The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2024-27932 | Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.8.0 and prior to version 1.40.4, Deno improperly checks that an import specifier\'s hostname is equal to or a child of a token\'s hostname, which can cause tokens to be sent to servers they shouldn\'t be sent to. An auth token intended for `example[.]com` may be sent to `notexample[.]com`. Anyone who uses DENO_AUTH_TOKENS and imports potentially untrusted code is affected. Version 1.40.0 contains a patch for this issue | -- | Mar 21, 2024 | n/a |
| CVE-2024-27933 | Deno is a JavaScript, TypeScript, and WebAssembly runtime. In version 1.39.0, use of raw file descriptors in `op_node_ipc_pipe()` leads to premature close of arbitrary file descriptors, allowing standard input to be re-opened as a different resource resulting in permission prompt bypass. Node child_process IPC relies on the JS side to pass the raw IPC file descriptor to `op_node_ipc_pipe()`, which returns a `IpcJsonStreamResource` ID associated with the file descriptor. On closing the resource, the raw file descriptor is closed together. Use of raw file descriptors in `op_node_ipc_pipe()` leads to premature close of arbitrary file descriptors. This allow standard input (fd 0) to be closed and re-opened for a different resource, which allows a silent permission prompt bypass. This is exploitable by an attacker controlling the code executed inside a Deno runtime to obtain arbitrary code execution on the host machine regardless of permissions. This bug is known to be exploitable. There is a working exploit that achieves arbitrary code execution by bypassing prompts from zero permissions, additionally abusing the fact that Cache API lacks filesystem permission checks. The attack can be conducted silently as stderr can also be closed, suppressing all prompt outputs. Version 1.39.1 fixes the bug. | -- | Mar 21, 2024 | n/a |
| CVE-2024-27934 | Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.36.2 and prior to version 1.40.3, use of inherently unsafe `*const c_void` and `ExternalPointer` leads to use-after-free access of the underlying structure, resulting in arbitrary code execution. Use of inherently unsafe `*const c_void` and `ExternalPointer` leads to use-after-free access of the underlying structure, which is exploitable by an attacker controlling the code executed inside a Deno runtime to obtain arbitrary code execution on the host machine regardless of permissions. This bug is known to be exploitable for both `*const c_void` and `ExternalPointer` implementations. Version 1.40.3 fixes this issue. | -- | Mar 21, 2024 | n/a |
| CVE-2024-27935 | Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.35.1 and prior to version 1.36.3, a vulnerability in Deno\'s Node.js compatibility runtime allows for cross-session data contamination during simultaneous asynchronous reads from Node.js streams sourced from sockets or files. The issue arises from the re-use of a global buffer (BUF) in stream_wrap.ts used as a performance optimization to limit allocations during these asynchronous read operations. This can lead to data intended for one session being received by another session, potentially resulting in data corruption and unexpected behavior. This affects all users of Deno that use the node.js compatibility layer for network communication or other streams, including packages that may require node.js libraries indirectly. Version 1.36.3 contains a patch for this issue. | -- | Mar 21, 2024 | n/a |
| CVE-2024-27936 | Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. Starting in version 1.32.1 and prior to version 1.41 of the deno_runtime library, maliciously crafted permission request can show the spoofed permission prompt by inserting a broken ANSI escape sequence into the request contents. Deno is stripping any ANSI escape sequences from the permission prompt, but permissions given to the program are based on the contents that contain the ANSI escape sequences. Any Deno program can spoof the content of the interactive permission prompt by inserting a broken ANSI code, which allows a malicious Deno program to display the wrong file path or program name to the user. Version 1.41 of the deno_runtime library contains a patch for the issue. | -- | Mar 21, 2024 | n/a |
| CVE-2024-27937 | GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. An authenticated user can obtain the email address of all GLPI users. This issue has been patched in version 10.0.13. | -- | Mar 18, 2024 | n/a |
| CVE-2024-27938 | Postal is an open source SMTP server. Postal versions less than 3.0.0 are vulnerable to SMTP Smuggling attacks which may allow incoming e-mails to be spoofed. This, in conjunction with a cooperative outgoing SMTP service, would allow for an incoming e-mail to be received by Postal addressed from a server that a user has \'authorised\' to send mail on their behalf but were not the genuine author of the e-mail. Postal is not affected for sending outgoing e-mails as email is re-encoded with `<CR><LF>` line endings when transmitted over SMTP. This issue has been addressed and users should upgrade to Postal v3.0.0 or higher. Once upgraded, Postal will only accept End of DATA sequences which are explicitly `<CR><LF>.<CR><LF>`. If a non-compliant sequence is detected it will be logged to the SMTP server log. There are no workarounds for this issue. | -- | Mar 12, 2024 | n/a |
| CVE-2024-27939 | A vulnerability has been identified in RUGGEDCOM CROSSBOW (All versions < V5.5). The affected systems allow the upload of arbitrary files of any unauthenticated user. An attacker could leverage this vulnerability and achieve arbitrary code execution with system privileges. | -- | May 14, 2024 | n/a |
| CVE-2024-27940 | A vulnerability has been identified in RUGGEDCOM CROSSBOW (All versions < V5.5). The affected systems allow any authenticated user to send arbitrary SQL commands to the SQL server. An attacker could use this vulnerability to compromise the whole database. | -- | May 14, 2024 | n/a |
| CVE-2024-27941 | A vulnerability has been identified in RUGGEDCOM CROSSBOW (All versions < V5.5). The affected client systems do not properly sanitize input data before sending it to the SQL server. An attacker could use this vulnerability to compromise the whole database. | -- | May 14, 2024 | n/a |
| CVE-2024-27942 | A vulnerability has been identified in RUGGEDCOM CROSSBOW (All versions < V5.5). The affected systems allow any unauthenticated client to disconnect any active user from the server. An attacker could use this vulnerability to prevent any user to perform actions in the system, causing a denial of service situation. | -- | May 14, 2024 | n/a |
| CVE-2024-27943 | A vulnerability has been identified in RUGGEDCOM CROSSBOW (All versions < V5.5). The affected systems allow a privileged user to upload generic files to the root installation directory of the system. By replacing specific files, an attacker could tamper specific files or even achieve remote code execution. | -- | May 14, 2024 | n/a |
| CVE-2024-27944 | A vulnerability has been identified in RUGGEDCOM CROSSBOW (All versions < V5.5). The affected systems allow a privileged user to upload firmware files to the root installation directory of the system. By replacing specific files, an attacker could tamper specific files or even achieve remote code execution. | -- | May 14, 2024 | n/a |
| CVE-2024-27945 | A vulnerability has been identified in RUGGEDCOM CROSSBOW (All versions < V5.5). The bulk import feature of the affected systems allow a privileged user to upload files to the root installation directory of the system. By replacing specific files, an attacker could tamper specific files or even achieve remote code execution. | -- | May 14, 2024 | n/a |
| CVE-2024-27946 | A vulnerability has been identified in RUGGEDCOM CROSSBOW (All versions < V5.5). Downloading files overwrites files with the same name in the installation directory of the affected systems. The filename for the target file can be specified, thus arbitrary files can be overwritten by an attacker with the required privileges. | -- | May 14, 2024 | n/a |
| CVE-2024-27947 | A vulnerability has been identified in RUGGEDCOM CROSSBOW (All versions < V5.5). The affected systems could allow log messages to be forwarded to a specific client under certain circumstances. An attacker could leverage this vulnerability to forward log messages to a specific compromised client. | -- | May 14, 2024 | n/a |
| CVE-2024-27948 | Cross-Site Request Forgery (CSRF) vulnerability in bytesforall Atahualpa.This issue affects Atahualpa: from n/a through 3.7.24. | -- | Feb 29, 2024 | n/a |
| CVE-2024-27949 | Server-Side Request Forgery (SSRF) vulnerability in sirv.Com Image Optimizer, Resizer and CDN – Sirv.This issue affects Image Optimizer, Resizer and CDN – Sirv: from n/a through 7.2.0. | -- | Mar 1, 2024 | n/a |
| CVE-2024-27950 | Missing Authorization vulnerability in sirv.Com Image Optimizer, Resizer and CDN – Sirv.This issue affects Image Optimizer, Resizer and CDN – Sirv: from n/a through 7.2.0. | -- | Mar 1, 2024 | n/a |
| CVE-2024-27951 | Unrestricted Upload of File with Dangerous Type vulnerability in Themeisle Multiple Page Generator Plugin – MPG allows Upload a Web Shell to a Web Server.This issue affects Multiple Page Generator Plugin – MPG: from n/a through 3.4.0. | -- | Apr 3, 2024 | n/a |
| CVE-2024-27952 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in WP Codeus Advanced Sermons allows Reflected XSS.This issue affects Advanced Sermons: from n/a through 3.2. | -- | Mar 13, 2024 | n/a |
| CVE-2024-27953 | Missing Authorization vulnerability in Cool Plugins Cryptocurrency Widgets – Price Ticker & Coins List.This issue affects Cryptocurrency Widgets – Price Ticker & Coins List: from n/a through 2.6.8. | -- | Mar 13, 2024 | n/a |
| CVE-2024-27956 | Improper Neutralization of Special Elements used in an SQL Command (\'SQL Injection\') vulnerability in ValvePress Automatic allows SQL Injection.This issue affects Automatic: from n/a through 3.92.0. | -- | Mar 21, 2024 | n/a |
| CVE-2024-27957 | Unrestricted Upload of File with Dangerous Type vulnerability in Pie Register.This issue affects Pie Register: from n/a through 3.8.3.1. | -- | Mar 17, 2024 | n/a |
| CVE-2024-27958 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in Themeisle Visualizer allows Reflected XSS.This issue affects Visualizer: from n/a through 3.10.5. | -- | Mar 17, 2024 | n/a |
| CVE-2024-27959 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in Wpexpertsio WC Shop Sync – Integrate Square and WooCommerce for Seamless Shop Management allows Reflected XSS.This issue affects WC Shop Sync – Integrate Square and WooCommerce for Seamless Shop Management: from n/a through 4.2.9. | -- | Mar 17, 2024 | n/a |
| CVE-2024-27960 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in I Thirteen Web Solution Email Subscription Popup allows Stored XSS.This issue affects Email Subscription Popup: from n/a through 1.2.20. | -- | Mar 17, 2024 | n/a |
| CVE-2024-27961 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in Codekraft AntiSpam for Contact Form 7 allows Reflected XSS.This issue affects AntiSpam for Contact Form 7: from n/a through 0.6.0. | -- | Mar 17, 2024 | n/a |
| CVE-2024-27962 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in Florian \'fkrauthan\' Krauthan allows Reflected XSS.This issue affects wp-mpdf: from n/a through 3.7.1. | -- | Mar 21, 2024 | n/a |
| CVE-2024-27963 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in Crisp allows Stored XSS.This issue affects Crisp: from n/a through 0.44. | -- | Mar 21, 2024 | n/a |
| CVE-2024-27964 | Unrestricted Upload of File with Dangerous Type vulnerability in Gesundheit Bewegt GmbH Zippy.This issue affects Zippy: from n/a through 1.6.9. | -- | Mar 21, 2024 | n/a |
| CVE-2024-27965 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in WPFunnels Team WPFunnels allows Stored XSS.This issue affects WPFunnels: from n/a through 3.0.6. | -- | Mar 21, 2024 | n/a |
| CVE-2024-27966 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in ExpressTech Quiz And Survey Master allows Stored XSS.This issue affects Quiz And Survey Master: from n/a through 8.2.2. | -- | Apr 11, 2024 | n/a |
| CVE-2024-27967 | Cross-Site Request Forgery (CSRF) vulnerability in Michael Leithold DSGVO All in one for WP.This issue affects DSGVO All in one for WP: from n/a through 4.3. | -- | Apr 11, 2024 | n/a |
| CVE-2024-27968 | Cross-Site Request Forgery (CSRF) vulnerability in Optimole Super Page Cache for Cloudflare allows Stored XSS.This issue affects Super Page Cache for Cloudflare: from n/a through 4.7.5. | -- | Mar 21, 2024 | n/a |
| CVE-2024-27969 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in WP Enhanced Free Downloads WooCommerce allows Stored XSS.This issue affects Free Downloads WooCommerce: from n/a through 3.5.8.2. | -- | Apr 11, 2024 | n/a |
| CVE-2024-27970 | Missing Authorization vulnerability in BogdanFix WP SendFox.This issue affects WP SendFox: from n/a through 1.3.0. | -- | Apr 11, 2024 | n/a |
| CVE-2024-27972 | Improper Neutralization of Special Elements used in a Command (\'Command Injection\') vulnerability in Very Good Plugins WP Fusion Lite allows Command Injection.This issue affects WP Fusion Lite: from n/a through 3.41.24. | -- | Apr 3, 2024 | n/a |
| CVE-2024-27974 | Cross-site request forgery vulnerability in FUJIFILM printers which implement CentreWare Internet Services or Internet Services allows a remote unauthenticated attacker to alter user information. In the case the user is an administrator, the settings such as the administrator\'s ID, password, etc. may be altered. As for the details of affected product names, model numbers, and versions, refer to the information provided by the vendor listed under [References]. | -- | Mar 18, 2024 | n/a |
| CVE-2024-27975 | An Use-after-free vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM. | -- | Apr 19, 2024 | n/a |
| CVE-2024-27976 | A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to execute arbitrary commands as SYSTEM. | -- | Apr 19, 2024 | n/a |
| CVE-2024-27977 | A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to delete arbitrary files, thereby leading to Denial-of-Service. | -- | Apr 19, 2024 | n/a |
| CVE-2024-27978 | A Null Pointer Dereference vulnerability in WLAvalancheService component of Ivanti Avalanche before 6.4.3 allows an authenticated remote attacker to perform denial of service attacks. | -- | Apr 19, 2024 | n/a |
| CVE-2024-27980 | -- | Apr 12, 2024 | n/a | |
| CVE-2024-27981 | A Command Injection vulnerability found in a Self-Hosted UniFi Network Servers (Linux) with UniFi Network Application (Version 8.0.28 and earlier) allows a malicious actor with UniFi Network Application Administrator credentials to escalate privileges to root on the host device. Affected Products: UniFi Network Application (Version 8.0.28 and earlier) . Mitigation: Update UniFi Network Application to Version 8.1.113 or later. | -- | Apr 5, 2024 | n/a |
| CVE-2024-27982 | The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attackers to smuggle in a second request within the body of the first. | -- | Apr 4, 2024 | n/a |
| CVE-2024-27983 | An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition. | -- | Apr 9, 2024 | n/a |
| CVE-2024-27984 | A Path Traversal vulnerability in web component of Ivanti Avalanche before 6.4.3 allows a remote authenticated attacker to delete specific type of files and/or cause denial of service. | -- | Apr 19, 2024 | n/a |
| CVE-2024-27985 | Deserialization of Untrusted Data vulnerability in PropertyHive.This issue affects PropertyHive: from n/a through 2.0.9. | -- | Apr 11, 2024 | n/a |
| CVE-2024-27986 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in Livemesh Elementor Addons by Livemesh allows Stored XSS.This issue affects Elementor Addons by Livemesh: from n/a through 8.3.5. | -- | Mar 14, 2024 | n/a |
