Wind River Support Network

CVE Database

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

ID Description Priority Modified date
CVE-2024-29109 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jan-Peter Lambeck & 3UU Shariff Wrapper allows Stored XSS. This issue affects Shariff Wrapper: from n/a through 4.6.10. -- Mar 19, 2024
CVE-2024-29110 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pauple Table & Contact Form 7 Database – Tablesome allows Reflected XSS. This issue affects Table & Contact Form 7 Database – Tablesome: from n/a through 1.0.27. -- Mar 19, 2024
CVE-2024-29111 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Webvitaly Sitekit allows Stored XSS. This issue affects Sitekit: from n/a through 1.6. -- Mar 19, 2024
CVE-2024-29112 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Marketing Robot WooCommerce Google Feed Manager allows Stored XSS. This issue affects WooCommerce Google Feed Manager: from n/a through 2.2.0. -- Mar 19, 2024
CVE-2024-29113 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Metagauss RegistrationMagic allows Reflected XSS. This issue affects RegistrationMagic: from n/a through 5.2.5.9. -- Mar 19, 2024
CVE-2024-29114 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in W3 Eden, Inc. Download Manager allows Stored XSS. This issue affects Download Manager: from n/a through 3.2.84. -- Mar 19, 2024
CVE-2024-29115 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zaytech Smart Online Order for Clover allows Stored XSS. This issue affects Smart Online Order for Clover: from n/a through 1.5.5. -- Mar 19, 2024
CVE-2024-29116 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in IconicWP WooThumbs for WooCommerce by Iconic allows Reflected XSS. This issue affects WooThumbs for WooCommerce by Iconic: from n/a through 5.5.3. -- Mar 19, 2024
CVE-2024-29117 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Cimatti Consulting Contact Forms by Cimatti allows Stored XSS. This issue affects Contact Forms by Cimatti: from n/a through 1.7.0. -- Mar 19, 2024
CVE-2024-29118 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Scrollsequence allows Stored XSS. This issue affects Scrollsequence: from n/a through 1.5.4. -- Mar 19, 2024
CVE-2024-29121 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Firassaidi WooCommerce License Manager allows Reflected XSS. This issue affects WooCommerce License Manager: from n/a through 5.3.1. -- Mar 19, 2024
CVE-2024-29122 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Foliovision: Making the web work for you FV Flowplayer Video Player allows Stored XSS. This issue affects FV Flowplayer Video Player: from n/a through 7.5.41.7212. -- Mar 19, 2024
CVE-2024-29123 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Yannick Lefebvre Link Library allows Reflected XSS. This issue affects Link Library: from n/a through 7.6. -- Mar 19, 2024
CVE-2024-29124 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AAM Advanced Access Manager allows Stored XSS. This issue affects Advanced Access Manager: from n/a through 6.9.20. -- Mar 19, 2024
CVE-2024-29125 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Elliot Sowersby, RelyWP Coupon Affiliates allows Reflected XSS. This issue affects Coupon Affiliates: from n/a through 5.12.7. -- Mar 19, 2024
CVE-2024-29126 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jose Mortellaro Specific Content For Mobile – Customize the mobile version without redirections allows Reflected XSS. This issue affects Specific Content For Mobile – Customize the mobile version without redirections: from n/a through 0.1.9.5. -- Mar 19, 2024
CVE-2024-29127 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AAM Advanced Access Manager allows Reflected XSS. This issue affects Advanced Access Manager: from n/a through 6.9.20. -- Mar 19, 2024
CVE-2024-29128 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Post SMTP POST SMTP allows Reflected XSS. This issue affects POST SMTP: from n/a through 2.8.6. -- Mar 19, 2024
CVE-2024-29129 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPLIT Pty Ltd OxyExtras allows Reflected XSS. This issue affects OxyExtras: from n/a through 1.4.4. -- Mar 19, 2024
CVE-2024-29130 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Scott Paterson Contact Form 7 – PayPal & Stripe Add-on allows Reflected XSS. This issue affects Contact Form 7 – PayPal & Stripe Add-on: from n/a through 2.0. -- Mar 19, 2024
CVE-2024-29131 Out-of-bounds Write vulnerability in Apache Commons Configuration. This issue affects Apache Commons Configuration: from 2.0 before 2.10.1. Users are recommended to upgrade to version 2.10.1, which fixes the issue. -- Mar 21, 2024
CVE-2024-29133 Out-of-bounds Write vulnerability in Apache Commons Configuration. This issue affects Apache Commons Configuration: from 2.0 before 2.10.1. Users are recommended to upgrade to version 2.10.1, which fixes the issue. -- Mar 21, 2024
CVE-2024-29134 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themefic Tourfic allows Stored XSS. This issue affects Tourfic: from n/a through 2.11.8. -- Mar 19, 2024
CVE-2024-29135 Unrestricted Upload of File with Dangerous Type vulnerability in Tourfic. This issue affects Tourfic: from n/a through 2.11.15. -- Mar 19, 2024
CVE-2024-29136 Deserialization of Untrusted Data vulnerability in Themefic Tourfic. This issue affects Tourfic: from n/a through 2.11.17. -- Mar 19, 2024
CVE-2024-29137 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themefic Tourfic allows Reflected XSS. This issue affects Tourfic: from n/a through 2.11.7. -- Mar 19, 2024
CVE-2024-29138 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DEV Institute Restrict User Access – Membership Plugin with Force allows Reflected XSS. This issue affects Restrict User Access – Membership Plugin with Force: from n/a through 2.5. -- Mar 19, 2024
CVE-2024-29139 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mark Tilly MyCurator Content Curation allows Reflected XSS. This issue affects MyCurator Content Curation: from n/a through 3.76. -- Mar 19, 2024
CVE-2024-29140 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Matt Manning MJM Clinic allows Stored XSS. This issue affects MJM Clinic: from n/a through 1.1.22. -- Mar 19, 2024
CVE-2024-29141 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PDF Embedder allows Stored XSS. This issue affects PDF Embedder: from n/a through 4.6.4. -- Mar 19, 2024
CVE-2024-29142 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WebberZone Better Search – Relevant search results for WordPress allows Stored XSS. This issue affects Better Search – Relevant search results for WordPress: from n/a through 3.3.0. -- Mar 19, 2024
CVE-2024-29143 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Cozmoslabs, sareiodata Passwordless Login passwordless-login allows Stored XSS. This issue affects Passwordless Login: from n/a through 1.1.2. -- Mar 19, 2024
CVE-2024-29149 An issue was discovered in Alcatel-Lucent ALE NOE deskphones through 86x8_NOE-R300.1.40.12.4180 and SIP deskphones through 86x8_SIP-R200.1.01.10.728. Because of a time-of-check time-of-use vulnerability, an authenticated attacker is able to replace the verified firmware image with malicious firmware during the update process. -- May 7, 2024
CVE-2024-29150 An issue was discovered in Alcatel-Lucent ALE NOE deskphones through 86x8_NOE-R300.1.40.12.4180 and SIP deskphones through 86x8_SIP-R200.1.01.10.728. Because of improper privilege management, an authenticated attacker is able to create symlinks to sensitive and protected data in locations that are used for debugging files. Given that the process of gathering debug logs is carried out with root privileges, any file referenced in the symlink is consequently written to the debug archive, thereby granting accessibility to the attacker. -- May 7, 2024
CVE-2024-29151 Rocket.Chat.Audit through 5ad78e8 depends on filecachetools, which does not exist in PyPI. -- Mar 18, 2024
CVE-2024-29154 danielmiessler fabric through 1.3.0 allows installer/client/gui/static/js/index.js XSS because of innerHTML mishandling, such as in htmlToPlainText. -- Mar 18, 2024
CVE-2024-29156 In OpenStack Murano through 16.0.0, when YAQL before 3.0.0 is used, the Murano service's MuranoPL extension to the YAQL language fails to sanitize the supplied environment, leading to potential leakage of sensitive service account information. -- Mar 18, 2024
CVE-2024-29157 HDF5 through 1.14.3 contains a heap buffer overflow in H5HG_read, resulting in the corruption of the instruction pointer and causing denial of service or potential code execution. -- May 14, 2024
CVE-2024-29158 HDF5 through 1.14.3 contains a stack buffer overflow in H5FL_arr_malloc, resulting in the corruption of the instruction pointer and causing denial of service or potential code execution. -- May 14, 2024
CVE-2024-29159 HDF5 through 1.14.3 contains a buffer overflow in H5Z__filter_scaleoffset, resulting in the corruption of the instruction pointer and causing denial of service or potential code execution. -- May 14, 2024
CVE-2024-29160 HDF5 through 1.14.3 contains a heap buffer overflow in H5HG__cache_heap_deserialize, resulting in the corruption of the instruction pointer and causing denial of service or potential code execution. -- May 14, 2024
CVE-2024-29161 HDF5 through 1.14.3 contains a heap buffer overflow in H5A__attr_release_table, resulting in the corruption of the instruction pointer and causing denial of service or potential code execution. -- May 14, 2024
CVE-2024-29162 HDF5 through 1.13.3 and/or 1.14.2 contains a stack buffer overflow in H5HG_read, resulting in denial of service or potential code execution. -- May 14, 2024
CVE-2024-29163 HDF5 through 1.14.3 contains a heap buffer overflow in H5T__bit_find, resulting in the corruption of the instruction pointer and causing denial of service or potential code execution. -- May 14, 2024
CVE-2024-29164 HDF5 through 1.14.3 contains a stack buffer overflow in H5R__decode_heap, resulting in the corruption of the instruction pointer and causing denial of service or potential code execution. -- May 14, 2024
CVE-2024-29165 HDF5 through 1.14.3 contains a buffer overflow in H5Z__filter_fletcher32, resulting in the corruption of the instruction pointer and causing denial of service or potential code execution. -- May 14, 2024
CVE-2024-29166 HDF5 through 1.14.3 contains a buffer overflow in H5O__linfo_decode, resulting in the corruption of the instruction pointer and causing denial of service or potential code execution. -- May 14, 2024
CVE-2024-29167 SVR-116 firmware version 1.6.0.30028871 allows a remote authenticated attacker with an administrative privilege to execute arbitrary OS commands by sending a specially crafted request to the product. -- Apr 4, 2024
CVE-2024-29179 phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. An attacker with admin privileges can upload an attachment containing JS code without extension and the application will render it as HTML which allows for XSS attacks. -- Mar 26, 2024
CVE-2024-29180 Prior to versions 7.1.0, 6.1.2, and 5.3.4, the webpack-dev-middleware development middleware for devpack does not validate the supplied URL address sufficiently before returning the local file. It is possible to access any file on the developer's machine. The middleware can either work with the physical filesystem when reading the files or it can use a virtualized in-memory `memfs` filesystem. If `writeToDisk` configuration option is set to `true`, the physical filesystem is used. The `getFilenameFromUrl` method is used to parse URL and build the local file path. The public path prefix is stripped from the URL, and the `unsecaped` path suffix is appended to the `outputPath`. As the URL is not unescaped and normalized automatically before calling the middleware, it is possible to use `%2e` and `%2f` sequences to perform path traversal attack. Developers using `webpack-dev-server` or `webpack-dev-middleware` are affected by the issue. When the project is started, an attacker might access any file on the developer's machine and exfiltrate the content. If the development server is listening on a public IP address (or `0.0.0.0`), an attacker on the local network can access the local files without any interaction from the victim (direct connection to the port). If the server allows access from third-party domains, an attacker can send a malicious link to the victim. When visited, the client side script can connect to the local server and exfiltrate the local files. Starting with fixed versions 7.1.0, 6.1.2, and 5.3.4, the URL is unescaped and normalized before any further processing. -- Mar 21, 2024
The 'Fixed Release' column is displayed if a single product version is selected from the filter. The fixed release is applicable in cases when the CVE has been addressed and fixed for that product version. Requires LTSS - customers must have active LTSS (Long Term Security Shield) Support to receive up-to-date information about vulnerabilities that may affect legacy software. Please contact your Wind River account team or see https://docs.windriver.com/bundle/Support_and_Maintenance_Supplemental_Terms_and_Conditions and https://support2.windriver.com/index.php?page=plc for more information.