Total
4517 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-48964 | 1 Snyk | 1 Snyk Cli | 2024-10-30 | N/A | 7.5 HIGH |
| The package Snyk CLI before 1.1294.0 is vulnerable to Code Injection when scanning an untrusted Gradle project. The vulnerability can be triggered if Snyk test is run inside the untrusted project due to the improper handling of the current working directory name. Snyk recommends only scanning trusted projects. | |||||
| CVE-2024-48655 | 2024-10-29 | N/A | 8.8 HIGH | ||
| An issue in Total.js CMS v.1.0 allows a remote attacker to execute arbitrary code via the func.js file. | |||||
| CVE-2024-48700 | 2024-10-29 | N/A | 7.2 HIGH | ||
| Kliqqi-CMS has a background arbitrary code execution vulnerability that attackers can exploit to implant backdoors or getShell via the edit_page.php component. | |||||
| CVE-2024-10073 | 1 Informatik.hu-berlin | 1 Flair | 2024-10-29 | 5.1 MEDIUM | 5.0 MEDIUM |
| A vulnerability, which was classified as critical, was found in flairNLP flair 0.14.0. Affected is the function ClusteringModel of the file flair\models\clustering.py of the component Mode File Loader. The manipulation leads to code injection. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-50450 | 1 Pluginus | 1 Wordpress Meta Data And Taxonomies Filter | 2024-10-29 | N/A | 7.3 HIGH |
| Improper Control of Generation of Code ('Code Injection') vulnerability in realmag777 WordPress Meta Data and Taxonomies Filter (MDTF) allows Code Injection.This issue affects WordPress Meta Data and Taxonomies Filter (MDTF): from n/a through 1.3.3.4. | |||||
| CVE-2024-9593 | 1 Wpplugin | 1 Time Clock | 2024-10-29 | N/A | 8.3 HIGH |
| The Time Clock plugin and Time Clock Pro plugin for WordPress are vulnerable to Remote Code Execution in versions up to, and including, 1.2.2 (for Time Clock) and 1.1.4 (for Time Clock Pro) via the 'etimeclockwp_load_function_callback' function. This allows unauthenticated attackers to execute code on the server. The invoked function's parameters cannot be specified. | |||||
| CVE-2024-48581 | 2024-10-28 | N/A | 9.8 CRITICAL | ||
| File Upload vulnerability in Best courier management system in php v.1.0 allows a remote attacker to execute arbitrary code via the admin_class.php component. | |||||
| CVE-2024-48204 | 2024-10-28 | N/A | 9.8 CRITICAL | ||
| SQL injection vulnerability in Hanzhou Haobo network management system 1.0 allows a remote attacker to execute arbitrary code via a crafted script. | |||||
| CVE-2024-9162 | 2024-10-28 | N/A | 7.2 HIGH | ||
| The All-in-One WP Migration and Backup plugin for WordPress is vulnerable to arbitrary PHP Code Injection due to missing file type validation during the export in all versions up to, and including, 7.86. This makes it possible for authenticated attackers, with Administrator-level access and above, to create an export file with the .php extension on the affected site's server, adding an arbitrary PHP code to it, which may make remote code execution possible. | |||||
| CVE-2024-48579 | 2024-10-28 | N/A | 9.8 CRITICAL | ||
| SQL Injection vulnerability in Best House rental management system project in php v.1.0 allows a remote attacker to execute arbitrary code via the username parameter of the login request. | |||||
| CVE-2024-41712 | 2024-10-23 | N/A | 6.6 MEDIUM | ||
| A vulnerability in the Web Conferencing Component of Mitel MiCollab through 9.8.1.5 could allow an authenticated attacker to conduct a command injection attack, due to insufficient validation of user input. A successful exploit could allow an attacker to execute arbitrary commands on the system within the context of the user. | |||||
| CVE-2024-35315 | 2024-10-23 | N/A | 5.6 MEDIUM | ||
| A vulnerability in the Desktop Client of Mitel MiCollab through 9.7.1.110, and MiVoice Business Solution Virtual Instance (MiVB SVI) 1.0.0.25, could allow an authenticated attacker to conduct a privilege escalation attack due to improper file validation. A successful exploit could allow an attacker to run arbitrary code with elevated privileges. | |||||
| CVE-2024-41714 | 2024-10-23 | N/A | 8.8 HIGH | ||
| A vulnerability in the Web Interface component of Mitel MiCollab through 9.8 SP1 (9.8.1.5) and MiVoice Business Solution Virtual Instance (MiVB SVI) through 1.0.0.27 could allow an authenticated attacker to conduct a command injection attack, due to insufficient parameter sanitization. A successful exploit could allow an attacker to execute arbitrary commands with elevated privileges within the context of the system. | |||||
| CVE-2024-27766 | 2024-10-21 | N/A | 5.7 MEDIUM | ||
| An issue in MariaDB v.11.1 allows a remote attacker to execute arbitrary code via the lib_mysqludf_sys.so function. NOTE: this is disputed by the MariaDB Foundation because no privilege boundary is crossed. | |||||
| CVE-2023-39593 | 2024-10-21 | N/A | 5.6 MEDIUM | ||
| Insecure permissions in the sys_exec function of MariaDB v10.5 allows authenticated attackers to execute arbitrary commands with elevated privileges. NOTE: this is disputed by the MariaDB Foundation because no privilege boundary is crossed. | |||||
| CVE-2023-26785 | 2024-10-21 | N/A | 9.8 CRITICAL | ||
| MariaDB v10.5 was discovered to contain a remote code execution (RCE) vulnerability via UDF Code in a Shared Object File, followed by a "create function" statement. NOTE: this is disputed by the MariaDB Foundation because no privilege boundary is crossed. | |||||
| CVE-2024-43363 | 1 Cacti | 1 Cacti | 2024-10-17 | N/A | 7.2 HIGH |
| Cacti is an open source performance and fault management framework. An admin user can create a device with a malicious hostname containing php code and repeat the installation process (completing only step 5 of the installation process is enough, no need to complete the steps before or after it) to use a php file as the cacti log file. After having the malicious hostname end up in the logs (log poisoning), one can simply go to the log file url to execute commands to achieve RCE. This issue has been addressed in version 1.2.28 and all users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2024-41997 | 2024-10-16 | N/A | 6.6 MEDIUM | ||
| An issue was discovered in version of Warp Terminal prior to 2024.07.18 (v0.2024.07.16.08.02). A command injection vulnerability exists in the Docker integration functionality. An attacker can create a specially crafted hyperlink using the `warp://action/docker/open_subshell` intent that when clicked by the victim results in command execution on the victim's machine. | |||||
| CVE-2023-31493 | 2024-10-16 | N/A | 6.6 MEDIUM | ||
| RCE (Remote Code Execution) exists in ZoneMinder through 1.36.33 as an attacker can create a new .php log file in language folder, while executing a crafted payload and escalate privileges allowing execution of any commands on the remote system. | |||||
| CVE-2024-49254 | 2024-10-16 | N/A | 10.0 CRITICAL | ||
| Improper Control of Generation of Code ('Code Injection') vulnerability in Sunjianle allows Code Injection.This issue affects ajax-extend: from n/a through 1.0. | |||||