The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
ID | Description | Priority | Modified date |
---|---|---|---|
CVE-2024-51432 | Cross Site Scripting vulnerability in FiberHome HG6544C RP2743 allows an attacker to execute arbitrary code via the SSID field in the WIFI Clients List not being sanitized | -- | Nov 4, 2024 |
CVE-2024-51431 | LB-LINK BL-WR 1300H v.1.0.4 contains hardcoded credentials stored in /etc/shadow which are easily guessable. | -- | Nov 1, 2024 |
CVE-2024-51430 | Cross Site Scripting vulnerability in online diagnostic lab management system using php v.1.0 allows a remote attacker to execute arbitrary code via the Test Name parameter on the diagnostic/add-test.php component. | -- | Nov 1, 2024 |
CVE-2024-51428 | An issue in Espressif Esp idf v5.3.0 allows attackers to cause a Denial of Service (DoS) via a crafted data channel packet. | -- | Nov 7, 2024 |
CVE-2024-51427 | An issue in the PepeGxng smart contract (which can be run on the Ethereum blockchain) allows remote attackers to have an unspecified impact via the mint function. NOTE: this is disputed by third parties because the impact is limited to function calls. | -- | Nov 4, 2024 |
CVE-2024-51426 | An issue in the PepeGxng smart contract (which can be run on the Ethereum blockchain) allows remote attackers to have an unspecified impact via the _transfer function. NOTE: this is disputed by third parties because the impact is limited to function calls. | -- | Nov 4, 2024 |
CVE-2024-51425 | An issue in the WaterToken smart contract (which can be run on the Ethereum blockchain) allows remote attackers to have an unspecified impact. NOTE: this is disputed by third parties because the impact is limited to function calls. | -- | Nov 4, 2024 |
CVE-2024-51424 | An issue in the PepeGxng smart contract (which can be run on the Ethereum blockchain) allows remote attackers to have an unspecified impact via the Owned.setOwner function. NOTE: this is disputed by third parties because the impact is limited to function calls. | -- | Nov 4, 2024 |
CVE-2024-51419 | Cross Site Scripting vulnerability in Shenzhen Interconnection Harbor Network Technology Co., Ltd Ofweek Online Exhibition v.1.0.0 allows a remote attacker to execute arbitrary code. | -- | Nov 1, 2024 |
CVE-2024-51409 | Buffer Overflow vulnerability in Tenda O3 v.1.0.0.5 allows a remote attacker to cause a denial of service via a network packet in a fixed format to a router running the corresponding version of the firmware. | -- | Nov 7, 2024 |
CVE-2024-51408 | AppSmith Community 1.8.3 before 1.46 allows SSRF via New DataSource for application/json requests to 169.254.169.254 to retrieve AWS metadata credentials. | -- | Nov 4, 2024 |
CVE-2024-51407 | Floodlight SDN OpenFlow Controller v.1.2 has an issue that allows local hosts to construct false broadcast ports causing inter-host communication anomalies. | -- | Nov 4, 2024 |
CVE-2024-51406 | Floodlight SDN Open Flow Controller v.1.2 has an issue that allows local hosts to build fake LLDP packets that allow specific clusters to be missed by Floodlight, which in turn leads to missed hosts inside and outside the cluster. | -- | Nov 4, 2024 |
CVE-2024-51399 | Altai Technologies Ltd Altai IX500 Indoor 22 802.11ac Wave 2 AP After login, there are file reads in the background, and attackers can obtain sensitive information such as user credentials, system configuration, and database connection strings, which can lead to data breaches and identity theft. | -- | Nov 1, 2024 |
CVE-2024-51398 | Altai Technologies Ltd Altai X500 Indoor 22 802.11ac Wave 2 AP web Management Weak password leakage in the background may lead to unauthorized access, data theft, and network attacks, seriously threatening network security. | -- | Nov 1, 2024 |
CVE-2024-51382 | Cross-Site Request Forgery (CSRF) vulnerability in JATOS v3.9.3 allows an attacker to reset the administrator\'s password. This critical security flaw can result in unauthorized access to the platform, enabling attackers to hijack admin accounts and compromise the integrity and security of the system. | -- | Nov 6, 2024 |
CVE-2024-51381 | Cross-Site Request Forgery (CSRF) vulnerability in JATOS v3.9.3 that allows attackers to perform actions reserved for administrators, including creating admin accounts. This critical flaw can lead to unauthorized activities, compromising the security and integrity of the platform, especially if an attacker gains administrative control. | -- | Nov 6, 2024 |
CVE-2024-51380 | Stored Cross-Site Scripting (XSS) vulnerability discovered in the Properties Component of JATOS v3.9.3. This flaw allows an attacker to inject malicious JavaScript into the properties section of a study, specifically within the UUID field. When an admin user accesses the study\'s properties, the injected script is executed in the admin\'s browser, which could lead to unauthorized actions, including account compromise and privilege escalation. | -- | Nov 6, 2024 |
CVE-2024-51379 | Stored Cross-Site Scripting (XSS) vulnerability discovered in JATOS v3.9.3. The vulnerability exists in the description component of the study section, where an attacker can inject JavaScript into the description field. This allows for the execution of malicious scripts when an admin views the description, potentially leading to account takeover and unauthorized actions. | -- | Nov 6, 2024 |
CVE-2024-51378 | getresetstatus in dns/views.py and ftp/views.py in CyberPanel (aka Cyber Panel) before 1c0c6cb allows remote attackers to bypass authentication and execute arbitrary commands via /dns/getresetstatus or /ftp/getresetstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX. Versions through 2.3.6 and (unpatched) 2.3.7 are affected. | -- | Oct 30, 2024 |
CVE-2024-51377 | An issue in Ladybird Web Solution Faveo Helpdesk & Servicedesk (On-Premise and Cloud) 9.2.0 allows a remote attacker to execute arbitrary code via the Subject and Identifier fields | -- | Nov 4, 2024 |
CVE-2024-51362 | The LSC Smart Connect Indoor IP Camera V7.6.32 is vulnerable to an information disclosure issue where live camera footage can be accessed through the RTSP protocol on port 8554 without requiring authentication. This allows unauthorized users with network access to view the camera\'s feed, potentially compromising user privacy and security. No credentials or special permissions are required, and access can be gained remotely over the network. | -- | Nov 6, 2024 |
CVE-2024-51358 | An issue in Linux Server Heimdall v.2.6.1 allows a remote attacker to execute arbitrary code via a crafted script to the Add new application. | -- | Nov 7, 2024 |
CVE-2024-51329 | A Host header injection vulnerability in Agile-Board 1.0 allows attackers to obtain the password reset token via user interaction with a crafted password reset link. | -- | Nov 4, 2024 |
CVE-2024-51328 | Cross Site Scripting vulnerability in addcategory.php in projectworld\'s Travel Management System v1.0 allows remote attacker to inject arbitrary code via the t2 parameter. | -- | Nov 4, 2024 |
CVE-2024-51327 | SQL Injection in loginform.php in ProjectWorld\'s Travel Management System v1.0 allows remote attackers to bypass authentication via SQL Injection in the \'username\' and \'password\' fields. | -- | Nov 4, 2024 |
CVE-2024-51326 | SQL Injection vulnerability in projectworlds Travel management System v.1.0 allows a remote attacker to execute arbitrary code via the \'t2\' parameter in deletesubcategory.php. | -- | Nov 4, 2024 |
CVE-2024-51304 | In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the ldap_search_dn function. | -- | Nov 1, 2024 |
CVE-2024-51301 | In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the packet_monitor function. | -- | Nov 1, 2024 |
CVE-2024-51300 | In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the get_rrd function. | -- | Nov 1, 2024 |
CVE-2024-51299 | In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the dumpSyslog function. | -- | Nov 1, 2024 |
CVE-2024-51298 | In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the doGRETunnel function. | -- | Nov 1, 2024 |
CVE-2024-51296 | In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the pingtrace function. | -- | Nov 1, 2024 |
CVE-2024-51260 | DrayTek Vigor3900 1.5.1.3 allows attackers to inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the acme_process function. | -- | Nov 1, 2024 |
CVE-2024-51259 | DrayTek Vigor3900 1.5.1.3 allows attackers to inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the setup_cacertificate function. | -- | Nov 1, 2024 |
CVE-2024-51258 | DrayTek Vigor3900 1.5.1.3 allows attackers to inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the doSSLTunnel function. | -- | Nov 1, 2024 |
CVE-2024-51257 | DrayTek Vigor3900 1.5.1.3 allows attackers to inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the doCertificate function. | -- | Nov 1, 2024 |
CVE-2024-51255 | DrayTek Vigor3900 1.5.1.3 allows attackers to inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the ruequest_certificate function. | -- | Nov 1, 2024 |
CVE-2024-51254 | DrayTek Vigor3900 1.5.1.3 allows attackers to inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the sign_cacertificate function. | -- | Nov 1, 2024 |
CVE-2024-51253 | In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the doL2TP function. | -- | Nov 4, 2024 |
CVE-2024-51252 | In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the restore function. | -- | Nov 4, 2024 |
CVE-2024-51251 | In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the backup function. | -- | Nov 4, 2024 |
CVE-2024-51249 | In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the reboot function. | -- | Nov 4, 2024 |
CVE-2024-51248 | In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the modifyrow function. | -- | Nov 4, 2024 |
CVE-2024-51247 | In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the doPPPo function. | -- | Nov 4, 2024 |
CVE-2024-51246 | In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the doPPTP function. | -- | Nov 4, 2024 |
CVE-2024-51245 | In DrayTek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the rename_table function. | -- | Nov 4, 2024 |
CVE-2024-51244 | In Draytek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the doIPSec function. | -- | Nov 4, 2024 |
CVE-2024-51243 | The eladmin v2.7 and before contains a remote code execution (RCE) vulnerability that can control all application deployment servers of this management system via DeployController.java. | -- | Nov 1, 2024 |
CVE-2024-51242 | A Server-Side Request Forgery (SSRF) vulnerability has been identified in eladmin 2.7 and earlier in ServerDeployController.java. The manipulation of the HTTP Body ip parameter leads to SSRF. | -- | Nov 1, 2024 |