The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
ID | Description | Priority | Modified date | Fixed Release |
---|---|---|---|---|
CVE-2024-31817 | In TOTOLINK EX200 V4.0.3c.7646_B20201211, an attacker can obtain sensitive information without authorization through the function getSysStatusCfg. | -- | Apr 8, 2024 | n/a |
CVE-2024-31816 | In TOTOLINK EX200 V4.0.3c.7646_B20201211, an attacker can obtain sensitive information without authorization through the function getEasyWizardCfg. | -- | Apr 8, 2024 | n/a |
CVE-2024-31815 | In TOTOLINK EX200 V4.0.3c.7314_B20191204, an attacker can obtain the configuration file without authorization through /cgi-bin/ExportSettings.sh | -- | Apr 8, 2024 | n/a |
CVE-2024-31814 | TOTOLINK EX200 V4.0.3c.7646_B20201211 allows attackers to bypass login through the Form_Login function. | -- | Apr 8, 2024 | n/a |
CVE-2024-31813 | TOTOLINK EX200 V4.0.3c.7646_B20201211 does not contain an authentication mechanism by default. | -- | Apr 8, 2024 | n/a |
CVE-2024-31812 | In TOTOLINK EX200 V4.0.3c.7646_B20201211, an attacker can obtain sensitive information without authorization through the function getWiFiExtenderConfig. | -- | Apr 8, 2024 | n/a |
CVE-2024-31811 | TOTOLINK EX200 V4.0.3c.7646_B20201211 was discovered to contain a remote code execution (RCE) vulnerability via the langType parameter in the setLanguageCfg function. | -- | Apr 8, 2024 | n/a |
CVE-2024-31809 | TOTOLINK EX200 V4.0.3c.7646_B20201211 was discovered to contain a remote code execution (RCE) vulnerability via the FileName parameter in the setUpgradeFW function. | -- | Apr 8, 2024 | n/a |
CVE-2024-31808 | TOTOLINK EX200 V4.0.3c.7646_B20201211 was discovered to contain a remote code execution (RCE) vulnerability via the webWlanIdx parameter in the setWebWlanIdx function. | -- | Apr 8, 2024 | n/a |
CVE-2024-31807 | TOTOLINK EX200 V4.0.3c.7646_B20201211 was discovered to contain a remote code execution (RCE) vulnerability via the hostTime parameter in the NTPSyncWithHost function. | -- | Apr 8, 2024 | n/a |
CVE-2024-31806 | TOTOLINK EX200 V4.0.3c.7646_B20201211 was discovered to contain a Denial-of-Service (DoS) vulnerability in the RebootSystem function which can reboot the system without authorization. | -- | Apr 8, 2024 | n/a |
CVE-2024-31805 | TOTOLINK EX200 V4.0.3c.7646_B20201211 allows attackers to start the Telnet service without authorization via the telnet_enabled parameter in the setTelnetCfg function. | -- | Apr 8, 2024 | n/a |
CVE-2024-31544 | A stored cross-site scripting (XSS) vulnerability in Computer Laboratory Management System v1.0 allows attackers to execute arbitrary JavaScript code by including malicious payloads into “remarks”, “borrower_name”, “faculty_department” parameters in /classes/Master.php?f=save_record. | -- | Apr 9, 2024 | n/a |
CVE-2024-31507 | Sourcecodester Online Graduate Tracer System v1.0 is vulnerable to SQL Injection via the request parameter in admin/fetch_gendercs.php. | -- | Apr 9, 2024 | n/a |
CVE-2024-31506 | Sourcecodester Online Graduate Tracer System v1.0 is vulnerable to SQL Injection via the id parameter in admin/admin_cs.php. | -- | Apr 9, 2024 | n/a |
CVE-2024-31498 | Yubico ykman-gui (aka YubiKey Manager GUI) before 1.2.6 on Windows, when Edge is not used, allows privilege escalation because browser windows can open as Administrator. | -- | Apr 8, 2024 | n/a |
CVE-2024-31487 | A improper limitation of a pathname to a restricted directory (\'path traversal\') in Fortinet FortiSandbox version 4.4.0 through 4.4.4 and 4.2.0 through 4.2.6 and 4.0.0 through 4.0.5 and 3.2.0 through 3.2.4 and 3.1.0 through 3.1.5 and 3.0.0 through 3.0.7 and 2.5.0 through 2.5.2 and 2.4.0 through 2.4.1 may allows attacker to information disclosure via crafted http requests. | -- | Apr 9, 2024 | n/a |
CVE-2024-31457 | gin-vue-admin is a backstage management system based on vue and gin, which separates the front and rear of the full stack. gin-vue-admin pseudoversion 0.0.0-20240407133540-7bc7c3051067, corresponding to version 2.6.1, has a code injection vulnerability in the backend. In the Plugin System -> Plugin Template feature, an attacker can perform directory traversal by manipulating the `plugName` parameter. They can create specific folders such as `api`, `config`, `global`, `model`, `router`, `service`, and `main.go` function within the specified traversal directory. Moreover, the Go files within these folders can have arbitrary code inserted based on a specific PoC parameter. The main reason for the existence of this vulnerability is the controllability of the PlugName field within the struct. Pseudoversion 0.0.0-20240409100909-b1b7427c6ea6, corresponding to commit b1b7427c6ea6c7a027fa188c6be557f3795e732b, contains a patch for the issue. As a workaround, one may manually use a filtering method available in the GitHub Security Advisory to rectify the directory traversal problem. | -- | Apr 9, 2024 | n/a |
CVE-2024-31455 | Minder by Stacklok is an open source software supply chain security platform. A refactoring in commit `5c381cf` added the ability to get GitHub repositories registered to a project without specifying a specific provider. Unfortunately, the SQL query for doing so was missing parenthesis, and would select a random repository. This issue is patched in pull request 2941. As a workaround, revert prior to `5c381cf`, or roll forward past `2eb94e7`. | -- | Apr 9, 2024 | n/a |
CVE-2024-31454 | PsiTransfer is an open source, self-hosted file sharing solution. Prior to version 2.2.0, the absence of restrictions on the endpoint, which is designed for uploading files, allows an attacker who received the id of a file distribution to change the files that are in this distribution. The vulnerability allows an attacker to influence those users who come to the file distribution after them and slip the victim files with a malicious or phishing signature. Version 2.2.0 contains a patch for this issue. CVE-2024-31454 allows users to violate the integrity of a file that is uploaded by another user. In this case, additional files are not loaded into the file bucket. Violation of integrity at the level of individual files. While the vulnerability with the number CVE-2024-31453 allows users to violate the integrity of a file bucket without violating the integrity of files uploaded by other users. Thus, vulnerabilities are reproduced differently, require different security recommendations and affect different objects of the application’s business logic. | -- | Apr 9, 2024 | n/a |
CVE-2024-31453 | PsiTransfer is an open source, self-hosted file sharing solution. Prior to version 2.2.0, the absence of restrictions on the endpoint, which allows users to create a path for uploading a file in a file distribution, allows an attacker to add arbitrary files to the distribution. The vulnerability allows an attacker to influence those users who come to the file distribution after them and slip the victim files with a malicious or phishing signature. Version 2.2.0 contains a patch for the issue. CVE-2024-31453 allows users to violate the integrity of a file bucket and upload new files there, while the vulnerability with the number CVE-2024-31454 allows users to violate the integrity of a single file that is uploaded by another user by writing data there and not allows you to upload new files to the bucket. Thus, vulnerabilities are reproduced differently, require different security recommendations and affect different objects of the application’s business logic. | -- | Apr 9, 2024 | n/a |
CVE-2024-31447 | Shopware 6 is an open commerce platform based on Symfony Framework and Vue. Starting in version 6.3.5.0 and prior to versions 6.6.1.0 and 6.5.8.8, when a authenticated request is made to `POST /store-api/account/logout`, the cart will be cleared, but the User won\'t be logged out. This affects only the direct store-api usage, as the PHP Storefront listens additionally on `CustomerLogoutEvent` and invalidates the session additionally. The problem has been fixed in Shopware 6.6.1.0 and 6.5.8.8. Those who are unable to update can install the latest version of the Shopware Security Plugin as a workaround. | -- | Apr 8, 2024 | n/a |
CVE-2024-31442 | Redon Hub is a Roblox Product Delivery Bot, also known as a Hub. In all hubs before version 1.0.2, all commands are capable of being ran by all users, including admin commands. This allows users to receive products for free and delete/create/update products/tags/etc. The only non-affected command is `/products admin clear` as this was already programmed for bot owners only. All users should upgrade to version 1.0.2 to receive a patch. | -- | Apr 8, 2024 | n/a |
CVE-2024-31420 | A NULL pointer dereference flaw was found in KubeVirt. This flaw allows an attacker who has access to a virtual machine guest on a node with DownwardMetrics enabled to cause a denial of service by issuing a high number of calls to vm-dump-metrics --virtio and then deleting the virtual machine. | -- | Apr 3, 2024 | n/a |
CVE-2024-31419 | An information disclosure flaw was found in OpenShift Virtualization. The DownwardMetrics feature was introduced to expose host metrics to virtual machine guests and is enabled by default. This issue could expose limited host metrics of a node to any guest in any namespace without being explicitly enabled by an administrator. | -- | Apr 3, 2024 | n/a |
CVE-2024-31393 | Dragging Javascript URLs to the address bar could cause them to be loaded, bypassing restrictions and security protections This vulnerability affects Firefox for iOS < 124. | -- | Apr 3, 2024 | n/a |
CVE-2024-31392 | If an insecure element was added to a page after a delay, Firefox would not replace the secure icon with a mixed content security status This vulnerability affects Firefox for iOS < 124. | -- | Apr 3, 2024 | n/a |
CVE-2024-31390 | Improper Control of Generation of Code (\'Code Injection\') vulnerability in Soflyy Breakdance allows : Code Injection.This issue affects Breakdance: from n/a through 1.7.1. | -- | Apr 5, 2024 | n/a |
CVE-2024-31380 | Improper Control of Generation of Code (\'Code Injection\') vulnerability in Soflyy Oxygen Builder allows Code Injection.This issue affects Oxygen Builder: from n/a through 4.8.2. | -- | Apr 5, 2024 | n/a |
CVE-2024-31375 | Missing Authorization vulnerability in Saleswonder.Biz Team WP2LEADS.This issue affects WP2LEADS: from n/a through 3.2.7. | -- | Apr 8, 2024 | n/a |
CVE-2024-31370 | Improper Neutralization of Special Elements used in an SQL Command (\'SQL Injection\') vulnerability in CodeIsAwesome AIKit.This issue affects AIKit: from n/a through 4.14.1. | -- | Apr 9, 2024 | n/a |
CVE-2024-31369 | Cross-Site Request Forgery (CSRF) vulnerability in PenciDesign Soledad.This issue affects Soledad: from n/a through 8.4.2. | -- | Apr 9, 2024 | n/a |
CVE-2024-31368 | Missing Authorization vulnerability in PenciDesign Soledad.This issue affects Soledad: from n/a through 8.4.2. | -- | Apr 9, 2024 | n/a |
CVE-2024-31367 | Missing Authorization vulnerability in PenciDesign Soledad.This issue affects Soledad: from n/a through 8.4.2. | -- | Apr 9, 2024 | n/a |
CVE-2024-31366 | Missing Authorization vulnerability in Themify Post Type Builder (PTB).This issue affects Post Type Builder (PTB): from n/a through 2.0.8. | -- | Apr 9, 2024 | n/a |
CVE-2024-31365 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in Themify Post Type Builder (PTB) allows Reflected XSS.This issue affects Post Type Builder (PTB): from n/a through 2.0.8. | -- | Apr 9, 2024 | n/a |
CVE-2024-31357 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in BdThemes Ultimate Store Kit Elementor Addons allows Stored XSS.This issue affects Ultimate Store Kit Elementor Addons: from n/a through 1.5.2. | -- | Apr 8, 2024 | n/a |
CVE-2024-31349 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in MailMunch MailMunch – Grow your Email List allows Stored XSS.This issue affects MailMunch – Grow your Email List: from n/a through 3.1.6. | -- | Apr 8, 2024 | n/a |
CVE-2024-31348 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in Themepoints Testimonials allows Stored XSS.This issue affects Testimonials: from n/a through 3.0.5. | -- | Apr 8, 2024 | n/a |
CVE-2024-31346 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in Blocksmarket Gradient Text Widget for Elementor allows Stored XSS.This issue affects Gradient Text Widget for Elementor: from n/a through 1.0.1. | -- | Apr 8, 2024 | n/a |
CVE-2024-31345 | Unrestricted Upload of File with Dangerous Type vulnerability in Sukhchain Singh Auto Poster.This issue affects Auto Poster: from n/a through 1.2. | -- | Apr 8, 2024 | n/a |
CVE-2024-31344 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in Phpbits Creative Studio Easy Login Styler – White Label Admin Login Page for WordPress allows Stored XSS.This issue affects Easy Login Styler – White Label Admin Login Page for WordPress: from n/a through 1.0.6. | -- | Apr 8, 2024 | n/a |
CVE-2024-31308 | Deserialization of Untrusted Data vulnerability in VJInfotech WP Import Export Lite.This issue affects WP Import Export Lite: from n/a through 3.9.26. | -- | Apr 8, 2024 | n/a |
CVE-2024-31306 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in WPDeveloper Essential Blocks for Gutenberg allows Stored XSS.This issue affects Essential Blocks for Gutenberg: from n/a through 4.5.3. | -- | Apr 8, 2024 | n/a |
CVE-2024-31296 | Authorization Bypass Through User-Controlled Key vulnerability in Repute Infosystems BookingPress.This issue affects BookingPress: from n/a through 1.0.81. | -- | Apr 8, 2024 | n/a |
CVE-2024-31292 | Unrestricted Upload of File with Dangerous Type vulnerability in Moove Agency Import XML and RSS Feeds.This issue affects Import XML and RSS Feeds: from n/a through 2.1.5. | -- | Apr 8, 2024 | n/a |
CVE-2024-31291 | Authorization Bypass Through User-Controlled Key vulnerability in Metagauss ProfileGrid.This issue affects ProfileGrid : from n/a through 5.7.6. | -- | Apr 8, 2024 | n/a |
CVE-2024-31288 | Server-Side Request Forgery (SSRF) vulnerability in RapidLoad RapidLoad Power-Up for Autoptimize.This issue affects RapidLoad Power-Up for Autoptimize: from n/a through 2.2.11. | -- | Apr 8, 2024 | n/a |
CVE-2024-31286 | Unrestricted Upload of File with Dangerous Type vulnerability in J.N. Breetvelt a.K.A. OpaJaap WP Photo Album Plus.This issue affects WP Photo Album Plus: from n/a before 8.6.03.005. | -- | Apr 8, 2024 | n/a |
CVE-2024-31280 | Unrestricted Upload of File with Dangerous Type vulnerability in Andy Moyle Church Admin.This issue affects Church Admin: from n/a through 4.1.5. | -- | Apr 8, 2024 | n/a |