Total: 4525 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2024-39331 | | | 2024-11-21 | N/A | 9.8 CRITICAL | In Emacs before 29.4, org-link-expand-abbrev in lisp/ol.el expands a %(...) link abbrev even when it specifies an unsafe function, such as shell-command-to-string. This affects Org Mode before 9.7.5.
CVE-2024-39236 | | | 2024-11-21 | N/A | 9.8 CRITICAL | Gradio v4.36.1 was discovered to contain a code injection vulnerability via the component /gradio/component_meta.py. This vulnerability is triggered via a crafted input. NOTE: the supplier disputes this because the report is about a user attacking himself.
CVE-2024-39209 | | | 2024-11-21 | N/A | 6.3 MEDIUM | luci-app-sms-tool v1.9-6 was discovered to contain a command injection vulnerability via the score parameter.
CVE-2024-39071 | | | 2024-11-21 | N/A | 9.8 CRITICAL | Fujian Kelixun <=7.6.6.4391 is vulnerable to SQL Injection in send_event.php.
CVE-2024-39017 | | | 2024-11-21 | N/A | 9.8 CRITICAL | agreejs shared v0.0.1 was discovered to contain a prototype pollution via the function mergeInternalComponents. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
CVE-2024-39015 | | | 2024-11-21 | N/A | 9.8 CRITICAL | cafebazaar hod v0.4.14 was discovered to contain a prototype pollution via the function request. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
CVE-2024-39002 | | | 2024-11-21 | N/A | 6.3 MEDIUM | rjrodger jsonic-next v2.12.1 was discovered to contain a prototype pollution via the function util.clone. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
CVE-2024-38993 | | | 2024-11-21 | N/A | 9.8 CRITICAL | rjrodger jsonic-next v2.12.1 was discovered to contain a prototype pollution via the function empty. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
CVE-2024-38990 | | | 2024-11-21 | N/A | 6.3 MEDIUM | Tada5hi sp-common v0.5.4 was discovered to contain a prototype pollution via the function mergeDeep. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
CVE-2024-38944 | | | 2024-11-21 | N/A | 9.8 CRITICAL | An issue in Intelight X-1L Traffic controller Maxtime v.1.9.6 allows a remote attacker to execute arbitrary code via the /cgi-bin/generateForm.cgi?formID=142 component.
CVE-2024-38458 | 1 Xenforo | 1 Xenforo | 2024-11-21 | N/A | 8.8 HIGH | Xenforo before 2.2.16 allows code injection.
CVE-2024-38448 | | | 2024-11-21 | N/A | 9.1 CRITICAL | htags in GNU Global through 6.6.12 allows code execution in situations where dbpath (aka -d) is untrusted, because shell metacharacters may be used.
CVE-2024-38396 | | | 2024-11-21 | N/A | 9.8 CRITICAL | An issue was discovered in iTerm2 3.5.x before 3.5.2. Unfiltered use of an escape sequence to report a window title, in combination with the built-in tmux integration feature (enabled by default), allows an attacker to inject arbitrary code into the terminal, a different vulnerability than CVE-2024-38395.
CVE-2024-38395 | | | 2024-11-21 | N/A | 9.8 CRITICAL | In iTerm2 before 3.5.2, the "Terminal may report window title" setting is not honored, and thus remote code execution might occur but "is not trivially exploitable."
CVE-2024-38319 | | | 2024-11-21 | N/A | 7.5 HIGH | IBM Security SOAR 51.0.2.0 could allow an authenticated user to execute malicious code loaded from a specially crafted script. IBM X-Force ID: 294830.
CVE-2024-37934 | 1 Ninjaforms | 1 Ninja Forms | 2024-11-21 | N/A | 5.4 MEDIUM | Improper Control of Generation of Code ('Code Injection') vulnerability in Saturday Drive Ninja Forms allows Code Injection. This issue affects Ninja Forms: from n/a through 3.8.4.
CVE-2024-37885 | 2 Apple, Nextcloud | 2 Macos, Desktop | 2024-11-21 | N/A | 3.8 LOW | The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with your computer. A code injection in Nextcloud Desktop Client for macOS allowed loading arbitrary code when starting the client with DYLD_INSERT_LIBRARIES set in the environment. It is recommended that the Nextcloud Desktop client is upgraded to 3.12.0.
CVE-2024-37855 | | | 2024-11-21 | N/A | 8.4 HIGH | An issue in Nepstech Wifi Router xpon (terminal) NTPL-Xpon1GFEVN, hardware version 1.0 firmware 2.0.1 allows a remote attacker to execute arbitrary code via the router's Telnet port 2345 without requiring authentication credentials.
CVE-2024-37849 | 1 Itsourcecode | 1 Billing System | 2024-11-21 | N/A | 9.8 CRITICAL | A SQL Injection vulnerability in itsourcecode Billing System 1.0 allows a local attacker to execute arbitrary code in process.php via the username parameter.
CVE-2024-37821 | | | 2024-11-21 | N/A | 8.8 HIGH | An arbitrary file upload vulnerability in the Upload Template function of Dolibarr ERP CRM up to v19.0.1 allows attackers to execute arbitrary code via uploading a crafted .SQL file.
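Five of the entries above (CVE-2024-39017, CVE-2024-39015, CVE-2024-39002, CVE-2024-38993, CVE-2024-38990) describe the same bug class: a recursive merge or clone helper that copies attacker-controlled keys, including `__proto__`, into a target object and so writes into `Object.prototype`. The block below is an added illustration of that class, not code from any of the listed packages; `mergeDeepUnsafe`, `mergeDeepSafe` and the `payload` string are constructed for the demo. It shows the naive merge beside a hardened one and a `demo` helper that reports whether an unrelated object ended up with the injected property.

```javascript
// Added example: prototype pollution through a naive deep merge, and a fix.
// Nothing here is taken from the packages in the CVE table; names and the
// payload are constructed for this demonstration.

// VULNERABLE: iterates every enumerable key, including an own property
// literally named "__proto__" (which JSON.parse happily creates), and then
// recurses into target["__proto__"], i.e. into Object.prototype.
function mergeDeepUnsafe(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      mergeDeepUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Keys that must never be merged from untrusted input.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Only plain data objects are recursed into; class instances, arrays,
// functions and Object.prototype itself are treated as leaf values.
function isPlainObject(v) {
  if (v === null || typeof v !== 'object') return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

// HARDENED: own keys only, forbidden keys rejected, and the merge never
// writes into an object it did not create or that the caller did not own.
function mergeDeepSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing to merge forbidden key "${key}"`);
    }
    const value = source[key];
    if (isPlainObject(value)) {
      const existing =
        Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key])
          ? target[key]
          : {};
      target[key] = mergeDeepSafe(existing, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Wrapper that accepts the hardened merge's rejection and reports it.
function mergeDeepSafeOrReject(target, source) {
  try {
    return { ok: true, result: mergeDeepSafe(target, source) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Runs one merge with a constructed attacker payload and checks whether a
// brand-new, unrelated object now sees the injected property. Cleans up
// Object.prototype afterwards so repeated runs start from a clean state.
function demo(merge) {
  // Constructed payload: what an attacker would send as JSON body/config.
  const payload = JSON.parse('{"__proto__": {"polluted": true}, "theme": {"dark": true}}');
  const config = { theme: { dark: false } };
  const outcome = merge(config, payload);
  const victim = {};
  const report = {
    accepted: outcome === undefined ? true : outcome.ok !== false,
    victimPolluted: victim.polluted === true,
  };
  delete Object.prototype.polluted;
  return report;
}

console.log('unsafe merge :', demo(mergeDeepUnsafe));
console.log('safe merge   :', demo(mergeDeepSafeOrReject));
```

Rejecting rather than silently skipping the forbidden keys is the better default for a library: a dropped key hides the fact that someone is sending pollution payloads, while a thrown error surfaces in logs. For applications that cannot patch every merge helper, `Object.freeze(Object.prototype)` at startup, or building config objects with `Object.create(null)`, closes the write path that all five listed CVEs rely on.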