Total: 29880 CVEs
| CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
|---|---|---|---|---|---|
| CVE-2024-5503 | 1 Codevibrant | 2 Wp Blog Post Layouts, Wp Blogpost Layouts | 2024-11-21 | 8.8 High | The WP Blog Post Layouts plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1.3. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary PHP files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. |
| CVE-2024-5464 | 1 Huawei | 2 Emui, Harmonyos | 2024-11-21 | 4 Medium | Vulnerability of insufficient permission verification in the NearLink module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. |
| CVE-2024-5455 | 2 Posimyth, Wordpress | 2 The Plus Addons For Elementor, Plus Addon For Elementor Page Builder | 2024-11-21 | 8.8 High | The Plus Addons for Elementor Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.5.4 via the 'magazine_style' parameter within the Dynamic Smart Showcase widget. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. |
| CVE-2024-5389 | 1 Lunary | 1 Lunary | 2024-11-21 | 8.1 High | In lunary-ai/lunary version 1.2.13, an insufficient granularity of access control vulnerability allows users to create, update, get, and delete prompt variations for datasets not owned by their organization. This issue arises due to the application not properly validating the ownership of dataset prompts and their variations against the organization or project of the requesting user. As a result, unauthorized modifications to dataset prompts can occur, leading to altered or removed dataset prompts without proper authorization. This vulnerability impacts the integrity and consistency of dataset information, potentially affecting the results of experiments. |
| CVE-2024-5349 | 1 La-studioweb | 1 Element Kit For Elementor | 2024-11-21 | 8.8 High | The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.8.1 via the 'map_style' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. |
| CVE-2024-4936 | 1 Canto | 1 Canto | 2024-11-21 | 9.8 Critical | The Canto plugin for WordPress is vulnerable to Remote File Inclusion in all versions up to, and including, 3.0.8 via the abspath parameter. This makes it possible for unauthenticated attackers to include remote files on the server, resulting in code execution. This requires allow_url_include to be enabled on the target site in order to exploit. |
| CVE-2024-4551 | 1 Yotuwp | 1 Video Gallery | 2024-11-21 | 6.4 Medium | The Video Gallery – YouTube Playlist, Channel Gallery by YotuWP plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.13 via the display function. This makes it possible for authenticated attackers, with contributor access and higher, to include and execute arbitrary PHP files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. |
| CVE-2024-4258 | 1 Yotuwp | 1 Video Gallery | 2024-11-21 | 9.8 Critical | The Video Gallery – YouTube Playlist, Channel Gallery by YotuWP plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3.13 via the settings parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. |
| CVE-2024-45411 | 1 Symfony | 1 Twig | 2024-11-21 | 8.6 High | Twig is a template language for PHP. Under some circumstances, the sandbox security checks are not run, which allows user-contributed templates to bypass the sandbox restrictions. This vulnerability is fixed in 1.44.8, 2.16.1, and 3.14.0. |
| CVE-2024-45272 | 2 Helmholz, Mbconnectline | 25 Myrex24.virtual, Myrex24 V2, Myrex24 V2 Virtual Server and 22 more | 2024-11-21 | 7.5 High | An unauthenticated remote attacker can perform a brute-force attack on the credentials of the remote service portal with a high chance of success, resulting in connection loss. |
| CVE-2024-41828 | 1 Jetbrains | 1 Teamcity | 2024-11-21 | 2.6 Low | In JetBrains TeamCity before 2024.07, comparison of authorization tokens took non-constant time. |
| CVE-2024-41703 | 1 Librechat | 1 Librechat | 2024-11-21 | 5.4 Medium | LibreChat through 0.7.4-rc1 has incorrect access control for message updates. |
| CVE-2024-41684 | 1 Syrotech | 2 Sy-gpon-1110-wdont, Sy-gpon-1110-wdont Firmware | 2024-11-21 | 5.3 Medium | This vulnerability exists in the SyroTech SY-GPON-1110-WDONT Router due to a missing Secure flag on the session cookies associated with the router's web management interface. An attacker with remote access could exploit this by intercepting transmission within an HTTP session on the vulnerable system. Successful exploitation of this vulnerability could allow the attacker to capture cookies and compromise the targeted system. |
| CVE-2024-3813 | 1 Tagdiv | 1 Tagdiv Composer | 2024-11-21 | 8.8 High | The tagDiv Composer plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.8 via the 'td_block_title' shortcode 'block_template_id' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where the PHP file type can be uploaded and included. |
| CVE-2024-3099 | 1 Lfprojects | 1 Mlflow | 2024-11-21 | 5.4 Medium | A vulnerability in mlflow/mlflow version 2.11.1 allows attackers to create multiple models with the same name by exploiting URL encoding. This flaw can lead to Denial of Service (DoS), as an authenticated user might not be able to use the intended model, since a different model will open each time. Additionally, an attacker can exploit this vulnerability to perform data model poisoning by creating a model with the same name, potentially causing an authenticated user to become a victim by using the poisoned model. The issue stems from inadequate validation of model names, allowing the creation of models with URL-encoded names that are treated as distinct from their URL-decoded counterparts. |
| CVE-2024-39743 | 1 Ibm | 1 Mq Operator | 2024-11-21 | 5.9 Medium | IBM MQ Operator 3.2.2 and IBM MQ Operator 2.0.24 IBM MQ Container Developer Edition is vulnerable to denial of service caused by incorrect memory de-allocation. A remote attacker could exploit this vulnerability to cause the server to consume memory resources. IBM X-Force ID: 297172. |
| CVE-2024-39671 | 1 Huawei | 2 Emui, Harmonyos | 2024-11-21 | 9.3 Critical | Access control vulnerability in the security verification module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. |
| CVE-2024-39375 | 1 Markoni | 4 Markoni-d (compact), Markoni-d (compact) Firmware, Markoni-dh (exciter+amplifiers) and 1 more | 2024-11-21 | 9.8 Critical | TELSAT marKoni FM Transmitters are vulnerable to an attacker bypassing authentication and gaining administrator privileges. |
| CVE-2024-39361 | 1 Mattermost | 1 Mattermost | 2024-11-21 | 3.1 Low | Mattermost versions 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2 and 9.5.x <= 9.5.5 fail to prevent users from specifying a RemoteId for their posts, which allows an attacker to specify both a remoteId and the post ID, resulting in creating a post with a user-defined post ID. This can cause some broken functionality in the channel or thread with user-defined posts. |
| CVE-2024-39325 | 1 Aimeos | 1 Aimeos Frontend Controller | 2024-11-21 | 5.3 Medium | aimeos/ai-controller-frontend is the Aimeos frontend controller. Prior to versions 2024.04.2, 2023.10.9, 2022.10.8, 2021.10.8, and 2020.10.15, aimeos/ai-controller-frontend doesn't reset the payment status of a user's basket after the user completes a purchase. Versions 2024.04.2, 2023.10.9, 2022.10.8, 2021.10.8, and 2020.10.15 fix this issue. |