Export limit exceeded: 341843 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (341843 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-33580 | 1 Lenovo | 1 Personal Cloud | 2024-10-15 | 7.8 High |
| A DLL hijack vulnerability was reported in Lenovo Personal Cloud that could allow a local attacker to execute code with elevated privileges. | ||||
| CVE-2024-33579 | 1 Lenovo | 1 Baiying | 2024-10-15 | 7.8 High |
| A DLL hijack vulnerability was reported in Lenovo Baiying that could allow a local attacker to execute code with elevated privileges. | ||||
| CVE-2023-42133 | 1 Paxtechnology | 1 Paydroid | 2024-10-15 | 6.7 Medium |
| PAX Android based POS devices allow for escalation of privilege via improperly configured scripts. An attacker must have shell access with system account privileges in order to exploit this vulnerability. A patch addressing this issue was included in firmware version PayDroid_8.1.0_Sagittarius_V11.1.61_20240226. | ||||
| CVE-2024-9234 | 1 Wpmet | 1 Gutenkit | 2024-10-15 | 9.8 Critical |
| The GutenKit – Page Builder Blocks, Patterns, and Templates for Gutenberg Block Editor plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the install_and_activate_plugin_from_external() function (install-active-plugin REST API endpoint) in all versions up to, and including, 2.1.0. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins, or utilize the functionality to upload arbitrary files spoofed like plugins. | ||||
| CVE-2024-9611 | 2024-10-15 | 6.1 Medium | ||
| The Increase upload file size & Maximum Execution Time limit plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.0. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2024-9543 | 2024-10-15 | 6.4 Medium | ||
| The PowerPress Podcasting plugin by Blubrry plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'skipto' shortcode in all versions up to, and including, 11.9.18 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2023-25581 | 1 Pac4j | 1 Pac4j | 2024-10-15 | N/A |
| pac4j is a security framework for Java. `pac4j-core` prior to version 4.0.0 is affected by a Java deserialization vulnerability. The vulnerability affects systems that store externally controlled values in attributes of the `UserProfile` class from pac4j-core. It can be exploited by providing an attribute that contains a serialized Java object with a special prefix `{#sb64}` and Base64 encoding. This issue may lead to Remote Code Execution (RCE) in the worst case. Although a `RestrictedObjectInputStream` is in place, that puts some restriction on what classes can be deserialized, it still allows a broad range of java packages and potentially exploitable with different gadget chains. pac4j versions 4.0.0 and greater are not affected by this issue. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2024-9002 | 1 Schneider-electric | 1 Easergy Studio | 2024-10-15 | 7.8 High |
| CWE-269: Improper Privilege Management vulnerability exists that could cause unauthorized access, loss of confidentiality, integrity, and availability of the workstation when non-admin authenticated user tries to perform privilege escalation by tampering with the binaries | ||||
| CVE-2024-9232 | 2024-10-15 | 6.1 Medium | ||
| The Download Plugins and Themes in ZIP from Dashboard plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 1.9.1. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2024-33578 | 1 Lenovo | 1 Leyun | 2024-10-15 | 7.8 High |
| A DLL hijack vulnerability was reported in Lenovo Leyun that could allow a local attacker to execute code with elevated privileges. | ||||
| CVE-2024-8070 | 2024-10-15 | 8.5 High | ||
| CWE-312: Cleartext Storage of Sensitive Information vulnerability exists that exposes test credentials in the firmware binary | ||||
| CVE-2024-44414 | 1 Wayos | 1 Fbm 292w Firmware | 2024-10-15 | 8.8 High |
| A vulnerability was discovered in FBM_292W-21.03.10V, which has been classified as critical. This issue affects the sub_4901E0 function in the msp_info.htm file. Manipulation of the path parameter can lead to command injection. | ||||
| CVE-2024-1342 | 2024-10-14 | 4.2 Medium | ||
| Unable to reproduce. | ||||
| CVE-2023-45817 | 2024-10-14 | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2024-9823. Reason: This candidate is a reservation duplicate of CVE-2024-9823. Notes: All CVE users should reference CVE-2024-9823 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. | ||||
| CVE-2024-9142 | 1 Olgu Computer Systems | 1 E-belediye | 2024-10-14 | 9.8 Critical |
| External Control of File Name or Path, : Incorrect Permission Assignment for Critical Resource vulnerability in Olgu Computer Systems e-Belediye allows Manipulating Web Input to File System Calls.This issue affects e-Belediye: before 2.0.642. | ||||
| CVE-2024-48261 | 2024-10-14 | N/A | ||
| DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2024-48251. Reason: This candidate is a reservation duplicate of CVE-2024-48251. Notes: All CVE users should reference CVE-2024-48251 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. | ||||
| CVE-2024-40616 | 2024-10-14 | N/A | ||
| DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. | ||||
| CVE-2024-47790 | 1 D3dsecurity | 1 D8801 | 2024-10-14 | N/A |
| ** UNSUPPORTED WHEN ASSIGNED ** This vulnerability exists in D3D Security IP Camera D8801 due to usage of insecure Real-Time Streaming Protocol (RTSP) version for live video streaming. A remote attacker could exploit this vulnerability by crafting a RTSP packet leading to unauthorized access to live feed of the targeted device. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | ||||
| CVE-2024-47789 | 1 D3dsecurity | 1 D8801 | 2024-10-14 | N/A |
| ** UNSUPPORTED WHEN ASSIGNED ** This vulnerability exists in D3D Security IP Camera D8801 due to usage of weak authentication scheme of the HTTP header protocol where authorization tag contain a Base-64 encoded username and password. A remote attacker could exploit this vulnerability by crafting a HTTP packet leading to exposure of user credentials of the targeted device. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | ||||
| CVE-2024-45132 | 1 Adobe | 3 Commerce, Commerce B2b, Magento | 2024-10-14 | 6.5 Medium |
| Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Authorization vulnerability that could result in Privilege escalation. A low-privileged attacker could leverage this vulnerability to bypass security measures and affect confidentiality. Exploitation of this issue does not require user interaction. | ||||