The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2024-33595 | Missing Authorization vulnerability in Jewel Theme Master Addons for Elementor.This issue affects Master Addons for Elementor: from n/a through 2.0.5.4.1. | -- | Apr 29, 2024 |
| CVE-2024-33594 | Missing Authorization vulnerability in Leaky Paywall.This issue affects Leaky Paywall: from n/a through 4.20.8. | -- | Apr 29, 2024 |
| CVE-2024-33593 | Missing Authorization vulnerability in RedNao Smart Forms.This issue affects Smart Forms: from n/a through 2.6.91. | -- | Apr 29, 2024 |
| CVE-2024-33591 | Missing Authorization vulnerability in Tips and Tricks HQ Easy Accept Payments.This issue affects Easy Accept Payments: from n/a through 4.9.10. | -- | Apr 29, 2024 |
| CVE-2024-33590 | Server-Side Request Forgery (SSRF) vulnerability in codeSavory Knowledge Base documentation & wiki plugin – BasePress.This issue affects Knowledge Base documentation & wiki plugin – BasePress: from n/a through 2.16.1. | -- | Apr 29, 2024 |
| CVE-2024-33589 | Missing Authorization vulnerability in WPOmnia KB Support.This issue affects KB Support: from n/a through 1.6.0. | -- | Apr 29, 2024 |
| CVE-2024-33588 | Missing Authorization vulnerability in codeSavory Knowledge Base documentation & wiki plugin – BasePress.This issue affects Knowledge Base documentation & wiki plugin – BasePress: from n/a through 2.16.1. | -- | Apr 29, 2024 |
| CVE-2024-33587 | Missing Authorization vulnerability in Copy Content Protection Team Secure Copy Content Protection and Content Locking.This issue affects Secure Copy Content Protection and Content Locking: from n/a through 3.9.0. | -- | Apr 29, 2024 |
| CVE-2024-33586 | Missing Authorization vulnerability in Photo Gallery Team Photo Gallery by 10Web.This issue affects Photo Gallery by 10Web: from n/a through 1.8.20. | -- | Apr 29, 2024 |
| CVE-2024-33585 | Missing Authorization vulnerability in Tyche Softwares Payment Gateway Based Fees and Discounts for WooCommerce.This issue affects Payment Gateway Based Fees and Discounts for WooCommerce: from n/a through 2.12.1. | -- | Apr 29, 2024 |
| CVE-2024-33584 | URL Redirection to Untrusted Site (\'Open Redirect\') vulnerability in Deepen Bajracharya Video Conferencing with Zoom.This issue affects Video Conferencing with Zoom: from n/a through 4.4.4. | -- | Apr 29, 2024 |
| CVE-2024-33575 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in User Meta user-meta.This issue affects User Meta: from n/a through 3.0. | -- | Apr 29, 2024 |
| CVE-2024-33571 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in Infomaniak Staff VOD Infomaniak allows Reflected XSS.This issue affects VOD Infomaniak: from n/a through 1.5.6. | -- | Apr 29, 2024 |
| CVE-2024-33566 | Missing Authorization vulnerability in N-Media OrderConvo allows OS Command Injection.This issue affects OrderConvo: from n/a through 12.4. | -- | Apr 29, 2024 |
| CVE-2024-33562 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in 8theme XStore allows Reflected XSS.This issue affects XStore: from n/a through 9.3.5. | -- | Apr 29, 2024 |
| CVE-2024-33559 | Improper Neutralization of Special Elements used in an SQL Command (\'SQL Injection\') vulnerability in 8theme XStore allows SQL Injection.This issue affects XStore: from n/a through 9.3.5. | -- | Apr 29, 2024 |
| CVE-2024-33558 | Missing Authorization vulnerability in 8theme XStore Core.This issue affects XStore Core: from n/a through 5.3.5. | -- | Apr 29, 2024 |
| CVE-2024-33554 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in 8theme XStore Core allows Reflected XSS.This issue affects XStore Core: from n/a through 5.3.5. | -- | Apr 29, 2024 |
| CVE-2024-33553 | Deserialization of Untrusted Data vulnerability in 8theme XStore Core.This issue affects XStore Core: from n/a through 5.3.5. | -- | Apr 29, 2024 |
| CVE-2024-33551 | Improper Neutralization of Special Elements used in an SQL Command (\'SQL Injection\') vulnerability in 8theme XStore Core allows SQL Injection.This issue affects XStore Core: from n/a through 5.3.5. | -- | Apr 29, 2024 |
| CVE-2024-33548 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in AA-Team WZone allows Reflected XSS.This issue affects WZone: from n/a through 14.0.10. | -- | Apr 29, 2024 |
| CVE-2024-33546 | Improper Neutralization of Special Elements used in an SQL Command (\'SQL Injection\') vulnerability in AA-Team WZone allows SQL Injection.This issue affects WZone: from n/a through 14.0.10. | -- | Apr 29, 2024 |
| CVE-2024-33544 | Improper Neutralization of Special Elements used in an SQL Command (\'SQL Injection\') vulnerability in AA-Team WZone allows SQL Injection.This issue affects WZone: from n/a through 14.0.10. | -- | Apr 29, 2024 |
| CVE-2024-33542 | Authorization Bypass Through User-Controlled Key vulnerability in Fabio Rinaldi Crelly Slider.This issue affects Crelly Slider: from n/a through 1.4.5. | -- | Apr 29, 2024 |
| CVE-2024-33540 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in ThemeGrill ColorNews allows Stored XSS.This issue affects ColorNews: from n/a through 1.2.6. | -- | Apr 29, 2024 |
| CVE-2024-33539 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in WPZOOM WPZOOM Addons for Elementor (Templates, Widgets) allows Stored XSS.This issue affects WPZOOM Addons for Elementor (Templates, Widgets): from n/a through 1.1.35. | -- | Apr 29, 2024 |
| CVE-2024-33538 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Fastline Media LLC Assistant – Every Day Productivity Apps.This issue affects Assistant – Every Day Productivity Apps: from n/a through 1.4.9.1. | -- | Apr 29, 2024 |
| CVE-2024-33537 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in Theme Horse WP Portfolio allows Stored XSS.This issue affects WP Portfolio: from n/a through 2.4. | -- | Apr 29, 2024 |
| CVE-2024-33522 | In vulnerable versions of Calico (v3.27.2 and below), Calico Enterprise (v3.19.0-1, v3.18.1, v3.17.3 and below), and Calico Cloud (v19.2.0 and below), an attacker who has local access to the Kubernetes node, can escalate their privileges by exploiting a vulnerability in the Calico CNI install binary. The issue arises from an incorrect SUID (Set User ID) bit configuration in the binary, combined with the ability to control the input binary, allowing an attacker to execute an arbitrary binary with elevated privileges. | -- | Apr 29, 2024 |
| CVE-2024-33449 | An SSRF issue in the PDFMyURL service allows a remote attacker to obtain sensitive information and execute arbitrary code via a POST request in the url parameter | -- | Apr 29, 2024 |
| CVE-2024-33445 | An issue in hisiphp v2.0.111 allows a remote attacker to execute arbitrary code via a crafted script to the SystemPlugins::mkInfo parameter in the SystemPlugins.php component. | -- | Apr 29, 2024 |
| CVE-2024-33444 | SQL injection vulnerability in onethink v.1.1 allows a remote attacker to escalate privileges via a crafted script to the ModelModel.class.php component. | -- | Apr 29, 2024 |
| CVE-2024-33443 | An issue in onethink v.1.1 allows a remote attacker to execute arbitrary code via a crafted script to the AddonsController.class.php component. | -- | Apr 29, 2024 |
| CVE-2024-33438 | File Upload vulnerability in CubeCart before 6.5.5 allows an authenticated user to execute arbitrary code via a crafted .phar file. | -- | Apr 29, 2024 |
| CVE-2024-33435 | Insecure Permissions vulnerability in Guangzhou Yingshi Electronic Technology Co. Ncast Yingshi high-definition intelligent recording and playback system 2007-2017 allows a remote attacker to execute arbitrary code via the /manage/IPSetup.php backend function | -- | Apr 29, 2024 |
| CVE-2024-33401 | Cross Site Scripting vulnerability in DedeCMS v.5.7.113 allows a remote attacker to run arbitrary code via the mnum parameter. | -- | Apr 29, 2024 |
| CVE-2024-33350 | Directory Traversal vulnerability in TaoCMS v.3.0.2 allows a remote attacker to execute arbitrary code and obtain sensitive information via the include/model/file.php component. | -- | Apr 29, 2024 |
| CVE-2024-33345 | D-Link DIR-823G A1V1.0.2B05 was found to contain a Null-pointer dereference in the main function of upload_firmware.cgi, which allows remote attackers to cause a Denial of Service (DoS) via a crafted input. | -- | Apr 29, 2024 |
| CVE-2024-33339 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. | -- | Apr 29, 2024 |
| CVE-2024-33338 | Cross Site Scripting vulnerability in jizhicms v.2.5.4 allows a remote attacker to obtain sensitive information via a crafted article publication request. | -- | Apr 29, 2024 |
| CVE-2024-33276 | SQL Injection vulnerability in FME Modules preorderandnotication v.3.1.0 and before allows a remote attacker to run arbitrary SQL commands via the PreorderModel::getIdProductAttributesByIdAttributes() method. | -- | Apr 29, 2024 |
| CVE-2024-33272 | SQL injection vulnerability in KnowBand for PrestaShop autosuggest before 2.0.0 allows an attacker to run arbitrary SQL commands via the AutosuggestSearchModuleFrontController::initContent(), and AutosuggestSearchModuleFrontController::getKbProducts() components. | -- | Apr 29, 2024 |
| CVE-2024-33271 | An issue in FME Modules eventsmanager before 4.4.0 allows an attacker to obtain sensitive information from the ps_customer component. | -- | Apr 29, 2024 |
| CVE-2024-33269 | SQL Injection vulnerability in Prestaddons flashsales 1.9.7 and before allows an attacker to run arbitrary SQL commands via the FsModel::getFlashSales method. | -- | Apr 29, 2024 |
| CVE-2024-33268 | SQL Injection vulnerability in Digincube mdgiftproduct before 1.4.1 allows an attacker to run arbitrary SQL commands via the MdGiftRule::addGiftToCart method. | -- | Apr 29, 2024 |
| CVE-2024-33266 | SQL Injection vulnerability in Helloshop deliveryorderautoupdate v.2.8.1 and before allows an attacker to run arbitrary SQL commands via the DeliveryorderautoupdateOrdersModuleFrontController::initContent function. | -- | Apr 29, 2024 |
| CVE-2024-32887 | Sidekiq is simple, efficient background processing for Ruby. Sidekiq is reflected XSS vulnerability. The value of substr parameter is reflected in the response without any encoding, allowing an attacker to inject Javascript code into the response of the application. An attacker could exploit it to target users of the Sidekiq Web UI. Moreover, if other applications are deployed on the same domain or website as Sidekiq, users of those applications could also be affected, leading to a broader scope of compromise. Potentially compromising their accounts, forcing the users to perform sensitive actions, stealing sensitive data, performing CORS attacks, defacement of the web application, etc. This issue has been patched in version 7.2.4. | -- | Apr 29, 2024 |
| CVE-2024-32883 | MCUboot is a secure bootloader for 32-bits microcontrollers. MCUboot uses a TLV (tag-length-value) structure to represent the meta data associated with an image. The TLVs themselves are divided into two sections, a protected and an unprotected section. The protected TLV entries are included as part of the image signature to avoid tampering. However, the code does not distinguish which TLV entries should be protected or not, so it is possible for an attacker to add unprotected TLV entries that should be protected. Currently, the primary protected TLV entries should be the dependency indication, and the boot record. An injected dependency value would primarily result in an otherwise acceptable image being rejected. A boot record injection could allow fields in a later attestation record to include data not intended, which could cause an image to appear to have properties that it should not have. As a workaround, disable the boot record functionality. | -- | Apr 29, 2024 |
| CVE-2024-32881 | Danswer is the AI Assistant connected to company\'s docs, apps, and people. Danswer is vulnerable to unauthorized access to GET/SET of Slack Bot Tokens. Anyone with network access can steal slack bot tokens and set them. This implies full compromise of the customer\'s slack bot, leading to internal Slack access. This issue was patched in version 3.63. | -- | Apr 29, 2024 |
| CVE-2024-32878 | Llama.cpp is LLM inference in C/C++. There is a use of uninitialized heap variable vulnerability in gguf_init_from_file, the code will free this uninitialized variable later. In a simple POC, it will directly cause a crash. If the file is carefully constructed, it may be possible to control this uninitialized value and cause arbitrary address free problems. This may further lead to be exploited. Causes llama.cpp to crash (DoS) and may even lead to arbitrary code execution (RCE). This vulnerability has been patched in commit b2740. | -- | Apr 29, 2024 |
