Total
1631 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2024-41617 | 2024-10-29 | N/A | 9.8 CRITICAL | ||
Money Manager EX WebApp (web-money-manager-ex) 1.2.2 is vulnerable to Incorrect Access Control. The `redirect_if_not_loggedin` function in `functions_security.php` fails to terminate script execution after redirecting unauthenticated users. This flaw allows an unauthenticated attacker to upload arbitrary files, potentially leading to Remote Code Execution. | |||||
CVE-2024-44667 | 2024-10-29 | N/A | 8.0 HIGH | ||
Shenzhen Haichangxing Technology Co., Ltd HCX H822 4G LTE Router M7628NNxISPxUIv2_v1.0.1557.15.35_P0 is vulnerable to Incorrect Access Control. Unauthenticated factory mode reset and command injection leads to information exposure and root shell access. | |||||
CVE-2024-9825 | 2024-10-29 | N/A | 5.4 MEDIUM | ||
The Chef Habitat builder-api on-prem-builder package with any version lower than habitat/builder-api/10315/20240913162802 is vulnerable to indirect object reference (IDOR) by un-authorized deletion of personal token. Habitat builder consumes builder-api habitat package as a dependency and the vulnerability was specifically due to builder-api habitat package. The fix was made available in habitat/builder-api/10315/20240913162802 and all the subsequent versions after that. We would recommend user to always use on-prem stable channel. | |||||
CVE-2024-45261 | 2024-10-28 | N/A | 8.0 HIGH | ||
An issue was discovered on certain GL-iNet devices, including MT6000, MT3000, MT2500, AXT1800, and AX1800 4.6.2. The SID generated for a specific user is not tied to that user itself, which allows other users to potentially use it for authentication. Once an attacker bypasses the application's authentication procedures, they can generate a valid SID, escalate privileges, and gain full control. | |||||
CVE-2024-45260 | 2024-10-28 | N/A | 8.0 HIGH | ||
An issue was discovered on certain GL-iNet devices, including MT6000, MT3000, MT2500, AXT1800, and AX1800 4.6.2. Users who belong to unauthorized groups can invoke any interface of the device, thereby gaining complete control over it. | |||||
CVE-2024-47025 | 1 Google | 1 Android | 2024-10-28 | N/A | 5.5 MEDIUM |
In ppmp_protect_buf of drm_fw.c, there is a possible information disclosure due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
CVE-2024-44099 | 1 Google | 1 Android | 2024-10-28 | N/A | 5.5 MEDIUM |
There is a possible Local bypass of user interaction due to an insecure default value. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
CVE-2024-49208 | 1 Archerirm | 1 Archer | 2024-10-25 | N/A | 3.1 LOW |
Archer Platform 2024.03 before version 2024.08 is affected by an authorization bypass vulnerability related to supporting application files. A remote unprivileged attacker could potentially exploit this vulnerability to elevate their privileges and delete system icons. | |||||
CVE-2024-49209 | 1 Archerirm | 1 Archer | 2024-10-25 | N/A | 4.3 MEDIUM |
Archer Platform 2024.03 before version 2024.09 is affected by an API authorization bypass vulnerability related to supporting application files. A remote unprivileged attacker could potentially exploit this vulnerability to elevate their privileges and upload additional system icons. | |||||
CVE-2024-48540 | 2024-10-25 | N/A | 6.2 MEDIUM | ||
Incorrect access control in XIAO HE Smart 4.3.1 allows attackers to access sensitive information by analyzing the code and data within the APK file. | |||||
CVE-2024-48925 | 1 Umbraco | 1 Umbraco Cms | 2024-10-25 | N/A | 6.5 MEDIUM |
Umbraco, a free and open source .NET content management system, has an improper access control issue starting in version 14.0.0 and prior to version 14.3.0. The issue allows low-privilege users to access the webhook API and retrieve information that should be restricted to users with access to the settings section. Version 14.3.0 contains a patch. | |||||
CVE-2024-48548 | 2024-10-25 | N/A | 9.3 CRITICAL | ||
The APK file in Cloud Smart Lock v2.0.1 has a leaked a URL that can call an API for binding physical devices. This vulnerability allows attackers to arbitrarily construct a request to use the app to bind to unknown devices by finding a valid serial number via a bruteforce attack. | |||||
CVE-2024-48545 | 2024-10-25 | N/A | 8.4 HIGH | ||
Incorrect access control in the firmware update and download processes of IVY Smart v4.5.0 allows attackers to access sensitive information by analyzing the code and data within the APK file. | |||||
CVE-2024-48544 | 2024-10-25 | N/A | 8.4 HIGH | ||
Incorrect access control in the firmware update and download processes of Sylvania Smart Home v3.0.3 allows attackers to access sensitive information by analyzing the code and data within the APK file. | |||||
CVE-2024-48546 | 2024-10-25 | N/A | 8.4 HIGH | ||
Incorrect access control in the firmware update and download processes of Wear Sync v1.2.0 allows attackers to access sensitive information by analyzing the code and data within the APK file. | |||||
CVE-2024-48547 | 2024-10-25 | N/A | 8.4 HIGH | ||
Incorrect access control in the firmware update and download processes of DreamCatcher Life v1.8.7 allows attackers to access sensitive information by analyzing the code and data within the APK file. | |||||
CVE-2024-48541 | 2024-10-25 | N/A | 8.4 HIGH | ||
Incorrect access control in the firmware update and download processes of Ruochan Smart v4.4.7 allows attackers to access sensitive information by analyzing the code and data within the APK file. | |||||
CVE-2024-48542 | 2024-10-25 | N/A | 8.4 HIGH | ||
Incorrect access control in the firmware update and download processes of Yamaha Headphones Controller v1.6.7 allows attackers to access sensitive information by analyzing the code and data within the APK file. | |||||
CVE-2024-42966 | 1 Totolink | 2 N350rt, N350rt Firmware | 2024-10-24 | N/A | 9.8 CRITICAL |
Incorrect access control in TOTOLINK N350RT V9.3.5u.6139_B20201216 allows attackers to obtain the apmib configuration file, which contains the username and the password, via a crafted request to /cgi-bin/ExportSettings.sh. | |||||
CVE-2024-10173 | 1 Didiglobal | 1 Ddmq | 2024-10-22 | 7.5 HIGH | 7.5 HIGH |
A vulnerability has been found in didi DDMQ 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the component Console Module. The manipulation with the input /;login leads to improper authentication. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way. |