Wind River Support Network

CVE Database

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

219629 entries
ID  Description  Priority  Modified date  Fixed Release
CVE-2024-32595 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mat Bao Corp WP Helper Premium allows Reflected XSS. This issue affects WP Helper Premium: from n/a before 4.6.0. -- Apr 18, 2024 n/a
CVE-2024-32594 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AttesaWP Attesa Extra allows Stored XSS. This issue affects Attesa Extra: from n/a through 1.3.9. -- Apr 18, 2024 n/a
CVE-2024-32593 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPBits WPBITS Addons For Elementor Page Builder allows Stored XSS. This issue affects WPBITS Addons For Elementor Page Builder: from n/a through 1.3.4.2. -- Apr 18, 2024 n/a
CVE-2024-32592 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VoidCoders, innovs Void Elementor WHMCS Elements For Elementor Page Builder allows Stored XSS. This issue affects Void Elementor WHMCS Elements For Elementor Page Builder: from n/a through 2.0. -- Apr 18, 2024 n/a
CVE-2024-32591 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Daniele De Rosa Backend Designer allows Stored XSS. This issue affects Backend Designer: from n/a through 1.3. -- Apr 18, 2024 n/a
CVE-2024-32590 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Webfood Kattene allows Stored XSS. This issue affects Kattene: from n/a through 1.7. -- Apr 18, 2024 n/a
CVE-2024-32588 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress LearnPress Export Import allows Reflected XSS. This issue affects LearnPress Export Import: from n/a through 4.0.3. -- Apr 18, 2024 n/a
CVE-2024-32587 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in EnvialoSimple EnvíaloSimple allows Reflected XSS. This issue affects EnvíaloSimple: from n/a through 2.2. -- Apr 18, 2024 n/a
CVE-2024-32586 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Munir Kamal Gutenberg Block Editor Toolkit allows Stored XSS. This issue affects Gutenberg Block Editor Toolkit: from n/a through 1.40.4. -- Apr 18, 2024 n/a
CVE-2024-32585 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in extendWP Import Content in WordPress & WooCommerce with Excel allows Reflected XSS. This issue affects Import Content in WordPress & WooCommerce with Excel: from n/a through 4.2. -- Apr 18, 2024 n/a
CVE-2024-32584 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in StandaloneTech TeraWallet – For WooCommerce allows Stored XSS. This issue affects TeraWallet – For WooCommerce: from n/a through 1.5.0. -- Apr 18, 2024 n/a
CVE-2024-32583 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Photo Gallery Team Photo Gallery by 10Web allows Reflected XSS. This issue affects Photo Gallery by 10Web: from n/a through 1.8.21. -- Apr 18, 2024 n/a
CVE-2024-32582 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bowo Debug Log Manager allows Stored XSS. This issue affects Debug Log Manager: from n/a through 2.3.1. -- Apr 18, 2024 n/a
CVE-2024-32581 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Lenderd Mortgage Calculators WP allows Stored XSS. This issue affects Mortgage Calculators WP: from n/a through 1.56. -- Apr 18, 2024 n/a
CVE-2024-32580 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Averta Master Slider allows Stored XSS. This issue affects Master Slider: from n/a through 3.9.8. -- Apr 18, 2024 n/a
CVE-2024-32579 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GloriaFood Restaurant Menu – Food Ordering System – Table Reservation allows Stored XSS. This issue affects Restaurant Menu – Food Ordering System – Table Reservation: from n/a through 2.4.1. -- Apr 18, 2024 n/a
CVE-2024-32578 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 10Web Slider by 10Web allows Reflected XSS. This issue affects Slider by 10Web: from n/a through 1.2.54. -- Apr 18, 2024 n/a
CVE-2024-32577 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Codeboxr Team CBX Bookmark & Favorite cbxwpbookmark allows Stored XSS. This issue affects CBX Bookmark & Favorite: from n/a through 1.7.20. -- Apr 18, 2024 n/a
CVE-2024-32576 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Booking Algorithms BA Book Everything allows Stored XSS. This issue affects BA Book Everything: from n/a through 1.6.8. -- Apr 18, 2024 n/a
CVE-2024-32575 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kraftplugins Mega Elements allows Stored XSS. This issue affects Mega Elements: from n/a through 1.1.9. -- Apr 18, 2024 n/a
CVE-2024-32574 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ashish Ajani WP Simple HTML Sitemap allows Reflected XSS. This issue affects WP Simple HTML Sitemap: from n/a through 2.8. -- Apr 18, 2024 n/a
CVE-2024-32573 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Lab WP-Lister Lite for eBay allows Stored XSS. This issue affects WP-Lister Lite for eBay: from n/a through 3.5.11. -- Apr 18, 2024 n/a
CVE-2024-32572 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BdThemes Element Pack Elementor Addons allows Stored XSS. This issue affects Element Pack Elementor Addons: from n/a through 5.6.0. -- Apr 18, 2024 n/a
CVE-2024-32571 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in naa986 WP Stripe Checkout allows Stored XSS. This issue affects WP Stripe Checkout: from n/a through 1.2.2.41. -- Apr 18, 2024 n/a
CVE-2024-32570 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Archetyped Cornerstone allows Reflected XSS. This issue affects Cornerstone: from n/a through 0.8.0. -- Apr 18, 2024 n/a
CVE-2024-32569 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Metaphor Creations Ditty allows Stored XSS. This issue affects Ditty: from n/a through 3.1.31. -- Apr 18, 2024 n/a
CVE-2024-32568 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Melapress WP 2FA allows Reflected XSS. This issue affects WP 2FA: from n/a through 2.6.2. -- Apr 18, 2024 n/a
CVE-2024-32567 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Designinvento DirectoryPress allows Reflected XSS. This issue affects DirectoryPress: from n/a through 3.6.7. -- Apr 18, 2024 n/a
CVE-2024-32566 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Club Manager allows Stored XSS. This issue affects WP Club Manager: from n/a through 2.2.11. -- Apr 18, 2024 n/a
CVE-2024-32565 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Appcheap.Io App Builder allows Stored XSS. This issue affects App Builder: from n/a through 3.8.8. -- Apr 18, 2024 n/a
CVE-2024-32564 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Post Grid Team by WPXPO PostX – Gutenberg Blocks for Post Grid allows Stored XSS. This issue affects PostX – Gutenberg Blocks for Post Grid: from n/a through 4.0.1. -- Apr 18, 2024 n/a
CVE-2024-32563 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VikBooking Hotel Booking Engine & PMS allows Reflected XSS. This issue affects VikBooking Hotel Booking Engine & PMS: from n/a through 1.6.7. -- Apr 18, 2024 n/a
CVE-2024-32562 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VIICTORY MEDIA LLC Z Y N I T H allows Stored XSS. This issue affects Z Y N I T H: from n/a through 7.4.9. -- Apr 18, 2024 n/a
CVE-2024-32561 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tagembed allows Stored XSS. This issue affects Tagembed: from n/a through 4.7. -- Apr 18, 2024 n/a
CVE-2024-32560 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sharabindu QR Code Composer allows Stored XSS. This issue affects QR Code Composer: from n/a through 2.0.3. -- Apr 18, 2024 n/a
CVE-2024-32559 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hwk-fr WP 404 Auto Redirect to Similar Post allows Reflected XSS. This issue affects WP 404 Auto Redirect to Similar Post: from n/a through 1.0.4. -- Apr 18, 2024 n/a
CVE-2024-32558 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in impleCode eCommerce Product Catalog allows Reflected XSS. This issue affects eCommerce Product Catalog: from n/a through 3.3.32. -- Apr 18, 2024 n/a
CVE-2024-32556 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nabil Lemsieh HurryTimer allows Stored XSS. This issue affects HurryTimer: from n/a through 2.9.2. -- Apr 18, 2024 n/a
CVE-2024-32554 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Knight Lab Knight Lab Timeline allows Stored XSS. This issue affects Knight Lab Timeline: from n/a through 3.9.3.4. -- Apr 18, 2024 n/a
CVE-2024-32553 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in looks_awesome Superfly Menu allows Stored XSS. This issue affects Superfly Menu: from n/a through 5.0.25. -- Apr 18, 2024 n/a
CVE-2024-32552 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tagbox Taggbox allows Stored XSS. This issue affects Taggbox: from n/a through 3.2. -- Apr 18, 2024 n/a
CVE-2024-32551 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Smartypants SP Project & Document Manager. This issue affects SP Project & Document Manager: from n/a through 4.71. -- Apr 18, 2024 n/a
CVE-2024-32477 Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. By using ANSI escape sequences and a race between `libc::tcflush(0, libc::TCIFLUSH)` and reading standard input, it's possible to manipulate the permission prompt and force it to allow an unsafe action regardless of the user input. Some ANSI escape sequences act as an info request to the master terminal emulator and the terminal emulator sends back the reply in the PTY channel. Standard streams also use this channel to send and get data. For example the `\033[6n` sequence requests the current cursor position. These sequences allow us to append data to the standard input of Deno. This vulnerability allows an attacker to bypass Deno permission policy. This vulnerability is fixed in 1.42.2. -- Apr 18, 2024 n/a
CVE-2024-32475 Envoy is a cloud-native, open source edge and service proxy. When an upstream TLS cluster is used with `auto_sni` enabled, a request containing a `host`/`:authority` header longer than 255 characters triggers an abnormal termination of Envoy process. Envoy does not gracefully handle an error when setting SNI for outbound TLS connection. The error can occur when Envoy attempts to use the `host`/`:authority` header value longer than 255 characters as SNI for outbound TLS connection. SNI length is limited to 255 characters per the standard. Envoy always expects this operation to succeed and abnormally aborts the process when it fails. This vulnerability is fixed in 1.30.1, 1.29.4, 1.28.3, and 1.27.5. -- Apr 18, 2024 n/a
CVE-2024-32474 Sentry is an error tracking and performance monitoring platform. Prior to 24.4.1, when authenticating as a superuser to Sentry with a username and password, the password is leaked as cleartext in logs under the _event_: `auth-index.validate_superuser`. An attacker with access to the log data could use these leaked credentials to login to the Sentry system as superuser. Self-hosted users on affected versions should upgrade to 24.4.1 or later. Users can configure the logging level to exclude logs of the `INFO` level and only generate logs for levels at `WARNING` or more. -- Apr 18, 2024 n/a
CVE-2024-32473 Moby is an open source container framework that is a key component of Docker Engine, Docker Desktop, and other distributions of container tooling or runtimes. In 26.0.0, IPv6 is not disabled on network interfaces, including those belonging to networks where `--ipv6=false`. A container with an `ipvlan` or `macvlan` interface will normally be configured to share an external network link with the host machine. Because of this direct access, (1) Containers may be able to communicate with other hosts on the local network over link-local IPv6 addresses, (2) if router advertisements are being broadcast over the local network, containers may get SLAAC-assigned addresses, and (3) the interface will be a member of IPv6 multicast groups. This means interfaces in IPv4-only networks present an unexpectedly and unnecessarily increased attack surface. The issue is patched in 26.0.2. To completely disable IPv6 in a container, use `--sysctl=net.ipv6.conf.all.disable_ipv6=1` in the `docker create` or `docker run` command. Or, in the service configuration of a `compose` file. -- Apr 18, 2024 n/a
CVE-2024-32472 excalidraw is an open source virtual hand-drawn style whiteboard. A stored XSS vulnerability in Excalidraw's web embeddable component. This allows arbitrary JavaScript to be run in the context of the domain where the editor is hosted. There were two vectors. One rendering untrusted string as iframe's `srcdoc` without properly sanitizing against HTML injection. Second by improperly sanitizing against attribute HTML injection. This in conjunction with allowing `allow-same-origin` sandbox flag (necessary for several embeds) resulted in the XSS. This vulnerability is fixed in 0.17.6 and 0.16.4. -- Apr 18, 2024 n/a
CVE-2024-32470 Tolgee is an open-source localization platform. When an API key created by an admin user is used, it bypasses the permission check entirely. This error was introduced in v3.57.2 and immediately fixed in v3.57.4. -- Apr 18, 2024 n/a
CVE-2024-32466 Tolgee is an open-source localization platform. For the `/v2/projects/translations` and `/v2/projects/{projectId}/translations` endpoints, translation data was returned even when API key was missing `translation.view` scope. However, it was impossible to fetch the data when user was missing this scope. So this is only relevant for API keys generated by users permitted to `translation.view`. This vulnerability is fixed in v3.57.2. -- Apr 18, 2024 n/a
CVE-2024-32462 Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions before 1.10.9, 1.12.9, 1.14.6, and 1.15.8, a malicious or compromised Flatpak app could execute arbitrary code outside its sandbox. Normally, the `--command` argument of `flatpak run` expects to be given a command to run in the specified Flatpak app, optionally along with some arguments. However it is possible to instead pass `bwrap` arguments to `--command=`, such as `--bind`. It's possible to pass an arbitrary `commandline` to the portal interface `org.freedesktop.portal.Background.RequestBackground` from within a Flatpak app. When this is converted into a `--command` and arguments, it achieves the same effect of passing arguments directly to `bwrap`, and thus can be used for a sandbox escape. The solution is to pass the `--` argument to `bwrap`, which makes it stop processing options. This has been supported since bubblewrap 0.3.0. All supported versions of Flatpak require at least that version of bubblewrap. xdg-desktop-portal version 1.18.4 will mitigate this vulnerability by only allowing Flatpak apps to create .desktop files for commands that do not start with --. The vulnerability is patched in 1.15.8, 1.10.9, 1.12.9, and 1.14.6. -- Apr 18, 2024 n/a
The 'Fixed Release' column is displayed if a single product version is selected from the filter. The fixed release is applicable in cases when the CVE has been addressed and fixed for that product version. Requires LTSS - customers must have active LTSS (Long Term Security Shield) Support to receive up-to-date information about vulnerabilities that may affect legacy software. Please contact your Wind River account team or see https://docs.windriver.com/bundle/Support_and_Maintenance_Supplemental_Terms_and_Conditions and https://support2.windriver.com/index.php?page=plc for more information.