CVE List - 2024 / September
Showing 401 - 500 of 2516 CVEs for September 2024 (Page 5 of 26)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2024-44838 | 2024-09-06 | RapidCMS v1.3.1 was discovered to contain a SQL injection vulnerability via the username parameter at /resource/runlogin.php. |
| CVE-2024-44839 | 2024-09-06 | RapidCMS v1.3.1 was discovered to contain a SQL injection vulnerability via the articleid parameter at /default/article.php. |
| CVE-2024-44844 | 2024-09-06 | DrayTek Vigor3900 v1.5.1.6 was discovered to contain an authenticated command injection vulnerability via the name parameter in the run_command function. |
| CVE-2024-44845 | 2024-09-06 | DrayTek Vigor3900 v1.5.1.6 was discovered to contain an authenticated command injection vulnerability via the value parameter in the filter_string function. |
| CVE-2024-45751 | 2024-09-06 | tgt (aka Linux target framework) before 1.0.93 attempts to achieve entropy by calling rand without srand. The PRNG seed is always 1, and thus the sequence of challenges is always... |
| CVE-2024-45758 | 2024-09-06 | H2O.ai H2O through 3.46.0.4 allows attackers to arbitrarily set the JDBC URL, leading to deserialization attacks, file reads, and command execution. Exploitation can occur when an attacker has access to... |
| CVE-2024-45771 | 2024-09-06 | RapidCMS v1.3.1 was discovered to contain a SQL injection vulnerability via the password parameter at /resource/runlogin.php. |
| CVE-2024-40865 | 2024-09-06 | The issue was addressed by suspending Persona when the virtual keyboard is active. This issue is fixed in visionOS 1.3. Inputs to the virtual keyboard may be inferred from Persona. |
| CVE-2024-7415 | 2024-09-06 | Remember Me Controls <= 2.0.1 - Unauthenticated Full Path Disclosure |
| CVE-2024-8480 | 2024-09-06 | Image Optimizer, Resizer and CDN – Sirv <= 7.2.7 - Missing Authorization to Authenticated (Contributor+) Arbitrary File Upload |
| CVE-2024-8247 | 2024-09-06 | Newsletters <= 4.9.9.2 - Authenticated Privilege Escalation |
| CVE-2024-38486 | 2024-09-06 | Dell SmartFabric OS10 Software, version(s) 10.5.5.4 through 10.5.5.10 and 10.5.6.x, contain(s) an Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability. A low privileged attacker with... |
| CVE-2024-39585 | 2024-09-06 | Dell SmartFabric OS10 Software, version(s) 10.5.5.4 through 10.5.5.10 and 10.5.6.x, contain(s) a Use of Hard-coded Password vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading... |
| CVE-2024-6792 | 2024-09-06 | WP ULike < 4.7.2.1 - Subscriber+ Stored-XSS |
| CVE-2024-7349 | 2024-09-06 | LifterLMS <= 7.7.5 - Authenticated (Admin+) SQL Injection |
| CVE-2024-8292 | 2024-09-06 | WP-Recall – Registration, Profile, Commerce & More <= 16.26.8 - Insecure Direct Object Reference to Unauthenticated Arbitrary Password Update |
| CVE-2024-8317 | 2024-09-06 | WP AdCenter – Ad Manager & Adsense Ads <= 2.5.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via ad_alignment Attribute |
| CVE-2024-8427 | 2024-09-06 | Frontend Post Submission Manager Lite – Frontend Posting WordPress Plugin <= 1.2.2 - Missing Authorization to Authenticated (Subscriber+) Settings Update |
| CVE-2023-52915 | 2024-09-06 | media: dvb-usb-v2: af9035: Fix null-ptr-deref in af9035_i2c_master_xfer |
| CVE-2023-52916 | 2024-09-06 | media: aspeed: Fix memory overwrite if timing is 1600x900 |
| CVE-2024-1744 | 2024-09-06 | IDOR in Ariva Computer's Accord ORS |
| CVE-2024-45040 | 2024-09-06 | gnark's commitments to private witnesses in Groth16 as implemented break zero-knowledge property |
| CVE-2024-45039 | 2024-09-06 | gnark's Groth16 commitment extension unsound for more than one commitment |
| CVE-2024-45299 | 2024-09-06 | alf.io's preloaded data as json is not escaped correctly |
| CVE-2024-45300 | 2024-09-06 | Bypassing promo code limitations with race conditions |
| CVE-2024-45405 | 2024-09-06 | gix-path improperly resolves configuration path reported by Git |
| CVE-2024-6445 | 2024-09-06 | Authenticated Local File Inclusion (LFI) in DataFlowX's DataDiodeX |
| CVE-2024-7622 | 2024-09-06 | Revision Manager TMC <= 2.8.19 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Email Sending |
| CVE-2024-7599 | 2024-09-06 | Advanced Sermons <= 3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2024-8428 | 2024-09-06 | ForumWP – Forum & Discussion Board Plugin <= 2.0.2 - Insecure Direct Object Reference to Authenticated (Subscriber+) Privilege Escalation via Account Takeover |
| CVE-2024-7493 | 2024-09-06 | WPCOM Member <= 1.5.2.1 - Unauthenticated Privilege Escalation via User Meta |
| CVE-2024-7611 | 2024-09-06 | Enter Addons – Ultimate Template Builder for Elementor <= 2.1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Events Card Widget |
| CVE-2024-25584 | 2024-09-06 | Dovecot accepts dot LF DOT LF symbol as end of DATA command. RFC requires that it should always be CR LF DOT CR LF. This causes Dovecot to convert single... |
| CVE-2024-8509 | 2024-09-06 | Migration toolkit for virtualization: forklift-controller: empty bearer token may perform authentication |
| CVE-2024-45294 | 2024-09-06 | `org.hl7.fhir.core` XXE vulnerability in XSLT transforms |
| CVE-2024-8517 | 2024-09-06 | SPIP Bigup Multipart File Upload OS Command Injection |
| CVE-2024-8394 | 2024-09-06 | When aborting the verification of an OTR chat session, an attacker could have caused a use-after-free bug leading to a potentially exploitable crash. This vulnerability affects Thunderbird < 128.2. |
| CVE-2023-50366 | 2024-09-06 | QTS, QuTS hero |
| CVE-2023-51366 | 2024-09-06 | QTS, QuTS hero |
| CVE-2023-51367 | 2024-09-06 | QTS, QuTS hero |
| CVE-2023-51368 | 2024-09-06 | QTS, QuTS hero |
| CVE-2024-21897 | 2024-09-06 | QTS, QuTS hero |
| CVE-2024-21898 | 2024-09-06 | QTS, QuTS hero |
| CVE-2024-21903 | 2024-09-06 | QTS, QuTS hero |
| CVE-2024-27122 | 2024-09-06 | Notes Station 3 |
| CVE-2024-27126 | 2024-09-06 | Notes Station 3 |
| CVE-2022-27592 | 2024-09-06 | QVR Smart Client |
| CVE-2024-21904 | 2024-09-06 | QTS, QuTS hero |
| CVE-2023-47563 | 2024-09-06 | Video Station |
| CVE-2023-50360 | 2024-09-06 | Video Station |
| CVE-2023-45038 | 2024-09-06 | Music Station |
| CVE-2023-39300 | 2024-09-06 | QTS |
| CVE-2023-39298 | 2024-09-06 | QTS, QuTS hero |
| CVE-2024-32771 | 2024-09-06 | QTS, QuTS hero |
| CVE-2024-27125 | 2024-09-06 | Helpdesk |
| CVE-2024-32762 | 2024-09-06 | QuLog Center |
| CVE-2023-34974 | 2024-09-06 | QTS, QuTS hero, QuTScloud, QVR, QES |
| CVE-2023-34979 | 2024-09-06 | QTS, QuTS hero |
| CVE-2024-21906 | 2024-09-06 | QTS, QuTS hero |
| CVE-2024-32763 | 2024-09-06 | QTS, QuTS hero |
| CVE-2024-38641 | 2024-09-06 | QTS, QuTS hero |
| CVE-2024-38642 | 2024-09-06 | QuMagie |
| CVE-2024-38640 | 2024-09-06 | Download Station |
| CVE-2024-7652 | 2024-09-06 | Type Confusion in Async Generators in Javascript Engine |
| CVE-2024-34155 | 2024-09-06 | Stack exhaustion in all Parse functions in go/parser |
| CVE-2024-34156 | 2024-09-06 | Stack exhaustion in Decoder.Decode in encoding/gob |
| CVE-2024-34158 | 2024-09-06 | Stack exhaustion in Parse in go/build/constraint |
| CVE-2024-45498 | 2024-09-07 | Apache Airflow: Command Injection in an example DAG |
| CVE-2024-45034 | 2024-09-07 | Apache Airflow: Authenticated DAG authors could execute code on scheduler nodes |
| CVE-2024-8521 | 2024-09-07 | Wavelog Live QSO qso index cross site scripting |
| CVE-2024-8538 | 2024-09-07 | Big File Uploads <= 2.1.2 - Authenticated (Author+) Full Path Disclosure |
| CVE-2024-6849 | 2024-09-07 | Preloader Plus – WordPress Loading Screen Plugin <= 2.2.1 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload |
| CVE-2024-8523 | 2024-09-07 | lmxcms SQL Command Execution Module admin.php formatData code injection |
| CVE-2024-1596 | 2024-09-07 | Ninja Forms File Uploads <= 3.3.16 - Unauthenticated Stored Cross-Site Scripting via File Upload |
| CVE-2024-7112 | 2024-09-07 | Pinpoint Booking System <= 2.9.9.5.0 - Authenticated (Subscriber+) SQL Injection |
| CVE-2024-7620 | 2024-09-07 | Customizer Export/Import <= 0.9.7 - Authenticated (Admin+) Arbitrary File Upload via Customization Settings Import |
| CVE-2024-6010 | 2024-09-07 | Cost Calculator Builder PRO <= 3.2.1 - Unauthenticated Price Manipulation |
| CVE-2024-8554 | 2024-09-07 | SourceCodester Clinics Patient Management System users.php cross site scripting |
| CVE-2024-37068 | 2024-09-07 | IBM Maximo Application Suite information disclosure |
| CVE-2024-40680 | 2024-09-07 | IBM MQ denial of service |
| CVE-2024-40681 | 2024-09-07 | IBM MQ security bypass |
| CVE-2024-8555 | 2024-09-07 | SourceCodester Clinics Patient Management System congratulations.php redirect |
| CVE-2024-8557 | 2024-09-07 | SourceCodester Food Ordering Management System cancel-order.php sql injection |
| CVE-2024-8558 | 2024-09-07 | SourceCodester Food Ordering Management System Price place-order.php improper validation of specified quantity in input |
| CVE-2023-30584 | 2024-09-07 | A vulnerability has been discovered in Node.js version 20, specifically within the experimental permission model. This flaw relates to improper handling of path traversal bypass when verifying file permissions. Please... |
| CVE-2023-30583 | 2024-09-07 | fs.openAsBlob() can bypass the experimental permission model when using the file system read restriction with the `--allow-fs-read` flag in Node.js 20. This flaw arises from a missing check in the... |
| CVE-2023-30587 | 2024-09-07 | A vulnerability in Node.js version 20 allows for bypassing restrictions set by the --experimental-permission flag using the built-in inspector module (node:inspector). By exploiting the Worker class's ability to create an... |
| CVE-2023-30582 | 2024-09-07 | A vulnerability has been identified in Node.js version 20, affecting users of the experimental permission model when the --allow-fs-read flag is used with a non-* argument. This flaw arises from... |
| CVE-2024-36137 | 2024-09-07 | A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used. Node.js Permission Model do not operate on file descriptors, however,... |
| CVE-2023-39333 | 2024-09-07 | Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code. The injected code may be able to access data and functions that the WebAssembly module itself does... |
| CVE-2024-36138 | 2024-09-07 | Bypass incomplete fix of CVE-2024-27980, that arises from improper handling of batch files with all possible extensions on Windows via child_process.spawn / child_process.spawnSync. A malicious command line argument can inject... |
| CVE-2023-46809 | 2024-09-07 | Node.js versions which bundle an unpatched version of OpenSSL or run against a dynamically linked version of OpenSSL which are unpatched are vulnerable to the Marvin Attack - https://people.redhat.com/~hkario/marvin/, if... |
| CVE-2024-42019 | 2024-09-07 | A vulnerability that allows an attacker to access the NTLM hash of the Veeam Reporter Service service account. This attack requires user interaction and data collected from Veeam Backup &... |
| CVE-2024-39718 | 2024-09-07 | An improper input validation vulnerability that allows a low-privileged user to remotely remove files on the system with permissions equivalent to those of the service account. |
| CVE-2024-40710 | 2024-09-07 | A series of related high-severity vulnerabilities, the most notable enabling remote code execution (RCE) as the service account and extraction of sensitive information (savedcredentials and passwords). Exploiting these vulnerabilities requires... |
| CVE-2024-39714 | 2024-09-07 | A code injection vulnerability that permits a low-privileged user to upload arbitrary files to the server, leading to remote code execution on VSPC server. |
| CVE-2024-42020 | 2024-09-07 | A Cross-site-scripting (XSS) vulnerability exists in the Reporter Widgets that allows HTML injection. |
| CVE-2024-38651 | 2024-09-07 | A code injection vulnerability can allow a low-privileged user to overwrite files on that VSPC server, which can lead to remote code execution on VSPC server. |
| CVE-2024-40712 | 2024-09-07 | A path traversal vulnerability allows an attacker with a low-privileged account and local access to the system to perform local privilege escalation (LPE). |
| CVE-2024-39715 | 2024-09-07 | A code injection vulnerability that allows a low-privileged user with REST API access granted to remotely upload arbitrary files to the VSPC server using REST API, leading to remote code... |
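CVE-2024-45751 (the tgt row above) is the textbook unseeded-PRNG bug: a process that calls rand() without ever calling srand() starts from libc's default seed every time it runs, so anyone who runs the same generator can reproduce every challenge the daemon will issue, and a challenge-response authentication built on it gives no replay protection. The C program below is an added illustration written for this page, not tgt's code or its fix; the function names, the 16-byte challenge length and the choice of /dev/urandom as the replacement source are assumptions. It shows the weak generator, the property that makes it attackable (an unseeded first challenge equals a srand(1) replay), and a hardened replacement drawn from the kernel CSPRNG.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CHALLENGE_LEN 16   /* assumed challenge size for the illustration */

/* Vulnerable pattern: the daemon never calls srand(), so every process
 * starts libc's PRNG from the same default state (C99 7.20.2.2: unseeded
 * rand() behaves as if srand(1) had been called). */
void weak_challenge(unsigned char *out, size_t len)
{
    for (size_t i = 0; i < len; i++)
        out[i] = (unsigned char)(rand() & 0xff);
}

/* Hardened replacement: take the challenge from the kernel CSPRNG.
 * Assumes a POSIX system exposing /dev/urandom. Returns 0 on success. */
int strong_challenge(unsigned char *out, size_t len)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    size_t n = fread(out, 1, len, f);
    fclose(f);
    return (n == len) ? 0 : -1;
}

/* Models the attack: the first challenge emitted by a fresh, unseeded
 * process is compared with what an attacker gets by running the same
 * generator after srand(1). Call this before any other rand() use in
 * the process. Returns 1 if the attacker's guess matches byte for byte. */
int weak_challenge_is_predictable(void)
{
    unsigned char fresh[CHALLENGE_LEN], guess[CHALLENGE_LEN];
    weak_challenge(fresh, CHALLENGE_LEN);   /* what the daemon sends */
    srand(1);                               /* attacker's offline replay */
    weak_challenge(guess, CHALLENGE_LEN);
    return memcmp(fresh, guess, CHALLENGE_LEN) == 0;
}

/* Sanity check for the fix: two consecutive challenges must differ
 * (a collision of 128 random bits is not going to happen). Returns 1
 * when both reads succeed and the outputs differ. */
int strong_challenge_is_fresh(void)
{
    unsigned char a[CHALLENGE_LEN], b[CHALLENGE_LEN];
    if (strong_challenge(a, CHALLENGE_LEN) != 0 ||
        strong_challenge(b, CHALLENGE_LEN) != 0)
        return 0;
    return memcmp(a, b, CHALLENGE_LEN) != 0;
}

static void print_hex(const char *label, const unsigned char *buf, size_t len)
{
    printf("%-24s", label);
    for (size_t i = 0; i < len; i++)
        printf("%02x", buf[i]);
    putchar('\n');
}

int main(void)
{
    unsigned char buf[CHALLENGE_LEN];

    printf("unseeded rand() reproducible after srand(1): %s\n",
           weak_challenge_is_predictable() ? "yes" : "no");

    srand(1);                       /* same state an unseeded process starts in */
    weak_challenge(buf, CHALLENGE_LEN);
    print_hex("weak (rand, seed 1):", buf, CHALLENGE_LEN);

    if (strong_challenge(buf, CHALLENGE_LEN) == 0)
        print_hex("strong (/dev/urandom):", buf, CHALLENGE_LEN);
    return 0;
}
```

Compile with `cc -o challenge challenge.c` and run it twice: the "weak" line is identical on every run, the "strong" line never repeats. Note that the fix is not "add srand(time(NULL))": a 32-bit seed taken from the clock is still guessable to within a few seconds, so the replay only gets slightly more work. The generator feeding an authentication challenge has to be a CSPRNG (getrandom(2), arc4random(3), or a read from /dev/urandom as above), and a regression test for this class of bug is exactly weak_challenge_is_predictable(): the first challenge of a fresh process must not match a fixed-seed replay.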