Vulnerabilities (CVE)

Filtered by CWE-94
Total 3318 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-37770 2024-07-11 N/A 9.1 CRITICAL
14Finger v1.1 was discovered to contain a remote command execution (RCE) vulnerability in the fingerprint function. This vulnerability allows attackers to execute arbitrary commands via a crafted payload.
CVE-2023-6494 2024-07-11 N/A 4.4 MEDIUM
The WPC Smart Quick View for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
CVE-2023-44853 2024-07-11 N/A 4.8 MEDIUM
\An issue was discovered in Cobham SAILOR VSAT Ku v.164B019, allows a remote attacker to execute arbitrary code via a crafted script to the sub_219C4 function in the acu_web file.
CVE-2024-21832 2024-07-11 N/A 3.5 LOW
A potential JSON injection attack vector exists in PingFederate REST API data stores using the POST method and a JSON request body.
CVE-2024-36075 2024-07-09 N/A 6.5 MEDIUM
The CoSoSys Endpoint Protector through 5.9.3 and Unify agent through 7.0.6 is susceptible to an arbitrary code execution vulnerability due to the way an archive obtained from the Endpoint Protector or Unify server is extracted on the endpoint. An attacker who is able to modify the archive on the server could obtain remote code execution as an administrator on an endpoint.
CVE-2024-37934 2024-07-09 N/A 5.4 MEDIUM
Improper Control of Generation of Code ('Code Injection') vulnerability in Saturday Drive Ninja Forms allows Code Injection.This issue affects Ninja Forms: from n/a through 3.8.4.
CVE-2024-30878 2024-07-09 N/A 6.1 MEDIUM
A cross-site scripting (XSS) vulnerability in RageFrame2 v2.6.43, allows remote attackers to execute arbitrary web scripts or HTML and obtain sensitive information via a crafted payload injected into the upload_drive parameter.
CVE-2023-39017 1 Softwareag 1 Quartz 2024-07-08 N/A 9.8 CRITICAL
quartz-jobs 2.3.2 and below was discovered to contain a code injection vulnerability in the component org.quartz.jobs.ee.jms.SendQueueMessageJob.execute. This vulnerability is exploited via passing an unchecked argument. NOTE: this is disputed by multiple parties because it is not plausible that untrusted user input would reach the code location where injection must occur.
CVE-2024-38346 1 Apache 1 Cloudstack 2024-07-08 N/A 9.8 CRITICAL
The CloudStack cluster service runs on unauthenticated port (default 9090) that can be misused to run arbitrary commands on targeted hypervisors and CloudStack management server hosts. Some of these commands were found to have command injection vulnerabilities that can result in arbitrary code execution via agents on the hosts that may run as a privileged user. An attacker that can reach the cluster service on the unauthenticated port (default 9090), can exploit this to perform remote code execution on CloudStack managed hosts and result in complete compromise of the confidentiality, integrity, and availability of CloudStack managed infrastructure. Users are recommended to restrict the network access to the cluster service port (default 9090) on a CloudStack management server host to only its peer CloudStack management server hosts. Users are recommended to upgrade to version 4.18.2.1, 4.19.0.2 or later, which addresses this issue.
CVE-2024-39864 1 Apache 1 Cloudstack 2024-07-08 N/A 9.8 CRITICAL
The CloudStack integration API service allows running its unauthenticated API server (usually on port 8096 when configured and enabled via integration.api.port global setting) for internal portal integrations and for testing purposes. By default, the integration API service port is disabled and is considered disabled when integration.api.port is set to 0 or negative. Due to an improper initialisation logic, the integration API service would listen on a random port when its port value is set to 0 (default value). An attacker that can access the CloudStack management network could scan and find the randomised integration API service port and exploit it to perform unauthorised administrative actions and perform remote code execution on CloudStack managed hosts and result in complete compromise of the confidentiality, integrity, and availability of CloudStack managed infrastructure. Users are recommended to restrict the network access on the CloudStack management server hosts to only essential ports. Users are recommended to upgrade to version 4.18.2.1, 4.19.0.2 or later, which addresses this issue.
CVE-2024-6507 2024-07-08 N/A 8.1 HIGH
Command injection when ingesting a remote Kaggle dataset due to a lack of input sanitization in the ingest_kaggle() API
CVE-2024-39932 2024-07-08 N/A 9.9 CRITICAL
Gogs through 0.13.0 allows argument injection during the previewing of changes.
CVE-2024-39844 2024-07-08 N/A 9.8 CRITICAL
In ZNC before 1.9.1, remote code execution can occur in modtcl via a KICK.
CVE-2024-33871 2024-07-08 N/A 8.8 HIGH
An issue was discovered in Artifex Ghostscript before 10.03.1. contrib/opvp/gdevopvp.c allows arbitrary code execution via a custom Driver library, exploitable via a crafted PostScript document. This occurs because the Driver parameter for opvp (and oprp) devices can have an arbitrary name for a dynamic library; this library is then loaded.
CVE-2024-29500 2024-07-08 N/A 9.8 CRITICAL
An issue in the kiosk mode of Secure Lockdown Multi Application Edition v2.00.219 allows attackers to execute arbitrary code via running a ClickOnce application instance.
CVE-2024-25376 2024-07-08 N/A 7.8 HIGH
An issue discovered in Thesycon Software Solutions Gmbh & Co. KG TUSBAudio MSI-based installers before 5.68.0 allows a local attacker to execute arbitrary code via the msiexec.exe repair mode.
CVE-2024-25086 2 Jungo, Mitsubishielectric 43 Windriver, Cpu Module Logging Configuration Tool, Cw Configurator and 40 more 2024-07-08 N/A 7.8 HIGH
Improper privilege management in Jungo WinDriver before 12.2.0 allows local attackers to escalate privileges and execute arbitrary code.
CVE-2024-24486 2024-07-08 N/A 9.1 CRITICAL
An issue discovered in silex technology DS-600 Firmware v.1.4.1 allows a remote attacker to edit device settings via the SAVE EEP_DATA command.
CVE-2024-27857 1 Apple 5 Ipados, Iphone Os, Macos and 2 more 2024-07-03 N/A 7.8 HIGH
An out-of-bounds access issue was addressed with improved bounds checking. This issue is fixed in visionOS 1.2, macOS Sonoma 14.5, tvOS 17.5, iOS 17.5 and iPadOS 17.5. A remote attacker may be able to cause unexpected app termination or arbitrary code execution.
CVE-2024-6376 1 Mongodb 1 Compass 2024-07-03 N/A 9.8 CRITICAL
MongoDB Compass may be susceptible to code injection due to insufficient sandbox protection settings with the usage of ejson shell parser in Compass' connection handling. This issue affects MongoDB Compass versions prior to version 1.42.2