Total
158 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-6618 | 1 Oretnom23 | 1 Simple Student Attendance System | 2024-05-17 | 5.2 MEDIUM | 8.8 HIGH |
| A vulnerability was found in SourceCodester Simple Student Attendance System 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file index.php. The manipulation of the argument page leads to file inclusion. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-247255. | |||||
| CVE-2014-125044 | 1 Wing-tight Project | 1 Wing-tight | 2024-05-17 | 6.5 MEDIUM | 9.8 CRITICAL |
| A vulnerability, which was classified as critical, was found in soshtolsus wing-tight. This affects an unknown part of the file index.php. The manipulation of the argument p leads to file inclusion. It is possible to initiate the attack remotely. Upgrading to version 1.0.0 is able to address this issue. The patch is named 567bc33e6ed82b0d0179c9add707ac2b257aeaf2. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217515. | |||||
| CVE-2024-32980 | 2024-05-08 | N/A | 9.1 CRITICAL | ||
| Spin is the developer tool for building and running serverless applications powered by WebAssembly. Prior to 2.4.3, some specifically configured Spin applications that use `self` requests without a specified URL authority can be induced to make requests to arbitrary hosts via the `Host` HTTP header. The following conditions need to be met for an application to be vulnerable: 1. The environment Spin is deployed in routes requests to the Spin runtime based on the request URL instead of the `Host` header, and leaves the `Host` header set to its original value; 2. The Spin application's component handling the incoming request is configured with an `allow_outbound_hosts` list containing `"self"`; and 3. In reaction to an incoming request, the component makes an outbound request whose URL doesn't include the hostname/port. Spin 2.4.3 has been released to fix this issue. | |||||
| CVE-2023-30943 | 2 Fedoraproject, Moodle | 3 Extra Packages For Enterprise Linux, Fedora, Moodle | 2024-04-19 | N/A | 5.3 MEDIUM |
| The vulnerability was found Moodle which exists because the application allows a user to control path of the older to create in TinyMCE loaders. A remote user can send a specially crafted HTTP request and create arbitrary folders on the system. | |||||
| CVE-2022-43513 | 1 Siemens | 1 Automation License Manager | 2024-04-09 | N/A | 7.5 HIGH |
| A vulnerability has been identified in Automation License Manager V5 (All versions), Automation License Manager V6 (All versions < V6.0 SP9 Upd4), TeleControl Server Basic V3 (All versions < V3.1.2). The affected components allow to rename license files with user chosen input without authentication. This could allow an unauthenticated remote attacker to rename and move files as SYSTEM user. | |||||
| CVE-2020-36772 | 1 Cloudlinux | 1 Cagefs | 2024-03-28 | N/A | 4.4 MEDIUM |
| CloudLinux CageFS 7.0.8-2 or below insufficiently restricts file paths supplied to the sendmail proxy command. This allows local users to read and write arbitrary files of certain file formats outside the CageFS environment. | |||||
| CVE-2024-24818 | 2024-03-21 | N/A | 5.9 MEDIUM | ||
| EspoCRM is an Open Source Customer Relationship Management software. An attacker can inject arbitrary IP or domain in "Password Change" page and redirect victim to malicious page that could lead to credential stealing or another attack. This vulnerability is fixed in 8.1.2. | |||||
| CVE-2023-49863 | 1 Wwbn | 1 Avideo | 2024-02-28 | N/A | 6.5 MEDIUM |
| An information disclosure vulnerability exists in the aVideoEncoderReceiveImage.json.php image upload functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary file read.This vulnerability is triggered by the `downloadURL_webpimage` parameter. | |||||
| CVE-2023-35985 | 1 Foxitsoftware | 1 Foxit Reader | 2024-02-28 | N/A | 8.8 HIGH |
| An arbitrary file creation vulnerability exists in the Javascript exportDataObject API of Foxit Reader 12.1.3.15356 due to a failure to properly validate a dangerous extension. A specially crafted malicious file can create files at arbitrary locations, which can lead to arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially-crafted malicious site if the browser plugin extension is enabled. | |||||
| CVE-2023-5247 | 1 Mitsubishielectric | 4 Gx Works3, Melsoft Iq Appportal, Melsoft Navigator and 1 more | 2024-02-28 | N/A | 7.8 HIGH |
| Malicious Code Execution Vulnerability due to External Control of File Name or Path in multiple Mitsubishi Electric FA Engineering Software Products allows a malicious attacker to execute a malicious code by having legitimate users open a specially crafted project file, which could result in information disclosure, tampering and deletion, or a denial-of-service (DoS) condition. | |||||
| CVE-2023-49864 | 1 Wwbn | 1 Avideo | 2024-02-28 | N/A | 6.5 MEDIUM |
| An information disclosure vulnerability exists in the aVideoEncoderReceiveImage.json.php image upload functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary file read.This vulnerability is triggered by the `downloadURL_image` parameter. | |||||
| CVE-2023-40194 | 1 Foxitsoftware | 1 Foxit Reader | 2024-02-28 | N/A | 8.8 HIGH |
| An arbitrary file creation vulnerability exists in the Javascript exportDataObject API of Foxit Reader 12.1.3.15356 due to mistreatment of whitespace characters. A specially crafted malicious file can create files at arbitrary locations, which can lead to arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially crafted, malicious site if the browser plugin extension is enabled. | |||||
| CVE-2023-6569 | 1 H2o | 1 H2o | 2024-02-28 | N/A | 8.2 HIGH |
| External Control of File Name or Path in h2oai/h2o-3 | |||||
| CVE-2023-49862 | 1 Wwbn | 1 Avideo | 2024-02-28 | N/A | 6.5 MEDIUM |
| An information disclosure vulnerability exists in the aVideoEncoderReceiveImage.json.php image upload functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary file read.This vulnerability is triggered by the `downloadURL_gifimage` parameter. | |||||
| CVE-2024-23639 | 1 Objectcomputing | 1 Micronaut | 2024-02-28 | N/A | 7.8 HIGH |
| Micronaut Framework is a modern, JVM-based, full stack Java framework designed for building modular, easily testable JVM applications with support for Java, Kotlin and the Groovy language. Enabled but unsecured management endpoints are susceptible to drive-by localhost attacks. While not typical of a production application, these attacks may have more impact on a development environment where such endpoints may be flipped on without much thought. A malicious/compromised website can make HTTP requests to `localhost`. Normally, such requests would trigger a CORS preflight check which would prevent the request; however, some requests are "simple" and do not require a preflight check. These endpoints, if enabled and not secured, are vulnerable to being triggered. Production environments typically disable unused endpoints and secure/restrict access to needed endpoints. A more likely victim is the developer in their local development host, who has enabled endpoints without security for the sake of easing development. This issue has been addressed in version 3.8.3. Users are advised to upgrade. | |||||
| CVE-2024-24760 | 1 Mailcow | 1 Mailcow\ | 2024-02-28 | N/A | 7.3 HIGH |
| mailcow is a dockerized email package, with multiple containers linked in one bridged network. A security vulnerability has been identified in mailcow affecting versions < 2024-01c. This vulnerability potentially allows attackers on the same subnet to connect to exposed ports of a Docker container, even when the port is bound to 127.0.0.1. The vulnerability has been addressed by implementing additional iptables/nftables rules. These rules drop packets for Docker containers on ports 3306, 6379, 8983, and 12345, where the input interface is not `br-mailcow` and the output interface is `br-mailcow`. | |||||
| CVE-2023-39542 | 1 Foxitsoftware | 1 Foxit Reader | 2024-02-28 | N/A | 8.8 HIGH |
| A code execution vulnerability exists in the Javascript saveAs API of Foxit Reader 12.1.3.15356. A specially crafted malformed file can create arbitrary files, which can lead to remote code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially crafted, malicious site if the browser plugin extension is enabled. | |||||
| CVE-2023-38046 | 1 Paloaltonetworks | 1 Pan-os | 2024-02-28 | N/A | 4.9 MEDIUM |
| A vulnerability exists in Palo Alto Networks PAN-OS software that enables an authenticated administrator with the privilege to commit a specifically created configuration to read local files and resources from the system. | |||||
| CVE-2023-32615 | 1 Openautomationsoftware | 1 Oas Platform | 2024-02-28 | N/A | 8.1 HIGH |
| A file write vulnerability exists in the OAS Engine configuration functionality of Open Automation Software OAS Platform v18.00.0072. A specially crafted series of network requests can lead to arbitrary file creation or overwrite. An attacker can send a sequence of requests to trigger this vulnerability. | |||||
| CVE-2023-37855 | 1 Phoenixcontact | 12 Wp 6070-wvps, Wp 6070-wvps Firmware, Wp 6101-wxps and 9 more | 2024-02-28 | N/A | 4.3 MEDIUM |
| In PHOENIX CONTACTs WP 6xxx series web panels in versions prior to 4.0.10 a remote attacker with low privileges is able to gain limited read-access to the device-filesystem within the embedded Qt browser. | |||||