The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2024-29234 | Improper neutralization of special elements used in an SQL command (\'SQL Injection\') vulnerability in Group.Save webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to inject SQL commands via unspecified vectors. | -- | Mar 28, 2024 | n/a |
| CVE-2024-29235 | Improper neutralization of special elements used in an SQL command (\'SQL Injection\') vulnerability in IOModule.EnumLog webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to inject SQL commands via unspecified vectors. | -- | Mar 28, 2024 | n/a |
| CVE-2024-29236 | Improper neutralization of special elements used in an SQL command (\'SQL Injection\') vulnerability in AudioPattern.Delete webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to inject SQL commands via unspecified vectors. | -- | Mar 28, 2024 | n/a |
| CVE-2024-29237 | Improper neutralization of special elements used in an SQL command (\'SQL Injection\') vulnerability in ActionRule.Delete webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to inject SQL commands via unspecified vectors. | -- | Mar 28, 2024 | n/a |
| CVE-2024-29238 | Improper neutralization of special elements used in an SQL command (\'SQL Injection\') vulnerability in Log.CountByCategory webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to inject SQL commands via unspecified vectors. | -- | Mar 28, 2024 | n/a |
| CVE-2024-29239 | Improper neutralization of special elements used in an SQL command (\'SQL Injection\') vulnerability in Recording.CountByCategory webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to inject SQL commands via unspecified vectors. | -- | Mar 28, 2024 | n/a |
| CVE-2024-29240 | Missing authorization vulnerability in LayoutSave webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to conduct denial-of-service attacks via unspecified vectors. | -- | Mar 28, 2024 | n/a |
| CVE-2024-29241 | Missing authorization vulnerability in System webapi component in Synology Surveillance Station before 9.2.0-9289 and 9.2.0-11289 allows remote authenticated users to bypass security constraints via unspecified vectors. | -- | Mar 28, 2024 | n/a |
| CVE-2024-29243 | Shenzhen Libituo Technology Co., Ltd LBT-T300-mini v1.2.9 was discovered to contain a buffer overflow via the vpn_client_ip parameter at /apply.cgi. | -- | Mar 21, 2024 | n/a |
| CVE-2024-29244 | Shenzhen Libituo Technology Co., Ltd LBT-T300-mini v1.2.9 was discovered to contain a buffer overflow via the pin_code_3g parameter at /apply.cgi. | -- | Mar 21, 2024 | n/a |
| CVE-2024-29269 | An issue discovered in Telesquare TLR-2005Ksh 1.0.0 and 1.1.4 allows attackers to run arbitrary system commands via the Cmd parameter. | -- | Apr 11, 2024 | n/a |
| CVE-2024-29271 | Reflected Cross-Site Scripting (XSS) vulnerability in VvvebJs before version 1.7.7, allows remote attackers to execute arbitrary code and obtain sensitive information via the action parameter in save.php. | -- | Mar 22, 2024 | n/a |
| CVE-2024-29272 | Arbitrary File Upload vulnerability in VvvebJs before version 1.7.5, allows unauthenticated remote attackers to execute arbitrary code and obtain sensitive information via the sanitizeFileName parameter in save.php. | -- | Mar 22, 2024 | n/a |
| CVE-2024-29273 | There is Stored Cross-Site Scripting (XSS) in dzzoffice 2.02.1 SC UTF8 in uploadfile to index.php, with the XSS payload in an SVG document. | -- | Mar 22, 2024 | n/a |
| CVE-2024-29275 | SQL injection vulnerability in SeaCMS version 12.9, allows remote unauthenticated attackers to execute arbitrary code and obtain sensitive information via the id parameter in class.php. | -- | Mar 22, 2024 | n/a |
| CVE-2024-29276 | An issue was discovered in seeyonOA version 8, allows remote attackers to execute arbitrary code via the importProcess method in WorkFlowDesignerController.class component. | -- | Apr 2, 2024 | n/a |
| CVE-2024-29278 | funboot v1.1 is vulnerable to Cross Site Scripting (XSS) via the title field in create a message . | -- | Apr 1, 2024 | n/a |
| CVE-2024-29291 | An issue in Laravel Framework 8 through 11 might allow a remote attacker to discover database credentials in storage/logs/laravel.log. NOTE: this is disputed by multiple third parties because the owner of a Laravel Framework installation can choose to have debugging logs, but needs to set the access control appropriately for the type of data that may be logged. | -- | Apr 16, 2024 | n/a |
| CVE-2024-29296 | A user enumeration vulnerability was found in Portainer CE 2.19.4. This issue occurs during user authentication process, where a difference in response time could allow a remote unauthenticated user to determine if a username is valid or not. | -- | Apr 10, 2024 | n/a |
| CVE-2024-29301 | SourceCodester PHP Task Management System 1.0 is vulnerable to SQL Injection via update-admin.php?admin_id= | -- | Mar 26, 2024 | n/a |
| CVE-2024-29302 | SourceCodester PHP Task Management System 1.0 is vulnerable to SQL Injection via update-employee.php. | -- | Mar 26, 2024 | n/a |
| CVE-2024-29303 | The delete admin users function of SourceCodester PHP Task Management System 1.0 is vulnerable to SQL Injection | -- | Mar 26, 2024 | n/a |
| CVE-2024-29309 | An issue in Alfresco Content Services v.23.3.0.7 allows a remote attacker to execute arbitrary code via the Transfer Service. | -- | May 2, 2024 | n/a |
| CVE-2024-29316 | NodeBB 3.6.7 is vulnerable to Incorrect Access Control, e.g., a low-privileged attacker can access the restricted tabs for the Admin group via isadmin:true. | -- | Mar 28, 2024 | n/a |
| CVE-2024-29320 | Wallos before 1.15.3 is vulnerable to SQL Injection via the category and payment parameters to /subscriptions/get.php. | -- | Apr 30, 2024 | n/a |
| CVE-2024-29338 | Anchor CMS v0.12.7 was discovered to contain a Cross-Site Request Forgery (CSRF) via /anchor/admin/categories/delete/2. | -- | Mar 22, 2024 | n/a |
| CVE-2024-29366 | A command injection vulnerability exists in the cgibin binary in DIR-845L router firmware <= v1.01KRb03. | -- | Mar 22, 2024 | n/a |
| CVE-2024-29368 | An arbitrary file upload vulnerability in the file handling module of moziloCMS v2.0 allows attackers to bypass extension restrictions via file renaming, potentially leading to unauthorized file execution or storage of malicious content. | -- | Apr 23, 2024 | n/a |
| CVE-2024-29374 | A Cross-Site Scripting (XSS) vulnerability exists in the way MOODLE 3.10.9 handles user input within the GET /?lang= URL parameter. | -- | Mar 21, 2024 | n/a |
| CVE-2024-29375 | CSV Injection vulnerability in Addactis IBNRS v.3.10.3.107 allows a remote attacker to execute arbitrary code via a crafted .ibnrs file to the Project Description, Identifiers, Custom Triangle Name (inside Input Triangles) and Yield Curve Name parameters. | -- | Apr 4, 2024 | n/a |
| CVE-2024-29376 | Sylius 1.12.13 is vulnerable to Cross Site Scripting (XSS) via the Province field in Address Book. | -- | Apr 22, 2024 | n/a |
| CVE-2024-29384 | An issue in CSS Exfil Protection v.1.1.0 allows a remote attacker to obtain sensitive information via the content.js and parseCSSRules functions. | -- | May 1, 2024 | n/a |
| CVE-2024-29385 | DIR-845L router <= v1.01KRb03 has an Unauthenticated remote code execution vulnerability in the cgibin binary via soapcgi_main function. | -- | Mar 22, 2024 | n/a |
| CVE-2024-29386 | projeqtor up to 11.2.0 was discovered to contain a SQL injection vulnerability via the component /view/criticalResourceExport.php. | -- | Apr 5, 2024 | n/a |
| CVE-2024-29387 | projeqtor up to 11.2.0 was discovered to contain a remote code execution (RCE) vulnerability via the component /view/print.php. | -- | Apr 5, 2024 | n/a |
| CVE-2024-29399 | An issue was discovered in GNU Savane v.3.13 and before, allows a remote attacker to execute arbitrary code and escalate privileges via a crafted file to the upload.php component. | -- | Apr 11, 2024 | n/a |
| CVE-2024-29400 | An issue was discovered in RuoYi v4.5.1, allows attackers to obtain sensitive information via the status parameter. | -- | Apr 12, 2024 | n/a |
| CVE-2024-29401 | xzs-mysql 3.8 is vulnerable to Insufficient Session Expiration, which allows attackers to use the session of a deleted admin to do anything. | -- | Mar 26, 2024 | n/a |
| CVE-2024-29402 | cskefu v7 suffers from Insufficient Session Expiration, which allows attackers to exploit the old session for malicious activity. | -- | Apr 16, 2024 | n/a |
| CVE-2024-29413 | Cross Site Scripting vulnerability in Webasyst v.2.9.9 allows a remote attacker to run arbitrary code via the Instant messenger field in the Contact info function. | -- | Apr 4, 2024 | n/a |
| CVE-2024-29417 | Insecure Permissions vulnerability in e-trust Horacius 1.0, 1.1, and 1.2 allows a local attacker to escalate privileges via the password reset function. | -- | May 3, 2024 | n/a |
| CVE-2024-29419 | There is a Cross-site scripting (XSS) vulnerability in the Wireless settings under the Easy Setup Page of TOTOLINK X2000R before v1.0.0-B20231213.1013. | -- | Mar 20, 2024 | n/a |
| CVE-2024-29432 | Alldata v0.4.6 was discovered to contain a SQL injection vulnerability via the tablename parameter at /data/masterdata/datas. | -- | Apr 2, 2024 | n/a |
| CVE-2024-29433 | A deserialization vulnerability in the FASTJSON component of Alldata v0.4.6 allows attackers to execute arbitrary commands via supplying crafted data. | -- | Apr 2, 2024 | n/a |
| CVE-2024-29434 | An issue in the system image upload interface of Alldata v0.4.6 allows attackers to execute a directory traversal when uploading a file. | -- | Apr 2, 2024 | n/a |
| CVE-2024-29435 | An issue discovered in Alldata v0.4.6 allows attacker to run arbitrary commands via the processId parameter. | -- | Apr 2, 2024 | n/a |
| CVE-2024-29439 | An unauthorized node injection vulnerability has been identified in ROS2 Humble Hawksbill in ROS_VERSION 2 and ROS_PYTHON_VERSION 3, allows remote attackers to escalate privileges and inject malicious ROS2 nodes into the system. NOTE: this is disputed by multiple third parties who believe there was not reasonable evidence to determine the existence of a vulnerability. | -- | Apr 11, 2024 | n/a |
| CVE-2024-29440 | An unauthorized access vulnerability has been discovered in ROS2 Humble Hawksbill versions where ROS_VERSION is 2 and ROS_PYTHON_VERSION is 3. This vulnerability could potentially allow a malicious user to gain unauthorized access to multiple ROS2 nodes remotely. Unauthorized access to these nodes could result in compromised system integrity, the execution of arbitrary commands, and disclosure of sensitive information. NOTE: this is disputed by multiple third parties who believe there was not reasonable evidence to determine the existence of a vulnerability. | -- | Mar 26, 2024 | n/a |
| CVE-2024-29441 | An issue was discovered in ROS2 (Robot Operating System 2) Humble Hawksbill in ROS_VERSION 2 and ROS_PYTHON_VERSION 3, allows remote attackers to cause a denial of service (DoS) via the ROS2 nodes. NOTE: this is disputed by multiple third parties who believe there was not reasonable evidence to determine the existence of a vulnerability. | -- | Apr 11, 2024 | n/a |
| CVE-2024-29442 | An unauthorized access vulnerability has been discovered in ROS2 Humble Hawksbill versions where ROS_VERSION is 2 and ROS_PYTHON_VERSION is 3. This vulnerability could potentially allow a malicious user to gain unauthorized access to multiple ROS2 nodes remotely. Unauthorized access to these nodes could result in compromised system integrity, the execution of arbitrary commands, and disclosure of sensitive information. NOTE: this is disputed by multiple third parties who believe there was not reasonable evidence to determine the existence of a vulnerability. | -- | Mar 26, 2024 | n/a |
