Vulnerabilities (CVE)

Filtered by CWE-94
Total 5230 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-36581 2024-11-21 N/A 7.6 HIGH
A Prototype Pollution issue in abw badger-database 1.2.1 allows an attacker to execute arbitrary code via dist/badger-database.esm.
CVE-2024-36575 2024-11-21 N/A 9.8 CRITICAL
A Prototype Pollution issue in getsetprop 1.1.0 allows an attacker to execute arbitrary code via global.accessor.
CVE-2024-36456 2024-11-21 N/A N/A
This vulnerability allows an unauthenticated attacker to achieve remote command execution on the affected PAM system by uploading a specially crafted PAM upgrade file.
CVE-2024-36361 2024-11-21 N/A 6.8 MEDIUM
Pug through 3.0.2 allows JavaScript code execution if an application accepts untrusted input for the name option of the compileClient, compileFileClient, or compileClientWithDependenciesTracked function. NOTE: these functions are for compiling Pug templates into JavaScript, and there would typically be no reason to allow untrusted callers.
CVE-2024-36268 1 Apache 1 Inlong 2024-11-21 N/A 9.8 CRITICAL
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache InLong. This issue affects Apache InLong: from 1.10.0 through 1.12.0, which could lead to Remote Code Execution. Users are advised to upgrade to Apache InLong's 1.13.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/10251
CVE-2024-36120 2024-11-21 N/A 8.1 HIGH
javascript-deobfuscator removes common JavaScript obfuscation techniques. In affected versions crafted payloads targeting expression simplification can lead to code execution. This issue has been patched in version 1.1.0. Users are advised to update. Users unable to upgrade should disable the expression simplification feature.
CVE-2024-36075 2024-11-21 N/A 6.5 MEDIUM
The CoSoSys Endpoint Protector through 5.9.3 and Unify agent through 7.0.6 is susceptible to an arbitrary code execution vulnerability due to the way an archive obtained from the Endpoint Protector or Unify server is extracted on the endpoint. An attacker who is able to modify the archive on the server could obtain remote code execution as an administrator on an endpoint.
CVE-2024-36074 2024-11-21 N/A 7.2 HIGH
Netwrix CoSoSys Endpoint Protector through 5.9.3 and CoSoSys Unify through 7.0.6 contain a remote code execution vulnerability in the Endpoint Protector and Unify agent in the way that the EasyLock dependency is acquired from the server. An attacker with administrative access to the Endpoint Protector or Unify server can cause a client to acquire and execute a malicious file resulting in remote code execution.
CVE-2024-34761 2024-11-21 N/A 8.5 HIGH
Vulnerability discovered by executing a planned security audit. Improper Control of Generation of Code ('Code Injection') vulnerability in WPENGINE INC Advanced Custom Fields PRO allows Code Injection. This issue affects Advanced Custom Fields PRO: from n/a before 6.2.10.
CVE-2024-34405 2024-11-21 N/A 9.1 CRITICAL
Improper deep link validation in McAfee Security: Antivirus VPN for Android before 8.3.0 could allow an attacker to launch an arbitrary URL within the app.
CVE-2024-33644 2024-11-21 N/A 9.9 CRITICAL
Improper Control of Generation of Code ('Code Injection') vulnerability in WPCustomify Customify Site Library allows Code Injection. This issue affects Customify Site Library: from n/a through 0.0.9.
CVE-2024-33335 2024-11-21 N/A 6.3 MEDIUM
SQL Injection vulnerability in H3C technology company SeaSQL DWS V2.0 allows a remote attacker to execute arbitrary code via a crafted file.
CVE-2024-33294 2024-11-21 N/A 9.1 CRITICAL
An issue in Library System using PHP/MySQli with Source Code V1.0 allows a remote attacker to execute arbitrary code via the _FAILE variable in the student_edit_photo.php component.
CVE-2024-33228 2024-11-21 N/A 8.4 HIGH
An issue in the component segwindrvx64.sys of Insyde Software Corp SEG Windows Driver v100.00.07.02 allows attackers to escalate privileges and execute arbitrary code via sending crafted IOCTL requests.
CVE-2024-33225 2024-11-21 N/A 7.8 HIGH
An issue in the component RTKVHD64.sys of Realtek Semiconductor Corp Realtek(r) High Definition Audio Function Driver v6.0.9549.1 allows attackers to escalate privileges and execute arbitrary code via sending crafted IOCTL requests.
CVE-2024-32599 2024-11-21 N/A 10.0 CRITICAL
Improper Control of Generation of Code ('Code Injection') vulnerability in Deepak anand WP Dummy Content Generator. This issue affects WP Dummy Content Generator: from n/a through 3.2.1.
CVE-2024-32030 2024-11-21 N/A 8.1 HIGH
Kafka UI is an Open-Source Web UI for Apache Kafka Management. Kafka UI API allows users to connect to different Kafka brokers by specifying their network address and port. As a separate feature, it also provides the ability to monitor the performance of Kafka brokers by connecting to their JMX ports. JMX is based on the RMI protocol, so it is inherently susceptible to deserialization attacks. A potential attacker can exploit this feature by connecting Kafka UI backend to its own malicious broker. This vulnerability affects the deployments where one of the following occurs: 1. dynamic.config.enabled property is set in settings. It's not enabled by default, but it's suggested to be enabled in many tutorials for Kafka UI, including its own README.md. OR 2. an attacker has access to the Kafka cluster that is being connected to Kafka UI. In this scenario the attacker can exploit this vulnerability to expand their access and execute code on Kafka UI as well. Instead of setting up a legitimate JMX port, an attacker can create an RMI listener that returns a malicious serialized object for any RMI call. In the worst case it could lead to remote code execution as Kafka UI has the required gadget chains in its classpath. This issue may lead to post-auth remote code execution. This is particularly dangerous as Kafka-UI does not have authentication enabled by default. This issue has been addressed in version 0.7.2. All users are advised to upgrade. There are no known workarounds for this vulnerability. These issues were discovered and reported by the GitHub Security Lab and are also tracked as GHSL-2023-230.
CVE-2024-31974 2024-11-21 N/A 6.3 MEDIUM
The com.solarized.firedown (aka Solarized FireDown Browser & Downloader) application 1.0.76 for Android allows a remote attacker to execute arbitrary JavaScript code via a crafted intent. com.solarized.firedown.IntentActivity uses a WebView component to display web content and doesn't adequately sanitize the URI or any extra data passed in the intent by any installed application (with no permissions).
CVE-2024-31390 2024-11-21 N/A 9.9 CRITICAL
Improper Control of Generation of Code ('Code Injection') vulnerability in Soflyy Breakdance allows Code Injection. This issue affects Breakdance: from n/a through 1.7.2.
CVE-2024-31380 2024-11-21 N/A 9.9 CRITICAL
Improper Control of Generation of Code ('Code Injection') vulnerability in Soflyy Oxygen Builder allows Code Injection. Vendor is ignoring report, refuses to patch the issue. This issue affects Oxygen Builder: from n/a through 4.9.