The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2024-3860 | An out-of-memory condition during object initialization could result in an empty shape list. If the JIT subsequently traced the object it would crash. This vulnerability affects Firefox < 125. | -- | Apr 16, 2024 |
| CVE-2024-3859 | On 32-bit versions there were integer-overflows that led to an out-of-bounds-read that potentially could be triggered by a malformed OpenType font. This vulnerability affects Firefox < 125, Firefox ESR < 115.10, and Thunderbird < 115.10. | -- | Apr 16, 2024 |
| CVE-2024-3858 | It was possible to mutate a JavaScript object so that the JIT could crash while tracing it. This vulnerability affects Firefox < 125. | -- | Apr 16, 2024 |
| CVE-2024-3857 | The JIT created incorrect code for arguments in certain cases. This led to potential use-after-free crashes during garbage collection. This vulnerability affects Firefox < 125, Firefox ESR < 115.10, and Thunderbird < 115.10. | -- | Apr 16, 2024 |
| CVE-2024-3856 | A use-after-free could occur during WASM execution if garbage collection ran during the creation of an array. This vulnerability affects Firefox < 125. | -- | Apr 16, 2024 |
| CVE-2024-3855 | In certain cases the JIT incorrectly optimized MSubstr operations, which led to out-of-bounds reads. This vulnerability affects Firefox < 125. | -- | Apr 16, 2024 |
| CVE-2024-3854 | In some code patterns the JIT incorrectly optimized switch statements and generated code with out-of-bounds-reads. This vulnerability affects Firefox < 125, Firefox ESR < 115.10, and Thunderbird < 115.10. | -- | Apr 16, 2024 |
| CVE-2024-3853 | A use-after-free could result if a JavaScript realm was in the process of being initialized when a garbage collection started. This vulnerability affects Firefox < 125. | -- | Apr 16, 2024 |
| CVE-2024-3852 | GetBoundName could return the wrong version of an object when JIT optimizations were applied. This vulnerability affects Firefox < 125, Firefox ESR < 115.10, and Thunderbird < 115.10. | -- | Apr 16, 2024 |
| CVE-2024-3847 | Insufficient policy enforcement in WebUI in Google Chrome prior to 124.0.6367.60 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low) | -- | Apr 17, 2024 |
| CVE-2024-3846 | Inappropriate implementation in Prompts in Google Chrome prior to 124.0.6367.60 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | -- | Apr 17, 2024 |
| CVE-2024-3845 | Inappropriate implementation in Networks in Google Chrome prior to 124.0.6367.60 allowed a remote attacker to bypass mixed content policy via a crafted HTML page. (Chromium security severity: Low) | -- | Apr 17, 2024 |
| CVE-2024-3844 | Inappropriate implementation in Extensions in Google Chrome prior to 124.0.6367.60 allowed a remote attacker to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Low) | -- | Apr 17, 2024 |
| CVE-2024-3843 | Insufficient data validation in Downloads in Google Chrome prior to 124.0.6367.60 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | -- | Apr 17, 2024 |
| CVE-2024-3841 | Insufficient data validation in Browser Switcher in Google Chrome prior to 124.0.6367.60 allowed a remote attacker to inject scripts or HTML into a privileged page via a malicious file. (Chromium security severity: Medium) | -- | Apr 17, 2024 |
| CVE-2024-3840 | Insufficient policy enforcement in Site Isolation in Google Chrome prior to 124.0.6367.60 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium) | -- | Apr 17, 2024 |
| CVE-2024-3839 | Out of bounds read in Fonts in Google Chrome prior to 124.0.6367.60 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium) | -- | Apr 17, 2024 |
| CVE-2024-3838 | Inappropriate implementation in Autofill in Google Chrome prior to 124.0.6367.60 allowed an attacker who convinced a user to install a malicious app to perform UI spoofing via a crafted app. (Chromium security severity: Medium) | -- | Apr 17, 2024 |
| CVE-2024-3837 | Use after free in QUIC in Google Chrome prior to 124.0.6367.60 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) | -- | Apr 17, 2024 |
| CVE-2024-3834 | Use after free in Downloads in Google Chrome prior to 124.0.6367.60 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | -- | Apr 17, 2024 |
| CVE-2024-3833 | Object corruption in WebAssembly in Google Chrome prior to 124.0.6367.60 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High) | -- | Apr 17, 2024 |
| CVE-2024-3832 | Object corruption in V8 in Google Chrome prior to 124.0.6367.60 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High) | -- | Apr 17, 2024 |
| CVE-2024-3804 | A vulnerability, which was classified as critical, has been found in Vesystem Cloud Desktop up to 20240408. This issue affects some unknown processing of the file /Public/webuploader/0.1.5/server/fileupload2.php. The manipulation of the argument file leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-260777 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | -- | Apr 16, 2024 |
| CVE-2024-3803 | A vulnerability classified as critical was found in Vesystem Cloud Desktop up to 20240408. This vulnerability affects unknown code of the file /Public/webuploader/0.1.5/server/fileupload.php. The manipulation of the argument file leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-260776. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | -- | Apr 16, 2024 |
| CVE-2024-3802 | Vulnerabilities in Celeste 22.x was vulnerable to takeover from unauthenticated local attacker. | -- | Apr 15, 2024 |
| CVE-2024-3797 | A vulnerability was found in SourceCodester QR Code Bookmark System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /endpoint/delete-bookmark.php?bookmark=1. The manipulation of the argument bookmark leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-260764. | -- | Apr 15, 2024 |
| CVE-2024-3786 | Vulnerability in WBSAirback 21.02.04, which involves improper neutralisation of Server-Side Includes (SSI), through Device Synchronizations (/admin/DeviceReplication). Exploitation of this vulnerability could allow a remote user to execute arbitrary code. | -- | Apr 15, 2024 |
| CVE-2024-3785 | Vulnerability in WBSAirback 21.02.04, which involves improper neutralisation of Server-Side Includes (SSI), through Device NAS shared section (/admin/DeviceNAS). Exploitation of this vulnerability could allow a remote user to execute arbitrary code. | -- | Apr 15, 2024 |
| CVE-2024-3784 | Vulnerability in WBSAirback 21.02.04, which involves improper neutralisation of Server-Side Includes (SSI), through S3 Accounts (/admin/CloudAccounts). Exploitation of this vulnerability could allow a remote user to execute arbitrary code. | -- | Apr 15, 2024 |
| CVE-2024-3783 | The Backup Agents section in WBSAirback 21.02.04 is affected by a Path Traversal vulnerability, allowing a user with low privileges to download files from the system. | -- | Apr 15, 2024 |
| CVE-2024-3782 | Cross-Site Request Forgery vulnerability in WBSAirback 21.02.04, which could allow an attacker to create a manipulated HTML form to perform privileged actions once it is executed by a privileged user. | -- | Apr 15, 2024 |
| CVE-2024-3781 | Command injection vulnerability in the operating system. Improper neutralisation of special elements in Active Directory integration allows the intended command to be modified when sent to a downstream component in WBSAirback 21.02.04. | -- | Apr 15, 2024 |
| CVE-2024-3780 | A vulnerability of Information Exposure has been found on Technicolor CGA2121 affecting the version 1.01, this vulnerability allows a local attacker to obtain sensitive information stored on the device such as wifi network\'s SSID and their respective passwords. | -- | Apr 15, 2024 |
| CVE-2024-3778 | The file upload functionality of Ai3 QbiBot does not properly restrict types of uploaded files, allowing remote attackers with administrator privilege to upload files with dangerous type containing malicious code. | -- | Apr 15, 2024 |
| CVE-2024-3777 | The password reset feature of Ai3 QbiBot lacks proper access control, allowing unauthenticated remote attackers to reset any user\'s password. | -- | Apr 15, 2024 |
| CVE-2024-3776 | The parameter used in the login page of Netvision airPASS is not properly filtered for user input. An unauthenticated remote attacker can insert JavaScript code to the parameter for Reflected Cross-site scripting attacks. | -- | Apr 15, 2024 |
| CVE-2024-3775 | aEnrich Technology a+HRD\'s functionality for downloading files using youtube-dl.exe does not properly restrict user input. This allows attackers to pass arbitrary arguments to youtube-dl.exe, leading to the download of partial unauthorized files. | -- | Apr 15, 2024 |
| CVE-2024-3774 | aEnrich Technology a+HRD\'s functionality for front-end retrieval of system configuration values lacks proper restrictions on a specific parameter, allowing attackers to modify this parameter to access certain sensitive system configuration values. | -- | Apr 15, 2024 |
| CVE-2024-3772 | Regular expression denial of service in Pydanic < 2.4.0, < 1.10.13 allows remote attackers to cause denial of service via a crafted email string. | -- | Apr 15, 2024 |
| CVE-2024-3771 | A vulnerability was found in PHPGurukul Student Record System 3.20 and classified as critical. Affected by this issue is some unknown functionality of the file /edit-subject.php. The manipulation of the argument sub1/sub2/sub3/sub4/udate leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-260618 is the identifier assigned to this vulnerability. | -- | Apr 15, 2024 |
| CVE-2024-3770 | A vulnerability has been found in PHPGurukul Student Record System 3.20 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /manage-courses.php?del=1. The manipulation of the argument del leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-260617 was assigned to this vulnerability. | -- | Apr 15, 2024 |
| CVE-2024-3769 | A vulnerability, which was classified as critical, was found in PHPGurukul Student Record System 3.20. Affected is an unknown function of the file /login.php. The manipulation of the argument id/password leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-260616. | -- | Apr 15, 2024 |
| CVE-2024-3768 | A vulnerability, which was classified as critical, has been found in PHPGurukul News Portal 4.1. This issue affects some unknown processing of the file search.php. The manipulation of the argument searchtitle leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-260615. | -- | Apr 15, 2024 |
| CVE-2024-3767 | A vulnerability classified as critical was found in PHPGurukul News Portal 4.1. This vulnerability affects unknown code of the file /admin/edit-post.php. The manipulation of the argument posttitle leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-260614 is the identifier assigned to this vulnerability. | -- | Apr 15, 2024 |
| CVE-2024-3766 | A vulnerability, which was classified as problematic, has been found in slowlyo OwlAdmin up to 3.5.7. Affected by this issue is some unknown functionality of the file /admin-api/upload_image of the component Image File Upload. The manipulation of the argument file leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-260606 is the identifier assigned to this vulnerability. | -- | Apr 15, 2024 |
| CVE-2024-3765 | A vulnerability classified as critical was found in Xiongmai AHB7804R-MH-V2, AHB8004T-GL, AHB8008T-GL, AHB7004T-GS-V3, AHB7004T-MHV2, AHB8032F-LME and XM530_R80X30-PQ_8M. Affected by this vulnerability is an unknown functionality of the component Sofia Service. The manipulation with the input ff00000000000000000000000000f103250000007b202252657422203a203130302c202253657373696f6e494422203a202230783022207d0a leads to improper access controls. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-260605 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | -- | Apr 15, 2024 |
| CVE-2024-3764 | ** DISPUTED ** A vulnerability classified as problematic has been found in Tuya SDK up to 5.0.x. Affected is an unknown function of the component MQTT Packet Handler. The manipulation leads to denial of service. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. Upgrading to version 5.1.0 is able to address this issue. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-260604. NOTE: The vendor explains that a malicious actor would have to crack TLS first or use a legitimate login to initiate the attack. | -- | Apr 16, 2024 |
| CVE-2024-3763 | A vulnerability was found in Emlog Pro 2.2.10. It has been rated as problematic. This issue affects some unknown processing of the file /admin/tag.php of the component Post Tag Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-260603. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | -- | Apr 15, 2024 |
| CVE-2024-3762 | A vulnerability was found in Emlog Pro 2.2.10. It has been declared as problematic. This vulnerability affects unknown code of the file /admin/twitter.php of the component Whisper Page. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-260602 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | -- | Apr 15, 2024 |
| CVE-2024-3740 | A vulnerability, which was classified as critical, has been found in cym1102 nginxWebUI up to 3.9.9. This issue affects the function exec of the file /adminPage/conf/reload. The manipulation of the argument nginxExe leads to deserialization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-260579. | -- | Apr 15, 2024 |
