Total 265782 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2024-7489 2024-10-16 4.4 Medium
The Forms for Mailchimp by Optin Cat – Grow Your MailChimp List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form color parameters in all versions up to, and including, 2.5.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-9937 2024-10-16 6.1 Medium
The Woo Manage Fraud Orders plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 6.1.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVE-2024-9888 2024-10-16 5.4 Medium
The ElementInvader Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's contact form widget redirect URL in all versions up to, and including, 1.2.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-9873 2024-10-16 5.4 Medium
The Community by PeepSo – Social Network, Membership, Registration, User Profiles, Premium – Mobile App plugin for WordPress is vulnerable to Stored Cross-Site Scripting via URLs in posts, comments, and profiles when Markdown support is enabled in all versions up to, and including, 6.4.6.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-3056 3 Fedoraproject, Podman Project, Redhat 5 Fedora, Podman, Enterprise Linux and 2 more 2024-10-16 7.7 High
A flaw was found in Podman. This issue may allow an attacker to create a specially crafted container that, when configured to share the same IPC with at least one other container, can create a large number of IPC resources in /dev/shm. The malicious container will continue to exhaust resources until it is out-of-memory (OOM) killed. While the malicious container's cgroup will be removed, the IPC resources it created are not. Those resources are tied to the IPC namespace that will not be removed until all containers using it are stopped, and one non-malicious container is holding the namespace open. The malicious container is restarted, either automatically or by attacker control, repeating the process and increasing the amount of memory consumed. With a container configured to restart always, such as `podman run --restart=always`, this can result in a memory-based denial of service of the system.
CVE-2023-23758 1 Creative-solutions 1 Creative Gallery 2024-10-16 9.8 Critical
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability allows SQL Injection.
CVE-2023-34476 1 Mooj 1 Proforms 2024-10-16 9.8 Critical
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability allows SQL Injection.
CVE-2023-39974 1 Acymailing 1 Acymailing 2024-10-16 5.3 Medium
Exposure of Sensitive Information vulnerability in AcyMailing Enterprise component for Joomla. It allows unauthorized actors to get the number of subscribers in a specific list.
CVE-2023-39973 1 Acymailing 1 Acymailing 2024-10-16 4.3 Medium
Improper Access Control vulnerability in AcyMailing Enterprise component for Joomla. It allows the unauthorized removal of attachments from campaigns.
CVE-2023-39972 1 Acymailing 1 Acymailing 2024-10-16 4.3 Medium
Improper Access Control vulnerability in AcyMailing Enterprise component for Joomla. It allows unauthorized users to create new mailing lists.
CVE-2023-34477 1 Braincert 1 Virtual Classroom 2024-10-16 9.8 Critical
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability allows SQL Injection.
CVE-2023-39970 1 Acyba 1 Acymailing Starter 2024-10-16 9.8 Critical
Unrestricted Upload of File with Dangerous Type vulnerability in AcyMailing component for Joomla. It allows remote code execution.
CVE-2023-40630 1 Joomcode 1 Jcdashboard 2024-10-16 9.8 Critical
Unauthenticated LFI/SSRF in JCDashboards component for Joomla.
CVE-2023-23757 1 Bestaddon 1 Bestaddon Gallery 2024-10-16 9.8 Critical
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability allows SQL Injection.
CVE-2023-39971 1 Acymailing 1 Acymailing 2024-10-16 6.1 Medium
Improper Neutralization of Input During Web Page Generation vulnerability in AcyMailing Enterprise component for Joomla allows XSS. This issue affects AcyMailing Enterprise component for Joomla: 6.7.0-8.6.3.
CVE-2023-38044 1 Hikashop 1 Hikashop 2024-10-16 9.8 Critical
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability allows SQL Injection.
CVE-2024-45409 3 Gitlab, Omniauth, Onelogin 4 Gitlab, Omniauth-saml, Omniauth Saml and 1 more 2024-10-16 10 Critical
The Ruby SAML library is for implementing the client side of a SAML authorization. Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 does not properly verify the signature of the SAML Response. An unauthenticated attacker with access to any signed saml document (by the IdP) can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as arbitrary user within the vulnerable system. This vulnerability is fixed in 1.17.0 and 1.12.3.
CVE-2024-10018 2024-10-16 N/A
Improper permission control in the mobile application (com.transsion.aivoiceassistant) can lead to the launch of any unexported component.
CVE-2024-9891 2024-10-16 4.3 Medium
The Multiline files upload for contact form 7 plugin for WordPress is vulnerable to unauthorized plugin deactivation due to a missing capability check on the mfcf7_zl_custom_handle_deactivation_plugin_form_submission() function in all versions up to, and including, 2.8.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to deactivate the plugin and send a custom reason from the site.
CVE-2024-9652 2024-10-16 6.1 Medium
The Locatoraid Store Locator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via $_POST keys in all versions up to, and including, 3.9.47 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.