CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | Description | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|---|
| CVE-2024-11252 | The Social Sharing Plugin – Sassy Social Share plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the heateor_mastodon_share parameter in all versions up to, and including, 3.3.6... | 6.1 | MEDIUM | — | 0 |
| CVE-2024-20132 | In Modem, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not... | 6.7 | MEDIUM | — | 0 |
| CVE-2024-29645 | Buffer Overflow vulnerability in radarorg radare2 v.5.8.8 allows an attacker to execute arbitrary code via the parse_die function. | 7.8 | HIGH | — | 0 |
| CVE-2024-31669 | rizin before Release v0.6.3 is vulnerable to Uncontrolled Resource Consumption via bin_pe_parse_imports, Pe_r_bin_pe_parse_var, and estimate_slide. | 7.5 | HIGH | — | 0 |
| CVE-2024-39343 | An issue was discovered in Samsung Mobile Processor and Wearable Processor Exynos 2100, 1280, 2200, 1330, 1380, 1480, 2400, 9110, Modem 5123, and Modem 5300. The baseband software does not properly ch... | 7.0 | HIGH | — | 0 |
| CVE-2024-11453 | The WordPress Pinterest Plugin – Make a Popup, User Profile, Masonry and Gallery Layout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gs_pin_widget' shortcode in ... | 6.4 | MEDIUM | — | 0 |
| CVE-2024-45106 | Improper authentication of an HTTP endpoint in the S3 Gateway of Apache Ozone 1.4.0 allows any authenticated Kerberos user to revoke and regenerate the S3 secrets of any other user. This is only possi... | 8.1 | HIGH | — | 0 |
| CVE-2024-53999 | Mobile Security Framework (MobSF) is a pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. The application allows users to upload files w... | 8.1 | HIGH | — | 0 |
| CVE-2024-54000 | Mobile Security Framework (MobSF) is a pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. In versions prior to 3.9.7, the requests.get()... | 7.5 | HIGH | — | 0 |
| CVE-2024-45206 | A vulnerability in Veeam Service Provider Console has been identified, which allows performing arbitrary HTTP requests to arbitrary hosts of the network and getting information about internal resources. | N/A | NONE | — | 0 |
| CVE-2024-45207 | DLL injection in Veeam Agent for Windows can occur if the system's PATH variable includes insecure locations. When the agent runs, it searches these directories for necessary DLLs. If an attacker plac... | N/A | NONE | — | 0 |
| CVE-2024-12570 | An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.7 prior to 17.4.6, from 17.5 prior to 17.5.4, and from 17.6 prior to 17.6.2. It may have been possible for an attac... | 6.7 | MEDIUM | — | 0 |
| CVE-2023-6978 | The WP Job Manager – Company Profiles plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'company' parameter in all versions up to, and including, 1.7 due to insufficient inp... | 6.1 | MEDIUM | — | 0 |
| CVE-2024-10787 | The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.4.4 via the 'elementor-template' shortcode due to insufficien... | 4.3 | MEDIUM | — | 0 |
| CVE-2024-10178 | The Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown widget in all versions up to, and inclu... | 6.4 | MEDIUM | — | 0 |
| CVE-2022-41137 | Apache Hive Metastore (HMS) uses SerializationUtilities#deserializeObjectWithTypeInformation method when filtering and fetching partitions that is unsafe and can lead to Remote Code Execution (RCE) si... | 8.3 | HIGH | — | 0 |
| CVE-2024-47104 | IBM i 7.4 and 7.5 is vulnerable to an authenticated user gaining elevated privilege to a physical file. A user with authority to a view can alter the based-on physical file security attributes without... | 6.8 | MEDIUM | — | 0 |
| CVE-2024-10247 | The Video Gallery – Best WordPress YouTube Gallery Plugin plugin for WordPress is vulnerable to time-based SQL Injection via the orderby parameter in all versions up to, and including, 2.4.2 due to in... | 7.2 | HIGH | — | 0 |
| CVE-2024-9769 | The Video Gallery – Best WordPress YouTube Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.4.1 due to insufficient ... | 4.4 | MEDIUM | — | 0 |
| CVE-2024-53907 | An issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10, and 4.2 before 4.2.17. The strip_tags() method and striptags template filter are subject to a potential denial-of-service attack ... | 7.5 | HIGH | — | 0 |
| CVE-2024-12167 | The Shortcodes Blocks Creator Ultimate plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the '_wpnonce' parameter in all versions up to, and including, 2.2.0 due to insufficient... | 6.1 | MEDIUM | — | 0 |
| CVE-2024-55492 | Winmail Server 4.4 is vulnerable to f_user=%22%3E%3Csvg%20onload Cross Site Scripting (XSS). | 6.1 | MEDIUM | — | 0 |
| CVE-2024-46901 | Insufficient validation of filenames against control characters in Apache Subversion repositories served via mod_dav_svn allows authenticated users with commit access to commit a corrupted revision, l... | 3.1 | LOW | — | 0 |
| CVE-2024-53947 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Superset. Specifically, certain engine-specific functions are not checked, which allows att... | 9.8 | CRITICAL | — | 0 |
| CVE-2024-53450 | RAGFlow 0.13.0 suffers from improper access control in document-hooks.ts, allowing unauthorized access to user documents. | 7.5 | HIGH | — | 0 |
| CVE-2024-54149 | Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Winter CMS prior to versions 1.2.7, 1.1.11, and 1.0.476 allow users with access to the CMS templates s... | 8.4 | HIGH | — | 0 |
| CVE-2024-50625 | An issue was discovered in Digi ConnectPort LTS before 1.4.12. A vulnerability in the file upload handling of a web application allows manipulation of file paths via POST requests. This can lead to ar... | 8.0 | HIGH | — | 0 |
| CVE-2023-5117 | An issue was discovered in GitLab CE/EE affecting all versions before 17.6.0 in which users were unaware that files uploaded to comments on confidential issues and epics of public projects could be ac... | 3.7 | LOW | — | 0 |
| CVE-2024-50626 | An issue was discovered in Digi ConnectPort LTS before 1.4.12. A Directory Traversal vulnerability exists in WebFS. This allows an attacker on the local area network to manipulate URLs to include trav... | 8.8 | HIGH | — | 0 |
| CVE-2024-50627 | An issue was discovered in Digi ConnectPort LTS before 1.4.12. A Privilege Escalation vulnerability exists in the file upload feature. It allows an attacker on the local area network (with specific pe... | 8.8 | HIGH | — | 0 |
| CVE-2024-50628 | An issue was discovered in the web services of Digi ConnectPort LTS before 1.4.12. It allows an attacker on the local area network to achieve unauthorized manipulation of resources, which may lead to ... | 8.8 | HIGH | — | 0 |
| CVE-2024-53552 | CrushFTP 10 before 10.8.3 and 11 before 11.2.3 mishandles password reset, leading to account takeover. | 9.8 | CRITICAL | — | 0 |
| CVE-2024-12236 | A security issue exists in Vertex Gemini API for customers using VPC-SC. By utilizing a custom crafted file URI for image input, data exfiltration is possible due to requests being routed outside the ... | 5.5 | MEDIUM | — | 0 |
| CVE-2024-46657 | Artifex Software mupdf v1.24.9 was discovered to contain a segmentation fault via the component /tools/pdfextract.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafte... | 5.5 | MEDIUM | — | 0 |
| CVE-2024-50699 | TP-Link TL-WR845N(UN)_V4_201214, TL-WR845N(UN)_V4_200909 and TL-WR845N(UN)_V4_190219 were discovered to contain weak default credentials for the Administrator account. | 8.0 | HIGH | — | 0 |
| CVE-2024-50920 | Insecure permissions in Silicon Labs (SiLabs) Z-Wave Series 700 and 800 v7.21.1 allow attackers to create a fake node via supplying crafted packets. | 8.8 | HIGH | — | 0 |
| CVE-2024-50921 | Insecure permissions in Silicon Labs (SiLabs) Z-Wave Series 700 and 800 v7.21.1 allow attackers to cause a Denial of Service (DoS) via repeatedly sending crafted packets to the controller. | 6.5 | MEDIUM | — | 0 |
| CVE-2024-50924 | Insecure permissions in Silicon Labs (SiLabs) Z-Wave Series 700 and 800 v7.21.1 allow attackers to disrupt communications between the controller and the device itself via repeatedly sending craf... | 6.5 | MEDIUM | — | 0 |
| CVE-2024-56737 | GNU GRUB (aka GRUB2) through 2.12 has a heap-based buffer overflow in fs/hfs.c via crafted sblock data in an HFS filesystem. | 8.8 | HIGH | — | 0 |
| CVE-2024-50928 | Insecure permissions in Silicon Labs (SiLabs) Z-Wave Series 700 and 800 v7.21.1 allow attackers to change the wakeup interval of end devices in controller memory, disrupting the device's communication... | 6.5 | MEDIUM | — | 0 |
| CVE-2024-50929 | Insecure permissions in Silicon Labs (SiLabs) Z-Wave Series 700 and 800 v7.21.1 allow attackers to arbitrarily change the device type in the controller's memory, leading to a Denial of Service (DoS). | 6.2 | MEDIUM | — | 0 |
| CVE-2024-50930 | An issue in Silicon Labs Z-Wave Series 500 v6.84.0 allows attackers to execute arbitrary code. | 8.8 | HIGH | — | 0 |
| CVE-2024-50931 | Silicon Labs Z-Wave Series 500 v6.84.0 was discovered to contain insecure permissions. | 4.6 | MEDIUM | — | 0 |
| CVE-2024-7572 | Insufficient permissions in Ivanti DSM before version 2024.3.5740 allows a local authenticated attacker to delete arbitrary files. | 7.1 | HIGH | — | 0 |
| CVE-2024-51165 | SQL injection vulnerability in JEPAAS 7.2.8, via /je/rbac/rbac/loadLoginCount in the dateVal parameter, which could allow a remote user to submit a specially crafted query, allowing an attacker to retr... | 7.5 | HIGH | — | 0 |
| CVE-2025-26750 | Missing Authorization vulnerability in appsbd Vitepos vitepos-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Vitepos: from n/a through <= 3.1.3. | N/A | NONE | — | 0 |
| CVE-2024-49538 | Illustrator versions 29.0.0, 28.7.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of t... | 7.8 | HIGH | — | 0 |
| CVE-2024-53677 | File upload logic in Apache Struts is flawed. An attacker can manipulate file upload params to enable path traversal and under some circumstances this can lead to uploading a malicious file which can... | 9.8 | CRITICAL | — | 0 |
| CVE-2024-37377 | A heap-based buffer overflow in IPsec of Ivanti Connect Secure before version 22.7R2.3 allows a remote unauthenticated attacker to cause a denial of service. | N/A | NONE | — | 0 |
| CVE-2024-37401 | An out-of-bounds read in IPsec of Ivanti Connect Secure before version 22.7R2.1 allows a remote unauthenticated attacker to cause a denial of service. | N/A | NONE | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.