
| CVE-2024-46985 | 2024-09-23 | DataEase has an XXE vulnerability |
| CVE-2024-46997 | 2024-09-23 | DataEase's H2 datasource has a remote command execution risk |
| CVE-2024-47066 | 2024-09-23 | Lobe Chat has insufficient fix for GHSA-mxhq-xw3g-rphc (CVE-2024-32964) |
| CVE-2024-47068 | 2024-09-23 | DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS |
| CVE-2024-47069 | 2024-09-23 | Oveleon Cookiebar reflected Cross-site Scripting vulnerability |
| CVE-2024-9014 | 2024-09-23 | OAuth2 client id and secret exposed through the web browser in pgAdmin 4 |
| CVE-2024-0001 | 2024-09-23 | A condition exists in FlashArray Purity whereby a local account intended for initial array configuration remains active potentially allowing a malicious actor to gain elevated privileges. |
| CVE-2024-0002 | 2024-09-23 | A condition exists in FlashArray Purity whereby an attacker can employ a privileged account allowing remote access to the array. |
| CVE-2024-0003 | 2024-09-23 | A condition exists in FlashArray Purity whereby a malicious user could use a remote administrative service to create an account on the array allowing privileged access. |
| CVE-2024-0004 | 2024-09-23 | A condition exists in FlashArray Purity whereby a user with the array admin role can execute arbitrary commands remotely to escalate privilege on the array. |
| CVE-2024-0005 | 2024-09-23 | A condition exists in FlashArray and FlashBlade Purity whereby a malicious user could execute arbitrary commands remotely through a specifically crafted SNMP configuration. |
| CVE-2024-43201 | 2024-09-23 | Planet Fitness Workouts mobile apps do not properly validate TLS certificates |
| CVE-2024-8770 | 2024-09-23 | A Cross-Site Scripting (XSS) vulnerability was identified in the repository transfer feature of GitHub Enterprise Server, which allows attackers to steal sensitive user information via social engineering. This vulnerability affected... |
| CVE-2024-8263 | 2024-09-23 | An improper privilege management vulnerability allowed arbitrary workflows to be committed using an improperly scoped PAT through the use of nested tags. This vulnerability affected all versions of GitHub Enterprise... |
| CVE-2024-7018 | 2024-09-23 | Heap buffer overflow in PDF in Google Chrome prior to 124.0.6367.78 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. (Chromium security severity: Medium) |
| CVE-2024-7019 | 2024-09-23 | Inappropriate implementation in UI in Google Chrome prior to 124.0.6367.60 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a... |
| CVE-2024-7020 | 2024-09-23 | Inappropriate implementation in Autofill in Google Chrome prior to 124.0.6367.60 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) |
| CVE-2024-7022 | 2024-09-23 | Uninitialized Use in V8 in Google Chrome prior to 123.0.6312.58 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: Medium) |
| CVE-2023-7281 | 2024-09-23 | Inappropriate implementation in Compositing in Google Chrome prior to 119.0.6045.105 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) |
| CVE-2023-7282 | 2024-09-23 | Inappropriate implementation in Navigation in Google Chrome prior to 113.0.5672.63 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform domain spoofing via a... |
| CVE-2021-38023 | 2024-09-23 | Use after free in Extensions in Google Chrome prior to 92.0.4515.107 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) |
| CVE-2018-20072 | 2024-09-23 | Insufficient data validation in PDF in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to perform out of bounds memory access via a crafted PDF file. (Chromium security severity:... |
| CVE-2024-7023 | 2024-09-23 | Insufficient data validation in Updater in Google Chrome prior to 128.0.6537.0 allowed a remote attacker to perform privilege escalation via a malicious file. (Chromium security severity: Medium) |
| CVE-2024-7024 | 2024-09-23 | Inappropriate implementation in V8 in Google Chrome prior to 126.0.6478.54 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low) |
| CVE-2023-26686 | 2024-09-24 | File Upload vulnerability in CS-Cart MultiVendor 4.16.1 allows remote attackers to run arbitrary code via the image upload feature when customizing a shop. |
| CVE-2023-26687 | 2024-09-24 | Directory Traversal vulnerability in CS-Cart MultiVendor 4.16.1 allows remote attackers to obtain sensitive information via the product_data parameter in the PDF Add-on. |
| CVE-2023-26688 | 2024-09-24 | Cross Site Scripting (XSS) vulnerability in CS-Cart MultiVendor 4.16.1 allows remote attackers to run arbitrary code via the product_data parameter of add/edit product in the administration interface. |
| CVE-2023-26689 | 2024-09-24 | An issue discovered in CS-Cart MultiVendor 4.16.1 allows attackers to alter arbitrary user account profiles via a crafted POST request. |
| CVE-2023-26690 | 2024-09-24 | File Upload vulnerability in CS-Cart MultiVendor 4.16.1 allows remote attackers to run arbitrary code via the File Manager/Editor component in the vendor or admin menu. |
| CVE-2023-26691 | 2024-09-24 | Directory Traversal vulnerability in CS-Cart MultiVendor 4.16.1 allows remote attackers to run arbitrary code via a crafted zip file when installing a new add-on. |
| CVE-2024-42797 | 2024-09-24 | An Incorrect Access Control vulnerability was found in /music/ajax.php?action=delete_playlist in Kashipara Music Management System v1.0. This vulnerability allows an unauthenticated attacker to delete the valid music playlist entries. |
| CVE-2024-46607 | 2024-09-24 | Incorrect access control in IceCMS v3.4.7 and before allows attackers to authenticate by entering any arbitrary values as the username and password via the loginAdmin method in the UserController.java file. |
| CVE-2024-46609 | 2024-09-24 | An access control issue in the CheckVip function in UserController.java of IceCMS v3.4.7 and before allows unauthenticated attackers to access and retrieve all user information, including passwords. |
| CVE-2024-46610 | 2024-09-24 | An access control issue in IceCMS v3.4.7 and before allows attackers to arbitrarily modify users' information, including username and password, via a crafted POST request sent to the endpoint /User/ChangeUser/s... |
| CVE-2024-46612 | 2024-09-24 | IceCMS v3.4.7 and before was discovered to contain a hardcoded JWT key, allowing an attacker to forge JWT authentication information. |
| CVE-2024-46957 | 2024-09-24 | Mellium mellium.im/xmpp 0.0.1 through 0.21.4 allows response spoofing if the implementation uses predictable IDs because the stanza type is not checked. This is fixed in 0.22.0. |
| CVE-2024-46934 | 2024-09-24 | Rocket.Chat 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, 6.7.8, and earlier is vulnerable to DOM-based Cross-site Scripting (XSS). Attackers may be able to abuse the UpdateOTRAck method to forge a message that... |
| CVE-2024-46935 | 2024-09-24 | Rocket.Chat 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, 6.7.8, and earlier is vulnerable to denial of service (DoS). Attackers who craft messages with specific characters may crash the workspace due to an... |
| CVE-2024-46936 | 2024-09-24 | Rocket.Chat 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, 6.7.8, and before is vulnerable to a message forgery / impersonation issue. Attackers can abuse the UpdateOTRAck method to send ephemeral messages as if... |
| CVE-2024-47048 | 2024-09-24 | Rocket.Chat 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, 6.7.8, and earlier allows stored XSS in the description and release notes of the marketplace and private apps. |
| CVE-2024-38266 | 2024-09-24 | An improper restriction of operations within the bounds of a memory buffer in the parameter type parser of the Zyxel VMG8825-T50K firmware versions through 5.50(ABOM.8)C0 could allow an authenticated attacker... |
| CVE-2024-38267 | 2024-09-24 | An improper restriction of operations within the bounds of a memory buffer in the IPv6 address parser of the Zyxel VMG8825-T50K firmware versions through 5.50(ABOM.8)C0 could allow an authenticated attacker... |
| CVE-2024-38268 | 2024-09-24 | An improper restriction of operations within the bounds of a memory buffer in the MAC address parser of the Zyxel VMG8825-T50K firmware versions through 5.50(ABOM.8)C0 could allow an authenticated attacker... |
| CVE-2024-38269 | 2024-09-24 | An improper restriction of operations within the bounds of a memory buffer in the USB file-sharing handler of the Zyxel VMG8825-T50K firmware versions through 5.50(ABOM.8)C0 could allow an authenticated attacker... |
| CVE-2024-8432 | 2024-09-24 | Appointment & Event Booking Calendar Plugin – Webba Booking <= 5.0.48 - Missing Authorization to Authenticated (Subscriber+) CSS Settings Update |
| CVE-2024-8657 | 2024-09-24 | Garden Gnome Package <= 2.2.9 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2024-8716 | 2024-09-24 | XT Ajax Add To Cart for WooCommerce <= 1.1.2 - Reflected Cross-Site Scripting |
| CVE-2024-8795 | 2024-09-24 | BA Book Everything <= 1.6.20 - Cross-Site Request Forgery to Email Address Update/Account Takeover |
| CVE-2024-8662 | 2024-09-24 | Koko Analytics <= 1.3.12 - Reflected Cross-Site Scripting |
| CVE-2024-8738 | 2024-09-24 | Seriously Simple Stats <= 1.6.0 - Reflected Cross-Site Scripting |
| CVE-2024-8544 | 2024-09-24 | Pixel Cat – Conversion Pixel Manager <= 3.0.5 - Reflected Cross-Site Scripting |
| CVE-2024-8791 | 2024-09-24 | Donation Forms by Charitable – Donations Plugin & Fundraising Platform for WordPress <= 1.8.1.14 - Insecure Direct Object Reference to Account Takeover and Privilege Escalation |
| CVE-2024-8794 | 2024-09-24 | BA Book Everything <= 1.6.20 - Unauthenticated Arbitrary User Password Reset |
| CVE-2024-8624 | 2024-09-24 | MDTF – Meta Data and Taxonomies Filter <= 1.3.3.3 - Authenticated (Contributor+) SQL Injection |
| CVE-2024-8623 | 2024-09-24 | MDTF – Meta Data and Taxonomies Filter <= 1.3.3.3 - Unauthenticated Arbitrary Shortcode Execution |
| CVE-2024-8671 | 2024-09-24 | WooEvents <= 4.1.2 - Unauthenticated Arbitrary File Overwrite |
| CVE-2024-8628 | 2024-09-24 | Popup, Optin Form & Email Newsletters for Mailchimp, HubSpot, AWeber – MailOptin <= 1.2.70.3 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2022-2439 | 2024-09-24 | Easy Digital Downloads – Simple eCommerce for Selling Digital Files <= 3.3.3 - Authenticated (Admin+) PHAR Deserialization |
| CVE-2024-8917 | 2024-09-24 | AnWP Football Leagues <= 0.16.7 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload |
| CVE-2024-8267 | 2024-09-24 | Radio Player – Live Shoutcast, Icecast and Any Audio Stream Player for WordPress <= 2.0.78 - Authenticated (Contributor+) Stored Cross-Site Scripting via align Attribute |
| CVE-2024-8919 | 2024-09-24 | Confetti Fall Animation <= 1.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via confetti-fall-animation Shortcode |
| CVE-2024-8103 | 2024-09-24 | WP Category Dropdown <= 1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via align Parameter |
| CVE-2024-8914 | 2024-09-24 | Thanh Toán Quét Mã QR Code Tự Động – MoMo, ViettelPay, VNPay và 40 ngân hàng Việt Nam <= 2.0.1 - Unauthenticated Stored Cross-Site Scripting |
| CVE-2024-21545 | 2024-09-24 | Proxmox Virtual Environment is an open-source server management platform for enterprise virtualization. Insufficient safeguards against malicious API response values allow authenticated attackers with 'Sys.Audit' or 'VM.Monitor' privileges to download arbitrary... |
| CVE-2024-39928 | 2024-09-24 | Apache Linkis Spark EngineConn: Commons Lang's RandomStringUtils Random string security vulnerability |
| CVE-2023-5359 | 2024-09-24 | W3 Total Cache <= 2.7.5 - Sensitive Credentials Stored in Plaintext |
| CVE-2024-8437 | 2024-09-24 | WP Easy Gallery – WordPress Gallery Plugin <= 4.8.5 - Missing Authorization to Authenticated (Subscriber+) Gallery Manipulation |
| CVE-2024-8436 | 2024-09-24 | WP Easy Gallery – WordPress Gallery Plugin <= 4.8.5 - Authenticated (Subscriber+) SQL Injection |
| CVE-2024-9142 | 2024-09-24 | Local File Inclusion (LFI) in Olgu Computer Systems' e-Belediye |