The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2024-32493 | An issue was discovered in Znuny LTS 6.5.1 through 6.5.7 and Znuny 7.0.1 through 7.0.16 where a logged-in agent is able to inject SQL in the draft form ID parameter of an AJAX request. | -- | Apr 29, 2024 |
| CVE-2024-32492 | An issue was discovered in Znuny 7.0.1 through 7.0.16 where the ticket detail view in the customer front allows the execution of external JavaScript. | -- | Apr 29, 2024 |
| CVE-2024-32491 | An issue was discovered in Znuny and Znuny LTS 6.0.31 through 6.5.7 and Znuny 7.0.1 through 7.0.16 where a logged-in user can upload a file (via a manipulated AJAX Request) to an arbitrary writable location by traversing paths. Arbitrary code can be executed if this location is publicly available through the web server. | -- | Apr 29, 2024 |
| CVE-2024-32269 | An issue in Yonganda YAD-LOJ V3.0.561 allows a remote attacker to cause a denial of service via a crafted packet. | -- | Apr 29, 2024 |
| CVE-2024-32268 | An issue in Tuya Smart camera U6N v.3.2.5 allows a remote attacker to cause a denial of service via a crafted packet to the network connection component. | -- | Apr 29, 2024 |
| CVE-2024-31828 | Cross Site Scripting vulnerability in Lavalite CMS v.10.1.0 allows attackers to execute arbitrary code and obtain sensitive information via a crafted payload to the URL. | -- | Apr 29, 2024 |
| CVE-2024-31823 | An issue in Ecommerce-CodeIgniter-Bootstrap commit v. d22b54e8915f167a135046ceb857caaf8479c4da allows a remote attacker to execute arbitrary code via the removeSecondaryImage method of the Publish.php component. | -- | Apr 29, 2024 |
| CVE-2024-31822 | An issue in Ecommerce-CodeIgniter-Bootstrap commit v. d22b54e8915f167a135046ceb857caaf8479c4da allows a remote attacker to execute arbitrary code via the saveLanguageFiles method of the Languages.php component. | -- | Apr 29, 2024 |
| CVE-2024-31821 | SQL Injection vulnerability in Ecommerce-CodeIgniter-Bootstrap commit v. d22b54e8915f167a135046ceb857caaf8479c4da allows a remote attacker to execute arbitrary code via the manageQuantitiesAndProcurement method of the Orders_model.php component. | -- | Apr 29, 2024 |
| CVE-2024-31820 | An issue in Ecommerce-CodeIgniter-Bootstrap commit v. d22b54e8915f167a135046ceb857caaf8479c4da allows a remote attacker to execute arbitrary code via the getLangFolderForEdit method of the Languages.php component. | -- | Apr 29, 2024 |
| CVE-2024-31801 | Directory Traversal vulnerability in NEXSYS-ONE before v.Rev.15320 allows a remote attacker to obtain sensitive information via a crafted request. | -- | Apr 29, 2024 |
| CVE-2024-31747 | An issue in Yealink VP59 Microsoft Teams Phone firmware 91.15.0.118 (fixed in 122.15.0.142) allows a physically proximate attacker to disable the phone lock via the Walkie Talkie menu option. | -- | Apr 29, 2024 |
| CVE-2024-31741 | Cross Site Scripting vulnerability in MiniCMS v.1.11 allows a remote attacker to run arbitrary code via crafted string in the URL after login. | -- | Apr 29, 2024 |
| CVE-2024-31705 | An issue in Infotel Conseil GLPI v.10.X.X and after allows a remote attacker to execute arbitrary code via the insufficient validation of user-supplied input. | -- | Apr 29, 2024 |
| CVE-2024-31621 | An issue in FlowiseAI Inc Flowise v.1.6.2 and before allows a remote attacker to execute arbitrary code via a crafted script to the api/v1 component. | -- | Apr 29, 2024 |
| CVE-2024-31601 | An issue in Beijing Panabit Network Software Co., Ltd Panalog big data analysis platform v. 20240323 and before allows attackers to execute arbitrary code via the exportpdf.php component. | -- | Apr 29, 2024 |
| CVE-2024-31551 | Directory Traversal vulnerability in lib/admin/image.admin.php in cmseasy v7.7.7.9 20240105 allows attackers to delete arbitrary files via crafted GET request. | -- | Apr 29, 2024 |
| CVE-2024-31502 | An issue in Insurance Management System v.1.0.0 and before allows a remote attacker to escalate privileges via a crafted POST request to /admin/core/new_staff. | -- | Apr 29, 2024 |
| CVE-2024-30804 | An issue discovered in the DeviceIoControl component in ASUS Fan_Xpert before v.10013 allows an attacker to execute arbitrary code via crafted IOCTL requests. | -- | Apr 29, 2024 |
| CVE-2024-28961 | Dell OpenManage Enterprise, versions 4.0.0 and 4.0.1, contains a sensitive information disclosure vulnerability. A local low privileged malicious user could potentially exploit this vulnerability to obtain credentials leading to unauthorized access with elevated privileges. This could lead to further attacks, thus Dell recommends customers to upgrade at the earliest opportunity. | -- | Apr 29, 2024 |
| CVE-2024-28326 | Incorrect Access Control in Asus RT-N12+ B1 routers allows local attackers to obtain root terminal access via the the UART interface. | -- | Apr 29, 2024 |
| CVE-2024-28322 | SQL Injection vulnerability in /event-management-master/backend/register.php in PuneethReddyHC Event Management 1.0 allows attackers to run arbitrary SQL commands via the event_id parameter in a crafted POST request. | -- | Apr 29, 2024 |
| CVE-2024-28320 | Insecure Direct Object References (IDOR) vulnerability in Hospital Management System 1.0 allows attackers to manipulate user parameters for unauthorized access and modifications via crafted POST request to /patient/edit-user.php. | -- | Apr 29, 2024 |
| CVE-2024-28294 | Limbas up to v5.2.14 was discovered to contain a SQL injection vulnerability via the ftid parameter. | -- | Apr 29, 2024 |
| CVE-2024-27518 | An issue in SUPERAntiSyware Professional X 10.0.1262 and 10.0.1264 allows unprivileged attackers to escalate privileges via a restore of a crafted DLL file into the C:\\Program Files\\SUPERAntiSpyware folder. | -- | Apr 29, 2024 |
| CVE-2024-27322 | Deserialization of untrusted data can occur in the R statistical programming language, on any version starting at 1.4.0 up to and not including 4.4.0, enabling a maliciously crafted RDS (R Data Serialization) formatted file or R package to run arbitrary code on an end user’s system when interacted with. | -- | Apr 29, 2024 |
| CVE-2024-26928 | In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential UAF in cifs_debug_files_proc_show() Skip sessions that are being teared down (status == SES_EXITING) to avoid UAF. | -- | Apr 29, 2024 |
| CVE-2024-26927 | In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: Add some bounds checking to firmware data Smatch complains about head->full_size - head->header_size can underflow. To some extent, we\'re always going to have to trust the firmware a bit. However, it\'s easy enough to add a check for negatives, and let\'s add a upper bounds check as well. | -- | Apr 29, 2024 |
| CVE-2024-25343 | Tenda N300 F3 router vulnerability allows users to bypass intended security policy and create weak passwords. | -- | Apr 29, 2024 |
| CVE-2024-25050 | IBM i 7.2, 7.3, 7.4, 7.5 and IBM Rational Development Studio for i 7.2, 7.3, 7.4, 7.5 networking and compiler infrastructure could allow a local user to gain elevated privileges due to an unqualified library call. A malicious actor could cause user-controlled code to run with administrator privileges. IBM X-Force ID: 283242. | -- | Apr 29, 2024 |
| CVE-2024-25048 | IBM MQ Appliance 9.3 CD and LTS are vulnerable to a heap-based buffer overflow, caused by improper bounds checking. A remote authenticated attacker could overflow a buffer and execute arbitrary code on the system or cause the server to crash. IBM X-Force ID: 283137. | -- | Apr 29, 2024 |
| CVE-2024-23995 | Cross Site Scripting (XSS) in Beekeeper Studio 4.1.13 and earlier allows remote attackers to execute arbitrary code in the column name of a database table in tabulator-popup-container. | -- | Apr 29, 2024 |
| CVE-2024-4310 | Cross-site Scripting (XSS) vulnerability in HubBank affecting version 1.0.2. This vulnerability allows an attacker to send a specially crafted JavaScript payload to registration and profile forms and trigger the payload when any authenticated user loads the page, resulting in a session takeover. | -- | Apr 29, 2024 |
| CVE-2024-4309 | SQL injection vulnerability in HubBank affecting version 1.0.2. This vulnerability could allow an attacker to send a specially crafted SQL query to the database through different endpoints (/user/transaction.php?id=1, /user/credit-debit_transaction.php?id=1,/user/view_transaction. php?id=1 and /user/viewloantrans.php?id=1, id parameter) and retrieve the information stored in the database. | -- | Apr 29, 2024 |
| CVE-2024-4308 | SQL injection vulnerability in HubBank affecting version 1.0.2. This vulnerability could allow an attacker to send a specially crafted SQL query to the database through different endpoints (/admin/view_users.php?id=1,/admin/viewloan-trans.php?id=1,/admin/view-deposit.php?id=1,/admin/view-domtrans.php?id=1, /admin/delete_cards.php?id=1,/admin/view_cards.php?id=1 and /admin/view_users.php?id=1, id parameter) and retrieve the information stored in the database. | -- | Apr 29, 2024 |
| CVE-2024-4307 | SQL injection vulnerability in HubBank affecting version 1.0.2. This vulnerability could allow an attacker to send a specially crafted SQL query to the database through different endpoints (/accounts/activities.php?id=1, /accounts/view-deposit.php?id=1, /accounts/view_cards. php?id=1, /accounts/wire-transfer.php?id=1 and /accounts/wiretransfer-pending.php?id=1, id parameter) and retrieve the information stored in the database. | -- | Apr 29, 2024 |
| CVE-2024-4306 | Critical unrestricted file upload vulnerability in HubBank affecting version 1.0.2. This vulnerability allows a registered user to upload malicious PHP files via upload document fields, resulting in webshell execution. | -- | Apr 29, 2024 |
| CVE-2024-4304 | A Cross-Site Scripting XSS vulnerability has been detected on GT3 Soluciones SWAL. This vulnerability consists in a reflected XSS in the Titular parameter inside Gestion \'Documental > Seguimiento de Expedientes > Alta de Expedientes\'. | -- | Apr 29, 2024 |
| CVE-2024-4303 | ArmorX Android APP\'s multi-factor authentication (MFA) for the login function is not properly implemented. Remote attackers who obtain user credentials can bypass MFA, allowing them to successfully log into the APP. | -- | Apr 29, 2024 |
| CVE-2024-4302 | Super 8 Live Chat online customer service platform fails to properly filter user input, allowing unauthenticated remote attackers to insert JavaScript code into the chat box. When the message recipient views the message, they become susceptible to Cross-site Scripting (XSS) attacks. | -- | Apr 29, 2024 |
| CVE-2024-4301 | N-Reporter and N-Cloud, products of the N-Partner, have an OS Command Injection vulnerability. Remote attackers with normal user privilege can execute arbitrary system commands by manipulating user inputs on a specific page. | -- | Apr 29, 2024 |
| CVE-2024-4300 | E-WEBInformationCo. FS-EZViewer(Web) exposes sensitive information in the service. A remote attacker can obtain the database configuration file path through the webpage source code without login. Accessing this path allows attacker to obtain the database credential with the highest privilege and database host IP address. With this information, attackers can connect to the database and perform actions such as adding, modifying, or deleting database contents. | -- | Apr 29, 2024 |
| CVE-2024-4299 | The system configuration interface of HGiga iSherlock (including MailSherlock, SpamSherock, AuditSherlock) fails to filter special characters in certain function parameters, allowing remote attackers with administrative privileges to exploit this vulnerability for Command Injection attacks, enabling execution of arbitrary system commands. | -- | Apr 29, 2024 |
| CVE-2024-4298 | The email search interface of HGiga iSherlock (including MailSherlock, SpamSherock, AuditSherlock) fails to filter special characters in certain function parameters, allowing remote attackers with administrative privileges to exploit this vulnerability for Command Injection attacks, enabling execution of arbitrary system commands. | -- | Apr 29, 2024 |
| CVE-2024-4297 | The system configuration interface of HGiga iSherlock (including MailSherlock, SpamSherlock, AuditSherlock) fails to filter special characters in certain function parameters, allowing remote attackers with administrative privileges to exploit this vulnerability to download arbitrary system files. | -- | Apr 29, 2024 |
| CVE-2024-4296 | The account management interface of HGiga iSherlock (including MailSherlock, SpamSherlock, AuditSherlock) fails to filter special characters in certain function parameters, allowing remote attackers with administrative privileges to exploit this vulnerability to download arbitrary system files. | -- | Apr 29, 2024 |
| CVE-2024-4294 | A vulnerability, which was classified as critical, has been found in PHPGurukul Doctor Appointment Management System 1.0. Affected by this issue is some unknown functionality of the file /doctor/view-appointment-detail.php. The manipulation of the argument editid leads to improper control of resource identifiers. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-262226 is the identifier assigned to this vulnerability. | -- | Apr 29, 2024 |
| CVE-2024-4293 | A vulnerability classified as problematic was found in PHPGurukul Doctor Appointment Management System 1.0. Affected by this vulnerability is an unknown functionality of the file appointment-bwdates-reports-details.php. The manipulation of the argument fromdate/todate leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-262225 was assigned to this vulnerability. | -- | Apr 29, 2024 |
| CVE-2024-4292 | A vulnerability classified as critical has been found in Contemporary Controls BASrouter BACnet BASRT-B 2.7.2. Affected is an unknown function of the component Device-Communication-Control Service. The manipulation with the input 55ff0500370015f30104025506110afb7519035d0841e4bece257b6acfc71f leads to denial of service. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-262224. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | -- | Apr 29, 2024 |
| CVE-2024-4291 | A vulnerability was found in Tenda A301 15.13.08.12_multi_TDE01. It has been rated as critical. This issue affects the function formAddMacfilterRule of the file /goform/setBlackRule. The manipulation of the argument deviceList leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-262223. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | -- | Apr 29, 2024 |
