The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries, with CVSS Severity
  • CVE-2024-4619 - The Elementor Website Builder – More than Just a Page Builder plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the ‘hover_animation’ parameter in versions up to, and including, 3.21.4 due to insufficient input saniti... read CVE-2024-4619
    Published: May 21, 2024; 7:15:09 AM -0400

    V3.1: 5.4 MEDIUM

  • CVE-2024-9630 - The WPS Telegram Chat plugin for WordPress is vulnerable to authorization bypass due to a missing capability check when accessing messages in versions up to, and including, 4.5.4. This makes it possible for unauthenticated attackers to view the me... read CVE-2024-9630
    Published: October 25, 2024; 4:15:03 AM -0400

    V3.1: 5.3 MEDIUM

  • CVE-2024-4876 - The HT Mega – Absolute Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘popover_header_text’ parameter in versions up to, and including, 2.5.2 due to insufficient input sanitization and output escapin... read CVE-2024-4876
    Published: May 21, 2024; 7:15:09 AM -0400

    V3.1: 5.4 MEDIUM

  • CVE-2024-5025 - The Memberpress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘arglist’ parameter in all versions up to, and including, 1.11.29 due to insufficient input sanitization and output escaping. This makes it possible for auth... read CVE-2024-5025
    Published: May 22, 2024; 5:15:13 AM -0400

    V3.1: 5.4 MEDIUM

  • CVE-2024-27102 - Wings is the server control plane for Pterodactyl Panel. This vulnerability impacts anyone running the affected versions of Wings. The vulnerability can potentially be used to access files and directories on the host system. The full scope of impa... read CVE-2024-27102
    Published: March 13, 2024; 5:15:59 PM -0400

    V3.1: 8.5 HIGH

  • CVE-2024-27097 - A user endpoint didn't perform filtering on an incoming parameter, which was added directly to the application log. This could lead to an attacker injecting false log entries or corrupt the log file format. This has been fixed in the CKAN versions... read CVE-2024-27097
    Published: March 13, 2024; 5:15:58 PM -0400

    V3.1: 5.3 MEDIUM

  • CVE-2024-9628 - The WPS Telegram Chat plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'Wps_Telegram_Chat_Admin::check?onnection' function in versions up to, and including, 4.5.4. Th... read CVE-2024-9628
    Published: October 25, 2024; 4:15:03 AM -0400

    V3.1: 6.5 MEDIUM

  • CVE-2024-1884 - This is a Server-Side Request Forgery (SSRF) vulnerability in the PaperCut NG/MF server-side module that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing.
    Published: March 14, 2024; 12:15:08 AM -0400

    V3.1: 6.5 MEDIUM

  • CVE-2024-1883 - This is a reflected cross site scripting vulnerability in the PaperCut NG/MF application server. An attacker can exploit this weakness by crafting a malicious URL that contains a script. When an unsuspecting user clicks on this malicious link, it ... read CVE-2024-1883
    Published: March 14, 2024; 12:15:08 AM -0400

    V3.1: 6.1 MEDIUM

  • CVE-2024-50603 - An issue was discovered in Aviatrix Controller before 7.1.4191 and 7.2.x before 7.2.4996. Due to the improper neutralization of special elements used in an OS command, an unauthenticated attacker is able to execute arbitrary code. Shell metacharac... read CVE-2024-50603
    Published: January 07, 2025; 8:15:07 PM -0500

    V3.1: 9.8 CRITICAL

  • CVE-2024-44195 - A logic issue was addressed with improved validation. This issue is fixed in macOS Sequoia 15.1. An app may be able to read arbitrary files.
    Published: December 19, 2024; 11:15:05 PM -0500

    V3.1: 7.5 HIGH

  • CVE-2024-47761 - GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to version 10.0.17, an administrator with access to the sent notifications contents can take control of an account with higher privileges. Version 10.0.17 ... read CVE-2024-47761
    Published: December 11, 2024; 12:15:16 PM -0500

    V3.1: 7.2 HIGH

  • CVE-2024-1882 - This vulnerability allows an already authenticated admin user to create a malicious payload that could be leveraged for remote code execution on the server hosting the PaperCut NG/MF application server.
    Published: March 14, 2024; 12:15:08 AM -0400

    V3.1: 7.2 HIGH

  • CVE-2024-1654 - This vulnerability potentially allows unauthorized write operations which may lead to remote code execution. An attacker must already have authenticated admin access and knowledge of both an internal system identifier and details of another valid ... read CVE-2024-1654
    Published: March 13, 2024; 11:15:08 PM -0400

    V3.1: 7.2 HIGH

  • CVE-2024-1223 - This vulnerability potentially allows unauthorized enumeration of information from the embedded device APIs. An attacker must already have existing knowledge of some combination of valid usernames, device names and an internal system key. For such... read CVE-2024-1223
    Published: March 13, 2024; 11:15:07 PM -0400

    V3.1: 4.8 MEDIUM

  • CVE-2024-47760 - GLPI is a free asset and IT management software package. Starting in version 9.1.0 and prior to version 10.0.17, a technician with an access to the API can take control of an account with higher privileges. Version 10.0.17 contains a patch for thi... read CVE-2024-47760
    Published: December 11, 2024; 12:15:16 PM -0500

    V3.1: 8.8 HIGH

  • CVE-2024-1222 - This allows attackers to use a maliciously formed API request to gain access to an API authorization level with elevated privileges. This applies to a small subset of PaperCut NG/MF API calls.
    Published: March 13, 2024; 11:15:07 PM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2024-1221 - This vulnerability potentially allows files on a PaperCut NG/MF server to be exposed using a specifically formed payload against the impacted API endpoint. The attacker must carry out some reconnaissance to gain knowledge of a system token. This C... read CVE-2024-1221
    Published: March 13, 2024; 11:15:06 PM -0400

    V3.1: 3.1 LOW

  • CVE-2024-11598 - Under specific circumstances, insecure permissions in Ivanti Application Control before version 2024.3 HF1, 2024.1 HF2, or 2023.3 HF3 allows a local authenticated attacker to achieve local privilege escalation.
    Published: December 11, 2024; 12:15:14 PM -0500

    V3.1: 7.8 HIGH

  • CVE-2024-11597 - Under specific circumstances, insecure permissions in Ivanti Performance Manager before version 2024.3 HF1, 2024.1 HF1, or 2023.3 HF1 allows a local authenticated attacker to achieve local privilege escalation.
    Published: December 11, 2024; 12:15:14 PM -0500

    V3.1: 7.8 HIGH

Created September 20, 2022, Updated August 27, 2024