CVSS 8-9

Each entry gives the CVE ID and description, then a row with CVSS score | Vendor | Exploit | Patch. "Exploit: yes" means the page lists an exploit for the CVE; a dash means the page records nothing for that column.

CVE-2024-49050: Visual Studio Code Python Extension Remote Code Execution Vulnerability
CVSS 8.8 | Vendor: Microsoft | Exploit: - | Patch: Patched

CVE-2024-49048: TorchGeo Remote Code Execution Vulnerability
CVSS 8.1 | Vendor: Microsoft | Exploit: - | Patch: Patched

CVE-2024-49039: Windows Task Scheduler Elevation of Privilege Vulnerability
CVSS 8.8 | Vendor: Microsoft | Exploit: yes | Patch: Patched
CVE-2024-49018, CVE-2024-49017, CVE-2024-49016, CVE-2024-49015, CVE-2024-49014, CVE-2024-49013, CVE-2024-49012, CVE-2024-49011, CVE-2024-49010, CVE-2024-49009, CVE-2024-49008, CVE-2024-49007, CVE-2024-49006, CVE-2024-49005, CVE-2024-49004, CVE-2024-49003, CVE-2024-49002, CVE-2024-49001, CVE-2024-49000, CVE-2024-48999, CVE-2024-48998, CVE-2024-48997, CVE-2024-48996, CVE-2024-48995, CVE-2024-48994, CVE-2024-48993 (26 consecutive IDs): SQL Server Native Client Remote Code Execution Vulnerability
CVSS 8.8 | Vendor: Microsoft | Exploit: - | Patch: Patched (identical for all 26 IDs)
CVE-2024-48964: The Snyk CLI package before 1.1294.0 is vulnerable to Code Injection when scanning an untrusted Gradle project. The vulnerability can be triggered if `snyk test` is run inside the untrusted project, due to improper handling of the current working directory name. Snyk recommends scanning only trusted projects.
CVSS 8.8 | Vendor: Snyk | Exploit: - | Patch: Patched

CVE-2024-48955: Broken access control in NetAdmin 4.030319. The endpoint that assembles the functionality menus returns its data unencrypted, and the system does not validate session authorization, so an attacker who copies this content from the browser of a higher-privileged user gains access to that user's functionality.
CVSS 8.1 | Vendor: - | Exploit: - | Patch: -

CVE-2024-4888: BerriAI's litellm, in its latest version, is vulnerable to arbitrary file deletion due to improper input validation on the `/audio/transcriptions` endpoint. An attacker can exploit this by sending a specially crafted request that includes a file path, which the server then deletes without authorization or validation. The vulnerable code uses `os.remove(file.filename)` to delete a file, allowing any user to delete critical files on the server such as SSH keys, SQLite databases, or configuration files.
CVSS 8.1 | Vendor: Litellm | Exploit: yes | Patch: Patched
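A worked illustration of the pattern in CVE-2024-4888, added here as an example and not litellm's own code. The vulnerable handler treats the client-supplied filename as a filesystem path and hands it to os.remove(), so a request naming an SSH host key deletes that file. The hardened handler takes nothing from the client name except an allow-listed extension, stages the upload under a server-chosen random name inside a dedicated directory, and deletes only that path after confirming it resolves inside the directory. The Upload class, fake_transcribe, ALLOWED_EXT and the endpoint shapes are assumptions for the demo; the files and request in demo() are constructed.

```python
import os
import tempfile
from pathlib import Path

# Extensions the hypothetical endpoint accepts; anything else is stored with no extension.
ALLOWED_EXT = {".wav", ".mp3", ".m4a", ".flac", ".ogg", ".webm"}


class Upload:
    """Stand-in for a web framework's upload object (constructed for this example)."""

    def __init__(self, filename: str, data: bytes):
        self.filename = filename  # client-controlled, never a trustworthy path
        self.data = data


def fake_transcribe(path) -> str:
    """Placeholder for the model call; only reports the size of the staged audio."""
    return f"{os.path.getsize(path)} bytes of audio"


def transcribe_vulnerable(file: Upload, work_dir: Path) -> str:
    """The pattern the advisory describes: the audio is processed, then cleanup
    calls os.remove() on the client-supplied filename, treating it as a path.
    A filename such as '/etc/ssh/ssh_host_ed25519_key' deletes that file."""
    staged = work_dir / "audio.bin"
    staged.write_bytes(file.data)
    try:
        return fake_transcribe(staged)
    finally:
        os.remove(file.filename)  # deletes whatever path the client named


def safe_unlink(path: Path, root: Path) -> None:
    """Belt and braces for the hardened path: refuse to delete anything whose
    resolved location is outside the upload root (symlinks, '..', absolute paths)."""
    root = root.resolve()
    resolved = path.resolve()
    if root not in resolved.parents:
        raise PermissionError(f"refusing to delete {resolved}: outside {root}")
    resolved.unlink(missing_ok=True)


def transcribe_hardened(file: Upload, upload_root: Path) -> str:
    """The client name contributes at most an allow-listed extension. The path that
    is created, read and deleted is chosen by the server inside upload_root."""
    root = upload_root.resolve()
    ext = Path(file.filename).suffix.lower()
    if ext not in ALLOWED_EXT:
        ext = ""
    fd, tmp_name = tempfile.mkstemp(suffix=ext, dir=root)  # O_EXCL, mode 0600
    path = Path(tmp_name)
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(file.data)
        return fake_transcribe(path)
    finally:
        safe_unlink(path, root)


def demo() -> dict:
    """Constructed scenario: a 'critical' file next to the upload directory and a
    request whose filename is that file's absolute path."""
    with tempfile.TemporaryDirectory() as d:
        base = Path(d)
        critical = base / "ssh_host_key"
        uploads = base / "uploads"
        work = base / "work"
        uploads.mkdir()
        work.mkdir()
        malicious = Upload(str(critical), b"RIFF....WAVE")

        critical.write_text("PRIVATE KEY MATERIAL")
        transcribe_vulnerable(malicious, work)
        vulnerable_kept_file = critical.exists()  # False: the key file is gone

        critical.write_text("PRIVATE KEY MATERIAL")
        transcribe_hardened(malicious, uploads)
        hardened_kept_file = critical.exists()    # True: only our own temp file was removed
        upload_dir_clean = not any(uploads.iterdir())

        return {
            "vulnerable_kept_file": vulnerable_kept_file,
            "hardened_kept_file": hardened_kept_file,
            "upload_dir_clean": upload_dir_clean,
        }


if __name__ == "__main__":
    print(demo())
```

The same rule applies to the write side of an upload handler: a client name is metadata to be stored alongside the file, never a component of the path the server opens, reads or deletes.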
CVE-2024-48878: Zohocorp ManageEngine ADManager Plus versions 7241 and prior are vulnerable to SQL Injection in the Archived Audit Report.
CVSS 8.8 | Vendor: Zohocorp | Exploit: - | Patch: Patched

CVE-2024-48827: An issue in sbondCo Watcharr v.1.43.0 allows a remote attacker to execute arbitrary code and escalate privileges via the Change Password function.
CVSS 8.8 | Vendor: - | Exploit: - | Patch: -

CVE-2024-48826: Tenda AC7 v.15.03.06.44 ate_iwpriv_set has a pre-authentication command injection allowing remote attackers to execute arbitrary code.
CVSS 8 | Vendor: Tenda | Exploit: - | Patch: -

CVE-2024-48825: Tenda AC7 v.15.03.06.44 ate_ifconfig_set has a pre-authentication command injection allowing remote attackers to execute arbitrary code.
CVSS 8 | Vendor: Tenda | Exploit: - | Patch: -

CVE-2024-48822: Privilege escalation in Automatic Systems Maintenance SlimLane 29565_d74ecce0c1081d50546db573a499941b10799fb7 allows a remote attacker to escalate privileges via the FtpConfig.php page.
CVSS 8.8 | Vendor: Automaticsystems | Exploit: - | Patch: -

CVE-2024-48813: SQL injection vulnerability in employee-management-system-php-and-mysql-free-download.html taskmatic 1.0 allows a remote attacker to execute arbitrary code via the admin_id parameter of the /update-employee.php component.
CVSS 8.8 | Vendor: - | Exploit: - | Patch: -

CVE-2024-48770: An issue in Plug n Play Camera com.wisdomcity.zwave 1.1.0 allows a remote attacker to obtain sensitive information via the firmware update process.
CVSS 8.2 | Vendor: - | Exploit: - | Patch: -

CVE-2024-48734: Unrestricted file upload in /SASStudio/SASStudio/sasexec/{sessionID}/{InternalPath} in SAS Studio 9.4 allows a remote attacker to upload malicious files. NOTE: this is disputed by the vendor because file upload is allowed for authorized users.
CVSS 8.8 | Vendor: - | Exploit: - | Patch: -

CVE-2024-48733: SQL injection vulnerability in /SASStudio/sasexec/sessions/{sessionID}/sql in SAS Studio 9.4 allows a remote attacker to execute arbitrary SQL commands via the POST request body. NOTE: this is disputed by the vendor because SQL statement execution is allowed for authorized users.
CVSS 8.8 | Vendor: - | Exploit: - | Patch: -
CVE-2024-4872: A vulnerability exists in the query validation of the MicroSCADA Pro/X SYS600 product. If exploited, this could allow an authenticated attacker to inject code towards persistent data. Note that to successfully exploit this vulnerability an attacker must have a valid credential.
CVSS 8.8 | Vendor: Apache, et al | Exploit: - | Patch: Patched

CVE-2024-48655: An issue in Total.js CMS v.1.0 allows a remote attacker to execute arbitrary code via the func.js file.
CVSS 8.8 | Vendor: Totaljs | Exploit: - | Patch: -

CVE-2024-48646: An Unrestricted File Upload vulnerability exists in Sage 1000 v7.0.0, which allows authorized users to upload files without proper validation. An attacker could exploit this vulnerability by uploading malicious files, such as HTML, scripts, or other executable content, that may be executed on the server, leading to further system compromise.
CVSS 8.1 | Vendor: - | Exploit: - | Patch: -

CVE-2024-48638: D-Link DIR_882_FW130B06 and DIR_878 DIR_878_FW130B08 were discovered to contain a command injection vulnerability via the SubnetMask parameter in the SetGuestZoneRouterSettings function. This vulnerability allows attackers to execute arbitrary OS commands via a crafted POST request.
CVSS 8 | Vendor: Dlink | Exploit: - | Patch: -

CVE-2024-48637: D-Link DIR_882_FW130B06 and DIR_878 DIR_878_FW130B08 were discovered to contain a command injection vulnerability via the VLANID:1/VID parameter in the SetVLANSettings function. This vulnerability allows attackers to execute arbitrary OS commands via a crafted POST request.
CVSS 8 | Vendor: Dlink | Exploit: - | Patch: -

CVE-2024-48636: D-Link DIR_882_FW130B06 and DIR_878 DIR_878_FW130B08 were discovered to contain a command injection vulnerability via the VLANID:0/VID parameter in the SetVLANSettings function. This vulnerability allows attackers to execute arbitrary OS commands via a crafted POST request.
CVSS 8 | Vendor: Dlink | Exploit: - | Patch: -

CVE-2024-48635: D-Link DIR_882_FW130B06 and DIR_878 DIR_878_FW130B08 were discovered to contain a command injection vulnerability via the VLANID:2/VID parameter in the SetVLANSettings function. This vulnerability allows attackers to execute arbitrary OS commands via a crafted POST request.
CVSS 8 | Vendor: Dlink | Exploit: - | Patch: -

CVE-2024-48634: D-Link DIR_882_FW130B06 and DIR_878 DIR_878_FW130B08 were discovered to contain a command injection vulnerability via the key parameter in the SetWLanRadioSecurity function. This vulnerability allows attackers to execute arbitrary OS commands via a crafted POST request.
CVSS 8 | Vendor: Dlink | Exploit: - | Patch: -

CVE-2024-48633: D-Link DIR_882_FW130B06 and DIR_878 DIR_878_FW130B08 were discovered to contain multiple command injection vulnerabilities via the ExternalPort, InternalPort, ProtocolNumber, and LocalIPAddress parameters in the SetVirtualServerSettings function. These allow attackers to execute arbitrary OS commands via a crafted POST request.
CVSS 8 | Vendor: Dlink | Exploit: - | Patch: -

CVE-2024-48632: D-Link DIR_882_FW130B06 and DIR_878 DIR_878_FW130B08 were discovered to contain multiple command injection vulnerabilities via the LocalIPAddress, TCPPorts, and UDPPorts parameters in the SetPortForwardingSettings function. These allow attackers to execute arbitrary OS commands via a crafted POST request.
CVSS 8 | Vendor: Dlink | Exploit: - | Patch: -

CVE-2024-48631: D-Link DIR_882_FW130B06 and DIR_878 DIR_878_FW130B08 were discovered to contain a command injection vulnerability via the SSID parameter in the SetWLanRadioSettings function. This vulnerability allows attackers to execute arbitrary OS commands via a crafted POST request.
CVSS 8 | Vendor: Dlink | Exploit: - | Patch: -

CVE-2024-48630: D-Link DIR_882_FW130B06 and DIR_878 DIR_878_FW130B08 were discovered to contain a command injection vulnerability via the MacAddress parameter in the SetMACFilters2 function. This vulnerability allows attackers to execute arbitrary OS commands via a crafted POST request.
CVSS 8 | Vendor: Dlink | Exploit: - | Patch: -

CVE-2024-48629: D-Link DIR_882_FW130B06 and DIR_878 DIR_878_FW130B08 were discovered to contain a command injection vulnerability via the IPAddress parameter in the SetGuestZoneRouterSettings function. This vulnerability allows attackers to execute arbitrary OS commands via a crafted POST request.
CVSS 8 | Vendor: Dlink | Exploit: - | Patch: -

CVE-2024-48597: Online Clinic Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /success/editp.php?action=edit.
CVSS 8.1 | Vendor: Php | Exploit: - | Patch: -
CVE-2024-48594: File Upload vulnerability in Prison Management System v.1.0 allows a remote attacker to execute arbitrary code via the file upload component.
CVSS 8.8 | Vendor: Prison management system project | Exploit: - | Patch: -

CVE-2024-48547: Incorrect access control in the firmware update and download processes of DreamCatcher Life v1.8.7 allows attackers to access sensitive information by analyzing the code and data within the APK file.
CVSS 8.4 | Vendor: - | Exploit: - | Patch: -

CVE-2024-48546: Incorrect access control in the firmware update and download processes of Wear Sync v1.2.0 allows attackers to access sensitive information by analyzing the code and data within the APK file.
CVSS 8.4 | Vendor: - | Exploit: - | Patch: -

CVE-2024-48545: Incorrect access control in the firmware update and download processes of IVY Smart v4.5.0 allows attackers to access sensitive information by analyzing the code and data within the APK file.
CVSS 8.4 | Vendor: - | Exploit: - | Patch: -

CVE-2024-48544: Incorrect access control in the firmware update and download processes of Sylvania Smart Home v3.0.3 allows attackers to access sensitive information by analyzing the code and data within the APK file.
CVSS 8.4 | Vendor: - | Exploit: - | Patch: -

CVE-2024-48542: Incorrect access control in the firmware update and download processes of Yamaha Headphones Controller v1.6.7 allows attackers to access sensitive information by analyzing the code and data within the APK file.
CVSS 8.4 | Vendor: Yamaha | Exploit: - | Patch: -

CVE-2024-48541: Incorrect access control in the firmware update and download processes of Ruochan Smart v4.4.7 allows attackers to access sensitive information by analyzing the code and data within the APK file.
CVSS 8.4 | Vendor: - | Exploit: - | Patch: -

CVE-2024-4847: The Alt Text AI – Automatically generate image alt text for SEO and accessibility plugin for WordPress is vulnerable to generic SQL Injection via the ‘last_post_id’ parameter in all versions up to, and including, 1.4.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries to already existing queries that can be used to extract sensitive information from the database.
CVSS 8.8 | Vendor: Wordpress | Exploit: - | Patch: -

CVE-2024-4845: The Icegram Express plugin for WordPress is vulnerable to SQL Injection via the ‘options[list_id]’ parameter in all versions up to, and including, 5.7.22 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries to already existing queries that can be used to extract sensitive information from the database.
CVSS 8.8 | Vendor: Wordpress, et al | Exploit: - | Patch: Patched

CVE-2024-48441: Wuhan Tianyu Information Industry Co., Ltd Tianyu CPE Router CommonCPExCPETS_v3.2.468.11.04_P4 was discovered to contain a command injection vulnerability via the component at_command.asp.
CVSS 8.8 | Vendor: - | Exploit: - | Patch: -

CVE-2024-48440: Shenzhen Tuoshi Network Communications Co.,Ltd 5G CPE Router NR500-EA RG500UEAABxCOMSLICv3.2.2543.12.18 was discovered to contain a command injection vulnerability via the component at_command.asp.
CVSS 8.8 | Vendor: - | Exploit: - | Patch: -

CVE-2024-48427: A SQL injection vulnerability in Sourcecodester Packers and Movers Management System v1.0 allows remote authenticated users to execute arbitrary SQL commands via the id parameter in /mpms/admin/?page=services/manage_service&id.
CVSS 8.8 | Vendor: Oretnom23 | Exploit: - | Patch: -

CVE-2024-4838: The ConvertPlus plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.5.26 via deserialization of untrusted input from the 'settings_encoded' attribute of the 'smile_modal' shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
CVSS 8.8 | Vendor: Convertplug, et al | Exploit: - | Patch: -

CVE-2024-4835: An XSS condition exists within GitLab in versions 15.11 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1. By leveraging this condition, an attacker can craft a malicious page to exfiltrate sensitive user information.
CVSS 8 | Vendor: Gitlab | Exploit: - | Patch: -
CVE-2024-48336: The install() function of ProviderInstaller.java in Magisk App before canary version 27007 does not verify the GMS app before loading it, which allows a local untrusted app with no additional privileges to silently execute arbitrary code in the Magisk app and escalate privileges to root via a crafted package, aka Bug #8279. User interaction is not needed for exploitation.
CVSS 8.4 | Vendor: - | Exploit: - | Patch: -

CVE-2024-48325: Portabilis i-Educar 2.8.0 is vulnerable to SQL Injection in the "getDocuments" function of the "InstituicaoDocumentacaoController" class. The "instituicao_id" parameter in "/module/Api/InstituicaoDocumentacao?oper=get&resource=getDocuments&instituicao_id" is not properly sanitized, allowing an unauthenticated remote attacker to inject malicious SQL commands.
CVSS 8.1 | Vendor: Portabilis | Exploit: - | Patch: -

CVE-2024-48322: UsersController.php in Run.codes 1.5.2 and older has a reset password race condition vulnerability.
CVSS 8.1 | Vendor: - | Exploit: - | Patch: -

CVE-2024-48311: Piwigo v14.5.0 was discovered to contain a Cross-Site Request Forgery (CSRF) via the Edit album function.
CVSS 8.8 | Vendor: Piwigo | Exploit: - | Patch: -

CVE-2024-48292: An issue in the wssrvc.exe service of QuickHeal Antivirus Pro Version v24.0 and Quick Heal Total Security v24.0 allows authenticated attackers to escalate privileges.
CVSS 8.8 | Vendor: Quickheal | Exploit: - | Patch: -

CVE-2024-48271: D-Link DSL6740C v6.TR069.20211230 was discovered to use insecure default credentials for Administrator access, possibly allowing attackers to bypass authentication and escalate privileges on the device via a brute-force attack.
CVSS 8.8 | Vendor: Dlink | Exploit: - | Patch: -

CVE-2024-48217: An Insecure Direct Object Reference (IDOR) in the dashboard of SiSMART v7.4.0 allows attackers to perform a horizontal privilege escalation.
CVSS 8.8 | Vendor: - | Exploit: - | Patch: -

CVE-2024-48214: KERUI HD 3MP 1080P Tuya Camera 1.0.4 has a command injection vulnerability in the module that connects to the local network via a QR code. An attacker can create a custom, unauthenticated QR code and abuse one of the parameters, either SSID or PASSWORD, in the JSON data contained within the QR code, and thereby execute arbitrary code on the camera.
CVSS 8.4 | Vendor: Kerui | Exploit: - | Patch: -

CVE-2024-48208: pure-ftpd before 1.0.52 is vulnerable to a buffer overflow: an out-of-bounds read in the domlsd() function of ls.c.
CVSS 8.6 | Vendor: Pureftpd | Exploit: - | Patch: Patched

CVE-2024-48200: An issue in MobaXterm v24.2 allows a local attacker to escalate privileges and execute arbitrary code via the remove function of the MobaXterm MSI, which spawns an administrative cmd (conhost.exe).
CVSS 8.4 | Vendor: Mobatek | Exploit: - | Patch: -

CVE-2024-48192: Tenda G3 v15.01.0.5(2848_755)_EN was discovered to contain a hardcoded password in /etc_ro/shadow, which allows attackers to log in as root.
CVSS 8 | Vendor: Tenda | Exploit: - | Patch: -

CVE-2024-48178: newbee-mall v1.0.0 is vulnerable to Server-Side Request Forgery (SSRF) via the goodsCoverImg parameter.
CVSS 8.1 | Vendor: Newbee-mall project | Exploit: - | Patch: -

CVE-2024-48177: MRCMS 3.1.2 contains a SQL injection vulnerability via the RID parameter in /admin/article/delete.do.
CVSS 8.8 | Vendor: Mrcms | Exploit: - | Patch: -

CVE-2024-48093: Unrestricted File Upload in the Discussions tab in Operately v.0.1.0 allows a privileged user to achieve Remote Code Execution by uploading and executing malicious files, since neither file extensions nor content types are validated.
CVSS 8 | Vendor: - | Exploit: - | Patch: -
CVE-2024-48074: An authenticated RCE vulnerability exists in the DrayTek Vigor2960 router version 1.4.4: an attacker can place a malicious command into the table parameter of the doPPPoE function in the cgi-bin/mainfunction.cgi route, and the command is ultimately executed by the system function.
CVSS 8 | Vendor: Draytek | Exploit: - | Patch: -

CVE-2024-48045: Missing Authorization vulnerability in Leevio Happy Addons for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Happy Addons for Elementor: from n/a through 3.12.3.
CVSS 8.8 | Vendor: Elementor, et al | Exploit: - | Patch: -

CVE-2024-48044: Missing Authorization vulnerability in ShortPixel – Convert WebP/AVIF & Optimize Images ShortPixel Image Optimizer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ShortPixel Image Optimizer: from n/a through 5.6.3.
CVSS 8.8 | Vendor: Shortpixel | Exploit: - | Patch: -

CVE-2024-48040: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Tainacan.Org Tainacan allows SQL Injection. This issue affects Tainacan: from n/a through 0.21.8.
CVSS 8.5 | Vendor: Tainacan | Exploit: - | Patch: -

CVE-2024-48039: Missing Authorization vulnerability in CubeWP CubeWP – All-in-One Dynamic Content Framework allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CubeWP – All-in-One Dynamic Content Framework: from n/a through 1.1.15.
CVSS 8.8 | Vendor: Cubewp, et al | Exploit: - | Patch: -

CVE-2024-48020: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Revmakx Backup and Staging by WP Time Capsule allows SQL Injection. This issue affects Backup and Staging by WP Time Capsule: from n/a through 1.22.21.
CVSS 8.5 | Vendor: Revmakx, et al | Exploit: - | Patch: -

CVE-2024-47912: A vulnerability in the AWV (Audio, Web, and Video) Conferencing component of Mitel MiCollab through 9.8 SP1 FP2 (9.8.1.201) could allow an unauthenticated attacker to perform unauthorized data-access attacks due to missing authentication mechanisms. A successful exploit could allow an attacker to access and delete sensitive information.
CVSS 8.2 | Vendor: Mitel | Exploit: - | Patch: -

CVE-2024-47881: OpenRefine is a free, open source tool for working with messy data. Starting in version 3.4-beta and prior to version 3.8.3, in the `database` extension, the "enable_load_extension" property can be set for the SQLite integration, enabling an attacker to load (local or remote) extension DLLs and so run arbitrary code on the server. The attacker needs network access to the OpenRefine instance. Version 3.8.3 fixes this issue.
CVSS 8.8 | Vendor: Openrefine | Exploit: yes | Patch: Patched

CVE-2024-47870: A race condition in the update_root_in_config function allows an attacker to modify the root URL used by the Gradio frontend to communicate with the backend. By exploiting this flaw, an attacker can redirect user traffic to a malicious server, which could lead to the interception of sensitive data such as authentication credentials or uploaded files. This impacts all users who connect to a Gradio server, especially instances exposed to the internet, where malicious actors could exploit the race condition.
CVSS 8.1 | Vendor: Gradio project | Exploit: - | Patch: Patched

CVE-2024-47846: Cross-Site Request Forgery (CSRF) vulnerability in The Wikimedia Foundation Mediawiki - Cargo allows Cross Site Request Forgery. This issue affects Mediawiki - Cargo: from 3.6.X before 3.6.1.
CVSS 8.8 | Vendor: Mediawiki | Exploit: yes | Patch: Patched

CVE-2024-47845: Improper Encoding or Escaping of Output vulnerability in The Wikimedia Foundation Mediawiki - CSS Extension allows Code Injection. This issue affects Mediawiki - CSS Extension: from 1.39.X before 1.39.9, from 1.41.X before 1.41.3, from 1.42.X before 1.42.2.
CVSS 8.2 | Vendor: Mediawiki, et al | Exploit: yes | Patch: Patched

CVE-2024-47819: Umbraco, a free and open source .NET content management system, has a cross-site scripting vulnerability starting in version 14.0.0 and prior to versions 14.3.1 and 15.0.0. It can be leveraged to gain access to higher-privilege endpoints: if a user with admin privileges can be made to run the injected code, an attacker can potentially elevate all users to admin or access protected content. Versions 14.3.1 and 15.0.0 contain a patch. As a workaround, ensure that access to the Dictionary section is granted only to trusted users.
CVSS 8.7 | Vendor: Umbraco | Exploit: - | Patch: Patched

CVE-2024-47807: Jenkins OpenId Connect Authentication Plugin 4.354.v321ce67a_1de8 and earlier does not check the iss (Issuer) claim of an ID Token during its authentication flow, the value that identifies the OpenID Provider (IdP) that issued the token. This may allow attackers to subvert the authentication flow, potentially gaining administrator access to Jenkins. OpenId Connect Authentication Plugin 4.355.v3a_fb_fca_b_96d4 checks the iss (Issuer) claim of an ID Token during its authentication flow when the Issuer is known.
CVSS 8.1 | Vendor: Jenkins | Exploit: - | Patch: Patched

CVE-2024-47806: Jenkins OpenId Connect Authentication Plugin 4.354.v321ce67a_1de8 and earlier does not check the aud (Audience) claim of an ID Token during its authentication flow, the value that verifies the token was issued for the correct client. This may allow attackers to subvert the authentication flow, potentially gaining administrator access to Jenkins. OpenId Connect Authentication Plugin 4.355.v3a_fb_fca_b_96d4 checks the aud (Audience) claim of an ID Token during its authentication flow.
CVSS 8.1 | Vendor: Jenkins | Exploit: - | Patch: Patched
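The two Jenkins entries above describe the same class of gap: the ID token's signature is verified but its iss and aud claims are not, so a token from a different issuer, or one the provider minted for a different client, passes. The block below is an added example, not the plugin's code, showing where those checks sit in OpenID Connect ID token validation (iss, aud, azp when there are multiple audiences, exp). It signs with HS256 purely so it runs offline with the standard library; real providers sign with RS256/ES256 and publish keys via JWKS, and the shared key here stands in for "a key the relying party trusts". The issuer URL, client_id and claim values are constructed.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_id_token(claims: dict, key: bytes) -> str:
    """Constructed token issuer. HS256 is used only so the block runs with the
    standard library; real OPs sign ID tokens with RS256/ES256 and publish JWKS."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_id_token(token: str, key: bytes, expected_iss: str, client_id: str, now=None) -> dict:
    """Signature first, then the claim checks from OpenID Connect Core 3.1.3.7.
    A valid signature proves the token came from a key we trust; it does not
    prove the token was issued by the provider we configured (iss) or for this
    client (aud), which is exactly what the two advisories are about."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))

    # iss (CVE-2024-47807): must match the configured provider exactly
    if claims.get("iss") != expected_iss:
        raise ValueError(f"issuer mismatch: {claims.get('iss')!r}")
    # aud (CVE-2024-47806): our client_id must be among the audiences (string or list)
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise ValueError(f"audience mismatch: {aud!r}")
    # azp: required with multiple audiences, and must be our client_id when present
    azp = claims.get("azp")
    if (len(audiences) > 1 and azp is None) or (azp is not None and azp != client_id):
        raise ValueError(f"azp mismatch: {azp!r}")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired or exp missing")
    return claims


def demo(now: float = 1_700_000_000) -> dict:
    """Constructed tokens: one good, one for another client, one from another issuer,
    one with several audiences and a correct azp."""
    key = b"constructed-shared-secret"    # stands in for 'a key the relying party trusts'
    issuer = "https://idp.example.test"    # hypothetical OpenID Provider
    client = "jenkins-ci"                  # hypothetical client_id
    base = {"sub": "alice", "iat": now, "exp": now + 300}
    tokens = {
        "good": mint_id_token({**base, "iss": issuer, "aud": client}, key),
        "other_client": mint_id_token({**base, "iss": issuer, "aud": "other-app"}, key),
        "other_issuer": mint_id_token({**base, "iss": "https://evil.example.test", "aud": client}, key),
        "multi_aud_ok": mint_id_token({**base, "iss": issuer, "aud": [client, "other-app"], "azp": client}, key),
    }
    results = {}
    for name, tok in tokens.items():
        try:
            verify_id_token(tok, key, issuer, client, now=now)
            results[name] = "accepted"
        except ValueError as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:14s} {outcome}")
```

The "other_client" case is the realistic one: a provider signs tokens for every client it serves with the same key, so without the aud check any application registered at the same IdP can replay a token it legitimately received against Jenkins.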
CVE-2024-4779: The Unlimited Elements For Elementor (Free Widgets, Addons, Templates) plugin for WordPress is vulnerable to SQL Injection via the ‘data[post_ids][0]’ parameter in all versions up to, and including, 1.5.107 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries to already existing queries that can be used to extract sensitive information from the database.
CVSS 8.8 | Vendor: Wordpress | Exploit: - | Patch: -
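Several entries above (CVE-2024-4847, CVE-2024-4845 and CVE-2024-4779 among the WordPress plugins, and the other SQL injection CVEs in this range) describe the same defect: a request parameter spliced into SQL text with "insufficient escaping" and no prepared statement. The block below is an added example, not any plugin's code, and uses Python's sqlite3 module on an in-memory database so it runs offline; WordPress code would reach the same result with $wpdb->prepare(). It shows a numeric and a string parameter each in the vulnerable shape and in the bound-parameter shape, with a UNION payload pulling a password hash out of the first and a quote-escape payload dumping the second. Schema, table names and data are constructed.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed schema: the data the page is meant to return, plus a table
    holding credentials the attacker wants. Names are hypothetical."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        CREATE TABLE subscribers (list_id TEXT, email TEXT);
        INSERT INTO posts VALUES (1, 'Hello world'), (2, 'Second post');
        INSERT INTO users VALUES (1, 'admin', '$P$BconstructedPhpassHash');
        INSERT INTO subscribers VALUES ('news', 'a@example.test'), ('vip', 'b@example.test');
    """)
    return con


# --- numeric parameter (the last_post_id / post_ids shape) -------------------

def posts_after_vulnerable(con, last_post_id: str) -> list:
    """The request value is pasted into the SQL text ('insufficient escaping',
    'lack of preparation'), so it can end the intended query and add clauses."""
    sql = f"SELECT id, title FROM posts WHERE id > {last_post_id}"
    return con.execute(sql).fetchall()


def posts_after_hardened(con, last_post_id: str) -> list:
    """Coerce to the type the column needs and bind it; the driver sends the value
    separately from the statement, so it is never parsed as SQL."""
    try:
        pid = int(last_post_id)
    except (TypeError, ValueError):
        raise ValueError("last_post_id must be an integer")
    return con.execute("SELECT id, title FROM posts WHERE id > ?", (pid,)).fetchall()


# --- string parameter (the options[list_id] shape) ---------------------------

def subscribers_vulnerable(con, list_id: str) -> list:
    """Wrapping the value in quotes by hand does not help: a quote inside the
    value closes the string literal early."""
    sql = f"SELECT email FROM subscribers WHERE list_id = '{list_id}'"
    return con.execute(sql).fetchall()


def subscribers_hardened(con, list_id: str) -> list:
    """Bound parameter: the whole value, quotes included, is compared as data."""
    return con.execute("SELECT email FROM subscribers WHERE list_id = ?", (list_id,)).fetchall()


def demo() -> dict:
    """Runs both payloads through both shapes and returns what each one yields."""
    con = build_db()
    union_payload = "0 UNION SELECT user_login, user_pass FROM users"
    quote_payload = "x' OR '1'='1"
    out = {"vulnerable_union": posts_after_vulnerable(con, union_payload)}
    try:
        posts_after_hardened(con, union_payload)
        out["hardened_union"] = "accepted"
    except ValueError as exc:
        out["hardened_union"] = f"rejected: {exc}"
    out["vulnerable_quote"] = subscribers_vulnerable(con, quote_payload)
    out["hardened_quote"] = subscribers_hardened(con, quote_payload)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Escaping functions only cover the string-literal case and only if the value actually ends up inside quotes; the numeric case above has no quotes to escape, which is why "insufficient escaping" keeps recurring in these advisories and why binding parameters is the fix rather than better escaping.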
CVE-2024-47773: Discourse is an open source platform for community discussion. An attacker can make several XHR requests until the cache is poisoned with a response without any preloaded data. This issue only affects anonymous visitors of the site. This problem has been patched in the latest version of Discourse. Users are advised to upgrade. Users unable to upgrade should disable the anonymous cache by setting the `DISCOURSE_DISABLE_ANON_CACHE` environment variable to a non-empty value.
CVSS 8.2 | Vendor: Discourse | Exploit: - | Patch: -

CVE-2024-47768: Lif Authentication Server is the server Lif uses for tasks involving Lif accounts. The account recovery system does not check that the user has been sent the recovery email and entered the correct code: an attacker who knows the target's email address can supply it and immediately prompt the server to update the password without ever needing the code. This issue has been patched in version 1.7.3.
CVSS 8.1 | Vendor: Lifplatforms | Exploit: - | Patch: Patched
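As an added example (not Lif Authentication Server's code) of the check CVE-2024-47768 says was missing: a recovery flow in which the password-update step cannot run unless a single-use token was obtained by entering the emailed code. It also covers the neighbouring concerns a practitioner would want in the same place: the code is stored hashed, compared in constant time, expires, and gets an attempt budget so a six-digit code cannot be brute-forced, and the request step replies identically whether or not the address exists. The user store, the email sender and the account data are constructed stand-ins.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 10 * 60  # a recovery code is useless after this
MAX_ATTEMPTS = 5            # six-digit codes must not be guessable online


def reset_password_vulnerable(users: dict, email: str, new_password: str) -> bool:
    """The shape the advisory describes: the reset endpoint never asks whether a
    code was sent, let alone entered. Knowing the email address is enough."""
    if email not in users:
        return False
    users[email]["password"] = new_password
    return True


class RecoveryService:
    """Three-step recovery where step 3 cannot run without the token from step 2."""

    def __init__(self, users: dict, send_email, clock=time.time):
        self.users = users            # email -> {"password": ...}
        self.send_email = send_email  # callable(email, code); a stub in the demo
        self.clock = clock
        self._pending = {}            # email -> {"code_hash", "expires", "attempts", "token"}

    @staticmethod
    def _hash(code: str) -> bytes:
        return hashlib.sha256(code.encode()).digest()

    def request_reset(self, email: str) -> str:
        """Step 1: generate and send a code. Same reply either way, so the endpoint
        does not confirm which addresses are registered."""
        if email in self.users:
            code = f"{secrets.randbelow(10**6):06d}"
            self._pending[email] = {"code_hash": self._hash(code),
                                    "expires": self.clock() + CODE_TTL_SECONDS,
                                    "attempts": 0, "token": None}
            self.send_email(email, code)
        return "If that address is registered, a recovery code has been sent."

    def verify_code(self, email: str, code: str):
        """Step 2: only a correct, unexpired code within the attempt budget yields
        a single-use reset token."""
        pending = self._pending.get(email)
        if pending is None or self.clock() > pending["expires"]:
            self._pending.pop(email, None)
            return None
        pending["attempts"] += 1
        if pending["attempts"] > MAX_ATTEMPTS:
            del self._pending[email]
            return None
        if not hmac.compare_digest(pending["code_hash"], self._hash(code)):
            return None
        pending["token"] = secrets.token_urlsafe(32)
        return pending["token"]

    def reset_password(self, email: str, token: str, new_password: str) -> bool:
        """Step 3: the check the advisory says was missing. No token from step 2,
        no password change; a used token is discarded."""
        pending = self._pending.get(email)
        if pending is None or pending["token"] is None or self.clock() > pending["expires"]:
            return False
        if not hmac.compare_digest(pending["token"].encode(), (token or "").encode()):
            return False
        del self._pending[email]
        self.users[email]["password"] = new_password  # a real service stores a hash
        return True


def demo() -> dict:
    """Constructed run: the email-only request against both designs, then the
    proper flow, a wrong code, and a replayed token."""
    outbox = []
    victim = {"alice@example.test": {"password": "old"}}
    users = {"alice@example.test": {"password": "old"}}
    svc = RecoveryService(users, lambda email, code: outbox.append(code), clock=lambda: 1000.0)

    skipped_request = svc.reset_password("alice@example.test", "", "attacker-chosen")
    svc.request_reset("alice@example.test")
    skipped_code = svc.reset_password("alice@example.test", "", "attacker-chosen")
    wrong = "000000" if outbox[0] != "000000" else "999999"
    wrong_code_token = svc.verify_code("alice@example.test", wrong)
    token = svc.verify_code("alice@example.test", outbox[0])
    changed = svc.reset_password("alice@example.test", token, "new-password")
    replayed = svc.reset_password("alice@example.test", token, "again")
    return {
        "vulnerable_reset_with_email_only": reset_password_vulnerable(victim, "alice@example.test", "pwned"),
        "reset_without_request": skipped_request,
        "reset_without_code": skipped_code,
        "wrong_code_gives_token": wrong_code_token is not None,
        "correct_flow_changed_password": changed and users["alice@example.test"]["password"] == "new-password",
        "token_replay": replayed,
    }
```

The important structural point is that step 3 reads nothing the client could have fabricated: the token exists only because verify_code() stored it after a successful comparison, and the server, not the request, decides whether that happened.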