The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
ID | Description | Priority | Modified date |
---|---|---|---|
CVE-2024-31069 | IO-1020 Micro ELD web server uses a default password for authentication. | -- | Apr 15, 2024 |
CVE-2024-31077 | Forminator prior to 1.29.3 contains a SQL injection vulnerability. If this vulnerability is exploited, a remote authenticated attacker with an administrative privilege may obtain and alter any information in the database and cause a denial-of-service (DoS) condition. | -- | Apr 23, 2024 |
CVE-2024-31080 | A heap-based buffer over-read vulnerability was found in the X.org server's ProcXIGetSelectedEvents() function. This issue occurs when byte-swapped length values are used in replies, potentially leading to memory leakage and segmentation faults, particularly when triggered by a client with a different endianness. This vulnerability could be exploited by an attacker to cause the X server to read heap memory values and then transmit them back to the client until encountering an unmapped page, resulting in a crash. Despite the attacker's inability to control the specific memory copied into the replies, the small length values typically stored in a 32-bit integer can result in significant attempted out-of-bounds reads. | -- | Apr 4, 2024 |
CVE-2024-31081 | A heap-based buffer over-read vulnerability was found in the X.org server's ProcXIPassiveGrabDevice() function. This issue occurs when byte-swapped length values are used in replies, potentially leading to memory leakage and segmentation faults, particularly when triggered by a client with a different endianness. This vulnerability could be exploited by an attacker to cause the X server to read heap memory values and then transmit them back to the client until encountering an unmapped page, resulting in a crash. Despite the attacker's inability to control the specific memory copied into the replies, the small length values typically stored in a 32-bit integer can result in significant attempted out-of-bounds reads. | -- | Apr 4, 2024 |
CVE-2024-31082 | A heap-based buffer over-read vulnerability was found in the X.org server's ProcAppleDRICreatePixmap() function. This issue occurs when byte-swapped length values are used in replies, potentially leading to memory leakage and segmentation faults, particularly when triggered by a client with a different endianness. This vulnerability could be exploited by an attacker to cause the X server to read heap memory values and then transmit them back to the client until encountering an unmapped page, resulting in a crash. Despite the attacker's inability to control the specific memory copied into the replies, the small length values typically stored in a 32-bit integer can result in significant attempted out-of-bounds reads. | -- | Apr 4, 2024 |
CVE-2024-31083 | A use-after-free vulnerability was found in the ProcRenderAddGlyphs() function of Xorg servers. This issue occurs when AllocateGlyph() is called to store new glyphs sent by the client to the X server, potentially resulting in multiple entries pointing to the same non-refcounted glyphs. Consequently, ProcRenderAddGlyphs() may free a glyph, leading to a use-after-free scenario when the same glyph pointer is subsequently accessed. This flaw allows an authenticated attacker to execute arbitrary code on the system by sending a specially crafted request. | -- | Apr 5, 2024 |
CVE-2024-31084 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pulsar Web Design Weekly Class Schedule allows Reflected XSS. This issue affects Weekly Class Schedule: from n/a through 3.19. | -- | Apr 1, 2024 |
CVE-2024-31085 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rob Marsh, SJ Post-Plugin Library allows Reflected XSS. This issue affects Post-Plugin Library: from n/a through 2.6.2.1. | -- | Apr 1, 2024 |
CVE-2024-31086 | Cross-Site Request Forgery (CSRF) vulnerability in Venugopal Change default login logo,url and title allows Cross-Site Scripting (XSS). This issue affects Change default login logo,url and title: from n/a through 2.0. | -- | Apr 15, 2024 |
CVE-2024-31087 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Joel Starnes pageMash > Page Management allows Reflected XSS. This issue affects pageMash > Page Management: from n/a through 1.3.0. | -- | Apr 1, 2024 |
CVE-2024-31089 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Techblissonline.Com (Rajesh) Platinum SEO allows Stored XSS. This issue affects Platinum SEO: from n/a through 2.4.0. | -- | Apr 1, 2024 |
CVE-2024-31090 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ???? Hacklog Down As PDF allows Reflected XSS. This issue affects Hacklog Down As PDF: from n/a through 2.3.6. | -- | Apr 1, 2024 |
CVE-2024-31091 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SparkWeb Interactive, Inc. Custom Field Bulk Editor allows Reflected XSS. This issue affects Custom Field Bulk Editor: from n/a through 1.9.1. | -- | Apr 1, 2024 |
CVE-2024-31092 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Philip M. Hofer (Frumph) Comic Easel allows Reflected XSS. This issue affects Comic Easel: from n/a through 1.15. | -- | Apr 1, 2024 |
CVE-2024-31093 | Cross-Site Request Forgery (CSRF) vulnerability in Kaloyan K. Tsvetkov Broken Images allows Cross-Site Scripting (XSS). This issue affects Broken Images: from n/a through 0.2. | -- | Apr 15, 2024 |
CVE-2024-31094 | Deserialization of Untrusted Data vulnerability in Filter Custom Fields & Taxonomies Light. This issue affects Filter Custom Fields & Taxonomies Light: from n/a through 1.05. | -- | Apr 1, 2024 |
CVE-2024-31095 | Authorization Bypass Through User-Controlled Key vulnerability in Ricard Torres Thumbs Rating. This issue affects Thumbs Rating: from n/a through 5.1.0. | -- | Apr 1, 2024 |
CVE-2024-31096 | Cross-Site Request Forgery (CSRF) vulnerability in kopatheme Nictitate. This issue affects Nictitate: from n/a through 1.1.4. | -- | Apr 1, 2024 |
CVE-2024-31097 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Stephan Spencer SEO Title Tag allows Reflected XSS. This issue affects SEO Title Tag: from n/a through 3.5.9. | -- | Apr 1, 2024 |
CVE-2024-31099 | Missing Authorization vulnerability in Averta Shortcodes and extra features for Phlox theme. This issue affects Shortcodes and extra features for Phlox theme: from n/a through 2.15.5. | -- | Apr 1, 2024 |
CVE-2024-31100 | Cross-Site Request Forgery (CSRF) vulnerability in Festi-Team Popup Cart Lite for WooCommerce. This issue affects Popup Cart Lite for WooCommerce: from n/a through 1.1. | -- | Apr 1, 2024 |
CVE-2024-31101 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in August Infotech AI Twitter Feeds (Twitter widget & shortcode) allows Stored XSS. This issue affects AI Twitter Feeds (Twitter widget & shortcode): from n/a through 2.4. | -- | Apr 1, 2024 |
CVE-2024-31102 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Scimone Ignazio Prenotazioni allows Stored XSS. This issue affects Prenotazioni: from n/a through 1.7.4. | -- | Apr 1, 2024 |
CVE-2024-31103 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kanban for WordPress Kanban Boards for WordPress allows Reflected XSS. This issue affects Kanban Boards for WordPress: from n/a through 2.5.21. | -- | Apr 1, 2024 |
CVE-2024-31104 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GetResponse GetResponse for WordPress allows Stored XSS. This issue affects GetResponse for WordPress: from n/a through 5.5.33. | -- | Apr 1, 2024 |
CVE-2024-31105 | Cross-Site Request Forgery (CSRF) vulnerability in Adam Bowen Tax Rate Upload allows Reflected XSS. This issue affects Tax Rate Upload: from n/a through 2.4.5. | -- | Apr 2, 2024 |
CVE-2024-31106 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Yooslider Yoo Slider allows Reflected XSS. This issue affects Yoo Slider: from n/a through 2.1.1. | -- | Apr 1, 2024 |
CVE-2024-31107 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DiSo Development Team OpenID allows Reflected XSS. This issue affects OpenID: from n/a through 3.6.1. | -- | Apr 1, 2024 |
CVE-2024-31108 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in iFlyChat Team iFlyChat – WordPress Chat iflychat allows Stored XSS. This issue affects iFlyChat – WordPress Chat: from n/a through 4.7.2. | -- | Apr 1, 2024 |
CVE-2024-31109 | Cross-Site Request Forgery (CSRF) vulnerability in Toastie Studio Woocommerce Social Media Share Buttons allows Stored XSS. This issue affects Woocommerce Social Media Share Buttons: from n/a through 1.3.0. | -- | Apr 2, 2024 |
CVE-2024-31110 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Katz Web Services, Inc. Contact Form 7 Newsletter allows Reflected XSS. This issue affects Contact Form 7 Newsletter: from n/a through 2.2. | -- | Apr 1, 2024 |
CVE-2024-31112 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Stephanie Leary Convert Post Types allows Reflected XSS. This issue affects Convert Post Types: from n/a through 1.4. | -- | Apr 1, 2024 |
CVE-2024-31114 | Unrestricted Upload of File with Dangerous Type vulnerability in biplob018 Shortcode Addons. This issue affects Shortcode Addons: from n/a through 3.2.5. | -- | Apr 1, 2024 |
CVE-2024-31115 | Unrestricted Upload of File with Dangerous Type vulnerability in QuanticaLabs Chauffeur Taxi Booking System for WordPress. This issue affects Chauffeur Taxi Booking System for WordPress: from n/a through 6.9. | -- | Apr 1, 2024 |
CVE-2024-31116 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in 10Web 10Web Map Builder for Google Maps. This issue affects 10Web Map Builder for Google Maps: from n/a through 1.0.74. | -- | Apr 1, 2024 |
CVE-2024-31117 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Moises Heberle WooCommerce Bookings Calendar. This issue affects WooCommerce Bookings Calendar: from n/a through 1.0.36. | -- | Apr 1, 2024 |
CVE-2024-31120 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdevart Responsive Image Gallery, Gallery Album allows Stored XSS. This issue affects Responsive Image Gallery, Gallery Album: from n/a through 2.0.3. | -- | Apr 1, 2024 |
CVE-2024-31121 | Contributor Cross Site Scripting (XSS) in HeartThis <= 0.1.0 versions. | -- | Apr 1, 2024 |
CVE-2024-31122 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Prism IT Systems User Rights Access Manager allows Reflected XSS. This issue affects User Rights Access Manager: from n/a through 1.1.2. | -- | Apr 1, 2024 |
CVE-2024-31123 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WebDorado SpiderFAQ allows Reflected XSS. This issue affects SpiderFAQ: from n/a through 1.3.2. | -- | Apr 1, 2024 |
CVE-2024-31134 | In JetBrains TeamCity before 2024.03 authenticated users without administrative permissions could register other users when self-registration was disabled | -- | Mar 28, 2024 |
CVE-2024-31135 | In JetBrains TeamCity before 2024.03 open redirect was possible on the login page | -- | Mar 28, 2024 |
CVE-2024-31136 | In JetBrains TeamCity before 2024.03 2FA could be bypassed by providing a special URL parameter | -- | Mar 28, 2024 |
CVE-2024-31137 | In JetBrains TeamCity before 2024.03 reflected XSS was possible via Space connection configuration | -- | Mar 28, 2024 |
CVE-2024-31138 | In JetBrains TeamCity before 2024.03 XSS was possible via Agent Distribution settings | -- | Mar 28, 2024 |
CVE-2024-31139 | In JetBrains TeamCity before 2024.03 XXE was possible in the Maven build steps detector | -- | Mar 28, 2024 |
CVE-2024-31140 | In JetBrains TeamCity before 2024.03 server administrators could remove arbitrary files from the server by installing tools | -- | Mar 28, 2024 |
CVE-2024-31204 | mailcow: dockerized is an open source groupware/email suite based on docker. A security vulnerability has been identified in mailcow affecting versions prior to 2024-04. This vulnerability resides in the exception handling mechanism, specifically when not operating in DEV_MODE. The system saves exception details into a session array without proper sanitization or encoding. These details are later rendered into HTML and executed in a JavaScript block within the user's browser, without adequate escaping of HTML entities. This flaw allows for Cross-Site Scripting (XSS) attacks, where attackers can inject malicious scripts into the admin panel by triggering exceptions with controlled input. The exploitation method involves using any function that might throw an exception with a user-controllable argument. This issue can lead to session hijacking and unauthorized administrative actions, posing a significant security risk. Version 2024-04 contains a fix for the issue. | -- | Apr 5, 2024 |
CVE-2024-31205 | Saleor is an e-commerce platform. Starting in version 3.10.0 and prior to versions 3.14.64, 3.15.39, 3.16.39, 3.17.35, 3.18.31, and 3.19.19, an attacker may bypass cross-site request forgery (CSRF) validation when calling the refresh token mutation with an empty string. When a user provides an empty string in the `refreshToken` mutation, while the token persists in the `JWT_REFRESH_TOKEN_COOKIE_NAME` cookie, the application omits validation against the CSRF token and returns a valid access token. Versions 3.14.64, 3.15.39, 3.16.39, 3.17.35, 3.18.31, and 3.19.19 contain a patch for the issue. As a workaround, one may replace `saleor.graphql.account.mutations.authentication.refresh_token.py.get_refresh_token`. This will fix the issue, but be aware that it returns `JWT_MISSING_TOKEN` instead of `JWT_INVALID_TOKEN`. | -- | Apr 8, 2024 |
CVE-2024-31206 | dectalk-tts is a Node package to interact with the aeiou Dectalk web API. In `dectalk-tts@1.0.0`, network requests to the third-party API are sent over HTTP, which is unencrypted. Unencrypted traffic can be easily intercepted and modified by attackers. Anyone who uses the package could be the victim of a man-in-the-middle (MITM) attack. The network request was upgraded to HTTPS in version `1.0.1`. There are no workarounds, but some precautions include not sending any sensitive information and carefully verifying the API response before saving it. | -- | Apr 5, 2024 |