Total
6195 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-4884 | 1 Progress | 1 Whatsup Gold | 2024-11-21 | 9.8 Critical |
| In WhatsUp Gold versions released before 2023.1.3, an unauthenticated Remote Code Execution vulnerability in Progress WhatsUpGold. The Apm.UI.Areas.APM.Controllers.CommunityController allows execution of commands with iisapppool\nmconsole privileges. | ||||
| CVE-2024-4883 | 1 Progress | 1 Whatsup Gold | 2024-11-21 | 9.8 Critical |
| In WhatsUp Gold versions released before 2023.1.3, a Remote Code Execution issue exists in Progress WhatsUp Gold. This vulnerability allows an unauthenticated attacker to achieve the RCE as a service account through NmApi.exe. | ||||
| CVE-2024-45507 | 1 Apache | 1 Ofbiz | 2024-11-21 | 9.8 Critical |
| Server-Side Request Forgery (SSRF), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.16. Users are recommended to upgrade to version 18.12.16, which fixes the issue. | ||||
| CVE-2024-41468 | 2 Tenda, Tendacn | 3 Fh1201, Fh1201, Fh1201 Firmware | 2024-11-21 | 9.8 Critical |
| Tenda FH1201 v1.2.0.14 was discovered to contain a command injection vulnerability via the cmdinput parameter at /goform/exeCommand | ||||
| CVE-2024-40735 | 1 Netbox | 1 Netbox | 2024-11-21 | 6.1 Medium |
| A cross-site scripting (XSS) vulnerability in netbox v4.0.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter at /dcim/power-outlets/{id}/edit/. | ||||
| CVE-2024-40726 | 1 Netbox | 1 Netbox | 2024-11-21 | 6.1 Medium |
| A cross-site scripting (XSS) vulnerability in netbox v4.0.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter at /dcim/power-ports/{id}/edit/. | ||||
| CVE-2024-40546 | 1 Publiccms | 1 Publiccms | 2024-11-21 | 8.8 High |
| An arbitrary file upload vulnerability in the component /admin/cmsWebFile/save of PublicCMS v4.0.202302.e allows attackers to execute arbitrary code via uploading a crafted file. | ||||
| CVE-2024-3408 | 2 Man, Man-group | 2 D-tale, Dtale | 2024-11-21 | 9.8 Critical |
| man-group/dtale version 3.10.0 is vulnerable to an authentication bypass and remote code execution (RCE) due to improper input validation. The vulnerability arises from a hardcoded `SECRET_KEY` in the flask configuration, allowing attackers to forge a session cookie if authentication is enabled. Additionally, the application fails to properly restrict custom filter queries, enabling attackers to execute arbitrary code on the server by bypassing the restriction on the `/update-settings` endpoint, even when `enable_custom_filters` is not enabled. This vulnerability allows attackers to bypass authentication mechanisms and execute remote code on the server. | ||||
| CVE-2024-3121 | 1 Lollms | 1 Lollms | 2024-11-21 | 3.3 Low |
| A remote code execution vulnerability exists in the create_conda_env function of the parisneo/lollms repository, version 5.9.0. The vulnerability arises from the use of shell=True in the subprocess.Popen function, which allows an attacker to inject arbitrary commands by manipulating the env_name and python_version parameters. This issue could lead to a serious security breach as demonstrated by the ability to execute the 'whoami' command among potentially other harmful commands. | ||||
| CVE-2024-39877 | 1 Apache | 1 Airflow | 2024-11-21 | 8.8 High |
| Apache Airflow 2.4.0, and versions before 2.9.3, has a vulnerability that allows authenticated DAG authors to craft a doc_md parameter in a way that could execute arbitrary code in the scheduler context, which should be forbidden according to the Airflow Security model. Users should upgrade to version 2.9.3 or later which has removed the vulnerability. | ||||
| CVE-2024-38458 | 1 Xenforo | 1 Xenforo | 2024-11-21 | 8.8 High |
| Xenforo before 2.2.16 allows code injection. | ||||
| CVE-2024-38319 | 1 Ibm | 1 Soar | 2024-11-21 | 7.5 High |
| IBM Security SOAR 51.0.2.0 could allow an authenticated user to execute malicious code loaded from a specially crafted script. IBM X-Force ID: 294830. | ||||
| CVE-2024-37934 | 1 Ninjaforms | 1 Ninja Forms | 2024-11-21 | 5.4 Medium |
| Improper Control of Generation of Code ('Code Injection') vulnerability in Saturday Drive Ninja Forms allows Code Injection.This issue affects Ninja Forms: from n/a through 3.8.4. | ||||
| CVE-2024-37885 | 2 Apple, Nextcloud | 2 Macos, Desktop | 2024-11-21 | 3.8 Low |
| The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with your computer. A code injection in Nextcloud Desktop Client for macOS allowed to load arbitrary code when starting the client with DYLD_INSERT_LIBRARIES set in the enviroment. It is recommended that the Nextcloud Desktop client is upgraded to 3.12.0. | ||||
| CVE-2024-37849 | 1 Itsourcecode | 1 Billing System | 2024-11-21 | 9.8 Critical |
| A SQL Injection vulnerability in itsourcecode Billing System 1.0 allows a local attacker to execute arbitrary code in process.php via the username parameter. | ||||
| CVE-2024-37109 | 1 Wishlistmember | 1 Wishlist Member | 2024-11-21 | 9.9 Critical |
| Improper Control of Generation of Code ('Code Injection') vulnerability in Membership Software WishList Member X allows Code Injection.This issue affects WishList Member X: from n/a before 3.26.7. | ||||
| CVE-2024-37084 | 1 Vmware | 1 Spring Cloud Data Flow | 2024-11-21 | 9.8 Critical |
| In Spring Cloud Data Flow versions prior to 2.11.4, a malicious user who has access to the Skipper server api can use a crafted upload request to write an arbitrary file to any location on the file system which could lead to compromising the server | ||||
| CVE-2024-37014 | 1 Langflow | 1 Langflow | 2024-11-21 | 8.8 High |
| Langflow through 0.6.19 allows remote code execution if untrusted users are able to reach the "POST /api/v1/custom_component" endpoint and provide a Python script. | ||||
| CVE-2024-36268 | 1 Apache | 1 Inlong | 2024-11-21 | 9.8 Critical |
| Improper Control of Generation of Code ('Code Injection') vulnerability in Apache InLong. This issue affects Apache InLong: from 1.10.0 through 1.12.0, which could lead to Remote Code Execution. Users are advised to upgrade to Apache InLong's 1.13.0 or cherry-pick [1] to solve it. [1] https://github.com/apache/inlong/pull/10251 | ||||
| CVE-2024-36120 | 1 Ben-sb | 1 Javascript Deobfuscator | 2024-11-21 | 8.2 High |
| javascript-deobfuscator removes common JavaScript obfuscation techniques. In affected versions crafted payloads targeting expression simplification can lead to code execution. This issue has been patched in version 1.1.0. Users are advised to update. Users unable to upgrade should disable the expression simplification feature. | ||||