The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2024-31302 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in CodePeople Contact Form Email.This issue affects Contact Form Email: from n/a through 1.3.44. | -- | Apr 10, 2024 |
| CVE-2024-31299 | Cross-Site Request Forgery (CSRF) vulnerability in Reservation Diary ReDi Restaurant Reservation allows Cross-Site Scripting (XSS).This issue affects ReDi Restaurant Reservation: from n/a through 24.0128. | -- | Apr 10, 2024 |
| CVE-2024-31298 | Insertion of Sensitive Information into Log File vulnerability in Joel Hardi User Spam Remover.This issue affects User Spam Remover: from n/a through 1.0. | -- | Apr 10, 2024 |
| CVE-2024-31297 | Missing Authorization vulnerability in WPExperts Wholesale For WooCommerce.This issue affects Wholesale For WooCommerce: from n/a through 2.3.0. | -- | Apr 10, 2024 |
| CVE-2024-31287 | Improper Limitation of a Pathname to a Restricted Directory (\'Path Traversal\') vulnerability in Max Foundry Media Library Folders.This issue affects Media Library Folders: from n/a through 8.1.8. | -- | Apr 10, 2024 |
| CVE-2024-31282 | URL Redirection to Untrusted Site (\'Open Redirect\') vulnerability in Appcheap.Io App Builder.This issue affects App Builder: from n/a through 3.8.7. | -- | Apr 10, 2024 |
| CVE-2024-31278 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Leap13 Premium Addons for Elementor.This issue affects Premium Addons for Elementor: from n/a through 4.10.22. | -- | Apr 10, 2024 |
| CVE-2024-31259 | Insertion of Sensitive Information into Log File vulnerability in Searchiq SearchIQ.This issue affects SearchIQ: from n/a through 4.5. | -- | Apr 10, 2024 |
| CVE-2024-31254 | Insertion of Sensitive Information into Log File vulnerability in WebToffee WordPress Backup & Migration.This issue affects WordPress Backup & Migration: from n/a through 1.4.7. | -- | Apr 10, 2024 |
| CVE-2024-31253 | URL Redirection to Untrusted Site (\'Open Redirect\') vulnerability in WP OAuth Server OAuth Server.This issue affects OAuth Server: from n/a through 4.3.3. | -- | Apr 10, 2024 |
| CVE-2024-31249 | Insertion of Sensitive Information into Log File vulnerability in WPKube Subscribe To Comments Reloaded.This issue affects Subscribe To Comments Reloaded: from n/a through 220725. | -- | Apr 10, 2024 |
| CVE-2024-31247 | Insertion of Sensitive Information into Log File vulnerability in Frédéric GILLES FG Drupal to WordPress.This issue affects FG Drupal to WordPress: from n/a through 3.70.3. | -- | Apr 10, 2024 |
| CVE-2024-31245 | Insertion of Sensitive Information into Log File vulnerability in ConvertKit.This issue affects ConvertKit: from n/a through 2.4.5. | -- | Apr 10, 2024 |
| CVE-2024-31242 | Missing Authorization vulnerability in Bricksforge.This issue affects Bricksforge: from n/a through 2.0.17. | -- | Apr 10, 2024 |
| CVE-2024-31240 | Improper Limitation of a Pathname to a Restricted Directory (\'Path Traversal\') vulnerability in InfoTheme WP Poll Maker.This issue affects WP Poll Maker: from n/a through 3.1. | -- | Apr 10, 2024 |
| CVE-2024-31230 | Missing Authorization vulnerability in ShortPixel ShortPixel Adaptive Images.This issue affects ShortPixel Adaptive Images: from n/a through 3.8.2. | -- | Apr 10, 2024 |
| CVE-2024-31214 | Traccar is an open source GPS tracking system. Traccar versions 5.1 through 5.12 allow arbitrary files to be uploaded through the device image upload API. Attackers have full control over the file contents, full control over the directory where the file is stored, full control over the file extension, and partial control over the file name. While it\'s not for an attacker to overwrite an existing file, an attacker can create new files with certain names and attacker-controlled extensions anywhere on the file system. This can potentially lead to remote code execution, XSS, DOS, etc. The default install of Traccar makes this vulnerability more severe. Self-registration is enabled by default, allowing anyone to create an account to exploit this vulnerability. Traccar also runs by default with root/system privileges, allowing files to be placed anywhere on the file system. Version 6.0 contains a fix for the issue. One may also turn off self-registration by default, as that would make most vulnerabilities in the application much harder to exploit by default and reduce the severity considerably. | -- | Apr 10, 2024 |
| CVE-2024-30737 | An issue was discovered in ROS Kinetic Kame in ROS_VERSION 1 and ROS_PYTHON_VERSION 3, allows remote attackers to execute arbitrary code via packages or nodes within the ROS system. | -- | Apr 10, 2024 |
| CVE-2024-30736 | An insecure deserialization vulnerability has been identified in ROS Kinetic Kame in ROS_VERSION 1 and ROS_PYTHON_VERSION 3, allows attackers to execute arbitrary code and obtain sensitive information via the Data Serialization and Deserialization Components, Inter-Process Communication Mechanisms, and Network Communication Interfaces. | -- | Apr 10, 2024 |
| CVE-2024-30735 | An arbitrary file upload vulnerability has been discovered in ROS Kinetic Kame in ROS_VERSION 1 and ROS_PYTHON_VERSION 3, allows attackers to execute arbitrary code, cause a denial of service (DoS), and obtain sensitive information via crafted payload to the file upload mechanism of the ROS system, including the server’s functionality for handling file uploads and the associated validation processes. | -- | Apr 10, 2024 |
| CVE-2024-30733 | A buffer overflow vulnerability has been discovered in the C++ components of ROS Kinetic Kame in ROS_VERSION 1 and ROS_ PYTHON_VERSION 3, allows attackers to execute arbitrary code or cause a denial of service (DoS) via improper handling of arrays or strings within these components. | -- | Apr 10, 2024 |
| CVE-2024-30730 | An insecure logging vulnerability has been identified within ROS Kinetic Kame in ROS_VERSION 1 and ROS_ PYTHON_VERSION 3, allows attackers to obtain sensitive information via inadequate security measures implemented within the logging mechanisms of ROS. | -- | Apr 10, 2024 |
| CVE-2024-30729 | An OS command injection vulnerability has been discovered in ROS Kinetic Kame in ROS_VERSION 1 and ROS_ PYTHON_VERSION 3, allows remote attackers to execute arbitrary code, escalate privileges, and obtain sensitive information via the External Command Execution Modules, System Call Handlers, and Interface Scripts. | -- | Apr 10, 2024 |
| CVE-2024-30727 | An issue was discovered in ROS Kinetic Kame in Kinetic Kame ROS_VERSION 1 and ROS_ PYTHON_VERSION 3, where the system transmits messages in plaintext, allowing attackers to obtain sensitive information via a man-in-the-middle attack. | -- | Apr 10, 2024 |
| CVE-2024-30726 | A shell injection vulnerability was discovered in ROS (Robot Operating System) Kinetic Kame in ROS_VERSION 1 and ROS_ PYTHON_VERSION 3, allows remote attackers to execute arbitrary code, escalate privileges, and obtain sensitive information due to the way ROS handles shell command execution in components like command interpreters or interfaces that process external inputs. | -- | Apr 10, 2024 |
| CVE-2024-30724 | An issue was discovered in ROS Kinetic Kame in ROS_VERSION 1 and ROS_PYTHON_VERSION 3, allows remote attackers to execute arbitrary code, escalate privileges, obtain sensitive information, and gain unauthorized access to multiple ROS nodes. | -- | Apr 10, 2024 |
| CVE-2024-30723 | An unauthorized node injection vulnerability has been identified in ROS Kinetic Kame in ROS_VERSION 1 and ROS_PYTHON_VERSION 3, allows remote attackers to escalate privileges and inject malicious ROS nodes into the system due to insecure permissions. | -- | Apr 10, 2024 |
| CVE-2024-30722 | An issue was discovered in ROS Kinetic Kame in ROS_VERSION 1 and ROS_PYTHON_VERSION 3, allows remote attackers to cause a denial of service (DoS) via the ROS nodes. | -- | Apr 10, 2024 |
| CVE-2024-30721 | An arbitrary file upload vulnerability has been discovered in ROS2 Dashing Diademata in ROS_VERSION 2 and ROS_PYTHON_VERSION 3, allows attackers to execute arbitrary code, cause a denial of service (DoS), and obtain sensitive information via a crafted payload to the file upload mechanism of the ROS2 system, including the server’s functionality for handling file uploads and the associated validation processes. | -- | Apr 10, 2024 |
| CVE-2024-30719 | An insecure deserialization vulnerability has been identified in ROS2 Dashing Diademata in ROS_VERSION 2 and ROS_PYTHON_VERSION 3, allows attackers to execute arbitrary code and obtain sensitive information via Data Serialization and Deserialization Components, Inter-Process Communication Mechanisms, and Network Communication Interfaces. | -- | Apr 10, 2024 |
| CVE-2024-30718 | An issue was discovered in ROS2 Dashing Diademata in ROS_VERSION=2 and ROS_PYTHON_VERSION=3, allows remote attackers to execute arbitrary code via packages or nodes within the ROS2 system. | -- | Apr 10, 2024 |
| CVE-2024-30716 | An insecure logging vulnerability in ROS2 Dashing Diademata ROS_VERSION 2 and ROS_PYTHON_VERSION 3, allows attacks to obtain sensitive information via inadequate security measures implemented within the logging mechanisms of ROS2. | -- | Apr 10, 2024 |
| CVE-2024-30715 | A buffer overflow vulnerability has been discovered in the C++ components of ROS2 Dashing Diademata in ROS_VERSION 2 and ROS_PYTHON_VERSION 3, allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via improper handling of arrays or strings. | -- | Apr 10, 2024 |
| CVE-2024-30713 | An OS command injection vulnerability has been discovered in ROS2 Dashing Diademata in ROS_VERSION 2 and ROS_PYTHON_VERSION 3, allows remote attackers to execute arbitrary code, escalate privileges, and obtain sensitive information via the External Command Execution Modules, System Call Handlers, and Interface Scripts. | -- | Apr 10, 2024 |
| CVE-2024-30712 | A shell injection vulnerability was discovered in ROS2 (Robot Operating System 2) Dashing Diademata in ROS_VERSION 2 and ROS_PYTHON_VERSION 3, allows remote attackers to execute arbitrary code, escalate privileges, and obtain sensitive information due to the way ROS2 handles shell command execution in components like command interpreters or interfaces that process external inputs. | -- | Apr 10, 2024 |
| CVE-2024-30711 | An issue was discovered in the default configurations of ROS2 Dashing Diademata in ROS_VERSION 2 and ROS_PYTHON_VERSION 3, allows unauthenticated attackers to gain access using default credentials. | -- | Apr 10, 2024 |
| CVE-2024-30710 | An issue was discovered in ROS2 Dashing Diademata in ROS_VERSION 2 and ROS_PYTHON_VERSION 3, where the system transmits messages in plaintext. This flaw exposes sensitive information, making it vulnerable to man-in-the-middle (MitM) attacks, and allowing attackers to easily intercept and access this data. | -- | Apr 10, 2024 |
| CVE-2024-30708 | An issue was discovered in ROS2 Dashing Diademata in ROS_VERSION 2 and ROS_PYTHON_VERSION 3, allows remote attackers to cause a denial of service (DoS) via the ROS2 nodes. | -- | Apr 10, 2024 |
| CVE-2024-30707 | Unauthorized node injection vulnerability in ROS2 Dashing Diademata in ROS_VERSION 2 and ROS_PYTHON_VERSION 3, allows remote attackers to escalate privileges and inject malicious ROS2 nodes into the system. | -- | Apr 10, 2024 |
| CVE-2024-29296 | A user enumeration vulnerability was found in Portainer CE 2.19.4. This issue occurs during user authentication process, where a difference in response time could allow a remote unauthenticated user to determine if a username is valid or not. | -- | Apr 10, 2024 |
| CVE-2024-28345 | An issue discovered in Sipwise C5 NGCP Dashboard below mr11.5.1 allows a low privileged user to access the Journal endpoint by directly visit the URL. | -- | Apr 10, 2024 |
| CVE-2024-28344 | An Open Redirect vulnerability was found in Sipwise C5 NGCP Dashboard below mr11.5.1. The Open Redirect vulnerability allows attackers to control the back parameter in the URL through a double encoded URL. | -- | Apr 10, 2024 |
| CVE-2024-27477 | In Leantime 3.0.6, a Cross-Site Scripting vulnerability exists within the ticket creation and modification functionality, allowing attackers to inject malicious JavaScript code into the title field of tickets (also known as to-dos). This stored XSS vulnerability can be exploited to perform Server-Side Request Forgery (SSRF) attacks. | -- | Apr 10, 2024 |
| CVE-2024-27476 | Leantime 3.0.6 is vulnerable to HTML Injection via /dashboard/show#/tickets/newTicket. | -- | Apr 10, 2024 |
| CVE-2024-27474 | Leantime 3.0.6 is vulnerable to Cross Site Request Forgery (CSRF). This vulnerability allows malicious actors to perform unauthorized actions on behalf of authenticated users, specifically administrators. | -- | Apr 10, 2024 |
| CVE-2024-26816 | In the Linux kernel, the following vulnerability has been resolved: x86, relocs: Ignore relocations in .notes section When building with CONFIG_XEN_PV=y, .text symbols are emitted into the .notes section so that Xen can find the startup_xen entry point. This information is used prior to booting the kernel, so relocations are not useful. In fact, performing relocations against the .notes section means that the KASLR base is exposed since /sys/kernel/notes is world-readable. To avoid leaking the KASLR base without breaking unprivileged tools that are expecting to read /sys/kernel/notes, skip performing relocations in the .notes section. The values readable in .notes are then identical to those found in System.map. | -- | Apr 10, 2024 |
| CVE-2024-26815 | In the Linux kernel, the following vulnerability has been resolved: net/sched: taprio: proper TCA_TAPRIO_TC_ENTRY_INDEX check taprio_parse_tc_entry() is not correctly checking TCA_TAPRIO_TC_ENTRY_INDEX attribute: int tc; // Signed value tc = nla_get_u32(tb[TCA_TAPRIO_TC_ENTRY_INDEX]); if (tc >= TC_QOPT_MAX_QUEUE) { NL_SET_ERR_MSG_MOD(extack, TC entry index out of range); return -ERANGE; } syzbot reported that it could fed arbitary negative values: UBSAN: shift-out-of-bounds in net/sched/sch_taprio.c:1722:18 shift exponent -2147418108 is negative CPU: 0 PID: 5066 Comm: syz-executor367 Not tainted 6.8.0-rc7-syzkaller-00136-gc8a5c731fd12 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/29/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1e7/0x2e0 lib/dump_stack.c:106 ubsan_epilogue lib/ubsan.c:217 [inline] __ubsan_handle_shift_out_of_bounds+0x3c7/0x420 lib/ubsan.c:386 taprio_parse_tc_entry net/sched/sch_taprio.c:1722 [inline] taprio_parse_tc_entries net/sched/sch_taprio.c:1768 [inline] taprio_change+0xb87/0x57d0 net/sched/sch_taprio.c:1877 taprio_init+0x9da/0xc80 net/sched/sch_taprio.c:2134 qdisc_create+0x9d4/0x1190 net/sched/sch_api.c:1355 tc_modify_qdisc+0xa26/0x1e40 net/sched/sch_api.c:1776 rtnetlink_rcv_msg+0x885/0x1040 net/core/rtnetlink.c:6617 netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2543 netlink_unicast_kernel net/netlink/af_netlink.c:1341 [inline] netlink_unicast+0x7ea/0x980 net/netlink/af_netlink.c:1367 netlink_sendmsg+0xa3b/0xd70 net/netlink/af_netlink.c:1908 sock_sendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x221/0x270 net/socket.c:745 ____sys_sendmsg+0x525/0x7d0 net/socket.c:2584 ___sys_sendmsg net/socket.c:2638 [inline] __sys_sendmsg+0x2b0/0x3a0 net/socket.c:2667 do_syscall_64+0xf9/0x240 entry_SYSCALL_64_after_hwframe+0x6f/0x77 RIP: 0033:0x7f1b2dea3759 Code: 48 83 c4 28 c3 e8 d7 19 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffd4de452f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f1b2def0390 RCX: 00007f1b2dea3759 RDX: 0000000000000000 RSI: 00000000200007c0 RDI: 0000000000000004 RBP: 0000000000000003 R08: 0000555500000000 R09: 0000555500000000 R10: 0000555500000000 R11: 0000000000000246 R12: 00007ffd4de45340 R13: 00007ffd4de45310 R14: 0000000000000001 R15: 00007ffd4de45340 | -- | Apr 10, 2024 |
| CVE-2024-26122 | Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. | -- | Apr 10, 2024 |
| CVE-2024-26098 | Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. | -- | Apr 10, 2024 |
| CVE-2024-26097 | Adobe Experience Manager versions 6.5.19 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. | -- | Apr 10, 2024 |
