The Common Vulnerabilities and Exposures (CVE) program, maintained by the MITRE Corporation, assigns standardized identifiers to publicly known vulnerabilities and security exposures so that advisories, scanners and trackers can refer to the same issue by one name. The table below lists recently published or updated CVE records. A Priority of `--` means no priority has been assigned; rows marked "Rejected reason" are withdrawn candidate numbers and should not be cited (use the ID named under ConsultIDs instead).
ID | Description | Priority | Modified date |
---|---|---|---|
CVE-2024-34558 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in realmag777 WOLF allows Stored XSS. This issue affects WOLF: from n/a through 1.0.8.2. | -- | May 8, 2024 |
CVE-2024-34557 | Cross-Site Request Forgery (CSRF) vulnerability in UkrSolution Barcode Scanner with Inventory & Order Manager. This issue affects Barcode Scanner with Inventory & Order Manager: from n/a through 1.5.4. | -- | May 14, 2024 |
CVE-2024-34556 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in UkrSolution Barcode Scanner with Inventory & Order Manager. This issue affects Barcode Scanner with Inventory & Order Manager: from n/a through 1.5.4. | -- | May 14, 2024 |
CVE-2024-34555 | Unrestricted Upload of File with Dangerous Type vulnerability in URBAN BASE Z-Downloads. This issue affects Z-Downloads: from n/a through 1.11.3. | -- | May 14, 2024 |
CVE-2024-34553 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Select-Themes Stockholm Core allows Reflected XSS. This issue affects Stockholm Core: from n/a through 2.4.1. | -- | May 8, 2024 |
CVE-2024-34550 | Insertion of Sensitive Information into Log File vulnerability in AlexaCRM Dynamics 365 Integration. This issue affects Dynamics 365 Integration: from n/a through 1.3.17. | -- | May 14, 2024 |
CVE-2024-34549 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Automattic WP Job Manager. This issue affects WP Job Manager: from n/a through 2.2.2. | -- | May 14, 2024 |
CVE-2024-34548 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themesgrove WidgetKit allows Stored XSS. This issue affects WidgetKit: from n/a through 2.4.8. | -- | May 8, 2024 |
CVE-2024-34547 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Noor alam Magical Addons For Elementor allows Stored XSS. This issue affects Magical Addons For Elementor: from n/a through 1.1.34. | -- | May 8, 2024 |
CVE-2024-34546 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HabibCoder Sticky Social Link allows Stored XSS. This issue affects Sticky Social Link: from n/a through 1.0.0. | -- | May 8, 2024 |
CVE-2024-34538 | Mateso PasswordSafe through 8.13.9.26689 has Weak Cryptography. | -- | May 6, 2024 |
CVE-2024-34534 | A SQL injection vulnerability in Cybrosys Techno Solutions Text Commander module (aka text_commander) 16.0 through 16.0.1 allows a remote attacker to gain privileges via the data parameter to models/ir_model.py:IrModel::chech_model. | -- | May 7, 2024 |
CVE-2024-34533 | A SQL injection vulnerability in ZI PT Solusi Usaha Mudah Analytic Data Query module (aka izi_data) 11.0 through 17.x before 17.0.3 allows a remote attacker to gain privileges via a query to IZITools::query_check, IZITools::query_fetch, or IZITools::query_execute. | -- | May 7, 2024 |
CVE-2024-34532 | A SQL injection vulnerability in Yvan Dotet PostgreSQL Query Deluxe module (aka query_deluxe) 17.x before 17.0.0.4 allows a remote attacker to gain privileges via the query parameter to models/querydeluxe.py:QueryDeluxe::get_result_from_query. | -- | May 7, 2024 |
CVE-2024-34529 | Nebari through 2024.4.1 prints the temporary Keycloak root password. | -- | May 6, 2024 |
CVE-2024-34528 | WordOps through 3.20.0 has a wo/cli/plugins/stack_pref.py TOCTOU race condition because the conf_path os.open does not use a mode parameter during file creation. | -- | May 6, 2024 |
CVE-2024-34527 | spaces_plugin/app.py in SolidUI 0.4.0 has an unnecessary print statement for an OpenAI key. The printed string might be logged. | -- | May 6, 2024 |
CVE-2024-34525 | FileCodeBox 2.0 stores a OneDrive password and AWS key in a cleartext env file. | -- | May 6, 2024 |
CVE-2024-34524 | In XLANG OpenAgents through fe73ac4, the allowed_file protection mechanism can be bypassed by using an incorrect file extension for the nature of the file content. | -- | May 6, 2024 |
CVE-2024-34523 | AChecker 1.5 allows remote attackers to read the contents of arbitrary files via the download.php path parameter by using Unauthenticated Path Traversal. This occurs through readfile in PHP. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | -- | May 7, 2024 |
CVE-2024-34519 | Avantra Server 24.x before 24.0.7 and 24.1.x before 24.1.1 mishandles the security of dashboards, aka XAN-5367. If a user can create a dashboard with an auto-login user, data disclosure may occur. Access control can be bypassed when there is a shared dashboard, and its auto-login user has privileges that a dashboard visitor should not have. | -- | May 5, 2024 |
CVE-2024-34517 | The Cypher component in Neo4j before 5.19.0 mishandles IMMUTABLE privileges. | -- | May 7, 2024 |
CVE-2024-34515 | image-optimizer before 1.7.3 allows PHAR deserialization, e.g., the phar:// protocol in arguments to file_exists(). | -- | May 5, 2024 |
CVE-2024-34511 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2024-1561. Reason: This candidate is a duplicate of CVE-2024-1561. Notes: All CVE users should reference CVE-2024-1561 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. | -- | May 5, 2024 |
CVE-2024-34510 | Gradio before 4.20 allows credential leakage on Windows. | -- | May 5, 2024 |
CVE-2024-34509 | dcmdata in DCMTK before 3.6.9 has a segmentation fault via an invalid DIMSE message. | -- | May 5, 2024 |
CVE-2024-34508 | dcmnet in DCMTK before 3.6.9 has a segmentation fault via an invalid DIMSE message. | -- | May 5, 2024 |
CVE-2024-34507 | An issue was discovered in includes/CommentFormatter/CommentParser.php in MediaWiki before 1.39.7, 1.40.x before 1.40.3, and 1.41.x before 1.41.1. XSS can occur because of mishandling of the 0x1b character, as demonstrated by Special:RecentChanges#%1b0000000. | -- | May 5, 2024 |
CVE-2024-34506 | An issue was discovered in includes/specials/SpecialMovePage.php in MediaWiki before 1.39.7, 1.40.x before 1.40.3, and 1.41.x before 1.41.1. If a user with the necessary rights to move the page opens Special:MovePage for a page with tens of thousands of subpages, then the page will exceed the maximum request time, leading to a denial of service. | -- | May 5, 2024 |
CVE-2024-34502 | An issue was discovered in WikibaseLexeme in MediaWiki before 1.39.6, 1.40.x before 1.40.2, and 1.41.x before 1.41.1. Loading Special:MergeLexemes will (attempt to) make an edit that merges the from-id to the to-id, even if the request was not a POST request, and even if it does not contain an edit token. | -- | May 5, 2024 |
CVE-2024-34500 | An issue was discovered in the UnlinkedWikibase extension in MediaWiki before 1.39.6, 1.40.x before 1.40.2, and 1.41.x before 1.41.1. XSS can occur through an interface message. Error messages (in the $err var) are not escaped before being passed to Html::rawElement() in the getError() function in the Hooks class. | -- | May 5, 2024 |
CVE-2024-34490 | In Maxima through 5.47.0 before 51704c, the plotting facilities make use of predictable names under /tmp. Thus, the contents may be controlled by a local attacker who can create files in advance with these names. This affects, for example, plot2d. | -- | May 5, 2024 |
CVE-2024-34489 | OFPHello in parser.py in Faucet SDN Ryu 4.34 allows attackers to cause a denial of service (infinite loop) via length=0. | -- | May 5, 2024 |
CVE-2024-34488 | OFPMultipartReply in parser.py in Faucet SDN Ryu 4.34 allows attackers to cause a denial of service (infinite loop) via b.length=0. | -- | May 5, 2024 |
CVE-2024-34487 | OFPFlowStats in parser.py in Faucet SDN Ryu 4.34 allows attackers to cause a denial of service (infinite loop) via inst.length=0. | -- | May 5, 2024 |
CVE-2024-34486 | OFPPacketQueue in parser.py in Faucet SDN Ryu 4.34 allows attackers to cause a denial of service (infinite loop) via OFPQueueProp.len=0. | -- | May 5, 2024 |
CVE-2024-34484 | OFPBucket in parser.py in Faucet SDN Ryu 4.34 allows attackers to cause a denial of service (infinite loop) via action.len=0. | -- | May 5, 2024 |
CVE-2024-34483 | OFPGroupDescStats in parser.py in Faucet SDN Ryu 4.34 allows attackers to cause a denial of service (infinite loop) via OFPBucket.len=0. | -- | May 5, 2024 |
CVE-2024-34478 | btcd before 0.24.0 does not correctly implement the consensus rules outlined in BIP 68 and BIP 112, making it susceptible to consensus failures. Specifically, it uses the transaction version as a signed integer when it is supposed to be treated as unsigned. There can be a chain split and loss of funds. | -- | May 5, 2024 |
CVE-2024-34476 | Open5GS before 2.7.1 is vulnerable to a reachable assertion that can cause an AMF crash via NAS messages from a UE: ogs_nas_encrypt in lib/nas/common/security.c for pkbuf->len. | -- | May 5, 2024 |
CVE-2024-34475 | Open5GS before 2.7.1 is vulnerable to a reachable assertion that can cause an AMF crash via NAS messages from a UE: gmm_state_authentication in amf/gmm-sm.c for != OGS_ERROR. | -- | May 5, 2024 |
CVE-2024-34474 | Clario through 2024-04-11 for Desktop has weak permissions for %PROGRAMDATA%\Clario and tries to load DLLs from there as SYSTEM. | -- | May 5, 2024 |
CVE-2024-34473 | An issue was discovered in appmgr in O-RAN Near-RT RIC I-Release. An attacker could register an unintended RMR message type during xApp registration to disrupt other service components. | -- | May 4, 2024 |
CVE-2024-34472 | An issue was discovered in HSC Mailinspector 5.2.17-3 through v.5.2.18. An authenticated blind SQL injection vulnerability exists in the mliRealtimeEmails.php file. The ordemGrid parameter in a POST request to /mailinspector/mliRealtimeEmails.php does not properly sanitize input, allowing an authenticated attacker to execute arbitrary SQL commands, leading to the potential disclosure of the entire application database. | -- | May 6, 2024 |
CVE-2024-34471 | An issue was discovered in HSC Mailinspector 5.2.17-3. A Path Traversal vulnerability (resulting in file deletion) exists in the mliRealtimeEmails.php file. The filename parameter in the export HTML functionality does not properly validate the file location, allowing an attacker to read and delete arbitrary files on the server. This was observed when the mliRealtimeEmails.php file itself was read and subsequently deleted, resulting in a 404 error for the file and disruption of email information loading. | -- | May 6, 2024 |
CVE-2024-34470 | An issue was discovered in HSC Mailinspector 5.2.17-3 through v.5.2.18. An Unauthenticated Path Traversal vulnerability exists in the /public/loader.php file. The path parameter does not properly filter whether the file and directory passed are part of the webroot, allowing an attacker to read arbitrary files on the server. | -- | May 6, 2024 |
CVE-2024-34469 | Rukovoditel before 3.5.3 allows XSS via user_photo to index.php?module=users/registration&action=save. | -- | May 4, 2024 |
CVE-2024-34468 | Rukovoditel before 3.5.3 allows XSS via user_photo to My Page. | -- | May 4, 2024 |
CVE-2024-34467 | ThinkPHP 8.0.3 allows remote attackers to discover the PHPSESSION cookie because think_exception.tpl (aka the debug error output source code) provides this in an error message for a crafted URI in a GET request. | -- | May 4, 2024 |
CVE-2024-34466 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2024-34467. Reason: This candidate is a reservation duplicate of CVE-2024-34467. Notes: All CVE users should reference CVE-2024-34467 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. | -- | May 6, 2024 |
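Two rows above describe the same class of local file-handling bug from different angles: CVE-2024-34528 (WordOps calls `os.open` with `O_CREAT` and no mode argument, leaving the permissions to the umask and the name open to a TOCTOU race) and CVE-2024-34490 (Maxima writes plot data to predictable names under /tmp that a local attacker can pre-create). The following is an added example, not code from either project; the function names, the `plot.data` file name and the directory layout are hypothetical, and the whole demonstration runs inside a private temporary directory. It shows the unsafe creation call beside a hardened one and a planted symlink that only the unsafe call follows.

```python
import os
import stat
import tempfile

# Added illustration for CVE-2024-34528 (os.open without a mode, TOCTOU) and
# CVE-2024-34490 (predictable /tmp names). Everything here is hypothetical
# demo code; nothing is taken from WordOps or Maxima.


def write_config_vulnerable(path: str, data: bytes) -> None:
    """O_CREAT with no mode argument: Python's default is 0o777, reduced only
    by the umask. No O_EXCL / O_NOFOLLOW either, so if an attacker has already
    placed a symlink at `path`, the open follows it and the write lands on the
    link target (the TOCTOU window is between choosing the name and opening)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)


def write_config_hardened(path: str, data: bytes) -> None:
    """Explicit 0o600 plus O_EXCL: creation fails if anything, a symlink
    included, already exists at `path`, so a pre-planted name cannot redirect
    the write. O_NOFOLLOW is added on platforms that define it."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)


def unpredictable_scratch_file(prefix: str = "plot-", directory: str = None) -> str:
    """Replacement for a fixed name such as /tmp/plot.data: mkstemp chooses a
    random name and creates it atomically with O_EXCL and mode 0o600."""
    fd, path = tempfile.mkstemp(prefix=prefix, dir=directory)
    os.close(fd)
    return path


def mode_of(path: str) -> int:
    """Permission bits of `path` itself (lstat, so a symlink is not followed)."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def demo(umask: int = 0o000) -> dict:
    """Run both writers under a permissive umask and against a planted symlink.
    Returns the observed modes and whether each writer followed the link."""
    old_umask = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            result = {}
            write_config_vulnerable(os.path.join(d, "a.conf"), b"x")
            write_config_hardened(os.path.join(d, "b.conf"), b"x")
            result["vuln_mode"] = mode_of(os.path.join(d, "a.conf"))
            result["hard_mode"] = mode_of(os.path.join(d, "b.conf"))

            victim = os.path.join(d, "victim")          # file the attacker wants clobbered
            with open(victim, "wb") as f:
                f.write(b"original")
            planted = os.path.join(d, "plot.data")      # the predictable name
            os.symlink(victim, planted)                 # attacker creates it first

            write_config_vulnerable(planted, b"hijacked")
            with open(victim, "rb") as f:
                result["vuln_followed_symlink"] = f.read() == b"hijacked"
            try:
                write_config_hardened(planted, b"hijacked")
                result["hard_followed_symlink"] = True
            except OSError:                             # EEXIST (or ELOOP with O_NOFOLLOW)
                result["hard_followed_symlink"] = False

            scratch = unpredictable_scratch_file(directory=d)
            result["scratch_mode"] = mode_of(scratch)
            return result
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:22s} {oct(value) if isinstance(value, int) else value}")
```

The umask of 0o000 in `demo` is deliberately permissive to make the missing mode visible; on a typical 0o022 umask the unsafe file would come out 0o755, which is still world-readable for a file that may hold secrets. The symlink case is what makes this a TOCTOU rather than a permissions bug: the hardened open refuses the pre-existing path instead of following it.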
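The six Ryu rows (CVE-2024-34483, -34484, -34486, -34487, -34488, -34489) are one bug pattern reported against six OpenFlow structures in parser.py: a list walker that advances by a peer-supplied length field and never checks that the length is non-zero, so `length=0` pins the offset in place and the loop never ends. The following added example is not Ryu's code; the wire layout is a constructed stand-in for OpenFlow's TLV-style lists (a 16-bit type, a 16-bit total length, then payload), and the function and constant names are hypothetical. It places the vulnerable loop beside a hardened one and feeds both a well-formed message, the `length=0` trigger, and a truncated element.

```python
import struct

# Added illustration of the length=0 parser loops in Ryu 4.34's parser.py.
# The format is a constructed stand-in for OpenFlow TLV lists (queue
# properties, buckets, instructions); names are hypothetical, not Ryu's.

PROP_HDR = struct.Struct("!HH")  # big-endian type, length (OpenFlow byte order)


class MalformedMessage(ValueError):
    """Raised by the hardened parser for any length it cannot trust."""


def parse_props_vulnerable(buf: bytes, max_iters: int = 10_000) -> list:
    """Walk the list trusting the peer-supplied length field.

    With length == 0 the offset never advances and the while-loop spins
    forever. `max_iters` exists only so this demo can report the hang instead
    of hanging; the real bug has no such bound.
    """
    offset, props, iters = 0, [], 0
    while offset < len(buf):
        iters += 1
        if iters > max_iters:
            raise RuntimeError("parser did not terminate (length=0 loop)")
        ptype, plen = PROP_HDR.unpack_from(buf, offset)
        props.append((ptype, buf[offset + PROP_HDR.size:offset + plen]))
        offset += plen  # plen == 0 leaves offset unchanged
    return props


def parse_props_hardened(buf: bytes) -> list:
    """Same walk, but every length is validated before it is used: the header
    must fit, length must be >= the header size (so the loop always makes
    progress), and the element must end inside the buffer."""
    offset, props = 0, []
    while offset < len(buf):
        if len(buf) - offset < PROP_HDR.size:
            raise MalformedMessage(f"truncated header at offset {offset}")
        ptype, plen = PROP_HDR.unpack_from(buf, offset)
        if plen < PROP_HDR.size:
            raise MalformedMessage(f"length {plen} < header size at offset {offset}")
        if offset + plen > len(buf):
            raise MalformedMessage(f"length {plen} overruns buffer at offset {offset}")
        props.append((ptype, buf[offset + PROP_HDR.size:offset + plen]))
        offset += plen  # >= 4, so the loop terminates
    return props


def outcome(parser, buf: bytes) -> str:
    """Classify what a parser does with a message: 'parsed', 'rejected' or 'hung'."""
    try:
        parser(buf)
        return "parsed"
    except MalformedMessage:
        return "rejected"
    except RuntimeError:
        return "hung"


# Constructed messages
GOOD = PROP_HDR.pack(1, 6) + b"\xaa\xbb" + PROP_HDR.pack(2, 4)  # two well-formed elements
ZERO_LEN = PROP_HDR.pack(1, 0) + b"\x00\x00\x00\x00"            # the CVE trigger: length=0
TRUNCATED = PROP_HDR.pack(1, 12)                                 # claims 12 bytes, carries 4

if __name__ == "__main__":
    for name, msg in (("GOOD", GOOD), ("ZERO_LEN", ZERO_LEN), ("TRUNCATED", TRUNCATED)):
        print(f"{name:10s} vulnerable={outcome(parse_props_vulnerable, msg):8s} "
              f"hardened={outcome(parse_props_hardened, msg)}")
```

The truncated case is included because the same missing check has a second failure mode: in Python the over-long slice silently yields empty bytes, but the equivalent loop in C reads past the end of the buffer. The hardened version rejects both, and the `plen < PROP_HDR.size` test is the one that guarantees termination; an upper-bound check on its own would still spin on `length=0`.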
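The btcd row (CVE-2024-34478) is a consensus bug with a small root cause: BIP 68 relative lock-times and BIP 112 CHECKSEQUENCEVERIFY only apply to transactions whose version is at least 2, and Bitcoin Core compares the version as an unsigned 32-bit value even though the field is serialized as a 32-bit signed integer. A node that compares it as signed treats a version with the top bit set (for example `0xffffffff`, which is -1 signed and 4294967295 unsigned) as exempt from the sequence lock, so it accepts a block that the rest of the network rejects. The following added example is not btcd's code; the helper names are hypothetical and the transaction bytes are constructed. It decodes the version both ways and carries the BIP 68 nSequence interpretation through to show where the two readings diverge.

```python
import struct

# Added illustration of CVE-2024-34478: the BIP 68 / BIP 112 version gate
# must use an unsigned comparison. Helper names are hypothetical; the
# constants are the BIP 68 flag and mask values.

SEQUENCE_LOCKTIME_DISABLE_FLAG = 1 << 31   # bit 31 set: no relative lock
SEQUENCE_LOCKTIME_TYPE_FLAG = 1 << 22      # bit 22 set: time-based, else height-based
SEQUENCE_LOCKTIME_MASK = 0x0000FFFF        # low 16 bits carry the value
SEQUENCE_LOCKTIME_GRANULARITY = 9          # time units are 2**9 = 512 seconds


def tx_version_signed(raw_tx: bytes) -> int:
    """The mistaken reading: first 4 bytes as little-endian int32."""
    return struct.unpack_from("<i", raw_tx, 0)[0]


def tx_version_unsigned(raw_tx: bytes) -> int:
    """The consensus reading: the same 4 bytes as uint32."""
    return struct.unpack_from("<I", raw_tx, 0)[0]


def bip68_enforced(version: int) -> bool:
    """BIP 68 / BIP 112 apply only when version >= 2; correctness depends on
    the caller having decoded `version` as unsigned."""
    return version >= 2


def decode_sequence(n_sequence: int) -> dict:
    """Interpret an input's nSequence under BIP 68."""
    if n_sequence & SEQUENCE_LOCKTIME_DISABLE_FLAG:
        return {"disabled": True}
    value = n_sequence & SEQUENCE_LOCKTIME_MASK
    if n_sequence & SEQUENCE_LOCKTIME_TYPE_FLAG:
        return {"disabled": False, "type": "time",
                "seconds": value << SEQUENCE_LOCKTIME_GRANULARITY}
    return {"disabled": False, "type": "height", "blocks": value}


def relative_lock(raw_tx: bytes, n_sequence: int, signed_version: bool) -> dict:
    """Decide whether a relative lock applies to one input, using either the
    signed (buggy) or unsigned (consensus) reading of the version field."""
    version = tx_version_signed(raw_tx) if signed_version else tx_version_unsigned(raw_tx)
    if not bip68_enforced(version):
        return {"version": version, "enforced": False}
    return {"version": version, "enforced": True, **decode_sequence(n_sequence)}


# Constructed transaction prefixes: only the leading 4-byte version field is used.
NEGATIVE_VERSION_TX = b"\xff\xff\xff\xff" + b"\x01"   # -1 signed, 4294967295 unsigned
VERSION_1_TX = b"\x01\x00\x00\x00" + b"\x01"          # pre-BIP68 transaction

if __name__ == "__main__":
    for label, signed in (("signed (buggy)", True), ("unsigned (consensus)", False)):
        print(f"{label:22s}", relative_lock(NEGATIVE_VERSION_TX, 0x0000000A, signed))
```

For the `0xffffffff` version with an nSequence of 10, the unsigned reading enforces a ten-block relative lock while the signed reading waives it. Because the input's spendability is part of block validity, nodes on each side of that disagreement accept different blocks, which is the chain-split scenario the advisory describes. Version 1 transactions are exempt under both readings, so the bug only surfaces on deliberately crafted versions.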