ReportizFlow
Filtered by vendor
Subscriptions
Total
323547 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-47444 | 3 Adobe, Apple, Microsoft | 3 After Effects, Macos, Windows | 2024-11-14 | 5.5 Medium |
| After Effects versions 23.6.9, 24.6.2 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | ||||
| CVE-2024-47446 | 3 Adobe, Apple, Microsoft | 3 After Effects, Macos, Windows | 2024-11-14 | 5.5 Medium |
| After Effects versions 23.6.9, 24.6.2 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | ||||
| CVE-2024-29211 | 1 Ivanti | 1 Secure Access Client | 2024-11-14 | 4.7 Medium |
| A race condition in Ivanti Secure Access Client before version 22.7R4 allows a local authenticated attacker to modify sensitive configuration files. | ||||
| CVE-2024-11074 | 1 Angeljudesuarez | 1 Tailoring Management System | 2024-11-14 | 6.3 Medium |
| A vulnerability classified as critical was found in itsourcecode Tailoring Management System 1.0. This vulnerability affects unknown code of the file /incadd.php. The manipulation of the argument inccat/desc/date/amount leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The initial researcher advisory only mentions the parameter "inccat" to be affected. But it must be assumed "desc", "date", and "amount" are affected as well. | ||||
| CVE-2024-51843 | 1 Olland | 1 Horsemanager | 2024-11-14 | 8.5 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Olland.Biz Horsemanager allows Blind SQL Injection.This issue affects Horsemanager: from n/a through 1.3. | ||||
| CVE-2024-5982 | 1 Gaizhenbiao | 2 Chuanhuchatgpt, Gaizhenbiao\/chuanhuchatgpt | 2024-11-14 | 9.1 Critical |
| A path traversal vulnerability exists in the latest version of gaizhenbiao/chuanhuchatgpt. The vulnerability arises from unsanitized input handling in multiple features, including user upload, directory creation, and template loading. Specifically, the load_chat_history function in modules/models/base_model.py allows arbitrary file uploads, potentially leading to remote code execution (RCE). The get_history_names function in utils.py permits arbitrary directory creation. Additionally, the load_template function in utils.py can be exploited to leak the first column of CSV files. These issues stem from improper sanitization of user inputs concatenated with directory paths using os.path.join. | ||||
| CVE-2024-10672 | 1 Themeisle | 1 Multiple Page Generator | 2024-11-14 | 2.7 Low |
| The Multiple Page Generator Plugin – MPG plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the mpg_upsert_project_source_block() function in all versions up to, and including, 4.0.2. This makes it possible for authenticated attackers, with editor-level access and above, to delete limited files on the server. | ||||
| CVE-2024-51837 | 1 Andsonsdesign | 1 Wp-contest | 2024-11-14 | 8.5 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in SONS Creative Development WP Contest allows SQL Injection.This issue affects WP Contest: from n/a through 1.0.0. | ||||
| CVE-2024-47782 | 1 Miraheze | 1 Wikidiscover | 2024-11-14 | 7.6 High |
| WikiDiscover is an extension designed for use with a CreateWiki managed farm to display wikis. Special:WikiDiscover is a special page that lists all wikis on the wiki farm. However, the special page does not make any effort to escape the wiki name or description. Therefore, if a wiki sets its name and/or description to an XSS payload, the XSS will execute whenever the wiki is shown on Special:WikiDiscover. This issue has been patched with commit `2ce846dd93` and all users are advised to apply that patch. User unable to upgrade should block access to `Special:WikiDiscover`. | ||||
| CVE-2024-47781 | 1 Miraheze | 1 Createwiki | 2024-11-14 | 6.1 Medium |
| CreateWiki is an extension used at Miraheze for requesting & creating wikis. The name of requested wikis is not escaped on Special:RequestWikiQueue, so a user can insert arbitrary HTML that is displayed in the request wiki queue when requesting a wiki. If a wiki creator comes across the XSS payload, their user session can be abused to retrieve deleted wiki requests, which typically contains private information. Likewise, this can also be abused on those with the ability to suppress requests to view sensitive information. This issue has been patched with commit `693a220` and all users are advised to apply the patch. Users unable to upgrade should disable Javascript and/or prevent access to the vulnerable page (Special:RequestWikiQueue). | ||||
| CVE-2024-10686 | 2024-11-14 | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2024-51689. Reason: This candidate is a reservation duplicate of CVE-2024-51689. Notes: All CVE users should reference CVE-2024-51689 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. | ||||
| CVE-2024-51820 | 1 Lsquared | 1 L Squared Hub | 2024-11-14 | 8.5 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in L Squared Support L Squared Hub WP allows SQL Injection.This issue affects L Squared Hub WP: from n/a through 1.0. | ||||
| CVE-2024-45282 | 1 Sap | 1 S\/4 Hana | 2024-11-14 | 4.3 Medium |
| Fields which are in 'read only' state in Bank Statement Draft in Manage Bank Statements application, could be modified by MERGE method. The property of an OData entity representing assumably immutable method is not protected against external modifications leading to integrity violations. Confidentiality and Availability are not impacted. | ||||
| CVE-2024-45277 | 2 Sap, Sap Se | 2 Hana-client, Sap Hana Client | 2024-11-14 | 4.3 Medium |
| The SAP HANA Node.js client package versions from 2.0.0 before 2.21.31 is impacted by Prototype Pollution vulnerability allowing an attacker to add arbitrary properties to global object prototypes. This is due to improper user input sanitation when using the nestTables feature causing low impact on the availability of the application. This has no impact on Confidentiality and Integrity. | ||||
| CVE-2024-51793 | 1 Webfulcreations | 1 Computer Repair Shop | 2024-11-14 | 10 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in Webful Creations Computer Repair Shop allows Upload a Web Shell to a Web Server.This issue affects Computer Repair Shop: from n/a through 3.8115. | ||||
| CVE-2024-51591 | 1 Wpgrids | 1 Slicko | 2024-11-14 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in wpgrids Slicko allows DOM-Based XSS.This issue affects Slicko: from n/a through 1.2.0. | ||||
| CVE-2024-37179 | 1 Sap | 1 Businessobjects Business Intelligence | 2024-11-14 | 7.7 High |
| SAP BusinessObjects Business Intelligence Platform allows an authenticated user to send a specially crafted request to the Web Intelligence Reporting Server to download any file from the machine hosting the service, causing high impact on confidentiality of the application. | ||||
| CVE-2024-51606 | 1 Blrt | 1 Blrt Wp Embed | 2024-11-14 | 8.5 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Blrt Blrt WP Embed allows SQL Injection.This issue affects Blrt WP Embed: from n/a through 1.6.9. | ||||
| CVE-2024-45278 | 2 Sap, Sap Se | 2 Commerce Backoffice, Sap Commerce Backoffice | 2024-11-14 | 5.4 Medium |
| SAP Commerce Backoffice does not sufficiently encode user controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. After successful exploitation, an attacker can cause limited impact on confidentiality and integrity of the application. | ||||
| CVE-2024-51608 | 1 Pluginhandy | 1 Amadiscount | 2024-11-14 | 8.5 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Pluginhandy AmaDiscount allows SQL Injection.This issue affects AmaDiscount: from n/a through 1.0. | ||||