Anti-tampering protection of the Zscaler Client Connector can be bypassed under certain conditions when running the Repair App functionality. This affects Zscaler Client Connector on Windows prior to 4.2.1

Wallos before 1.15.3 is vulnerable to SQL Injection via the category and payment parameters to /subscriptions/get.php.

Passing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError.

Cross Site Scripting vulnerability in MajorDoMo before v.0662e5e allows an attacker to escalate privileges via the the thumb/thumb.php component.

An issue in TVS Motor Company Limited TVS Connet Android v.4.5.1 and iOS v.5.0.0 allows a remote attacker to obtain sensitive information via an insecure API endpoint

An issue in TVS Motor Company Limited TVS Connet Android v.4.5.1 and iOS v.5.0.0 allows a remote attacker to escalate privileges via the Emergency Contact Feature.

SQL injection vulnerability in Webbax supernewsletter v.1.4.21 and before allows a remote attacker to escalate privileges via the Super Newsletter module in the product_search.php components.

Directory Traversal vulnerability in FME Modules customfields v.2.2.7 and before allows a remote attacker to obtain sensitive information via the Custom Checkout Fields, Add Custom Fields to Checkout parameter of the ajax.php

SQL injection vulnerability in shipup before v.3.3.0 allows a remote attacker to escalate privileges via the getShopID function.

An issue in FME Modules fileuploads v.2.0.3 and before and fixed in v2.0.4 allows a remote attacker to obtain sensitive information via the uploadfiles.php component.

SQL Injection vulnerability in Hero hfheropayment v.1.2.5 and before allows an attacker to escalate privileges via the HfHeropaymentGatewayBackModuleFrontController::initContent() function.

Vault Enterprise, when configured with performance standby nodes and a configured audit device, will inadvertently log request headers on the standby node. These logs may have included sensitive HTTP request information in cleartext. This vulnerability, CVE-2024-2877, was fixed in Vault Enterprise 1.15.8.

An issue in OpenStack Storlets yoga-eom allows a remote attacker to execute arbitrary code via the gateway.py component.

A use-after-free vulnerability exists in the way Foxit Reader 2024.1.0.23997 handles a Barcode widget. A specially crafted JavaScript code inside a malicious PDF document can trigger reuse of a previously freed object, which can lead to memory corruption and result in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially crafted, malicious site if the browser plugin extension is enabled.

A use-after-free vulnerability exists in the way Foxit Reader 2024.1.0.23997 handles a ComboBox widget. A specially crafted JavaScript code inside a malicious PDF document can trigger reuse of a previously freed object, which can lead to memory corruption and result in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially crafted, malicious site if the browser plugin extension is enabled.

A type confusion vulnerability vulnerability exists in the way Foxit Reader 2024.1.0.23997 handles a Lock object. A specially crafted Javascript code inside a malicious PDF document can trigger this vulnerability, which can lead to memory corruption and result in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially crafted, malicious site if the browser plugin extension is enabled.

ProQuality pqprintshippinglabels before v.4.15.0 is vulnerable to Directory Traversal via the pqprintshippinglabels module.

IBM Storage Scale 5.1.0.0 through 5.1.9.2 could allow an authenticated user to steal or manipulate an active session to gain access to the system. IBM X-Force ID: 260208.

An issue was discovered in Quest KACE Agent for Windows 12.0.38 and 13.1.23.0. An unquoted Windows search path vulnerability exists in the KSchedulerSvc.exe and AMPTools.exe components. This allows local attackers to execute code of their choice with NT Authority\SYSTEM privileges.

An issue was discovered in Quest KACE Agent for Windows 12.0.38 and 13.1.23.0. An Arbitrary file delete vulnerability exists in the KSchedulerSvc.exe component. Local attackers can delete any file of their choice with NT Authority\SYSTEM privileges.