Total
31934 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-45825 | 1 Rockwellautomation | 2 5015-u8ihft, 5015-u8ihft Firmware | 2024-10-02 | N/A | 7.5 HIGH |
| CVE-2024-45825 IMPACT A denial-of-service vulnerability exists in the affected products. The vulnerability occurs when a malformed CIP packet is sent over the network to the device and results in a major nonrecoverable fault causing a denial-of-service. | |||||
| CVE-2023-39136 | 1 Ziparchive Project | 1 Ziparchive | 2024-10-01 | N/A | 5.5 MEDIUM |
| An unhandled edge case in the component _sanitizedPath of ZipArchive v2.5.4 allows attackers to cause a Denial of Service (DoS) via a crafted zip file. | |||||
| CVE-2023-39137 | 1 Archive Project | 1 Archive | 2024-10-01 | N/A | 7.8 HIGH |
| An issue in Archive v3.3.7 allows attackers to spoof zip filenames which can lead to inconsistent filename parsing. | |||||
| CVE-2023-4357 | 3 Debian, Fedoraproject, Google | 3 Debian Linux, Fedora, Chrome | 2024-10-01 | N/A | 8.8 HIGH |
| Insufficient validation of untrusted input in XML in Google Chrome prior to 116.0.5845.96 allowed a remote attacker to bypass file access restrictions via a crafted HTML page. (Chromium security severity: Medium) | |||||
| CVE-2024-41672 | 1 Duckdb | 1 Duckdb | 2024-10-01 | N/A | 7.5 HIGH |
| DuckDB is a SQL database management system. In versions 1.0.0 and prior, content in filesystem is accessible for reading using `sniff_csv`, even with `enable_external_access=false`. This vulnerability provides an attacker with access to filesystem even when access is expected to be disabled and other similar functions do NOT provide access. There seem to be two vectors to this vulnerability. First, access to files that should otherwise not be allowed. Second, the content from a file can be read (e.g. `/etc/hosts`, `proc/self/environ`, etc) even though that doesn't seem to be the intent of the sniff_csv function. A fix for this issue is available in commit c9b7c98aa0e1cd7363fe8bb8543a95f38e980d8a and is expected to be part of version 1.1.0. | |||||
| CVE-2020-22612 | 1 Mybb | 1 Mybb | 2024-10-01 | N/A | 9.8 CRITICAL |
| Installer RCE on settings file write in MyBB before 1.8.22. | |||||
| CVE-2023-36100 | 1 Macwk | 1 Icecms | 2024-10-01 | N/A | 9.8 CRITICAL |
| An issue was discovered in IceCMS version 2.0.1, allows attackers to escalate privileges and gain sensitive information via UserID parameter in api/User/ChangeUser. | |||||
| CVE-2023-22503 | 1 Atlassian | 2 Confluence Data Center, Confluence Server | 2024-10-01 | N/A | 5.3 MEDIUM |
| Affected versions of Atlassian Confluence Server and Data Center allow anonymous remote attackers to view the names of attachments and labels in a private Confluence space. This occurs via an Information Disclosure vulnerability in the macro preview feature. This vulnerability was reported by Rojan Rijal of the Tinder Security Engineering team. The affected versions are before version 7.13.15, from version 7.14.0 before 7.19.7, and from version 7.20.0 before 8.2.0. | |||||
| CVE-2024-45373 | 1 Doverfuelingsolutions | 4 Progauge Maglink Lx4 Console, Progauge Maglink Lx4 Console Firmware, Progauge Maglink Lx Console and 1 more | 2024-10-01 | N/A | 8.8 HIGH |
| Once logged in to ProGauge MAGLINK LX4 CONSOLE, a valid user can change their privileges to administrator. | |||||
| CVE-2023-5845 | 1 Wpbrigade | 1 Simple Social Buttons | 2024-10-01 | N/A | 5.3 MEDIUM |
| The Simple Social Media Share Buttons WordPress plugin before 5.1.1 leaks password-protected post content to unauthenticated visitors in some meta tags | |||||
| CVE-2024-43801 | 1 Jellyfin | 1 Jellyfin | 2024-10-01 | N/A | 5.4 MEDIUM |
| Jellyfin is an open source self hosted media server. The Jellyfin user profile image upload accepts SVG files, allowing for a stored XSS attack against an admin user via a specially crafted malicious SVG file. When viewed by an admin outside of the Jellyfin Web UI (e.g. via "view image" in a browser), this malicious SVG file could interact with the browser's LocalStorage and retrieve an AccessToken, which in turn can be used in an API call to elevate the target user to a Jellyfin administrator. The actual attack vector is unlikely to be exploited, as it requires specific actions by the administrator to view the SVG image outside of Jellyfin's WebUI, i.e. it is not a passive attack. The underlying exploit mechanism is solved by PR #12490, which forces attached images (including the potential malicious SVG) to be treated as attachments and thus downloaded by browsers, rather than viewed. This prevents exploitation of the LocalStorage of the browser. This PR has been merged and the relevant code changes are included in release version 10.9.10. All users are advised to upgrade. | |||||
| CVE-2024-9136 | 1 Huawei | 2 Emui, Harmonyos | 2024-10-01 | N/A | 7.5 HIGH |
| Access permission verification vulnerability in the App Multiplier module Impact: Successful exploitation of this vulnerability may affect service confidentiality. | |||||
| CVE-2024-47294 | 1 Huawei | 2 Emui, Harmonyos | 2024-10-01 | N/A | 7.5 HIGH |
| Access permission verification vulnerability in the input method framework module Impact: Successful exploitation of this vulnerability may affect availability. | |||||
| CVE-2024-47290 | 1 Huawei | 2 Emui, Harmonyos | 2024-10-01 | N/A | 5.5 MEDIUM |
| Input validation vulnerability in the USB service module Impact: Successful exploitation of this vulnerability may affect availability. | |||||
| CVE-2024-47291 | 1 Huawei | 2 Emui, Harmonyos | 2024-10-01 | N/A | 5.5 MEDIUM |
| Permission vulnerability in the ActivityManagerService (AMS) module Impact: Successful exploitation of this vulnerability may affect availability. | |||||
| CVE-2023-6841 | 1 Redhat | 2 Keycloak, Single Sign-on | 2024-10-01 | N/A | 7.5 HIGH |
| A denial of service vulnerability was found in keycloak where the amount of attributes per object is not limited,an attacker by sending repeated HTTP requests could cause a resource exhaustion when the application send back rows with long attribute values. | |||||
| CVE-2024-9321 | 1 Oretnom23 | 1 Railway Reservation System | 2024-10-01 | N/A | 5.3 MEDIUM |
| A vulnerability was found in SourceCodester Online Railway Reservation System 1.0 and classified as critical. This issue affects some unknown processing of the file /admin/inquiries/view_details.php. The manipulation of the argument id leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-42406 | 1 Mattermost | 1 Mattermost Server | 2024-10-01 | N/A | 5.4 MEDIUM |
| Mattermost versions 9.11.x <= 9.11.0, 9.10.x <= 9.10.1, 9.9.x <= 9.9.2 and 9.5.x <= 9.5.8 fail to properly authorize requests when viewing archived channels is disabled, which allows an attacker to retrieve post and file information about archived channels. Examples are flagged or unread posts as well as files. | |||||
| CVE-2024-43391 | 1 Phoenixcontact | 72 Fl Mguard 2102, Fl Mguard 2102 Firmware, Fl Mguard 2105 and 69 more | 2024-10-01 | N/A | 8.1 HIGH |
| A low privileged remote attacker can perform configuration changes of the firewall services, including packet filter, packet forwarding, network access control or NAT through the FW_PORTFORWARDING.SRC_IP environment variable which can lead to a DoS. | |||||
| CVE-2024-43392 | 1 Phoenixcontact | 60 Fl Mguard Centerport Vpn-1000, Fl Mguard Centerport Vpn-1000 Firmware, Fl Mguard Core Tx and 57 more | 2024-10-01 | N/A | 8.1 HIGH |
| A low privileged remote attacker can perform configuration changes of the firewall services, including packet filter, packet forwarding, network access control or NAT through the FW_INCOMING.FROM_IP FW_INCOMING.IN_IP FW_OUTGOING.FROM_IP FW_OUTGOING.IN_IP environment variable which can lead to a DoS. | |||||