Total
3761 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-45846 | 1 Mindsdb | 1 Mindsdb | 2024-09-16 | N/A | 8.8 HIGH |
| An arbitrary code execution vulnerability exists in versions 23.10.3.0 up to 24.7.4.1 of the MindsDB platform, when the Weaviate integration is installed on the server. If a specially crafted ‘SELECT WHERE’ clause containing Python code is run against a database created with the Weaviate engine, the code will be passed to an eval function and executed on the server. | |||||
| CVE-2024-8374 | 1 Ultimaker | 1 Ultimaker Cura | 2024-09-16 | N/A | 7.8 HIGH |
| UltiMaker Cura slicer versions 5.7.0-beta.1 through 5.7.2 are vulnerable to code injection via the 3MF format reader (/plugins/ThreeMFReader.py). The vulnerability arises from improper handling of the drop_to_buildplate property within 3MF files, which are ZIP archives containing the model data. When a 3MF file is loaded in Cura, the value of the drop_to_buildplate property is passed to the Python eval() function without proper sanitization, allowing an attacker to execute arbitrary code by crafting a malicious 3MF file. This vulnerability poses a significant risk as 3MF files are commonly shared via 3D model databases. | |||||
| CVE-2024-45390 | 1 Blakeembrey | 1 Template | 2024-09-12 | N/A | 9.8 CRITICAL |
| @blakeembrey/template is a string template library. Prior to version 1.2.0, it is possible to inject and run code within the template if the attacker has access to write the template name. Version 1.2.0 contains a patch. As a workaround, don't pass untrusted input as the template display name, or don't use the display name feature. | |||||
| CVE-2024-41127 | 1 Monkeytype | 1 Monkeytype | 2024-09-11 | N/A | 9.6 CRITICAL |
| Monkeytype is a minimalistic and customizable typing test. Monkeytype is vulnerable to Poisoned Pipeline Execution through Code Injection in its ci-failure-comment.yml GitHub Workflow, enabling attackers to gain pull-requests write access. The ci-failure-comment.yml workflow is triggered when the Monkey CI workflow completes. When it runs, it will download an artifact uploaded by the triggering workflow and assign the contents of ./pr_num/pr_num.txt artifact to the steps.pr_num_reader.outputs.content WorkFlow variable. It is not validated that the variable is actually a number and later it is interpolated into a JS script allowing an attacker to change the code to be executed. This issue leads to pull-requests write access. This vulnerability is fixed in 24.30.0. | |||||
| CVE-2024-6940 | 1 Dedecms | 1 Dedecms | 2024-09-10 | N/A | 7.2 HIGH |
| A vulnerability was found in DedeCMS 5.7.114. It has been classified as critical. This affects an unknown part of the file article_template_rand.php. The manipulation leads to code injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-271995. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-29014 | 1 Sonicwall | 1 Netextender | 2024-09-10 | N/A | 8.8 HIGH |
| Vulnerability in SonicWall SMA100 NetExtender Windows (32 and 64-bit) client 10.2.339 and earlier versions allows an attacker to arbitrary code execution when processing an EPC Client update. | |||||
| CVE-2023-49001 | 1 Indibrowser | 1 Indi Browser | 2024-09-09 | N/A | 9.8 CRITICAL |
| An issue in Indi Browser (aka kvbrowser) v.12.11.23 allows an attacker to bypass intended access restrictions via interaction with the com.example.gurry.kvbrowswer.webview component. | |||||
| CVE-2023-5623 | 1 Tenable | 1 Nessus Network Monitor | 2024-09-09 | N/A | 7.8 HIGH |
| NNM failed to properly set ACLs on its installation directory, which could allow a low privileged user to run arbitrary code with SYSTEM privileges where NNM is installed to a non-standard location | |||||
| CVE-2024-37901 | 1 Xwiki | 1 Xwiki | 2024-09-06 | N/A | 8.8 HIGH |
| XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with edit right on any page can perform arbitrary remote code execution by adding instances of `XWiki.SearchSuggestConfig` and `XWiki.SearchSuggestSourceClass` to their user profile or any other page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 14.10.21, 15.5.5 and 15.10.2. | |||||
| CVE-2024-45053 | 1 Ethyca | 1 Fides | 2024-09-06 | N/A | 7.2 HIGH |
| Fides is an open-source privacy engineering platform. Starting in version 2.19.0 and prior to version 2.44.0, the Email Templating feature uses Jinja2 without proper input sanitization or rendering environment restrictions, allowing for Server-Side Template Injection that grants Remote Code Execution to privileged users. A privileged user refers to an Admin UI user with the default `Owner` or `Contributor` role, who can escalate their access and execute code on the underlying Fides Webserver container where the Jinja template rendering function is executed. The vulnerability has been patched in Fides version `2.44.0`. Users are advised to upgrade to this version or later to secure their systems against this threat. There are no workarounds. | |||||
| CVE-2023-46947 | 1 Intelliants | 1 Subrion | 2024-09-06 | N/A | 8.8 HIGH |
| Subrion 4.2.1 has a remote command execution vulnerability in the backend. | |||||
| CVE-2024-45507 | 1 Apache | 1 Ofbiz | 2024-09-05 | N/A | 9.8 CRITICAL |
| Server-Side Request Forgery (SSRF), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.16. Users are recommended to upgrade to version 18.12.16, which fixes the issue. | |||||
| CVE-2024-6947 | 1 Flute-cms | 1 Flute | 2024-09-05 | N/A | 8.8 HIGH |
| A vulnerability was found in Flute CMS 0.2.2.4-alpha. It has been rated as critical. This issue affects the function replaceContent of the file app/Core/Support/ContentParser.php of the component Notification Handler. The manipulation leads to code injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-272069 was assigned to this vulnerability. | |||||
| CVE-2024-6946 | 1 Flute-cms | 1 Flute | 2024-09-05 | N/A | 8.8 HIGH |
| A vulnerability was found in Flute CMS 0.2.2.4-alpha. It has been declared as critical. This vulnerability affects unknown code of the file /admin/pages/list. The manipulation of the argument blocks leads to code injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-272068. | |||||
| CVE-2024-7345 | 1 Progress | 1 Openedge | 2024-09-05 | N/A | 9.6 CRITICAL |
| Local ABL Client bypass of the required PASOE security checks may allow an attacker to commit unauthorized code injection into Multi-Session Agents on supported OpenEdge LTS platforms up to OpenEdge LTS 11.7.18 and LTS 12.2.13 on all supported release platforms | |||||
| CVE-2023-7224 | 1 Openvpn | 1 Connect | 2024-09-04 | N/A | 7.8 HIGH |
| OpenVPN Connect version 3.0 through 3.4.6 on macOS allows local users to execute code in external third party libraries using the DYLD_INSERT_LIBRARIES environment variable | |||||
| CVE-2024-41366 | 1 Sourcefabric | 1 Phoniebox | 2024-09-04 | N/A | 9.8 CRITICAL |
| RPi-Jukebox-RFID v2.7.0 was discovered to contain a remote code execution (RCE) vulnerability via htdocs\userScripts.php | |||||
| CVE-2024-41367 | 1 Sourcefabric | 1 Phoniebox | 2024-09-04 | N/A | 9.8 CRITICAL |
| RPi-Jukebox-RFID v2.7.0 was discovered to contain a remote code execution (RCE) vulnerability via htdocs\api\playlist\appendFileToPlaylist.php | |||||
| CVE-2024-41364 | 1 Sourcefabric | 1 Phoniebox | 2024-09-04 | N/A | 9.8 CRITICAL |
| RPi-Jukebox-RFID v2.7.0 was discovered to contain a remote code execution (RCE) vulnerability via htdocs\trackEdit.php | |||||
| CVE-2024-41361 | 1 Sourcefabric | 1 Phoniebox | 2024-09-04 | N/A | 9.8 CRITICAL |
| RPi-Jukebox-RFID v2.7.0 was discovered to contain a remote code execution (RCE) vulnerability via htdocs\manageFilesFolders.php | |||||