Wind River Support Network

CVE Database

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

219869 entries
ID | Description | Priority | Modified date
CVE-2024-32474 Sentry is an error tracking and performance monitoring platform. Prior to 24.4.1, when authenticating as a superuser to Sentry with a username and password, the password is leaked as cleartext in logs under the _event_: `auth-index.validate_superuser`. An attacker with access to the log data could use these leaked credentials to log in to the Sentry system as superuser. Self-hosted users on affected versions should upgrade to 24.4.1 or later. Users can configure the logging level to exclude logs of the `INFO` level and only generate logs for levels at `WARNING` or more. -- Apr 18, 2024
CVE-2024-32473 Moby is an open source container framework that is a key component of Docker Engine, Docker Desktop, and other distributions of container tooling or runtimes. In 26.0.0, IPv6 is not disabled on network interfaces, including those belonging to networks where `--ipv6=false`. A container with an `ipvlan` or `macvlan` interface will normally be configured to share an external network link with the host machine. Because of this direct access, (1) containers may be able to communicate with other hosts on the local network over link-local IPv6 addresses, (2) if router advertisements are being broadcast over the local network, containers may get SLAAC-assigned addresses, and (3) the interface will be a member of IPv6 multicast groups. This means interfaces in IPv4-only networks present an unexpectedly and unnecessarily increased attack surface. The issue is patched in 26.0.2. To completely disable IPv6 in a container, use `--sysctl=net.ipv6.conf.all.disable_ipv6=1` in the `docker create` or `docker run` command, or in the service configuration of a `compose` file. -- Apr 18, 2024
CVE-2024-32472 excalidraw is an open source virtual hand-drawn style whiteboard. There is a stored XSS vulnerability in Excalidraw's web embeddable component. This allows arbitrary JavaScript to be run in the context of the domain where the editor is hosted. There were two vectors: the first rendered an untrusted string as an iframe's `srcdoc` without properly sanitizing against HTML injection; the second improperly sanitized against attribute HTML injection. This, in conjunction with allowing the `allow-same-origin` sandbox flag (necessary for several embeds), resulted in the XSS. This vulnerability is fixed in 0.17.6 and 0.16.4. -- Apr 18, 2024
CVE-2024-32470 Tolgee is an open-source localization platform. When an API key created by an admin user is used, it bypasses the permission check entirely. This error was introduced in v3.57.2 and immediately fixed in v3.57.4. -- Apr 18, 2024
CVE-2024-32466 Tolgee is an open-source localization platform. For the `/v2/projects/translations` and `/v2/projects/{projectId}/translations` endpoints, translation data was returned even when the API key was missing the `translation.view` scope. However, it was impossible to fetch the data when the user was missing this scope, so this is only relevant for API keys generated by users permitted to `translation.view`. This vulnerability is fixed in v3.57.2. -- Apr 18, 2024
CVE-2024-32463 phlex is an open source framework for building object-oriented views in Ruby. There is a potential cross-site scripting (XSS) vulnerability that can be exploited via maliciously crafted user data. The filter to detect and prevent the use of the `javascript:` URL scheme in the `href` attribute of an `<a>` tag could be bypassed with tab `\t` or newline `\n` characters between the characters of the protocol, e.g. `java\tscript:`. This vulnerability is fixed in 1.10.1, 1.9.2, 1.8.3, 1.7.2, 1.6.3, 1.5.3, and 1.4.2. Configuring a Content Security Policy that does not allow `unsafe-inline` would effectively prevent this vulnerability from being exploited. -- Apr 17, 2024
CVE-2024-32462 Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions before 1.10.9, 1.12.9, 1.14.6, and 1.15.8, a malicious or compromised Flatpak app could execute arbitrary code outside its sandbox. Normally, the `--command` argument of `flatpak run` expects to be given a command to run in the specified Flatpak app, optionally along with some arguments. However, it is possible to instead pass `bwrap` arguments to `--command=`, such as `--bind`. It's possible to pass an arbitrary `commandline` to the portal interface `org.freedesktop.portal.Background.RequestBackground` from within a Flatpak app. When this is converted into a `--command` and arguments, it achieves the same effect of passing arguments directly to `bwrap`, and thus can be used for a sandbox escape. The solution is to pass the `--` argument to `bwrap`, which makes it stop processing options. This has been supported since bubblewrap 0.3.0. All supported versions of Flatpak require at least that version of bubblewrap. xdg-desktop-portal version 1.18.4 will mitigate this vulnerability by only allowing Flatpak apps to create .desktop files for commands that do not start with --. The vulnerability is patched in 1.15.8, 1.10.9, 1.12.9, and 1.14.6. -- Apr 18, 2024
CVE-2024-32461 LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. A SQL injection vulnerability in POST /search/search=packages in LibreNMS prior to version 24.4.0 allows a user with global read privileges to execute SQL commands via the package parameter. With this vulnerability, an attacker can exploit a SQL injection time based vulnerability to extract all data from the database, such as administrator credentials. Version 24.4.0 contains a patch for the vulnerability. -- Apr 23, 2024
CVE-2024-32460 FreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients using `/bpp:32` legacy `GDI` drawing path with a version of FreeRDP prior to 3.5.0 or 2.11.6 are vulnerable to out-of-bounds read. Versions 3.5.0 and 2.11.6 patch the issue. As a workaround, use modern drawing paths (e.g. `/rfx` or `/gfx` options). The workaround requires server side support. -- Apr 17, 2024
CVE-2024-32459 FreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients and servers that use a version of FreeRDP prior to 3.5.0 or 2.11.6 are vulnerable to out-of-bounds read. Versions 3.5.0 and 2.11.6 patch the issue. No known workarounds are available. -- Apr 17, 2024
CVE-2024-32458 FreeRDP is a free implementation of the Remote Desktop Protocol. FreeRDP based clients that use a version of FreeRDP prior to 3.5.0 or 2.11.6 are vulnerable to out-of-bounds read. Versions 3.5.0 and 2.11.6 patch the issue. As a workaround, use `/gfx` or `/rfx` modes (on by default, require server side support). -- Apr 17, 2024
CVE-2024-32457 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in The CSSIgniter Team Elements Plus! allows Stored XSS. This issue affects Elements Plus!: from n/a through 2.16.3. -- Apr 17, 2024
CVE-2024-32456 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in EnvoThemes Envo Extra allows Stored XSS. This issue affects Envo Extra: from n/a through 1.8.11. -- Apr 17, 2024
CVE-2024-32455 Missing Authorization vulnerability in Very Good Plugins Fatal Error Notify. This issue affects Fatal Error Notify: from n/a through 1.5.2. -- Apr 16, 2024
CVE-2024-32454 Server-Side Request Forgery (SSRF) vulnerability in Wappointment Appointment Bookings for Zoom GoogleMeet and more – Wappointment. This issue affects Appointment Bookings for Zoom GoogleMeet and more – Wappointment: from n/a through 2.6.0. -- Apr 15, 2024
CVE-2024-32453 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in POEditor allows Stored XSS. This issue affects POEditor: from n/a through 0.9.8. -- Apr 15, 2024
CVE-2024-32452 Cross-Site Request Forgery (CSRF) vulnerability in WP EasyCart. This issue affects WP EasyCart: from n/a through 5.5.19. -- Apr 15, 2024
CVE-2024-32451 Cross-Site Request Forgery (CSRF) vulnerability in wpWax Legal Pages. This issue affects Legal Pages: from n/a through 1.4.2. -- Apr 15, 2024
CVE-2024-32450 Cross-Site Request Forgery (CSRF) vulnerability in MagePeople Team WpTravelly. This issue affects WpTravelly: from n/a through 1.6.0. -- Apr 15, 2024
CVE-2024-32449 Cross-Site Request Forgery (CSRF) vulnerability in MagniGenie RestroPress. This issue affects RestroPress: from n/a through 3.1.2. -- Apr 15, 2024
CVE-2024-32448 Cross-Site Request Forgery (CSRF) vulnerability in VideoYield.Com Ads.Txt Admin. This issue affects Ads.Txt Admin: from n/a through 1.3. -- Apr 15, 2024
CVE-2024-32447 Cross-Site Request Forgery (CSRF) vulnerability in AWP Classifieds Team AWP Classifieds. This issue affects AWP Classifieds: from n/a through 4.3.1. -- Apr 15, 2024
CVE-2024-32446 Cross-Site Request Forgery (CSRF) vulnerability in WP Swings Wallet System for WooCommerce. This issue affects Wallet System for WooCommerce: from n/a through 2.5.9. -- Apr 15, 2024
CVE-2024-32445 Cross-Site Request Forgery (CSRF) vulnerability in Saleswonder Team WebinarIgnition. This issue affects WebinarIgnition: from n/a through 3.05.8. -- Apr 15, 2024
CVE-2024-32443 Cross-Site Request Forgery (CSRF) vulnerability in IP2Location Download IP2Location Country Blocker. This issue affects Download IP2Location Country Blocker: from n/a through 2.34.2. -- Apr 15, 2024
CVE-2024-32442 Cross-Site Request Forgery (CSRF) vulnerability in Zoho Campaigns. This issue affects Zoho Campaigns: from n/a through 2.0.7. -- Apr 15, 2024
CVE-2024-32441 Cross-Site Request Forgery (CSRF) vulnerability in Zoho Campaigns. This issue affects Zoho Campaigns: from n/a through 2.0.7. -- Apr 15, 2024
CVE-2024-32440 Cross-Site Request Forgery (CSRF) vulnerability in Thomas Belser Asgaros Forum. This issue affects Asgaros Forum: from n/a through 2.8.0. -- Apr 15, 2024
CVE-2024-32439 Cross-Site Request Forgery (CSRF) vulnerability in SwitchWP WP Client Reports. This issue affects WP Client Reports: from n/a through 1.0.22. -- Apr 15, 2024
CVE-2024-32438 Cross-Site Request Forgery (CSRF) vulnerability in cleverplugins.Com SEO Booster. This issue affects SEO Booster: from n/a through 3.8.9. -- Apr 15, 2024
CVE-2024-32437 Cross-Site Request Forgery (CSRF) vulnerability in impleCode eCommerce Product Catalog. This issue affects eCommerce Product Catalog: from n/a through 3.3.28. -- Apr 15, 2024
CVE-2024-32436 Cross-Site Request Forgery (CSRF) vulnerability in Codemenschen Gift Vouchers. This issue affects Gift Vouchers: from n/a through 4.4.0. -- Apr 15, 2024
CVE-2024-32435 Cross-Site Request Forgery (CSRF) vulnerability in Affieasy Team AffiEasy. This issue affects AffiEasy: from n/a through 1.1.4. -- Apr 15, 2024
CVE-2024-32434 Cross-Site Request Forgery (CSRF) vulnerability in Tyche Softwares Order Delivery Date for WooCommerce. This issue affects Order Delivery Date for WooCommerce: from n/a through 3.20.2. -- Apr 15, 2024
CVE-2024-32433 Cross-Site Request Forgery (CSRF) vulnerability in Themefic BEAF. This issue affects BEAF: from n/a through 4.5.4. -- Apr 15, 2024
CVE-2024-32431 Deserialization of Untrusted Data vulnerability in WP All Import Import Users from CSV. This issue affects Import Users from CSV: from n/a through 1.2. -- Apr 15, 2024
CVE-2024-32430 Server-Side Request Forgery (SSRF) vulnerability in ActiveCampaign. This issue affects ActiveCampaign: from n/a through 8.1.14. -- Apr 15, 2024
CVE-2024-32429 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPChill Remove Footer Credit allows Stored XSS. This issue affects Remove Footer Credit: from n/a through 1.0.13. -- Apr 15, 2024
CVE-2024-32428 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Moss Web Works MWW Disclaimer Buttons allows Stored XSS. This issue affects MWW Disclaimer Buttons: from n/a through 3.0.2. -- Apr 15, 2024
CVE-2024-32418 An issue in flusity CMS v2.33 allows a remote attacker to execute arbitrary code via the add_addon.php component. -- Apr 22, 2024
CVE-2024-32409 An issue in SEMCMS v.4.8 allows a remote attacker to execute arbitrary code via a crafted script. -- Apr 19, 2024
CVE-2024-32407 An issue in inducer relate before v.2024.1 allows a remote attacker to execute arbitrary code via a crafted payload to the Page Sandbox feature. -- Apr 22, 2024
CVE-2024-32405 Cross Site Scripting vulnerability in inducer relate before v.2024.1 allows a remote attacker to escalate privileges via a crafted payload to the Answer field of InlineMultiQuestion parameter on Exam function. -- Apr 23, 2024
CVE-2024-32399 Directory Traversal vulnerability in RaidenMAILD Mail Server v.4.9.4 and before allows a remote attacker to obtain sensitive information via the /webeditor/ component. -- Apr 23, 2024
CVE-2024-32394 An issue in ruijie.com/cn RG-RSR10-01G-T(WA)-S RSR_3.0(1)B9P2_RSR10-01G-TW-S_07150910 and RG-RSR10-01G-T(WA)-S RSR_3.0(1)B9P2_RSR10-01G-TW-S_07150910 allows a remote attacker to execute arbitrary code via a crafted HTTP request. -- Apr 23, 2024
CVE-2024-32392 Cross Site Scripting vulnerability in CmSimple v.5.15 allows a remote attacker to execute arbitrary code via the functions.php component. -- Apr 22, 2024
CVE-2024-32391 Cross Site Scripting vulnerability in MacCMS v.10 v.2024.1000.3000 allows a remote attacker to execute arbitrary code via a crafted payload. -- Apr 22, 2024
CVE-2024-32368 Insecure Permission vulnerability in Agasta Sanketlife 2.0 Pocket 12-Lead ECG Monitor FW Version 3.0 allows a local attacker to cause a denial of service via the Bluetooth Low Energy (BLE) component. -- Apr 22, 2024
CVE-2024-32345 A cross-site scripting (XSS) vulnerability in the Settings menu of CMSimple v5.15 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Configuration parameter under the Language section. -- Apr 18, 2024
CVE-2024-32344 A cross-site scripting (XSS) vulnerability in the Settings menu of CMSimple v5.15 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Edit parameter under the Language section. -- Apr 18, 2024
The 'Fixed Release' column is displayed if a single product version is selected from the filter. The fixed release is applicable in cases when the CVE has been addressed and fixed for that product version. Requires LTSS - customers must have active LTSS (Long Term Security Shield) Support to receive up-to-date information about vulnerabilities that may affect legacy software. Please contact your Wind River account team or see https://docs.windriver.com/bundle/Support_and_Maintenance_Supplemental_Terms_and_Conditions and https://support2.windriver.com/index.php?page=plc for more information.