CVE List - 2024 / September
Showing 801 - 900 of 2516 CVEs for September 2024 (Page 9 of 26)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2024-38045 | 2024-09-10 | Windows TCP/IP Remote Code Execution Vulnerability |
| CVE-2024-38119 | 2024-09-10 | Windows Network Address Translation (NAT) Remote Code Execution Vulnerability |
| CVE-2024-43454 | 2024-09-10 | Windows Remote Desktop Licensing Service Remote Code Execution Vulnerability |
| CVE-2024-43455 | 2024-09-10 | Windows Remote Desktop Licensing Service Spoofing Vulnerability |
| CVE-2024-43457 | 2024-09-10 | Windows Setup and Deployment Elevation of Privilege Vulnerability |
| CVE-2024-43458 | 2024-09-10 | Windows Networking Information Disclosure Vulnerability |
| CVE-2024-43461 | 2024-09-10 | Windows MSHTML Platform Spoofing Vulnerability |
| CVE-2024-43466 | 2024-09-10 | Microsoft SharePoint Server Denial of Service Vulnerability |
| CVE-2024-43469 | 2024-09-10 | Azure CycleCloud Remote Code Execution Vulnerability |
| CVE-2024-43470 | 2024-09-10 | Azure Network Watcher VM Agent Elevation of Privilege Vulnerability |
| CVE-2024-43475 | 2024-09-10 | Microsoft Windows Admin Center Information Disclosure Vulnerability |
| CVE-2024-43476 | 2024-09-10 | Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability |
| CVE-2024-43479 | 2024-09-10 | Microsoft Power Automate Desktop Remote Code Execution Vulnerability |
| CVE-2024-30073 | 2024-09-10 | Windows Security Zone Mapping Security Feature Bypass Vulnerability |
| CVE-2024-43487 | 2024-09-10 | Windows Mark of the Web Security Feature Bypass Vulnerability |
| CVE-2024-43491 | 2024-09-10 | Microsoft Windows Update Remote Code Execution Vulnerability |
| CVE-2024-43495 | 2024-09-10 | Windows libarchive Remote Code Execution Vulnerability |
| CVE-2024-38194 | 2024-09-10 | Azure Web Apps Elevation of Privilege Vulnerability |
| CVE-2024-37980 | 2024-09-10 | Microsoft SQL Server Elevation of Privilege Vulnerability |
| CVE-2024-45596 | 2024-09-10 | Directus's session is cached for OpenID and OAuth2 if `redirect` is not used |
| CVE-2024-45409 | 2024-09-10 | The Ruby SAML library vulnerable to a SAML authentication bypass via Incorrect XPath selector |
| CVE-2024-8503 | 2024-09-10 | VICIdial Unauthenticated SQL Injection |
| CVE-2024-8504 | 2024-09-10 | VICIdial Authenticated Remote Code Execution |
| CVE-2024-8655 | 2024-09-10 | Mercury MNVR816 web-static file access |
| CVE-2024-8232 | 2024-09-10 | iniNet Solutions SpiderControl SCADA Web Server Unrestricted Upload of File with Dangerous Type |
| CVE-2024-8190 | 2024-09-10 | An OS command injection vulnerability in Ivanti Cloud Services Appliance versions 4.6 Patch 518 and before allows a remote authenticated attacker to obtain remote code execution. The attacker must have... |
| CVE-2024-8012 | 2024-09-10 | An authentication bypass weakness in the message broker service of Ivanti Workspace Control before version 2025.2 (10.19.0.0) allows a local authenticated attacker to escalate their privileges. |
| CVE-2024-44103 | 2024-09-10 | DLL hijacking in the management console of Ivanti Workspace Control before version 2025.2 (10.19.0.0) allows a local authenticated attacker to escalate their privileges. |
| CVE-2024-44104 | 2024-09-10 | An incorrectly implemented authentication scheme that is subjected to a spoofing attack in the management console of Ivanti Workspace Control before version 2025.2 (10.19.0.0) allows a local authenticated attacker to... |
| CVE-2024-44105 | 2024-09-10 | Cleartext transmission of sensitive information in the management console of Ivanti Workspace Control before version 2025.2 (10.19.0.0) allows a local authenticated attacker to obtain OS credentials. |
| CVE-2024-44106 | 2024-09-10 | Insufficient server-side controls in the management console of Ivanti Workspace Control before version 2025.2 (10.19.0.0) allows a local authenticated attacker to escalate their privileges. |
| CVE-2024-44107 | 2024-09-10 | DLL hijacking in the management console of Ivanti Workspace Control before version 2025.2 (10.19.0.0) allows a local authenticated attacker to escalate their privileges and achieve arbitrary code execution. |
| CVE-2024-8191 | 2024-09-10 | SQL injection in the management console of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to achieve remote code execution. |
| CVE-2024-8320 | 2024-09-10 | Missing authentication in Network Isolation of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to spoof Network Isolation status of managed devices. |
| CVE-2024-8321 | 2024-09-10 | Missing authentication in Network Isolation of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote unauthenticated attacker to isolate managed devices from the network. |
| CVE-2024-8322 | 2024-09-10 | Weak authentication in Patch Management of Ivanti EPM before 2022 SU6, or the 2024 September update allows a remote authenticated attacker to access restricted functionality. |
| CVE-2024-8441 | 2024-09-10 | An uncontrolled search path in the agent of Ivanti EPM before 2022 SU6, or the 2024 September update allows a local authenticated attacker with admin privileges to escalate their privileges... |
| CVE-2024-45597 | 2024-09-10 | Pluto's http.request allows CR and LF in header values |
| CVE-2024-42760 | 2024-09-11 | SQL Injection vulnerability in Ellevo v.6.2.0.38160 allows a remote attacker to obtain sensitive information via the /api/mob/instrucao/conta/destinatarios component. |
| CVE-2024-44466 | 2024-09-11 | COMFAST CF-XR11 V2.7.2 has a command injection vulnerability in function sub_424CB4. Attackers can send POST request messages to /usr/bin/webmgnt and inject commands into parameter iface. |
| CVE-2024-44541 | 2024-09-11 | evilnapsis Inventio Lite versions v4 and before are vulnerable to SQL Injection via the "username" parameter in "/?action=processlogin." |
| CVE-2024-44570 | 2024-09-11 | RELY-PCIe v22.2.1 to v23.1.0 was discovered to contain a code injection vulnerability via the getParams function in phpinf.php. |
| CVE-2024-44571 | 2024-09-11 | RELY-PCIe v22.2.1 to v23.1.0 was discovered to contain incorrect access control in the mService function at phpinf.php. |
| CVE-2024-44572 | 2024-09-11 | RELY-PCIe v22.2.1 to v23.1.0 was discovered to contain a command injection vulnerability via the sys_mgmt function. |
| CVE-2024-44573 | 2024-09-11 | A stored cross-site scripting (XSS) vulnerability in the VLAN configuration of RELY-PCIe v22.2.1 to v23.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. |
| CVE-2024-44574 | 2024-09-11 | RELY-PCIe v22.2.1 to v23.1.0 was discovered to contain a command injection vulnerability via the sys_conf function. |
| CVE-2024-44575 | 2024-09-11 | RELY-PCIe v22.2.1 to v23.1.0 does not set the Secure attribute for sensitive cookies in HTTPS sessions, which could cause the user agent to send those cookies in cleartext over an... |
| CVE-2024-44577 | 2024-09-11 | RELY-PCIe v22.2.1 to v23.1.0 was discovered to contain a command injection vulnerability via the time_date function. |
| CVE-2024-44851 | 2024-09-11 | A stored cross-site scripting (XSS) vulnerability in the Discussion section of Perfex CRM v1.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the... |
| CVE-2024-23716 | 2024-09-11 | In DevmemIntPFNotify of devicemem_server.c, there is a possible use-after-free due to a race condition. This could lead to local escalation of privilege in the kernel with no additional execution privileges... |
| CVE-2024-31336 | 2024-09-11 | In PVRSRVBridgeRGXKickTA3D2 of server_rgxta3d_bridge.c, there is a possible arbitrary code execution due to improper input validation. This could lead to local escalation of privilege in the kernel with no additional... |
| CVE-2024-40650 | 2024-09-11 | In wifi_item_edit_content of styles.xml, there is a possible FRP bypass due to a missing check for FRP state. This could lead to local escalation of privilege with no additional execution... |
| CVE-2024-40652 | 2024-09-11 | In onCreate of SettingsHomepageActivity.java, there is a possible way to access the Settings app while the device is provisioning due to a missing permission check. This could lead to local... |
| CVE-2024-40654 | 2024-09-11 | In multiple locations, there is a possible permission bypass due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction... |
| CVE-2024-40655 | 2024-09-11 | In bindAndGetCallIdentification of CallScreeningServiceHelper.java, there is a possible way to maintain a while-in-use permission in the background due to a permissions bypass. This could lead to local escalation of privilege... |
| CVE-2024-40656 | 2024-09-11 | In handleCreateConferenceComplete of ConnectionServiceWrapper.java, there is a possible way to reveal images across users due to a confused deputy. This could lead to local information disclosure with no additional execution... |
| CVE-2024-40657 | 2024-09-11 | In addPreferencesForType of AccountTypePreferenceLoader.java, there is a possible way to disable apps for other users due to a confused deputy. This could lead to local escalation of privilege with no... |
| CVE-2024-40658 | 2024-09-11 | In getConfig of SoftVideoDecoderOMXComponent.cpp, there is a possible out of bounds write due to a heap buffer overflow. This could lead to local escalation of privilege with no additional execution... |
| CVE-2024-40659 | 2024-09-11 | In getRegistration of RemoteProvisioningService.java, there is a possible way to permanently disable the AndroidKeyStore key generation feature by updating the attestation keys of all installed apps due to improper input... |
| CVE-2024-40662 | 2024-09-11 | In scheme of Uri.java, there is a possible way to craft a malformed Uri object due to improper input validation. This could lead to local escalation of privilege with no... |
| CVE-2024-8253 | 2024-09-11 | Post Grid and Gutenberg Blocks 2.2.87 - 2.2.90 - Authenticated (Subscriber+) Privilege Escalation |
| CVE-2024-23906 | 2024-09-11 | Improper Neutralization of Input During Web Page Generation (CWE-79) in the Controller 6000 and Controller 7000 diagnostic webpage allows an attacker to modify Controller configuration during an authenticated Operator's session.... |
| CVE-2024-24972 | 2024-09-11 | Buffer Copy without Checking Size of Input (CWE-120) in the Controller 6000 and Controller 7000 diagnostic web interface allows an authorised and authenticated operator to reboot the Controller, causing a... |
| CVE-2024-39808 | 2024-09-11 | Incorrect Calculation of Buffer Size (CWE-131) in the Controller 6000 and Controller 7000 OSDP message handling, allows an attacker with physical access to Controller wiring to instigate a reboot leading... |
| CVE-2024-43690 | 2024-09-11 | Inclusion of Functionality from Untrusted Control Sphere (CWE-829) in the Command Centre Server and Workstations may allow an attacker to perform Remote Code Execution (RCE). This issue affects: Command Centre Server... |
| CVE-2024-1656 | 2024-09-11 | Affected versions of Octopus Server had a weak content security policy. |
| CVE-2024-7721 | 2024-09-11 | HTML5 Video Player – mp4 Video Player Plugin and Block <= 2.5.34 - Missing Authorization to Authenticated (Subscriber+) Limited Options Update |
| CVE-2024-7727 | 2024-09-11 | HTML5 Video Player – mp4 Video Player Plugin and Block <= 2.5.32 - Missing Authorization in multiple functions via h5vp_ajax_handler |
| CVE-2024-21529 | 2024-09-11 | Versions of the package dset before 3.1.4 are vulnerable to Prototype Pollution via the dset function due to improper user input sanitization. This vulnerability allows the attacker to inject malicious object... |
| CVE-2024-3899 | 2024-09-11 | Envira Gallery < 1.8.15 - Author+ Stored XSS |
| CVE-2024-7716 | 2024-09-11 | GS Logo Slider Lite < 3.6.9 - Admin+ Stored XSS |
| CVE-2024-8440 | 2024-09-11 | Essential Addons for Elementor -- Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 6.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Fancy Text Widget |
| CVE-2024-7626 | 2024-09-11 | WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes) <= 1.6.9 - Improper Path Validation to Authenticated (Subscriber+) Arbitrary File Move and Read |
| CVE-2024-8045 | 2024-09-11 | Advanced WordPress Backgrounds <= 1.12.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via imageTag Parameter |
| CVE-2019-25212 | 2024-09-11 | video carousel slider with lightbox <= 1.0.6 - Authenticated (Admin+) SQL Injection |
| CVE-2024-8277 | 2024-09-11 | WooCommerce Photo Reviews Premium <= 1.3.13.2 - Authentication Bypass to Account Takeover and Privilege Escalation |
| CVE-2024-45327 | 2024-09-11 | An improper authorization vulnerability [CWE-285] in FortiSOAR version 7.4.0 through 7.4.3, 7.3.0 through 7.3.2, 7.2.0 through 7.2.2, 7.0.0 through 7.0.3 change password endpoint may allow an authenticated attacker to perform... |
| CVE-2024-8096 | 2024-09-11 | OCSP stapling bypass with GnuTLS |
| CVE-2024-5416 | 2024-09-11 | Elementor Website Builder – More than Just a Page Builder <= 3.23.4 - Authenticated (Contributor+) Stored Cross-Site Scripting in the URL Parameter in Multiple Widgets |
| CVE-2024-7609 | 2024-09-11 | Directory Traversal in Vidco Software's VOC TESTER |
| CVE-2024-45786 | 2024-09-11 | Improper Authorization Vulnerability |
| CVE-2024-45787 | 2024-09-11 | Information Disclosure Vulnerability |
| CVE-2024-45788 | 2024-09-11 | No Rate Limiting Vulnerability |
| CVE-2024-45789 | 2024-09-11 | Parameter Tampering Vulnerability |
| CVE-2024-45790 | 2024-09-11 | User Enumeration Vulnerability |
| CVE-2024-6091 | 2024-09-11 | Shell Command Denylist Bypass in significant-gravitas/autogpt |
| CVE-2024-8646 | 2024-09-11 | Eclipse Glassfish: URL redirection vulnerability to untrusted sites |
| CVE-2024-8642 | 2024-09-11 | Eclipse EDC: Consumer pull transfer token validation checks not applied |
| CVE-2024-27113 | 2024-09-11 | Insecure Direct Object Reference to export Database in SOPlanning before 1.52.02 |
| CVE-2024-27115 | 2024-09-11 | Remote Code Execution through File Upload in SOPlanning before 1.52.02 |
| CVE-2024-27114 | 2024-09-11 | Remote Code Execution through File Upload in SOPlanning before 1.52.02 |
| CVE-2024-27112 | 2024-09-11 | SQL Injection in SOPlanning before 1.52.02 |
| CVE-2024-8636 | 2024-09-11 | Heap buffer overflow in Skia in Google Chrome prior to 128.0.6613.137 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) |
| CVE-2024-8637 | 2024-09-11 | Use after free in Media Router in Google Chrome on Android prior to 128.0.6613.137 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security... |
| CVE-2024-8638 | 2024-09-11 | Type Confusion in V8 in Google Chrome prior to 128.0.6613.137 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High) |
| CVE-2024-8639 | 2024-09-11 | Use after free in Autofill in Google Chrome on Android prior to 128.0.6613.137 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity:... |
| CVE-2024-43793 | 2024-09-11 | Halo's editor has a stored XSS vulnerability |
| CVE-2024-4465 | 2024-09-11 | Incorrect authorization for Reports configuration in Guardian/CMC before 24.2.0 |
| CVE-2024-8306 | 2024-09-11 | CWE-269: Improper Privilege Management vulnerability exists that could cause unauthorized access, loss of confidentiality, integrity and availability of the workstation when non-admin authenticated user tries to perform privilege escalation by... |
| CVE-2024-45009 | 2024-09-11 | mptcp: pm: only decrement add_addr_accepted for MPJ req |