The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2024-31805 | TOTOLINK EX200 V4.0.3c.7646_B20201211 allows attackers to start the Telnet service without authorization via the telnet_enabled parameter in the setTelnetCfg function. | -- | Apr 8, 2024 |
| CVE-2024-31806 | TOTOLINK EX200 V4.0.3c.7646_B20201211 was discovered to contain a Denial-of-Service (DoS) vulnerability in the RebootSystem function which can reboot the system without authorization. | -- | Apr 8, 2024 |
| CVE-2024-31807 | TOTOLINK EX200 V4.0.3c.7646_B20201211 was discovered to contain a remote code execution (RCE) vulnerability via the hostTime parameter in the NTPSyncWithHost function. | -- | Apr 8, 2024 |
| CVE-2024-31808 | TOTOLINK EX200 V4.0.3c.7646_B20201211 was discovered to contain a remote code execution (RCE) vulnerability via the webWlanIdx parameter in the setWebWlanIdx function. | -- | Apr 8, 2024 |
| CVE-2024-31809 | TOTOLINK EX200 V4.0.3c.7646_B20201211 was discovered to contain a remote code execution (RCE) vulnerability via the FileName parameter in the setUpgradeFW function. | -- | Apr 8, 2024 |
| CVE-2024-31811 | TOTOLINK EX200 V4.0.3c.7646_B20201211 was discovered to contain a remote code execution (RCE) vulnerability via the langType parameter in the setLanguageCfg function. | -- | Apr 8, 2024 |
| CVE-2024-31812 | In TOTOLINK EX200 V4.0.3c.7646_B20201211, an attacker can obtain sensitive information without authorization through the function getWiFiExtenderConfig. | -- | Apr 8, 2024 |
| CVE-2024-31813 | TOTOLINK EX200 V4.0.3c.7646_B20201211 does not contain an authentication mechanism by default. | -- | Apr 8, 2024 |
| CVE-2024-31814 | TOTOLINK EX200 V4.0.3c.7646_B20201211 allows attackers to bypass login through the Form_Login function. | -- | Apr 8, 2024 |
| CVE-2024-31815 | In TOTOLINK EX200 V4.0.3c.7314_B20191204, an attacker can obtain the configuration file without authorization through /cgi-bin/ExportSettings.sh | -- | Apr 8, 2024 |
| CVE-2024-31816 | In TOTOLINK EX200 V4.0.3c.7646_B20201211, an attacker can obtain sensitive information without authorization through the function getEasyWizardCfg. | -- | Apr 8, 2024 |
| CVE-2024-31817 | In TOTOLINK EX200 V4.0.3c.7646_B20201211, an attacker can obtain sensitive information without authorization through the function getSysStatusCfg. | -- | Apr 8, 2024 |
| CVE-2024-31818 | Directory Traversal vulnerability in DerbyNet v.9.0 allows a remote attacker to execute arbitrary code via the page parameter of the kiosk.php component. | -- | Apr 15, 2024 |
| CVE-2024-31819 | An issue in WWBN AVideo v.12.4 through v.14.2 allows a remote attacker to execute arbitrary code via the systemRootPath parameter of the submitIndex.php component. | -- | Apr 11, 2024 |
| CVE-2024-31820 | An issue in Ecommerce-CodeIgniter-Bootstrap commit v. d22b54e8915f167a135046ceb857caaf8479c4da allows a remote attacker to execute arbitrary code via the getLangFolderForEdit method of the Languages.php component. | -- | Apr 29, 2024 |
| CVE-2024-31821 | SQL Injection vulnerability in Ecommerce-CodeIgniter-Bootstrap commit v. d22b54e8915f167a135046ceb857caaf8479c4da allows a remote attacker to execute arbitrary code via the manageQuantitiesAndProcurement method of the Orders_model.php component. | -- | Apr 29, 2024 |
| CVE-2024-31822 | An issue in Ecommerce-CodeIgniter-Bootstrap commit v. d22b54e8915f167a135046ceb857caaf8479c4da allows a remote attacker to execute arbitrary code via the saveLanguageFiles method of the Languages.php component. | -- | Apr 29, 2024 |
| CVE-2024-31823 | An issue in Ecommerce-CodeIgniter-Bootstrap commit v. d22b54e8915f167a135046ceb857caaf8479c4da allows a remote attacker to execute arbitrary code via the removeSecondaryImage method of the Publish.php component. | -- | Apr 29, 2024 |
| CVE-2024-31828 | Cross Site Scripting vulnerability in Lavalite CMS v.10.1.0 allows attackers to execute arbitrary code and obtain sensitive information via a crafted payload to the URL. | -- | Apr 29, 2024 |
| CVE-2024-31839 | Cross Site Scripting vulnerability in tiagorlampert CHAOS v.5.0.1 allows a remote attacker to escalate privileges via the sendCommandHandler function in the handler.go component. | -- | Apr 15, 2024 |
| CVE-2024-31841 | An issue was discovered in Italtel Embrace 1.6.4. The web server fails to sanitize input data, allowing remote unauthenticated attackers to read arbitrary files on the filesystem. | -- | Apr 19, 2024 |
| CVE-2024-31846 | An issue was discovered in Italtel Embrace 1.6.4. The web application does not restrict or incorrectly restricts access to a resource from an unauthorized actor. | -- | Apr 19, 2024 |
| CVE-2024-31848 | A path traversal vulnerability exists in the Java version of CData API Server < 23.4.8844 when running using the embedded Jetty server, which could allow an unauthenticated remote attacker to gain complete administrative access to the application. | -- | Apr 8, 2024 |
| CVE-2024-31849 | A path traversal vulnerability exists in the Java version of CData Connect < 23.4.8846 when running using the embedded Jetty server, which could allow an unauthenticated remote attacker to gain complete administrative access to the application. | -- | Apr 8, 2024 |
| CVE-2024-31850 | A path traversal vulnerability exists in the Java version of CData Arc < 23.4.8839 when running using the embedded Jetty server, which could allow an unauthenticated remote attacker to gain access to sensitive information and perform limited actions. | -- | Apr 8, 2024 |
| CVE-2024-31851 | A path traversal vulnerability exists in the Java version of CData Sync < 23.4.8843 when running using the embedded Jetty server, which could allow an unauthenticated remote attacker to gain access to sensitive information and perform limited actions. | -- | Apr 8, 2024 |
| CVE-2024-31852 | LLVM before 18.1.3 generates code in which the LR register can be overwritten without data being saved to the stack, and thus there can sometimes be an exploitable error in the flow of control. This affects the ARM backend and can be demonstrated with Clang. NOTE: the vendor perspective is we don\'t have strong objections for a CVE to be created ... It does seem that the likelihood of this miscompile enabling an exploit remains very low, because the miscompile resulting in this JOP gadget is such that the function is most likely to crash on most valid inputs to the function. So, if this function is covered by any testing, the miscompile is most likely to be discovered before the binary is shipped to production. | LOW | Apr 8, 2024 |
| CVE-2024-31857 | Forminator prior to 1.15.4 contains a cross-site scripting vulnerability. If this vulnerability is exploited, a remote attacker may obtain user information etc. and alter the page contents on the user\'s web browser. | -- | Apr 23, 2024 |
| CVE-2024-31860 | Improper Input Validation vulnerability in Apache Zeppelin. By adding relative path indicators(E.g ..), attackers can see the contents for any files in the filesystem that the server account can access. This issue affects Apache Zeppelin: from 0.9.0 before 0.11.0. Users are recommended to upgrade to version 0.11.0, which fixes the issue. | -- | Apr 9, 2024 |
| CVE-2024-31861 | Improper Control of Generation of Code (\'Code Injection\') vulnerability in Apache Zeppelin. The attackers can use Shell interpreter as a code generation gateway, and execute the generated code as a normal way. This issue affects Apache Zeppelin: from 0.10.1 before 0.11.1. Users are recommended to upgrade to version 0.11.1, which doesn\'t have Shell interpreter by default. | -- | Apr 11, 2024 |
| CVE-2024-31862 | Improper Input Validation vulnerability in Apache Zeppelin when creating a new note from Zeppelin\'s UI.This issue affects Apache Zeppelin: from 0.10.1 before 0.11.0. Users are recommended to upgrade to version 0.11.0, which fixes the issue. | -- | Apr 9, 2024 |
| CVE-2024-31863 | Authentication Bypass by Spoofing vulnerability by replacing to exsiting notes in Apache Zeppelin.This issue affects Apache Zeppelin: from 0.10.1 before 0.11.0. Users are recommended to upgrade to version 0.11.0, which fixes the issue. | -- | Apr 9, 2024 |
| CVE-2024-31864 | Improper Control of Generation of Code (\'Code Injection\') vulnerability in Apache Zeppelin. The attacker can inject sensitive configuration or malicious code when connecting MySQL database via JDBC driver. This issue affects Apache Zeppelin: before 0.11.1. Users are recommended to upgrade to version 0.11.1, which fixes the issue. | -- | Apr 9, 2024 |
| CVE-2024-31865 | Improper Input Validation vulnerability in Apache Zeppelin. The attackers can call updating cron API with invalid or improper privileges so that the notebook can run with the privileges. This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1. Users are recommended to upgrade to version 0.11.1, which fixes the issue. | -- | Apr 9, 2024 |
| CVE-2024-31866 | Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin. The attackers can execute shell scripts or malicious code by overriding configuration like ZEPPELIN_INTP_CLASSPATH_OVERRIDES. This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1. Users are recommended to upgrade to version 0.11.1, which fixes the issue. | -- | Apr 9, 2024 |
| CVE-2024-31867 | Improper Input Validation vulnerability in Apache Zeppelin. The attackers can execute malicious queries by setting improper configuration properties to LDAP search filter. This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1. Users are recommended to upgrade to version 0.11.1, which fixes the issue. | -- | Apr 9, 2024 |
| CVE-2024-31868 | Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin. The attackers can modify helium.json and exposure XSS attacks to normal users. This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1. Users are recommended to upgrade to version 0.11.1, which fixes the issue. | -- | Apr 9, 2024 |
| CVE-2024-31869 | Airflow versions 2.7.0 through 2.8.4 have a vulnerability that allows an authenticated user to see sensitive provider configuration via the configuration UI page when non-sensitive-only was set as webserver.expose_config configuration (The celery provider is the only community provider currently that has sensitive configurations). You should migrate to Airflow 2.9 or change your expose_config configuration to False as a workaround. This is similar, but different to CVE-2023-46288 https://github.com/advisories/GHSA-9qqg-mh7c-chfq which concerned API, not UI configuration page. | -- | Apr 18, 2024 |
| CVE-2024-31871 | IBM Security Verify Access Appliance 10.0.0 through 10.0.7 could allow a malicious actor to conduct a man in the middle attack when deploying Python scripts due to improper certificate validation. IBM X-Force ID: 287306. | -- | Apr 10, 2024 |
| CVE-2024-31872 | IBM Security Verify Access Appliance 10.0.0 through 10.0.7 could allow a malicious actor to conduct a man in the middle attack when deploying Open Source scripts due to missing certificate validation. IBM X-Force ID: 287316. | -- | Apr 10, 2024 |
| CVE-2024-31873 | IBM Security Verify Access Appliance 10.0.0 through 10.0.7 contains hard-coded credentials which it uses for its own inbound authentication that could be obtained by a malicious actor. IBM X-Force ID: 287317. | -- | Apr 10, 2024 |
| CVE-2024-31874 | IBM Security Verify Access Appliance 10.0.0 through 10.0.7 uses uninitialized variables when deploying that could allow a local user to cause a denial of service. IBM X-Force ID: 287318. | -- | Apr 10, 2024 |
| CVE-2024-31887 | IBM Security Verify Privilege 11.6.25 could allow an unauthenticated actor to obtain sensitive information from the SOAP API. IBM X-Force ID: 287651. | -- | Apr 16, 2024 |
| CVE-2024-31920 | Cross-Site Request Forgery (CSRF) vulnerability in Tyche Softwares Currency per Product for WooCommerce.This issue affects Currency per Product for WooCommerce: from n/a through 1.6.0. | -- | Apr 15, 2024 |
| CVE-2024-31921 | Cross-Site Request Forgery (CSRF) vulnerability in Etoile Web Design Ultimate Product Catalogue.This issue affects Ultimate Product Catalogue: from n/a through 5.2.15. | -- | Apr 15, 2024 |
| CVE-2024-31922 | Cross-Site Request Forgery (CSRF) vulnerability in Anton Aleksandrov WordPress Hosting Benchmark tool.This issue affects WordPress Hosting Benchmark tool: from n/a through 1.3.6. | -- | Apr 15, 2024 |
| CVE-2024-31923 | Cross-Site Request Forgery (CSRF) vulnerability in PluginOps Feather Login Page.This issue affects Feather Login Page: from n/a through 1.1.5. | -- | Apr 15, 2024 |
| CVE-2024-31924 | Cross-Site Request Forgery (CSRF) vulnerability in Exactly WWW EWWW Image Optimizer.This issue affects EWWW Image Optimizer: from n/a through 7.2.3. | -- | Apr 10, 2024 |
| CVE-2024-31925 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in FAKTOR VIER F4 Improvements allows Stored XSS.This issue affects F4 Improvements: from n/a through 1.8.0. | -- | Apr 11, 2024 |
| CVE-2024-31926 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in BracketSpace Advanced Cron Manager – debug & control allows Stored XSS.This issue affects Advanced Cron Manager – debug & control: from n/a through 2.5.2. | -- | Apr 11, 2024 |
