Total
5102 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-42041 | 1 Apptool-browser-video | 1 Video Downloader | 2024-11-01 | 8.1 High |
| The com.videodownload.browser.videodownloader (aka AppTool-Browser-Video All Video Downloader) application 20-30.05.24 for Android allows an attacker to execute arbitrary JavaScript code via the acr.browser.lightning.DefaultBrowserActivity component. | ||||
| CVE-2024-21537 | 1 Antonk52 | 1 Lilconfig | 2024-11-01 | 8.8 High |
| Versions of the package lilconfig from 3.1.0 and before 3.1.1 are vulnerable to Arbitrary Code Execution due to the insecure usage of eval in the dynamicImport function. An attacker can exploit this vulnerability by passing a malicious input through the defaultLoaders function. | ||||
| CVE-2024-50498 | 1 Lubus | 2 Wp Querey Table, Wp Query Console | 2024-10-31 | 10 Critical |
| Improper Control of Generation of Code ('Code Injection') vulnerability in LUBUS WP Query Console allows Code Injection.This issue affects WP Query Console: from n/a through 1.0. | ||||
| CVE-2024-50492 | 2 Scott Paterson, Scottpaterson | 2 Scottcart, Scottcart | 2024-10-31 | 8.3 High |
| Improper Control of Generation of Code ('Code Injection') vulnerability in Scott Paterson ScottCart allows Code Injection.This issue affects ScottCart: from n/a through 1.1. | ||||
| CVE-2024-9061 | 1 Themehunk | 1 Wp Popup Builder | 2024-10-30 | 7.3 High |
| The The WP Popup Builder – Popup Forms and Marketing Lead Generation plugin for WordPress is vulnerable to arbitrary shortcode execution via the wp_ajax_nopriv_shortcode_Api_Add AJAX action in all versions up to, and including, 1.3.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. NOTE: This vulnerability was partially fixed in version 1.3.5 with a nonce check, which effectively prevented access to the affected function. However, version 1.3.6 incorporates the correct authorization check to prevent unauthorized access. | ||||
| CVE-2024-50611 | 1 Cyclonedx | 1 Cdxgen | 2024-10-30 | 7.2 High |
| CycloneDX cdxgen through 10.10.7, when run against an untrusted codebase, may execute code contained within build-related files such as build.gradle.kts, a similar issue to CVE-2022-24441. cdxgen is used by, for example, OWASP dep-scan. NOTE: this has been characterized as a design limitation, rather than an implementation mistake. | ||||
| CVE-2024-48964 | 1 Snyk | 2 Snyk Cli, Snyk Gradle Plugin | 2024-10-30 | 7.5 High |
| The package Snyk CLI before 1.1294.0 is vulnerable to Code Injection when scanning an untrusted Gradle project. The vulnerability can be triggered if Snyk test is run inside the untrusted project due to the improper handling of the current working directory name. Snyk recommends only scanning trusted projects. | ||||
| CVE-2024-10073 | 1 Informatik.hu-berlin | 1 Flair | 2024-10-29 | 5 Medium |
| A vulnerability, which was classified as critical, was found in flairNLP flair 0.14.0. Affected is the function ClusteringModel of the file flair\models\clustering.py of the component Mode File Loader. The manipulation leads to code injection. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-50450 | 2 Pluginus, Realmag777 | 2 Wordpress Meta Data And Taxonomies Filter, Wordpress Meta Data And Taxonomies Filter | 2024-10-29 | 7.3 High |
| Improper Control of Generation of Code ('Code Injection') vulnerability in realmag777 WordPress Meta Data and Taxonomies Filter (MDTF) allows Code Injection.This issue affects WordPress Meta Data and Taxonomies Filter (MDTF): from n/a through 1.3.3.4. | ||||
| CVE-2024-9593 | 1 Wpplugin | 2 Time Clock, Time Clock Pro | 2024-10-29 | 8.3 High |
| The Time Clock plugin and Time Clock Pro plugin for WordPress are vulnerable to Remote Code Execution in versions up to, and including, 1.2.2 (for Time Clock) and 1.1.4 (for Time Clock Pro) via the 'etimeclockwp_load_function_callback' function. This allows unauthenticated attackers to execute code on the server. The invoked function's parameters cannot be specified. | ||||
| CVE-2024-48204 | 1 Hanzhou Haboo | 1 Network Management System | 2024-10-28 | 9.8 Critical |
| SQL injection vulnerability in Hanzhou Haobo network management system 1.0 allows a remote attacker to execute arbitrary code via a crafted script. | ||||
| CVE-2024-9162 | 1 Yaniiliev | 1 All In One Wp Migration And Backup | 2024-10-28 | 7.2 High |
| The All-in-One WP Migration and Backup plugin for WordPress is vulnerable to arbitrary PHP Code Injection due to missing file type validation during the export in all versions up to, and including, 7.86. This makes it possible for authenticated attackers, with Administrator-level access and above, to create an export file with the .php extension on the affected site's server, adding an arbitrary PHP code to it, which may make remote code execution possible. | ||||
| CVE-2024-43363 | 1 Cacti | 1 Cacti | 2024-10-17 | 7.2 High |
| Cacti is an open source performance and fault management framework. An admin user can create a device with a malicious hostname containing php code and repeat the installation process (completing only step 5 of the installation process is enough, no need to complete the steps before or after it) to use a php file as the cacti log file. After having the malicious hostname end up in the logs (log poisoning), one can simply go to the log file url to execute commands to achieve RCE. This issue has been addressed in version 1.2.28 and all users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2024-41997 | 1 Warp Terminal | 1 Warp Terminal | 2024-10-16 | 6.6 Medium |
| An issue was discovered in version of Warp Terminal prior to 2024.07.18 (v0.2024.07.16.08.02). A command injection vulnerability exists in the Docker integration functionality. An attacker can create a specially crafted hyperlink using the `warp://action/docker/open_subshell` intent that when clicked by the victim results in command execution on the victim's machine. | ||||
| CVE-2024-49254 | 1 Sunjianle | 1 Ajax Extend | 2024-10-16 | 10 Critical |
| Improper Control of Generation of Code ('Code Injection') vulnerability in Sunjianle allows Code Injection.This issue affects ajax-extend: from n/a through 1.0. | ||||
| CVE-2024-9581 | 1 Happyplugins | 1 Shortcodes Anywhere | 2024-10-15 | 7.3 High |
| The Shortcodes AnyWhere plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.0.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. | ||||
| CVE-2024-9837 | 1 Numanrki | 1 Aadmy Add Auto Date Month Year Into Posts | 2024-10-15 | 7.3 High |
| The The AADMY – Add Auto Date Month Year Into Posts plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.0.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. | ||||
| CVE-2024-44414 | 1 Wayos | 1 Fbm 292w Firmware | 2024-10-15 | 8.8 High |
| A vulnerability was discovered in FBM_292W-21.03.10V, which has been classified as critical. This issue affects the sub_4901E0 function in the msp_info.htm file. Manipulation of the path parameter can lead to command injection. | ||||
| CVE-2024-45873 | 1 Vegabird | 1 Yaazhini | 2024-10-10 | 9.8 Critical |
| A DLL hijacking vulnerability in VegaBird Yaazhini 2.0.2 allows attackers to execute arbitrary code / maintain persistence via placing a crafted DLL file in the same directory as Yaazhini.exe. | ||||
| CVE-2024-45874 | 1 Vegabird | 1 Vooki | 2024-10-10 | 9.8 Critical |
| A DLL hijacking vulnerability in VegaBird Vooki 5.2.9 allows attackers to execute arbitrary code / maintain persistence via placing a crafted DLL file in the same directory as Vooki.exe. | ||||