Total
5266 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-45766 | 1 Dell | 1 Openmanage Enterprise | 2024-12-02 | 8 High |
| Dell OpenManage Enterprise, version(s) OME 4.1 and prior, contain(s) an Improper Control of Generation of Code ('Code Injection') vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Code execution. | ||||
| CVE-2024-8672 | 1 Marketingfire | 1 Widget-options | 2024-11-29 | 9.9 Critical |
| The Widget Options – The #1 WordPress Widget & Block Control Plugin plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.0.7 via the display logic functionality that extends several page builders. This is due to the plugin allowing users to supply input that will be passed through eval() without any filtering or capability checks. This makes it possible for authenticated attackers, with contributor-level access and above, to execute code on the server. Special note: We suggested the vendor implement an allowlist of functions and limit the ability to execute commands to just administrators, however, they did not take our advice. We are considering this patched, however, we believe it could still be further hardened and there may be residual risk with how the issue is currently patched. | ||||
| CVE-2024-11620 | 1 Rank Math Seo | 1 Rank Math Seo | 2024-11-29 | 7.2 High |
| Improper Control of Generation of Code ('Code Injection') vulnerability in Rank Math SEO allows Code Injection.This issue affects Rank Math SEO: from n/a through 1.0.231. | ||||
| CVE-2023-35150 | 1 Xwiki | 1 Xwiki | 2024-11-29 | 9.9 Critical |
| XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 2.40m-2 and prior to versions 14.4.8, 14.10.4, and 15.0, any user with view rights on any document can execute code with programming rights, leading to remote code execution by crafting an url with a dangerous payload. The problem has been patched in XWiki 15.0, 14.10.4 and 14.4.8. | ||||
| CVE-2023-35152 | 1 Xwiki | 1 Xwiki | 2024-11-27 | 10 Critical |
| XWiki Platform is a generic wiki platform. Starting in version 12.9-rc-1 and prior to versions 14.4.8, 14.10.6, and 15.1, any logged in user can add dangerous content in their first name field and see it executed with programming rights. Leading to rights escalation. The vulnerability has been fixed on XWiki 14.4.8, 14.10.6, and 15.1. As a workaround, one may apply the patch manually. | ||||
| CVE-2023-32728 | 1 Zabbix | 1 Zabbix-agent2 | 2024-11-27 | 4.6 Medium |
| The Zabbix Agent 2 item key smart.disk.get does not sanitize its parameters before passing them to a shell command resulting possible vulnerability for remote code execution. | ||||
| CVE-2024-8923 | 1 Servicenow | 1 Servicenow | 2024-11-27 | 9.8 Critical |
| ServiceNow has addressed an input validation vulnerability that was identified in the Now Platform. This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform. ServiceNow deployed an update to hosted instances and ServiceNow provided the update to our partners and self-hosted customers. Further, the vulnerability is addressed in the listed patches and hot fixes. | ||||
| CVE-2024-44758 | 1 Erp | 1 Management Software | 2024-11-27 | 9.8 Critical |
| An arbitrary file upload vulnerability in the component /Production/UploadFile of NUS-M9 ERP Management Software v3.0.0 allows attackers to execute arbitrary code via uploading crafted files. | ||||
| CVE-2024-51367 | 1 Husrev | 1 Blackboard | 2024-11-27 | 9.8 Critical |
| An arbitrary file upload vulnerability in the component \Users\username.BlackBoard of BlackBoard v2.0.0.2 allows attackers to execute arbitrary code via uploading a crafted .xml file. | ||||
| CVE-2024-51330 | 2024-11-27 | 4.4 Medium | ||
| An issue in UltiMaker Cura v.4.41 and 5.8.1 and before allows a local attacker to execute arbitrary code via Inter-process communication (IPC) mechanism between Cura application and CuraEngine processes, localhost network stack, printing settings and G-code processing and transmission components, Ultimaker 3D Printers. | ||||
| CVE-2023-33570 | 1 Webkul | 1 Bagisto | 2024-11-27 | 8.8 High |
| Bagisto v1.5.1 is vulnerable to Server-Side Template Injection (SSTI). | ||||
| CVE-2024-52959 | 1 Galaxy Software Services Corporation | 1 Iota C.ai Conversational Platform | 2024-11-27 | N/A |
| A Improper Control of Generation of Code ('Code Injection') vulnerability in plugin management in iota C.ai Conversational Platform from 1.0.0 through 2.1.3 allows remote authenticated users to perform arbitrary system commands via a DLL file. | ||||
| CVE-2023-39018 | 1 Bramp | 1 Ffmpeg-cli-wrapper | 2024-11-27 | 9.8 Critical |
| FFmpeg 0.7.0 and below was discovered to contain a code injection vulnerability in the component net.bramp.ffmpeg.FFmpeg.<constructor>. This vulnerability is exploited via passing an unchecked argument. NOTE: this is disputed by multiple third parties because there are no realistic use cases in which FFmpeg.java uses untrusted input for the path of the executable file. | ||||
| CVE-2024-29014 | 1 Sonicwall | 1 Netextender | 2024-11-27 | 7.1 High |
| Vulnerability in SonicWall SMA100 NetExtender Windows (32 and 64-bit) client 10.2.339 and earlier versions allows an attacker to arbitrary code execution when processing an EPC Client update. | ||||
| CVE-2023-45311 | 1 Fsevents Project | 1 Fsevents | 2024-11-26 | 9.8 Critical |
| fsevents before 1.2.11 depends on the https://fsevents-binaries.s3-us-west-2.amazonaws.com URL, which might allow an adversary to execute arbitrary code if any JavaScript project (that depends on fsevents) distributes code that was obtained from that URL at a time when it was controlled by an adversary. NOTE: some sources feel that this means that no version is affected any longer, because the URL is not controlled by an adversary. | ||||
| CVE-2024-10899 | 1 Wcproducttable | 2 Woocommerce Product Table, Woocommerce Product Table Lite | 2024-11-26 | 7.3 High |
| The The WooCommerce Product Table Lite plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.8.6. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. The same 'id' parameter is vulnerable to Reflected Cross-Site Scripting as well. | ||||
| CVE-2023-49314 | 2 Apple, Asana | 2 Macos, Desktop | 2024-11-26 | 7.8 High |
| Asana Desktop 2.1.0 on macOS allows code injection because of specific Electron Fuses. There is inadequate protection against code injection through settings such as RunAsNode and EnableNodeCliInspectArguments, and thus r3ggi/electroniz3r can be used to perform an attack. | ||||
| CVE-2023-33466 | 1 Orthanc-server | 1 Orthanc | 2024-11-26 | 8.8 High |
| Orthanc before 1.12.0 allows authenticated users with access to the Orthanc API to overwrite arbitrary files on the file system, and in specific deployment scenarios allows the attacker to overwrite the configuration, which can be exploited to trigger Remote Code Execution (RCE). | ||||
| CVE-2024-11034 | 1 Wpbean | 1 Request A Quote | 2024-11-26 | 7.3 High |
| The The Request a Quote for WooCommerce and Elementor – Get a Quote Button – Product Enquiry Form Popup – Product Quotation plugin for WordPress is vulnerable to arbitrary shortcode execution via fire_contact_form AJAX action in all versions up to, and including, 1.4. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. | ||||
| CVE-2024-53554 | 1 Taigaio | 1 Taiga Front | 2024-11-26 | 8 High |
| A Client-Side Template Injection (CSTI) vulnerability in the component /project/new/scrum of Taiga v 8.6.1 allows remote attackers to execute arbitrary code by injecting a malicious payload within the new project details. | ||||