Total
4690 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-11102 | 2 Mayurik, Sourcecodester | 2 Hospital Management System, Online Hospital Management System | 2024-11-18 | 3.5 Low |
| A vulnerability was found in SourceCodester Hospital Management System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /vm/doctor/edit-doc.php. The manipulation of the argument name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. | ||||
| CVE-2024-21534 | 2 Jsonpath-plus, Redhat | 2 Jsonpath, Openshift Devspaces | 2024-11-18 | 9.8 Critical |
| All versions of the package jsonpath-plus are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of vm in Node. **Note:** There were several attempts to fix it in versions [10.0.0-10.1.0](https://github.com/JSONPath-Plus/JSONPath/compare/v9.0.0...v10.1.0) but it could still be exploited using [different payloads](https://github.com/JSONPath-Plus/JSONPath/issues/226). | ||||
| CVE-2024-11175 | 1 Publiccms | 1 Publiccms | 2024-11-15 | 3.5 Low |
| A vulnerability was found in Public CMS 5.202406.d and classified as problematic. This issue affects some unknown processing of the file /admin/cmsVote/save of the component Voting Management. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The patch is named b9530b9cc1f5cfdad4b637874f59029a6283a65c. It is recommended to apply a patch to fix this issue. | ||||
| CVE-2024-11130 | 1 Zzcms | 1 Zzcms | 2024-11-15 | 2.4 Low |
| A vulnerability was found in ZZCMS up to 2023. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /admin/msg.php. The manipulation of the argument keyword leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-8069 | 1 Citrix Session Recording | 1 Citrix Session Recording | 2024-11-15 | 8.8 High |
| Limited remote code execution with privilege of a NetworkService Account access in Citrix Session Recording if the attacker is an authenticated user on the same intranet as the session recording server | ||||
| CVE-2024-10958 | 2 Opajaap, Wppa | 2 Wp Photo Album Plus, Wp Photo Album Plus | 2024-11-14 | 7.3 High |
| The The WP Photo Album Plus plugin for WordPress is vulnerable to arbitrary shortcode execution via getshortcodedrenderedfenodelay AJAX action in all versions up to, and including, 8.8.08.007 . This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. | ||||
| CVE-2024-21976 | 1 Amd | 1 Ryzen | 2024-11-13 | 8.8 High |
| Improper input validation in the NPU driver could allow an attacker to supply a specially crafted pointer potentially leading to arbitrary code execution. | ||||
| CVE-2024-46965 | 1 Google | 1 Ds Allvideo.downloader.browser Application For Android | 2024-11-12 | 5.4 Medium |
| The DS allvideo.downloader.browser (aka Fast Video Downloader: Browser) application through 1.6-RC1 for Android allows an attacker to execute arbitrary JavaScript code via the allvideo.downloader.browser.DefaultBrowserActivity component. | ||||
| CVE-2024-46966 | 1 Google | 1 Android | 2024-11-12 | 8.1 High |
| The Ikhgur mn.ikhgur.khotoch (aka Video Downloader Pro & Browser) application through 1.0.42 for Android allows an attacker to execute arbitrary JavaScript code via the mn.ikhgur.khotoch.MainActivity component. | ||||
| CVE-2024-46964 | 1 Google | 1 Android | 2024-11-12 | 8.1 High |
| The com.video.downloader.all (aka All Video Downloader) application through 11.28 for Android allows an attacker to execute arbitrary JavaScript code via the com.video.downloader.all.StartActivity component. | ||||
| CVE-2024-46963 | 1 Google | 1 Android | 2024-11-12 | 8.1 High |
| The com.superfast.video.downloader (aka Super Unlimited Video Downloader - All in One) application through 5.1.9 for Android allows an attacker to execute arbitrary JavaScript code via the com.bluesky.browser.ui.BrowserMainActivity component. | ||||
| CVE-2024-46962 | 1 Google | 1 Android | 2024-11-12 | 9.1 Critical |
| The SYQ com.downloader.video.fast (aka Master Video Downloader) application through 2.0 for Android allows an attacker to execute arbitrary JavaScript code via the com.downloader.video.fast.SpeedMainAct component. | ||||
| CVE-2024-10640 | 1 Realmag777 | 1 Fox-currency Switcher Professional | 2024-11-12 | 7.3 High |
| The The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.4.2.2. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. | ||||
| CVE-2024-51757 | 1 Capricorn86 | 1 Happy-dom | 2024-11-08 | N/A |
| happy-dom is a JavaScript implementation of a web browser without its graphical user interface. Versions of happy-dom prior to 15.10.2 may execute code on the host via a script tag. This would execute code in the user context of happy-dom. Users are advised to upgrade to version 15.10.2. There are no known workarounds for this vulnerability. | ||||
| CVE-2024-46961 | 1 Inshot.com | 1 X Downloader | 2024-11-08 | 8.1 High |
| The Inshot com.downloader.privatebrowser (aka Video Downloader - XDownloader) application through 1.3.5 for Android allows an attacker to execute arbitrary JavaScript code via the com.downloader.privatebrowser.activity.PrivateMainActivity component. | ||||
| CVE-2024-46960 | 1 Asdcom | 1 Hd Video Downloader | 2024-11-08 | 8.8 High |
| The ASD com.rocks.video.downloader (aka HD Video Downloader All Format) application through 7.0.129 for Android allows an attacker to execute arbitrary JavaScript code via the com.rocks.video.downloader.MainBrowserActivity component. | ||||
| CVE-2024-10263 | 1 Tickera | 1 Tickera | 2024-11-08 | 7.3 High |
| The Tickera – WordPress Event Ticketing plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.5.4.4. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. | ||||
| CVE-2024-47826 | 1 Elabftw | 1 Elabftw | 2024-11-08 | 3.5 Low |
| eLabFTW is an open source electronic lab notebook for research labs. A vulnerability in versions prior to 5.1.5 allows an attacker to inject arbitrary HTML tags in the pages: "experiments.php" (show mode), "database.php" (show mode) or "search.php". It works by providing HTML code in the extended search string, which will then be displayed back to the user in the error message. This means that injected HTML will appear in a red "alert/danger" box, and be part of an error message. Due to some other security measures, it is not possible to execute arbitrary javascript from this attack. As such, this attack is deemed low impact. Users should upgrade to at least version 5.1.5 to receive a patch. No known workarounds are available. | ||||
| CVE-2024-10035 | 1 Bg-tek | 2 Coslat, Coslatv3 Firmware | 2024-11-08 | 9.8 Critical |
| Improper Control of Generation of Code ('Code Injection') vulnerability in BG-TEK Informatics Security Technologies CoslatV3 allows Command Injection.This issue affects CoslatV3: through 3.1069. NOTE: The vendor was contacted and it was learned that the product is not supported. | ||||
| CVE-2024-48050 | 1 Modelscope | 1 Agentscope | 2024-11-06 | 9.8 Critical |
| In agentscope <=v0.0.4, the file agentscope\web\workstation\workflow_utils.py has the function is_callable_expression. Within this function, the line result = eval(s) poses a security risk as it can directly execute user-provided commands. | ||||