The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2023-50008 | Buffer Overflow vulnerability in Ffmpeg v.n6.1-3-g466799d4f5 allows a local attacker to execute arbitrary code via the av_malloc function in libavutil/mem.c:105:9 component. | -- | Apr 19, 2024 |
| CVE-2023-50007 | Buffer Overflow vulnerability in Ffmpeg v.n6.1-3-g466799d4f5 allows a local attacker to execute arbitrary code via theav_samples_set_silence function in thelibavutil/samplefmt.c:260:9 component. | -- | Apr 19, 2024 |
| CVE-2023-49963 | DYMO LabelWriter Print Server through 2.366 contains a backdoor hard-coded password that could allow an attacker to take control. | -- | Apr 19, 2024 |
| CVE-2023-49502 | Buffer Overflow vulnerability in Ffmpeg v.n6.1-3-g466799d4f5 allows a local attacker to execute arbitrary code via the ff_bwdif_filter_intra_c function in the libavfilter/bwdifdsp.c:125:5 component. | -- | Apr 19, 2024 |
| CVE-2023-49501 | Buffer Overflow vulnerability in Ffmpeg v.n6.1-3-g466799d4f5 allows a local attacker to execute arbitrary code via the config_eq_output function in the libavfilter/asrc_afirsrc.c:495:30 component. | -- | Apr 19, 2024 |
| CVE-2023-49275 | Wazuh is a free and open source platform used for threat prevention, detection, and response. A NULL pointer dereference was detected during fuzzing of the analysis engine, allowing malicious clients to DoS the analysis engine. The bug occurs when `analysisd` receives a syscollector message with the `hotfix` `msg_type` but lacking a `timestamp`. It uses `cJSON_GetObjectItem()` to get the `timestamp` object item and dereferences it without checking for a `NULL` value. A malicious client can DoS the analysis engine. This vulnerability is fixed in 4.7.1. | -- | Apr 19, 2024 |
| CVE-2023-47435 | An issue in the verifyPassword function of hexo-theme-matery v2.0.0 allows attackers to bypass authentication and access password protected pages. | -- | Apr 19, 2024 |
| CVE-2023-37400 | IBM Aspera Faspex 5.0.0 through 5.0.7 could allow a local user to escalate their privileges due to insecure credential storage. IBM X-Force ID: 259677. | -- | Apr 19, 2024 |
| CVE-2023-37397 | IBM Aspera Faspex 5.0.0 through 5.0.7 could allow a local user to obtain or modify sensitive information due to improper encryption of certain data. IBM X-Force ID: 259672. | -- | Apr 19, 2024 |
| CVE-2023-37396 | IBM Aspera Faspex 5.0.0 through 5.0.7 could allow a local user to obtain sensitive information due to improper encryption of certain data. IBM X-Force ID: 259671. | -- | Apr 19, 2024 |
| CVE-2023-27279 | IBM Aspera Faspex 5.0.0 through 5.0.7 could allow a user to cause a denial of service due to missing API rate limiting. IBM X-Force ID: 248533. | -- | Apr 19, 2024 |
| CVE-2023-22869 | IBM Aspera Faspex 5.0.0 through 5.0.7 stores potentially sensitive information in log files that could be read by a local user. IBM X-Force ID: 244119. | -- | Apr 19, 2024 |
| CVE-2022-40745 | IBM Aspera Faspex 5.0.0 through 5.0.7 could allow a local user to obtain sensitive information due to weaker than expected security. IBM X-Force ID: 236452. | -- | Apr 19, 2024 |
| CVE-2024-31750 | SQL injection vulnerability in f-logic datacube3 v.1.0 allows a remote attacker to obtain sensitive information via the req_id parameter. | -- | Apr 19, 2024 |
| CVE-2024-30938 | SQL Injection vulnerability in SEMCMS v.4.8 allows a remote attacker to obtain sensitive information via the ID parameter in the SEMCMS_User.php component. | -- | Apr 19, 2024 |
| CVE-2024-29204 | A Heap Overflow vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows a remote unauthenticated attacker to execute arbitrary commands | -- | Apr 19, 2024 |
| CVE-2024-27984 | A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to delete specific type of files and/or cause denial of service. | -- | Apr 19, 2024 |
| CVE-2024-27978 | A Null Pointer Dereference vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows an authenticated remote attacker to perform denial of service attacks. | -- | Apr 19, 2024 |
| CVE-2024-27977 | A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to delete arbitrary files, thereby leading to Denial-of-Service. | -- | Apr 19, 2024 |
| CVE-2024-27976 | A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM. | -- | Apr 19, 2024 |
| CVE-2024-27975 | An Use-after-free vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM. | -- | Apr 19, 2024 |
| CVE-2024-25000 | A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM. | -- | Apr 19, 2024 |
| CVE-2024-24999 | A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM. | -- | Apr 19, 2024 |
| CVE-2024-24998 | A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM. | -- | Apr 19, 2024 |
| CVE-2024-24997 | A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM. | -- | Apr 19, 2024 |
| CVE-2024-24996 | A Heap overflow vulnerability in WLInfoRailService component of Ivanti Avalanche before 6.4.3 allows an unauthenticated remote attacker to execute arbitrary commands. | -- | Apr 19, 2024 |
| CVE-2024-24995 | A Race Condition (TOCTOU) vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM. | -- | Apr 19, 2024 |
| CVE-2024-24994 | A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM. | -- | Apr 19, 2024 |
| CVE-2024-24993 | A Race Condition (TOCTOU) vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM. | -- | Apr 19, 2024 |
| CVE-2024-24992 | A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM. | -- | Apr 19, 2024 |
| CVE-2024-24991 | A Null Pointer Dereference vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows an authenticated remote attacker to perform denial of service attacks. | -- | Apr 19, 2024 |
| CVE-2024-23535 | A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM. | -- | Apr 19, 2024 |
| CVE-2024-23534 | An Unrestricted File-upload vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM. | -- | Apr 19, 2024 |
| CVE-2024-23533 | An out-of-bounds read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3, in certain conditions can allow an authenticated remote attacker to read sensitive information in memory. | -- | Apr 19, 2024 |
| CVE-2024-23532 | An out-of-bounds Read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows an authenticated remote attacker to perform denial of service attacks. In certain conditions this could also lead to remote code execution. | -- | Apr 19, 2024 |
| CVE-2024-23531 | An Integer Overflow vulnerability in WLInfoRailService component of Ivanti Avalanche before 6.4.3 allows an unauthenticated remote attacker to perform denial of service attacks. In certain rare conditions this could also lead to reading content from memory. | -- | Apr 19, 2024 |
| CVE-2024-23530 | An out-of-bounds read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3, in certain conditions can allow an unauthenticated remote attacker to read sensitive information in memory. | -- | Apr 19, 2024 |
| CVE-2024-23529 | An out-of-bounds read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3, in certain conditions can allow an unauthenticated remote attacker to read sensitive information in memory. | -- | Apr 19, 2024 |
| CVE-2024-23528 | An out-of-bounds read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3, in certain conditions can allow an unauthenticated remote attacker to read sensitive information in memory. | -- | Apr 19, 2024 |
| CVE-2024-23526 | An out-of-bounds read vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3, in certain conditions can allow an unauthenticated remote attacker to read sensitive information in memory. | -- | Apr 19, 2024 |
| CVE-2024-22061 | A Heap Overflow vulnerability in WLInfoRailService component of Ivanti Avalanche before 6.4.3 allows a remote unauthenticated attacker to execute arbitrary commands | -- | Apr 19, 2024 |
| CVE-2024-3818 | The Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\'s Social Icons block in all versions up to, and including, 4.5.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | -- | Apr 19, 2024 |
| CVE-2024-3731 | The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the \'s\' parameter in all versions up to, and including, 5.47.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | -- | Apr 19, 2024 |
| CVE-2024-3615 | The Media Library Folders plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the \'s\' parameter in all versions up to, and including, 8.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | -- | Apr 19, 2024 |
| CVE-2024-3600 | The Poll Maker – Best WordPress Poll Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting due to a missing capability check on the ays_poll_maker_quick_start AJAX action in addition to insufficient escaping and sanitization in all versions up to, and including, 5.1.8. This makes it possible for unauthenticated attackers to create quizzes and inject malicious web scripts into them that execute when a user visits the page. | -- | Apr 19, 2024 |
| CVE-2024-3598 | The ElementsKit Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\'s Creative Button widget in all versions up to, and including, 3.6.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | -- | Apr 19, 2024 |
| CVE-2024-3560 | The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the _id value in all versions up to, and including, 4.2.6.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | -- | Apr 19, 2024 |
| CVE-2024-2410 | The JsonToBinaryStream() function is part of the protocol buffers C++ implementation and is used to parse JSON from a stream. If the input is broken up into separate chunks in a certain way, the parser will attempt to read bytes from a chunk that has already been freed. | -- | Apr 19, 2024 |
| CVE-2024-32698 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in Leevio Happy Addons for Elementor allows Stored XSS.This issue affects Happy Addons for Elementor: from n/a through 3.10.4. | -- | Apr 22, 2024 |
| CVE-2024-32697 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in HelloAsso allows Stored XSS.This issue affects HelloAsso: from n/a through 1.1.5. | -- | Apr 22, 2024 |
