Total
980 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2024-21623 | 1 Mehah | 1 Otclient | 2024-11-21 | N/A | 9.8 CRITICAL |
OTCLient is an alternative tibia client for otserv. Prior to commit db560de0b56476c87a2f967466407939196dd254, the /mehah/otclient "`Analysis - SonarCloud`" workflow is vulnerable to an expression injection in Actions, allowing an attacker to run commands remotely on the runner, leak secrets, and alter the repository using this workflow. Commit db560de0b56476c87a2f967466407939196dd254 contains a fix for this issue. | |||||
CVE-2024-20429 | 2024-11-21 | N/A | 6.5 MEDIUM | ||
A vulnerability in the web-based management interface of Cisco AsyncOS for Secure Email Gateway could allow an authenticated, remote attacker to execute arbitrary system commands on an affected device. This vulnerability is due to insufficient input validation in certain portions of the web-based management interface. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected device. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with root privileges. To successfully exploit this vulnerability, an attacker would need at least valid Operator credentials. | |||||
CVE-2024-1619 | 2024-11-21 | N/A | 6.1 MEDIUM | ||
Kaspersky has fixed a security issue in the Kaspersky Security 8.0 for Linux Mail Server. The issue was that an attacker could potentially force an administrator to click on a malicious link to perform unauthorized actions. | |||||
CVE-2024-0552 | 1 Intumit | 2 Smartrobot, Smartrobot Firmware | 2024-11-21 | N/A | 9.8 CRITICAL |
Intumit inc. SmartRobot's web framwork has a remote code execution vulnerability. An unauthorized remote attacker can exploit this vulnerability to execute arbitrary commands on the remote server. | |||||
CVE-2024-0231 | 1 Gitlab | 1 Gitlab | 2024-11-21 | N/A | 2.7 LOW |
A resource misdirection vulnerability in GitLab CE/EE versions 12.0 prior to 17.0.5, 17.1 prior to 17.1.3, and 17.2 prior to 17.2.1 allows an attacker to craft a repository import in such a way as to misdirect commits. | |||||
CVE-2023-6458 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | N/A | 7.1 HIGH |
Mattermost webapp fails to validate route parameters in/<TEAM_NAME>/channels/<CHANNEL_NAME> allowing an attacker to perform a client-side path traversal. | |||||
CVE-2023-6174 | 2 Debian, Wireshark | 2 Debian Linux, Wireshark | 2024-11-21 | N/A | 6.3 MEDIUM |
SSH dissector crash in Wireshark 4.0.0 to 4.0.10 allows denial of service via packet injection or crafted capture file | |||||
CVE-2023-6004 | 3 Fedoraproject, Libssh, Redhat | 3 Fedora, Libssh, Enterprise Linux | 2024-11-21 | N/A | 4.8 MEDIUM |
A flaw was found in libssh. By utilizing the ProxyCommand or ProxyJump feature, users can exploit unchecked hostname syntax on the client. This issue may allow an attacker to inject malicious code into the command of the features mentioned through the hostname parameter. | |||||
CVE-2023-5340 | 1 Fivestarplugins | 1 Five Star Restaurant Menu | 2024-11-21 | N/A | 9.8 CRITICAL |
The Five Star Restaurant Menu and Food Ordering WordPress plugin before 2.4.11 unserializes user input via an AJAX action available to unauthenticated users, allowing them to perform PHP Object Injection when a suitable gadget is present on the blog. | |||||
CVE-2023-5043 | 1 Kubernetes | 1 Ingress-nginx | 2024-11-21 | N/A | 7.6 HIGH |
Ingress nginx annotation injection causes arbitrary command execution. | |||||
CVE-2023-52081 | 1 Ewen-lbh | 1 Firefox Css | 2024-11-21 | N/A | 5.3 MEDIUM |
ffcss is a CLI interface to apply and configure Firefox CSS themes. Prior to 0.2.0, the function `lookupPreprocess()` is meant to apply some transformations to a string by disabling characters in the regex `[-_ .]`. However, due to the use of late Unicode normalization of type NFKD, it is possible to bypass that validation and re-introduce all the characters in the regex `[-_ .]`. The `lookupPreprocess()` can be easily bypassed with equivalent Unicode characters like U+FE4D (﹍), which would result in the omitted U+005F (_), for instance. The `lookupPreprocess()` function is only ever used to search for themes loosely (case insensitively, while ignoring dashes, underscores and dots), so the actual security impact is classified as low. This vulnerability is fixed in 0.2.0. There are no known workarounds. | |||||
CVE-2023-51939 | 1 Relic Project | 1 Relic | 2024-11-21 | N/A | 8.8 HIGH |
An issue in the cp_bbs_sig function in relic/src/cp/relic_cp_bbs.c of Relic relic-toolkit 0.6.0 allows a remote attacker to obtain sensitive information and escalate privileges via the cp_bbs_sig function. | |||||
CVE-2023-51446 | 1 Glpi-project | 1 Glpi | 2024-11-21 | N/A | 5.9 MEDIUM |
GLPI is a Free Asset and IT Management Software package. When authentication is made against a LDAP, the authentication form can be used to perform LDAP injection. Upgrade to 10.0.12. | |||||
CVE-2023-50093 | 1 Apiida | 1 Api Gateway Manager | 2024-11-21 | N/A | 6.1 MEDIUM |
APIIDA API Gateway Manager for Broadcom Layer7 v2023.2.2 is vulnerable to Host Header Injection. | |||||
CVE-2023-4818 | 1 Paxtechnology | 2 A920, Paydroid | 2024-11-21 | N/A | 7.6 HIGH |
PAX A920 device allows to downgrade bootloader due to a bug in its version check. The signature is correctly checked and only bootloader signed by PAX can be used. The attacker must have physical USB access to the device in order to exploit this vulnerability. | |||||
CVE-2023-4767 | 1 Zohocorp | 1 Manageengine Desktop Central | 2024-11-21 | N/A | 6.1 MEDIUM |
A CRLF injection vulnerability has been found in ManageEngine Desktop Central affecting version 9.1.0. This vulnerability could allow a remote attacker to inject arbitrary HTTP headers and perform HTTP response splitting attacks via the fileName parameter in /STATE_ID/1613157927228/InvSWMetering.csv. | |||||
CVE-2023-4478 | 1 Mattermost | 1 Mattermost Server | 2024-11-21 | N/A | 4.3 MEDIUM |
Mattermost fails to restrict which parameters' values it takes from the request during signup allowing an attacker to register users as inactive, thus blocking them from later accessing Mattermost without the system admin activating their accounts. | |||||
CVE-2023-4450 | 1 Jeecg | 1 Jimureport | 2024-11-21 | 6.5 MEDIUM | 6.3 MEDIUM |
A vulnerability was found in jeecgboot JimuReport up to 1.6.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the component Template Handler. The manipulation leads to injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.6.1 is able to address this issue. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-237571. | |||||
CVE-2023-4393 | 1 Liquidfiles | 1 Liquidfiles | 2024-11-21 | N/A | 5.4 MEDIUM |
HTML and SMTP injections on the registration page of LiquidFiles versions 3.7.13 and below, allow an attacker to perform more advanced phishing attacks against an organization. | |||||
CVE-2023-4197 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2024-11-21 | N/A | 7.5 HIGH |
Improper input validation in Dolibarr ERP CRM <= v18.0.1 fails to strip certain PHP code from user-supplied input when creating a Website, allowing an attacker to inject and evaluate arbitrary PHP code. |