Wind River Support Network

CVE Database

The Common Vulnerabilities and Exposures (CVE) program, maintained by the MITRE Corporation, is a catalogue of publicly disclosed vulnerabilities and security exposures, each assigned a standardized identifier (the CVE ID shown in the first column below).

167607 entries in the database (one page shown below).
ID | Description | Priority | Modified date | Fixed Release
CVE-2024-23557 | HCL Connections contains a user enumeration vulnerability. Certain actions could allow an attacker to determine if the user is valid or not, leading to a possible brute force attack. | -- | Apr 18, 2024 | n/a
CVE-2024-22186 | The application suffers from a privilege escalation vulnerability. An attacker logged in as guest can escalate his privileges by poisoning the cookie to become administrator. | -- | Apr 18, 2024 | n/a
CVE-2024-22179 | The application is vulnerable to an unauthenticated parameter manipulation that allows an attacker to set the credentials to blank giving her access to the admin panel. Also vulnerable to account takeover and arbitrary password change. | -- | Apr 18, 2024 | n/a
CVE-2024-21990 | ONTAP Select Deploy administration utility versions 9.12.1.x, 9.13.1.x and 9.14.1.x contain hard-coded credentials that could allow an attacker to view Deploy configuration information and modify the account credentials. | -- | Apr 18, 2024 | n/a
CVE-2024-21989 | ONTAP Select Deploy administration utility versions 9.12.1.x, 9.13.1.x and 9.14.1.x are susceptible to a vulnerability which when successfully exploited could allow a read-only user to escalate their privileges. | -- | Apr 18, 2024 | n/a
CVE-2024-21872 | The device allows an unauthenticated attacker to bypass authentication and modify the cookie to reveal hidden pages that allows more critical operations to the transmitter. | -- | Apr 18, 2024 | n/a
CVE-2024-21846 | An unauthenticated attacker can reset the board and stop transmitter operations by sending a specially-crafted GET request to the command.cgi gateway, resulting in a denial-of-service scenario. | -- | Apr 18, 2024 | n/a
CVE-2024-20380 | A vulnerability in the HTML parser of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. The vulnerability is due to an issue in the C to Rust foreign function interface. An attacker could exploit this vulnerability by submitting a crafted file containing HTML content to be scanned by ClamAV on an affected device. An exploit could allow the attacker to cause the ClamAV scanning process to terminate, resulting in a DoS condition on the affected software. | -- | Apr 18, 2024 | n/a
CVE-2024-3948 | A vulnerability was found in SourceCodester Home Clean Service System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file \admin\student.add.php of the component Photo Handler. The manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-261440. | -- | Apr 18, 2024 | n/a
CVE-2024-3932 | A vulnerability classified as problematic has been found in Totara LMS 18.0.1 Build 20231128.01. This affects an unknown part. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-261369 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | -- | Apr 18, 2024 | n/a
CVE-2024-3931 | A vulnerability was found in Totara LMS 18.0.1 Build 20231128.01. It has been rated as problematic. Affected by this issue is some unknown functionality of the file admin/roles/check.php of the component Profile Handler. The manipulation of the argument ID Number leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-261368. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | -- | Apr 18, 2024 | n/a
CVE-2024-3928 | A vulnerability was found in Dromara open-capacity-platform 2.0.1. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /actuator/heapdump of the component auth-server. The manipulation leads to information disclosure. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-261367. | -- | Apr 18, 2024 | n/a
CVE-2024-3817 | HashiCorp’s go-getter library is vulnerable to argument injection when executing Git to discover remote branches. This vulnerability does not affect the go-getter/v2 branch and package. | -- | Apr 18, 2024 | n/a
CVE-2024-3742 | Electrolink transmitters store credentials in clear-text. Use of these credentials could allow an attacker to access the system. | -- | Apr 18, 2024 | n/a
CVE-2024-3741 | Electrolink transmitters are vulnerable to an authentication bypass vulnerability affecting the login cookie. An attacker can set an arbitrary value except 'NO' to the login cookie and have full system access. | -- | Apr 18, 2024 | n/a
CVE-2024-2833 | The Jobs for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘job-search’ parameter in all versions up to, and including, 2.7.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | -- | Apr 18, 2024 | n/a
CVE-2024-2796 | A server-side request forgery (SSRF) was discovered in the Akana Community Manager Developer Portal in versions prior to and including 2022.1.3. Reported by Jakob Antonsson. | -- | Apr 18, 2024 | n/a
CVE-2024-2729 | The Otter Blocks WordPress plugin before 2.6.6 does not properly escape its mainHeadings blocks' attribute before appending it to the final rendered block, allowing contributors to conduct Stored XSS attacks. | -- | Apr 18, 2024 | n/a
CVE-2024-1491 | The devices allow access to an unprotected endpoint that allows MPFS file system binary image upload without authentication. The MPFS2 file system module provides a light-weight read-only file system that can be stored in external EEPROM, external serial flash, or internal flash program memory. This file system serves as the basis for the HTTP2 web server module, but is also used by the SNMP module and is available to other applications that require basic read-only storage capabilities. This can be exploited to overwrite the flash program memory that holds the web server's main interfaces and execute arbitrary code. | -- | Apr 18, 2024 | n/a
CVE-2024-1429 | The Element Pack Elementor Addons (Header Footer, Free Template Library, Grid, Carousel, Table, Parallax Animation, Register Form, Twitter Grid) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘tab_link’ attribute of the Panel Slider widget in all versions up to, and including, 5.6.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | -- | Apr 18, 2024 | n/a
CVE-2024-1426 | The Element Pack Elementor Addons (Header Footer, Free Template Library, Grid, Carousel, Table, Parallax Animation, Register Form, Twitter Grid) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘link’ attribute of the Price List widget in all versions up to, and including, 5.6.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | -- | Apr 18, 2024 | n/a
CVE-2024-0257 | RoboDK v5.5.4 is vulnerable to heap-based buffer overflow while processing a specific project file. The resulting memory corruption may crash the application. | -- | Apr 18, 2024 | n/a
CVE-2023-50885 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in AGILELOGIX Store Locator WordPress. This issue affects Store Locator WordPress: from n/a through 1.4.14. | -- | Apr 18, 2024 | n/a
CVE-2023-49768 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FormAssembly / Drew Buschhorn WP-FormAssembly allows Stored XSS. This issue affects WP-FormAssembly: from n/a through 2.0.10. | -- | Apr 18, 2024 | n/a
CVE-2023-49742 | Missing Authorization vulnerability in Support Genix. This issue affects Support Genix: from n/a through 1.2.3. | -- | Apr 18, 2024 | n/a
CVE-2023-47843 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Zachary Segal CataBlog. This issue affects CataBlog: from n/a through 1.7.0. | -- | Apr 18, 2024 | n/a
CVE-2023-41864 | Cross-Site Request Forgery (CSRF) vulnerability in Pepro Dev. Group PeproDev CF7 Database. This issue affects PeproDev CF7 Database: from n/a through 1.8.0. | -- | Apr 18, 2024 | n/a
CVE-2023-6897 | The EAN for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.9.2 via the 'alg_wc_ean_product_meta' shortcode due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with contributor-level access and above, to expose potentially sensitive post metadata. | -- | Apr 18, 2024 | n/a
CVE-2023-6892 | The EAN for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'alg_wc_ean_product_meta' shortcode in all versions up to, and including, 4.8.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | -- | Apr 18, 2024 | n/a
CVE-2023-4509 | It is possible for an API key to be logged in clear text in the audit log file after an invalid login attempt. | -- | Apr 18, 2024 | n/a
CVE-2023-4235 | A flaw was found in ofono, an Open Source Telephony on Linux. A stack overflow bug is triggered within the decode_deliver_report() function during the SMS decoding. It is assumed that the attack scenario is accessible from a compromised modem, a malicious base station, or just SMS. There is a bound check for this memcpy length in decode_submit(), but it was forgotten in decode_deliver_report(). | -- | Apr 18, 2024 | n/a
CVE-2023-4234 | A flaw was found in ofono, an Open Source Telephony on Linux. A stack overflow bug is triggered within the decode_submit_report() function during the SMS decoding. It is assumed that the attack scenario is accessible from a compromised modem, a malicious base station, or just SMS. There is a bound check for this memcpy length in decode_submit(), but it was forgotten in decode_submit_report(). | -- | Apr 18, 2024 | n/a
CVE-2023-4233 | A flaw was found in ofono, an Open Source Telephony on Linux. A stack overflow bug is triggered within the sms_decode_address_field() function during the SMS PDU decoding. It is assumed that the attack scenario is accessible from a compromised modem, a malicious base station, or just SMS. | -- | Apr 18, 2024 | n/a
CVE-2023-4232 | A flaw was found in ofono, an Open Source Telephony on Linux. A stack overflow bug is triggered within the decode_status_report() function during the SMS decoding. It is assumed that the attack scenario is accessible from a compromised modem, a malicious base station, or just SMS. There is a bound check for this memcpy length in decode_submit(), but it was forgotten in decode_status_report(). | -- | Apr 18, 2024 | n/a
CVE-2023-3758 | A race condition flaw was found in sssd where the GPO policy is not consistently applied for authenticated users. This may lead to improper authorization issues, granting or denying access to resources inappropriately. | -- | Apr 18, 2024 | n/a
CVE-2023-3675 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Secomea GateManager (Web GUI) allows Reading Data from System Resources. This issue affects GateManager: from 11.0.623074018 before 11.0.623373051. | -- | Apr 18, 2024 | n/a
CVE-2024-32550 | Cross-Site Request Forgery (CSRF) vulnerability in BMI Adult & Kid Calculator allows Stored XSS. This issue affects BMI Adult & Kid Calculator: from n/a through 1.2.1. | -- | Apr 17, 2024 | n/a
CVE-2024-32549 | Cross-Site Request Forgery (CSRF) vulnerability in Microkid Related Posts for WordPress allows Cross-Site Scripting (XSS). This issue affects Related Posts for WordPress: from n/a through 4.0.3. | -- | Apr 17, 2024 | n/a
CVE-2024-32548 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hideki Tanaka What's New Generator allows Stored XSS. This issue affects What's New Generator: from n/a through 2.0.2. | -- | Apr 17, 2024 | n/a
CVE-2024-32547 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Max Bond Code Insert Manager (Q2W3 Inc Manager) allows Reflected XSS. This issue affects Code Insert Manager (Q2W3 Inc Manager): from n/a through 2.5.3. | -- | Apr 17, 2024 | n/a
CVE-2024-32546 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Adam Bowen Tax Rate Upload allows Reflected XSS. This issue affects Tax Rate Upload: from n/a through 2.4.5. | -- | Apr 17, 2024 | n/a
CVE-2024-32545 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Canva Canva – Design beautiful blog graphics allows Reflected XSS. This issue affects Canva – Design beautiful blog graphics: from n/a through 1.2.4. | -- | Apr 17, 2024 | n/a
CVE-2024-32544 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Netgsm allows Reflected XSS. This issue affects Netgsm: from n/a through 2.8. | -- | Apr 17, 2024 | n/a
CVE-2024-32543 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Minoji MJ Update History allows Reflected XSS. This issue affects MJ Update History: from n/a through 1.0.4. | -- | Apr 17, 2024 | n/a
CVE-2024-32542 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Organic Themes Bulk Block Converter allows Reflected XSS. This issue affects Bulk Block Converter: from n/a through 1.0.1. | -- | Apr 17, 2024 | n/a
CVE-2024-32541 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tobias Battenberg WP-Cufon allows Stored XSS. This issue affects WP-Cufon: from n/a through 1.6.10. | -- | Apr 17, 2024 | n/a
CVE-2024-32540 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Web357 Fixed HTML Toolbar allows Stored XSS. This issue affects Fixed HTML Toolbar: from n/a through 1.0.7. | -- | Apr 17, 2024 | n/a
CVE-2024-32539 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in JoomUnited WP File Download Light allows Stored XSS. This issue affects WP File Download Light: from n/a through 1.3.3. | -- | Apr 17, 2024 | n/a
CVE-2024-32538 | Cross-Site Request Forgery (CSRF) vulnerability in Joshua Eldridge Easy CountDowner allows Stored XSS. This issue affects Easy CountDowner: from n/a through 1.0.8. | -- | Apr 17, 2024 | n/a
CVE-2024-32536 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Trade Pips WP TradingView allows Stored XSS. This issue affects WP TradingView: from n/a through 1.7. | -- | Apr 17, 2024 | n/a
The 'Fixed Release' column is displayed only when a single product version is selected in the filter. A fixed release is listed when the CVE has been addressed and fixed for that product version.

Requires LTSS: customers must have active LTSS (Long Term Security Shield) support to receive up-to-date information about vulnerabilities that may affect legacy software. Please contact your Wind River account team or see https://docs.windriver.com/bundle/Support_and_Maintenance_Supplemental_Terms_and_Conditions and https://support2.windriver.com/index.php?page=plc for more information.
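The ofono entries above (CVE-2023-4232, CVE-2023-4234, CVE-2023-4235) all describe the same pattern: a length taken from an SMS PDU is used as a memcpy length into a fixed-size stack buffer, and the bound check that exists in decode_submit() was not carried over to the sibling decoders. The following C is an added example written for this page, not ofono's code or its PDU format; the one-byte length prefix, the ADDR_MAX capacity, the struct layout and the function names are assumptions made for illustration. It shows the unchecked decoder beside the hardened one, plus a constructed PDU with a hostile length that the hardened decoder rejects.

```c
/* Added example, not ofono's code. The PDU layout here is a simplified
 * stand-in (one length byte followed by that many digit bytes), not the
 * real 3GPP SMS encoding. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed fixed capacity of the decoded address buffer. */
#define ADDR_MAX 20

struct address {
    uint8_t len;
    uint8_t digits[ADDR_MAX];
};

/* VULNERABLE pattern: the length byte comes straight from the PDU and is
 * used as the memcpy length. The only check is against the source buffer,
 * so a PDU with len > ADDR_MAX writes past digits[]. Kept for comparison;
 * never call it with untrusted input. */
bool decode_address_unchecked(const uint8_t *pdu, size_t pdu_len,
                              struct address *out)
{
    if (pdu_len < 1)
        return false;
    uint8_t len = pdu[0];
    if (pdu_len < 1 + (size_t)len)
        return false;                  /* source bound only */
    memcpy(out->digits, pdu + 1, len); /* overflows when len > ADDR_MAX */
    out->len = len;
    return true;
}

/* HARDENED: reject before copying if the length exceeds either the source
 * (pdu_len) or the destination capacity (ADDR_MAX). */
bool decode_address_checked(const uint8_t *pdu, size_t pdu_len,
                            struct address *out)
{
    if (pdu_len < 1)
        return false;
    uint8_t len = pdu[0];
    if (len > ADDR_MAX)
        return false;                  /* the bound check the bug lacked */
    if (pdu_len < 1 + (size_t)len)
        return false;
    memcpy(out->digits, pdu + 1, len);
    out->len = len;
    return true;
}

/* Builds a constructed PDU: an attacker-chosen length byte followed by
 * 'len' filler bytes. Returns the total size written, or 0 if it does not
 * fit in buf. */
size_t build_pdu(uint8_t *buf, size_t buf_len, uint8_t len, uint8_t fill)
{
    if (buf_len < 1 + (size_t)len)
        return 0;
    buf[0] = len;
    memset(buf + 1, fill, len);
    return 1 + (size_t)len;
}

int main(void)
{
    uint8_t pdu[256];
    struct address addr;

    /* Benign PDU: 12 digits, fits in ADDR_MAX. */
    size_t n = build_pdu(pdu, sizeof pdu, 12, 0x31);
    printf("benign  checked=%d\n", (int)decode_address_checked(pdu, n, &addr));

    /* Hostile PDU: length 200, far beyond ADDR_MAX. */
    n = build_pdu(pdu, sizeof pdu, 200, 0x41);
    printf("hostile checked=%d (rejected)\n",
           (int)decode_address_checked(pdu, n, &addr));
    /* decode_address_unchecked(pdu, n, &addr) would smash the stack here. */
    return 0;
}
```

The point worth noticing is that the unchecked variant already validates the length against the source buffer, which is how such bugs survive review: the missing check is on the destination capacity, and in the SMS case that length byte is chosen by whoever sends the message.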