Total: 265782 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2024-7489 | | | 2024-10-16 | 4.4 Medium | The Forms for Mailchimp by Optin Cat – Grow Your MailChimp List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form color parameters in all versions up to, and including, 2.5.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-9937 | | | 2024-10-16 | 6.1 Medium | The Woo Manage Fraud Orders plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 6.1.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CVE-2024-9888 | | | 2024-10-16 | 5.4 Medium | The ElementInvader Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's contact form widget redirect URL in all versions up to, and including, 1.2.8 due to insufficient input sanitization and output escaping of user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-9873 | | | 2024-10-16 | 5.4 Medium | The Community by PeepSo – Social Network, Membership, Registration, User Profiles, Premium – Mobile App plugin for WordPress is vulnerable to Stored Cross-Site Scripting via URLs in posts, comments, and profiles when Markdown support is enabled, in all versions up to, and including, 6.4.6.1, due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2024-3056 | 3 Fedoraproject, Podman Project, Redhat | 5 Fedora, Podman, Enterprise Linux and 2 more | 2024-10-16 | 7.7 High | A flaw was found in Podman. This issue may allow an attacker to create a specially crafted container that, when configured to share the same IPC namespace with at least one other container, can create a large number of IPC resources in /dev/shm. The malicious container will continue to exhaust resources until it is out-of-memory (OOM) killed. While the malicious container's cgroup will be removed, the IPC resources it created are not. Those resources are tied to the IPC namespace, which is not removed until all containers using it are stopped, and one non-malicious container is holding the namespace open. The malicious container is then restarted, either automatically or by attacker control, repeating the process and increasing the amount of memory consumed. With a container configured to always restart, such as `podman run --restart=always`, this can result in a memory-based denial of service of the system.
CVE-2023-23758 | 1 Creative-solutions | 1 Creative Gallery | 2024-10-16 | 9.8 Critical | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability allows SQL Injection.
CVE-2023-34476 | 1 Mooj | 1 Proforms | 2024-10-16 | 9.8 Critical | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability allows SQL Injection.
CVE-2023-39974 | 1 Acymailing | 1 Acymailing | 2024-10-16 | 5.3 Medium | Exposure of Sensitive Information vulnerability in the AcyMailing Enterprise component for Joomla. It allows unauthorized actors to obtain the number of subscribers in a specific list.
CVE-2023-39973 | 1 Acymailing | 1 Acymailing | 2024-10-16 | 4.3 Medium | Improper Access Control vulnerability in the AcyMailing Enterprise component for Joomla. It allows the unauthorized removal of attachments from campaigns.
CVE-2023-39972 | 1 Acymailing | 1 Acymailing | 2024-10-16 | 4.3 Medium | Improper Access Control vulnerability in the AcyMailing Enterprise component for Joomla. It allows unauthorized users to create new mailing lists.
CVE-2023-34477 | 1 Braincert | 1 Virtual Classroom | 2024-10-16 | 9.8 Critical | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability allows SQL Injection.
CVE-2023-39970 | 1 Acyba | 1 Acymailing Starter | 2024-10-16 | 9.8 Critical | Unrestricted Upload of File with Dangerous Type vulnerability in the AcyMailing component for Joomla. It allows remote code execution.
CVE-2023-40630 | 1 Joomcode | 1 Jcdashboard | 2024-10-16 | 9.8 Critical | Unauthenticated LFI/SSRF in the JCDashboards component for Joomla.
CVE-2023-23757 | 1 Bestaddon | 1 Bestaddon Gallery | 2024-10-16 | 9.8 Critical | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability allows SQL Injection.
CVE-2023-39971 | 1 Acymailing | 1 Acymailing | 2024-10-16 | 6.1 Medium | Improper Neutralization of Input During Web Page Generation vulnerability in the AcyMailing Enterprise component for Joomla allows XSS. This issue affects the AcyMailing Enterprise component for Joomla: 6.7.0-8.6.3.
CVE-2023-38044 | 1 Hikashop | 1 Hikashop | 2024-10-16 | 9.8 Critical | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability allows SQL Injection.
CVE-2024-45409 | 3 Gitlab, Omniauth, Onelogin | 4 Gitlab, Omniauth-saml, Omniauth Saml and 1 more | 2024-10-16 | 10 Critical | The Ruby SAML library is for implementing the client side of a SAML authorization. Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 does not properly verify the signature of the SAML Response. An unauthenticated attacker with access to any SAML document signed by the IdP can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as an arbitrary user within the vulnerable system. This vulnerability is fixed in 1.17.0 and 1.12.3.
CVE-2024-10018 | | | 2024-10-16 | N/A | Improper permission control in the mobile application (com.transsion.aivoiceassistant) can lead to the launch of any unexported component.
CVE-2024-9891 | | | 2024-10-16 | 4.3 Medium | The Multiline files upload for contact form 7 plugin for WordPress is vulnerable to unauthorized plugin deactivation due to a missing capability check on the mfcf7_zl_custom_handle_deactivation_plugin_form_submission() function in all versions up to, and including, 2.8.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to deactivate the plugin and send a custom reason from the site.
CVE-2024-9652 | | | 2024-10-16 | 6.1 Medium | The Locatoraid Store Locator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via $_POST keys in all versions up to, and including, 3.9.47 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.