Wind River Support Network

CVE Database

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

168443 entries
ID | Description | Priority | Modified date
CVE-2024-32656 Ant Media Server is live streaming engine software. A local privilege escalation vulnerability present in versions 2.6.0 through 2.8.2 allows any unprivileged operating system user account to escalate privileges to the root user account on the system. This vulnerability arises from Ant Media Server running with Java Management Extensions (JMX) enabled and authentication disabled on localhost on port 5599/TCP. This vulnerability is nearly identical to the local privilege escalation vulnerability CVE-2023-26269 identified in Apache James. Any unprivileged operating system user can connect to the JMX service running on port 5599/TCP on localhost and leverage the MLet Bean within JMX to load a remote MBean from an attacker-controlled server. This allows an attacker to execute arbitrary code within the Java process run by Ant Media Server and execute code within the context of the `antmedia` service account on the system. Version 2.9.0 contains a patch for the issue. As a workaround, one may remove certain parameters from the `antmedia.service` file. -- Apr 23, 2024
CVE-2024-32653 jadx is a Dex to Java decompiler. Prior to version 1.5.0, the package name is not filtered before concatenation. This can be exploited to inject arbitrary code into the package name. The vulnerability allows an attacker to execute commands with shell privileges. Version 1.5.0 contains a patch for the vulnerability. -- Apr 23, 2024
CVE-2024-32652 The adapter @hono/node-server allows you to run your Hono application on Node.js. Prior to 1.10.1, the application hangs when receiving a Host header with a value that `@hono/node-server` can't handle well. Invalid values are those that cannot be parsed by the `URL` as a hostname such as an empty string, slashes `/`, and other strings. The version 1.10.1 includes the fix for this issue. -- Apr 22, 2024
CVE-2024-32651 changedetection.io is an open source web page change detection, website watcher, restock monitor and notification service. There is a Server Side Template Injection (SSTI) in Jinja2 that allows Remote Command Execution on the server host. Attackers can run any system command without any restriction and they could use a reverse shell. The impact is critical as the attacker can completely take over the server machine. This can be reduced if changedetection is behind a login page, but this isn't required by the application (not by default and not enforced). -- Apr 26, 2024
CVE-2024-32650 Rustls is a modern TLS library written in Rust. `rustls::ConnectionCommon::complete_io` could fall into an infinite loop based on network input. When using a blocking rustls server, if a client sends a `close_notify` message immediately after `client_hello`, the server's `complete_io` will get in an infinite loop. This vulnerability is fixed in 0.23.5, 0.22.4, and 0.21.11. -- Apr 19, 2024
CVE-2024-32649 Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, using the `sqrt` builtin can result in a double eval vulnerability when the argument has side-effects. It can be seen that the `build_IR` function of the `sqrt` builtin doesn't cache the argument to the stack. As such, it can be evaluated multiple times (instead of retrieving the value from the stack). No vulnerable production contracts were found. Additionally, double evaluation of side-effects should be easily discoverable in client tests. As such, the impact is low. As of time of publication, no fixed versions are available. -- Apr 25, 2024
CVE-2024-32648 Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. Prior to version 0.3.0, default functions don't respect nonreentrancy keys and the lock isn't emitted. No vulnerable production contracts were found. Additionally, using a lock on a `default` function is a very sparsely used pattern. As such, the impact is low. Version 0.3.0 contains a patch for the issue. -- Apr 25, 2024
CVE-2024-32647 Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, using the `create_from_blueprint` builtin can result in a double eval vulnerability when `raw_args=True` and the `args` argument has side-effects. It can be seen that the `_build_create_IR` function of the `create_from_blueprint` builtin doesn't cache the mentioned `args` argument to the stack. As such, it can be evaluated multiple times (instead of retrieving the value from the stack). No vulnerable production contracts were found. Additionally, double evaluation of side-effects should be easily discoverable in client tests. As such, the impact is low. As of time of publication, no fixed versions exist. -- Apr 25, 2024
CVE-2024-32646 Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, using the `slice` builtin can result in a double eval vulnerability when the buffer argument is either `msg.data`, `self.code` or `<address>.code` and either the `start` or `length` arguments have side-effects. It can be easily triggered only with the versions `<0.3.4` as `0.3.4` introduced the unique symbol fence. No vulnerable production contracts were found. Additionally, double evaluation of side-effects should be easily discoverable in client tests. As such, the impact is low. As of time of publication, no fixed versions are available. -- Apr 25, 2024
CVE-2024-32645 Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, incorrect values can be logged when `raw_log` builtin is called with memory or storage arguments to be used as topics. A contract search was performed and no vulnerable contracts were found in production. The `build_IR` function of the `RawLog` class fails to properly unwrap the variables provided as topics. Consequently, incorrect values are logged as topics. As of time of publication, no fixed version is available. -- Apr 25, 2024
CVE-2024-32644 Evmos is a scalable, high-throughput Proof-of-Stake EVM blockchain that is fully compatible and interoperable with Ethereum. Prior to 17.0.0, there is a way to mint arbitrary tokens due to the possibility to have two different states not in sync during the execution of a transaction. The exploit is based on the fact that to sync the Cosmos SDK state and the EVM one, we rely on the `stateDB.Commit()` method. When we call this method, we iterate through all the `dirtyStorage` and, **if and only if** it is different than the `originStorage`, we set the new state. Setting the new state means we update the Cosmos SDK KVStore. If a contract storage state is the same before and after a transaction, but is changed during the transaction and can call an external contract after the change, it can be exploited to make the transaction similar to non-atomic. The vulnerability is **critical** since this could lead to a drain of funds through creative SC interactions. The issue has been patched in versions >=V17.0.0. -- Apr 19, 2024
CVE-2024-32634 In huge memory get unmapped area check, code can never be reached because of a logical contradiction. -- Apr 16, 2024
CVE-2024-32633 An unsigned value can never be negative, so eMMC full disk test will always evaluate the same way. -- Apr 16, 2024
CVE-2024-32632 A value in ATCMD will be misinterpreted by printf, causing incorrect output and possibly out-of-bounds memory access -- Apr 16, 2024
CVE-2024-32631 Out-of-Bounds read in ciCCIOTOPT in ASR180X will cause incorrect computations. -- Apr 16, 2024
CVE-2024-32625 In OffloadAMRWriter, a scalar field is not initialized so will contain an arbitrary value left over from earlier computations -- Apr 16, 2024
CVE-2024-32604 Authorization Bypass Through User-Controlled Key vulnerability in Plechev Andrey WP-Recall. This issue affects WP-Recall: from n/a through 16.26.5. -- Apr 18, 2024
CVE-2024-32603 Deserialization of Untrusted Data vulnerability in ThemeKraft WooBuddy. This issue affects WooBuddy: from n/a through 3.4.20. -- Apr 18, 2024
CVE-2024-32602 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in OnTheGoSystems WooCommerce Multilingual & Multicurrency. This issue affects WooCommerce Multilingual & Multicurrency: from n/a through 5.3.3.1. -- Apr 18, 2024
CVE-2024-32601 Missing Authorization vulnerability in WP OnlineSupport, Essential Plugin Popup Anything. This issue affects Popup Anything: from n/a through 2.8. -- Apr 18, 2024
CVE-2024-32600 Deserialization of Untrusted Data vulnerability in Averta Master Slider. This issue affects Master Slider: from n/a through 3.9.5. -- Apr 18, 2024
CVE-2024-32599 Improper Control of Generation of Code ('Code Injection') vulnerability in Deepak anand WP Dummy Content Generator. This issue affects WP Dummy Content Generator: from n/a through 3.2.1. -- Apr 18, 2024
CVE-2024-32598 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Booking Algorithms BA Book Everything allows Stored XSS. This issue affects BA Book Everything: from n/a through 1.6.8. -- Apr 18, 2024
CVE-2024-32597 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Xylus Themes WordPress Importer allows Stored XSS. This issue affects WordPress Importer: from n/a through 1.0.7. -- Apr 18, 2024
CVE-2024-32596 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Eric-Oliver Mächler DSGVO Youtube allows Stored XSS. This issue affects DSGVO Youtube: from n/a through 1.4.5. -- Apr 18, 2024
CVE-2024-32595 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mat Bao Corp WP Helper Premium allows Reflected XSS. This issue affects WP Helper Premium: from n/a before 4.6.0. -- Apr 18, 2024
CVE-2024-32594 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AttesaWP Attesa Extra allows Stored XSS. This issue affects Attesa Extra: from n/a through 1.3.9. -- Apr 18, 2024
CVE-2024-32593 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPBits WPBITS Addons For Elementor Page Builder allows Stored XSS. This issue affects WPBITS Addons For Elementor Page Builder: from n/a through 1.3.4.2. -- Apr 18, 2024
CVE-2024-32592 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VoidCoders, innovs Void Elementor WHMCS Elements For Elementor Page Builder allows Stored XSS. This issue affects Void Elementor WHMCS Elements For Elementor Page Builder: from n/a through 2.0. -- Apr 18, 2024
CVE-2024-32591 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Daniele De Rosa Backend Designer allows Stored XSS. This issue affects Backend Designer: from n/a through 1.3. -- Apr 18, 2024
CVE-2024-32590 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Webfood Kattene allows Stored XSS. This issue affects Kattene: from n/a through 1.7. -- Apr 18, 2024
CVE-2024-32588 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress LearnPress Export Import allows Reflected XSS. This issue affects LearnPress Export Import: from n/a through 4.0.3. -- Apr 18, 2024
CVE-2024-32587 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in EnvialoSimple EnvíaloSimple allows Reflected XSS. This issue affects EnvíaloSimple: from n/a through 2.2. -- Apr 18, 2024
CVE-2024-32586 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Munir Kamal Gutenberg Block Editor Toolkit allows Stored XSS. This issue affects Gutenberg Block Editor Toolkit: from n/a through 1.40.4. -- Apr 18, 2024
CVE-2024-32585 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in extendWP Import Content in WordPress & WooCommerce with Excel allows Reflected XSS. This issue affects Import Content in WordPress & WooCommerce with Excel: from n/a through 4.2. -- Apr 18, 2024
CVE-2024-32584 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in StandaloneTech TeraWallet – For WooCommerce allows Stored XSS. This issue affects TeraWallet – For WooCommerce: from n/a through 1.5.0. -- Apr 18, 2024
CVE-2024-32583 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Photo Gallery Team Photo Gallery by 10Web allows Reflected XSS. This issue affects Photo Gallery by 10Web: from n/a through 1.8.21. -- Apr 18, 2024
CVE-2024-32582 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bowo Debug Log Manager allows Stored XSS. This issue affects Debug Log Manager: from n/a through 2.3.1. -- Apr 18, 2024
CVE-2024-32581 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Lenderd Mortgage Calculators WP allows Stored XSS. This issue affects Mortgage Calculators WP: from n/a through 1.56. -- Apr 18, 2024
CVE-2024-32580 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Averta Master Slider allows Stored XSS. This issue affects Master Slider: from n/a through 3.9.8. -- Apr 18, 2024
CVE-2024-32579 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GloriaFood Restaurant Menu – Food Ordering System – Table Reservation allows Stored XSS. This issue affects Restaurant Menu – Food Ordering System – Table Reservation: from n/a through 2.4.1. -- Apr 18, 2024
CVE-2024-32578 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 10Web Slider by 10Web allows Reflected XSS. This issue affects Slider by 10Web: from n/a through 1.2.54. -- Apr 18, 2024
CVE-2024-32577 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Codeboxr Team CBX Bookmark & Favorite cbxwpbookmark allows Stored XSS. This issue affects CBX Bookmark & Favorite: from n/a through 1.7.20. -- Apr 18, 2024
CVE-2024-32576 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Booking Algorithms BA Book Everything allows Stored XSS. This issue affects BA Book Everything: from n/a through 1.6.8. -- Apr 18, 2024
CVE-2024-32575 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kraftplugins Mega Elements allows Stored XSS. This issue affects Mega Elements: from n/a through 1.1.9. -- Apr 18, 2024
CVE-2024-32574 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ashish Ajani WP Simple HTML Sitemap allows Reflected XSS. This issue affects WP Simple HTML Sitemap: from n/a through 2.8. -- Apr 18, 2024
CVE-2024-32573 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Lab WP-Lister Lite for eBay allows Stored XSS. This issue affects WP-Lister Lite for eBay: from n/a through 3.5.11. -- Apr 18, 2024
CVE-2024-32572 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BdThemes Element Pack Elementor Addons allows Stored XSS. This issue affects Element Pack Elementor Addons: from n/a through 5.6.0. -- Apr 18, 2024
CVE-2024-32571 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in naa986 WP Stripe Checkout allows Stored XSS. This issue affects WP Stripe Checkout: from n/a through 1.2.2.41. -- Apr 18, 2024
CVE-2024-32570 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Archetyped Cornerstone allows Reflected XSS. This issue affects Cornerstone: from n/a through 0.8.0. -- Apr 18, 2024
The 'Fixed Release' column is displayed if a single product version is selected from the filter. The fixed release is applicable in cases when the CVE has been addressed and fixed for that product version. Requires LTSS - customers must have active LTSS (Long Term Security Shield) Support to receive up-to-date information about vulnerabilities that may affect legacy software. Please contact your Wind River account team or see https://docs.windriver.com/bundle/Support_and_Maintenance_Supplemental_Terms_and_Conditions and https://support2.windriver.com/index.php?page=plc for more information.