The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2024-50451 | Improper Neutralization of Input During Web Page Generation (XSS or \'Cross-site Scripting\') vulnerability in realmag777 WordPress Meta Data and Taxonomies Filter (MDTF) allows Stored XSS.This issue affects WordPress Meta Data and Taxonomies Filter (MDTF): from n/a through 1.3.3.4. | -- | Oct 29, 2024 |
| CVE-2024-50450 | Improper Control of Generation of Code (\'Code Injection\') vulnerability in realmag777 WordPress Meta Data and Taxonomies Filter (MDTF) allows Code Injection.This issue affects WordPress Meta Data and Taxonomies Filter (MDTF): from n/a through 1.3.3.4. | -- | Oct 29, 2024 |
| CVE-2024-50449 | Improper Neutralization of Input During Web Page Generation (XSS or \'Cross-site Scripting\') vulnerability in RedefiningTheWeb PDF Generator Addon for Elementor Page Builder allows Stored XSS.This issue affects PDF Generator Addon for Elementor Page Builder: from n/a through 1.7.4. | -- | Oct 29, 2024 |
| CVE-2024-50448 | Improper Neutralization of Input During Web Page Generation (XSS or \'Cross-site Scripting\') vulnerability in YITH YITH WooCommerce Product Add-Ons allows Reflected XSS.This issue affects YITH WooCommerce Product Add-Ons: from n/a through 4.14.1. | -- | Oct 29, 2024 |
| CVE-2024-50447 | Improper Neutralization of Input During Web Page Generation (XSS or \'Cross-site Scripting\') vulnerability in EnvoThemes Envo\'s Elementor Templates & Widgets for WooCommerce allows Stored XSS.This issue affects Envo\'s Elementor Templates & Widgets for WooCommerce: from n/a through 1.4.19. | -- | Oct 29, 2024 |
| CVE-2024-50446 | Improper Neutralization of Input During Web Page Generation (XSS or \'Cross-site Scripting\') vulnerability in FuturioWP Futurio Extra allows Stored XSS.This issue affects Futurio Extra: from n/a through 2.0.11. | -- | Oct 29, 2024 |
| CVE-2024-50445 | Improper Neutralization of Input During Web Page Generation (XSS or \'Cross-site Scripting\') vulnerability in Merkulove Selection Lite allows Stored XSS.This issue affects Selection Lite: from n/a through 1.13. | -- | Oct 29, 2024 |
| CVE-2024-50443 | Improper Neutralization of Input During Web Page Generation (XSS or \'Cross-site Scripting\') vulnerability in Post Grid Team by WPXPO PostX allows Stored XSS.This issue affects PostX: from n/a through 4.1.12. | -- | Oct 29, 2024 |
| CVE-2024-50442 | Improper Restriction of XML External Entity Reference vulnerability in WP Royal Royal Elementor Addons allows XML Injection.This issue affects Royal Elementor Addons: from n/a through 1.3.980. | -- | Oct 29, 2024 |
| CVE-2024-50441 | Improper Neutralization of Input During Web Page Generation (XSS or \'Cross-site Scripting\') vulnerability in CozyThemes Cozy Blocks allows Stored XSS.This issue affects Cozy Blocks: from n/a through 2.0.15. | -- | Oct 29, 2024 |
| CVE-2024-50440 | Improper Neutralization of Input During Web Page Generation (XSS or \'Cross-site Scripting\') vulnerability in Chris Coyier CodePen Embedded Pens Shortcode allows Stored XSS.This issue affects CodePen Embedded Pens Shortcode: from n/a through 1.0.2. | -- | Oct 29, 2024 |
| CVE-2024-50439 | Improper Neutralization of Input During Web Page Generation (XSS or \'Cross-site Scripting\') vulnerability in Brainstorm Force Astra Widgets allows Stored XSS.This issue affects Astra Widgets: from n/a through 1.2.14. | -- | Oct 29, 2024 |
| CVE-2024-50438 | Improper Neutralization of Input During Web Page Generation (XSS or \'Cross-site Scripting\') vulnerability in Andy Moyle Church Admin allows Reflected XSS.This issue affects Church Admin: from n/a before 5.0.0. | -- | Oct 29, 2024 |
| CVE-2024-50437 | Improper Neutralization of Input During Web Page Generation (XSS or \'Cross-site Scripting\') vulnerability in AyeCode GeoDirectory allows Stored XSS.This issue affects GeoDirectory: from n/a through 2.3.80. | -- | Oct 29, 2024 |
| CVE-2024-50436 | Improper Control of Filename for Include/Require Statement in PHP Program (\'PHP Remote File Inclusion\') vulnerability in Theme Horse Clean Retina.This issue affects Clean Retina: from n/a through 3.0.6. | -- | Oct 29, 2024 |
| CVE-2024-50435 | Improper Control of Filename for Include/Require Statement in PHP Program (\'PHP Remote File Inclusion\') vulnerability in Theme Horse Meta News.This issue affects Meta News: from n/a through 1.1.7. | -- | Oct 29, 2024 |
| CVE-2024-50434 | Improper Control of Filename for Include/Require Statement in PHP Program (\'PHP Remote File Inclusion\') vulnerability in Theme Horse NewsCard.This issue affects NewsCard: from n/a through 1.3. | -- | Oct 29, 2024 |
| CVE-2024-50433 | Improper Neutralization of Input During Web Page Generation (XSS or \'Cross-site Scripting\') vulnerability in wowDevs Sky Addons for Elementor allows Stored XSS.This issue affects Sky Addons for Elementor: from n/a through 2.5.15. | -- | Oct 29, 2024 |
| CVE-2024-50432 | Improper Neutralization of Input During Web Page Generation (XSS or \'Cross-site Scripting\') vulnerability in PickPlugins Post Grid and Gutenberg Blocks allows Stored XSS.This issue affects Post Grid and Gutenberg Blocks: from n/a through 2.2.93. | -- | Oct 29, 2024 |
| CVE-2024-50431 | Improper Neutralization of Input During Web Page Generation (XSS or \'Cross-site Scripting\') vulnerability in Cloudways Breeze allows Stored XSS.This issue affects Breeze: from n/a through 2.1.14. | -- | Oct 29, 2024 |
| CVE-2024-50430 | Improper Neutralization of Input During Web Page Generation (XSS or \'Cross-site Scripting\') vulnerability in The Beaver Builder Team Beaver Builder allows Stored XSS.This issue affects Beaver Builder: from n/a through 2.8.3.7. | -- | Nov 19, 2024 |
| CVE-2024-50429 | Improper Neutralization of Input During Web Page Generation (XSS or \'Cross-site Scripting\') vulnerability in WPBlockArt Magazine Blocks allows Stored XSS.This issue affects Magazine Blocks: from n/a through 1.3.15. | -- | Oct 29, 2024 |
| CVE-2024-50428 | Missing Authorization vulnerability in Mondula GmbH Multi Step Form allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Multi Step Form: from n/a through 1.7.21. | -- | Oct 29, 2024 |
| CVE-2024-50427 | Unrestricted Upload of File with Dangerous Type vulnerability in Devsoft Baltic OÜ SurveyJS: Drag & Drop WordPress Form Builder.This issue affects SurveyJS: Drag & Drop WordPress Form Builder: from n/a through 1.9.136. | -- | Oct 29, 2024 |
| CVE-2024-50426 | Improper Neutralization of Input During Web Page Generation (XSS or \'Cross-site Scripting\') vulnerability in Survey Maker team Survey Maker allows Stored XSS.This issue affects Survey Maker: from n/a through 5.0.2. | -- | Oct 29, 2024 |
| CVE-2024-50425 | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Veribo, Roland Murg WP Booking System.This issue affects WP Booking System: from n/a through 2.0.19.10. | -- | Oct 29, 2024 |
| CVE-2024-50424 | Missing Authorization vulnerability in Templately allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Templately: from n/a through 3.1.5. | -- | Oct 29, 2024 |
| CVE-2024-50423 | Missing Authorization vulnerability in Templately allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Templately: from n/a through 3.1.5. | -- | Oct 29, 2024 |
| CVE-2024-50422 | Missing Authorization vulnerability in Cloudways Breeze allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Breeze: from n/a through 2.1.14. | -- | Oct 29, 2024 |
| CVE-2024-50421 | Missing Authorization vulnerability in WP Overnight WooCommerce PDF Invoices & Packing Slips allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WooCommerce PDF Invoices & Packing Slips: from n/a through 3.8.6. | -- | Oct 29, 2024 |
| CVE-2024-50420 | Unrestricted Upload of File with Dangerous Type vulnerability in adirectory aDirectory allows Upload a Web Shell to a Web Server.This issue affects aDirectory: from n/a through 1.3. | -- | Oct 29, 2024 |
| CVE-2024-50419 | Incorrect Authorization vulnerability in Wpsoul Greenshift – animation and page builder blocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Greenshift – animation and page builder blocks: from n/a through 9.7. | -- | Nov 1, 2024 |
| CVE-2024-50418 | Improper Neutralization of Input During Web Page Generation (XSS or \'Cross-site Scripting\') vulnerability in Time Slot Booking Time Slot allows Stored XSS.This issue affects Time Slot: from n/a through 1.3.6. | -- | Oct 29, 2024 |
| CVE-2024-50417 | Missing Authorization vulnerability in BoldThemes Bold Page Builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Bold Page Builder: from n/a through 5.1.3. | -- | Nov 19, 2024 |
| CVE-2024-50416 | Deserialization of Untrusted Data vulnerability in WPClever WPC Shop as a Customer for WooCommerce allows Object Injection.This issue affects WPC Shop as a Customer for WooCommerce: from n/a through 1.2.6. | -- | Oct 29, 2024 |
| CVE-2024-50415 | Improper Neutralization of Input During Web Page Generation (XSS or \'Cross-site Scripting\') vulnerability in Pagup Ads.Txt & App-ads.Txt Manager for WordPress allows Stored XSS.This issue affects Ads.Txt & App-ads.Txt Manager for WordPress: from n/a through 1.1.7.1. | -- | Oct 29, 2024 |
| CVE-2024-50414 | Improper Neutralization of Input During Web Page Generation (XSS or \'Cross-site Scripting\') vulnerability in VirusTran Button contact VR allows Stored XSS.This issue affects Button contact VR: from n/a through 4.7.9.1. | -- | Oct 29, 2024 |
| CVE-2024-50413 | Improper Neutralization of Input During Web Page Generation (XSS or \'Cross-site Scripting\') vulnerability in codection Import and export users and customers allows Stored XSS.This issue affects Import and export users and customers: from n/a through 1.27.5. | -- | Oct 29, 2024 |
| CVE-2024-50412 | Improper Neutralization of Input During Web Page Generation (XSS or \'Cross-site Scripting\') vulnerability in Jules Colle Conditional Fields for Contact Form 7 allows Stored XSS.This issue affects Conditional Fields for Contact Form 7: from n/a through 2.4.15. | -- | Oct 29, 2024 |
| CVE-2024-50411 | Improper Neutralization of Input During Web Page Generation (XSS or \'Cross-site Scripting\') vulnerability in Kevon Adonis WP Abstracts allows Stored XSS.This issue affects WP Abstracts: from n/a through 2.7.1. | -- | Oct 29, 2024 |
| CVE-2024-50410 | Improper Neutralization of Input During Web Page Generation (XSS or \'Cross-site Scripting\') vulnerability in Kiboko Labs Namaste! LMS allows Stored XSS.This issue affects Namaste! LMS: from n/a through 2.6.4. | -- | Oct 29, 2024 |
| CVE-2024-50409 | Improper Neutralization of Input During Web Page Generation (XSS or \'Cross-site Scripting\') vulnerability in Kiboko Labs Namaste! LMS allows Stored XSS.This issue affects Namaste! LMS: from n/a through 2.6.2. | -- | Oct 29, 2024 |
| CVE-2024-50408 | Deserialization of Untrusted Data vulnerability in Kiboko Labs Namaste! LMS allows Object Injection.This issue affects Namaste! LMS: from n/a through 2.6.3. | -- | Oct 29, 2024 |
| CVE-2024-50407 | Improper Neutralization of Input During Web Page Generation (XSS or \'Cross-site Scripting\') vulnerability in Kiboko Labs Namaste! LMS allows Reflected XSS.This issue affects Namaste! LMS: from n/a through 2.6.2. | -- | Oct 29, 2024 |
| CVE-2024-50386 | Account users in Apache CloudStack by default are allowed to register templates to be downloaded directly to the primary storage for deploying instances. Due to missing validation checks for KVM-compatible templates in CloudStack 4.0.0 through 4.18.2.4 and 4.19.0.0 through 4.19.1.2, an attacker that can register templates, can use them to deploy malicious instances on KVM-based environments and exploit this to gain access to the host filesystems that could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of KVM-based infrastructure managed by CloudStack. Users are recommended to upgrade to Apache CloudStack 4.18.2.5 or 4.19.1.3, or later, which addresses this issue. Additionally, all user-registered KVM-compatible templates can be scanned and checked that they are flat files that should not be using any additional or unnecessary features. For example, operators can run the following command on their file-based primary storage(s) and inspect the output. An empty output for the disk being validated means it has no references to the host filesystems; on the other hand, if the output for the disk being validated is not empty, it might indicate a compromised disk. However, bear in mind that (i) volumes created from templates will have references for the templates at first and (ii) volumes can be consolidated while migrating, losing their references to the templates. Therefore, the command execution for the primary storages can show both false positives and false negatives. for file in $(find /path/to/storage/ -type f -regex [a-f0-9\\-]*.*); do echo Retrieving file [$file] info. If the output is not empty, that might indicate a compromised disk; check it carefully.; qemu-img info -U $file | grep file: ; printf \\n\\n; done For checking the whole template/volume features of each disk, operators can run the following command: for file in $(find /path/to/storage/ -type f -regex [a-f0-9\\-]*.*); do echo Retrieving file [$file] info.; qemu-img info -U $file; printf \\n\\n; done | -- | Nov 12, 2024 |
| CVE-2024-50383 | Botan before 3.6.0, when certain GCC versions are used, has a compiler-induced secret-dependent operation in lib/utils/donna128.h in donna128 (used in Chacha-Poly1305 and x25519). An addition can be skipped if a carry is not set. This was observed for GCC 11.3.0 with -O2 on MIPS, and GCC on x86-i386. (Only 32-bit processors can be affected.) | -- | Oct 24, 2024 |
| CVE-2024-50382 | Botan before 3.6.0, when certain LLVM versions are used, has compiler-induced secret-dependent control flow in lib/utils/ghash/ghash.cpp in GHASH in AES-GCM. There is a branch instead of an XOR with carry. This was observed for Clang in LLVM 15 on RISC-V. | -- | Oct 24, 2024 |
| CVE-2024-50378 | Airflow versions before 2.10.3 have a vulnerability that allows authenticated users with audit log access to see sensitive values in audit logs which they should not see. When sensitive variables were set via airflow CLI, values of those variables appeared in the audit log and were stored unencrypted in the Airflow database. While this risk is limited to users with audit log access, it is recommended to upgrade to Airflow 2.10.3 or a later version, which addresses this issue. Users who previously used the CLI to set secret variables should manually delete entries with those variables from the log table. | -- | Nov 8, 2024 |
| CVE-2024-50356 | Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS). The password could be reset by anyone who have access to the mail inbox circumventing the 2FA. Even though they wouldn\'t be able to login by bypassing the 2FA. Only users who have enabled 2FA are affected. Commit ba0007c28ac814260f836849bc07d29beea7deb6 patches this bug. | -- | Nov 1, 2024 |
| CVE-2024-50355 | LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. User with Admin role can edit the Display Name of a device, the application did not properly sanitize the user input in the device Display Name, if java script code is inside the name of the device Display Name, its can be trigger from different sources. This vulnerability is fixed in 24.10.0. | -- | Nov 18, 2024 |
