The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
ID | Description | Priority | Modified date |
---|---|---|---|
CVE-2024-29399 | An issue was discovered in GNU Savane v.3.13 and before, allows a remote attacker to execute arbitrary code and escalate privileges via a crafted file to the upload.php component. | -- | Apr 11, 2024 |
CVE-2024-29387 | projeqtor up to 11.2.0 was discovered to contain a remote code execution (RCE) vulnerability via the component /view/print.php. | -- | Apr 5, 2024 |
CVE-2024-29386 | projeqtor up to 11.2.0 was discovered to contain a SQL injection vulnerability via the component /view/criticalResourceExport.php. | -- | Apr 5, 2024 |
CVE-2024-29385 | DIR-845L router <= v1.01KRb03 has an unauthenticated remote code execution vulnerability in the cgibin binary via the soapcgi_main function. | -- | Mar 22, 2024 |
CVE-2024-29375 | CSV Injection vulnerability in Addactis IBNRS v.3.10.3.107 allows a remote attacker to execute arbitrary code via a crafted .ibnrs file to the Project Description, Identifiers, Custom Triangle Name (inside Input Triangles) and Yield Curve Name parameters. | -- | Apr 4, 2024 |
CVE-2024-29374 | A Cross-Site Scripting (XSS) vulnerability exists in the way MOODLE 3.10.9 handles user input within the GET /?lang= URL parameter. | -- | Mar 21, 2024 |
CVE-2024-29366 | A command injection vulnerability exists in the cgibin binary in DIR-845L router firmware <= v1.01KRb03. | -- | Mar 22, 2024 |
CVE-2024-29338 | Anchor CMS v0.12.7 was discovered to contain a Cross-Site Request Forgery (CSRF) via /anchor/admin/categories/delete/2. | -- | Mar 22, 2024 |
CVE-2024-29316 | NodeBB 3.6.7 is vulnerable to Incorrect Access Control, e.g., a low-privileged attacker can access the restricted tabs for the Admin group via isadmin:true. | -- | Mar 28, 2024 |
CVE-2024-29303 | The delete admin users function of SourceCodester PHP Task Management System 1.0 is vulnerable to SQL Injection. | -- | Mar 26, 2024 |
CVE-2024-29302 | SourceCodester PHP Task Management System 1.0 is vulnerable to SQL Injection via update-employee.php. | -- | Mar 26, 2024 |
CVE-2024-29301 | SourceCodester PHP Task Management System 1.0 is vulnerable to SQL Injection via update-admin.php?admin_id=. | -- | Mar 26, 2024 |
CVE-2024-29296 | A user enumeration vulnerability was found in Portainer CE 2.19.4. This issue occurs during user authentication process, where a difference in response time could allow a remote unauthenticated user to determine if a username is valid or not. | -- | Apr 10, 2024 |
CVE-2024-29291 | An issue in Laravel Framework 8 through 11 might allow a remote attacker to discover database credentials in storage/logs/laravel.log. | -- | Apr 16, 2024 |
CVE-2024-29278 | funboot v1.1 is vulnerable to Cross Site Scripting (XSS) via the title field in create a message. | -- | Apr 1, 2024 |
CVE-2024-29276 | An issue was discovered in seeyonOA version 8, allows remote attackers to execute arbitrary code via the importProcess method in WorkFlowDesignerController.class component. | -- | Apr 2, 2024 |
CVE-2024-29275 | SQL injection vulnerability in SeaCMS version 12.9, allows remote unauthenticated attackers to execute arbitrary code and obtain sensitive information via the id parameter in class.php. | -- | Mar 22, 2024 |
CVE-2024-29273 | There is Stored Cross-Site Scripting (XSS) in dzzoffice 2.02.1 SC UTF8 in uploadfile to index.php, with the XSS payload in an SVG document. | -- | Mar 22, 2024 |
CVE-2024-29272 | Arbitrary File Upload vulnerability in VvvebJs before version 1.7.5, allows unauthenticated remote attackers to execute arbitrary code and obtain sensitive information via the sanitizeFileName parameter in save.php. | -- | Mar 22, 2024 |
CVE-2024-29271 | Reflected Cross-Site Scripting (XSS) vulnerability in VvvebJs before version 1.7.7, allows remote attackers to execute arbitrary code and obtain sensitive information via the action parameter in save.php. | -- | Mar 22, 2024 |
CVE-2024-29269 | An issue discovered in Telesquare TLR-2005Ksh 1.0.0 and 1.1.4 allows attackers to run arbitrary system commands via the Cmd parameter. | -- | Apr 11, 2024 |
CVE-2024-29244 | Shenzhen Libituo Technology Co., Ltd LBT-T300-mini v1.2.9 was discovered to contain a buffer overflow via the pin_code_3g parameter at /apply.cgi. | -- | Mar 21, 2024 |
CVE-2024-29243 | Shenzhen Libituo Technology Co., Ltd LBT-T300-mini v1.2.9 was discovered to contain a buffer overflow via the vpn_client_ip parameter at /apply.cgi. | -- | Mar 21, 2024 |
CVE-2024-29241 | Missing authorization vulnerability in System webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to bypass security constraints via unspecified vectors. | -- | Mar 28, 2024 |
CVE-2024-29240 | Missing authorization vulnerability in LayoutSave webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to conduct denial-of-service attacks via unspecified vectors. | -- | Mar 28, 2024 |
CVE-2024-29239 | Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Recording.CountByCategory webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to inject SQL commands via unspecified vectors. | -- | Mar 28, 2024 |
CVE-2024-29238 | Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Log.CountByCategory webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to inject SQL commands via unspecified vectors. | -- | Mar 28, 2024 |
CVE-2024-29237 | Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in ActionRule.Delete webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to inject SQL commands via unspecified vectors. | -- | Mar 28, 2024 |
CVE-2024-29236 | Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in AudioPattern.Delete webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to inject SQL commands via unspecified vectors. | -- | Mar 28, 2024 |
CVE-2024-29235 | Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in IOModule.EnumLog webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to inject SQL commands via unspecified vectors. | -- | Mar 28, 2024 |
CVE-2024-29234 | Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Group.Save webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to inject SQL commands via unspecified vectors. | -- | Mar 28, 2024 |
CVE-2024-29233 | Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Emap.Delete webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to inject SQL commands via unspecified vectors. | -- | Mar 28, 2024 |
CVE-2024-29232 | Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Alert.Enum webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to inject SQL commands via unspecified vectors. | -- | Mar 28, 2024 |
CVE-2024-29231 | Improper validation of array index vulnerability in UserPrivilege.Enum webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to bypass security constraints via unspecified vectors. | -- | Mar 28, 2024 |
CVE-2024-29230 | Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in SnapShot.CountByCategory webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to inject SQL commands via unspecified vectors. | -- | Mar 28, 2024 |
CVE-2024-29229 | Missing authorization vulnerability in GetLiveViewPath webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to obtain sensitive information via unspecified vectors. | -- | Mar 28, 2024 |
CVE-2024-29228 | Missing authorization vulnerability in GetStmUrlPath webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to obtain sensitive information via unspecified vectors. | -- | Mar 28, 2024 |
CVE-2024-29227 | Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in Layout.LayoutSave webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to inject SQL commands via unspecified vectors. | -- | Mar 28, 2024 |
CVE-2024-29225 | WRC-X3200GST3-B v1.25 and earlier, and WRC-G01-W v1.24 and earlier allow a network-adjacent unauthenticated attacker to obtain the configuration file containing sensitive information by sending a specially crafted request. | -- | Apr 4, 2024 |
CVE-2024-29221 | Improper Access Control in Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 lacked proper access control in the `/api/v4/users/me/teams` endpoint allowing a team admin to get the invite ID of their team, thus allowing them to invite users, even if the Add Members permission was explicitly removed from team admins. | -- | Apr 5, 2024 |
CVE-2024-29220 | Ninja Forms prior to 3.8.1 contains a cross-site scripting vulnerability in custom fields for labels. If this vulnerability is exploited, an arbitrary script may be executed in the web browser of a user who is accessing the website using the product. | -- | Apr 11, 2024 |
CVE-2024-29219 | Out-of-bounds read vulnerability exists in KV STUDIO Ver.11.64 and earlier and KV REPLAY VIEWER Ver.2.64 and earlier, which may lead to information disclosure or arbitrary code execution by having a user of the affected product open a specially crafted file. | -- | Apr 15, 2024 |
CVE-2024-29218 | Out-of-bounds write vulnerability exists in KV STUDIO Ver.11.64 and earlier and KV REPLAY VIEWER Ver.2.64 and earlier, which may lead to information disclosure or arbitrary code execution by having a user of the affected product open a specially crafted file. | -- | Apr 15, 2024 |
CVE-2024-29216 | Exposed IOCTL with insufficient access control issue exists in cg6kwin2k.sys prior to 2.1.7.0. By sending a specific IOCTL request, a user without the administrator privilege may perform I/O to arbitrary hardware port or physical address, resulting in erasing or altering the firmware. | -- | Mar 25, 2024 |
CVE-2024-29203 | TinyMCE is an open source rich text editor. A cross-site scripting (XSS) vulnerability was discovered in TinyMCE’s content insertion code. This allowed `iframe` elements containing malicious code to execute when inserted into the editor. These `iframe` elements are restricted in their permissions by same-origin browser protections, but could still trigger operations such as downloading of malicious assets. This vulnerability is fixed in 6.8.1. | -- | Mar 26, 2024 |
CVE-2024-29202 | JumpServer is an open source bastion host and an operation and maintenance security audit system. Attackers can exploit a Jinja2 template injection vulnerability in JumpServer's Ansible to execute arbitrary code within the Celery container. Since the Celery container runs with root privileges and has database access, attackers could steal sensitive information from all hosts or manipulate the database. This vulnerability is fixed in v3.10.7. | -- | Apr 1, 2024 |
CVE-2024-29201 | JumpServer is an open source bastion host and an operation and maintenance security audit system. Attackers can bypass the input validation mechanism in JumpServer's Ansible to execute arbitrary code within the Celery container. Since the Celery container runs with root privileges and has database access, attackers could steal sensitive information from all hosts or manipulate the database. This vulnerability is fixed in v3.10.7. | -- | Apr 1, 2024 |
CVE-2024-29200 | Kimai is a web-based multi-user time-tracking application. The permission `view_other_timesheet` performs differently for the Kimai UI and the API, thus returning unexpected data through the API. When setting the `view_other_timesheet` permission to true, on the frontend, users can only see timesheet entries for teams they are a part of. When requesting all timesheets from the API, however, all timesheet entries are returned, regardless of whether the user shares team permissions or not. This vulnerability is fixed in 2.13.0. | -- | Mar 28, 2024 |
CVE-2024-29199 | Nautobot is a Network Source of Truth and Network Automation Platform. A number of Nautobot URL endpoints were found to be improperly accessible to unauthenticated (anonymous) users. These endpoints will not disclose any Nautobot data to an unauthenticated user unless the Nautobot configuration variable EXEMPT_VIEW_PERMISSIONS is changed from its default value (an empty list) to permit access to specific data by unauthenticated users. This vulnerability is fixed in 1.6.16 and 2.1.9. | -- | Mar 26, 2024 |
CVE-2024-29197 | Pimcore is an Open Source Data & Experience Management Platform. Any call with the query argument `?pimcore_preview=true` allows viewing unpublished sites. In previous versions of Pimcore, session information would propagate to previews, so only a logged-in user could open a preview. This no longer applies. Previews are broadly open to any user, and with just the hint of a restricted link one could gain access to possibly confidential / unreleased information. This vulnerability is fixed in 11.2.2 and 11.1.6.1. | -- | Mar 26, 2024 |