LiveActive security incident?Get immediate response
CVE archive

November 2024

Browse CVE records published in November 2024, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 3810 matching CVEs · Page 1 of 77.

Medium · CVSS 5.5

CVE-2024-11079: Ansible-core: unsafe tagging bypass via hostvars object in ansible-core

A flaw was found in Ansible-Core. This vulnerability allows attackers to bypass unsafe content protections using the hostvars object to reference and execute templated content. This issue can lead to arbitrary code execution if remote data or module outputs are improperly templated within playbooks.

Published Nov 11, 2024 · Updated Jun 29, 2026

Medium · CVSS 5.3

CVE-2024-52616: Avahi: avahi wide-area dns predictable transaction ids

A flaw was found in the Avahi-daemon, where it initializes DNS transaction IDs randomly only once at startup, incrementing them sequentially after that. This predictable behavior facilitates DNS spoofing attacks, allowing attackers to guess transaction IDs.

Published Nov 21, 2024 · Updated Jun 29, 2026

Medium · CVSS 5.5

CVE-2024-52337: Tuned: improper sanitization of `instance_name` parameter of the `instance_create()` method

A log spoofing flaw was found in the Tuned package due to improper sanitization of some API arguments. This flaw allows an attacker to pass a controlled sequence of characters; newlines can be inserted into the log. Instead of the 'evil' the attacker could mimic a valid TuneD log line and trick the administrator. The quotes '' are usually used in TuneD logs citing raw user input, so there will always be the ' character ending the spoofed input, and the administrator can easily overlook this. This logged string is later used in logging and in the output of utilities, for example, `tuned-adm get_instances` or other third-party programs that use Tuned's D-Bus interface for such operations.

Published Nov 26, 2024 · Updated Jun 26, 2026

High · CVSS 7.8

CVE-2024-52336: Tuned: `script_pre` and `script_post` options allow to pass arbitrary scripts executed by root

A script injection vulnerability was identified in the Tuned package. The `instance_create()` D-Bus function can be called by locally logged-in users without authentication. This flaw allows a local non-privileged user to execute a D-Bus call with `script_pre` or `script_post` options that permit arbitrary scripts with their absolute paths to be passed. These user or attacker-controlled executable scripts or programs could then be executed by Tuned with root privileges that could allow attackers to local privilege escalation.

Published Nov 26, 2024 · Updated Jun 26, 2026

High · CVSS 8.8

CVE-2024-3370: SQLi in Egebilgi Software's Website Template

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Egebilgi Software Website Template allows SQL Injection. This issue affects Website Template: before 29.04.2024.

Published Nov 18, 2024 · Updated Jun 3, 2026

Medium · CVSS 4.8

CVE-2024-7016: Stored XSS in Smarttek Informatics' Smart Doctor

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Smarttek Informatics Smart Doctor's allows Stored XSS required admin privileges. This issue affects Smart Doctor: through 21.11.2024. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Published Nov 21, 2024 · Updated Jun 3, 2026

High · CVSS 7.5

CVE-2024-7026: SQLi in Teknogis Informatics' Closed Circuit Vehicle Tracking Software

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Teknogis Informatics Closed Circuit Vehicle Tracking Software allows SQL Injection, Blind SQL Injection. This issue affects Closed Circuit Vehicle Tracking Software: through 21.11.2024. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Published Nov 21, 2024 · Updated Jun 3, 2026

High · CVSS 8.2

CVE-2024-7837: SQLi in Firmanet Software's ERP

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Firmanet Software ERP allows SQL Injection. This issue affects ERP: through 22.11.2024. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Published Nov 22, 2024 · Updated Jun 2, 2026

Medium · CVSS 6.5

CVE-2024-7882: SQLi in Special Minds' e-Commerce

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Special Minds Design and Software e-Commerce allows SQL Injection. This issue affects e-Commerce: before 22.11.2024.

Published Nov 22, 2024 · Updated Jun 2, 2026

Medium · CVSS 6.9

CVE-2024-9147: HTML Injection in Bna Informatics' PosPratik

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Bna Informatics PosPratik allows XSS Through HTTP Query Strings. This issue affects PosPratik: before v3.2.1.

Published Nov 4, 2024 · Updated Jun 2, 2026

Medium · CVSS 4.6

CVE-2024-9477: XSS in AirTies' Air4443 Firmware

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in AirTies Air4443 Firmware allows Cross-Site Scripting (XSS). This issue affects Air4443 Firmware: through 14102024. NOTE: The vendor was contacted and it was learned that the product classified as End-of-Life and End-of-Support.

Published Nov 13, 2024 · Updated Jun 2, 2026

Critical · CVSS 9.2

CVE-2024-10035: Code Injection in BG-TEK's CoslatV3

Improper Control of Generation of Code ('Code Injection'), Improper Neutralization of Special Elements used in a Command ('Command Injection'), Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in BG-TEK Informatics Security Technologies CoslatV3 allows Command Injection, Privilege Escalation. This issue affects CoslatV3: through 3.1069. NOTE: The vendor was contacted and it was learned that the product is not supported.

Published Nov 4, 2024 · Updated Jun 2, 2026

High · CVSS 8.6

CVE-2024-10534: Improper Access Control in Dataprom Informatics' PACS-ACSS

Origin Validation Error vulnerability in Dataprom Informatics Personnel Attendance Control Systems (PACS) / Access Control Security Systems (ACSS) allows Traffic Injection. This issue affects Personnel Attendance Control Systems (PACS) / Access Control Security Systems (ACSS): before 2024.

Published Nov 15, 2024 · Updated Jun 2, 2026

Medium · CVSS 4.8

CVE-2024-11319: Stored XSS in Open Source Project "django-cms"

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in django CMS Association django-cms allows Cross-Site Scripting (XSS). This issue affects django-cms: 3.11.7, 3.11.8, 4.1.2, 4.1.3.

Published Nov 18, 2024 · Updated Jun 2, 2026

Medium · CVSS 5.5

CVE-2024-11404: File Upload Bypass in django Filer

Unrestricted Upload of File with Dangerous Type, Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in django CMS Association django Filer allows Input Data Manipulation, Stored XSS. This issue affects django Filer: from 3 before 3.3.

Published Nov 20, 2024 · Updated Jun 2, 2026

Medium · CVSS 6.9

CVE-2024-11406: Stored XSS in django CMS Attributes Fields

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in django CMS Association django CMS Attributes Fields allows Stored XSS. This issue affects django CMS Attributes Fields: before 4.0.

Published Nov 20, 2024 · Updated Jun 2, 2026

High · CVSS 7.4

CVE-2024-8676: Cri-o: checkpoint restore can be triggered from different namespaces

A vulnerability was found in CRI-O, where it can be requested to take a checkpoint archive of a container and later be asked to restore it. When it does that restoration, it attempts to restore the mounts from the restore archive instead of the pod request. As a result, the validations run on the pod spec, verifying that the pod has access to the mounts it specifies are not applicable to a restored container. This flaw allows a malicious user to trick CRI-O into restoring a pod that doesn't have access to host mounts. The user needs access to the kubelet or cri-o socket to call the restore endpoint and trigger the restore.

Published Nov 26, 2024 · Updated May 18, 2026