CVEs from 2024
Total
6,592
critical
critical 174
high
high 1,069
medium
medium 2,083
low
low 49
% Critical
2.6%
% with KEV
2.5%
% with exploit
3.4%
Top products
- mbed_tls 15
- operations_analytics_log_analysis 14
- surveillance_station 12
- checkmk 10
- office 8
- profilegrid 8
- office_long_term_servicing_channel 6
- propertyhive 5
Top packages
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-31943 | medium | 4.3 | 4.3 | 2y ago | Cross-Site Request Forgery (CSRF) vulnerability in Octolize USPS Shipping for WooCommerce – Live Rates.This issue affects USPS Shipping for WooCommerce – Live Rates: from n/a through 1.9.2. | |||
| CVE-2024-22155 | medium | 4.3 | 4.3 | 2y ago | Cross-Site Request Forgery (CSRF) vulnerability in Automattic WooCommerce.This issue affects WooCommerce: from n/a through 8.5.2. | |||
| CVE-2024-29225 | medium | 4.3 | 4.3 | 2y ago | ELECOM wireless LAN routers allow a network-adjacent unauthenticated attacker to obtain the configuration file containing sensitive information by sending a specially crafted request. | |||
| CVE-2024-31096 | medium | 4.3 | 4.3 | 2y ago | Cross-Site Request Forgery (CSRF) vulnerability in kopatheme Nictitate.This issue affects Nictitate: from n/a through 1.1.4. | |||
| CVE-2024-30541 | medium | 4.3 | 4.3 | 2y ago | Cross-Site Request Forgery (CSRF) vulnerability in LWS LWS Optimize.This issue affects LWS Optimize: from n/a through 1.9.1. | |||
| CVE-2024-30536 | medium | 4.3 | 4.3 | 2y ago | Cross-Site Request Forgery (CSRF) vulnerability in WPFactory Slugs Manager.This issue affects Slugs Manager: from n/a through 2.6.7. | |||
| CVE-2024-30526 | medium | 4.3 | 4.3 | 2y ago | Cross-Site Request Forgery (CSRF) vulnerability in Easy Social Feed.This issue affects Easy Social Feed: from n/a through 6.5.6. | |||
| CVE-2024-30468 | medium | 4.3 | 4.3 | 2y ago | Cross-Site Request Forgery (CSRF) vulnerability in All In One WP Security & Firewall Team All In One WP Security & Firewall.This issue affects All In One WP Security & Firewall: from n/a through 5.2.… | |||
| CVE-2024-30460 | medium | 4.3 | 4.3 | 2y ago | Cross-Site Request Forgery (CSRF) vulnerability in Tumult Inc Tumult Hype Animations.This issue affects Tumult Hype Animations: from n/a through 1.9.11. | |||
| CVE-2024-30455 | medium | 4.3 | 4.3 | 2y ago | Cross-Site Request Forgery (CSRF) vulnerability in GamiPress.This issue affects GamiPress: from n/a through 6.8.5. | |||
| CVE-2024-30518 | medium | 4.3 | 4.3 | 2y ago | Cross-Site Request Forgery (CSRF) vulnerability in ThemeLocation Custom WooCommerce Checkout Fields Editor.This issue affects Custom WooCommerce Checkout Fields Editor: from n/a through 1.3.0. | |||
| CVE-2024-30492 | medium | 4.3 | 4.3 | 2y ago | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WebToffee Import Export WordPress Users.This issue affects Import Export WordPress Users: from n/a thro… | |||
| CVE-2024-30421 | medium | 4.3 | 4.3 | 2y ago | Cross-Site Request Forgery (CSRF) vulnerability in Pixelite Events Manager.This issue affects Events Manager: from n/a through 6.4.7.1. | |||
| CVE-2024-28004 | medium | 4.3 | 4.3 | 2y ago | Missing Authorization vulnerability in ExtendThemes Colibri Page Builder.This issue affects Colibri Page Builder: from n/a through 1.0.248. | |||
| CVE-2024-2951 | medium | 4.3 | 4.3 | 2y ago | Cross-Site Request Forgery (CSRF) vulnerability in Metagauss RegistrationMagic.This issue affects RegistrationMagic: from n/a through 5.3.0.0. | |||
| CVE-2024-24719 | medium | 4.3 | 4.3 | 2y ago | Missing Authorization vulnerability in Uriahs Victor Location Picker at Checkout for WooCommerce.This issue affects Location Picker at Checkout for WooCommerce: from n/a through 1.8.9. | |||
| CVE-2024-24711 | medium | 4.3 | 4.3 | 2y ago | Missing Authorization vulnerability in weDevs WooCommerce Conversion Tracking.This issue affects WooCommerce Conversion Tracking: from n/a through 2.0.11. | |||
| CVE-2024-23520 | medium | 4.3 | 4.3 | 2y ago | Missing Authorization vulnerability in AccessAlly PopupAlly.This issue affects PopupAlly: from n/a through 2.1.0. | |||
| CVE-2024-24708 | medium | 4.3 | 4.3 | 2y ago | Cross-Site Request Forgery (CSRF) vulnerability in W3speedster W3SPEEDSTER.This issue affects W3SPEEDSTER: from n/a through 7.19. | |||
| CVE-2024-24837 | medium | 4.3 | 4.3 | 2y ago | Cross-Site Request Forgery (CSRF) vulnerability in Frédéric GILLES FG PrestaShop to WooCommerce, Frédéric GILLES FG Drupal to WordPress, Frédéric GILLES FG Joomla to WordPress.This issue affects FG P… | |||
| CVE-2024-24706 | medium | 4.3 | 4.3 | 2y ago | Cross-Site Request Forgery (CSRF) vulnerability in Forum One WP-CFM wp-cfm.This issue affects WP-CFM: from n/a through 1.7.8. | |||
| CVE-2024-0456 | medium | 4.3 | 4.3 | 2y ago | An authorization vulnerability exists in GitLab versions 14.0 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. An unauthorized attacker is able to assign arbitrary users to MRs that t… | |||
| CVE-2024-47263 | medium | 4.1 | 4.1 | 4d ago | An improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in Backup.Repository webapi component in Synology Hyper Backup before 4.1.2-4036 allows remote authenti… | |||
| CVE-2024-56275 | medium | 4.1 | 4.1 | 1y ago | Server-Side Request Forgery (SSRF) vulnerability in Envato Envato Elements allows Server Side Request Forgery.This issue affects Envato Elements: from n/a through 2.0.14. | |||
| CVE-2024-32078 | medium | 4.1 | 4.1 | 2y ago | URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Foliovision FV Flowplayer Video Player.This issue affects FV Flowplayer Video Player: from n/a through 7.5.44.7212. | |||
| CVE-2024-12970 | low | 3.9 | 3.9 | 1y ago | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in TUBITAK BILGEM Pardus OS My Computer allows OS Command Injection. This issue affects Pardu… | |||
| CVE-2024-31265 | low | 3.7 | 3.7 | 2y ago | Cross-Site Request Forgery (CSRF) vulnerability in SumoMe Sumo.This issue affects Sumo: from n/a through 1.34. | |||
| CVE-2024-7083 | low | 3.5 | 3.5 | 2mo ago | The Email Encoder WordPress plugin before 2.3.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks… | |||
| CVE-2024-47175 | low | — | 3.5 | 2y ago | Low: cups security update | |||
| CVE-2024-6006 | low | 3.5 | 3.5 | 2y ago | A vulnerability was found in ZKTeco ZKBio CVSecurity V5000 4.1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the component Summer Schedule Handler. The … | |||
| CVE-2024-6005 | low | 3.5 | 3.5 | 2y ago | A vulnerability was found in ZKTeco ZKBio CVSecurity V5000 4.1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component Department Section. … | |||
| CVE-2024-6807 | low | 3.4 | 3.4 | 2y ago | A vulnerability was found in SourceCodester Student Study Center Desk Management System 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /sscdms/cla… | |||
| CVE-2024-50044 | low | 3.3 | 3.3 | 1y ago | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: RFCOMM: FIX possible deadlock in rfcomm_sk_state_change rfcomm_sk_state_change attempts to use sock_lock so it must ne… | |||
| CVE-2024-35935 | low | 3.3 | 3.3 | 2y ago | In the Linux kernel, the following vulnerability has been resolved: btrfs: send: handle path ref underflow in header iterate_inode_ref() Change BUG_ON to proper error handling if building the path … | |||
| CVE-2024-28085 | low | 3.3 | 3.3 | 2y ago | wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from … | |||
| CVE-2024-42206 | low | 3.1 | 3.1 | 5d ago | HCL iReflection Third party vulnerable and outdated components issue was detected in the web application | |||
| CVE-2024-3932 | low | 3.1 | 3.1 | 2y ago | A vulnerability classified as problematic has been found in Totara LMS up to 18.7. This affects an unknown part of the component User Selector. The manipulation leads to cross-site request forgery. I… | |||
| CVE-2024-47272 | low | 2.7 | 2.7 | 11d ago | Incorrect authorization vulnerability in IO Module functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to … | |||
| CVE-2024-47270 | low | 2.7 | 2.7 | 11d ago | Improper preservation of permissions vulnerability in Archiving Push functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administra… | |||
| CVE-2024-47267 | low | 2.7 | 2.7 | 11d ago | Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in Archiving Pull functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows … | |||
| CVE-2024-10492 | low | 2.7 | 2.7 | 2y ago | Keycloak Path Traversal Vulnerability Due to External Control of File Name or Path | |||
| CVE-2024-30507 | low | 2.7 | 2.7 | 2y ago | Authorization Bypass Through User-Controlled Key vulnerability in Molongui.This issue affects Molongui: from n/a through 4.7.7. | |||
| CVE-2024-7399 | unknown | — | 2.5 | 1mo ago | Samsung MagicINFO 9 Server contains a path traversal vulnerability that could allow an attacker to write arbitrary files as system authority. | |||
| CVE-2024-56433 | low | — | 2.5 | 7mo ago | Low: shadow-utils security update | |||
| CVE-2024-57727 | unknown | — | 2.5 | 1y ago | SimpleHelp remote support software contains multiple path traversal vulnerabilities that allow unauthenticated remote attackers to download arbitrary files from the SimpleHelp host via crafted HTTP r… | |||
| CVE-2024-12356 | unknown | — | 2.5 | 2y ago | BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) contain a command injection vulnerability, which can allow an unauthenticated attacker to inject commands that are run as a site use… | |||
| CVE-2024-56145 | unknown | — | 2.5 | 2y ago | Craft CMS contains a code injection vulnerability. Users with affected versions are vulnerable to remote code execution if their php.ini configuration has `register_argc_argv` enabled. | |||
| CVE-2024-54677 | low | — | 2.5 | 2y ago | Uncontrolled Resource Consumption vulnerability in the examples web application provided with Apache Tomcat leads to denial of service. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.… | |||
| CVE-2024-55956 | unknown | — | 2.5 | 2y ago | Cleo Harmony, VLTrader, and LexiCom, which are managed file transfer products, contain an unrestricted file upload vulnerability that could allow an unauthenticated user to import and execute arbitra… | |||
| CVE-2024-35250 | unknown | — | 2.5 | 2y ago | Microsoft Windows Kernel-Mode Driver contains an untrusted pointer dereference vulnerability that allows a local attacker to escalate privileges. | |||
| CVE-2024-20767 | unknown | — | 2.5 | 2y ago | Adobe ColdFusion contains an improper access control vulnerability that could allow an attacker to access or modify restricted files via an internet-exposed admin panel. | |||
| CVE-2024-7592 | low | — | 2.5 | 2y ago | There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie… | |||
| CVE-2024-49138 | unknown | — | 2.5 | 2y ago | Microsoft Windows Common Log File System (CLFS) driver contains a heap-based buffer overflow vulnerability that allows a local attacker to escalate privileges. | |||
| CVE-2024-51378 | unknown | — | 2.5 | 2y ago | CyberPanel contains an incorrect default permissions vulnerability that allows for authentication bypass and the execution of arbitrary commands using shell metacharacters in the statusfile property. | |||
| CVE-2024-11680 | unknown | — | 2.5 | 2y ago | ProjectSend contains an improper authentication vulnerability that allows a remote, unauthenticated attacker to enable unauthorized modification of the application's configuration via crafted HTTP re… | |||
| CVE-2024-52800 | low | — | 2.5 | 2y ago | veraPDF CLI has potential XXE (XML External Entity Injection) vulnerability | |||
| CVE-2024-27043 | low | — | 2.5 | 2y ago | In the Linux kernel, the following vulnerability has been resolved: media: edia: dvbdev: fix a use-after-free In dvb_register_device, *pdvbdev is set equal to dvbdev, which is freed in several erro… | |||
| CVE-2024-0012 | unknown | — | 2.5 | 2y ago | Palo Alto Networks PAN-OS contains an authentication bypass vulnerability in the web-based management interface for several PAN-OS products, including firewalls and VPN concentrators. | |||
| CVE-2024-9474 | unknown | — | 2.5 | 2y ago | Palo Alto Networks PAN-OS contains an OS command injection vulnerability that allows for privilege escalation through the web-based management interface for several PAN products, including firewalls … | |||
| CVE-2024-1212 | unknown | — | 2.5 | 2y ago | Progress Kemp LoadMaster contains an OS command injection vulnerability that allows an unauthenticated, remote attacker to access the system through the LoadMaster management interface, enabling arbi… | |||
| CVE-2024-26461 | low | — | 2.5 | 2y ago | RHSA-2024:3268: krb5 security update (Low) | |||
| CVE-2024-6126 | low | — | 2.5 | 2y ago | A flaw was found in the cockpit package. This flaw allows an authenticated user to kill any process when enabling the pam_env's user_readenv option, which leads to a denial of service (DoS) attack. | |||
| CVE-2024-29038 | low | — | 2.5 | 2y ago | Low: tpm2-tools security update | |||
| CVE-2024-6501 | low | — | 2.5 | 2y ago | Low: NetworkManager security update | |||
| CVE-2024-4741 | low | — | 2.5 | 2y ago | Low: openssl security update | |||
| CVE-2024-2313 | low | — | 2.5 | 2y ago | RHSA-2024:8830: bpftrace security update (Low) | |||
| CVE-2024-2314 | low | — | 2.5 | 2y ago | RHSA-2024:8831: bcc security update (Low) | |||
| CVE-2024-5742 | low | — | 2.5 | 2y ago | RHSA-2024:6986: nano security update (Low) | |||
| CVE-2024-26458 | low | — | 2.5 | 2y ago | RHSA-2024:3268: krb5 security update (Low) | |||
| CVE-2024-29039 | low | — | 2.5 | 2y ago | Low: tpm2-tools security update | |||
| CVE-2024-4603 | low | — | 2.5 | 2y ago | Low: openssl security update | |||
| CVE-2024-51567 | unknown | — | 2.5 | 2y ago | CyberPanel contains an incorrect default permissions vulnerability that allows a remote, unauthenticated attacker to execute commands as root. | |||
| CVE-2024-5910 | unknown | — | 2.5 | 2y ago | Palo Alto Networks Expedition contains a missing authentication vulnerability that allows an attacker with network access to takeover an Expedition admin account and potentially access configuration … | |||
| CVE-2024-36387 | low | — | 2.5 | 2y ago | Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, degrading performance. | |||
| CVE-2024-37383 | unknown | — | 2.5 | 2y ago | RoundCube Webmail contains a cross-site scripting (XSS) vulnerability in the handling of SVG animate attributes that allows a remote attacker to run malicious JavaScript code. | |||
| CVE-2024-47575 | unknown | — | 2.5 | 2y ago | Fortinet FortiManager contains a missing authentication vulnerability in the fgfmd daemon that allows a remote, unauthenticated attacker to execute arbitrary code or commands via specially crafted re… | |||
| CVE-2024-28987 | unknown | — | 2.5 | 2y ago | SolarWinds Web Help Desk contains a hardcoded credential vulnerability that could allow a remote, unauthenticated user to access internal functionality and modify data. | |||
| CVE-2024-29824 | unknown | — | 2.5 | 2y ago | Ivanti Endpoint Manager (EPM) contains a SQL injection vulnerability in Core server that allows an unauthenticated attacker within the same network to execute arbitrary code. | |||
| CVE-2024-6670 | unknown | — | 2.5 | 2y ago | Progress WhatsUp Gold contains a SQL injection vulnerability that allows an unauthenticated attacker to retrieve the user's encrypted password if the application is configured with only a single user. | |||
| CVE-2024-38856 | unknown | — | 2.5 | 2y ago | Apache OFBiz contains an incorrect authorization vulnerability that could allow remote code execution via a Groovy payload in the context of the OFBiz user process by an unauthenticated attacker. | |||
| CVE-2024-38193 | unknown | — | 2.5 | 2y ago | Microsoft Windows Ancillary Function Driver for WinSock contains an unspecified vulnerability that allows for privilege escalation, enabling a local attacker to gain SYSTEM privileges. | |||
| CVE-2024-32113 | unknown | — | 2.5 | 2y ago | Apache OFBiz contains a path traversal vulnerability that could allow for remote code execution. | |||
| CVE-2024-4879 | unknown | — | 2.5 | 2y ago | ServiceNow Utah, Vancouver, and Washington DC Now Platform releases contain a jelly template injection vulnerability in UI macros. An unauthenticated user could exploit this vulnerability to execute … | |||
| CVE-2024-4032 | low | — | 2.5 | 2y ago | Low: python3 security update | |||
| CVE-2024-4418 | low | — | 2.5 | 2y ago | RHSA-2024:4351: virt:rhel and virt-devel:rhel security and bug fix update (Low) | |||
| CVE-2024-28995 | unknown | — | 2.5 | 2y ago | SolarWinds Serv-U contains a path traversal vulnerability that allows an attacker access to read sensitive files on the host machine. | |||
| CVE-2024-23692 | unknown | — | 2.5 | 2y ago | Rejetto HTTP File Server contains an improper neutralization of special elements used in a template engine vulnerability. This allows a remote, unauthenticated attacker to execute commands on the aff… | |||
| CVE-2024-36401 | unknown | — | 2.5 | 2y ago | OSGeo GeoServer GeoTools contains an improper neutralization of directives in dynamically evaluated code vulnerability due to unsafely evaluating property names as XPath expressions. This allows unau… | |||
| CVE-2024-34102 | unknown | — | 2.5 | 2y ago | Adobe Commerce and Magento Open Source contain an improper restriction of XML external entity reference (XXE) vulnerability that allows for remote code execution. | |||
| CVE-2024-4358 | unknown | — | 2.5 | 2y ago | Progress Telerik Report Server contains an authorization bypass by spoofing vulnerability that allows an attacker to obtain unauthorized access. | |||
| CVE-2024-4577 | unknown | — | 2.5 | 2y ago | PHP, specifically Windows-based PHP used in CGI mode, contains an OS command injection vulnerability that allows for arbitrary code execution. This vulnerability is a patch bypass for CVE-2012-1823. | |||
| CVE-2024-5629 | low | — | 2.5 | 2y ago | RHSA-2025:8419: python36:3.6 security update (Low) | |||
| CVE-2024-24919 | unknown | — | 2.5 | 2y ago | Check Point Quantum Security Gateways contain an unspecified information disclosure vulnerability. The vulnerability potentially allows an attacker to access information on Gateways connected to the … | |||
| CVE-2024-35176 | low | — | 2.5 | 2y ago | RHSA-2024:5338: pcs security update (Low) | |||
| CVE-2024-25629 | low | — | 2.5 | 2y ago | RHSA-2024:4249: c-ares security update (Low) | |||
| CVE-2024-4040 | unknown | — | 2.5 | 2y ago | CrushFTP contains an unspecified sandbox escape vulnerability that allows a remote attacker to escape the CrushFTP virtual file system (VFS). | |||
| CVE-2024-27348 | unknown | — | 2.5 | 2y ago | Apache HugeGraph-Server contains an improper access control vulnerability that could allow a remote attacker to execute arbitrary code. | |||
| CVE-2024-3852 | low | — | 2.5 | 2y ago | GetBoundName could return the wrong version of an object when JIT optimizations were applied. This vulnerability affects Firefox < 125, Firefox ESR < 115.10, and Thunderbird < 115.10. | |||
| CVE-2024-3854 | low | — | 2.5 | 2y ago | In some code patterns the JIT incorrectly optimized switch statements and generated code with out-of-bounds-reads. This vulnerability affects Firefox < 125, Firefox ESR < 115.10, and Thunderbird < 11… | |||
| CVE-2024-3857 | low | — | 2.5 | 2y ago | The JIT created incorrect code for arguments in certain cases. This led to potential use-after-free crashes during garbage collection. This vulnerability affects Firefox < 125, Firefox ESR < 115.10, … |