The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2024-2434 | An issue has been discovered in GitLab affecting all versions of GitLab CE/EE 16.9 prior to 16.9.6, 16.10 prior to 16.10.4, and 16.11 prior to 16.11.1 where path traversal could lead to DoS and restricted file read. | -- | Apr 25, 2024 | n/a |
| CVE-2024-1726 | A flaw was discovered in the RESTEasy Reactive implementation in Quarkus. Due to security checks for some JAX-RS endpoints being performed after serialization, more processing resources are consumed while the HTTP request is checked. In certain configurations, if an attacker has knowledge of any POST, PUT, or PATCH request paths, they can potentially identify vulnerable endpoints and trigger excessive resource usage as the endpoints process the requests. This can result in a denial of service. | -- | Apr 25, 2024 | n/a |
| CVE-2024-1657 | A flaw was found in the ansible automation platform. An insecure WebSocket connection was being used in installation from the Ansible rulebook EDA server. An attacker that has access to any machine in the CIDR block could download all rulebook data from the WebSocket, resulting in loss of confidentiality and integrity of the system. | -- | Apr 25, 2024 | n/a |
| CVE-2024-1347 | An issue has been discovered in GitLab CE/EE affecting all versions before 16.9.6, all versions starting from 16.10 before 16.10.4, all versions starting from 16.11 before 16.11.1. Under certain conditions, an attacker through a crafted email address may be able to bypass domain based restrictions on an instance or a group. | -- | Apr 25, 2024 | n/a |
| CVE-2024-1139 | A credentials leak vulnerability was found in the cluster monitoring operator in OCP. This issue may allow a remote attacker who has basic login credentials to check the pod manifest to discover a repository pull secret. | -- | Apr 25, 2024 | n/a |
| CVE-2024-1102 | A vulnerability was found in jberet-core logging. An exception in \'dbProperties\' might display user credentials such as the username and password for the database-connection. | -- | Apr 25, 2024 | n/a |
| CVE-2024-0916 | Unauthenticated file upload allows remote code execution. This issue affects UvDesk Community: from 1.0.0 through 1.1.3. | -- | Apr 25, 2024 | n/a |
| CVE-2024-0874 | A flaw was found in coredns. This issue could lead to invalid cache entries returning due to incorrectly implemented caching. | -- | Apr 25, 2024 | n/a |
| CVE-2024-0151 | Insufficient argument checking in Secure state Entry functions in software using Cortex-M Security Extensions (CMSE), that has been compiled using toolchains that implement \'Arm v8-M Security Extensions Requirements on Development Tools\' prior to version 1.4, allows an attacker to pass values to Secure state that are out of range for types smaller than 32-bits. Out of range values might lead to incorrect operations in secure state. | -- | Apr 25, 2024 | n/a |
| CVE-2023-52220 | Missing Authorization vulnerability in MonsterInsights Google Analytics by Monster Insights.This issue affects Google Analytics by Monster Insights: from n/a through 8.21.0. | -- | Apr 25, 2024 | n/a |
| CVE-2023-51484 | Improper Authentication vulnerability in wp-buy Login as User or Customer (User Switching) allows Privilege Escalation.This issue affects Login as User or Customer (User Switching): from n/a through 3.8. | -- | Apr 25, 2024 | n/a |
| CVE-2023-51482 | Improper Authentication vulnerability in EazyPlugins Eazy Plugin Manager allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Eazy Plugin Manager: from n/a through 4.1.2. | -- | Apr 25, 2024 | n/a |
| CVE-2023-51478 | Improper Authentication vulnerability in Abdul Hakeem Build App Online allows Privilege Escalation.This issue affects Build App Online: from n/a through 1.0.19. | -- | Apr 25, 2024 | n/a |
| CVE-2023-20249 | A vulnerability in the web-based management interface of Cisco TelePresence Management Suite (TMS) Software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability is due to insufficient input validation by the web-based management interface. An attacker could exploit this vulnerability by inserting malicious data in a specific data field in the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. | -- | Apr 25, 2024 | n/a |
| CVE-2023-20248 | A vulnerability in the web-based management interface of Cisco TelePresence Management Suite (TMS) Software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability is due to insufficient input validation by the web-based management interface. An attacker could exploit this vulnerability by inserting malicious data in a specific data field in the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. | -- | Apr 25, 2024 | n/a |
| CVE-2023-6787 | A flaw was found in Keycloak that occurs from an error in the re-authentication mechanism within org.keycloak.authentication. This flaw allows hijacking an active Keycloak session by triggering a new authentication process with the query parameter prompt=login, prompting the user to re-enter their credentials. If the user cancels this re-authentication by selecting Restart login, an account takeover may occur, as the new session, with a different SUB, will possess the same SID as the previous session. | -- | Apr 25, 2024 | n/a |
| CVE-2023-6717 | A flaw was found in the SAML client registration in Keycloak that could allow an administrator to register malicious JavaScript URIs as Assertion Consumer Service POST Binding URLs (ACS), posing a Cross-Site Scripting (XSS) risk. This issue may allow a malicious admin in one realm or a client with registration access to target users in different realms or applications, executing arbitrary JavaScript in their contexts upon form submission. This can enable unauthorized access and harmful actions, compromising the confidentiality, integrity, and availability of the complete KC instance. | -- | Apr 25, 2024 | n/a |
| CVE-2023-6596 | An incomplete fix was shipped for the Rapid Reset (CVE-2023-44487/CVE-2023-39325) vulnerability for an OpenShift Containers. | -- | Apr 25, 2024 | n/a |
| CVE-2023-6544 | A flaw was found in the Keycloak package. This issue occurs due to a permissive regular expression hardcoded for filtering which allows hosts to register a dynamic client. A malicious user with enough information about the environment could jeopardize an environment with this specific Dynamic Client Registration and TrustedDomain configuration previously unauthorized. | -- | Apr 25, 2024 | n/a |
| CVE-2023-6484 | A log injection flaw was found in Keycloak. A text string may be injected through the authentication form when using the WebAuthn authentication mode. This issue may have a minor impact to the logs integrity. | -- | Apr 25, 2024 | n/a |
| CVE-2023-5675 | A flaw was found in Quarkus. When a Quarkus RestEasy Classic or Reactive JAX-RS endpoint has its methods declared in the abstract Java class or customized by Quarkus extensions using the annotation processor, the authorization of these methods will not be enforced if it is enabled by either \'quarkus.security.jaxrs.deny-unannotated-endpoints\' or \'quarkus.security.jaxrs.default-roles-allowed\' properties. | -- | Apr 25, 2024 | n/a |
| CVE-2023-3597 | A flaw was found in Keycloak, where it does not correctly validate its client step-up authentication in org.keycloak.authentication. This flaw allows a remote user authenticated with a password to register a false second authentication factor along with an existing one and bypass authentication. | -- | Apr 25, 2024 | n/a |
| CVE-2022-36029 | Greenlight is an end-user interface for BigBlueButton servers. Versions prior to 2.13.0 have an open redirect vulnerability in the Login page due to unchecked the value of the `return_to` cookie. Versions 2.13.0 contains a patch for the issue. | -- | Apr 25, 2024 | n/a |
| CVE-2022-36028 | Greenlight is an end-user interface for BigBlueButton servers. Versions prior to 2.13.0 have an open redirect vulnerability in the Login page due to unchecked the value of the `return_to` cookie. Versions 2.13.0 contains a patch for the issue. | -- | Apr 25, 2024 | n/a |
| CVE-2024-33531 | cdbattags lua-resty-jwt 0.2.3 allows attackers to bypass all JWT-parsing signature checks by crafting a JWT with an enc header with the value A256GCM. | -- | Apr 24, 2024 | n/a |
| CVE-2024-32958 | Cross-Site Request Forgery (CSRF) vulnerability in Giorgos Sarigiannidis Slash Admin allows Cross-Site Scripting (XSS).This issue affects Slash Admin: from n/a through 3.8.1. | -- | Apr 24, 2024 | n/a |
| CVE-2024-32956 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in Rometheme RomethemeKit For Elementor allows Stored XSS.This issue affects RomethemeKit For Elementor: from n/a through 1.4.1. | -- | Apr 24, 2024 | n/a |
| CVE-2024-32955 | Server-Side Request Forgery (SSRF) vulnerability in Foliovision FV Flowplayer Video Player.This issue affects FV Flowplayer Video Player: from n/a through 7.5.43.7212. | -- | Apr 24, 2024 | n/a |
| CVE-2024-32954 | Unrestricted Upload of File with Dangerous Type vulnerability in Tribulant Newsletters.This issue affects Newsletters: from n/a through 4.9.5. | -- | Apr 24, 2024 | n/a |
| CVE-2024-32953 | Insertion of Sensitive Information into Log File vulnerability in Newsletters.This issue affects Newsletters: from n/a through 4.9.5. | -- | Apr 24, 2024 | n/a |
| CVE-2024-32952 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in BloomPixel Max Addons Pro for Bricks allows Reflected XSS.This issue affects Max Addons Pro for Bricks: from n/a through 1.6.1. | -- | Apr 24, 2024 | n/a |
| CVE-2024-32951 | Missing Authorization vulnerability in BloomPixel Max Addons Pro for Bricks.This issue affects Max Addons Pro for Bricks: from n/a through 1.6.1. | -- | Apr 24, 2024 | n/a |
| CVE-2024-32950 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in DeBAAT WP Media Category Management allows Reflected XSS.This issue affects WP Media Category Management: from n/a through 2.2. | -- | Apr 24, 2024 | n/a |
| CVE-2024-32948 | Missing Authorization vulnerability in Repute Infosystems ARMember.This issue affects ARMember: from n/a through 4.0.28. | -- | Apr 24, 2024 | n/a |
| CVE-2024-32947 | Cross-Site Request Forgery (CSRF) vulnerability in AlumniOnline Web Services LLC WP ADA Compliance Check Basic.This issue affects WP ADA Compliance Check Basic: from n/a through 3.1.3. | -- | Apr 24, 2024 | n/a |
| CVE-2024-32876 | NewPipe is an Android app for video streaming written in Java. It supports exporting and importing backups, as a way to let users move their data to a new device effortlessly. However, in versions 0.13.4 through 0.26.1, importing a backup file from an untrusted source could have resulted in Arbitrary Code Execution. This is because backups are serialized/deserialized using Java\'s Object Serialization Stream Protocol, which can allow constructing any class in the app, unless properly restricted. To exploit this vulnerability, an attacker would need to build a backup file containing the exploit, and then persuade a user into importing it. During the import process, the malicious code would be executed, possibly crashing the app, stealing user data from the NewPipe app, performing nasty actions through Android APIs, and attempting Android JVM/Sandbox escapes through vulnerabilities in the Android OS. The attack can take place only if the user imports a malicious backup file, so an attacker would need to trick a user into importing a backup file from a source they can control. The implementation details of the malicious backup file can be independent of the attacked user or the device they are being run on, and do not require additional privileges. All NewPipe versions from 0.13.4 to 0.26.1 are vulnerable. NewPipe version 0.27.0 fixes the issue by doing the following: Restrict the classes that can be deserialized when calling Java\'s Object Serialization Stream Protocol, by adding a whitelist with only innocuous data-only classes that can\'t lead to Arbitrary Code Execution; deprecate backups serialized with Java\'s Object Serialization Stream Protocol; use JSON serialization for all newly created backups (but still include an alternative file serialized with Java\'s Object Serialization Stream Protocol in the backup zip for backwards compatibility); show a warning to the user when attempting to import a backup where the only available serialization mode is Java\'s Object Serialization Stream Protocol (note that in the future this serialization mode will be removed completely). | -- | Apr 24, 2024 | n/a |
| CVE-2024-32872 | Umbraco workflow provides workflows for the Umbraco content management system. Prior to versions 10.3.9, 12.2.6, and 13.0.6, an Umbraco Backoffice user can modify requests to a particular API endpoint to include SQL, which will be executed by the server. Umbraco Workflow versions 10.3.9, 12.2.6, 13.0.6, as well as Umbraco Plumber version 10.1.2, contain a patch for this issue. | -- | Apr 24, 2024 | n/a |
| CVE-2024-32836 | Unrestricted Upload of File with Dangerous Type vulnerability in WP Lab WP-Lister Lite for eBay.This issue affects WP-Lister Lite for eBay: from n/a through 3.5.11. | -- | Apr 24, 2024 | n/a |
| CVE-2024-32835 | Deserialization of Untrusted Data vulnerability in WebToffee Import Export WordPress Users.This issue affects Import Export WordPress Users: from n/a through 2.5.3. | -- | Apr 24, 2024 | n/a |
| CVE-2024-32834 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in WebToffee WooCommerce Shipping Label allows Stored XSS.This issue affects WooCommerce Shipping Label: from n/a through 2.3.8. | -- | Apr 24, 2024 | n/a |
| CVE-2024-32833 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in Nick Halsey List Custom Taxonomy Widget allows Stored XSS.This issue affects List Custom Taxonomy Widget: from n/a through 4.1. | -- | Apr 24, 2024 | n/a |
| CVE-2024-32825 | Insertion of Sensitive Information into Log File vulnerability in Patrick Posner Simply Static.This issue affects Simply Static: from n/a through 3.1.3. | -- | Apr 24, 2024 | n/a |
| CVE-2024-32823 | Authorization Bypass Through User-Controlled Key vulnerability in FeedbackWP Rate my Post – WP Rating System.This issue affects Rate my Post – WP Rating System: from n/a through 3.4.4. | -- | Apr 24, 2024 | n/a |
| CVE-2024-32819 | Server-Side Request Forgery (SSRF) vulnerability in Culqi.This issue affects Culqi: from n/a through 3.0.14. | -- | Apr 24, 2024 | n/a |
| CVE-2024-32817 | Deserialization of Untrusted Data vulnerability in Import and export users and customers.This issue affects Import and export users and customers: from n/a through 1.26.2. | -- | Apr 24, 2024 | n/a |
| CVE-2024-32816 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in PickPlugins Post Grid.This issue affects Post Grid: from n/a through 2.2.78. | -- | Apr 24, 2024 | n/a |
| CVE-2024-32815 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in Jeroen Peters All-in-one Like Widget allows Stored XSS.This issue affects All-in-one Like Widget: from n/a through 2.2.7. | -- | Apr 24, 2024 | n/a |
| CVE-2024-32812 | Server-Side Request Forgery (SSRF) vulnerability in Podlove Podlove Podcast Publisher.This issue affects Podlove Podcast Publisher: from n/a through 4.0.11. | -- | Apr 24, 2024 | n/a |
| CVE-2024-32808 | Authorization Bypass Through User-Controlled Key vulnerability in Metagauss ProfileGrid.This issue affects ProfileGrid : from n/a through 5.7.9. | -- | Apr 24, 2024 | n/a |
| CVE-2024-32806 | Cross-Site Request Forgery (CSRF) vulnerability in CoSchedule Headline Analyzer.This issue affects Headline Analyzer: from n/a through 1.3.3. | -- | Apr 24, 2024 | n/a |
