The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2024-32791 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in Leap13 Premium Addons for Elementor allows Stored XSS.This issue affects Premium Addons for Elementor: from n/a through 4.10.25. | -- | Apr 24, 2024 |
| CVE-2024-32789 | Cross-Site Request Forgery (CSRF) vulnerability in Seers allows Cross-Site Scripting (XSS).This issue affects Seers: from n/a through 8.1.0. | -- | Apr 24, 2024 |
| CVE-2024-32788 | Insertion of Sensitive Information into Log File vulnerability in Frédéric GILLES FG Joomla to WordPress.This issue affects FG Joomla to WordPress: from n/a through 4.20.2. | -- | Apr 24, 2024 |
| CVE-2024-32785 | Cross-Site Request Forgery (CSRF) vulnerability in Webangon The Pack Elementor addons allows Cross-Site Scripting (XSS).This issue affects The Pack Elementor addons: from n/a through 2.0.8.3. | -- | Apr 24, 2024 |
| CVE-2024-32782 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in HasThemes HT Mega.This issue affects HT Mega: from n/a through 2.4.7. | -- | Apr 24, 2024 |
| CVE-2024-32781 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in ThemeHigh Email Customizer for WooCommerce.This issue affects Email Customizer for WooCommerce: from n/a through 2.6.0. | -- | Apr 24, 2024 |
| CVE-2024-32780 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in E4J s.R.L. VikRentCar.This issue affects VikRentCar: from n/a through 1.3.2. | -- | Apr 24, 2024 |
| CVE-2024-32775 | Server-Side Request Forgery (SSRF) vulnerability in Pavex Embed Google Photos album.This issue affects Embed Google Photos album: from n/a through 2.1.9. | -- | Apr 24, 2024 |
| CVE-2024-32773 | Cross-Site Request Forgery (CSRF) vulnerability in WP Royal Royal Elementor Kit.This issue affects Royal Elementor Kit: from n/a through 1.0.116. | -- | Apr 24, 2024 |
| CVE-2024-32772 | Authorization Bypass Through User-Controlled Key vulnerability in Metagauss ProfileGrid.This issue affects ProfileGrid : from n/a through 5.7.9. | -- | Apr 24, 2024 |
| CVE-2024-32728 | Cross-Site Request Forgery (CSRF) vulnerability in Cozmoslabs Paid Member Subscriptions.This issue affects Paid Member Subscriptions: from n/a through 2.11.0. | -- | Apr 24, 2024 |
| CVE-2024-32726 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in vinoth06. Frontend Dashboard.This issue affects Frontend Dashboard: from n/a through 2.2.2. | -- | Apr 24, 2024 |
| CVE-2024-32723 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in Code Tides Advanced Floating Content allows Stored XSS.This issue affects Advanced Floating Content: from n/a through 1.2.5. | -- | Apr 24, 2024 |
| CVE-2024-32722 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in Coupon & Discount Code Reveal Button allows Stored XSS.This issue affects Coupon & Discount Code Reveal Button: from n/a through 1.2.5. | -- | Apr 24, 2024 |
| CVE-2024-32721 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in Jegtheme Jeg Elementor Kit allows Stored XSS.This issue affects Jeg Elementor Kit: from n/a through 2.6.3. | -- | Apr 24, 2024 |
| CVE-2024-32718 | Server-Side Request Forgery (SSRF) vulnerability in Webangon The Pack Elementor.This issue affects The Pack Elementor addons: from n/a through 2.0.8.2. | -- | Apr 24, 2024 |
| CVE-2024-32716 | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in StreamWeasels StreamWeasels Twitch Integration.This issue affects StreamWeasels Twitch Integration: from n/a through 1.7.8. | -- | Apr 24, 2024 |
| CVE-2024-32711 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in myCred allows Stored XSS.This issue affects myCred: from n/a through 2.6.3. | -- | Apr 24, 2024 |
| CVE-2024-32710 | Improper Neutralization of Special Elements used in an SQL Command (\'SQL Injection\') vulnerability in Plechev Andrey WP-Recall.This issue affects WP-Recall: from n/a through 16.26.5. | -- | Apr 24, 2024 |
| CVE-2024-32709 | Improper Neutralization of Special Elements used in an SQL Command (\'SQL Injection\') vulnerability in Plechev Andrey WP-Recall.This issue affects WP-Recall: from n/a through 16.26.5. | -- | Apr 24, 2024 |
| CVE-2024-32707 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in GhozyLab Image Slider Widget allows Stored XSS.This issue affects Image Slider Widget: from n/a through 1.1.125. | -- | Apr 24, 2024 |
| CVE-2024-32706 | Improper Neutralization of Special Elements used in an SQL Command (\'SQL Injection\') vulnerability in Repute info systems ARForms.This issue affects ARForms: from n/a through 6.4. | -- | Apr 24, 2024 |
| CVE-2024-32702 | Improper Neutralization of Input During Web Page Generation (\'Cross-site Scripting\') vulnerability in Repute info systems ARForms allows Reflected XSS.This issue affects ARForms: from n/a through 6.4. | -- | Apr 24, 2024 |
| CVE-2024-32699 | Cross-Site Request Forgery (CSRF) vulnerability in YITH YITH WooCommerce Compare.This issue affects YITH WooCommerce Compare: from n/a through 2.37.0. | -- | Apr 24, 2024 |
| CVE-2024-32678 | Missing Authorization vulnerability in TrackShip TrackShip for WooCommerce.This issue affects TrackShip for WooCommerce: from n/a through 1.7.5. | -- | Apr 24, 2024 |
| CVE-2024-32677 | Missing Authorization vulnerability in LoginPress LoginPress Pro.This issue affects LoginPress Pro: from n/a before 3.0.0. | -- | Apr 25, 2024 |
| CVE-2024-32676 | Improper Restriction of Excessive Authentication Attempts vulnerability in LoginPress LoginPress Pro.This issue affects LoginPress Pro: from n/a before 3.0.0. | -- | Apr 25, 2024 |
| CVE-2024-32675 | Missing Authorization vulnerability in Xfinity Soft Order Limit for WooCommerce.This issue affects Order Limit for WooCommerce: from n/a through 2.0.0. | -- | Apr 24, 2024 |
| CVE-2024-32651 | changedetection.io is an open source web page change detection, website watcher, restock monitor and notification service. There is a Server Side Template Injection (SSTI) in Jinja2 that allows Remote Command Execution on the server host. Attackers can run any system command without any restriction and they could use a reverse shell. The impact is critical as the attacker can completely takeover the server machine. This can be reduced if changedetection is behind a login page, but this isn\'t required by the application (not by default and not enforced). | -- | Apr 26, 2024 |
| CVE-2024-32649 | Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, using the `sqrt` builtin can result in double eval vulnerability when the argument has side-effects. It can be seen that the `build_IR` function of the `sqrt` builtin doesn\'t cache the argument to the stack. As such, it can be evaluated multiple times (instead of retrieving the value from the stack). No vulnerable production contracts were found. Additionally, double evaluation of side-effects should be easily discoverable in client tests. As such, the impact is low. As of time of publication, no fixed versions are available. | -- | Apr 25, 2024 |
| CVE-2024-32648 | Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. Prior to version 0.3.0, default functions don\'t respect nonreentrancy keys and the lock isn\'t emitted. No vulnerable production contracts were found. Additionally, using a lock on a `default` function is a very sparsely used pattern. As such, the impact is low. Version 0.3.0 contains a patch for the issue. | -- | Apr 25, 2024 |
| CVE-2024-32647 | Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, using the `create_from_blueprint` builtin can result in a double eval vulnerability when `raw_args=True` and the `args` argument has side-effects. It can be seen that the `_build_create_IR` function of the `create_from_blueprint` builtin doesn\'t cache the mentioned `args` argument to the stack. As such, it can be evaluated multiple times (instead of retrieving the value from the stack). No vulnerable production contracts were found. Additionally, double evaluation of side-effects should be easily discoverable in client tests. As such, the impact is low. As of time of publication, no fixed versions exist. | -- | Apr 25, 2024 |
| CVE-2024-32646 | Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, using the `slice` builtin can result in a double eval vulnerability when the buffer argument is either `msg.data`, `self.code` or `<address>.code` and either the `start` or `length` arguments have side-effects. It can be easily triggered only with the versions `<0.3.4` as `0.3.4` introduced the unique symbol fence. No vulnerable production contracts were found. Additionally, double evaluation of side-effects should be easily discoverable in client tests. As such, the impact is low. As of time of publication, no fixed versions are available. | -- | Apr 25, 2024 |
| CVE-2024-32645 | Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, incorrect values can be logged when `raw_log` builtin is called with memory or storage arguments to be used as topics. A contract search was performed and no vulnerable contracts were found in production. The `build_IR` function of the `RawLog` class fails to properly unwrap the variables provided as topics. Consequently, incorrect values are logged as topics. As of time of publication, no fixed version is available. | -- | Apr 25, 2024 |
| CVE-2024-32481 | Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. Starting in version 0.3.8 and prior to version 0.4.0b1, when looping over a `range` of the form `range(start, start + N)`, if `start` is negative, the execution will always revert. This issue is caused by an incorrect assertion inserted by the code generation of the range `stmt.parse_For_range()`. The issue arises when `start` is signed, instead of using `sle`, `le` is used and `start` is interpreted as an unsigned integer for the comparison. If it is a negative number, its 255th bit is set to `1` and is hence interpreted as a very large unsigned integer making the assertion always fail. Any contract having a `range(start, start + N)` where `start` is a signed integer with the possibility for `start` to be negative is affected. If a call goes through the loop while supplying a negative `start` the execution will revert. Version 0.4.0b1 fixes the issue. | -- | Apr 25, 2024 |
| CVE-2024-32467 | MeterSphere is an open source continuous testing platform. Prior to version 2.10.14-lts, members without space permissions can view member information from other workspaces beyond their authority. Version 2.10.14-lts fixes this issue. | -- | Apr 25, 2024 |
| CVE-2024-32432 | Missing Authorization vulnerability in Ovic Team Ovic Addon Toolkit.This issue affects Ovic Addon Toolkit: from n/a through 2.6.1. | -- | Apr 24, 2024 |
| CVE-2024-32358 | An issue in Jpress v.5.1.0 allows a remote attacker to execute arbitrary code via a crafted script to the custom plug-in module function. | -- | Apr 25, 2024 |
| CVE-2024-32324 | Buffer Overflow vulnerability in Shenzhen Libituo Technology Co., Ltd LBT-T300-T400 v.3.2 allows a local attacker to execute arbitrary code via the vpn_client_ip variable of the config_vpn_pptp function in rc program. | -- | Apr 25, 2024 |
| CVE-2024-32236 | An issue in CmsEasy v.7.7 and before allows a remote attacker to obtain sensitive information via the update function in the index.php component. | -- | Apr 25, 2024 |
| CVE-2024-32078 | URL Redirection to Untrusted Site (\'Open Redirect\') vulnerability in Foliovision FV Flowplayer Video Player.This issue affects FV Flowplayer Video Player: from n/a through 7.5.44.7212. | -- | Apr 24, 2024 |
| CVE-2024-32051 | Insertion of sensitive information into log file issue exists in RoamWiFi R10 prior to 4.8.45. If this vulnerability is exploited, a network-adjacent unauthenticated attacker with access to the device may obtain sensitive information. | -- | Apr 24, 2024 |
| CVE-2024-31615 | ThinkCMF 6.0.9 is vulnerable to File upload via UeditorController.php. | -- | Apr 25, 2024 |
| CVE-2024-31610 | File Upload vulnerability in the function for employees to upload avatars in Code-Projects Simple School Management System v1.0 allows attackers to run arbitrary code via upload of crafted file. | -- | Apr 25, 2024 |
| CVE-2024-31609 | Cross Site Scripting (XSS) vulnerability in BOSSCMS v3.10 allows attackers to run arbitrary code via the header code and footer code fields in code configuration. | -- | Apr 25, 2024 |
| CVE-2024-31574 | Cross Site Scripting vulnerability in TWCMS v.2.6 allows a local attacker to execute arbitrary code via a crafted script | -- | Apr 25, 2024 |
| CVE-2024-31406 | Active debug code vulnerability exists in RoamWiFi R10 prior to 4.8.45. If this vulnerability is exploited, a network-adjacent unauthenticated attacker with access to the device may perform unauthorized operations. | -- | Apr 24, 2024 |
| CVE-2024-31266 | Improper Control of Generation of Code (\'Code Injection\') vulnerability in AlgolPlus Advanced Order Export For WooCommerce allows Code Injection.This issue affects Advanced Order Export For WooCommerce: from n/a through 3.4.4. | -- | Apr 25, 2024 |
| CVE-2024-30939 | An issue discovered in Yealink VP59 Teams Editions with firmware version 91.15.0.118 allows a physically proximate attacker to gain control of an account via a flaw in the factory reset procedure. | -- | Apr 25, 2024 |
| CVE-2024-30890 | Cross Site Scripting vulnerability in ED01-CMS v.1.0 allows an attacker to obtain sensitive information via the categories.php component. | -- | Apr 25, 2024 |
