Total
305640 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-46840 | 1 Linux | 1 Linux Kernel | 2024-10-08 | N/A | 5.5 MEDIUM |
| In the Linux kernel, the following vulnerability has been resolved: btrfs: clean up our handling of refs == 0 in snapshot delete In reada we BUG_ON(refs == 0), which could be unkind since we aren't holding a lock on the extent leaf and thus could get a transient incorrect answer. In walk_down_proc we also BUG_ON(refs == 0), which could happen if we have extent tree corruption. Change that to return -EUCLEAN. In do_walk_down() we catch this case and handle it correctly, however we return -EIO, which -EUCLEAN is a more appropriate error code. Finally in walk_up_proc we have the same BUG_ON(refs == 0), so convert that to proper error handling. Also adjust the error message so we can actually do something with the information. | |||||
| CVE-2024-9172 | 1 Kraftplugins | 1 Demo Importer Plus | 2024-10-08 | N/A | 6.4 MEDIUM |
| The Demo Importer Plus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | |||||
| CVE-2024-44439 | 2024-10-08 | N/A | 5.9 MEDIUM | ||
| An issue in Shanghai Zhouma Network Technology CO., Ltd IMS Intelligent Manufacturing Collaborative Internet of Things System v.1.9.1 allows a remote attacker to escalate privileges via the open port. | |||||
| CVE-2024-9242 | 1 Memberful | 1 Memberful | 2024-10-08 | N/A | 6.4 MEDIUM |
| The Memberful – Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'memberful_buy_subscription_link' and 'memberful_podcasts_link' shortcodes in all versions up to, and including, 1.73.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-9306 | 1 Wpbookingcalendar | 1 Wp Booking Calendar | 2024-10-08 | N/A | 4.4 MEDIUM |
| The WP Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 10.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. In addition, site administrators have the option to grant lower-level users with access to manage the plugin's settings which may extend this vulnerability to those users. | |||||
| CVE-2024-9435 | 1 Plainware | 1 Shiftcontroller | 2024-10-08 | N/A | 6.1 MEDIUM |
| The ShiftController Employee Shift Scheduling plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via URL keys in all versions up to, and including, 4.9.66 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2024-9071 | 1 Sigmadevs | 1 Easy Demo Importer | 2024-10-08 | N/A | 6.4 MEDIUM |
| The Easy Demo Importer – A Modern One-Click Demo Import Solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | |||||
| CVE-2024-20434 | 1 Cisco | 1 Ios Xe | 2024-10-08 | N/A | 4.3 MEDIUM |
| A vulnerability in Cisco IOS XE Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on the control plane of an affected device. This vulnerability is due to improper handling of frames with VLAN tag information. An attacker could exploit this vulnerability by sending crafted frames to an affected device. A successful exploit could allow the attacker to render the control plane of the affected device unresponsive. The device would not be accessible through the console or CLI, and it would not respond to ping requests, SNMP requests, or requests from other control plane protocols. Traffic that is traversing the device through the data plane is not affected. A reload of the device is required to restore control plane services. | |||||
| CVE-2024-9271 | 1 Remilia | 1 Re\ | 2024-10-08 | N/A | 6.4 MEDIUM |
| The Re:WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | |||||
| CVE-2024-9345 | 1 Tychesoftwares | 1 Product Delivery Date For Woocommerce | 2024-10-08 | N/A | 6.1 MEDIUM |
| The Product Delivery Date for WooCommerce – Lite plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.7.3. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. This is only exploitable when notices are present. | |||||
| CVE-2022-49037 | 1 Synology | 1 Drive Client | 2024-10-08 | N/A | 6.5 MEDIUM |
| Insertion of sensitive information into log file vulnerability in proxy settings component in Synology Drive Client before 3.3.0-15082 allows remote authenticated users to obtain sensitive information via unspecified vectors. | |||||
| CVE-2022-49038 | 1 Synology | 1 Drive Client | 2024-10-08 | N/A | 7.8 HIGH |
| Inclusion of functionality from untrusted control sphere vulnerability in OpenSSL DLL component in Synology Drive Client before 3.3.0-15082 allows local users to execute arbitrary code via unspecified vectors. | |||||
| CVE-2022-49039 | 1 Synology | 1 Drive Client | 2024-10-08 | N/A | 6.7 MEDIUM |
| Out-of-bounds write vulnerability in backup task management functionality in Synology Drive Client before 3.4.0-15721 allows local users with administrator privileges to execute arbitrary commands via unspecified vectors. | |||||
| CVE-2024-20492 | 1 Cisco | 1 Telepresence Video Communication Server | 2024-10-08 | N/A | 6.0 MEDIUM |
| A vulnerability in the restricted shell of Cisco Expressway Series could allow an authenticated, local attacker to perform command injection attacks on the underlying operating system and elevate privileges to root. To exploit this vulnerability, the attacker must have Administrator-level credentials with read-write privileges on an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a series of crafted CLI commands. A successful exploit could allow the attacker to escape the restricted shell and gain root privileges on the underlying operating system of the affected device. Note: Cisco Expressway Series refers to Cisco Expressway Control (Expressway-C) devices and Cisco Expressway Edge (Expressway-E) devices. | |||||
| CVE-2022-49040 | 1 Synology | 1 Drive Client | 2024-10-08 | N/A | 4.4 MEDIUM |
| Buffer copy without checking size of input ('Classic Buffer Overflow') vulnerability in connection management functionality in Synology Drive Client before 3.4.0-15721 allows local users with administrator privileges to crash the client via unspecified vectors. | |||||
| CVE-2022-49041 | 1 Synology | 1 Drive Client | 2024-10-08 | N/A | 4.4 MEDIUM |
| Buffer copy without checking size of input ('Classic Buffer Overflow') vulnerability in backup task management functionality in Synology Drive Client before 3.4.0-15721 allows local users with administrator privileges to crash the client via unspecified vectors. | |||||
| CVE-2024-20477 | 1 Cisco | 2 Nexus Dashboard, Nexus Dashboard Fabric Controller | 2024-10-08 | N/A | 5.4 MEDIUM |
| A vulnerability in a specific REST API endpoint of Cisco NDFC could allow an authenticated, low-privileged, remote attacker to upload or delete files on an affected device. This vulnerability exists because of missing authorization controls on the affected REST API endpoint. An attacker could exploit this vulnerability by sending crafted API requests to the affected endpoint. A successful exploit could allow the attacker to upload files into a specific container or delete files from a specific folder within that container. This vulnerability only affects a specific REST API endpoint and does not affect the web-based management interface. | |||||
| CVE-2024-20491 | 1 Cisco | 3 Nexus Dashboard Fabric Controller, Nexus Dashboard Insights, Nexus Dashboard Orchestrator | 2024-10-08 | N/A | 6.3 MEDIUM |
| A vulnerability in a logging function of Cisco Nexus Dashboard Insights could allow an attacker with access to a tech support file to view sensitive information. This vulnerability exists because remote controller credentials are recorded in an internal log that is stored in the tech support file. An attacker could exploit this vulnerability by accessing a tech support file that is generated from an affected system. A successful exploit could allow the attacker to view remote controller admin credentials in clear text. Note: Best practice is to store debug logs and tech support files safely and to share them only with trusted parties because they may contain sensitive information. | |||||
| CVE-2023-52946 | 1 Synology | 1 Drive Client | 2024-10-08 | N/A | 8.2 HIGH |
| Buffer copy without checking size of input ('Classic Buffer Overflow') vulnerability in vss service component in Synology Drive Client before 3.5.0-16084 allows remote attackers to overwrite trivial buffers and crash the client via unspecified vectors. | |||||
| CVE-2024-43699 | 1 Deltaww | 1 Diaenergie | 2024-10-08 | N/A | 9.8 CRITICAL |
| Delta Electronics DIAEnergie is vulnerable to an SQL injection in the script AM_RegReport.aspx. An unauthenticated attacker may be able to exploit this issue to obtain records contained in the targeted product. | |||||