Wind River Support Network

CVE Database

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

ID | Description | Priority | Modified date | Fixed Release
CVE-2024-33670 Passbolt API before 4.6.2 allows HTML injection in a URL parameter, resulting in custom content being displayed when a user visits the crafted URL. Although the injected content is not executed as JavaScript due to Content Security Policy (CSP) restrictions, it may still impact the appearance and user interaction of the page. -- Apr 26, 2024 n/a
CVE-2024-33669 An issue was discovered in Passbolt Browser Extension before 4.6.2. It can send multiple requests to HaveIBeenPwned while a password is being typed, which results in an information leak. This allows an attacker capable of observing Passbolt's HTTPS queries to the Pwned Password API to more easily brute force passwords that are manually typed by the user. -- Apr 26, 2024 n/a
CVE-2024-33668 An issue was discovered in Zammad before 6.3.0. The Zammad Upload Cache uses insecure, partially guessable FormIDs to identify content. An attacker could try to brute force them to upload malicious content to article drafts they have no access to. -- Apr 26, 2024 n/a
CVE-2024-33667 An issue was discovered in Zammad before 6.3.0. An authenticated agent could perform a remote Denial of Service attack by calling an endpoint that accepts a generic method name, which was not properly sanitized against an allowlist. -- Apr 26, 2024 n/a
CVE-2024-33666 An issue was discovered in Zammad before 6.3.0. Users with customer access to a ticket could have accessed time accounting details of this ticket via the API. This data should be available only to agents. -- Apr 26, 2024 n/a
CVE-2024-33665 angular-translate through 2.19.1 allows XSS via a crafted key that is used by the translate directive. NOTE: the vendor indicates that there is no documentation indicating that a key is supposed to be safe against XSS attacks. -- Apr 26, 2024 n/a
CVE-2024-33664 python-jose through 3.3.0 allows attackers to cause a denial of service (resource consumption) during a decode via a crafted JSON Web Encryption (JWE) token with a high compression ratio, aka a JWT bomb. This is similar to CVE-2024-21319. -- Apr 26, 2024 n/a
CVE-2024-33663 python-jose through 3.3.0 has algorithm confusion with OpenSSH ECDSA keys and other key formats. This is similar to CVE-2022-29217. -- Apr 26, 2024 n/a
CVE-2024-33661 Portainer before 2.20.0 allows redirects when the target is not index.yaml. -- Apr 26, 2024 n/a
CVE-2024-33602 -- Apr 26, 2024 n/a
CVE-2024-33601 -- Apr 26, 2024 n/a
CVE-2024-33600 -- Apr 26, 2024 n/a
CVE-2024-33599 -- Apr 26, 2024 n/a
CVE-2024-33592 Server-Side Request Forgery (SSRF) vulnerability in SoftLab Radio Player. This issue affects Radio Player: from n/a through 2.0.73. -- Apr 25, 2024 n/a
CVE-2024-33531 cdbattags lua-resty-jwt 0.2.3 allows attackers to bypass all JWT-parsing signature checks by crafting a JWT with an enc header with the value A256GCM. -- Apr 24, 2024 n/a
CVE-2024-33247 Sourcecodester Employee Task Management System v1.0 is vulnerable to SQL Injection via admin-manage-user.php. -- Apr 25, 2024 n/a
CVE-2024-33217 Tenda FH1206 V1.2.0.8(8155)_EN was discovered to contain a stack-based buffer overflow vulnerability via the page parameter in ip/goform/addressNat. -- Apr 23, 2024 n/a
CVE-2024-33215 Tenda FH1206 V1.2.0.8(8155)_EN was discovered to contain a stack-based buffer overflow vulnerability via the mitInterface parameter in ip/goform/addressNat. -- Apr 23, 2024 n/a
CVE-2024-33214 Tenda FH1206 V1.2.0.8(8155)_EN was discovered to contain a stack-based buffer overflow vulnerability via the entrys parameter in ip/goform/RouteStatic. -- Apr 23, 2024 n/a
CVE-2024-33213 Tenda FH1206 V1.2.0.8(8155)_EN was discovered to contain a stack-based buffer overflow vulnerability via the mitInterface parameter in ip/goform/RouteStatic. -- Apr 23, 2024 n/a
CVE-2024-33212 Tenda FH1206 V1.2.0.8(8155)_EN was discovered to contain a stack-based buffer overflow vulnerability via the funcpara1 parameter in ip/goform/setcfm. -- Apr 23, 2024 n/a
CVE-2024-33211 Tenda FH1206 V1.2.0.8(8155)_EN was discovered to contain a stack-based buffer overflow vulnerability via the PPPOEPassword parameter in ip/goform/QuickIndex. -- Apr 23, 2024 n/a
CVE-2024-32961 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Creative Themes HQ Blocksy allows Stored XSS. This issue affects Blocksy: from n/a through 2.0.33. -- Apr 25, 2024 n/a
CVE-2024-32958 Cross-Site Request Forgery (CSRF) vulnerability in Giorgos Sarigiannidis Slash Admin allows Cross-Site Scripting (XSS). This issue affects Slash Admin: from n/a through 3.8.1. -- Apr 24, 2024 n/a
CVE-2024-32956 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rometheme RomethemeKit For Elementor allows Stored XSS. This issue affects RomethemeKit For Elementor: from n/a through 1.4.1. -- Apr 24, 2024 n/a
CVE-2024-32955 Server-Side Request Forgery (SSRF) vulnerability in Foliovision FV Flowplayer Video Player. This issue affects FV Flowplayer Video Player: from n/a through 7.5.43.7212. -- Apr 24, 2024 n/a
CVE-2024-32954 Unrestricted Upload of File with Dangerous Type vulnerability in Tribulant Newsletters. This issue affects Newsletters: from n/a through 4.9.5. -- Apr 24, 2024 n/a
CVE-2024-32953 Insertion of Sensitive Information into Log File vulnerability in Newsletters. This issue affects Newsletters: from n/a through 4.9.5. -- Apr 24, 2024 n/a
CVE-2024-32952 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BloomPixel Max Addons Pro for Bricks allows Reflected XSS. This issue affects Max Addons Pro for Bricks: from n/a through 1.6.1. -- Apr 24, 2024 n/a
CVE-2024-32951 Missing Authorization vulnerability in BloomPixel Max Addons Pro for Bricks. This issue affects Max Addons Pro for Bricks: from n/a through 1.6.1. -- Apr 24, 2024 n/a
CVE-2024-32950 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DeBAAT WP Media Category Management allows Reflected XSS. This issue affects WP Media Category Management: from n/a through 2.2. -- Apr 24, 2024 n/a
CVE-2024-32948 Missing Authorization vulnerability in Repute Infosystems ARMember. This issue affects ARMember: from n/a through 4.0.28. -- Apr 24, 2024 n/a
CVE-2024-32947 Cross-Site Request Forgery (CSRF) vulnerability in AlumniOnline Web Services LLC WP ADA Compliance Check Basic. This issue affects WP ADA Compliance Check Basic: from n/a through 3.1.3. -- Apr 24, 2024 n/a
CVE-2024-32879 Python Social Auth is a social authentication/registration mechanism. Prior to version 5.4.1, due to default case-insensitive collation in MySQL or MariaDB databases, third-party authentication user IDs are not case-sensitive and could cause different IDs to match. This issue has been addressed by a fix released in version 5.4.1. An immediate workaround would be to change collation of the affected field. -- Apr 25, 2024 n/a
CVE-2024-32876 NewPipe is an Android app for video streaming written in Java. It supports exporting and importing backups, as a way to let users move their data to a new device effortlessly. However, in versions 0.13.4 through 0.26.1, importing a backup file from an untrusted source could have resulted in Arbitrary Code Execution. This is because backups are serialized/deserialized using Java's Object Serialization Stream Protocol, which can allow constructing any class in the app, unless properly restricted. To exploit this vulnerability, an attacker would need to build a backup file containing the exploit, and then persuade a user into importing it. During the import process, the malicious code would be executed, possibly crashing the app, stealing user data from the NewPipe app, performing nasty actions through Android APIs, and attempting Android JVM/Sandbox escapes through vulnerabilities in the Android OS. The attack can take place only if the user imports a malicious backup file, so an attacker would need to trick a user into importing a backup file from a source they can control. The implementation details of the malicious backup file can be independent of the attacked user or the device they are being run on, and do not require additional privileges. All NewPipe versions from 0.13.4 to 0.26.1 are vulnerable. NewPipe version 0.27.0 fixes the issue by doing the following: Restrict the classes that can be deserialized when calling Java's Object Serialization Stream Protocol, by adding a whitelist with only innocuous data-only classes that can't lead to Arbitrary Code Execution; deprecate backups serialized with Java's Object Serialization Stream Protocol; use JSON serialization for all newly created backups (but still include an alternative file serialized with Java's Object Serialization Stream Protocol in the backup zip for backwards compatibility); show a warning to the user when attempting to import a backup where the only available serialization mode is Java's Object Serialization Stream Protocol (note that in the future this serialization mode will be removed completely). -- Apr 24, 2024 n/a
CVE-2024-32875 Hugo is a static site generator. Starting in version 0.123.0 and prior to version 0.125.3, title arguments in Markdown for links and images not escaped in internal render hooks. Hugo users who are impacted are those who have these hooks enabled and do not trust their Markdown content files. The issue is patched in v0.125.3. As a workaround, replace the templates with user defined templates or disable the internal templates. -- Apr 23, 2024 n/a
CVE-2024-32872 Umbraco workflow provides workflows for the Umbraco content management system. Prior to versions 10.3.9, 12.2.6, and 13.0.6, an Umbraco Backoffice user can modify requests to a particular API endpoint to include SQL, which will be executed by the server. Umbraco Workflow versions 10.3.9, 12.2.6, 13.0.6, as well as Umbraco Plumber version 10.1.2, contain a patch for this issue. -- Apr 24, 2024 n/a
CVE-2024-32869 Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.2.7, when using serveStatic with deno, it is possible to traverse the directory where `main.ts` is located. This can result in retrieval of unexpected files. Version 4.2.7 contains a patch for the issue. -- Apr 23, 2024 n/a
CVE-2024-32868 ZITADEL provides users the possibility to use Time-based One-Time-Password (TOTP) and One-Time-Password (OTP) through SMS and Email. While ZITADEL already gives administrators the option to define a `Lockout Policy` with a maximum amount of failed password check attempts, there was no such mechanism for (T)OTP checks. This issue has been patched in version 2.50.0. -- Apr 26, 2024 n/a
CVE-2024-32867 -- Apr 24, 2024 n/a
CVE-2024-32866 Conform, a type-safe form validation library, allows the parsing of nested objects in the form of `object.property`. Due to an improper implementation of this feature in versions prior to 1.1.1, an attacker can exploit the feature to trigger prototype pollution by passing a crafted input to `parseWith...` functions. Applications that use conform for server-side validation of form data or URL parameters are affected by this vulnerability. Version 1.1.1 contains a patch for the issue. -- Apr 23, 2024 n/a
CVE-2024-32836 Unrestricted Upload of File with Dangerous Type vulnerability in WP Lab WP-Lister Lite for eBay. This issue affects WP-Lister Lite for eBay: from n/a through 3.5.11. -- Apr 24, 2024 n/a
CVE-2024-32835 Deserialization of Untrusted Data vulnerability in WebToffee Import Export WordPress Users. This issue affects Import Export WordPress Users: from n/a through 2.5.3. -- Apr 24, 2024 n/a
CVE-2024-32834 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WebToffee WooCommerce Shipping Label allows Stored XSS. This issue affects WooCommerce Shipping Label: from n/a through 2.3.8. -- Apr 24, 2024 n/a
CVE-2024-32833 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nick Halsey List Custom Taxonomy Widget allows Stored XSS. This issue affects List Custom Taxonomy Widget: from n/a through 4.1. -- Apr 24, 2024 n/a
CVE-2024-32825 Insertion of Sensitive Information into Log File vulnerability in Patrick Posner Simply Static. This issue affects Simply Static: from n/a through 3.1.3. -- Apr 24, 2024 n/a
CVE-2024-32823 Authorization Bypass Through User-Controlled Key vulnerability in FeedbackWP Rate my Post – WP Rating System. This issue affects Rate my Post – WP Rating System: from n/a through 3.4.4. -- Apr 24, 2024 n/a
CVE-2024-32819 Server-Side Request Forgery (SSRF) vulnerability in Culqi. This issue affects Culqi: from n/a through 3.0.14. -- Apr 24, 2024 n/a
CVE-2024-32817 Deserialization of Untrusted Data vulnerability in Import and export users and customers. This issue affects Import and export users and customers: from n/a through 1.26.2. -- Apr 24, 2024 n/a
CVE-2024-32816 Exposure of Sensitive Information to an Unauthorized Actor vulnerability in PickPlugins Post Grid. This issue affects Post Grid: from n/a through 2.2.78. -- Apr 24, 2024 n/a
The 'Fixed Release' column is displayed if a single product version is selected from the filter. The fixed release is applicable in cases when the CVE has been addressed and fixed for that product version. Requires LTSS - customers must have active LTSS (Long Term Security Shield) Support to receive up-to-date information about vulnerabilities that may affect legacy software. Please contact your Wind River account team or see https://docs.windriver.com/bundle/Support_and_Maintenance_Supplemental_Terms_and_Conditions and https://support2.windriver.com/index.php?page=plc for more information.