The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2024-25151 | The Calendar module in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 15, and older unsupported versions does not escape user supplied data in the default notification email template, which allows remote authenticated users to inject arbitrary web script or HTML via the title of a calendar event or the user\'s name. This may lead to a content spoofing or cross-site scripting (XSS) attacks depending on the capability of the receiver\'s mail client. | -- | Feb 21, 2024 |
| CVE-2024-25152 | Stored cross-site scripting (XSS) vulnerability in Message Board widget in Liferay Portal 7.2.0 through 7.4.2, and older unsupported versions, and Liferay DXP 7.3 before service pack 3, 7.2 before fix pack 17, and older unsupported versions allows remote authenticated users to inject arbitrary web script or HTML via the filename of an attachment. | -- | Feb 21, 2024 |
| CVE-2024-25153 | A directory traversal within the ‘ftpservlet’ of the FileCatalyst Workflow Web Portal allows files to be uploaded outside of the intended ‘uploadtemp’ directory with a specially crafted POST request. In situations where a file is successfully uploaded to web portal’s DocumentRoot, specially crafted JSP files could be used to execute code, including web shells. | -- | Mar 13, 2024 |
| CVE-2024-25154 | Improper URL validation leads to path traversal in FileCatalyst Direct 3.8.8 and earlier allowing an encoded payload to cause the web server to return files located outside of the web root which may lead to data leakage. | -- | Mar 13, 2024 |
| CVE-2024-25155 | In FileCatalyst Direct 3.8.8 and earlier through 3.8.6, the web server does not properly sanitize illegal characters in a URL which is then displayed on a subsequent error page. A malicious actor could craft a URL which would then execute arbitrary code within an HTML script tag. | -- | Mar 13, 2024 |
| CVE-2024-25156 | A path traversal vulnerability exists in GoAnywhere MFT prior to 7.4.2 which allows attackers to circumvent endpoint-specific permission checks in the GoAnywhere Admin and Web Clients. | -- | Mar 14, 2024 |
| CVE-2024-25164 | iA Path Traversal vulnerability exists in iDURAR v2.0.0, that allows unauthenticated attackers to expose sensitive files via the download functionality. | -- | Mar 5, 2024 |
| CVE-2024-25165 | A global-buffer-overflow vulnerability was found in SWFTools v0.9.2, in the function LineText at lib/swf5compiler.flex. | -- | Feb 15, 2024 |
| CVE-2024-25166 | Cross Site Scripting vulnerability in 71CMS v.1.0.0 allows a remote attacker to execute arbitrary code via the uploadfile action parameter in the controller.php file. | -- | Feb 27, 2024 |
| CVE-2024-25167 | Cross Site Scripting vulnerability in eblog v1.0 allows a remote attacker to execute arbitrary code via a crafted script to the argument description parameter when submitting a comment on a post. | -- | Mar 21, 2024 |
| CVE-2024-25168 | SQL injection vulnerability in snow snow v.2.0.0 allows a remote attacker to execute arbitrary code via the dataScope parameter of the system/role/list interface. | -- | Mar 22, 2024 |
| CVE-2024-25169 | An issue in Mezzanine v6.0.0 allows attackers to bypass access control mechanisms in the admin panel via a crafted request. | -- | Feb 29, 2024 |
| CVE-2024-25170 | An issue in Mezzanine v6.0.0 allows attackers to bypass access controls via manipulating the Host header. | -- | Feb 29, 2024 |
| CVE-2024-25175 | An issue in Kickdler before v1.107.0 allows attackers to provide an XSS payload via a HTTP response splitting attack. | -- | Mar 25, 2024 |
| CVE-2024-25180 | An issue discovered in pdfmake 0.2.9 allows remote attackers to run arbitrary code via crafted POST request to the /pdf endpoint. NOTE: this is disputed because the behavior of the /pdf endpoint is intentional. The /pdf endpoint is only available after installing a test framework (that lives outside of the pdfmake applicaton). Anyone installing this is responsible for ensuring that it is only available to authorized testers. | -- | Feb 29, 2024 |
| CVE-2024-25187 | Server Side Request Forgery (SSRF) vulnerability in 71cms v1.0.0, allows remote unauthenticated attackers to obtain sensitive information via getweather.html. | -- | Apr 2, 2024 |
| CVE-2024-25189 | libjwt 1.15.3 uses strcmp (which is not constant time) to verify authentication, which makes it easier to bypass authentication via a timing side channel. | -- | Feb 8, 2024 |
| CVE-2024-25190 | l8w8jwt 2.2.1 uses memcmp (which is not constant time) to verify authentication, which makes it easier to bypass authentication via a timing side channel. | -- | Feb 8, 2024 |
| CVE-2024-25191 | php-jwt 1.0.0 uses strcmp (which is not constant time) to verify authentication, which makes it easier to bypass authentication via a timing side channel. | -- | Feb 8, 2024 |
| CVE-2024-25196 | Open Robotics Robotic Operating Sytstem 2 (ROS2) and Nav2 humble versions were discovered to contain a buffer overflow via the nav2_controller process. This vulnerability is triggerd via sending a crafted .yaml file. | -- | Feb 20, 2024 |
| CVE-2024-25197 | Open Robotics Robotic Operating Sytstem 2 (ROS2) and Nav2 humble versions were discovered to contain a NULL pointer dereference via the isCurrent() function at /src/layered_costmap.cpp. | -- | Feb 20, 2024 |
| CVE-2024-25198 | Inappropriate pointer order of laser_scan_filter_.reset() and tf_listener_.reset() (amcl_node.cpp) in Open Robotics Robotic Operating Sytstem 2 (ROS2) and Nav2 humble versions leads to a use-after-free. | -- | Feb 20, 2024 |
| CVE-2024-25199 | Inappropriate pointer order of map_sub_ and map_free(map_) (amcl_node.cpp) in Open Robotics Robotic Operating Sytstem 2 (ROS2) and Nav2 humble versions leads to a use-after-free. | -- | Feb 20, 2024 |
| CVE-2024-25200 | Espruino 2v20 (commit fcc9ba4) was discovered to contain a Stack Overflow via the jspeFactorFunctionCall at src/jsparse.c. | -- | Feb 7, 2024 |
| CVE-2024-25201 | Espruino 2v20 (commit fcc9ba4) was discovered to contain an Out-of-bounds Read via jsvStringIteratorPrintfCallback at src/jsvar.c. | -- | Feb 7, 2024 |
| CVE-2024-25202 | Cross Site Scripting vulnerability in Phpgurukul User Registration & Login and User Management System 1.0 allows attackers to run arbitrary code via the search bar. | -- | Feb 29, 2024 |
| CVE-2024-25207 | Barangay Population Monitoring System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability in the Add Resident function at /barangay-population-monitoring-system/masterlist.php. This vulnerabiity allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Contact Number parameter. | -- | Feb 15, 2024 |
| CVE-2024-25208 | Barangay Population Monitoring System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability in the Add Resident function at /barangay-population-monitoring-system/masterlist.php. This vulnerabiity allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Full Name parameter. | -- | Feb 15, 2024 |
| CVE-2024-25209 | Barangay Population Monitoring System 1.0 was discovered to contain a SQL injection vulnerability via the resident parameter at /endpoint/delete-resident.php. | -- | Feb 14, 2024 |
| CVE-2024-25210 | Simple Expense Tracker v1.0 was discovered to contain a SQL injection vulnerability via the expense parameter at /endpoint/delete_expense.php. | -- | Feb 14, 2024 |
| CVE-2024-25211 | Simple Expense Tracker v1.0 was discovered to contain a SQL injection vulnerability via the category parameter at /endpoint/delete_category.php. | -- | Feb 14, 2024 |
| CVE-2024-25212 | Employee Managment System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /delete.php. | -- | Feb 15, 2024 |
| CVE-2024-25213 | Employee Managment System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /edit.php. | -- | Feb 15, 2024 |
| CVE-2024-25214 | An issue in Employee Managment System v1.0 allows attackers to bypass authentication via injecting a crafted payload into the E-mail and Password parameters at /alogin.html. | -- | Feb 15, 2024 |
| CVE-2024-25215 | Employee Managment System v1.0 was discovered to contain a SQL injection vulnerability via the pwd parameter at /aprocess.php. | -- | Feb 15, 2024 |
| CVE-2024-25216 | Employee Managment System v1.0 was discovered to contain a SQL injection vulnerability via the mailud parameter at /aprocess.php. | -- | Feb 15, 2024 |
| CVE-2024-25217 | Online Medicine Ordering System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /omos/?p=products/view_product. | -- | Feb 14, 2024 |
| CVE-2024-25218 | A cross-site scripting (XSS) vulnerability in Task Manager App v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Project Name parameter /TaskManager/Projects.php. | -- | Feb 16, 2024 |
| CVE-2024-25219 | A cross-site scripting (XSS) vulnerability in Task Manager App v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Task Name parameter /TaskManager/Task.php. | -- | Feb 16, 2024 |
| CVE-2024-25220 | Task Manager App v1.0 was discovered to contain a SQL injection vulnerability via the taskID parameter at /TaskManager/EditTask.php. | -- | Feb 16, 2024 |
| CVE-2024-25221 | A cross-site scripting (XSS) vulnerability in Task Manager App v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Note Section parameter at /TaskManager/Tasks.php. | -- | Feb 16, 2024 |
| CVE-2024-25222 | Task Manager App v1.0 was discovered to contain a SQL injection vulnerability via the projectID parameter at /TaskManager/EditProject.php. | -- | Feb 16, 2024 |
| CVE-2024-25223 | Simple Admin Panel App v1.0 was discovered to contain a SQL injection vulnerability via the orderID parameter at /adminView/viewEachOrder.php. | -- | Feb 14, 2024 |
| CVE-2024-25224 | A cross-site scripting (XSS) vulnerability in Simple Admin Panel App v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Size Number parameter under the Add Size function. | -- | Feb 14, 2024 |
| CVE-2024-25225 | A cross-site scripting (XSS) vulnerability in Simple Admin Panel App v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Category Name parameter under the Add Category function. | -- | Feb 14, 2024 |
| CVE-2024-25226 | A cross-site scripting (XSS) vulnerability in Simple Admin Panel App v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Category Name parameter under the Add Category function. | -- | Feb 14, 2024 |
| CVE-2024-25227 | SQL Injection vulnerability in ABO.CMS version 5.8, allows remote attackers to execute arbitrary code, cause a denial of service (DoS), escalate privileges, and obtain sensitive information via the tb_login parameter in admin login page. | -- | Mar 15, 2024 |
| CVE-2024-25228 | Vinchin Backup and Recovery 7.2 and Earlier is vulnerable to Authenticated Remote Code Execution (RCE) via the getVerifydiyResult function in ManoeuvreHandler.class.php. | -- | Mar 14, 2024 |
| CVE-2024-25239 | SQL Injection vulnerability in Sourcecodester Employee Management System v1.0 allows attackers to run arbitrary SQL commands via crafted POST request to /emloyee_akpoly/Account/login.php. | -- | Mar 21, 2024 |
| CVE-2024-25247 | SQL Injection vulnerability in /app/api/controller/Store.php in Niushop B2B2C V5 allows attackers to run arbitrary SQL commands via latitude and longitude parameters. | -- | Feb 26, 2024 |
