Total
255441 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-37111 | 2024-06-28 | 7.5 High | ||
| Missing Authorization vulnerability in Membership Software WishList Member X.This issue affects WishList Member X: from n/a before 3.26.7. | ||||
| CVE-2024-20271 | 2024-06-28 | 8.6 High | ||
| A vulnerability in the IP packet processing of Cisco Access Point (AP) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to insufficient input validation of certain IPv4 packets. An attacker could exploit this vulnerability by sending a crafted IPv4 packet either to or through an affected device. A successful exploit could allow the attacker to cause an affected device to reload unexpectedly, resulting in a DoS condition. To successfully exploit this vulnerability, the attacker does not need to be associated with the affected AP. This vulnerability cannot be exploited by sending IPv6 packets. | ||||
| CVE-2024-37107 | 2024-06-28 | 8.8 High | ||
| Improper Privilege Management vulnerability in Membership Software WishList Member X allows Privilege Escalation.This issue affects WishList Member X: from n/a before 3.26.7. | ||||
| CVE-2024-37109 | 2024-06-28 | 9.9 Critical | ||
| Improper Control of Generation of Code ('Code Injection') vulnerability in Membership Software WishList Member X allows Code Injection.This issue affects WishList Member X: from n/a before 3.26.7. | ||||
| CVE-2024-3816 | 2024-06-28 | N/A | ||
| Sites managed in S@M CMS (Concept Intermedia) might be vulnerable to a blind SQL Injection executed using the search bar. Only a part of observed services is vulnerable, but since vendor has not investigated the root problem, it is hard to determine when the issue appears. | ||||
| CVE-2024-3801 | 2024-06-28 | N/A | ||
| Sites managed in S@M CMS (Concept Intermedia) might be vulnerable to Reflected XSS via including scripts in one of GET header parameters. Only a part of observed services is vulnerable, but since vendor has not investigated the root problem, it is hard to determine when the issue appears. | ||||
| CVE-2024-37741 | 2024-06-28 | N/A | ||
| OpenPLC 3 through 9cd8f1b allows XSS via an SVG document as a profile picture. | ||||
| CVE-2024-6307 | 2024-06-28 | 6.4 Medium | ||
| WordPress Core is vulnerable to Stored Cross-Site Scripting via the HTML API in various versions prior to 6.5.5 due to insufficient input sanitization and output escaping on URLs. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-5736 | 2024-06-28 | N/A | ||
| Server Side Request Forgery (SSRF) vulnerability in AdmirorFrames Joomla! extension in afGdStream.php script allows to access local files or server pages available only from localhost. This issue affects AdmirorFrames: before 5.0. | ||||
| CVE-2024-5735 | 2024-06-28 | N/A | ||
| Full Path Disclosure vulnerability in AdmirorFrames Joomla! extension in afHelper.php script allows an unauthorised attacker to retrieve location of web root folder. This issue affects AdmirorFrames: before 5.0. | ||||
| CVE-2024-5737 | 2024-06-28 | N/A | ||
| Script afGdStream.php in AdmirorFrames Joomla! extension doesn’t specify a content type and as a result default (text/html) is used. An attacker may embed HTML tags directly in image data which is rendered by a webpage as HTML. This issue affects AdmirorFrames: before 5.0. | ||||
| CVE-2024-5922 | 2024-06-28 | 6.4 Medium | ||
| The Scylla lite theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter within the theme's Button shortcode in all versions up to, and including, 1.8.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-5662 | 2024-06-28 | 6.4 Medium | ||
| The Ultimate Post Kit Addons For Elementor – (Post Grid, Post Carousel, Post Slider, Category List, Post Tabs, Timeline, Post Ticker, Tag Cloud) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter within the Social Count (Static) widget in all versions up to, and including, 3.11.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-5424 | 2024-06-28 | 6.4 Medium | ||
| The Gallery Blocks with Lightbox. Image Gallery, (HTML5 video , YouTube, Vimeo) Video Gallery and Lightbox for native gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘galleryID’ and 'className' parameters in all versions up to, and including, 3.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-6288 | 2024-06-28 | 4.7 Medium | ||
| The Conversios – Google Analytics 4 (GA4), Meta Pixel & more Via Google Tag Manager For WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘tiktok_user_id’ parameter in all versions up to, and including, 7.0.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2024-2795 | 2024-06-28 | 5.3 Medium | ||
| The SEO SIMPLE PACK plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 3.2.1 via META description. This makes it possible for unauthenticated attackers to extract limited information about password protected posts. | ||||
| CVE-2024-5788 | 2024-06-28 | 6.4 Medium | ||
| The Silesia theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘link’ attribute within the theme's Button shortcode in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-30111 | 2024-06-28 | 3.3 Low | ||
| HCL DRYiCE AEX product is impacted by Missing Root Detection vulnerability in the mobile application. The mobile app can be installed in the rooted device due to which malicious users can gain unauthorized access to the rooted devices, compromising security and potentially leading to data breaches or other malicious activities. | ||||
| CVE-2024-39347 | 2024-06-28 | 5.9 Medium | ||
| Incorrect default permissions vulnerability in firewall functionality in Synology Router Manager (SRM) before 1.2.5-8227-11 and 1.3.1-9346-8 allows man-in-the-middle attackers to access highly sensitive intranet resources via unspecified vectors. | ||||
| CVE-2024-39352 | 2024-06-28 | 4.9 Medium | ||
| A vulnerability regarding incorrect authorization is found in the firmware upgrade functionality. This allows remote authenticated users with administrator privileges to bypass firmware integrity check via unspecified vectors. The following models with Synology Camera Firmware versions before 1.0.7-0298 may be affected: BC500 and TC500. | ||||