The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2024-30200 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in realmag777 BEAR allows Reflected XSS.This issue affects BEAR: from n/a through 1.1.4.2. | -- | Mar 28, 2024 |
| CVE-2024-30201 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in Xylus Themes WordPress Importer allows Reflected XSS.This issue affects WordPress Importer: from n/a through 1.0.4. | -- | Mar 27, 2024 |
| CVE-2024-30202 | In Emacs before 29.3, arbitrary Lisp code is evaluated as part of turning on Org mode. This affects Org Mode before 9.6.23. | -- | Mar 25, 2024 |
| CVE-2024-30203 | In Emacs before 29.3, Gnus treats inline MIME contents as trusted. | -- | Mar 25, 2024 |
| CVE-2024-30204 | In Emacs before 29.3, LaTeX preview is enabled by default for e-mail attachments. | -- | Mar 25, 2024 |
| CVE-2024-30205 | In Emacs before 29.3, Org mode considers contents of remote files to be trusted. This affects Org Mode before 9.6.23. | -- | Mar 25, 2024 |
| CVE-2024-30210 | IO-1020 Micro ELD uses a default WIFI password that could allow an adjacent attacker to connect to the device. | -- | Apr 15, 2024 |
| CVE-2024-30214 | The application allows a high privilege attacker to append a malicious GET query parameter to Service invocations, which are reflected in the server response. Under certain circumstances, if the parameter contains a JavaScript, the script could be processed on client side. | -- | Apr 9, 2024 |
| CVE-2024-30215 | The Resource Settings page allows a high privilege attacker to load exploitable payload to be stored and reflected whenever a User visits the page. In a successful attack, some information could be obtained and/or modified. However, the attacker does not have control over what information is obtained, or the amount or kind of loss is limited. | -- | Apr 9, 2024 |
| CVE-2024-30216 | Cash Management in SAP S/4 HANA does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. By exploiting this vulnerability, attacker can add notes in the review request with \'completed\' status affecting the integrity of the application. Confidentiality and Availability are not impacted. | -- | Apr 9, 2024 |
| CVE-2024-30217 | Cash Management in SAP S/4 HANA does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. By exploiting this vulnerability, an attacker can approve or reject a bank account application affecting the integrity of the application. Confidentiality and Availability are not impacted. | -- | Apr 9, 2024 |
| CVE-2024-30218 | The ABAP Application Server of SAP NetWeaver as well as ABAP Platform allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service. This leads to a considerable impact on availability. | -- | Apr 9, 2024 |
| CVE-2024-30219 | Active debug code vulnerability exists in MZK-MF300N all firmware versions. If a logged-in user who knows how to use the debug function accesses the device\'s management page, an unintended operation may be performed. | -- | Apr 15, 2024 |
| CVE-2024-30220 | Command injection vulnerability in MZK-MF300N all firmware versions allows a network-adjacent unauthenticated attacker to execute an arbitrary command by sending a specially crafted request to a certain port. | -- | Apr 15, 2024 |
| CVE-2024-30221 | Deserialization of Untrusted Data vulnerability in WP Sunshine Sunshine Photo Cart.This issue affects Sunshine Photo Cart: from n/a through 3.1.1. | -- | Mar 28, 2024 |
| CVE-2024-30222 | Deserialization of Untrusted Data vulnerability in Repute Infosystems ARMember.This issue affects ARMember: from n/a through 4.0.26. | -- | Mar 28, 2024 |
| CVE-2024-30223 | Deserialization of Untrusted Data vulnerability in Repute Infosystems ARMember.This issue affects ARMember: from n/a through 4.0.26. | -- | Mar 28, 2024 |
| CVE-2024-30224 | Deserialization of Untrusted Data vulnerability in Wholesale Team WholesaleX.This issue affects WholesaleX: from n/a through 1.3.2. | -- | Mar 28, 2024 |
| CVE-2024-30225 | Deserialization of Untrusted Data vulnerability in WPENGINE, INC. WP Migrate.This issue affects WP Migrate: from n/a through 2.6.10. | -- | Mar 28, 2024 |
| CVE-2024-30226 | Deserialization of Untrusted Data vulnerability in WPDeveloper BetterDocs.This issue affects BetterDocs: from n/a through 3.3.3. | -- | Mar 28, 2024 |
| CVE-2024-30227 | Deserialization of Untrusted Data vulnerability in INFINITUM FORM Geo Controller.This issue affects Geo Controller: from n/a through 8.6.4. | -- | Mar 28, 2024 |
| CVE-2024-30228 | Deserialization of Untrusted Data vulnerability in Hercules Design Hercules Core.This issue affects Hercules Core : from n/a through 6.4. | -- | Mar 28, 2024 |
| CVE-2024-30229 | Deserialization of Untrusted Data vulnerability in GiveWP.This issue affects GiveWP: from n/a through 3.4.2. | -- | Mar 28, 2024 |
| CVE-2024-30230 | Deserialization of Untrusted Data vulnerability in Acowebs PDF Invoices and Packing Slips For WooCommerce.This issue affects PDF Invoices and Packing Slips For WooCommerce: from n/a through 1.3.7. | -- | Mar 28, 2024 |
| CVE-2024-30231 | Unrestricted Upload of File with Dangerous Type vulnerability in WebToffee Product Import Export for WooCommerce.This issue affects Product Import Export for WooCommerce: from n/a through 2.4.1. | -- | Mar 26, 2024 |
| CVE-2024-30232 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in Exclusive Addons Exclusive Addons Elementor allows Stored XSS.This issue affects Exclusive Addons Elementor: from n/a through 2.6.9. | -- | Mar 26, 2024 |
| CVE-2024-30233 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wholesale Team WholesaleX.This issue affects WholesaleX: from n/a through 1.3.1. | -- | Mar 26, 2024 |
| CVE-2024-30234 | Missing Authorization vulnerability in Wholesale Team WholesaleX.This issue affects WholesaleX: from n/a through 1.3.1. | -- | Mar 26, 2024 |
| CVE-2024-30235 | Missing Authorization vulnerability in Themeisle Multiple Page Generator Plugin – MPG.This issue affects Multiple Page Generator Plugin – MPG: from n/a through 3.4.0. | -- | Mar 26, 2024 |
| CVE-2024-30236 | Improper Neutralization of Special Elements used in an SQL Command (\'SQL Injection\') vulnerability in Contest Gallery.This issue affects Contest Gallery: from n/a through 21.3.4. | -- | Mar 28, 2024 |
| CVE-2024-30237 | Improper Neutralization of Special Elements used in an SQL Command (\'SQL Injection\') vulnerability in Supsystic Slider by Supsystic.This issue affects Slider by Supsystic: from n/a through 1.8.10. | -- | Mar 28, 2024 |
| CVE-2024-30238 | Improper Neutralization of Special Elements used in an SQL Command (\'SQL Injection\') vulnerability in Contest Gallery.This issue affects Contest Gallery: from n/a through 21.3.2. | -- | Mar 27, 2024 |
| CVE-2024-30239 | Improper Neutralization of Special Elements used in an SQL Command (\'SQL Injection\') vulnerability in Zoho Campaigns.This issue affects Zoho Campaigns: from n/a through 2.0.6. | -- | Mar 28, 2024 |
| CVE-2024-30240 | Improper Neutralization of Special Elements used in an SQL Command (\'SQL Injection\') vulnerability in Typps Calendarista.This issue affects Calendarista: from n/a through 15.5.7. | -- | Mar 28, 2024 |
| CVE-2024-30241 | Improper Neutralization of Special Elements used in an SQL Command (\'SQL Injection\') vulnerability in Metagauss ProfileGrid.This issue affects ProfileGrid : from n/a through 5.7.1. | -- | Mar 28, 2024 |
| CVE-2024-30242 | Improper Neutralization of Special Elements used in an SQL Command (\'SQL Injection\') vulnerability in IT Path Solutions Contact Form to Any API.This issue affects Contact Form to Any API: from n/a through 1.1.8. | -- | Mar 28, 2024 |
| CVE-2024-30243 | Improper Neutralization of Special Elements used in an SQL Command (\'SQL Injection\') vulnerability in Tomas WordPress Tooltips.This issue affects WordPress Tooltips: from n/a before 9.4.5. | -- | Mar 28, 2024 |
| CVE-2024-30244 | Improper Neutralization of Special Elements used in an SQL Command (\'SQL Injection\') vulnerability in Andy Moyle Church Admin.This issue affects Church Admin: from n/a through 4.0.27. | -- | Mar 28, 2024 |
| CVE-2024-30245 | Improper Neutralization of Special Elements used in an SQL Command (\'SQL Injection\') vulnerability in DecaLog.This issue affects DecaLog: from n/a through 3.9.0. | -- | Mar 28, 2024 |
| CVE-2024-30246 | Tuleap is an Open Source Suite to improve management of software developments and collaboration. A malicious user could exploit this issue on purpose to delete information on the instance or possibly gain access to restricted artifacts. It is however not possible to control exactly which information is deleted. Information from theDate, File, Float, Int, List, OpenList, Text, and Permissions on artifact (this one can lead to the disclosure of restricted information) fields can be impacted. This vulnerability is fixed in Tuleap Community Edition version 15.7.99.6 and Tuleap Enterprise Edition 15.7-2, 15.6-5, 15.5-6, 15.4-8, 15.3-6, 15.2-5, 15.1-9, 15.0-9, and 14.12-6. | -- | Apr 1, 2024 |
| CVE-2024-30247 | NextcloudPi is a ready to use image for Virtual Machines, Raspberry Pi, Odroid HC1, Rock64 and other boards. A command injection vulnerability in NextCloudPi allows command execution as the root user via the NextCloudPi web-panel. Due to a security misconfiguration this can be used by anyone with access to NextCloudPi web-panel, no authentication is required. It is recommended that the NextCloudPi is upgraded to 1.53.1. | -- | Apr 1, 2024 |
| CVE-2024-30248 | Piccolo Admin is an admin interface/content management system for Python, built on top of Piccolo. Piccolo\'s admin panel allows media files to be uploaded. As a default, SVG is an allowed file type for upload. An attacker can upload an SVG which when loaded can allow arbitrary access to the admin page. This vulnerability was patched in version 1.3.2. | -- | Apr 2, 2024 |
| CVE-2024-30249 | Cloudburst Network provides network components used within Cloudburst projects. A vulnerability in versions prior to `1.0.0.CR1-20240330.101522-15` impacts publicly accessible software depending on the affected versions of Network and allows an attacker to use Network as an amplification vector for a UDP denial of service attack against a third party or as an attempt to trigger service suspension of the host. All consumers of the library should upgrade to at least version `1.0.0.CR1-20240330.101522-15` to receive a fix. There are no known workarounds beyond updating the library. | -- | Apr 4, 2024 |
| CVE-2024-30250 | Astro-Shield is an integration to enhance website security with SubResource Integrity hashes, Content-Security-Policy headers, and other techniques. Versions from 1.2.0 to 1.3.1 of Astro-Shield allow bypass to the allow-lists for cross-origin resources by introducing valid `integrity` attributes to the injected code. This implies that the injected SRI hash would be added to the generated CSP header, which would lead the browser to believe that the injected resource is legit. This vulnerability is patched in version 1.3.2. | -- | Apr 4, 2024 |
| CVE-2024-30252 | Livemarks is a browser extension that provides RSS feed bookmark folders. Versions of Livemarks prior to 3.7 are vulnerable to cross-site request forgery. A malicious website may be able to coerce the extension to send an authenticated GET request to an arbitrary URL. An authenticated request is a request where the cookies of the browser are sent along with the request. The `subscribe.js` script uses the first parameter from the current URL location as the URL of the RSS feed to subscribe to and checks that the RSS feed is valid XML. `subscribe.js` is accessible by an attacker website due to its use in `subscribe.html`, an HTML page that is declared as a `web_accessible_resource` in `manifest.json`. This issue may lead to `Privilege Escalation`. A CSRF breaks the integrity of servers running on a private network. A user of the browser extension may have a private server with dangerous functionality, which is assumed to be safe due to network segmentation. Upon receiving an authenticated request instantiated from an attacker, this integrity is broken. Version 3.7 fixes this issue by removing subscribe.html from `web_accessible_resources`. | -- | Apr 4, 2024 |
| CVE-2024-30253 | @solana/web3.js is the Solana JavaScript SDK. Using particular inputs with `@solana/web3.js` will result in memory exhaustion (OOM). If you have a server, client, mobile, or desktop product that accepts untrusted input for use with `@solana/web3.js`, your application/service may crash, resulting in a loss of availability. This vulnerability is fixed in 1.0.1, 1.10.2, 1.11.1, 1.12.1, 1.1.2, 1.13.1, 1.14.1, 1.15.1, 1.16.2, 1.17.1, 1.18.1, 1.19.1, 1.20.3, 1.21.1, 1.22.1, 1.23.1, 1.24.3, 1.25.1, 1.26.1, 1.27.1, 1.28.1, 1.2.8, 1.29.4, 1.30.3, 1.31.1, 1.3.1, 1.32.3, 1.33.1, 1.34.1, 1.35.2, 1.36.1, 1.37.3, 1.38.1, 1.39.2, 1.40.2, 1.41.11, 1.4.1, 1.42.1, 1.43.7, 1.44.4, 1.45.1, 1.46.1, 1.47.5, 1.48.1, 1.49.1, 1.50.2, 1.51.1, 1.5.1, 1.52.1, 1.53.1, 1.54.2, 1.55.1, 1.56.3, 1.57.1, 1.58.1, 1.59.2, 1.60.1, 1.61.2, 1.6.1, 1.62.2, 1.63.2, 1.64.1, 1.65.1, 1.66.6, 1.67.3, 1.68.2, 1.69.1, 1.70.4, 1.71.1, 1.72.1, 1.7.2, 1.73.5, 1.74.1, 1.75.1, 1.76.1, 1.77.4, 1.78.8, 1.79.1, 1.80.1, 1.81.1, 1.8.1, 1.82.1, 1.83.1, 1.84.1, 1.85.1, 1.86.1, 1.87.7, 1.88.1, 1.89.2, 1.90.2, 1.9.2, and 1.91.3. | -- | Apr 17, 2024 |
| CVE-2024-30254 | MesonLSP is an unofficial, unendorsed language server for meson written in C++. A vulnerability in versions prior to 4.1.4 allows overwriting arbitrary files if the attacker can make the victim either run the language server within a specific crafted project or `mesonlsp --full`. Version 4.1.4 contains a patch for this issue. As a workaround, avoid running `mesonlsp --full` and set the language server option `others.neverDownloadAutomatically` to `true`. | -- | Apr 4, 2024 |
| CVE-2024-30255 | Envoy is a cloud-native, open source edge and service proxy. The HTTP/2 protocol stack in Envoy versions prior to 1.29.3, 1.28.2, 1.27.4, and 1.26.8 are vulnerable to CPU exhaustion due to flood of CONTINUATION frames. Envoy\'s HTTP/2 codec allows the client to send an unlimited number of CONTINUATION frames even after exceeding Envoy\'s header map limits. This allows an attacker to send a sequence of CONTINUATION frames without the END_HEADERS bit set causing CPU utilization, consuming approximately 1 core per 300Mbit/s of traffic and culminating in denial of service through CPU exhaustion. Users should upgrade to version 1.29.3, 1.28.2, 1.27.4, or 1.26.8 to mitigate the effects of the CONTINUATION flood. As a workaround, disable HTTP/2 protocol for downstream connections. | -- | Apr 5, 2024 |
| CVE-2024-30256 | Open WebUI is a user-friendly WebUI for LLMs. Open-webui is vulnerable to authenticated blind server-side request forgery. This vulnerability is fixed in 0.1.117. | -- | Apr 16, 2024 |
| CVE-2024-30257 | 1Panel is an open source Linux server operation and maintenance management panel. The password verification in the source code uses the != symbol instead hmac.Equal. This may lead to a timing attack vulnerability. This vulnerability is fixed in 1.10.3-lts. | -- | Apr 18, 2024 |
