Search Results (78913 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-41226 | 1 Automationanywhere | 1 Automation 360 | 2024-09-03 | 8.8 High |
| A CSV injection vulnerability in Automation Anywhere Automation 360 version 21094 allows attackers to execute arbitrary code via a crafted payload. NOTE: Automation Anywhere disputes this report, arguing the attacker executes everything from the client side and does not attack the Control Room. The payload is being injected in the HTTP response from the client side, so the owner of the response and payload is the end user in this case. They contend that the server's security controls have no impact or role to play in this situation and therefore this is not a valid vulnerability. | ||||
| CVE-2024-41518 | 2 Feripro, Mecodia | 2 Feripro, Feripro | 2024-09-03 | 7.5 High |
| An Incorrect Access Control vulnerability in "/admin/programm/<program_id>/export/statistics" in Feripro <= v2.2.3 allows remote attackers to export an XLSX file with information about registrations and participants. | ||||
| CVE-2024-41700 | 1 Barix | 2 Sip Client Firmware, Sip Client Web Management Interface Ui | 2024-09-03 | 7.5 High |
| Barix – CWE-200 Exposure of Sensitive Information to an Unauthorized Actor | ||||
| CVE-2024-42941 | 1 Tenda | 2 Fh1201, Fh1201 Firmware | 2024-09-03 | 7.5 High |
| Tenda FH1201 v1.2.0.14 (408) was discovered to contain a stack overflow via the wanmode parameter in the fromAdvSetWan function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted POST request. | ||||
| CVE-2024-42948 | 1 Tenda | 2 Fh1201, Fh1201 Firmware | 2024-09-03 | 7.5 High |
| Tenda FH1201 v1.2.0.14 (408) was discovered to contain a stack overflow via the delno parameter in the fromPptpUserSetting function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted POST request. | ||||
| CVE-2024-44778 | 1 Vtiger | 1 Vtiger Crm | 2024-09-03 | 7.4 High |
| A reflected cross-site scripting (XSS) vulnerability in the parent parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload. | ||||
| CVE-2024-44779 | 1 Vtiger | 1 Vtiger Crm | 2024-09-03 | 7.4 High |
| A reflected cross-site scripting (XSS) vulnerability in the viewname parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload. | ||||
| CVE-2024-44777 | 1 Vtiger | 1 Vtiger Crm | 2024-09-03 | 7.4 High |
| A reflected cross-site scripting (XSS) vulnerability in the tag parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload. | ||||
| CVE-2024-7798 | 2 Oretnom23, Sourcecodester | 2 Simple Online Bidding System, Simple Online Bidding System | 2024-09-03 | 7.3 High |
| A vulnerability was found in SourceCodester Simple Online Bidding System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /simple-online-bidding-system/bidding/admin/ajax.php?action=login2. The manipulation of the argument username leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-43948 | 1 Dineshkarki | 2 Wp Armour, Wp Armour Extended | 2024-09-03 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Dinesh Karki WP Armour Extended. This issue affects WP Armour Extended: from n/a through 1.26. | ||||
| CVE-2024-7782 | 1 Bitapps | 1 Contact Form Builder | 2024-09-03 | 8.7 High |
| The Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the iconRemove function in versions 2.0 to 2.13.4. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | ||||
| CVE-2024-2694 | 1 Muffingroup | 1 Betheme | 2024-09-03 | 8.8 High |
| The Betheme theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 27.5.6 via deserialization of untrusted input of the 'mfn-page-items' post meta value. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. | ||||
| CVE-2024-42361 | 1 Apache | 1 Hertzbeat | 2024-09-03 | 7.5 High |
| Hertzbeat is an open source, real-time monitoring system. Hertzbeat 1.6.0 and earlier declares a /api/monitor/{monitorId}/metric/{metricFull} endpoint to download job metrics. In the process, it executes a SQL query with user-controlled data, allowing for SQL injection. | ||||
| CVE-2024-7448 | 2 Magnet Forensics, Magnetforensics | 2 Axiom, Axiom | 2024-09-03 | 8.0 High |
| Magnet Forensics AXIOM Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Magnet Forensics AXIOM. User interaction is required to exploit this vulnerability in that the target must acquire data from a malicious mobile device. The specific flaw exists within the Android device image acquisition functionality. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-23964. | ||||
| CVE-2024-41864 | 1 Adobe | 1 Substance 3d Designer | 2024-08-31 | 7.8 High |
| Substance3D - Designer versions 13.1.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | ||||
| CVE-2024-42340 | 1 Cyberark | 1 Identity | 2024-08-30 | 8.3 High |
| CyberArk - CWE-602: Client-Side Enforcement of Server-Side Security | ||||
| CVE-2024-38869 | 1 Zohocorp | 4 Manageengine Endpoint Central, Manageengine Servicedesk Plus, Manageengine Servicedesk Plus Msp and 1 more | 2024-08-30 | 8.3 High |
| Zohocorp ManageEngine Endpoint Central is affected by an incorrect authorization vulnerability in remote office deploy configurations. This issue affects Endpoint Central: before 11.3.2416.04 and before 11.3.2400.25. | ||||
| CVE-2024-41889 | 1 Pimax | 2 Pitool, Play | 2024-08-30 | 8.8 High |
| Multiple Pimax products accept WebSocket connections from unintended endpoints. If this vulnerability is exploited, arbitrary code may be executed by a remote unauthenticated attacker. | ||||
| CVE-2024-6117 | 1 Hamastar | 1 Meetinghub Paperless Meetings | 2024-08-30 | 8.8 High |
| An unrestricted upload of file with dangerous type vulnerability in the meeting management function in Hamastar MeetingHub Paperless Meetings 2021 allows remote authenticated users to perform arbitrary system commands via a crafted ASP file. | ||||
| CVE-2024-45232 | 2 In2code, Typo3 | 2 Powermail, Typo3 | 2024-08-30 | 7.3 High |
| An issue was discovered in powermail extension through 12.3.5 for TYPO3. It fails to validate the mail parameter of the confirmationAction, resulting in Insecure Direct Object Reference (IDOR). An unauthenticated attacker can use this to display the user-submitted data of all forms persisted by the extension. This can only be exploited when the extension is configured to save submitted form data to the database (plugin.tx_powermail.settings.db.enable=1), which however is the default setting of the extension. The fixed versions are 7.5.0, 8.5.0, 10.9.0, and 12.4.0. | ||||