Total
5795 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-3121 | 1 Lollms | 1 Lollms | 2024-11-21 | N/A | 3.3 LOW |
|
A remote code execution vulnerability exists in the create_conda_env function of the parisneo/lollms repository, version 5.9.0. The vulnerability arises from the use of shell=True in the subprocess.Popen function, which allows an attacker to inject arbitrary commands by manipulating the env_name and python_version parameters. This issue could lead to a serious security breach as demonstrated by the ability to execute the 'whoami' command among potentially other harmful commands.
|
|||||
| CVE-2024-3098 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
|
A vulnerability was identified in the `exec_utils` class of the `llama_index` package, specifically within the `safe_eval` function, allowing for prompt injection leading to arbitrary code execution. This issue arises due to insufficient validation of input, which can be exploited to bypass method restrictions and execute unauthorized code. The vulnerability is a bypass of the previously addressed CVE-2023-39662, demonstrated through a proof of concept that creates a file on the system by exploi ...
Show More |
|||||
| CVE-2024-39915 | 2024-11-21 | N/A | 9.9 CRITICAL | ||
|
Thruk is a multibackend monitoring webinterface for Naemon, Nagios, Icinga and Shinken using the Livestatus API. This authenticated RCE in Thruk allows authorized users with network access to inject arbitrary commands via the URL parameter during PDF report generation. The Thruk web application does not properly process the url parameter when generating a PDF report. An authorized attacker with access to the reporting functionality could inject arbitrary commands that would be executed when the ...
Show More |
|||||
| CVE-2024-39877 | 1 Apache | 1 Airflow | 2024-11-21 | N/A | 8.8 HIGH |
|
Apache Airflow 2.4.0, and versions before 2.9.3, has a vulnerability that allows authenticated DAG authors to craft a doc_md parameter in a way that could execute arbitrary code in the scheduler context, which should be forbidden according to the Airflow Security model. Users should upgrade to version 2.9.3 or later which has removed the vulnerability.
|
|||||
| CVE-2024-39844 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
|
In ZNC before 1.9.1, remote code execution can occur in modtcl via a KICK.
|
|||||
| CVE-2024-39669 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
|
In the Console in Soffid IAM before 3.5.39, necessary checks were not applied to some Java objects. A malicious agent could possibly execute arbitrary code in the Sync Server and compromise security.
|
|||||
| CVE-2024-39209 | 2024-11-21 | N/A | 6.3 MEDIUM | ||
|
luci-app-sms-tool v1.9-6 was discovered to contain a command injection vulnerability via the score parameter.
|
|||||
| CVE-2024-39071 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
|
Fujian Kelixun <=7.6.6.4391 is vulnerable to SQL Injection in send_event.php.
|
|||||
| CVE-2024-39017 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
|
agreejs shared v0.0.1 was discovered to contain a prototype pollution via the function mergeInternalComponents. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
|
|||||
| CVE-2024-39015 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
|
cafebazaar hod v0.4.14 was discovered to contain a prototype pollution via the function request. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
|
|||||
| CVE-2024-38990 | 2024-11-21 | N/A | 6.3 MEDIUM | ||
|
Tada5hi sp-common v0.5.4 was discovered to contain a prototype pollution via the function mergeDeep. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
|
|||||
| CVE-2024-38944 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
|
An issue in Intelight X-1L Traffic controller Maxtime v.1.9.6 allows a remote attacker to execute arbitrary code via the /cgi-bin/generateForm.cgi?formID=142 component.
|
|||||
| CVE-2024-38458 | 1 Xenforo | 1 Xenforo | 2024-11-21 | N/A | 8.8 HIGH |
|
Xenforo before 2.2.16 allows code injection.
|
|||||
| CVE-2024-38448 | 2024-11-21 | N/A | 9.1 CRITICAL | ||
|
htags in GNU Global through 6.6.12 allows code execution in situations where dbpath (aka -d) is untrusted, because shell metacharacters may be used.
|
|||||
| CVE-2024-37934 | 1 Ninjaforms | 1 Ninja Forms | 2024-11-21 | N/A | 5.4 MEDIUM |
|
Improper Control of Generation of Code ('Code Injection') vulnerability in Saturday Drive Ninja Forms allows Code Injection.This issue affects Ninja Forms: from n/a through 3.8.4.
|
|||||
| CVE-2024-37885 | 2 Apple, Nextcloud | 2 Macos, Desktop | 2024-11-21 | N/A | 3.8 LOW |
|
The Nextcloud Desktop Client is a tool to synchronize files from Nextcloud Server with your computer. A code injection in Nextcloud Desktop Client for macOS allowed to load arbitrary code when starting the client with DYLD_INSERT_LIBRARIES set in the enviroment. It is recommended that the Nextcloud Desktop client is upgraded to 3.12.0.
|
|||||
| CVE-2024-37855 | 2024-11-21 | N/A | 8.4 HIGH | ||
|
An issue in Nepstech Wifi Router xpon (terminal) NTPL-Xpon1GFEVN, hardware verstion 1.0 firmware 2.0.1 allows a remote attacker to execute arbitrary code via the router's Telnet port 2345 without requiring authentication credentials.
|
|||||
| CVE-2024-37849 | 1 Itsourcecode | 1 Billing System | 2024-11-21 | N/A | 9.8 CRITICAL |
|
A SQL Injection vulnerability in itsourcecode Billing System 1.0 allows a local attacker to execute arbitrary code in process.php via the username parameter.
|
|||||
| CVE-2024-37405 | 2024-11-21 | N/A | 6.5 MEDIUM | ||
|
Livechat messages can be leaked by combining two NoSQL injections affecting livechat:loginByToken (pre-authentication) and livechat:loadHistory.
|
|||||
| CVE-2024-37273 | 1 Homebrew | 1 Jan | 2024-11-21 | N/A | 9.8 CRITICAL |
|
An arbitrary file upload vulnerability in the /v1/app/appendFileSync interface of Jan v0.4.12 allows attackers to execute arbitrary code via uploading a crafted file.
|
|||||
| CVE-2024-37124 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
|
Use of potentially dangerous function issue exists in Ricoh Streamline NX PC Client. If this vulnerability is exploited, an attacker may create an arbitrary file in the PC where the product is installed.
|
|||||
| CVE-2024-37109 | 1 Wishlistmember | 1 Wishlist Member | 2024-11-21 | N/A | 9.9 CRITICAL |
|
Improper Control of Generation of Code ('Code Injection') vulnerability in Membership Software WishList Member X allows Code Injection.This issue affects WishList Member X: from n/a before 3.26.7.
|
|||||
| CVE-2024-37084 | 1 Vmware | 1 Spring Cloud Data Flow | 2024-11-21 | N/A | 9.8 CRITICAL |
|
In Spring Cloud Data Flow versions prior to 2.11.4, a malicious user who has access to the Skipper server api can use a crafted upload request to write an arbitrary file to any location on the file system which could lead to compromising the server
|
|||||
| CVE-2024-37014 | 1 Langflow | 1 Langflow | 2024-11-21 | N/A | 9.8 CRITICAL |
|
Langflow through 0.6.19 allows remote code execution if untrusted users are able to reach the "POST /api/v1/custom_component" endpoint and provide a Python script.
|
|||||
| CVE-2024-36679 | 2024-11-21 | N/A | 10.0 CRITICAL | ||
|
In the module "Module Live Chat Pro (All in One Messaging)" (livechatpro) <=8.4.0, a guest can perform PHP Code injection. Due to a predictable token, the method `Lcp::saveTranslations()` suffer of a white writer that can inject PHP code into a PHP file.
|
|||||
| CVE-2024-36598 | 2024-11-21 | N/A | 8.1 HIGH | ||
|
An arbitrary file upload vulnerability in Aegon Life v1.0 allows attackers to execute arbitrary code via uploading a crafted image file.
|
|||||
| CVE-2024-36581 | 2024-11-21 | N/A | 7.6 HIGH | ||
|
A Prototype Pollution issue in abw badger-database 1.2.1 allows an attacker to execute arbitrary code via dist/badger-database.esm.
|
|||||
| CVE-2024-36575 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
|
A Prototype Pollution issue in getsetprop 1.1.0 allows an attacker to execute arbitrary code via global.accessor.
|
|||||
| CVE-2024-36456 | 2024-11-21 | N/A | N/A | ||
|
This vulnerability allows an unauthenticated attacker to achieve remote command execution on the affected PAM system by uploading a specially crafted PAM upgrade file.
|
|||||
| CVE-2024-36361 | 2024-11-21 | N/A | 6.8 MEDIUM | ||
|
Pug through 3.0.2 allows JavaScript code execution if an application accepts untrusted input for the name option of the compileClient, compileFileClient, or compileClientWithDependenciesTracked function. NOTE: these functions are for compiling Pug templates into JavaScript, and there would typically be no reason to allow untrusted callers.
|
|||||
| CVE-2024-36268 | 1 Apache | 1 Inlong | 2024-11-21 | N/A | 9.8 CRITICAL |
|
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache InLong.
This issue affects Apache InLong: from 1.10.0 through 1.12.0, which could lead to Remote Code Execution. Users are advised to upgrade to Apache InLong's 1.13.0 or cherry-pick [1] to solve it.
[1] https://github.com/apache/inlong/pull/10251
|
|||||
| CVE-2024-36075 | 2024-11-21 | N/A | 6.5 MEDIUM | ||
|
The CoSoSys Endpoint Protector through 5.9.3 and Unify agent through 7.0.6 is susceptible to an arbitrary code execution vulnerability due to the way an archive obtained from the Endpoint Protector or Unify server is extracted on the endpoint. An attacker who is able to modify the archive on the server could obtain remote code execution as an administrator on an endpoint.
|
|||||
| CVE-2024-36074 | 2024-11-21 | N/A | 7.2 HIGH | ||
|
Netwrix CoSoSys Endpoint Protector through 5.9.3 and CoSoSys Unify through 7.0.6 contain a remote code execution vulnerability in the Endpoint Protector and Unify agent in the way that the EasyLock dependency is acquired from the server. An attacker with administrative access to the Endpoint Protector or Unify server can cause a client to acquire and execute a malicious file resulting in remote code execution.
|
|||||
| CVE-2024-34761 | 2024-11-21 | N/A | 8.5 HIGH | ||
|
Vulnerability discovered by executing a planned security audit.
Improper Control of Generation of Code ('Code Injection') vulnerability in WPENGINE INC Advanced Custom Fields PRO allows Code Injection.This issue affects Advanced Custom Fields PRO: from n/a before 6.2.10.
|
|||||
| CVE-2024-34405 | 2024-11-21 | N/A | 9.1 CRITICAL | ||
|
Improper deep link validation in McAfee Security: Antivirus VPN for Android before 8.3.0 could allow an attacker to launch an arbitrary URL within the app.
|
|||||
| CVE-2024-33644 | 2024-11-21 | N/A | 9.9 CRITICAL | ||
|
Improper Control of Generation of Code ('Code Injection') vulnerability in WPCustomify Customify Site Library allows Code Injection.This issue affects Customify Site Library: from n/a through 0.0.9.
|
|||||
| CVE-2024-33335 | 2024-11-21 | N/A | 6.3 MEDIUM | ||
|
SQL Injection vulnerability in H3C technology company SeaSQL DWS V2.0 allows a remote attacker to execute arbitrary code via a crafted file.
|
|||||
| CVE-2024-33294 | 2024-11-21 | N/A | 9.1 CRITICAL | ||
|
An issue in Library System using PHP/MySQli with Source Code V1.0 allows a remote attacker to execute arbitrary code via the _FAILE variable in the student_edit_photo.php component.
|
|||||
| CVE-2024-33228 | 2024-11-21 | N/A | 8.4 HIGH | ||
|
An issue in the component segwindrvx64.sys of Insyde Software Corp SEG Windows Driver v100.00.07.02 allows attackers to escalate privileges and execute arbitrary code via sending crafted IOCTL requests.
|
|||||
| CVE-2024-33225 | 2024-11-21 | N/A | 7.8 HIGH | ||
|
An issue in the component RTKVHD64.sys of Realtek Semiconductor Corp Realtek(r) High Definition Audio Function Driver v6.0.9549.1 allows attackers to escalate privileges and execute arbitrary code via sending crafted IOCTL requests.
|
|||||