CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | Description | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|---|
| CVE-2024-21547 | Versions of the package spatie/browsershot before 5.0.2 are vulnerable to Directory Traversal due to URI normalisation in the browser where the file:// check can be bypassed with file:\\. An attacker ... | 7.5 | HIGH | β | 0 |
| CVE-2024-11295 | The Simple Page Access Restriction plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.29 via the WordPress core search feature. This makes i... | 5.3 | MEDIUM | β | 0 |
| CVE-2024-12287 | The Biagiotti Membership plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.0.2. This is due to the plugin not properly verifying a user's identity pri... | 9.8 | CRITICAL | β | 0 |
| CVE-2024-1610 | In OPPO Store APP, there's a possible escalation of privilege due to improper input validation. | 9.8 | CRITICAL | β | 0 |
| CVE-2024-39703 | In ThreatQuotient ThreatQ before 5.29.3, authenticated users are able to execute arbitrary commands by sending a crafted request to an API endpoint. | 8.8 | HIGH | β | 0 |
| CVE-2024-10244 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ISDO Software Web Software allows SQL Injection. This issue affects Web Software: before 3.6. | 9.8 | CRITICAL | β | 0 |
| CVE-2024-12340 | The Animation Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.6 via the 'render' function in widgets/content-slider.... | 4.3 | MEDIUM | β | 0 |
| CVE-2024-12454 | The Affiliate Program Suite – SliceWP Affiliates plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.23. This is due to missing or incorrect nonc... | 6.1 | MEDIUM | β | 0 |
| CVE-2024-12554 | The Peter's Custom Anti-Spam plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.3. This is due to missing nonce validation on the cas_register_p... | 5.4 | MEDIUM | β | 0 |
| CVE-2024-11912 | The Travel Booking WordPress Theme theme for WordPress is vulnerable to blind time-based SQL Injection via the 'order_id' parameter in all versions up to, and including, 3.1.6 due to insufficient esca... | 7.5 | HIGH | β | 0 |
| CVE-2024-11926 | The Travel Booking WordPress Theme theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '__stPartnerCreateServiceRental', 'st_delete_order_i... | 6.5 | MEDIUM | β | 0 |
| CVE-2024-49363 | Misskey is an open source, federated social media platform. In affected versions FileServerService (media proxy) in github.com/misskey-dev/misskey 2024.10.1 or earlier did not detect proxy loops, whic... | 7.4 | HIGH | β | 0 |
| CVE-2024-12121 | The Broken Link Checker \| Finder plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 2.5.0 via the 'moblc_check_link' function. This makes it ... | 5.4 | MEDIUM | β | 0 |
| CVE-2024-11984 | An unrestricted upload of file with dangerous type vulnerability in epaper draft function in Corporate Training Management System before 10.13 allows remote authenticated users to bypass file upload re... | 8.8 | HIGH | β | 0 |
| CVE-2024-4229 | Incorrect Default Permissions vulnerability in Edgecross Basic Software for Windows versions 1.00 and later and Edgecross Basic Software for Developers versions 1.00 and later allows a malicious local... | 7.8 | HIGH | β | 0 |
| CVE-2024-4230 | External Control of File Name or Path vulnerability in Edgecross Basic Software for Windows versions 1.00 and later and Edgecross Basic Software for Developers versions 1.00 and later allows a malicio... | 7.8 | HIGH | β | 0 |
| CVE-2023-4617 | Incorrect authorization vulnerability in HTTP POST method in Govee Home application on Android and iOS allows remote attacker to control devices owned by other users via changing "device", "sku" and "... | 10.0 | CRITICAL | β | 0 |
| CVE-2024-12626 | The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'a-0-o-search_field... | 9.6 | CRITICAL | β | 0 |
| CVE-2024-9101 | A reflected cross-site scripting (XSS) vulnerability in the 'Entry Chooser' of phpLDAPadmin (version 1.2.1 through the latest version, 1.2.6.7) allows attackers to execute arbitrary JavaScript in the ... | N/A | NONE | β | 0 |
| CVE-2024-12786 | A vulnerability, which was classified as critical, was found in X1a0He Adobe Downloader up to 1.3.1 on macOS. Affected is the function shouldAcceptNewConnection of the file com.x1a0he.macOS.Adobe-Down... | 7.8 | HIGH | β | 0 |
| CVE-2024-25131 | A flaw was found in the MustGather.managed.openshift.io Custom Defined Resource (CRD) of OpenShift Dedicated. A non-privileged user on the cluster can create a MustGather object with a specially craft... | 8.8 | HIGH | β | 0 |
| CVE-2024-9154 | A code injection vulnerability in HMS Networks Ewon Flexy 205 allows executing commands on system level on the device. This issue affects Ewon Flexy 205: through 14.8s0 (#2633). | N/A | NONE | β | 0 |
| CVE-2021-22501 | Improper Restriction of XML External Entity Reference vulnerability in OpenText™ Operations Bridge Manager allows Input Data Manipulation. The vulnerability could be exploited to confidential inform... | N/A | NONE | β | 0 |
| CVE-2020-6923 | The HP Linux Imaging and Printing (HPLIP) software may potentially be affected by memory buffer overflow. | 5.7 | MEDIUM | β | 0 |
| CVE-2024-54150 | cjwt is a C JSON Web Token (JWT) Implementation. Algorithm confusion occurs when a system improperly verifies the type of signature used, allowing attackers to exploit the lack of distinction between ... | 9.1 | CRITICAL | β | 0 |
| CVE-2024-56200 | Altair is a fork of Misskey v12. Affected versions lack of request validation and lack of authentication in the image proxy for compressing and resizing remote files could allow attacks that could aff... | 8.6 | HIGH | β | 0 |
| CVE-2024-56327 | pyrage is a set of Python bindings for the rage file encryption library (age in Rust). `pyrage` uses the Rust `age` crate for its underlying operations, and `age` is vulnerable to GHSA-4fg7-vxc8-qx5w.... | 9.8 | CRITICAL | β | 0 |
| CVE-2024-5955 | Cross-site scripting vulnerability in Trellix ePolicy Orchestrator prior to ePO 5.10 Service Pack 1 Update 3 allows a remote authenticated attacker to craft requests causing arbitrary content to be in... | 5.4 | MEDIUM | β | 0 |
| CVE-2024-11775 | The Particle Background plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'particleground' shortcode in all versions up to, and including, 1.0.2 due to insufficient in... | 6.4 | MEDIUM | β | 0 |
| CVE-2024-11783 | The Financial Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'finance_calculator' shortcode in all versions up to, and including, 2.2.1 due to insufficie... | 6.4 | MEDIUM | β | 0 |
| CVE-2024-11812 | The Wtyczka SeoPilot dla WP plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.3.091. This is due to missing or incorrect nonce validation on the ... | 6.1 | MEDIUM | β | 0 |
| CVE-2024-11878 | The Category Post Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'category-post-slider' shortcode in all versions up to, and including, 1.4 due to insufficie... | 6.4 | MEDIUM | β | 0 |
| CVE-2024-12509 | The Embed Twine plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'embed_twine' shortcode in all versions up to, and including, 0.1.0 due to insufficient input sanitiz... | 6.4 | MEDIUM | β | 0 |
| CVE-2024-12571 | The Store Locator for WordPress with Google Maps – LotsOfLocales plugin for WordPress is vulnerable to Local File Inclusion in version 3.98.9 via the 'sl_engine' parameter. This makes it possible for ... | 9.8 | CRITICAL | β | 0 |
| CVE-2024-9619 | The WP SHAPES plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escap... | 6.4 | MEDIUM | β | 0 |
| CVE-2024-10385 | Ticket management system in DirectAdmin Evolution Skin is vulnerable to XSS (Cross-site Scripting), which allows a low-privileged user to inject and store malicious JavaScript code. If an admin views ... | N/A | NONE | β | 0 |
| CVE-2024-55186 | An IDOR (Insecure Direct Object Reference) vulnerability exists in oqtane Framework 6.0.0, allowing a logged-in user to access inbox messages of other users by manipulating the notification ID in the ... | 4.3 | MEDIUM | β | 0 |
| CVE-2024-55470 | Oqtane Framework 6.0.0 is vulnerable to Incorrect Access Control. By manipulating the entityid parameter, attackers can bypass passcode validation and successfully log into the application or access r... | 7.5 | HIGH | β | 0 |
| CVE-2024-55471 | Oqtane Framework is vulnerable to Insecure Direct Object Reference (IDOR) in Oqtane.Controllers.UserController. This allows unauthorized users to access sensitive information of other users by manipul... | 6.5 | MEDIUM | β | 0 |
| CVE-2024-12677 | Delta Electronics DTM Soft deserializes objects, which could allow an attacker to execute arbitrary code. | 7.8 | HIGH | β | 0 |
| CVE-2024-56329 | Socialstream is a third-party package for Laravel Jetstream. It replaces the published authentication and profile scaffolding provided by Laravel Jetstream, with scaffolding that has support for Larav... | N/A | NONE | β | 0 |
| CVE-2024-56330 | Stardust is a platform for streaming isolated desktop containers. With this exploit, inter container communication (ICC) is not disabled. This would allow users within a container to access another co... | N/A | NONE | β | 0 |
| CVE-2024-56331 | Uptime Kuma is an open source, self-hosted monitoring tool. An **Improper URL Handling Vulnerability** allows an attacker to access sensitive local files on the server by exploiting the `file:///` pro... | 6.8 | MEDIUM | β | 0 |
| CVE-2024-56333 | Onyxia is a web app that aims at being the glue between multiple open source backend technologies to provide a state of art working environment for data scientists. This critical vulnerability allows ... | N/A | NONE | β | 0 |
| CVE-2024-40875 | There is a cross-site scripting vulnerability in the management console of Absolute Secure Access prior to version 13.52. Attackers with system administrator permissions can interfere with another sys... | N/A | NONE | β | 0 |
| CVE-2024-56334 | systeminformation is a System and OS information library for node.js. In affected versions SSIDs are not sanitized when before they are passed as a parameter to cmd.exe in the `getWindowsIEEE8021x` fu... | 7.8 | HIGH | β | 0 |
| CVE-2021-40959 | A reflected cross-site scripting vulnerability in MONITORAPP Application Insight Web Application Firewall (AIWAF) <= 4.1.6 and <=5.0 was identified on the subpage `/process_management/process_status.x... | 6.1 | MEDIUM | β | 0 |
| CVE-2024-12902 | ANCHOR from Global Wisdom Software is an integrated product running on a Windows virtual machine. The underlying Windows OS of the product contains high-privilege service accounts. If these accounts u... | 8.4 | HIGH | β | 0 |
| CVE-2024-11811 | The Feedify – Web Push Notifications plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'platform', 'phone', 'email', and 'store_url' parameters in all versions up to, and i... | 6.1 | MEDIUM | β | 0 |
| CVE-2023-31279 | The AirVantage platform is vulnerable to an unauthorized attacker registering previously unregistered devices on the AirVantage platform when the owner has not disabled the AirVantage Management Ser... | 8.1 | HIGH | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.