ReportizFlow
Filtered by vendor
Subscriptions
Total
4010 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-8760 | 2024-10-15 | 5.3 Medium | ||
| The Stackable – Page Builder Gutenberg Blocks plugin for WordPress is vulnerable to CSS Injection in all versions up to, and including, 3.13.6. This makes it possible for unauthenticated attackers to embed untrusted style information into comments resulting in a possibility of data exfiltration such as admin nonces with limited impact. These nonces could be used to perform CSRF attacks within a limited time window. The presence of other plugins may make additional nonces available, which may pose a risk in plugins that don't perform capability checks to protect AJAX actions or other actions reachable by lower-privileged users. | ||||
| CVE-2024-9581 | 1 Happyplugins | 1 Shortcodes Anywhere | 2024-10-15 | 7.3 High |
| The Shortcodes AnyWhere plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.0.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. | ||||
| CVE-2024-9837 | 1 Numanrki | 1 Aadmy Add Auto Date Month Year Into Posts | 2024-10-15 | 7.3 High |
| The The AADMY – Add Auto Date Month Year Into Posts plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.0.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. | ||||
| CVE-2024-44414 | 1 Wayos | 1 Fbm 292w Firmware | 2024-10-15 | 8.8 High |
| A vulnerability was discovered in FBM_292W-21.03.10V, which has been classified as critical. This issue affects the sub_4901E0 function in the msp_info.htm file. Manipulation of the path parameter can lead to command injection. | ||||
| CVE-2024-25706 | 2024-10-10 | 6.1 Medium | ||
| There is an HTML injection vulnerability in Esri Portal for ArcGIS <=11.0 that may allow a remote, unauthenticated attacker to craft a URL which, when clicked, could potentially generate a message that may entice an unsuspecting victim to visit an arbitrary website. This could simplify phishing attacks. | ||||
| CVE-2024-45873 | 1 Vegabird | 1 Yaazhini | 2024-10-10 | 9.8 Critical |
| A DLL hijacking vulnerability in VegaBird Yaazhini 2.0.2 allows attackers to execute arbitrary code / maintain persistence via placing a crafted DLL file in the same directory as Yaazhini.exe. | ||||
| CVE-2024-45874 | 1 Vegabird | 1 Vooki | 2024-10-10 | 9.8 Critical |
| A DLL hijacking vulnerability in VegaBird Vooki 5.2.9 allows attackers to execute arbitrary code / maintain persistence via placing a crafted DLL file in the same directory as Vooki.exe. | ||||
| CVE-2024-46076 | 1 Ruoyi | 1 Ruoyi | 2024-10-10 | 9.8 Critical |
| RuoYi v4.7.9 and before has a security flaw that allows escaping from comments within the code generation feature, enabling the injection of malicious code. | ||||
| CVE-2024-41651 | 1 Prestashop | 1 Prestashop | 2024-10-09 | 9.8 Critical |
| An issue in Prestashop v.8.1.7 and before allows a remote attacker to execute arbitrary code via the module upgrade functionality. NOTE: this is disputed by multiple parties, who report that exploitation requires that an attacker be able to hijack network requests made by an admin user (who, by design, is allowed to change the code that is running on the server). | ||||
| CVE-2024-43469 | 1 Microsoft | 1 Azure Cyclecloud | 2024-10-09 | 8.8 High |
| Azure CycleCloud Remote Code Execution Vulnerability | ||||
| CVE-2024-45933 | 1 Online News Portal Project | 1 Online News Portal | 2024-10-08 | 6.6 Medium |
| OnlineNewsSite v1.0 is vulnerable to Cross Site Scripting (XSS) which allows attackers to execute arbitrary code via the Title and summary fields in the /admin/post/edit/ endpoint. | ||||
| CVE-2024-8254 | 1 Icegram | 1 Email Subscribers \& Newsletters | 2024-10-08 | 5.4 Medium |
| The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.7.34. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes. | ||||
| CVE-2024-44744 | 1 Malwarebytes | 1 Premium Security | 2024-10-04 | 5.7 Medium |
| An issue in Malwarebytes Premium Security v5.0.0.883 allows attackers to execute arbitrary code via placing crafted binaries into unspecified directories. NOTE: Malwarebytes argues that this issue requires admin privileges and that the contents cannot be altered by non-admin users. | ||||
| CVE-2024-46080 | 1 Scriptcase | 1 Scriptcase | 2024-10-04 | 8 High |
| Scriptcase v9.10.023 and before is vulnerable to Remote Code Execution (RCE) via the nm_zip function. | ||||
| CVE-2024-45186 | 1 Filesender | 1 Filesender | 2024-10-04 | 9.8 Critical |
| FileSender before 2.49 allows server-side template injection (SSTI) for retrieving credentials. | ||||
| CVE-2024-8481 | 2 Blogcoding, Minimus | 2 Special Text Boxes, Special Text Boxes | 2024-10-02 | 7.3 High |
| The The Special Text Boxes plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 6.2.2. This is due to the plugin adding the filter add_filter('comment_text', 'do_shortcode'); which will run all shortcodes in comments. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. | ||||
| CVE-2024-46489 | 1 Ferrislucas | 1 Promptr | 2024-10-02 | 8.8 High |
| A remote command execution (RCE) vulnerability in promptr v6.0.7 allows attackers to execute arbitrary commands via a crafted URL. | ||||
| CVE-2024-6596 | 2 Endress, Endress\+hauser | 17 Echo Curve Viewer, Field Xpert Smt50, Field Xpert Smt50 Firmware and 14 more | 2024-10-01 | 9.8 Critical |
| An unauthenticated remote attacker can run malicious c# code included in curve files and execute commands in the users context. | ||||
| CVE-2024-45200 | 1 Nintendo | 1 Mario Kart 8 | 2024-09-30 | 6.3 Medium |
| In Nintendo Mario Kart 8 Deluxe before 3.0.3, the LAN/LDN local multiplayer implementation allows a remote attacker to exploit a stack-based buffer overflow upon deserialization of session information via a malformed browse-reply packet, aka KartLANPwn. The victim is not required to join a game session with an attacker. The victim must open the "Wireless Play" (or "LAN Play") menu from the game's title screen, and an attacker nearby (LDN) or on the same LAN network as the victim can send a crafted reply packet to the victim's console. This enables a remote attacker to obtain complete denial-of-service on the game's process, or potentially, remote code execution on the victim's console. The issue is caused by incorrect use of the Nintendo Pia library, | ||||
| CVE-2024-6983 | 1 Mudler | 1 Localai | 2024-09-30 | N/A |
| mudler/localai version 2.17.1 is vulnerable to remote code execution. The vulnerability arises because the localai backend receives inputs not only from the configuration file but also from other inputs, allowing an attacker to upload a binary file and execute malicious code. This can lead to the attacker gaining full control over the system. | ||||