The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2024-32867 | -- | Apr 24, 2024 | n/a | |
| CVE-2024-32664 | -- | Apr 24, 2024 | n/a | |
| CVE-2024-32663 | -- | Apr 24, 2024 | n/a | |
| CVE-2024-27282 | -- | Apr 24, 2024 | n/a | |
| CVE-2024-4093 | A vulnerability, which was classified as critical, was found in SourceCodester Simple Subscription Website 1.0. Affected is an unknown function of the file view_application.php. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-261822 is the identifier assigned to this vulnerability. | -- | Apr 24, 2024 | n/a |
| CVE-2023-50186 | -- | Apr 24, 2024 | n/a | |
| CVE-2024-33217 | Tenda FH1206 V1.2.0.8(8155)_EN was discovered to contain a stack-based buffer overflow vulnerability via the page parameter in ip/goform/addressNat. | -- | Apr 23, 2024 | n/a |
| CVE-2024-33215 | Tenda FH1206 V1.2.0.8(8155)_EN was discovered to contain a stack-based buffer overflow vulnerability via the mitInterface parameter in ip/goform/addressNat. | -- | Apr 23, 2024 | n/a |
| CVE-2024-33214 | Tenda FH1206 V1.2.0.8(8155)_EN was discovered to contain a stack-based buffer overflow vulnerability via the entrys parameter in ip/goform/RouteStatic. | -- | Apr 23, 2024 | n/a |
| CVE-2024-33213 | Tenda FH1206 V1.2.0.8(8155)_EN was discovered to contain a stack-based buffer overflow vulnerability via the mitInterface parameter in ip/goform/RouteStatic. | -- | Apr 23, 2024 | n/a |
| CVE-2024-33212 | Tenda FH1206 V1.2.0.8(8155)_EN was discovered to contain a stack-based buffer overflow vulnerability via the funcpara1 parameter in ip/goform/setcfm. | -- | Apr 23, 2024 | n/a |
| CVE-2024-33211 | Tenda FH1206 V1.2.0.8(8155)_EN was discovered to contain a stack-based buffer overflow vulnerability via the PPPOEPassword parameter in ip/goform/QuickIndex. | -- | Apr 23, 2024 | n/a |
| CVE-2024-32875 | Hugo is a static site generator. Starting in version 0.123.0 and prior to version 0.125.3, title arguments in Markdown for links and images not escaped in internal render hooks. Hugo users who are impacted are those who have these hooks enabled and do not trust their Markdown content files. The issue is patched in v0.125.3. As a workaround, replace the templates with user defined templates or disable the internal templates. | -- | Apr 23, 2024 | n/a |
| CVE-2024-32869 | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.2.7, when using serveStatic with deno, it is possible to traverse the directory where `main.ts` is located. This can result in retrieval of unexpected files. Version 4.2.7 contains a patch for the issue. | -- | Apr 23, 2024 | n/a |
| CVE-2024-32866 | Conform, a type-safe form validation library, allows the parsing of nested objects in the form of `object.property`. Due to an improper implementation of this feature in versions prior to 1.1.1, an attacker can exploit the feature to trigger prototype pollution by passing a crafted input to `parseWith...` functions. Applications that use conform for server-side validation of form data or URL parameters are affected by this vulnerability. Version 1.1.1 contains a patch for the issue. | -- | Apr 23, 2024 | n/a |
| CVE-2024-32679 | Missing Authorization vulnerability in Shared Files PRO Shared Files.This issue affects Shared Files: from n/a through 1.7.16. | -- | Apr 23, 2024 | n/a |
| CVE-2024-32662 | FreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients prior to version 3.5.1 are vulnerable to out-of-bounds read. This occurs when `WCHAR` string is read with twice the size it has and converted to `UTF-8`, `base64` decoded. The string is only used to compare against the redirection server certificate. Version 3.5.1 contains a patch for the issue. No known workarounds are available. | -- | Apr 23, 2024 | n/a |
| CVE-2024-32661 | FreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients prior to version 3.5.1 are vulnerable to a possible `NULL` access and crash. Version 3.5.1 contains a patch for the issue. No known workarounds are available. | -- | Apr 23, 2024 | n/a |
| CVE-2024-32660 | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.5.1, a malicious server can crash the FreeRDP client by sending invalid huge allocation size. Version 3.5.1 contains a patch for the issue. No known workarounds are available. | -- | Apr 23, 2024 | n/a |
| CVE-2024-32659 | FreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients prior to version 3.5.1 are vulnerable to out-of-bounds read if `((nWidth == 0) and (nHeight == 0))`. Version 3.5.1 contains a patch for the issue. No known workarounds are available. | -- | Apr 23, 2024 | n/a |
| CVE-2024-32658 | FreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients prior to version 3.5.1 are vulnerable to out-of-bounds read. Version 3.5.1 contains a patch for the issue. No known workarounds are available. | -- | Apr 23, 2024 | n/a |
| CVE-2024-32657 | Hydra is a Continuous Integration service for Nix based projects. Attackers can execute arbitrary code in the browser context of Hydra and execute authenticated HTTP requests. The abused feature allows Nix builds to specify files that Hydra serves to clients. One use of this functionality is serving NixOS `.iso` files. The issue is only with html files served by Hydra. The issue has been patched on https://hydra.nixos.org around 2024-04-21 14:30 UTC. The nixpkgs package were fixed in unstable and 23.11. Users with custom Hydra packages can apply the fix commit to their local installations. The vulnerability is only triggered when opening HTML build artifacts, so not opening them until the vulnerability is fixed works around the issue. | -- | Apr 23, 2024 | n/a |
| CVE-2024-32656 | Ant Media Server is live streaming engine software. A local privilege escalation vulnerability in present in versions 2.6.0 through 2.8.2 allows any unprivileged operating system user account to escalate privileges to the root user account on the system. This vulnerability arises from Ant Media Server running with Java Management Extensions (JMX) enabled and authentication disabled on localhost on port 5599/TCP. This vulnerability is nearly identical to the local privilege escalation vulnerability CVE-2023-26269 identified in Apache James. Any unprivileged operating system user can connect to the JMX service running on port 5599/TCP on localhost and leverage the MLet Bean within JMX to load a remote MBean from an attacker-controlled server. This allows an attacker to execute arbitrary code within the Java process run by Ant Media Server and execute code within the context of the `antmedia` service account on the system. Version 2.9.0 contains a patch for the issue. As a workaround, one may remove certain parameters from the `antmedia.service` file. | -- | Apr 23, 2024 | n/a |
| CVE-2024-32653 | jadx is a Dex to Java decompiler. Prior to version 1.5.0, the package name is not filtered before concatenation. This can be exploited to inject arbitrary code into the package name. The vulnerability allows an attacker to execute commands with shell privileges. Version 1.5.0 contains a patch for the vulnerability. | -- | Apr 23, 2024 | n/a |
| CVE-2024-32482 | The Tillitis TKey signer device application is an ed25519 signing tool. A vulnerability has been found that makes it possible to disclose portions of the TKey’s data in RAM over the USB interface. To exploit the vulnerability an attacker needs to use a custom client application and to touch the TKey. No secret is disclosed. All client applications integrating tkey-device-signer should upgrade to version 1.0.0 to receive a fix. No known workarounds are available. | -- | Apr 23, 2024 | n/a |
| CVE-2024-32480 | LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. Versions prior to 24.4.0 are vulnerable to SQL injection. The `order` parameter is obtained from `$request`. After performing a string check, the value is directly incorporated into an SQL statement and concatenated, resulting in a SQL injection vulnerability. An attacker may extract a whole database this way. Version 24.4.0 fixes the issue. | -- | Apr 23, 2024 | n/a |
| CVE-2024-32479 | LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. Prior to version 24.4.0, there is improper sanitization on the `Service` template name, which can lead to stored Cross-site Scripting. Version 24.4.0 fixes this vulnerability. | -- | Apr 23, 2024 | n/a |
| CVE-2024-32461 | LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. A SQL injection vulnerability in POST /search/search=packages in LibreNMS prior to version 24.4.0 allows a user with global read privileges to execute SQL commands via the package parameter. With this vulnerability, an attacker can exploit a SQL injection time based vulnerability to extract all data from the database, such as administrator credentials. Version 24.4.0 contains a patch for the vulnerability. | -- | Apr 23, 2024 | n/a |
| CVE-2024-32405 | Cross Site Scripting vulnerability in inducer relate before v.2024.1 allows a remote attacker to escalate privileges via a crafted payload to the Answer field of InlineMultiQuestion parameter on Exam function. | -- | Apr 23, 2024 | n/a |
| CVE-2024-32399 | Directory Traversal vulnerability in RaidenMAILD Mail Server v.4.9.4 and before allows a remote attacker to obtain sensitive information via the /webeditor/ component. | -- | Apr 23, 2024 | n/a |
| CVE-2024-32394 | An issue in ruijie.com/cn RG-RSR10-01G-T(WA)-S RSR_3.0(1)B9P2_RSR10-01G-TW-S_07150910 and RG-RSR10-01G-T(WA)-S RSR_3.0(1)B9P2_RSR10-01G-TW-S_07150910 allows a remote attacker to execute arbitrary code via a crafted HTTP request. | -- | Apr 23, 2024 | n/a |
| CVE-2024-32258 | The network server of fceux 2.7.0 has a path traversal vulnerability, allowing attackers to overwrite any files on the server without authentication by fake ROM. | -- | Apr 23, 2024 | n/a |
| CVE-2024-32238 | H3C ER8300G2-X is vulnerable to Incorrect Access Control. The password for the router\'s management system can be accessed via the management system page login interface. | -- | Apr 23, 2024 | n/a |
| CVE-2024-31857 | Forminator prior to 1.15.4 contains a cross-site scripting vulnerability. If this vulnerability is exploited, a remote attacker may obtain user information etc. and alter the page contents on the user\'s web browser. | -- | Apr 23, 2024 | n/a |
| CVE-2024-31804 | An unquoted service path vulnerability in Terratec DMX_6Fire USB v.1.23.0.02 allows a local attacker to escalate privileges via the Program.exe component. | -- | Apr 23, 2024 | n/a |
| CVE-2024-31616 | An issue discovered in RG-RSR10-01G-T(W)-S and RG-RSR10-01G-T(WA)-S routers with firmware version RSR10-01G-T-S_RSR_3.0(1)B9P2, Release(07150910) allows attackers to execute arbitrary code via the common_quick_config.lua file. | -- | Apr 23, 2024 | n/a |
| CVE-2024-31208 | Synapse is an open-source Matrix homeserver. A remote Matrix user with malicious intent, sharing a room with Synapse instances before 1.105.1, can dispatch specially crafted events to exploit a weakness in the V2 state resolution algorithm. This can induce high CPU consumption and accumulate excessive data in the database of such instances, resulting in a denial of service. Servers in private federations, or those that do not federate, are not affected. Server administrators should upgrade to 1.105.1 or later. Some workarounds are available. One can ban the malicious users or ACL block servers from the rooms and/or leave the room and purge the room using the admin API. | -- | Apr 23, 2024 | n/a |
| CVE-2024-31077 | Forminator prior to 1.29.3 contains a SQL injection vulnerability. If this vulnerability is exploited, a remote authenticated attacker with an administrative privilege may obtain and alter any information in the database and cause a denial-of-service (DoS) condition. | -- | Apr 23, 2024 | n/a |
| CVE-2024-31036 | A heap-buffer-overflow vulnerability in the read_byte function in NanoMQ v.0.21.7 allows attackers to cause a denial of service via transmission of crafted hexstreams. | -- | Apr 23, 2024 | n/a |
| CVE-2024-30886 | A stored cross-site scripting (XSS) vulnerability in the remotelink function of HadSky v7.6.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the url parameter. | -- | Apr 23, 2024 | n/a |
| CVE-2024-30800 | PX4 Autopilot v.1.14 allows an attacker to fly the drone into no-fly zones by breaching the geofence using flaws in the function. | -- | Apr 23, 2024 | n/a |
| CVE-2024-29368 | An arbitrary file upload vulnerability in the file handling module of moziloCMS v2.0 allows attackers to bypass extension restrictions via file renaming, potentially leading to unauthorized file execution or storage of malicious content. | -- | Apr 23, 2024 | n/a |
| CVE-2024-28890 | Forminator prior to 1.29.0 contains an unrestricted upload of file with dangerous type vulnerability. If this vulnerability is exploited, a remote attacker may obtain sensitive information by accessing files on the server, alter the site that uses the plugin, and cause a denial-of-service (DoS) condition. | -- | Apr 23, 2024 | n/a |
| CVE-2024-28627 | An issue in Flipsnack v.18/03/2024 allows a local attacker to obtain sensitive information via the reader.gz.js file. | -- | Apr 23, 2024 | n/a |
| CVE-2024-28130 | An incorrect type conversion vulnerability exists in the DVPSSoftcopyVOI_PList::createFromImage functionality of OFFIS DCMTK 3.6.8. A specially crafted malformed file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. | -- | Apr 23, 2024 | n/a |
| CVE-2024-27574 | SQL Injection vulnerability in Trainme Academy version Ichin v.1.3.2 allows a remote attacker to obtain sensitive information via the informacion, idcurso, and tit parameters. | -- | Apr 23, 2024 | n/a |
| CVE-2024-27537 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. | -- | Apr 23, 2024 | n/a |
| CVE-2024-27536 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. | -- | Apr 23, 2024 | n/a |
| CVE-2024-26922 | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: validate the parameters of bo mapping operations more clearly Verify the parameters of amdgpu_vm_bo_(map/replace_map/clearing_mappings) in one common place. | -- | Apr 23, 2024 | n/a |
| CVE-2024-21979 | An out of bounds write vulnerability in the AMD Radeon™ user mode driver for DirectX® 11 could allow an attacker with access to a malformed shader to potentially achieve arbitrary code execution. | -- | Apr 23, 2024 | n/a |
