7.2
CVE-2024-1596 - Ninja Forms File Uploads <= 3.3.16 - Unauthenticated Stored Cross-Site Scripting via File Upload
The Ninja Forms - File Uploads plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an uploaded file (e.g. RTX file) in all versions up to, and including, 3.3.16 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inje…
5.1
CVE-2024-8523 - lmxcms SQL Command Execution Module admin.php formatData code injection
A vulnerability was found in lmxcms up to 1.4 and classified as critical. Affected by this issue is the function formatData of the file /admin.php?m=Acquisi&a=testcj&lid=1 of the component SQL Command Execution Module. The manipulation of the argument data leads to code injection. The attack may be…
6.4
CVE-2024-6849 - Preloader Plus – WordPress Loading Screen Plugin <= 2.2.1 - Authenticated (Author+) Stored Cross-Si…
The Preloader Plus – WordPress Loading Screen Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, wit…
4.3
CVE-2024-8538 - Big File Uploads <= 2.1.2 - Authenticated (Author+) Full Path Disclosure
The Big File Uploads – Increase Maximum File Upload Size plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 2.1.2. This is due to the plugin not sanitizing a file path in an error message. This makes it possible for authenticated attackers, with author-lev…
6.9
CVE-2024-8521 - Wavelog Live QSO qso index cross site scripting
A vulnerability, which was classified as problematic, was found in Wavelog up to 1.8.0. Affected is the function index of the file /qso of the component Live QSO. The manipulation of the argument manual leads to cross site scripting. It is possible to launch the attack remotely. The exploit has bee…
8.8
CVE-2024-45034 - Apache Airflow: Authenticated DAG authors could execute code on scheduler nodes
Apache Airflow versions before 2.10.1 have a vulnerability that allows DAG authors to add local settings to the DAG folder and get it executed by the scheduler, where the scheduler is not supposed to execute code submitted by the DAG author. Users are advised to upgrade to version 2.10.1 or later,…
8.8
CVE-2024-45498 - Apache Airflow: Command Injection in an example DAG
Example DAG: example_inlet_event_extra.py shipped with Apache Airflow version 2.10.0 has a vulnerability that allows an authenticated attacker with only DAG trigger permission to execute arbitrary commands. If you used that example as the base of your DAGs - please review if you have not copied the…
7.5
CVE-2024-34158 - Stack exhaustion in Parse in go/build/constraint
Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion.
7.5
CVE-2024-34156 - Stack exhaustion in Decoder.Decode in encoding/gob
Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635.
4.3
CVE-2024-34155 - Stack exhaustion in all Parse functions in go/parser
Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion.