LiveActive security incident?Get immediate response
CVE archive

September 2024

Browse CVE records published in September 2024, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 2470 matching CVEs · Page 1 of 50.

Medium · CVSS 6.7

CVE-2024-42642: Micron Crucial MX500 Series Solid State Drives M3CR046 is vulnerable to Buffer Overflow, which can be trigg...

Micron Crucial MX500 Series Solid State Drives M3CR046 is vulnerable to Buffer Overflow, which can be triggered by sending specially crafted ATA packets from the host to the drive controller. NOTE: The supplier states that this vulnerability was fully remediated in December 2024 and that updated firmware is available through Crucial’s official support page.

Published Sep 4, 2024 · Updated Jul 5, 2026

Medium · CVSS 6.5

CVE-2024-48705: Wavlink AC1200 with firmware versions M32A3_V1410_230602 and M32A3_V1410_240222 are vulnerable to a post-au...

Wavlink AC1200 with firmware versions M32A3_V1410_230602 and M32A3_V1410_240222 are vulnerable to a post-authentication command injection while resetting the password. This vulnerability is specifically found within the "set_sys_adm" function of the "adm.cgi" binary, and is due to improper santization of the user provided "newpass" field

Published Sep 2, 2025 · Updated Jul 5, 2026

Low · CVSS 3.9

CVE-2024-45618: Libopensc: uninitialized values after incorrect or missing checking return values of functions in pkcs15init

A vulnerability was found in pkcs15-init in OpenSC. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. Insufficient or missing checking of return values of functions leads to unexpected work with variables that have not been initialized.

Published Sep 3, 2024 · Updated Jun 30, 2026

Low · CVSS 3.9

CVE-2024-45617: Libopensc: uninitialized values after incorrect or missing checking return values of functions in libopensc

A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. Insufficient or missing checking of return values of functions leads to unexpected work with variables that have not been initialized.

Published Sep 3, 2024 · Updated Jun 30, 2026

Low · CVSS 3.9

CVE-2024-45616: Libopensc: uninitialized values after incorrect check or usage of apdu response values in libopensc

A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. The following problems were caused by insufficient control of the response APDU buffer and its length when communicating with the card.

Published Sep 3, 2024 · Updated Jun 30, 2026

Low · CVSS 2.9

CVE-2024-8443: Libopensc: heap buffer overflow in openpgp driver when generating key

A heap-based buffer overflow vulnerability was found in the libopensc OpenPGP driver. A crafted USB device or smart card with malicious responses to the APDUs during the card enrollment process using the `pkcs15-init` tool may lead to out-of-bound rights, possibly resulting in arbitrary code execution.

Published Sep 10, 2024 · Updated Jun 30, 2026

Medium · CVSS 4.3

CVE-2024-45619: Libopensc: incorrect handling length of buffers or files in libopensc

A vulnerability was found in OpenSC, OpenSC tools, PKCS#11 module, minidriver, and CTK. An attacker could use a crafted USB Device or Smart Card, which would present the system with a specially crafted response to APDUs. When buffers are partially filled with data, initialized parts of the buffer can be incorrectly accessed.

Published Sep 3, 2024 · Updated Jun 30, 2026

High · CVSS 7.5

CVE-2024-8418: Containers/aardvark-dns: tcp query handling flaw in aardvark-dns leading to denial of service

A flaw was found in Aardvark-dns, which is vulnerable to a Denial of Service attack due to the serial processing of TCP DNS queries. An attacker can exploit this flaw by keeping a TCP connection open indefinitely, causing the server to become unresponsive and resulting in other DNS queries timing out. This issue prevents legitimate users from accessing DNS services, thereby disrupting normal operations and causing service downtime.

Published Sep 4, 2024 · Updated Jun 29, 2026

Critical · CVSS 9.2

CVE-2024-1744: IDOR in Ariva Computer's Accord ORS

Authorization Bypass Through User-Controlled Key, Missing Authorization vulnerability in Ariva Computer Accord ORS allows Retrieve Embedded Sensitive Data. This issue affects Accord ORS: before 7.3.2.1.

Published Sep 6, 2024 · Updated Jun 3, 2026

High · CVSS 8.8

CVE-2024-3305: IDOR in Utarit Information's SoliClub

Authorization Bypass Through User-Controlled Key, Missing Authorization vulnerability in Utarit Information SoliClub allows Retrieve Embedded Sensitive Data. This issue affects SoliClub: before 4.4.0 for iOS, before 5.2.1 for Android.

Published Sep 12, 2024 · Updated Jun 3, 2026

High · CVSS 8.8

CVE-2024-3306: IDOR in Utarit Information's SoliClub

Authorization Bypass Through User-Controlled Key vulnerability in Utarit Information SoliClub allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SoliClub: before 4.4.0 for iOS, before 5.2.1 for Android.

Published Sep 12, 2024 · Updated Jun 3, 2026

Critical · CVSS 9.2

CVE-2024-3373: SQLi in RSM Design's Website Template

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RSM Design Website Template allows SQL Injection. This issue affects Website Template: before 1.2.

Published Sep 27, 2024 · Updated Jun 3, 2026

Medium · CVSS 6.9

CVE-2024-4259: Sensetive Data Exposure in SAMPAS's AKOS

Missing Authorization vulnerability in SAMPAŞ Holding AKOS (AkosCepVatandasService), SAMPAŞ Holding AKOS (TahsilatService) allows Collect Data as Provided by Users. This issue affects AKOS (AkosCepVatandasService): before V2.0; AKOS (TahsilatService): before V1.0.7.

Published Sep 3, 2024 · Updated Jun 3, 2026

Critical · CVSS 9.3

CVE-2024-4657: Strored XSS in Talent Software's BAP Automation

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Talent Software BAP Automation allows Stored XSS. This issue affects BAP Automation: before 30840.

Published Sep 25, 2024 · Updated Jun 3, 2026

Critical · CVSS 9.4

CVE-2024-5958: SQLi in Eliz Software's Panel

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Eliz Software Panel allows Command Line Execution through SQL Injection. This issue affects Panel: before v2.3.24.

Published Sep 18, 2024 · Updated Jun 3, 2026

Critical · CVSS 9.3

CVE-2024-5959: Stored XSS in Eliz Software's Panel

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Eliz Software Panel allows Stored XSS. This issue affects Panel: before v2.3.24.

Published Sep 18, 2024 · Updated Jun 3, 2026

Critical · CVSS 9.2

CVE-2024-6401: SQLi in SFS Consulting's InsureE GL

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in SFS Consulting InsureE GL allows SQL Injection. This issue affects InsureE GL: before 4.6.2.

Published Sep 16, 2024 · Updated Jun 3, 2026

Critical · CVSS 9.4

CVE-2024-6877: Reflected XSS in Eliz Software's Panel

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Eliz Software Panel allows Reflected XSS. This issue affects Panel: before v2.3.24.

Published Sep 18, 2024 · Updated Jun 3, 2026

Critical · CVSS 9.2

CVE-2024-6878: Directory Browsing in Eliz Software's Panel

Files or Directories Accessible to External Parties vulnerability in Eliz Software Panel allows Collect Data from Common Resource Locations. This issue affects Panel: before v2.3.24.

Published Sep 18, 2024 · Updated Jun 3, 2026

Critical · CVSS 9.3

CVE-2024-6919: SQLi in NAC Telecommunication's NACPremium

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NAC Telecommunication Systems Inc. NACPremium allows Blind SQL Injection. This issue affects NACPremium: through 01082024.

Published Sep 2, 2024 · Updated Jun 3, 2026

Medium · CVSS 4.8

CVE-2024-6920: Stored XSS in NAC Telecommunication's NACPremium

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NAC Telecommunication Systems Inc. NACPremium allows Stored XSS. This issue affects NACPremium: through 01082024.

Published Sep 2, 2024 · Updated Jun 3, 2026

Critical · CVSS 9.3

CVE-2024-7076: SQLi in Semtek Informatics Software's Semtek Sempos

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Semtek Informatics Software Consulting Inc. Semtek Sempos allows Blind SQL Injection. This issue affects Semtek Sempos: through 31072024.

Published Sep 4, 2024 · Updated Jun 3, 2026