Weekly Vulnerabilities Reports > January 22 to 28, 2024
Overview
489 new vulnerabilities were reported during this period, including 96 critical vulnerabilities and 144 high severity vulnerabilities. This weekly summary reports vulnerabilities in 415 products from 204 vendors including Ajaysharma, Trendmicro, Apple, Linecorp, and Mozilla. Vulnerabilities are notably categorized as "Cross-site Scripting", "Command Injection", "Out-of-bounds Write", "Path Traversal", and "SQL Injection".
- 400 reported vulnerabilities are remotely exploitable.
- 2 reported vulnerabilities have a public exploit available.
- 190 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 318 reported vulnerabilities are exploitable by an anonymous user.
- Ajaysharma has the most reported vulnerabilities, with 41 reported vulnerabilities.
- Tendacn has the most reported critical vulnerabilities, with 10 reported vulnerabilities.
Vulnerability Details
The following table lists reported vulnerabilities for the period covered by this report:
96 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2024-01-26 | CVE-2024-20253 | Cisco | Unspecified vulnerability in Cisco products A vulnerability in multiple Cisco Unified Communications and Contact Center Solutions products could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. | 10.0 |
2024-01-26 | CVE-2024-0402 | Gitlab | Path Traversal vulnerability in Gitlab An issue has been discovered in GitLab CE/EE affecting all versions from 16.0 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1 which allows an authenticated user to write files to arbitrary locations on the GitLab server while creating a workspace. | 9.9 |
2024-01-28 | CVE-2024-23740 | Getkap | Unspecified vulnerability in Getkap KAP An issue in Kap for macOS version 3.6.0 and before allows remote attackers to execute arbitrary code via the RunAsNode and enableNodeCliInspectArguments settings. | 9.8 |
2024-01-28 | CVE-2024-23739 | Discord | Unspecified vulnerability in Discord 0.0.291 An issue in Discord for macOS version 0.0.291 and before allows remote attackers to execute arbitrary code via the RunAsNode and enableNodeCliInspectArguments settings. | 9.8 |
2024-01-28 | CVE-2024-23741 | Hyper | Unspecified vulnerability in Hyper 3.4.1 An issue in Hyper on macOS version 3.4.1 and before allows remote attackers to execute arbitrary code via the RunAsNode and enableNodeCliInspectArguments settings. | 9.8 |
2024-01-28 | CVE-2024-23742 | Loom | Unspecified vulnerability in Loom 0.196.1 An issue in Loom on macOS version 0.196.1 and before allows remote attackers to execute arbitrary code via the RunAsNode and enableNodeCliInspectArguments settings. | 9.8 |
2024-01-28 | CVE-2024-23738 | Postman | Unspecified vulnerability in Postman An issue in Postman version 10.22 and before on macOS allows a remote attacker to execute arbitrary code via the RunAsNode and enableNodeCliInspectArguments settings. | 9.8 |
2024-01-27 | CVE-2024-0960 | Flink Extended | Deserialization of Untrusted Data vulnerability in Flink-Extended Aiflow 0.3.1 A vulnerability was found in flink-extended ai-flow 0.3.1. | 9.8 |
2024-01-27 | CVE-2024-0959 | Stanford | Deserialization of Untrusted Data vulnerability in Stanford Gibsonenv 0.3.1 A vulnerability was found in StanfordVL GibsonEnv 0.3.1. | 9.8 |
2024-01-27 | CVE-2024-22860 | Ffmpeg | Integer Overflow or Wraparound vulnerability in Ffmpeg Integer overflow vulnerability in FFmpeg before n6.1, allows remote attackers to execute arbitrary code via the jpegxl_anim_read_packet component in the JPEG XL Animation decoder. | 9.8 |
2024-01-27 | CVE-2024-22862 | Ffmpeg | Integer Overflow or Wraparound vulnerability in Ffmpeg Integer overflow vulnerability in FFmpeg before n6.1 allows remote attackers to execute arbitrary code via the JPEG XL Parser. | 9.8 |
2024-01-27 | CVE-2023-52389 | Pocoproject | Integer Overflow or Wraparound vulnerability in Pocoproject Poco UTF32Encoding.cpp in POCO has a Poco::UTF32Encoding integer overflow and resultant stack buffer overflow because Poco::UTF32Encoding::convert() and Poco::UTF32::queryConvert() may return a negative integer if a UTF-32 byte sequence evaluates to a value of 0x80000000 or higher. | 9.8 |
2024-01-26 | CVE-2024-0945 | 60Indexpage Project | Server-Side Request Forgery (SSRF) vulnerability in 60Indexpage Project 60Indexpage A vulnerability classified as critical has been found in 60IndexPage up to 1.8.5. | 9.8 |
2024-01-26 | CVE-2024-0946 | 60Indexpage Project | Server-Side Request Forgery (SSRF) vulnerability in 60Indexpage Project 60Indexpage A vulnerability classified as critical was found in 60IndexPage up to 1.8.5. | 9.8 |
2024-01-26 | CVE-2024-0939 | Byzoro | Unrestricted Upload of File with Dangerous Type vulnerability in Byzoro Smart S210 Firmware 20231121 A vulnerability has been found in Byzoro Smart S210 Management Platform up to 20240117 and classified as critical. | 9.8 |
2024-01-26 | CVE-2024-0941 | Xxyopen | SQL Injection vulnerability in Xxyopen Novel-Plus 4.3.0 A vulnerability was found in Novel-Plus 4.3.0-RC1 and classified as critical. | 9.8 |
2024-01-26 | CVE-2024-0937 | Vanderschaarlab | Deserialization of Untrusted Data vulnerability in Vanderschaarlab Temporai 0.2.9 A vulnerability, which was classified as critical, has been found in van_der_Schaar LAB synthcity 0.2.9. | 9.8 |
2024-01-26 | CVE-2024-0938 | Tongda2000 | SQL Injection vulnerability in Tongda2000 Office Anywhere 2017 11.9 A vulnerability, which was classified as critical, was found in Tongda OA 2017 up to 11.9. | 9.8 |
2024-01-26 | CVE-2024-0931 | Tendacn | Stack-based Buffer Overflow vulnerability in Tendacn Ac10U Firmware 15.03.06.49Multitde01 A vulnerability classified as critical was found in Tenda AC10U 15.03.06.49_multi_TDE01. | 9.8 |
2024-01-26 | CVE-2024-0932 | Tendacn | Stack-based Buffer Overflow vulnerability in Tendacn Ac10U Firmware 15.03.06.49Multitde01 A vulnerability, which was classified as critical, has been found in Tenda AC10U 15.03.06.49_multi_TDE01. | 9.8 |
2024-01-26 | CVE-2024-0933 | Niushop | Unrestricted Upload of File with Dangerous Type vulnerability in Niushop B2B2C Multi-Business 5.0 A vulnerability was found in Niushop B2B2C V5 and classified as critical. | 9.8 |
2024-01-26 | CVE-2024-0928 | Tendacn | Stack-based Buffer Overflow vulnerability in Tendacn Ac10U Firmware 15.03.06.49Multitde01 A vulnerability was found in Tenda AC10U 15.03.06.49_multi_TDE01. | 9.8 |
2024-01-26 | CVE-2024-0929 | Tendacn | Stack-based Buffer Overflow vulnerability in Tendacn Ac10U Firmware 15.03.06.49Multitde01 A vulnerability was found in Tenda AC10U 15.03.06.49_multi_TDE01. | 9.8 |
2024-01-26 | CVE-2024-0930 | Tendacn | Stack-based Buffer Overflow vulnerability in Tendacn Ac10U Firmware 15.03.06.49Multitde01 A vulnerability classified as critical has been found in Tenda AC10U 15.03.06.49_multi_TDE01. | 9.8 |
2024-01-26 | CVE-2024-0924 | Tenda | Stack-based Buffer Overflow vulnerability in Tenda Ac10U Firmware 15.03.06.49Multitde01 A vulnerability, which was classified as critical, was found in Tenda AC10U 15.03.06.49_multi_TDE01. | 9.8 |
2024-01-26 | CVE-2024-0925 | Tendacn | Stack-based Buffer Overflow vulnerability in Tendacn Ac10U Firmware 15.03.06.49Multitde01 A vulnerability has been found in Tenda AC10U 15.03.06.49_multi_TDE01 and classified as critical. | 9.8 |
2024-01-26 | CVE-2024-0926 | Tendacn | Stack-based Buffer Overflow vulnerability in Tendacn Ac10U Firmware 15.03.06.49Multitde01 A vulnerability was found in Tenda AC10U 15.03.06.49_multi_TDE01 and classified as critical. | 9.8 |
2024-01-26 | CVE-2024-0927 | Tendacn | Stack-based Buffer Overflow vulnerability in Tendacn Ac10U Firmware 15.03.06.49Multitde01 A vulnerability was found in Tenda AC10U 15.03.06.49_multi_TDE01. | 9.8 |
2024-01-26 | CVE-2024-0921 | Dlink | OS Command Injection vulnerability in Dlink Dir-816 A2 Firmware 1.10Cnb04 A vulnerability has been found in D-Link DIR-816 A2 1.10CNB04 and classified as critical. | 9.8 |
2024-01-26 | CVE-2024-0922 | Tendacn | Stack-based Buffer Overflow vulnerability in Tendacn Ac10U Firmware 15.03.06.49Multitde01 A vulnerability classified as critical was found in Tenda AC10U 15.03.06.49_multi_TDE01. | 9.8 |
2024-01-26 | CVE-2024-0923 | Tendacn | Stack-based Buffer Overflow vulnerability in Tendacn Ac10U Firmware 15.03.06.49Multitde01 A vulnerability, which was classified as critical, has been found in Tenda AC10U 15.03.06.49_multi_TDE01. | 9.8 |
2024-01-26 | CVE-2023-38317 | Opennds | OS Command Injection vulnerability in Opennds An issue was discovered in OpenNDS before 10.1.3. | 9.8 |
2024-01-26 | CVE-2023-38318 | Opennds | OS Command Injection vulnerability in Opennds An issue was discovered in OpenNDS before 10.1.3. | 9.8 |
2024-01-26 | CVE-2023-38319 | Opennds | OS Command Injection vulnerability in Opennds An issue was discovered in OpenNDS before 10.1.3. | 9.8 |
2024-01-26 | CVE-2023-38323 | Opennds | OS Command Injection vulnerability in Opennds An issue was discovered in OpenNDS before 10.1.3. | 9.8 |
2024-01-26 | CVE-2024-23613 | Broadcom | Classic Buffer Overflow vulnerability in Broadcom Symantec Deployment Solutions 7.9 A buffer overflow vulnerability exists in Symantec Deployment Solution version 7.9 when parsing UpdateComputer tokens. | 9.8 |
2024-01-26 | CVE-2024-23614 | Broadcom | Classic Buffer Overflow vulnerability in Broadcom Symantec Messaging Gateway 9.5 A buffer overflow vulnerability exists in Symantec Messaging Gateway versions 9.5 and before. | 9.8 |
2024-01-26 | CVE-2024-23615 | Broadcom | Classic Buffer Overflow vulnerability in Broadcom Symantec Messaging Gateway 10.5/9.5 A buffer overflow vulnerability exists in Symantec Messaging Gateway versions 10.5 and before. | 9.8 |
2024-01-26 | CVE-2024-23616 | Broadcom | Classic Buffer Overflow vulnerability in Broadcom Symantec Server Management Suite 7.9 A buffer overflow vulnerability exists in Symantec Server Management Suite version 7.9 and before. | 9.8 |
2024-01-26 | CVE-2024-23618 | Commscope | Missing Authentication for Critical Function vulnerability in Commscope Arris Surfboard Sbg6950Ac2 Firmware An arbitrary code execution vulnerability exists in Arris SURFboard SGB6950AC2 devices. | 9.8 |
2024-01-26 | CVE-2024-23619 | IBM | Use of Hard-coded Credentials vulnerability in IBM Merge Efilm Workstation 4.2 A hardcoded credential vulnerability exists in IBM Merge Healthcare eFilm Workstation. | 9.8 |
2024-01-26 | CVE-2024-23621 | IBM | Classic Buffer Overflow vulnerability in IBM Merge Efilm Workstation 4.2 A buffer overflow exists in IBM Merge Healthcare eFilm Workstation license server. | 9.8 |
2024-01-26 | CVE-2024-23622 | IBM | Out-of-bounds Write vulnerability in IBM Merge Efilm Workstation 4.2 A stack-based buffer overflow exists in IBM Merge Healthcare eFilm Workstation license server. | 9.8 |
2024-01-26 | CVE-2024-23624 | Dlink | Command Injection vulnerability in Dlink Dap-1650 Firmware A command injection vulnerability exists in the gena.cgi module of D-Link DAP-1650 devices. | 9.8 |
2024-01-26 | CVE-2024-23625 | Dlink | Command Injection vulnerability in Dlink Dap-1650 Firmware A command injection vulnerability exists in D-Link DAP-1650 devices when handling UPnP SUBSCRIBE messages. | 9.8 |
2024-01-25 | CVE-2024-0890 | Hongmaple | SQL Injection vulnerability in Hongmaple Octopus 1.0 A vulnerability was found in hongmaple octopus 1.0. | 9.8 |
2024-01-25 | CVE-2024-22922 | Projectworlds | Improper Privilege Management vulnerability in Projectworlds Visitor Management System in PHP 1.0 An issue in Projectworlds Visitor Management System in PHP v.1.0 allows a remote attacker to escalate privileges via a crafted script to the login page in the POST /index.php. | 9.8 |
2024-01-25 | CVE-2024-0884 | Mayurik | SQL Injection vulnerability in Mayurik Online Tours &Travels Management System 1.0 A vulnerability was found in SourceCodester Online Tours & Travels Management System 1.0. | 9.8 |
2024-01-25 | CVE-2024-22638 | Livesite | Unspecified vulnerability in Livesite 2019.1 liveSite v2019.1 was discovered to contain a remote code execution (RCE) vulnerability via the component /livesite/edit_designer_region.php or /livesite/add_email_campaign.php. | 9.8 |
2024-01-25 | CVE-2023-6267 | Quarkus | Improper Handling of Exceptional Conditions vulnerability in Quarkus A flaw was found in the json payload. | 9.8 |
2024-01-25 | CVE-2023-7227 | Systemk Corp | Command Injection vulnerability in Systemk-Corp products SystemK NVR 504/508/516 versions 2.3.5SK.30084998 and prior are vulnerable to a command injection vulnerability in the dynamic domain name system (DDNS) settings that could allow an attacker to execute arbitrary commands with root privileges. | 9.8 |
2024-01-25 | CVE-2024-0883 | Mayurik | SQL Injection vulnerability in Mayurik Online Tours & Travels Management System 1.0 A vulnerability was found in SourceCodester Online Tours & Travels Management System 1.0. | 9.8 |
2024-01-25 | CVE-2024-22529 | Totolink | Command Injection vulnerability in Totolink X2000R Firmware 2.0.0B20230727.10434 TOTOLINK X2000R_V2 V2.0.0-B20230727.10434 has a command injection vulnerability in the sub_449040 (handle function of formUploadFile) of /bin/boa. | 9.8 |
2024-01-25 | CVE-2024-22729 | Netis Systems | Command Injection vulnerability in Netis-Systems Mw5360 Firmware 1.0.1.3031 NETIS SYSTEMS MW5360 V1.0.1.3031 was discovered to contain a command injection vulnerability via the password parameter on the login page. | 9.8 |
2024-01-25 | CVE-2023-33759 | Splicecom | Improper Restriction of Excessive Authentication Attempts vulnerability in Splicecom Maximiser Soft PBX SpliceCom Maximiser Soft PBX v1.5 and before does not restrict excessive authentication attempts, allowing attackers to bypass authentication via a brute force attack. | 9.8 |
2024-01-24 | CVE-2024-22751 | Dlink | Out-of-bounds Write vulnerability in Dlink Dir-882 A1 Firmware 1.30B06 D-Link DIR-882 DIR882A1_FW130B06 was discovered to contain a stack overflow via the sub_477AA0 function. | 9.8 |
2024-01-24 | CVE-2021-42144 | Contiki NG | Out-of-bounds Read vulnerability in Contiki-Ng Tinydtls Buffer over-read vulnerability in Contiki-NG tinyDTLS through master branch 53a0d97 allows attackers to obtain sensitive information via crafted input to dtls_ccm_decrypt_message(). | 9.8 |
2024-01-24 | CVE-2023-51889 | Ctan | Out-of-bounds Write vulnerability in Ctan Mathtex Stack Overflow vulnerability in the validate() function in Mathtex v.1.05 and before allows a remote attacker to execute arbitrary code via crafted string in the application URL. | 9.8 |
2024-01-24 | CVE-2023-52038 | Totolink | Command Injection vulnerability in Totolink X6000R Firmware 9.4.0Cu.852B20230719 An issue discovered in TOTOLINK X6000R v9.4.0cu.852_B20230719 allows attackers to run arbitrary commands via the sub_415C80 function. | 9.8 |
2024-01-24 | CVE-2023-52039 | Totolink | Command Injection vulnerability in Totolink X6000R Firmware 9.4.0Cu.852B20230719 An issue discovered in TOTOLINK X6000R v9.4.0cu.852_B20230719 allows attackers to run arbitrary commands via the sub_415AA4 function. | 9.8 |
2024-01-24 | CVE-2023-52040 | Totolink | Command Injection vulnerability in Totolink X6000R Firmware 9.4.0Cu.852B20230719 An issue discovered in TOTOLINK X6000R v9.4.0cu.852_B20230719 allows attackers to run arbitrary commands via the sub_41284C function. | 9.8 |
2024-01-24 | CVE-2024-23897 | Jenkins | Path Traversal vulnerability in Jenkins Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system. | 9.8 |
2024-01-24 | CVE-2023-51885 | Ctan | Classic Buffer Overflow vulnerability in Ctan Mathtex Buffer Overflow vulnerability in Mathtex v.1.05 and before allows a remote attacker to execute arbitrary code via the length of the LaTeX string component. | 9.8 |
2024-01-24 | CVE-2023-51887 | Ctan | Command Injection vulnerability in Ctan Mathtex Command Injection vulnerability in Mathtex v.1.05 and before allows a remote attacker to execute arbitrary code via crafted string in application URL. | 9.8 |
2024-01-24 | CVE-2024-22651 | Dlink | Command Injection vulnerability in Dlink Dir-815 Firmware 1.0.1/1.01Ssb08.Bin/1.04 There is a command injection vulnerability in the ssdpcgi_main function of cgibin binary in D-Link DIR-815 router firmware v1.04. | 9.8 |
2024-01-24 | CVE-2023-52221 | Ukrsolution | Unrestricted Upload of File with Dangerous Type vulnerability in Ukrsolution Barcode Scanner and Inventory Manager Unrestricted Upload of File with Dangerous Type vulnerability in UkrSolution Barcode Scanner and Inventory manager. This issue affects Barcode Scanner and Inventory manager: from n/a through 1.5.1. | 9.8 |
2024-01-24 | CVE-2024-22284 | Asgaros | Deserialization of Untrusted Data vulnerability in Asgaros Forum Deserialization of Untrusted Data vulnerability in Thomas Belser Asgaros Forum. This issue affects Asgaros Forum: from n/a through 2.7.2. | 9.8 |
2024-01-24 | CVE-2024-22309 | Quantumcloud | Deserialization of Untrusted Data vulnerability in Quantumcloud AI Chatbot Deserialization of Untrusted Data vulnerability in QuantumCloud ChatBot with AI. This issue affects ChatBot with AI: from n/a through 5.1.0. | 9.8 |
2024-01-24 | CVE-2024-0808 | Google Fedoraproject | Integer Underflow (Wrap or Wraparound) vulnerability in multiple products Integer underflow in WebUI in Google Chrome prior to 121.0.6167.85 allowed a remote attacker to potentially exploit heap corruption via a malicious file. | 9.8 |
2024-01-23 | CVE-2023-35835 | Solax | Unspecified vulnerability in Solax Pocket Wifi 3 Firmware An issue was discovered in SolaX Pocket WiFi 3 through 3.001.02. | 9.8 |
2024-01-23 | CVE-2023-35837 | Solax | Unspecified vulnerability in Solax Pocket Wifi 3 Firmware An issue was discovered in SolaX Pocket WiFi 3 through 3.001.02. | 9.8 |
2024-01-23 | CVE-2021-42142 | Contiki NG | Improper Handling of Exceptional Conditions vulnerability in Contiki-Ng Tinydtls 20180830 An issue was discovered in Contiki-NG tinyDTLS through master branch 53a0d97. | 9.8 |
2024-01-23 | CVE-2023-31654 | Redis | Unspecified vulnerability in Redis Redisraft Redis raft master-1b8bd86 to master-7b46079 was discovered to contain an ODR violation via the component hiredisAllocFns at /opt/fs/redisraft/deps/hiredis/alloc.c. | 9.8 |
2024-01-23 | CVE-2023-36177 | Badaix | Unspecified vulnerability in Badaix Snapcast 0.27.0 An issue was discovered in badaix Snapcast version 0.27.0, allows remote attackers to execute arbitrary code and gain sensitive information via crafted request in JSON-RPC-API. | 9.8 |
2024-01-23 | CVE-2023-51210 | Webkul | SQL Injection vulnerability in Webkul Bundle Product 6.0.1 SQL injection vulnerability in Webkul Bundle Product 6.0.1 allows a remote attacker to execute arbitrary code via the id_product parameters in the UpdateProductQuantity function. | 9.8 |
2024-01-23 | CVE-2024-22203 | Benbusby | Server-Side Request Forgery (SSRF) vulnerability in Benbusby Whoogle Search Whoogle Search is a self-hosted metasearch engine. | 9.8 |
2024-01-23 | CVE-2024-22205 | Benbusby | Server-Side Request Forgery (SSRF) vulnerability in Benbusby Whoogle Search Whoogle Search is a self-hosted metasearch engine. | 9.8 |
2024-01-23 | CVE-2024-23636 | Sofastack | Deserialization of Untrusted Data vulnerability in Sofastack Sofarpc SOFARPC is a Java RPC framework. | 9.8 |
2024-01-23 | CVE-2024-22660 | Totolink | Out-of-bounds Write vulnerability in Totolink A3700R Firmware 9.1.2U.616520211012 TOTOLINK_A3700R_V9.1.2u.6165_20211012 has a stack overflow vulnerability via setLanguageCfg. | 9.8 |
2024-01-23 | CVE-2024-22662 | Totolink | Out-of-bounds Write vulnerability in Totolink A3700R Firmware 9.1.2U.616520211012 TOTOLINK A3700R_V9.1.2u.6165_20211012 has a stack overflow vulnerability via setParentalRules. | 9.8 |
2024-01-23 | CVE-2024-22663 | Totolink | Command Injection vulnerability in Totolink A3700R Firmware 9.1.2U.616520211012 TOTOLINK_A3700R_V9.1.2u.6165_20211012 has a command injection vulnerability via setOpModeCfg. | 9.8 |
2024-01-23 | CVE-2024-22076 | MYQ Solution | Unspecified vulnerability in Myq-Solution Print Server 8.2 MyQ Print Server before 8.2 patch 43 allows remote authenticated administrators to execute arbitrary code via PHP scripts that are reached through the administrative interface. | 9.8 |
2024-01-22 | CVE-2021-42141 | Contiki NG | Improper Handling of Exceptional Conditions vulnerability in Contiki-Ng Tinydtls 20180830 An issue was discovered in Contiki-NG tinyDTLS through 2018-08-30. | 9.8 |
2024-01-22 | CVE-2023-48118 | Quest Analytics | SQL Injection vulnerability in Quest-Analytics Iqcrm 2023.9.5 SQL Injection vulnerability in Quest Analytics LLC IQCRM v.2023.9.5 allows a remote attacker to execute arbitrary code via a crafted request to the Common.svc WSDL page. | 9.8 |
2024-01-22 | CVE-2024-0204 | Fortra | Forced Browsing vulnerability in Fortra Goanywhere Managed File Transfer Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal. | 9.8 |
2024-01-22 | CVE-2024-0783 | Online Admission System Project | Unrestricted Upload of File with Dangerous Type vulnerability in Online Admission System Project Online Admission System 1.0 A vulnerability was found in Project Worlds Online Admission System 1.0 and classified as critical. | 9.8 |
2024-01-22 | CVE-2024-0784 | Hongmaple | SQL Injection vulnerability in Hongmaple Octopus 1.0 A vulnerability was found in hongmaple octopus 1.0. | 9.8 |
2024-01-22 | CVE-2024-0778 | Uniview | OS Command Injection vulnerability in Uniview ISC 2500-S Firmware 20210930 ** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as critical, has been found in Uniview ISC 2500-S up to 20210930. | 9.8 |
2024-01-22 | CVE-2017-20189 | Clojure | Deserialization of Untrusted Data vulnerability in Clojure In Clojure before 1.9.0, classes can be used to construct a serialized object that executes arbitrary code upon deserialization. | 9.8 |
2024-01-22 | CVE-2024-23771 | Unix4Lyfe | Information Exposure Through Discrepancy vulnerability in Unix4Lyfe Darkhttpd 1.13/1.131/1.14 darkhttpd before 1.15 uses strcmp (which is not constant time) to verify authentication, which makes it easier for remote attackers to bypass authentication via a timing side channel. | 9.8 |
2024-01-22 | CVE-2024-23751 | Llamaindex | SQL Injection vulnerability in Llamaindex LlamaIndex (aka llama_index) through 0.9.34 allows SQL injection via the Text-to-SQL feature in NLSQLTableQueryEngine, SQLTableRetrieverQueryEngine, NLSQLRetriever, RetrieverQueryEngine, and PGVectorSQLQueryEngine. | 9.8 |
2024-01-22 | CVE-2024-23752 | Gabrieleventuri | Missing Authorization vulnerability in Gabrieleventuri Pandasai GenerateSDFPipeline in synthetic_dataframe in PandasAI (aka pandas-ai) through 1.5.17 allows attackers to trigger the generation of arbitrary Python code that is executed by SDFCodeExecutor. | 9.8 |
2024-01-26 | CVE-2024-21326 | Microsoft | Unspecified vulnerability in Microsoft Edge Chromium Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | 9.6 |
2024-01-24 | CVE-2021-42147 | Contiki NG | Out-of-bounds Read vulnerability in Contiki-Ng Tinydtls 20180830 Buffer over-read vulnerability in the dtls_sha256_update function in Contiki-NG tinyDTLS through master branch 53a0d97 allows remote attackers to cause a denial of service via crafted data packet. | 9.1 |
2024-01-24 | CVE-2021-42143 | Contiki NG | Infinite Loop vulnerability in Contiki-Ng Tinydtls 20180830 An issue was discovered in Contiki-NG tinyDTLS through master branch 53a0d97. | 9.1 |
2024-01-22 | CVE-2022-45790 | Omron | Improper Restriction of Excessive Authentication Attempts vulnerability in Omron products The Omron FINS protocol has an authenticated feature to prevent access to memory regions. | 9.1 |
144 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2024-01-27 | CVE-2024-22283 | Delhivery | SQL Injection vulnerability in Delhivery Logistics Courier 1.0.107 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Delhivery Delhivery Logistics Courier. This issue affects Delhivery Logistics Courier: from n/a through 1.0.107. | 8.8 |
2024-01-26 | CVE-2024-0936 | Vanderschaarlab | Deserialization of Untrusted Data vulnerability in Vanderschaarlab Temporai 0.0.3 A vulnerability classified as critical was found in van_der_Schaar LAB TemporAI 0.0.3. | 8.8 |
2024-01-26 | CVE-2024-23617 | Broadcom | Classic Buffer Overflow vulnerability in Broadcom Symantec Data Center Security Server 14.0.2/6.5.0/6.6.0 A buffer overflow vulnerability exists in Symantec Data Loss Prevention version 14.0.2 and before. | 8.8 |
2024-01-26 | CVE-2024-23626 | Motorola | Command Injection vulnerability in Motorola Mr2600 Firmware A command injection vulnerability exists in the 'SaveSysLogParams' parameter of the Motorola MR2600. | 8.8 |
2024-01-26 | CVE-2024-23627 | Motorola | Command Injection vulnerability in Motorola Mr2600 Firmware A command injection vulnerability exists in the 'SaveStaticRouteIPv4Params' parameter of the Motorola MR2600. | 8.8 |
2024-01-26 | CVE-2024-23628 | Motorola | Command Injection vulnerability in Motorola Mr2600 Firmware A command injection vulnerability exists in the 'SaveStaticRouteIPv6Params' parameter of the Motorola MR2600. | 8.8 |
2024-01-26 | CVE-2024-23630 | Motorola | Unrestricted Upload of File with Dangerous Type vulnerability in Motorola Mr2600 Firmware An arbitrary firmware upload vulnerability exists in the Motorola MR2600. | 8.8 |
2024-01-25 | CVE-2023-52251 | Provectus | Code Injection vulnerability in Provectus UI An issue discovered in provectus kafka-ui 0.4.0 through 0.7.1 allows remote attackers to execute arbitrary code via the q parameter of /api/clusters/local/topics/{topic}/messages. | 8.8 |
2024-01-25 | CVE-2024-22636 | Pluxml | Unspecified vulnerability in Pluxml 5.8.9 PluXml Blog v5.8.9 was discovered to contain a remote code execution (RCE) vulnerability in the Static Pages feature. | 8.8 |
2024-01-25 | CVE-2024-0880 | 100296 | Cross-Site Request Forgery (CSRF) vulnerability in 100296 Qdbcrm 1.1.0 A vulnerability was found in Qidianbang qdbcrm 1.1.0 and classified as problematic. | 8.8 |
2024-01-24 | CVE-2024-23646 | Pimcore | SQL Injection vulnerability in Pimcore Admin Classic Bundle Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. | 8.8 |
2024-01-24 | CVE-2024-23648 | Pimcore | Injection vulnerability in Pimcore Admin Classic Bundle Pimcore's Admin Classic Bundle provides a backend user interface for Pimcore. | 8.8 |
2024-01-24 | CVE-2024-23898 | Jenkins | Origin Validation Error vulnerability in Jenkins Jenkins 2.217 through 2.441 (both inclusive), LTS 2.222.1 through 2.426.2 (both inclusive) does not perform origin validation of requests made through the CLI WebSocket endpoint, resulting in a cross-site WebSocket hijacking (CSWSH) vulnerability, allowing attackers to execute CLI commands on the Jenkins controller. | 8.8 |
2024-01-24 | CVE-2023-43317 | Coign | Unspecified vulnerability in Coign 06.06 An issue in Coign CRM Portal v.06.06 allows a remote attacker to escalate privileges via the userPermissionsList parameter in Session Storage component. | 8.8 |
2024-01-24 | CVE-2024-0806 | Google Fedoraproject | Use After Free vulnerability in multiple products Use after free in Passwords in Google Chrome prior to 121.0.6167.85 allowed a remote attacker to potentially exploit heap corruption via specific UI interaction. | 8.8 |
2024-01-24 | CVE-2024-0807 | Google Fedoraproject | Use After Free vulnerability in multiple products Use after free in Web Audio in Google Chrome prior to 121.0.6167.85 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2024-01-24 | CVE-2024-0812 | Google Fedoraproject | Inappropriate implementation in Accessibility in Google Chrome prior to 121.0.6167.85 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. | 8.8 |
2024-01-24 | CVE-2024-0813 | Google Fedoraproject | Use After Free vulnerability in multiple products Use after free in Reading Mode in Google Chrome prior to 121.0.6167.85 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via specific UI interaction. | 8.8 |
2024-01-23 | CVE-2023-46892 | Meross | Authentication Bypass by Capture-replay vulnerability in Meross Msh30Q Firmware 4.5.23 The radio frequency communication protocol being used by Meross MSH30Q 4.5.23 is vulnerable to replay attacks, allowing attackers to record and replay previously captured communication to execute unauthorized commands or actions (e.g., thermostat's temperature). | 8.8 |
2024-01-23 | CVE-2023-52324 | Trendmicro | Unrestricted Upload of File with Dangerous Type vulnerability in Trendmicro Apex Central 2019 An unrestricted file upload vulnerability in Trend Micro Apex Central could allow a remote attacker to create arbitrary files on affected installations. Please note: although authentication is required to exploit this vulnerability, this vulnerability could be exploited when the attacker has any valid set of credentials. | 8.8 |
2024-01-23 | CVE-2024-0745 | Mozilla | Out-of-bounds Write vulnerability in Mozilla Firefox The WebAudio `OscillatorNode` object was susceptible to a stack buffer overflow. | 8.8 |
2024-01-23 | CVE-2024-0750 | Mozilla Debian | A bug in popup notifications delay calculation could have made it possible for an attacker to trick a user into granting permissions. | 8.8 |
2024-01-23 | CVE-2024-0751 | Mozilla Debian | Improper Privilege Management vulnerability in multiple products A malicious devtools extension could have been used to escalate privileges. | 8.8 |
2024-01-23 | CVE-2024-0755 | Mozilla Debian | Memory safety bugs present in Firefox 121, Firefox ESR 115.6, and Thunderbird 115.6. | 8.8 |
2024-01-23 | CVE-2024-23180 | Appleple | Unspecified vulnerability in Appleple A-Blog CMS Improper input validation vulnerability in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.7, Ver.3.0.x series versions prior to Ver.3.0.29, Ver.2.11.x series versions prior to Ver.2.11.58, Ver.2.10.x series versions prior to Ver.2.10.50, and Ver.2.9.0 and earlier allows a remote authenticated attacker to execute arbitrary code by uploading a specially crafted SVG file. | 8.8 |
2024-01-23 | CVE-2024-23348 | Appleple | Unspecified vulnerability in Appleple A-Blog CMS Improper input validation vulnerability in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.7, Ver.3.0.x series versions prior to Ver.3.0.29, Ver.2.11.x series versions prior to Ver.2.11.58, Ver.2.10.x series versions prior to Ver.2.10.50, and Ver.2.9.0 and earlier allows a remote authenticated attacker to execute arbitrary JavaScript code by uploading a specially crafted SVG file. | 8.8 |
2024-01-23 | CVE-2024-23209 | Apple | Unspecified vulnerability in Apple Macos The issue was addressed with improved memory handling. | 8.8 |
2024-01-23 | CVE-2024-23213 | Apple | Unspecified vulnerability in Apple products The issue was addressed with improved memory handling. | 8.8 |
2024-01-23 | CVE-2024-23214 | Apple | Out-of-bounds Write vulnerability in Apple Ipados, Iphone OS and Macos Multiple memory corruption issues were addressed with improved memory handling. | 8.8 |
2024-01-23 | CVE-2024-23222 | Apple | Type Confusion vulnerability in Apple products A type confusion issue was addressed with improved checks. | 8.8 |
2024-01-22 | CVE-2024-23678 | Splunk | Unspecified vulnerability in Splunk In Splunk Enterprise for Windows versions below 9.0.8 and 9.1.3, Splunk Enterprise does not correctly sanitize path input data. | 8.8 |
2024-01-22 | CVE-2024-22895 | Dedecms | Unrestricted Upload of File with Dangerous Type vulnerability in Dedecms 5.7.112 DedeCMS 5.7.112 has a File Upload vulnerability via uploads/dede/module_upload.php. | 8.8 |
2024-01-22 | CVE-2023-47352 | Technicolor | Unspecified vulnerability in Technicolor Tc8715D Firmware Technicolor TC8715D devices have predictable default WPA2 security passwords. | 8.8 |
2024-01-22 | CVE-2024-23768 | Dremio | Path Traversal vulnerability in Dremio Dremio before 24.3.1 allows path traversal. | 8.8 |
2024-01-22 | CVE-2024-23750 | Deepwisdom | Code Injection vulnerability in Deepwisdom Metagpt MetaGPT through 0.6.4 allows the QaEngineer role to execute arbitrary code because RunCode.run_script() passes shell metacharacters to subprocess.Popen. | 8.8 |
2024-01-26 | CVE-2024-21385 | Microsoft | Unspecified vulnerability in Microsoft Edge Chromium Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | 8.3 |
2024-01-25 | CVE-2023-40547 | Redhat | Out-of-bounds Write vulnerability in Redhat Enterprise Linux and Shim A remote code execution vulnerability was found in Shim. | 8.3 |
2024-01-25 | CVE-2023-51833 | Trendnet | Command Injection vulnerability in Trendnet Tew-411Brpplus Firmware 2.07Eu A command injection issue in TRENDnet TEW-411BRPplus v.2.07_eu that allows a local attacker to execute arbitrary code via the data1 parameter in the debug.cgi page. | 8.1 |
2024-01-24 | CVE-2024-23644 | Trillium | Interpretation Conflict vulnerability in Trillium and Trillium-Http Trillium is a composable toolkit for building internet applications with async Rust. | 8.1 |
2024-01-23 | CVE-2024-23182 | Appleple | Path Traversal vulnerability in Appleple A-Blog CMS Relative path traversal vulnerability in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.7, Ver.3.0.x series versions prior to Ver.3.0.29, Ver.2.11.x series versions prior to Ver.2.11.58, Ver.2.10.x series versions prior to Ver.2.10.50, and Ver.2.9.0 and earlier allows a remote authenticated attacker to delete arbitrary files on the server. | 8.1 |
2024-01-28 | CVE-2024-0841 | Linux Redhat | NULL Pointer Dereference vulnerability in multiple products A null pointer dereference flaw was found in the hugetlbfs_fill_super function in the Linux kernel hugetlbfs (HugeTLB pages) functionality. | 7.8 |
2024-01-27 | CVE-2024-0962 | Libcoap | Out-of-bounds Write vulnerability in Libcoap 4.3.4 A vulnerability was found in obgm libcoap 4.3.4. | 7.8 |
2024-01-26 | CVE-2022-48622 | Gnome | Out-of-bounds Write vulnerability in Gnome Gdkpixbuf In GNOME GdkPixbuf (aka gdk-pixbuf) through 2.42.10, the ANI (Windows animated cursor) decoder encounters heap memory corruption (in ani_load_chunk in io-ani.c) when parsing chunks in a crafted .ani file. | 7.8 |
2024-01-26 | CVE-2024-22545 | Trendnet | Command Injection vulnerability in Trendnet Tew-824Dru Firmware 1.04B01 An issue was discovered in TRENDnet TEW-824DRU version 1.04b01, allows unauthenticated attackers to execute arbitrary code via the system.ntp.server parameter in the sub_420AE0() function. | 7.8 |
2024-01-26 | CVE-2024-23620 | IBM | Improper Privilege Management vulnerability in IBM Merge Efilm Workstation 4.2 An improper privilege management vulnerability exists in IBM Merge Healthcare eFilm Workstation. | 7.8 |
2024-01-25 | CVE-2023-3181 | Splashtop | Unspecified vulnerability in Splashtop Software Updater 1.5.6.16/1.5.6.21 The C:\Program Files (x86)\Splashtop\Splashtop Software Updater\uninst.exe process creates a folder at C:\Windows\Temp~nsu.tmp and copies itself to it as Au_.exe. | 7.8 |
2024-01-25 | CVE-2023-52076 | Mate Desktop | Path Traversal vulnerability in Mate-Desktop Atril Atril Document Viewer is the default document reader of the MATE desktop environment for Linux. | 7.8 |
2024-01-25 | CVE-2024-22749 | Gpac | Classic Buffer Overflow vulnerability in Gpac 2.3 GPAC v2.3 was detected to contain a buffer overflow via the gf_isom_new_generic_sample_description function in isomedia/isom_write.c:4577. | 7.8 |
2024-01-25 | CVE-2024-23307 | Linux | Integer Overflow or Wraparound vulnerability in Linux Kernel Integer Overflow or Wraparound vulnerability in the Linux kernel on Linux, x86, ARM (md, raid, raid5 modules) allows Forced Integer Overflow. | 7.8 |
2024-01-24 | CVE-2023-51711 | Regify | Uncontrolled Search Path Element vulnerability in Regify Regipay 4.5.1.0 An issue was discovered in Regify Regipay Client for Windows version 4.5.1.0 allows DLL hijacking: a user can trigger the execution of arbitrary code every time the product is executed. | 7.8 |
2024-01-23 | CVE-2023-47192 | Trendmicro | Link Following vulnerability in Trendmicro Apex ONE 2019 An agent link vulnerability in the Trend Micro Apex One security agent could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. | 7.8 |
2024-01-23 | CVE-2023-47193 | Trendmicro | Origin Validation Error vulnerability in Trendmicro Apex ONE 2019 An origin validation vulnerability in the Trend Micro Apex One security agent could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This vulnerability is similar to, but not identical to, CVE-2023-47194. | 7.8 |
2024-01-23 | CVE-2023-47194 | Trendmicro | Origin Validation Error vulnerability in Trendmicro Apex ONE 2019 An origin validation vulnerability in the Trend Micro Apex One security agent could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This vulnerability is similar to, but not identical to, CVE-2023-47195. | 7.8 |
2024-01-23 | CVE-2023-47195 | Trendmicro | Origin Validation Error vulnerability in Trendmicro Apex ONE 2019 An origin validation vulnerability in the Trend Micro Apex One security agent could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This vulnerability is similar to, but not identical to, CVE-2023-47196. | 7.8 |
2024-01-23 | CVE-2023-47196 | Trendmicro | Origin Validation Error vulnerability in Trendmicro Apex ONE 2019 An origin validation vulnerability in the Trend Micro Apex One security agent could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This vulnerability is similar to, but not identical to, CVE-2023-47197. | 7.8 |
2024-01-23 | CVE-2023-47197 | Trendmicro | Origin Validation Error vulnerability in Trendmicro Apex ONE 2019 An origin validation vulnerability in the Trend Micro Apex One security agent could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This vulnerability is similar to, but not identical to, CVE-2023-47198. | 7.8 |
2024-01-23 | CVE-2023-47198 | Trendmicro | Origin Validation Error vulnerability in Trendmicro Apex ONE 2019 An origin validation vulnerability in the Trend Micro Apex One security agent could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This vulnerability is similar to, but not identical to, CVE-2023-47199. | 7.8 |
2024-01-23 | CVE-2023-47199 | Trendmicro | Origin Validation Error vulnerability in Trendmicro Apex ONE 2019 An origin validation vulnerability in the Trend Micro Apex One security agent could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This vulnerability is similar to, but not identical to, CVE-2023-47193. | 7.8 |
2024-01-23 | CVE-2023-47200 | Trendmicro | Origin Validation Error vulnerability in Trendmicro Apex ONE A plug-in manager origin validation vulnerability in the Trend Micro Apex One security agent could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This vulnerability is similar to, but not identical to, CVE-2023-47201. | 7.8 |
2024-01-23 | CVE-2023-47201 | Trendmicro | Unspecified vulnerability in Trendmicro Apex ONE A plug-in manager origin validation vulnerability in the Trend Micro Apex One security agent could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This vulnerability is similar to, but not identical to, CVE-2023-47200. | 7.8 |
2024-01-23 | CVE-2023-47202 | Trendmicro | Unspecified vulnerability in Trendmicro Apex ONE A local file inclusion vulnerability on the Trend Micro Apex One management server could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. | 7.8 |
2024-01-23 | CVE-2023-52090 | Trendmicro | Link Following vulnerability in Trendmicro Apex ONE A security agent link following vulnerability in Trend Micro Apex One could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. | 7.8 |
2024-01-23 | CVE-2023-52091 | Trendmicro | Link Following vulnerability in Trendmicro Apex ONE An anti-spyware engine link following vulnerability in Trend Micro Apex One could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. | 7.8 |
2024-01-23 | CVE-2023-52092 | Trendmicro | Link Following vulnerability in Trendmicro Apex ONE A security agent link following vulnerability in Trend Micro Apex One could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. | 7.8 |
2024-01-23 | CVE-2023-52093 | Trendmicro | Unspecified vulnerability in Trendmicro Apex ONE An exposed dangerous function vulnerability in the Trend Micro Apex One agent could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. | 7.8 |
2024-01-23 | CVE-2023-52094 | Trendmicro | Link Following vulnerability in Trendmicro Apex ONE An updater link following vulnerability in the Trend Micro Apex One agent could allow a local attacker to abuse the updater to delete an arbitrary folder, leading to a local privilege escalation on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. | 7.8 |
2024-01-23 | CVE-2023-52337 | Trendmicro | Unspecified vulnerability in Trendmicro Deep Security and Deep Security Agent An improper access control vulnerability in Trend Micro Deep Security 20.0 and Trend Micro Cloud One - Endpoint and Workload Security Agent could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. | 7.8 |
2024-01-23 | CVE-2023-52338 | Trendmicro | Link Following vulnerability in Trendmicro Deep Security and Deep Security Agent A link following vulnerability in the Trend Micro Deep Security 20.0 and Trend Micro Cloud One - Endpoint and Workload Security Agent could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. | 7.8 |
2024-01-23 | CVE-2023-6926 | Crestron | OS Command Injection vulnerability in Crestron Am-300 Firmware 1.4499.00018 There is an OS command injection vulnerability in Crestron AM-300 firmware version 1.4499.00018 which may enable a user of a limited-access SSH session to escalate their privileges to root-level access. | 7.8 |
2024-01-23 | CVE-2023-50274 | HP | Command Injection vulnerability in HP Oneview HPE OneView may allow command injection with local privilege escalation. | 7.8 |
2024-01-23 | CVE-2023-51042 | Linux | Use After Free vulnerability in Linux Kernel In the Linux kernel before 6.4.12, amdgpu_cs_wait_all_fences in drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c has a fence use-after-free. | 7.8 |
2024-01-23 | CVE-2024-22705 | Linux | Out-of-bounds Read vulnerability in Linux Kernel An issue was discovered in ksmbd in the Linux kernel before 6.6.10. | 7.8 |
2024-01-23 | CVE-2023-42881 | Apple | Unspecified vulnerability in Apple Macos The issue was addressed with improved memory handling. | 7.8 |
2024-01-23 | CVE-2024-23208 | Apple | Unspecified vulnerability in Apple products The issue was addressed with improved memory handling. | 7.8 |
2024-01-23 | CVE-2024-23212 | Apple | Unspecified vulnerability in Apple products The issue was addressed with improved memory handling. | 7.8 |
2024-01-22 | CVE-2023-24135 | Jensenofscandinavia | Command Injection vulnerability in Jensenofscandinavia Eagle 1200Ac Firmware 15.03.06.33En Jensen of Scandinavia Eagle 1200AC V15.03.06.33_en was discovered to contain a command injection vulnerability in the function formWriteFacMac. | 7.8 |
2024-01-22 | CVE-2022-45792 | Omron | Path Traversal vulnerability in Omron Sysmac Studio Project files may contain malicious contents which the software will use to create files on the filesystem. | 7.8 |
2024-01-22 | CVE-2020-36771 | Cloudlinux | Unspecified vulnerability in Cloudlinux Cagefs 7.1.11 CloudLinux CageFS 7.1.1-1 or below passes the authentication token as a command line argument. | 7.8 |
2024-01-26 | CVE-2024-21985 | Netapp | Unspecified vulnerability in Netapp Clustered Data Ontap ONTAP 9 versions prior to 9.9.1P18, 9.10.1P16, 9.11.1P13, 9.12.1P10 and 9.13.1P4 are susceptible to a vulnerability which could allow an authenticated user with multiple remote accounts with differing roles to perform actions via REST API beyond their intended privilege. | 7.6 |
2024-01-28 | CVE-2023-6200 | Linux | Race Condition vulnerability in Linux Kernel A race condition was found in the Linux Kernel. | 7.5 |
2024-01-27 | CVE-2024-22861 | Ffmpeg | Integer Overflow or Wraparound vulnerability in Ffmpeg Integer overflow vulnerability in FFmpeg before n6.1, allows attackers to cause a denial of service (DoS) via the avcodec/osq module. | 7.5 |
2024-01-27 | CVE-2023-52187 | Imagesourcecontrol | Unspecified vulnerability in Imagesourcecontrol Image Source Control Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Thomas Maier Image Source Control Lite – Show Image Credits and Captions. This issue affects Image Source Control Lite – Show Image Credits and Captions: from n/a through 2.17.0. | 7.5 |
2024-01-26 | CVE-2023-6919 | Biges | Path Traversal: '/../filedir' vulnerability in Biges products Path Traversal: '/../filedir' vulnerability in Biges Safe Life Technologies Electronics Inc. | 7.5 |
2024-01-26 | CVE-2024-23629 | Motorola | Improper Authentication vulnerability in Motorola Mr2600 Firmware An authentication bypass vulnerability exists in the web component of the Motorola MR2600. | 7.5 |
2024-01-25 | CVE-2024-0889 | Kmint21 | Improper Resource Shutdown or Release vulnerability in Kmint21 Golden FTP Server 2.02B A vulnerability was found in Kmint21 Golden FTP Server 2.02b and classified as problematic. | 7.5 |
2024-01-25 | CVE-2024-21619 | Juniper | Information Exposure Through an Error Message vulnerability in Juniper Junos A Missing Authentication for Critical Function vulnerability combined with a Generation of Error Message Containing Sensitive Information vulnerability in J-Web of Juniper Networks Junos OS on SRX Series and EX Series allows an unauthenticated, network-based attacker to access sensitive system information. When a user logs in, a temporary file which contains the configuration of the device (as visible to that user) is created in the /cache folder. | 7.5 |
2024-01-25 | CVE-2024-0887 | Mafiatic | Improper Resource Shutdown or Release vulnerability in Mafiatic Blue Server 1.1 A vulnerability, which was classified as problematic, has been found in Mafiatic Blue Server 1.1. | 7.5 |
2024-01-25 | CVE-2024-0888 | 10N | Improper Resource Shutdown or Release vulnerability in 10N Borgchat 1.0.0 A vulnerability, which was classified as problematic, was found in BORGChat 1.0.0 Build 438. | 7.5 |
2024-01-25 | CVE-2024-0885 | Spycamlizard | Improper Resource Shutdown or Release vulnerability in Spycamlizard 1.230 A vulnerability classified as problematic has been found in SpyCamLizard 1.230. | 7.5 |
2024-01-25 | CVE-2023-52355 | Libtiff Redhat | Out-of-bounds Write vulnerability in multiple products An out-of-memory flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFRasterScanlineSize64() API. | 7.5 |
2024-01-25 | CVE-2023-52356 | Libtiff Redhat | Out-of-bounds Write vulnerability in multiple products A segment fault (SEGV) flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFReadRGBATileExt() API. | 7.5 |
2024-01-25 | CVE-2024-23656 | Linuxfoundation | Inadequate Encryption Strength vulnerability in Linuxfoundation DEX 2.37.0 Dex is an identity service that uses OpenID Connect to drive authentication for other apps. | 7.5 |
2024-01-25 | CVE-2024-0882 | Linkwechat | Path Traversal vulnerability in Linkwechat 5.1.0 A vulnerability was found in qwdigital LinkWechat 5.1.0. | 7.5 |
2024-01-25 | CVE-2024-0822 | Ovirt | Improper Authentication vulnerability in Ovirt Ovirt-Engine An authentication bypass vulnerability was found in ovirt-engine. | 7.5 |
2024-01-25 | CVE-2024-23985 | Ezhometech | Unspecified vulnerability in Ezhometech Ezserver 6.4.017 EzServer 6.4.017 allows a denial of service (daemon crash) via a long string, such as one for the RNTO command. | 7.5 |
2024-01-24 | CVE-2021-42145 | Contiki NG | Improper Handling of Exceptional Conditions vulnerability in Contiki-Ng Tinydtls 20180830 An assertion failure discovered in check_certificate_request() in Contiki-NG tinyDTLS through master branch 53a0d97 allows attackers to cause a denial of service. | 7.5 |
2024-01-24 | CVE-2021-42146 | Contiki NG | Improper Handling of Exceptional Conditions vulnerability in Contiki-Ng Tinydtls 20180830 An issue was discovered in Contiki-NG tinyDTLS through master branch 53a0d97. | 7.5 |
2024-01-24 | CVE-2023-51888 | Ctan | Classic Buffer Overflow vulnerability in Ctan Mathtex Buffer Overflow vulnerability in the nomath() function in Mathtex v.1.05 and before allows a remote attacker to cause a denial of service via a crafted string in the application URL. | 7.5 |
2024-01-24 | CVE-2023-51890 | Ctan | Infinite Loop vulnerability in Ctan Mathtex An infinite loop issue discovered in Mathtex 1.05 and before allows remote attackers to consume CPU resources via a crafted string in the application URL. | 7.5 |
2024-01-24 | CVE-2024-23904 | Jenkins | Unspecified vulnerability in Jenkins LOG Command Jenkins Log Command Plugin 1.0.2 and earlier does not disable a feature of its command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read content from arbitrary files on the Jenkins controller file system. | 7.5 |
2024-01-24 | CVE-2023-51886 | Ctan | Classic Buffer Overflow vulnerability in Ctan Mathtex Buffer Overflow vulnerability in the main() function in Mathtex 1.05 and before allows a remote attacker to cause a denial of service when using \convertpath. | 7.5 |
2024-01-24 | CVE-2024-23641 | Svelte | Unspecified vulnerability in Svelte Adapter-Node and KIT SvelteKit is a web development kit. | 7.5 |
2024-01-24 | CVE-2024-22141 | Cozmoslabs | Information Exposure vulnerability in Cozmoslabs Profile Builder Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Cozmoslabs Profile Builder Pro. This issue affects Profile Builder Pro: from n/a through 3.10.0. | 7.5 |
2024-01-24 | CVE-2023-50943 | Apache | Deserialization of Untrusted Data vulnerability in Apache Airflow Apache Airflow, versions before 2.8.1, have a vulnerability that allows a potential attacker to poison the XCom data by bypassing the protection of "enable_xcom_pickling=False" configuration setting resulting in poisoned data after XCom deserialization. | 7.5 |
2024-01-24 | CVE-2024-22154 | Snpdigital | Information Exposure vulnerability in Snpdigital Salesking Exposure of Sensitive Information to an Unauthorized Actor vulnerability in SNP Digital SalesKing. This issue affects SalesKing: from n/a through 1.6.15. | 7.5 |
2024-01-24 | CVE-2024-22294 | Ip2Location | Information Exposure vulnerability in Ip2Location Country Blocker Exposure of Sensitive Information to an Unauthorized Actor vulnerability in IP2Location IP2Location Country Blocker. This issue affects IP2Location Country Blocker: from n/a through 2.33.3. | 7.5 |
2024-01-24 | CVE-2024-22301 | Eduva | Information Exposure vulnerability in Eduva Albo Pretorio Online Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Ignazio Scimone Albo Pretorio On line. This issue affects Albo Pretorio On line: from n/a through 4.6.6. | 7.5 |
2024-01-24 | CVE-2024-0804 | Google Fedoraproject | Insufficient policy enforcement in iOS Security UI in Google Chrome prior to 121.0.6167.85 allowed a remote attacker to leak cross-origin data via a crafted HTML page. | 7.5 |
2024-01-23 | CVE-2023-7237 | Lantronix | Inadequate Encryption Strength vulnerability in Lantronix Xport Edge Firmware 2.0.0.13 Lantronix XPort sends weakly encoded credentials within web request headers. | 7.5 |
2024-01-23 | CVE-2023-52325 | Trendmicro | Unspecified vulnerability in Trendmicro Apex Central 2019 A local file inclusion vulnerability in one of Trend Micro Apex Central's widgets could allow a remote attacker to execute arbitrary code on affected installations. Please note: this vulnerability must be used in conjunction with another one to exploit an affected system. | 7.5 |
2024-01-23 | CVE-2023-50275 | HP | Improper Authentication vulnerability in HP Oneview HPE OneView may allow clusterService Authentication Bypass resulting in denial of service. | 7.5 |
2024-01-23 | CVE-2024-0743 | Mozilla | Unchecked Return Value vulnerability in Mozilla Firefox An unchecked return value in TLS handshake code could have caused a potentially exploitable crash. | 7.5 |
2024-01-23 | CVE-2024-0744 | Mozilla | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Mozilla Firefox In some circumstances, JIT compiled code could have dereferenced a wild pointer value. | 7.5 |
2024-01-23 | CVE-2024-22768 | Hitron Systems | Use of Hard-coded Credentials vulnerability in Hitron Systems DVR Hvr-4781 Firmware Improper Input Validation in Hitron Systems DVR HVR-4781 1.03~4.02 allows an attacker to cause a network attack in case of using the default admin ID/PW. | 7.5 |
2024-01-23 | CVE-2024-22769 | Hitron Systems | Use of Hard-coded Credentials vulnerability in Hitron Systems DVR Hvr-4781 Firmware Improper Input Validation in Hitron Systems DVR HVR-8781 1.03~4.02 allows an attacker to cause a network attack in case of using the default admin ID/PW. | 7.5 |
2024-01-23 | CVE-2024-22770 | Hitron Systems | Use of Hard-coded Credentials vulnerability in Hitron Systems DVR Hvr-4781 Firmware Improper Input Validation in Hitron Systems DVR HVR-16781 1.03~4.02 allows an attacker to cause a network attack in case of using the default admin ID/PW. | 7.5 |
2024-01-23 | CVE-2024-22771 | Hitron Systems | Use of Hard-coded Credentials vulnerability in Hitron Systems DVR Hvr-4781 Firmware Improper Input Validation in Hitron Systems DVR LGUVR-4H 1.02~4.02 allows an attacker to cause a network attack in case of using the default admin ID/PW. | 7.5 |
2024-01-23 | CVE-2024-22772 | Hitron Systems | Use of Hard-coded Credentials vulnerability in Hitron Systems DVR Hvr-4781 Firmware Improper Input Validation in Hitron Systems DVR LGUVR-8H 1.02~4.02 allows an attacker to cause a network attack in case of using the default admin ID/PW. | 7.5 |
2024-01-23 | CVE-2024-23842 | Hitron Systems | Use of Hard-coded Credentials vulnerability in Hitron Systems DVR Hvr-4781 Firmware Improper Input Validation in Hitron Systems DVR LGUVR-16H 1.02~4.02 allows an attacker to cause a network attack in case of using the default admin ID/PW. | 7.5 |
2024-01-23 | CVE-2023-39197 | Linux Fedoraproject | Out-of-bounds Read vulnerability in multiple products An out-of-bounds read vulnerability was found in Netfilter Connection Tracking (conntrack) in the Linux kernel. | 7.5 |
2024-01-23 | CVE-2024-23203 | Apple | Unspecified vulnerability in Apple Ipados, Iphone OS and Macos The issue was addressed with additional permissions checks. | 7.5 |
2024-01-23 | CVE-2024-23204 | Apple | Unspecified vulnerability in Apple products The issue was addressed with additional permissions checks. | 7.5 |
2024-01-22 | CVE-2023-47152 | IBM | Information Exposure Through an Error Message vulnerability in IBM DB2 IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 is vulnerable to an insecure cryptographic algorithm and to information disclosure in stack trace under exceptional conditions. | 7.5 |
2024-01-22 | CVE-2023-45193 | IBM | Unspecified vulnerability in IBM DB2 IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 federated server is vulnerable to a denial of service when a specially crafted cursor is used. | 7.5 |
2024-01-22 | CVE-2024-0605 | Mozilla | Race Condition vulnerability in Mozilla Firefox Focus Using a javascript: URI with a setTimeout race condition, an attacker can execute unauthorized scripts on top origin sites in urlbar. | 7.5 |
2024-01-22 | CVE-2024-22233 | Vmware | Unspecified vulnerability in VMWare Spring Framework 6.0.15/6.1.2 In Spring Framework versions 6.0.15 and 6.1.2, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition. Specifically, an application is vulnerable when all of the following are true: (1) the application uses Spring MVC; (2) Spring Security 6.1.6+ or 6.2.1+ is on the classpath. Typically, Spring Boot applications need the org.springframework.boot:spring-boot-starter-web and org.springframework.boot:spring-boot-starter-security dependencies to meet all conditions. | 7.5 |
2024-01-22 | CVE-2023-52354 | Blitiri | HTTP Request Smuggling vulnerability in Blitiri Chasquid chasquid before 1.13 allows SMTP smuggling because LF-terminated lines are accepted. | 7.5 |
2024-01-23 | CVE-2024-23342 | Tlsfuzzer | Covert Timing Channel vulnerability in Tlsfuzzer Ecdsa The `ecdsa` PyPI package is a pure Python implementation of ECC (Elliptic Curve Cryptography) with support for ECDSA (Elliptic Curve Digital Signature Algorithm), EdDSA (Edwards-curve Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman). | 7.4 |
2024-01-27 | CVE-2024-22147 | Wpovernight | SQL Injection vulnerability in Wpovernight Woocommerce PDF Invoices & Packing Slips Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Overnight PDF Invoices & Packing Slips for WooCommerce. This issue affects PDF Invoices & Packing Slips for WooCommerce: from n/a through 3.7.5. | 7.2 |
2024-01-26 | CVE-2024-20263 | Cisco | Unspecified vulnerability in Cisco products A vulnerability with the access control list (ACL) management within a stacked switch configuration of Cisco Business 250 Series Smart Switches and Business 350 Series Managed Switches could allow an unauthenticated, remote attacker to bypass protection offered by a configured ACL on an affected device. | 7.2 |
2024-01-26 | CVE-2024-0918 | Trendnet | OS Command Injection vulnerability in Trendnet Tew-800Mb Firmware 1.0.1.0 A vulnerability was found in TRENDnet TEW-800MB 1.0.1.0 and classified as critical. | 7.2 |
2024-01-26 | CVE-2024-0919 | Trendnet | Command Injection vulnerability in Trendnet Tew-815Dap Firmware 1.0.2.0 A vulnerability was found in TRENDnet TEW-815DAP 1.0.2.0. | 7.2 |
2024-01-26 | CVE-2024-0920 | Trendnet | Command Injection vulnerability in Trendnet Tew-822Dre Firmware 1.03B02 A vulnerability was found in TRENDnet TEW-822DRE 1.03B02. | 7.2 |
2024-01-25 | CVE-2024-24399 | Lepton CMS | Unrestricted Upload of File with Dangerous Type vulnerability in Lepton-Cms Leptoncms 7.0.0 An arbitrary file upload vulnerability in LEPTON v7.0.0 allows authenticated attackers to execute arbitrary PHP code by uploading this code to the backend/languages/index.php languages area. | 7.2 |
2024-01-24 | CVE-2023-24676 | Processwire | Unspecified vulnerability in Processwire 3.0.210 An issue found in ProcessWire 3.0.210 allows attackers to execute arbitrary code and install a reverse shell via the download_zip_url parameter when installing a new module. | 7.2 |
2024-01-24 | CVE-2024-22135 | Webtoffee | Unrestricted Upload of File with Dangerous Type vulnerability in Webtoffee Order Export & Order Import for Woocommerce Unrestricted Upload of File with Dangerous Type vulnerability in WebToffee Order Export & Order Import for WooCommerce. This issue affects Order Export & Order Import for WooCommerce: from n/a through 2.4.3. | 7.2 |
2024-01-24 | CVE-2024-22152 | Webtoffee | Unrestricted Upload of File with Dangerous Type vulnerability in Webtoffee Product Import Export for Woocommerce Unrestricted Upload of File with Dangerous Type vulnerability in WebToffee Product Import Export for WooCommerce. This issue affects Product Import Export for WooCommerce: from n/a through 2.3.7. | 7.2 |
2024-01-24 | CVE-2023-31037 | Nvidia | OS Command Injection vulnerability in Nvidia Bluefield BMC NVIDIA Bluefield 2 and Bluefield 3 DPU BMC contains a vulnerability in ipmitool, where a root user may cause code injection by a network call. | 7.2 |
2024-01-22 | CVE-2023-7082 | Soflyy | Unspecified vulnerability in Soflyy Export ANY Wordpress Data to Xml/Csv The Import any XML or CSV File to WordPress plugin before 3.7.3 accepts all zip files and automatically extracts the zip file into a publicly accessible directory without sufficiently validating the extracted file type. | 7.2 |
2024-01-26 | CVE-2023-6291 | Redhat | Open Redirect vulnerability in Redhat products A flaw was found in the redirect_uri validation logic in Keycloak. | 7.1 |
2024-01-24 | CVE-2023-44281 | Dell | Unspecified vulnerability in Dell Pair Dell Pair Installer version prior to 1.2.1 contains an elevation of privilege vulnerability. | 7.1 |
2024-01-23 | CVE-2023-52331 | Trendmicro | Server-Side Request Forgery (SSRF) vulnerability in Trendmicro Apex Central 2019 A post-authenticated server-side request forgery (SSRF) vulnerability in Trend Micro Apex Central could allow an attacker to interact with internal or local services directly. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. | 7.1 |
2024-01-22 | CVE-2024-0775 | Linux Redhat | Use After Free vulnerability in multiple products A use-after-free flaw was found in the __ext4_remount in fs/ext4/super.c in ext4 in the Linux kernel. | 7.1 |
2024-01-23 | CVE-2023-51043 | Linux | Use After Free vulnerability in Linux Kernel In the Linux kernel before 6.4.5, drivers/gpu/drm/drm_atomic.c has a use-after-free during a race condition between a nonblocking atomic commit and a driver unload. | 7.0 |
241 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2024-01-24 | CVE-2024-22366 | Yamaha | OS Command Injection vulnerability in Yamaha products Active debug code exists in Yamaha wireless LAN access point devices. | 6.8 |
2024-01-24 | CVE-2024-22372 | Elecom | OS Command Injection vulnerability in Elecom products OS command injection vulnerability in ELECOM wireless LAN routers allows a network-adjacent attacker with an administrative privilege to execute arbitrary OS commands by sending a specially crafted request to the product. | 6.8 |
2024-01-27 | CVE-2024-23506 | Instawp | Unspecified vulnerability in Instawp Connect Exposure of Sensitive Information to an Unauthorized Actor vulnerability in InstaWP Team InstaWP Connect – 1-click WP Staging & Migration. This issue affects InstaWP Connect – 1-click WP Staging & Migration: from n/a through 0.1.0.9. | 6.5 |
2024-01-26 | CVE-2024-23820 | Openfga | Memory Leak vulnerability in Openfga OpenFGA, an authorization/permission engine, is vulnerable to a denial of service attack in versions prior to 1.4.3. | 6.5 |
2024-01-26 | CVE-2023-6159 | Gitlab | Unspecified vulnerability in Gitlab An issue has been discovered in GitLab CE/EE affecting all versions from 12.7 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1 It was possible for an attacker to trigger a Regular Expression Denial of Service via a `Cargo.toml` containing maliciously crafted input. | 6.5 |
2024-01-25 | CVE-2023-41474 | Ivanti | Path Traversal vulnerability in Ivanti Avalanche 6.3.4.153 Directory Traversal vulnerability in Ivanti Avalanche 6.3.4.153 allows a remote authenticated attacker to obtain sensitive information via the javax.faces.resource component. | 6.5 |
2024-01-25 | CVE-2024-22432 | Dell | Insufficiently Protected Credentials vulnerability in Dell Networker Networker 19.9 and all prior versions contains a Plain-text Password stored in temporary config file during backup duration in NMDA MySQL Database backups. | 6.5 |
2024-01-24 | CVE-2024-23649 | Join Lemmy | Unspecified vulnerability in Join-Lemmy Lemmy Lemmy is a link aggregator and forum for the fediverse. | 6.5 |
2024-01-24 | CVE-2024-23899 | Jenkins | Unspecified vulnerability in Jenkins GIT Server 99.Va0826Abcdfad Jenkins Git server Plugin 99.va_0826a_b_cdfa_d and earlier does not disable a feature of its command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing attackers with Overall/Read permission to read content from arbitrary files on the Jenkins controller file system. | 6.5 |
2024-01-24 | CVE-2024-23901 | Jenkins | Unspecified vulnerability in Jenkins Github Branch Source Jenkins GitLab Branch Source Plugin 684.vea_fa_7c1e2fe3 and earlier unconditionally discovers projects that are shared with the configured owner group, allowing attackers to configure and share a project, resulting in a crafted Pipeline being built by Jenkins during the next scan of the group. | 6.5 |
2024-01-24 | CVE-2023-50944 | Apache | Missing Authorization vulnerability in Apache Airflow Apache Airflow, versions before 2.8.1, have a vulnerability that allows an authenticated user to access the source code of a DAG to which they don't have access. This vulnerability is considered low since it requires an authenticated user to exploit it. | 6.5 |
2024-01-24 | CVE-2023-51702 | Apache | Cleartext Storage of Sensitive Information vulnerability in Apache Airflow and Airflow Cncf Kubernetes Since version 5.2.0, when using deferrable mode with the path of a Kubernetes configuration file for authentication, the Airflow worker serializes this configuration file as a dictionary and sends it to the triggerer by storing it in metadata without any encryption. | 6.5 |
2024-01-24 | CVE-2024-22134 | Renzojohnson | Server-Side Request Forgery (SSRF) vulnerability in Renzojohnson Contact Form 7 Extension for Mailchimp 0.5.70 Server-Side Request Forgery (SSRF) vulnerability in Renzo Johnson Contact Form 7 Extension For Mailchimp. This issue affects Contact Form 7 Extension For Mailchimp: from n/a through 0.5.70. | 6.5 |
2024-01-24 | CVE-2024-0814 | Google Fedoraproject | Origin Validation Error vulnerability in multiple products Incorrect security UI in Payments in Google Chrome prior to 121.0.6167.85 allowed a remote attacker to potentially spoof security UI via a crafted HTML page. | 6.5 |
2024-01-24 | CVE-2024-23638 | Squid Cache | Operation on a Resource after Expiration or Release vulnerability in Squid-Cache Squid Squid is a caching proxy for the Web. | 6.5 |
2024-01-23 | CVE-2023-35836 | Solax | Unspecified vulnerability in Solax Pocket Wifi 3 Firmware 3.0.0/3.009.0320230504 An issue was discovered in SolaX Pocket WiFi 3 through 3.001.02. | 6.5 |
2024-01-23 | CVE-2024-0741 | Mozilla Debian | Out-of-bounds Write vulnerability in multiple products An out of bounds write in ANGLE could have allowed an attacker to corrupt memory leading to a potentially exploitable crash. | 6.5 |
2024-01-23 | CVE-2024-0746 | Mozilla Debian | A Linux user opening the print preview dialog could have caused the browser to crash. | 6.5 |
2024-01-23 | CVE-2024-0747 | Mozilla Debian | When a parent page loaded a child in an iframe with `unsafe-inline`, the parent Content Security Policy could have overridden the child Content Security Policy. | 6.5 |
2024-01-23 | CVE-2024-0752 | Mozilla | Use After Free vulnerability in Mozilla Firefox A use-after-free crash could have occurred on macOS if a Firefox update were being applied on a very busy system. | 6.5 |
2024-01-23 | CVE-2024-0753 | Mozilla Debian | In specific HSTS configurations an attacker could have bypassed HSTS on a subdomain. | 6.5 |
2024-01-23 | CVE-2024-0754 | Mozilla | Unspecified vulnerability in Mozilla Firefox Some WASM source files could have caused a crash when loaded in devtools. | 6.5 |
2024-01-23 | CVE-2024-23206 | Apple | Unspecified vulnerability in Apple products An access issue was addressed with improved access restrictions. | 6.5 |
2024-01-22 | CVE-2024-23339 | Elijahharry | Unspecified vulnerability in Elijahharry Hoolock 2.0.0/2.1.0/2.2.0 hoolock is a suite of lightweight utilities designed to maintain a small footprint when bundled. | 6.5 |
2024-01-22 | CVE-2023-47141 | IBM | Unspecified vulnerability in IBM DB2 IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5 could allow an authenticated user with CONNECT privileges to cause a denial of service using a specially crafted query. | 6.5 |
2024-01-22 | CVE-2024-23675 | Splunk | Incorrect Authorization vulnerability in Splunk Cloud and Splunk In Splunk Enterprise versions below 9.0.8 and 9.1.3, Splunk app key value store (KV Store) improperly handles permissions for users that use the REST application programming interface (API). | 6.5 |
2024-01-22 | CVE-2023-27859 | IBM | Unspecified vulnerability in IBM DB2 IBM Db2 10.1, 10.5, and 11.1 could allow a remote user to execute arbitrary code caused by installing like named jar files across multiple databases. | 6.5 |
2024-01-22 | CVE-2023-47158 | IBM | Unspecified vulnerability in IBM DB2 IBM DB2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.5, 11.1 and 11.5 could allow an authenticated user with CONNECT privileges to cause a denial of service using a specially crafted query. | 6.5 |
2024-01-22 | CVE-2023-47747 | IBM | Unspecified vulnerability in IBM DB2 IBM DB2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.1, 10.5, and 11.1 could allow an authenticated user with CONNECT privileges to cause a denial of service using a specially crafted query. | 6.5 |
2024-01-22 | CVE-2023-47746 | IBM | Unspecified vulnerability in IBM DB2 IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.5, 11.1, and 11.5 could allow an authenticated user with CONNECT privileges to cause a denial of service using a specially crafted query. | 6.5 |
2024-01-22 | CVE-2023-50308 | IBM | Unspecified vulnerability in IBM DB2 IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.5 under certain circumstances could allow an authenticated user to the database to cause a denial of service when a statement is run on columnar tables. | 6.5 |
2024-01-22 | CVE-2023-44395 | Autolabproject | Path Traversal vulnerability in Autolabproject Autolab Autolab is a course management service that enables instructors to offer autograded programming assignments to their students over the Web. | 6.5 |
2024-01-27 | CVE-2024-0667 | 10Web | Cross-Site Request Forgery (CSRF) vulnerability in 10Web Form Maker The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.15.21. | 6.3 |
2024-01-23 | CVE-2023-42887 | Apple | Unspecified vulnerability in Apple Macos An access issue was addressed with additional sandbox restrictions. | 6.3 |
2024-01-23 | CVE-2024-23219 | Apple | Improper Authentication vulnerability in Apple Ipados The issue was addressed with improved authentication. | 6.2 |
2024-01-23 | CVE-2024-23223 | Apple | Unspecified vulnerability in Apple products A privacy issue was addressed with improved handling of files. | 6.2 |
2024-01-26 | CVE-2024-0948 | Netbox | Cross-site Scripting vulnerability in Netbox ** DISPUTED ** A vulnerability, which was classified as problematic, has been found in NetBox up to 3.7.0. | 6.1 |
2024-01-26 | CVE-2024-22550 | Shopsite | Unrestricted Upload of File with Dangerous Type vulnerability in Shopsite 14.0 An arbitrary file upload vulnerability in the component /alsdemo/ss/mediam.cgi of ShopSite v14.0 allows attackers to execute arbitrary code via uploading a crafted SVG file. | 6.1 |
2024-01-26 | CVE-2024-22551 | Ushainformatique | Cross-site Scripting vulnerability in Ushainformatique Whatacart 2.0.7 WhatACart v2.0.7 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /site/default/search. | 6.1 |
2024-01-26 | CVE-2024-23890 | Ajaysharma | Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0 A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/itempopup.php, in the description parameter. | 6.1 |
2024-01-26 | CVE-2024-23891 | Ajaysharma | Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0 A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/itemcreate.php, in the itemid parameter. | 6.1 |
2024-01-26 | CVE-2024-23892 | Ajaysharma | Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0 A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/costcentercreate.php, in the costcenterid parameter. | 6.1 |
2024-01-26 | CVE-2024-23893 | Ajaysharma | Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0 A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/costcentermodify.php, in the costcenterid parameter. | 6.1 |
2024-01-26 | CVE-2024-23894 | Ajaysharma | Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0 A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/stockissuancecreate.php, in the issuancedate parameter. | 6.1 |
2024-01-26 | CVE-2024-23896 | Ajaysharma | Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0 A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/stock.php, in the batchno parameter. | 6.1 |
2024-01-26 | CVE-2024-23863 | Ajaysharma | Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0 A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/taxstructuredisplay.php, in the description parameter. | 6.1 |
2024-01-26 | CVE-2024-23864 | Ajaysharma | Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0 A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/countrylist.php, in the description parameter. | 6.1 |
2024-01-26 | CVE-2024-23865 | Ajaysharma | Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0 A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/taxstructurelist.php, in the description parameter. | 6.1 |
2024-01-26 | CVE-2024-23866 | Ajaysharma | Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0 A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/countrycreate.php, in the countryid parameter. | 6.1 |
2024-01-26 | CVE-2024-23867 | Ajaysharma | Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0 A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/statecreate.php, in the stateid parameter. | 6.1 |
2024-01-26 | CVE-2024-23868 | Ajaysharma | Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0 A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/grnlist.php, in the deleted parameter. | 6.1 |
2024-01-26 | CVE-2024-23869 | Ajaysharma | Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0 A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/stockissuanceprint.php, in the issuanceno parameter. | 6.1 |
2024-01-26 | CVE-2024-23870 | Ajaysharma | Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0 A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/stockissuancelist.php, in the delete parameter. | 6.1 |
2024-01-26 | CVE-2024-23871 | Ajaysharma | Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0 A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/unitofmeasurementmodify.php, in the description parameter. | 6.1 |
2024-01-26 | CVE-2024-23872 | Ajaysharma | Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0 A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/locationmodify.php, in the description parameter. | 6.1 |
2024-01-26 | CVE-2024-23873 | Ajaysharma | Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0 A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/currencymodify.php, in the currencyid parameter. | 6.1 |
2024-01-26 | CVE-2024-23874 | Ajaysharma | Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0 A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/companymodify.php, in the address1 parameter. | 6.1 |
2024-01-26 | CVE-2024-23875 | Ajaysharma | Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0 A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/stockissuancedisplay.php, in the issuanceno parameter. | 6.1 |
2024-01-26 | CVE-2024-23876 | Ajaysharma | Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0 A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/taxstructurecreate.php, in the description parameter. | 6.1 |
2024-01-26 | CVE-2024-23877 | Ajaysharma | Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0 A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/currencycreate.php, in the currencyid parameter. | 6.1 |
2024-01-26 | CVE-2024-23878 | Ajaysharma | Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0 A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/grnprint.php, in the grnno parameter. | 6.1 |
2024-01-26 | CVE-2024-23879 | Ajaysharma | Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0 A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/statemodify.php, in the description parameter. | 6.1 |
2024-01-26 | CVE-2024-23880 | Ajaysharma | Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0 A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/taxcodelist.php, in the description parameter. | 6.1 |
2024-01-26 | CVE-2024-23881 | Ajaysharma | Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0 A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/statelist.php, in the description parameter. | 6.1 |
2024-01-26 | CVE-2024-23882 | Ajaysharma | Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0 A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/taxcodecreate.php, in the taxcodeid parameter. | 6.1 |
2024-01-26 | CVE-2024-23883 | Ajaysharma | Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0 A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/taxstructuremodify.php, in the description parameter. | 6.1 |
2024-01-26 | CVE-2024-23884 | Ajaysharma | Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0 A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/grnmodify.php, in the grndate parameter. | 6.1 |
2024-01-26 | CVE-2024-23885 | Ajaysharma | Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0 A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/countrymodify.php, in the countryid parameter. | 6.1 |
2024-01-26 | CVE-2024-23886 | Ajaysharma | Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0 A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/itemmodify.php, in the bincardinfo parameter. | 6.1 |
2024-01-26 | CVE-2024-23887 | Ajaysharma | Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0 A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/grncreate.php, in the grndate parameter. | 6.1 |
2024-01-26 | CVE-2024-23888 | Ajaysharma | Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0 A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/stocktransactionslist.php, in the itemidy parameter. | 6.1 |
2024-01-26 | CVE-2024-23889 | Ajaysharma | Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0 A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/itemgroupcreate.php, in the itemgroupid parameter. | 6.1 |
2024-01-26 | CVE-2024-23856 | Ajaysharma | Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0 A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/itemlist.php, in the description parameter. | 6.1 |
2024-01-26 | CVE-2024-23857 | Ajaysharma | Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0 A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/grnlinecreate.php, in the batchno parameter. | 6.1 |
2024-01-26 | CVE-2024-23858 | Ajaysharma | Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0 A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/stockissuancelinecreate.php, in the batchno parameter. | 6.1 |
2024-01-26 | CVE-2024-23859 | Ajaysharma | Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0 A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/taxstructurelinecreate.php, in the flatamount parameter. | 6.1 |
2024-01-26 | CVE-2024-23860 | Ajaysharma | Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0 A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/currencylist.php, in the description parameter. | 6.1 |
2024-01-26 | CVE-2024-23861 | Ajaysharma | Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0 A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/unitofmeasurementcreate.php, in the unitofmeasurementid parameter. | 6.1 |
2024-01-26 | CVE-2024-23862 | Ajaysharma | Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0 A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/grndisplay.php, in the grnno parameter. | 6.1 |
2024-01-26 | CVE-2024-23388 | Mercari | Missing Authorization vulnerability in Mercari 3.51.0/3.52.0/4.49.1 Improper authorization in handler for custom URL scheme issue in "Mercari" App for Android prior to version 5.78.0 allows a remote attacker to lead a user to access an arbitrary website via the vulnerable App. | 6.1 |
2024-01-25 | CVE-2024-21620 | Juniper | Cross-site Scripting vulnerability in Juniper Junos An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in J-Web of Juniper Networks Junos OS on SRX Series and EX Series allows an attacker to construct a URL that when visited by another user enables the attacker to execute commands with the target's permissions, including an administrator. A specific invocation of the emit_debug_note method in webauth_operation.php will echo back the data it receives. This issue affects Juniper Networks Junos OS on SRX Series and EX Series: * All versions earlier than 20.4R3-S10; * 21.2 versions earlier than 21.2R3-S8; * 21.4 versions earlier than 21.4R3-S6; * 22.1 versions earlier than 22.1R3-S5; * 22.2 versions earlier than 22.2R3-S3; * 22.3 versions earlier than 22.3R3-S2; * 22.4 versions earlier than 22.4R3-S1; * 23.2 versions earlier than 23.2R2; * 23.4 versions earlier than 23.4R2. | 6.1 |
2024-01-25 | CVE-2024-23055 | Plone | Unspecified vulnerability in Plone Docker Official Image 5.2.13 An issue in Plone Docker Official Image 5.2.13 (5221) open-source software allows for remote code execution via improper validation of input by the HOST headers. | 6.1 |
2024-01-25 | CVE-2024-22635 | Webcalendar Project | Cross-site Scripting vulnerability in Webcalendar Project Webcalendar 1.3.0 WebCalendar v1.3.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /WebCalendarvqsmnseug2/edit_entry.php. | 6.1 |
2024-01-25 | CVE-2024-22637 | Formtools | Cross-site Scripting vulnerability in Formtools Form Tools 3.1.1 Form Tools v3.1.1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /form_builder/preview.php?form_id=2. | 6.1 |
2024-01-25 | CVE-2024-22639 | Igalerie | Cross-site Scripting vulnerability in Igalerie 3.0.22 iGalerie v3.0.22 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the Titre (Title) field in the editing interface. | 6.1 |
2024-01-25 | CVE-2024-23817 | Dolibarr | Cross-site Scripting vulnerability in Dolibarr Erp/Crm 18.0.4 Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. | 6.1 |
2024-01-25 | CVE-2024-23855 | Ajaysharma | Cross-site Scripting vulnerability in Ajaysharma Cups Easy 1.0 A vulnerability has been reported in Cups Easy (Purchase & Inventory), version 1.0, whereby user-controlled inputs are not sufficiently encoded, resulting in a Cross-Site Scripting (XSS) vulnerability via /cupseasylive/taxcodemodify.php, in multiple parameters. | 6.1 |
2024-01-25 | CVE-2023-6282 | Icehrm | Cross-site Scripting vulnerability in Icehrm 23.0.0.Os IceHrm 23.0.0.OS does not sufficiently encode user-controlled input, which creates a Cross-Site Scripting (XSS) vulnerability via /icehrm/app/fileupload_page.php, in multiple parameters. | 6.1 |
2024-01-25 | CVE-2023-33758 | Splicecom | Cross-site Scripting vulnerability in Splicecom Maximiser Soft PBX Splicecom Maximiser Soft PBX v1.5 and before was discovered to contain a cross-site scripting (XSS) vulnerability via the CLIENT_NAME and DEVICE_GUID fields in the login component. | 6.1 |
2024-01-24 | CVE-2024-22725 | Orthanc Server | Cross-site Scripting vulnerability in Orthanc-Server Orthanc Orthanc versions before 1.12.2 are affected by a reflected cross-site scripting (XSS) vulnerability. | 6.1 |
2024-01-24 | CVE-2023-6697 | Wpgmaps | Cross-site Scripting vulnerability in Wpgmaps WP GO Maps The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the map id parameter in all versions up to, and including, 9.0.28 due to insufficient input sanitization and output escaping. | 6.1 |
2024-01-24 | CVE-2024-22308 | Simple Membership Plugin | Open Redirect vulnerability in Simple-Membership-Plugin Simple Membership URL Redirection to Untrusted Site ('Open Redirect') vulnerability in smp7, wp.Insider Simple Membership. This issue affects Simple Membership: from n/a through 4.4.1. | 6.1 |
2024-01-24 | CVE-2024-0665 | Marvinlabs | Cross-site Scripting vulnerability in Marvinlabs WP Customer Area The WP Customer Area plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in all versions up to, and including, 8.2.1 due to insufficient input sanitization and output escaping. | 6.1 |
2024-01-24 | CVE-2024-23633 | Humansignal | Cross-site Scripting vulnerability in Humansignal Label Studio Label Studio, an open source data labeling tool had a remote import feature allowed users to import data from a remote web source, that was downloaded and could be viewed on the website. | 6.1 |
2024-01-23 | CVE-2023-41176 | Trendmicro | Cross-site Scripting vulnerability in Trendmicro Mobile Security 9.8 Reflected cross-site scripting (XSS) vulnerabilities in Trend Micro Mobile Security (Enterprise) could allow an exploit against an authenticated victim that visits a malicious link provided by an attacker. Please note, this vulnerability is similar to, but not identical to, CVE-2023-41177. | 6.1 |
2024-01-23 | CVE-2023-41177 | Trendmicro | Cross-site Scripting vulnerability in Trendmicro Mobile Security 9.8 Reflected cross-site scripting (XSS) vulnerabilities in Trend Micro Mobile Security (Enterprise) could allow an exploit against an authenticated victim that visits a malicious link provided by an attacker. Please note, this vulnerability is similar to, but not identical to, CVE-2023-41178. | 6.1 |
2024-01-23 | CVE-2023-41178 | Trendmicro | Cross-site Scripting vulnerability in Trendmicro Mobile Security 9.8 Reflected cross-site scripting (XSS) vulnerabilities in Trend Micro Mobile Security (Enterprise) could allow an exploit against an authenticated victim that visits a malicious link provided by an attacker. Please note, this vulnerability is similar to, but not identical to, CVE-2023-41176. | 6.1 |
2024-01-23 | CVE-2023-52326 | Trendmicro | Cross-site Scripting vulnerability in Trendmicro Apex Central 2019 Certain dashboard widgets on Trend Micro Apex Central (on-premise) are vulnerable to cross-site scripting (XSS) attacks that may allow an attacker to achieve remote code execution on affected servers. Please note this vulnerability is similar, but not identical to CVE-2023-52327. | 6.1 |
2024-01-23 | CVE-2023-52327 | Trendmicro | Cross-site Scripting vulnerability in Trendmicro Apex Central 2019 Certain dashboard widgets on Trend Micro Apex Central (on-premise) are vulnerable to cross-site scripting (XSS) attacks that may allow an attacker to achieve remote code execution on affected servers. Please note this vulnerability is similar, but not identical to CVE-2023-52328. | 6.1 |
2024-01-23 | CVE-2023-52328 | Trendmicro | Cross-site Scripting vulnerability in Trendmicro Apex Central 2019 Certain dashboard widgets on Trend Micro Apex Central (on-premise) are vulnerable to cross-site scripting (XSS) attacks that may allow an attacker to achieve remote code execution on affected servers. Please note this vulnerability is similar, but not identical to CVE-2023-52329. | 6.1 |
2024-01-23 | CVE-2023-52329 | Trendmicro | Cross-site Scripting vulnerability in Trendmicro Apex Central 2019 Certain dashboard widgets on Trend Micro Apex Central (on-premise) are vulnerable to cross-site scripting (XSS) attacks that may allow an attacker to achieve remote code execution on affected servers. Please note this vulnerability is similar, but not identical to CVE-2023-52326. | 6.1 |
2024-01-23 | CVE-2023-52330 | Trendmicro | Cross-site Scripting vulnerability in Trendmicro Apex ONE A cross-site scripting vulnerability in Trend Micro Apex Central could allow a remote attacker to execute arbitrary code on affected installations of Trend Micro Apex Central. Please note: user interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. | 6.1 |
2024-01-23 | CVE-2023-7238 | Orthanc Server | Cross-site Scripting vulnerability in Orthanc-Server Osimis web Viewer 1.4.2.09D9Eff4 An XSS payload can be uploaded as a DICOM study, and when a user tries to view the infected study inside the Osimis WebViewer the XSS vulnerability gets triggered. | 6.1 |
2024-01-23 | CVE-2024-22497 | Jfinalcms Project | Cross-site Scripting vulnerability in Jfinalcms Project Jfinalcms 5.0.0 Cross Site Scripting (XSS) vulnerability in /admin/login password parameter in JFinalcms 5.0.0 allows attackers to run arbitrary code via crafted URL. | 6.1 |
2024-01-23 | CVE-2023-45889 | Classlink | Cross-site Scripting vulnerability in Classlink Oneclick 10.7/10.8 A Universal Cross Site Scripting (UXSS) vulnerability in ClassLink OneClick Extension through 10.8 allows remote attackers to inject JavaScript into any webpage. | 6.1 |
2024-01-23 | CVE-2024-22417 | Benbusby | Cross-site Scripting vulnerability in Benbusby Whoogle Search Whoogle Search is a self-hosted metasearch engine. | 6.1 |
2024-01-23 | CVE-2024-23341 | Ithuan | Cross-site Scripting vulnerability in Ithuan Tuitse-Tsusin TuiTse-TsuSin is a package for organizing the comparative corpus of Taiwanese Chinese characters and Roman characters, and extracting sentences of the Taiwanese Chinese characters and the Roman characters. | 6.1 |
2024-01-23 | CVE-2024-22490 | Beetl BBS Project | Cross-site Scripting vulnerability in Beetl-Bbs Project Beetl-Bbs 2.0 Cross Site Scripting (XSS) vulnerability in beetl-bbs 2.0 allows attackers to run arbitrary code via the /index keyword parameter. | 6.1 |
2024-01-23 | CVE-2024-22496 | Jfinalcms Project | Cross-site Scripting vulnerability in Jfinalcms Project Jfinalcms 5.0.0 Cross Site Scripting (XSS) vulnerability in JFinalcms 5.0.0 allows attackers to run arbitrary code via the /admin/login username parameter. | 6.1 |
2024-01-23 | CVE-2024-23181 | Appleple | Cross-site Scripting vulnerability in Appleple A-Blog CMS Cross-site scripting vulnerability in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.7, Ver.3.0.x series versions prior to Ver.3.0.29, Ver.2.11.x series versions prior to Ver.2.11.58, Ver.2.10.x series versions prior to Ver.2.10.50, and Ver.2.9.0 and earlier allows a remote unauthenticated attacker to execute an arbitrary script on the logged-in user's web browser. | 6.1 |
2024-01-23 | CVE-2024-0587 | Ampforwp | Cross-site Scripting vulnerability in Ampforwp Accelerated Mobile Pages The AMP for WP – Accelerated Mobile Pages plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'disqus_name' parameter in all versions up to, and including, 1.0.92.1 due to insufficient input sanitization and output escaping on the executed JS file. | 6.1 |
2024-01-22 | CVE-2023-7170 | Myeventon | Cross-site Scripting vulnerability in Myeventon Rsvp Events The EventON-RSVP WordPress plugin before 2.9.5 does not sanitise and escape some parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | 6.1 |
2024-01-22 | CVE-2023-7194 | Meris WP Theme Project | Cross-site Scripting vulnerability in Meris WP Theme Project Meris WP Theme The Meris WordPress theme through 1.1.2 does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | 6.1 |
2024-01-22 | CVE-2024-0606 | Mozilla | Cross-site Scripting vulnerability in Mozilla Firefox Focus An attacker could execute unauthorized script on a legitimate site through UXSS using window.open() by opening a javascript URI leading to unauthorized actions within the user's loaded webpage. | 6.1 |
2024-01-22 | CVE-2024-0782 | Online Railway Reservation System Project | Cross-site Scripting vulnerability in Online Railway Reservation System Project Online Railway Reservation System 1.0 A vulnerability has been found in CodeAstro Online Railway Reservation System 1.0 and classified as problematic. | 6.1 |
2024-01-22 | CVE-2024-0781 | Martmbithi | Open Redirect vulnerability in Martmbithi Internet Banking System 1.0 A vulnerability, which was classified as problematic, was found in CodeAstro Internet Banking System 1.0. | 6.1 |
2024-01-22 | CVE-2024-22113 | Anglers NET | Open Redirect vulnerability in Anglers-Net CGI An-Anlyzer 20190624/20231231 Open redirect vulnerability in Access analysis CGI An-Analyzer released in 2023 December 31 and earlier allows a remote unauthenticated attacker to redirect users to arbitrary websites and conduct phishing attacks via a specially crafted URL. | 6.1 |
2024-01-25 | CVE-2023-33757 | Splicecom | Improper Certificate Validation vulnerability in Splicecom Ipcs and Ipcs2 A lack of SSL certificate validation in Splicecom iPCS (iOS App) v1.3.4, iPCS2 (iOS App) v2.8 and before, and iPCS (Android App) v1.8.5 and before allows attackers to eavesdrop on communications via a man-in-the-middle attack. | 5.9 |
2024-01-23 | CVE-2024-23218 | Apple | Information Exposure Through Discrepancy vulnerability in Apple products A timing side-channel issue was addressed with improvements to constant-time computation in cryptographic functions. | 5.9 |
2024-01-22 | CVE-2024-21484 | Jsrsasign Project | Information Exposure Through Discrepancy vulnerability in Jsrsasign Project Jsrsasign Versions of the package jsrsasign before 11.0.0 are vulnerable to Observable Discrepancy via the RSA PKCS1.5 or RSAOAEP decryption process. | 5.9 |
2024-01-23 | CVE-2023-46889 | Meross | Cleartext Transmission of Sensitive Information vulnerability in Meross Msh30Q Firmware 4.5.23 Meross MSH30Q 4.5.23 is vulnerable to Cleartext Transmission of Sensitive Information. | 5.7 |
2024-01-26 | CVE-2023-29081 | Flexera | Incorrect Default Permissions vulnerability in Flexera Installshield A vulnerability has been reported in Suite Setups built with versions prior to InstallShield 2023 R2. | 5.5 |
2024-01-26 | CVE-2024-0727 | Openssl | Unspecified vulnerability in Openssl Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash leading to a potential Denial of Service attack Impact summary: Applications loading files in the PKCS12 format from untrusted sources might terminate abruptly. A file in PKCS12 format can contain certificates and keys and may come from an untrusted source. | 5.5 |
2024-01-25 | CVE-2024-0886 | Poikosoft | Improper Resource Shutdown or Release vulnerability in Poikosoft EZ CD Audio Converter 8.0.7 A vulnerability classified as problematic was found in Poikosoft EZ CD Audio Converter 8.0.7. | 5.5 |
2024-01-25 | CVE-2024-22099 | Linux | NULL Pointer Dereference vulnerability in Linux Kernel 2.6.12 NULL Pointer Dereference vulnerability in the Linux kernel on Linux, x86, ARM (net, bluetooth modules) allows Overflow Buffers. | 5.5 |
2024-01-24 | CVE-2024-21765 | Cals ED | XXE vulnerability in Cals-Ed products Electronic Delivery Check System (Doboku) Ver.18.1.0 and earlier, Electronic Delivery Check System (Dentsu) Ver.12.1.0 and earlier, Electronic Delivery Check System (Kikai) Ver.10.1.0 and earlier, and Electronic delivery item Inspection Support System Ver.4.0.31 and earlier improperly restrict XML external entity references (XXE). | 5.5 |
2024-01-24 | CVE-2024-21796 | Dfeg | XXE vulnerability in Dfeg Electronic Deliverables Creation Support Tool Electronic Deliverables Creation Support Tool (Construction Edition) prior to Ver1.0.4 and Electronic Deliverables Creation Support Tool (Design & Survey Edition) prior to Ver1.0.4 improperly restrict XML external entity references (XXE). | 5.5 |
2024-01-24 | CVE-2024-22380 | Maff | XXE vulnerability in Maff Electronic Delivery Check System 14.0.001.002 Electronic Delivery Check System (Ministry of Agriculture, Forestry and Fisheries The Agriculture and Rural Development Project Version) March, Heisei 31 era edition Ver.14.0.001.002 and earlier improperly restricts XML external entity references (XXE). | 5.5 |
2024-01-24 | CVE-2022-4964 | Canonical | Incorrect Default Permissions vulnerability in Canonical Ubuntu Pipewire-Pulse Ubuntu's pipewire-pulse in snap grants microphone access even when the snap interface for audio-record is not set. | 5.5 |
2024-01-24 | CVE-2024-23453 | Spooncast | Use of Hard-coded Credentials vulnerability in Spooncast Spoon 7.11.1/8.6.0 Android Spoon application version 7.11.1 to 8.6.0 uses hard-coded credentials, which may allow a local attacker to retrieve the hard-coded API key when the application binary is reverse-engineered. | 5.5 |
2024-01-23 | CVE-2023-42144 | Shelly | Cleartext Transmission of Sensitive Information vulnerability in Shelly TRV Firmware 2.1.8 Cleartext Transmission during initial setup in Shelly TRV 20220811-15234 v.2.1.8 allows a local attacker to obtain the Wi-Fi password. | 5.5 |
2024-01-23 | CVE-2023-6573 | HP | Unspecified vulnerability in HP Oneview HPE OneView may have a missing passphrase during restore. | 5.5 |
2024-01-23 | CVE-2023-46343 | Linux | NULL Pointer Dereference vulnerability in Linux Kernel In the Linux kernel before 6.5.9, there is a NULL pointer dereference in send_acknowledge in net/nfc/nci/spi.c. | 5.5 |
2024-01-23 | CVE-2024-23848 | Linux | Use After Free vulnerability in Linux Kernel In the Linux kernel through 6.7.1, there is a use-after-free in cec_queue_msg_fh, related to drivers/media/cec/core/cec-adap.c and drivers/media/cec/core/cec-api.c. | 5.5 |
2024-01-23 | CVE-2024-23849 | Linux | Off-by-one Error vulnerability in Linux Kernel In rds_recv_track_latency in net/rds/af_rds.c in the Linux kernel through 6.7.1, there is an off-by-one error for an RDS_MSG_RX_DGRAM_TRACE_MAX comparison, resulting in out-of-bounds access. | 5.5 |
2024-01-23 | CVE-2024-23850 | Linux | Unspecified vulnerability in Linux Kernel In btrfs_get_root_ref in fs/btrfs/disk-io.c in the Linux kernel through 6.7.1, there can be an assertion failure and crash because a subvolume can be read out too soon after its root item is inserted upon subvolume creation. | 5.5 |
2024-01-23 | CVE-2024-23851 | Linux | Unspecified vulnerability in Linux Kernel copy_params in drivers/md/dm-ioctl.c in the Linux kernel through 6.7.1 can attempt to allocate more than INT_MAX bytes, and crash, because of a missing param_kernel->data_size check. | 5.5 |
2024-01-23 | CVE-2023-40528 | Apple | Unspecified vulnerability in Apple products This issue was addressed by removing the vulnerable code. | 5.5 |
2024-01-23 | CVE-2023-42888 | Apple | Unspecified vulnerability in Apple products The issue was addressed with improved checks. | 5.5 |
2024-01-23 | CVE-2023-42935 | Apple | Unspecified vulnerability in Apple Macos An authentication issue was addressed with improved state management. | 5.5 |
2024-01-23 | CVE-2023-42937 | Apple | Unspecified vulnerability in Apple products A privacy issue was addressed with improved private data redaction for log entries. | 5.5 |
2024-01-23 | CVE-2024-23207 | Apple | Unspecified vulnerability in Apple products This issue was addressed with improved redaction of sensitive information. | 5.5 |
2024-01-23 | CVE-2024-23215 | Apple | Unspecified vulnerability in Apple products An issue was addressed with improved handling of temporary files. | 5.5 |
2024-01-23 | CVE-2024-23224 | Apple | Unspecified vulnerability in Apple Macos The issue was addressed with improved checks. | 5.5 |
2024-01-22 | CVE-2024-0430 | Iobit | NULL Pointer Dereference vulnerability in Iobit Malware Fighter 11.0.0.1274 IObit Malware Fighter v11.0.0.1274 is vulnerable to a Denial of Service vulnerability by triggering the 0x8001E00C IOCTL code of the ImfHpRegFilter.sys driver. | 5.5 |
2024-01-22 | CVE-2024-23770 | Unix4Lyfe | Unspecified vulnerability in Unix4Lyfe Darkhttpd 1.13/1.131/1.14 darkhttpd through 1.15 allows local users to discover credentials (for --auth) by listing processes and their arguments. | 5.5 |
2024-01-22 | CVE-2024-0774 | Taurisoft | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Taurisoft ANY Sound Recorder 2.93 A vulnerability was found in Any-Capture Any Sound Recorder 2.93. | 5.5 |
2024-01-22 | CVE-2024-0772 | Nsasoft | Out-of-bounds Write vulnerability in Nsasoft Sharealarmpro 2.1.4 A vulnerability was found in Nsasoft ShareAlarmPro 2.1.4 and classified as problematic. | 5.5 |
2024-01-28 | CVE-2024-23782 | Appleple | Cross-site Scripting vulnerability in Appleple A-Blog CMS Cross-site scripting vulnerability exists in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.7, Ver.3.0.x series versions prior to Ver.3.0.29, Ver.2.11.x series versions prior to Ver.2.11.58, Ver.2.10.x series versions prior to Ver.2.10.50, and Ver.2.9.0 and earlier versions. | 5.4 |
2024-01-27 | CVE-2023-48201 | Sunlight CMS | Cross-site Scripting vulnerability in Sunlight-Cms Sunlight CMS 8.0.1 Cross Site Scripting (XSS) vulnerability in Sunlight CMS v.8.0.1, allows remote authenticated attackers to execute arbitrary code and escalate privileges via a crafted script to the Content text editor component. | 5.4 |
2024-01-27 | CVE-2023-48202 | Sunlight CMS | Cross-site Scripting vulnerability in Sunlight-Cms Sunlight CMS 8.0.1 Cross-Site Scripting (XSS) vulnerability in Sunlight CMS 8.0.1 allows an authenticated low-privileged user to escalate privileges via a crafted SVG file in the File Manager component. | 5.4 |
2024-01-27 | CVE-2024-0958 | Swapnilsahu | Cross-site Scripting vulnerability in Swapnilsahu Stock Management System 1.0 A vulnerability was found in CodeAstro Stock Management System 1.0 and classified as problematic. | 5.4 |
2024-01-27 | CVE-2024-0824 | Devscred | Cross-site Scripting vulnerability in Devscred Exclusive Addons for Elementor The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Link Anything functionality in all versions up to, and including, 2.6.8 due to insufficient input sanitization and output escaping. | 5.4 |
2024-01-26 | CVE-2023-48129 | Linecorp | Unspecified vulnerability in Linecorp Line 13.6.1 An issue in kimono-oldnew mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token. | 5.4 |
2024-01-26 | CVE-2023-48126 | Linecorp | Unspecified vulnerability in Linecorp Line 13.6.1 An issue in Luxe Beauty Clinic mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token. | 5.4 |
2024-01-26 | CVE-2023-48127 | Linecorp | Unspecified vulnerability in Linecorp Line 13.6.1 An issue in myGAKUYA mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token. | 5.4 |
2024-01-26 | CVE-2023-48128 | Linecorp | Unspecified vulnerability in Linecorp Line 13.6.1 An issue in UNITED BOXING GYM mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token. | 5.4 |
2024-01-26 | CVE-2023-48130 | Linecorp | Unspecified vulnerability in Linecorp Line 13.6.1 An issue in GINZA CAFE mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token. | 5.4 |
2024-01-26 | CVE-2023-48131 | Linecorp | Unspecified vulnerability in Linecorp Line 13.6.1 An issue in CHIGASAKI BAKERY mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token. | 5.4 |
2024-01-26 | CVE-2023-48132 | Linecorp | Unspecified vulnerability in Linecorp Line 13.6.1 An issue in kosei entertainment esportsstudioLegends mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token. | 5.4 |
2024-01-26 | CVE-2023-48133 | Linecorp | Unspecified vulnerability in Linecorp Line 13.6.1 An issue in angel coffee mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token. | 5.4 |
2024-01-26 | CVE-2023-48135 | Linecorp | Unspecified vulnerability in Linecorp Line 13.6.1 An issue in mimasaka_farm mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token. | 5.4 |
2024-01-26 | CVE-2023-5933 | Gitlab | Cross-site Scripting vulnerability in Gitlab An issue has been discovered in GitLab CE/EE affecting all versions after 13.7 before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. | 5.4 |
2024-01-25 | CVE-2024-0891 | Hongmaple | Cross-site Scripting vulnerability in Hongmaple Octopus 1.0 A vulnerability was found in hongmaple octopus 1.0. | 5.4 |
2024-01-24 | CVE-2024-23905 | Jenkins | Cross-site Scripting vulnerability in Jenkins RED HAT Dependency Analytics 0.7.0/0.7.1 Jenkins Red Hat Dependency Analytics Plugin 0.7.1 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. | 5.4 |
2024-01-24 | CVE-2023-43988 | Linecorp | Unspecified vulnerability in Linecorp Line 13.6.1 An issue in nature fitness saijo mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token. | 5.4 |
2024-01-24 | CVE-2023-43989 | Linecorp | Unspecified vulnerability in Linecorp Line 13.6.1 An issue in mokumoku chohu mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token. | 5.4 |
2024-01-24 | CVE-2023-43990 | Linecorp | Unspecified vulnerability in Linecorp Line 13.6.1 An issue in cherub-hair mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token. | 5.4 |
2024-01-24 | CVE-2023-43991 | Linecorp | Unspecified vulnerability in Linecorp Line 13.6.1 An issue in PRIMA CLINIC mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token. | 5.4 |
2024-01-24 | CVE-2023-43992 | Linecorp | Unspecified vulnerability in Linecorp Line 13.6.1 An issue in STOCKMAN GROUP mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token. | 5.4 |
2024-01-24 | CVE-2023-43993 | Linecorp | Unspecified vulnerability in Linecorp Line 13.6.1 An issue in smaregi_app_market mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token. | 5.4 |
2024-01-24 | CVE-2023-43994 | Linecorp | Unspecified vulnerability in Linecorp Line 13.6.1 An issue in Cleaning_makotoya mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token. | 5.4 |
2024-01-24 | CVE-2023-43995 | Linecorp | Unspecified vulnerability in Linecorp Line 13.6.1 An issue in picot.golf mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token. | 5.4 |
2024-01-24 | CVE-2023-43996 | Linecorp | Unspecified vulnerability in Linecorp Line 13.6.1 An issue in Q co ltd mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token. | 5.4 |
2024-01-24 | CVE-2023-43997 | Linecorp | Unspecified vulnerability in Linecorp Line 13.6.1 An issue in Yoruichi hobby base mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token. | 5.4 |
2024-01-24 | CVE-2023-43998 | Linecorp | Unspecified vulnerability in Linecorp Line 13.6.1 An issue in Books-futaba mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token. | 5.4 |
2024-01-24 | CVE-2023-43999 | Linecorp | Unspecified vulnerability in Linecorp Line 13.6.1 An issue in COLORFUL_laundry mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token. | 5.4 |
2024-01-24 | CVE-2023-44000 | Linecorp | Unspecified vulnerability in Linecorp Line 13.6.1 An issue in Otakara lapis totuka mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token. | 5.4 |
2024-01-24 | CVE-2023-44001 | Linecorp | Unspecified vulnerability in Linecorp Line 13.6.1 An issue in Ailand clinic mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token. | 5.4 |
2024-01-24 | CVE-2024-0854 | Synology | Open Redirect vulnerability in Synology Diskstation Manager URL redirection to untrusted site ('Open Redirect') vulnerability in file access component in Synology DiskStation Manager (DSM) before 7.2.1-69057-2 allows remote authenticated users to conduct phishing attacks via unspecified vectors. | 5.4 |
2024-01-23 | CVE-2023-47115 | Humansignal | Cross-site Scripting vulnerability in Humansignal Label Studio Label Studio is a popular open source data labeling tool. | 5.4 |
2024-01-23 | CVE-2023-38624 | Trendmicro | Server-Side Request Forgery (SSRF) vulnerability in Trendmicro Apex Central 2019 A post-authenticated server-side request forgery (SSRF) vulnerability in Trend Micro Apex Central 2019 (lower than build 6481) could allow an attacker to interact with internal or local services directly. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This is a similar, but not identical vulnerability as CVE-2023-38625 through CVE-2023-38627. | 5.4 |
2024-01-23 | CVE-2023-38625 | Trendmicro | Server-Side Request Forgery (SSRF) vulnerability in Trendmicro Apex Central 2019 A post-authenticated server-side request forgery (SSRF) vulnerability in Trend Micro Apex Central 2019 (lower than build 6481) could allow an attacker to interact with internal or local services directly. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This is a similar, but not identical vulnerability as CVE-2023-38624. | 5.4 |
2024-01-23 | CVE-2023-38626 | Trendmicro | Server-Side Request Forgery (SSRF) vulnerability in Trendmicro Apex Central 2019 A post-authenticated server-side request forgery (SSRF) vulnerability in Trend Micro Apex Central 2019 (lower than build 6481) could allow an attacker to interact with internal or local services directly. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This is a similar, but not identical vulnerability as CVE-2023-38625. | 5.4 |
2024-01-23 | CVE-2023-38627 | Trendmicro | Server-Side Request Forgery (SSRF) vulnerability in Trendmicro Apex Central 2019 A post-authenticated server-side request forgery (SSRF) vulnerability in Trend Micro Apex Central 2019 (lower than build 6481) could allow an attacker to interact with internal or local services directly. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This is a similar, but not identical vulnerability as CVE-2023-38626. | 5.4 |
2024-01-23 | CVE-2023-42143 | Shelly | Improper Validation of Integrity Check Value vulnerability in Shelly TRV Firmware 2.1.8 Missing Integrity Check in Shelly TRV 20220811-152343/v2.1.8@5afc928c allows malicious users to create a backdoor by redirecting the device to an attacker-controlled machine which serves the manipulated firmware file. | 5.4 |
2024-01-23 | CVE-2023-49657 | Apache | Cross-site Scripting vulnerability in Apache Superset A stored cross-site scripting (XSS) vulnerability exists in Apache Superset before 3.0.3. An authenticated attacker with create/update permissions on charts or dashboards could store a script or add a specific HTML snippet that would act as a stored XSS. For 2.X versions, users should change their config to include: `TALISMAN_CONFIG = { "content_security_policy": { "base-uri": ["'self'"], "default-src": ["'self'"], "img-src": ["'self'", "blob:", "data:"], "worker-src": ["'self'", "blob:"], "connect-src": ["'self'", "https://api.mapbox.com", "https://events.mapbox.com"], "object-src": "'none'", "style-src": ["'self'", "'unsafe-inline'"], "script-src": ["'self'", "'strict-dynamic'"] }, "content_security_policy_nonce_in": ["script-src"], "force_https": False, "session_cookie_secure": False }` | 5.4 |
2024-01-23 | CVE-2024-23183 | Appleple | Cross-site Scripting vulnerability in Appleple A-Blog CMS Cross-site scripting vulnerability in a-blog cms Ver.3.1.x series versions prior to Ver.3.1.7, Ver.3.0.x series versions prior to Ver.3.0.29, Ver.2.11.x series versions prior to Ver.2.11.58, Ver.2.10.x series versions prior to Ver.2.10.50, and Ver.2.9.0 and earlier allows a remote authenticated attacker to execute an arbitrary script on the logged-in user's web browser. | 5.4 |
2024-01-23 | CVE-2024-23345 | Networktocode | Cross-site Scripting vulnerability in Networktocode Nautobot Nautobot is a Network Source of Truth and Network Automation Platform built as a web application. | 5.4 |
2024-01-22 | CVE-2024-0776 | PB CMS Project | Cross-site Scripting vulnerability in Pb-Cms Project Pb-Cms 2.0 A vulnerability, which was classified as problematic, has been found in LinZhaoguan pb-cms 2.0. | 5.4 |
2024-01-22 | CVE-2024-0773 | Martinmbithi | Cross-site Scripting vulnerability in Martinmbithi Internet Banking System 1.0 A vulnerability classified as problematic was found in CodeAstro Internet Banking System 1.0. | 5.4 |
2024-01-26 | CVE-2024-0943 | Totolink | Insufficient Session Expiration vulnerability in Totolink N350Rt Firmware 9.3.5U.6255 A vulnerability was found in Totolink N350RT 9.3.5u.6255. | 5.3 |
2024-01-26 | CVE-2024-0944 | Totolink | Insufficient Session Expiration vulnerability in Totolink T8 Firmware 4.1.5Cu.83320220905 A vulnerability was found in Totolink T8 4.1.5cu.833_20220905. | 5.3 |
2024-01-26 | CVE-2023-5612 | Gitlab | Unspecified vulnerability in Gitlab An issue has been discovered in GitLab affecting all versions before 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. | 5.3 |
2024-01-26 | CVE-2024-21387 | Microsoft | Unspecified vulnerability in Microsoft Edge Chromium Microsoft Edge for Android Spoofing Vulnerability | 5.3 |
2024-01-25 | CVE-2024-23655 | Tuta | Unspecified vulnerability in Tuta Tutanota Tuta is an encrypted email service. | 5.3 |
2024-01-25 | CVE-2023-33760 | Splicecom | Improper Certificate Validation vulnerability in Splicecom Maximiser Soft PBX SpliceCom Maximiser Soft PBX v1.5 and before was discovered to utilize a default SSL certificate. | 5.3 |
2024-01-25 | CVE-2024-0617 | Quanticedgesolutions | Missing Authorization vulnerability in Quanticedgesolutions Category Discount Woocommerce The Category Discount Woocommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpcd_save_discount() function in all versions up to, and including, 4.12. | 5.3 |
2024-01-25 | CVE-2024-0624 | Strangerstudios | Cross-Site Request Forgery (CSRF) vulnerability in Strangerstudios Paid Memberships PRO The Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.12.7. | 5.3 |
2024-01-24 | CVE-2024-23903 | Jenkins | Incorrect Comparison vulnerability in Jenkins Github Branch Source Jenkins GitLab Branch Source Plugin 684.vea_fa_7c1e2fe3 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token. | 5.3 |
2024-01-23 | CVE-2024-22204 | Benbusby | Path Traversal vulnerability in Benbusby Whoogle Search Whoogle Search is a self-hosted metasearch engine. | 5.3 |
2024-01-23 | CVE-2024-23330 | Tuta | Server-Side Request Forgery (SSRF) vulnerability in Tuta Tutanota Tuta is an encrypted email service. | 5.3 |
2024-01-23 | CVE-2023-44401 | Silverstripe | Incorrect Authorization vulnerability in Silverstripe Graphql The Silverstripe CMS GraphQL Server serves Silverstripe data as GraphQL representations. | 5.3 |
2024-01-22 | CVE-2024-23340 | Hono | Path Traversal vulnerability in Hono Node-Server @hono/node-server is an adapter that allows users to run Hono applications on Node.js. | 5.3 |
2024-01-22 | CVE-2024-23677 | Splunk | Information Exposure Through Log Files vulnerability in Splunk Cloud and Splunk In Splunk Enterprise versions below 9.0.8, the Splunk RapidDiag utility discloses server responses from external applications in a log file. | 5.3 |
2024-01-22 | CVE-2023-6447 | Metagauss | Unspecified vulnerability in Metagauss Eventprime The EventPrime WordPress plugin before 3.3.6 lacks authentication and authorization, allowing unauthenticated visitors to access private and password protected Events by guessing their numeric id/event name. | 5.3 |
2024-01-27 | CVE-2023-6482 | Synaptics | Use of Hard-coded Credentials vulnerability in Synaptics Fingerprint Driver 6.0.00.1111 Use of encryption key derived from static information in Synaptics Fingerprint Driver allows an attacker to set up a TLS session with the fingerprint sensor and send restricted commands to the fingerprint sensor. This may allow an attacker, who has physical access to the sensor, to enroll a fingerprint into the template database. | 5.2 |
2024-01-27 | CVE-2024-0697 | Softaculous | Path Traversal vulnerability in Softaculous Backuply The Backuply – Backup, Restore, Migrate and Clone plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.2.3 via the node_id parameter in the backuply_get_jstree function. | 4.9 |
2024-01-27 | CVE-2024-0618 | Fluentforms | Cross-site Scripting vulnerability in Fluentforms Contact Form The Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via imported form titles in all versions up to, and including, 5.1.5 due to insufficient input sanitization and output escaping. | 4.8 |
2024-01-27 | CVE-2023-6497 | Tipsandtricks HQ | Cross-site Scripting vulnerability in Tipsandtricks-Hq Wordpress Simple Paypal Shopping Cart The WordPress Simple Shopping Cart plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the automatic redirect URL setting in all versions up to and including 4.7.1 due to insufficient input sanitization and output escaping. | 4.8 |
2024-01-27 | CVE-2024-0664 | Mekshq | Cross-site Scripting vulnerability in Mekshq Meks Smart Social Widget The Meks Smart Social Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Meks Smart Social Widget in all versions up to, and including, 1.6.3 due to insufficient input sanitization and output escaping. | 4.8 |
2024-01-26 | CVE-2024-20305 | Cisco | Cross-site Scripting vulnerability in Cisco Unity Connection A vulnerability in the web-based management interface of Cisco Unity Connection could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. | 4.8 |
2024-01-25 | CVE-2023-52046 | Webmin | Cross-site Scripting vulnerability in Webmin Cross Site Scripting vulnerability (XSS) in webmin v.2.105 and earlier allows a remote attacker to execute arbitrary code via a crafted payload to the "Execute cron job as" tab Input field. | 4.8 |
2024-01-25 | CVE-2024-0625 | Wpfront | Cross-site Scripting vulnerability in Wpfront Notification BAR The WPFront Notification Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wpfront-notification-bar-options[custom_class]’ parameter in all versions up to, and including, 3.3.2 due to insufficient input sanitization and output escaping. | 4.8 |
2024-01-25 | CVE-2024-0688 | Pubsubhubbub | Cross-site Scripting vulnerability in Pubsubhubbub Websub The "WebSub (FKA. | 4.8 |
2024-01-24 | CVE-2021-43584 | Nagios | Cross-site Scripting vulnerability in Nagios Cross Platform Agent DOM-based Cross Site Scripting (XSS) vulnerability in 'Tail Event Logs' functionality in Nagios Cross-Platform Agent (NCPA) before 2.4.0 allows attackers to run arbitrary code via the name element when filtering for a log. | 4.8 |
2024-01-24 | CVE-2024-22720 | Kanboard | Cross-site Scripting vulnerability in Kanboard 1.2.34 Kanboard 1.2.34 is vulnerable to HTML injection in the group management feature. | 4.8 |
2024-01-23 | CVE-2024-0703 | WOW Company | Cross-site Scripting vulnerability in Wow-Company Sticky Buttons The Sticky Buttons – floating buttons builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via sticky URLs in all versions up to, and including, 3.2.2 due to insufficient input sanitization and output escaping. | 4.8 |
2024-01-22 | CVE-2023-6290 | Seopress | Cross-site Scripting vulnerability in Seopress The SEOPress WordPress plugin before 7.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed | 4.8 |
2024-01-22 | CVE-2023-6456 | Ljapps | Cross-site Scripting vulnerability in Ljapps WP Review Slider The WP Review Slider WordPress plugin before 13.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | 4.8 |
2024-01-22 | CVE-2023-6626 | Gravitymaster | Cross-site Scripting vulnerability in Gravitymaster Product Enquiry for Woocommerce 3.0 The Product Enquiry for WooCommerce WordPress plugin before 3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | 4.8 |
2024-01-22 | CVE-2020-36772 | Cloudlinux | Externally Controlled Reference to a Resource in Another Sphere vulnerability in Cloudlinux Cagefs CloudLinux CageFS 7.0.8-2 or below insufficiently restricts file paths supplied to the sendmail proxy command. | 4.4 |
2024-01-26 | CVE-2024-0942 | Totolink | Insufficient Session Expiration vulnerability in Totolink N200Re-V5 Firmware 9.3.5U.6255B20211224 A vulnerability was found in Totolink N200RE V5 9.3.5u.6255_B20211224. | 4.3 |
2024-01-26 | CVE-2024-0456 | Gitlab | Unspecified vulnerability in Gitlab An authorization vulnerability exists in GitLab versions 14.0 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1. | 4.3 |
2024-01-26 | CVE-2024-21382 | Microsoft | Unspecified vulnerability in Microsoft Edge Chromium Microsoft Edge for Android Information Disclosure Vulnerability | 4.3 |
2024-01-25 | CVE-2024-21630 | Zulip | Missing Authorization vulnerability in Zulip Server Zulip is an open-source team collaboration tool. | 4.3 |
2024-01-25 | CVE-2024-0879 | Mintplexlabs | Improper Authentication vulnerability in Mintplexlabs Vector Admin Authentication bypass in vector-admin allows a user to register to a vector-admin server while “domain restriction” is active, even when not owning an authorized email address. | 4.3 |
2024-01-24 | CVE-2024-23900 | Jenkins | Unspecified vulnerability in Jenkins Matrix Project Jenkins Matrix Project Plugin 822.v01b_8c85d16d2 and earlier does not sanitize user-defined axis names of multi-configuration projects, allowing attackers with Item/Configure permission to create or replace any config.xml files on the Jenkins controller file system with content not controllable by the attackers. | 4.3 |
2024-01-24 | CVE-2024-23902 | Jenkins | Cross-Site Request Forgery (CSRF) vulnerability in Jenkins Gitlab Branch Source A cross-site request forgery (CSRF) vulnerability in Jenkins GitLab Branch Source Plugin 684.vea_fa_7c1e2fe3 and earlier allows attackers to connect to an attacker-specified URL. | 4.3 |
2024-01-24 | CVE-2024-22229 | Dell | Improper Encoding or Escaping of Output vulnerability in Dell products Dell Unity, versions prior to 5.4, contain a vulnerability whereby log messages can be spoofed by an authenticated attacker. | 4.3 |
2024-01-24 | CVE-2024-0805 | Google Fedoraproject | Inappropriate implementation in Downloads in Google Chrome prior to 121.0.6167.85 allowed a remote attacker to perform domain spoofing via a crafted domain name. | 4.3 |
2024-01-24 | CVE-2024-0809 | Google Fedoraproject | Inappropriate implementation in Autofill in Google Chrome prior to 121.0.6167.85 allowed a remote attacker to bypass Autofill restrictions via a crafted HTML page. | 4.3 |
2024-01-24 | CVE-2024-0810 | Google | Unspecified vulnerability in Google Chrome Insufficient policy enforcement in DevTools in Google Chrome prior to 121.0.6167.85 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted Chrome Extension. | 4.3 |
2024-01-24 | CVE-2024-0811 | Google Fedoraproject | Inappropriate implementation in Extensions API in Google Chrome prior to 121.0.6167.85 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted Chrome Extension. | 4.3 |
2024-01-23 | CVE-2023-48714 | Silverstripe | Incorrect Permission Assignment for Critical Resource vulnerability in Silverstripe Framework Silverstripe Framework is the framework that forms the base of the Silverstripe content management system. | 4.3 |
2024-01-23 | CVE-2023-49783 | Silverstripe | Incorrect Authorization vulnerability in Silverstripe Admin Silverstripe Admin provides a basic management interface for the Silverstripe Framework. | 4.3 |
2024-01-23 | CVE-2024-0742 | Mozilla Debian | It was possible for certain browser prompts and dialogs to be activated or dismissed unintentionally by the user due to an incorrect timestamp used to prevent input after page load. | 4.3 |
2024-01-23 | CVE-2024-0748 | Mozilla | Unspecified vulnerability in Mozilla Firefox A compromised content process could have updated the document URI. | 4.3 |
2024-01-23 | CVE-2024-0749 | Mozilla Debian | Origin Validation Error vulnerability in multiple products A phishing site could have repurposed an `about:` dialog to show phishing content with an incorrect origin in the address bar. | 4.3 |
2024-01-22 | CVE-2023-6384 | WP Eventmanager | Authorization Bypass Through User-Controlled Key vulnerability in Wp-Eventmanager User Profile Avatar The WP User Profile Avatar WordPress plugin before 1.0.1 does not properly check for authorisation, allowing authors to delete and update arbitrary avatars | 4.3 |
2024-01-22 | CVE-2023-6625 | Gravitymaster | Cross-Site Request Forgery (CSRF) vulnerability in Gravitymaster Product Enquiry for Woocommerce 3.0 The Product Enquiry for WooCommerce WordPress plugin before 3.1 does not have a CSRF check in place when deleting inquiries, which could allow attackers to make a logged in admin delete them via a CSRF attack | 4.3 |
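The Jenkins GitLab Branch Source entry above (CVE-2024-23903) is a reminder that a webhook token check which stops at the first mismatching byte leaks, through timing, how many leading bytes of a guess were right. The following is an added example, not code from the Jenkins plugin or from this report: it instruments a short-circuiting comparison with a byte counter that stands in for the timing side channel, recovers a constructed token one byte at a time through that oracle, and then shows the constant-time check that a webhook receiver should use instead. The token value and the helper names are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed sample secret (32 hex characters); not a real token from any product.
SAMPLE_TOKEN = b"3f9a1c0be47d2a6f5b8c9e1d0a2b4c6d"


def leaky_equals(expected: bytes, provided: bytes) -> tuple[bool, int]:
    """Byte-by-byte comparison that returns on the first mismatch.

    Returns (equal, bytes_examined). In a real server the second value is not
    returned, but it is what an attacker measures as response latency.
    """
    examined = 0
    if len(expected) != len(provided):
        return False, examined
    for a, b in zip(expected, provided):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def recover_token(oracle, length: int, alphabet: bytes = b"0123456789abcdef") -> bytes:
    """Rebuild the secret one position at a time using only the leak.

    `oracle(guess)` must return (equal, bytes_examined) as leaky_equals does.
    A guess whose first pos+1 bytes are right makes the server examine more
    than pos+1 bytes, which is the signal we key on. The padding byte 0x00 is
    outside the hex alphabet, so it never produces a false positive.
    """
    known = b""
    for pos in range(length):
        for c in alphabet:
            guess = known + bytes([c]) + b"\x00" * (length - pos - 1)
            equal, examined = oracle(guess)
            if equal or examined > pos + 1:
                known += bytes([c])
                break
        else:
            raise ValueError(f"no candidate extended the match at position {pos}")
    return known


def verify_webhook_token(expected: bytes, provided: bytes) -> bool:
    """Constant-time token check for a webhook receiver.

    Hashing both sides first gives compare_digest two equal-length inputs, so
    neither the position of the first differing byte nor the length of the
    caller's guess is reflected in the running time.
    """
    return hmac.compare_digest(
        hashlib.sha256(expected).digest(),
        hashlib.sha256(provided).digest(),
    )


if __name__ == "__main__":
    recovered = recover_token(lambda g: leaky_equals(SAMPLE_TOKEN, g), len(SAMPLE_TOKEN))
    print("recovered via leaky compare:", recovered == SAMPLE_TOKEN)
    print("constant-time accepts real token:", verify_webhook_token(SAMPLE_TOKEN, SAMPLE_TOKEN))
    print("constant-time rejects guess:", verify_webhook_token(SAMPLE_TOKEN, b"0" * 32))
```

On a real network the per-byte difference is nanoseconds and has to be averaged over many requests, which is the "statistical methods" the advisory refers to; the counter here makes the same information visible deterministically. The fix is not to rate-limit the webhook endpoint but to make the comparison's duration independent of the input, which `hmac.compare_digest` (or the equivalent `MessageDigest.isEqual` in Java) provides.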
8 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2024-01-22 | CVE-2024-23676 | Splunk | Unspecified vulnerability in Splunk Cloud and Splunk In Splunk versions below 9.0.8 and 9.1.3, the “mrollup” SPL command lets a low-privileged user view metrics on an index that they do not have permission to view. | 3.5 |
2024-01-28 | CVE-2024-23743 | Notion | Unspecified vulnerability in Notion 3.1.0 Notion through 3.1.0 on macOS might allow code execution because of RunAsNode and enableNodeCliInspectArguments. | 3.3 |
2024-01-26 | CVE-2024-21383 | Microsoft | Unspecified vulnerability in Microsoft Edge Chromium Microsoft Edge (Chromium-based) Spoofing Vulnerability | 3.3 |
2024-01-23 | CVE-2024-23210 | Apple | Unspecified vulnerability in Apple products This issue was addressed with improved redaction of sensitive information. | 3.3 |
2024-01-23 | CVE-2024-23211 | Apple | Unspecified vulnerability in Apple products A privacy issue was addressed with improved handling of user preferences. | 3.3 |
2024-01-23 | CVE-2024-23217 | Apple | Unspecified vulnerability in Apple products A privacy issue was addressed with improved handling of temporary files. | 3.3 |
2024-01-25 | CVE-2023-50785 | Zohocorp | Path Traversal vulnerability in Zohocorp Manageengine Adaudit Plus 7.2 Zoho ManageEngine ADAudit Plus before 7270 allows admin users to view names of arbitrary directories via path traversal. | 2.7 |
2024-01-26 | CVE-2024-21336 | Microsoft | Unspecified vulnerability in Microsoft Edge Chromium Microsoft Edge (Chromium-based) Spoofing Vulnerability | 2.5 |
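Several rows in this report are path traversal issues in directory-listing or file-serving code: Whoogle Search (CVE-2024-22204), @hono/node-server (CVE-2024-23340), the Backuply `node_id` parameter (CVE-2024-0697) and ADAudit Plus directory names (CVE-2023-50785). The common fix is to resolve the user-supplied path under a fixed base directory and refuse the request if the result lies outside it. The following is an added example written for this report, not code from any of those projects: a guard that normalises `..` segments, rejects absolute paths, and follows symlinks before checking containment, exercised against a constructed directory tree. The function names and the tree layout are assumptions made for the demonstration.

```python
import os
import tempfile
from pathlib import Path


def resolve_within(base_dir: str, user_path: str) -> str:
    """Return the absolute path of user_path under base_dir, or raise.

    Containment is checked after Path.resolve(), which collapses '..' segments
    and follows symlinks, so 'a/../../x' and a symlink that points outside the
    base are both caught. Absolute user paths are rejected outright rather than
    silently re-rooted, which keeps the caller's intent visible in logs.
    """
    if Path(user_path).is_absolute():
        raise PermissionError(f"absolute path not allowed: {user_path!r}")
    base = Path(base_dir).resolve()
    candidate = (base / user_path).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise PermissionError(f"path escapes {base}: {user_path!r}") from None
    return str(candidate)


def list_node(base_dir: str, node_id: str) -> list[str]:
    """Directory listing of the kind a tree-browser parameter such as node_id drives."""
    return sorted(os.listdir(resolve_within(base_dir, node_id)))


def run_checks() -> dict[str, str]:
    """Build a constructed tree in a temp dir and probe the guard.

    Layout (all constructed for the example):
        <tmp>/backups/site1/          the allowed base and one child
        <tmp>/backups/escape -> <tmp>/secret   symlink pointing outside
        <tmp>/secret/                 must never be reachable
    Returns {probe: "allowed" | "blocked"}.
    """
    root = tempfile.mkdtemp()
    base = os.path.join(root, "backups")
    os.makedirs(os.path.join(base, "site1"))
    outside = os.path.join(root, "secret")
    os.makedirs(outside)
    os.symlink(outside, os.path.join(base, "escape"))

    probes = [
        "site1",                 # plain child
        "site1/../site1",        # '..' that stays inside
        "../secret",             # classic traversal
        "site1/../../secret",    # traversal hidden behind a valid prefix
        "/etc",                  # absolute path
        "escape",                # symlink out of the base
    ]
    results = {}
    for probe in probes:
        try:
            resolve_within(base, probe)
            results[probe] = "allowed"
        except PermissionError:
            results[probe] = "blocked"
    return results


if __name__ == "__main__":
    for probe, verdict in run_checks().items():
        print(f"{verdict:8} {probe}")
```

Checking containment on the resolved path rather than on the raw string is what makes the symlink case work; a guard that only strips `../` from the input would have passed `escape` and listed the directory outside the base. When the application must follow symlinks inside the base by design, resolve the base with the same call so that both sides are canonical before `relative_to` runs, as the example does.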