Total
28981 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-40850 | 1 Netentsec | 2 Ns-asg, Ns-asg Firmware | 2024-09-26 | N/A | 7.5 HIGH |
netentsec NS-ASG 6.3 is vulnerable to Incorrect Access Control. There is a file leak in the website source code of the application security gateway. | |||||
CVE-2021-35587 | 1 Oracle | 1 Access Manager | 2024-09-26 | 7.5 HIGH | 9.8 CRITICAL |
Vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware (component: OpenSSO Agent). Supported versions that are affected are 11.1.2.3.0, 12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. Successful attacks of this vulnerability can result in takeover of Oracle Access Manager. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | |||||
CVE-2024-7626 | 1 Wpdelicious | 1 Wp Delicious | 2024-09-25 | N/A | 8.1 HIGH |
The WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes) plugin for WordPress is vulnerable to arbitrary file movement and reading due to insufficient file path validation in the save_edit_profile_details() function in all versions up to, and including, 1.6.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php). This can also lead to the reading of arbitrary files that may contain sensitive information like wp-config.php. | |||||
CVE-2024-9003 | 1 Jflow Project | 1 Jflow | 2024-09-25 | 4.0 MEDIUM | 5.3 MEDIUM |
A vulnerability was found in Jinan Chicheng Company JFlow 2.0.0. It has been rated as problematic. This issue affects the function AttachmentUploadController of the file /WF/Ath/EntityMutliFile_Load.do of the component Attachment Handler. The manipulation of the argument oid leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
CVE-2007-2534 | 1 Phphoo3 | 1 Phphoo3 | 2024-09-25 | 7.5 HIGH | 9.8 CRITICAL |
Multiple SQL injection vulnerabilities in admin.php in phpHoo3 allow remote attackers to execute arbitrary SQL commands via the (1) ADMIN_USER (USER) and (2) ADMIN_PASS (PASS) parameters during a login. NOTE: CVE disputes this vulnerability, since ADMIN_USER/ADMIN_PASS are initialized before use | |||||
CVE-2024-6153 | 1 Parallels | 1 Parallels Desktop | 2024-09-25 | N/A | 7.8 HIGH |
Parallels Desktop Updater Protection Mechanism Failure Software Downgrade Vulnerability. This vulnerability allows local attackers to downgrade Parallels software on affected installations of Parallels Desktop. An attacker must first obtain the ability to execute low-privileged code on the target host system in order to exploit this vulnerability. The specific flaw exists within the Updater service. The issue results from the lack of proper validation of version information before performing an update. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of root. Was ZDI-CAN-19481. | |||||
CVE-2023-43141 | 1 Totolink | 4 A3700r, A3700r Firmware, N600r and 1 more | 2024-09-25 | N/A | 9.8 CRITICAL |
TOTOLINK A3700R V9.1.2u.6134_B20201202 and N600R V5.3c.5137 are vulnerable to Incorrect Access Control. | |||||
CVE-2023-31718 | 1 Frangoteam | 1 Fuxa | 2024-09-25 | N/A | 7.5 HIGH |
FUXA <= 1.1.12 is vulnerable to Local via Inclusion via /api/download. | |||||
CVE-2023-31716 | 1 Frangoteam | 1 Fuxa | 2024-09-25 | N/A | 7.5 HIGH |
FUXA <= 1.1.12 has a Local File Inclusion vulnerability via file=fuxa.log | |||||
CVE-2024-37138 | 1 Dell | 1 Data Domain Operating System | 2024-09-23 | N/A | 6.8 MEDIUM |
Dell PowerProtect DD, versions prior to 8.0, LTS 7.13.1.0, LTS 7.10.1.30, LTS 7.7.5.40 on DDMC contain a relative path traversal vulnerability. A remote high privileged attacker could potentially exploit this vulnerability, leading to the application sending over an unauthorized file to the managed system. | |||||
CVE-2024-33848 | 1 Intel | 1 Raid Web Console | 2024-09-23 | N/A | 5.5 MEDIUM |
Uncaught exception in Intel(R) RAID Web Console software all versions may allow an authenticated user to potentially enable denial of service via local access. | |||||
CVE-2024-45833 | 1 Mattermost | 1 Mattermost Mobile | 2024-09-23 | N/A | 6.5 MEDIUM |
Mattermost Mobile Apps versions <=2.18.0 fail to disable autocomplete during login while typing the password and visible password is selected, which allows the password to get saved in the dictionary when the user has Swiftkey as the default keyboard, the masking is off and the password contains a special character.. | |||||
CVE-2024-6128 | 1 Spa-cart | 1 Spa-cartcms | 2024-09-20 | 5.0 MEDIUM | 5.3 MEDIUM |
A vulnerability, which was classified as problematic, has been found in spa-cartcms 1.9.0.6. This issue affects some unknown processing of the file /checkout of the component Checkout Page. The manipulation of the argument quantity with the input -10 leads to enforcement of behavioral workflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-268895. | |||||
CVE-2024-6299 | 1 Conduit | 1 Conduit | 2024-09-20 | N/A | 3.7 LOW |
Lack of consideration of key expiry when validating signatures in Conduit, allowing an attacker which has compromised an expired key to forge requests as the remote server, as well as PDUs with timestamps past the expiry date | |||||
CVE-2024-31197 | 1 Opennetworking | 1 Libfluid Msg | 2024-09-20 | N/A | 7.5 HIGH |
Improper Null Termination vulnerability in Open Networking Foundation (ONF) libfluid (libfluid_msg module). This vulnerability is associated with program routine fluid_msg::of10::Port:unpack. This issue affects libfluid: 0.1.0. | |||||
CVE-2024-6302 | 1 Conduit | 1 Conduit | 2024-09-20 | N/A | 5.5 MEDIUM |
Lack of privilege checking when processing a redaction in Conduit versions v0.6.0 and lower, allowing a local user to redact any message from users on the same server, given that they are able to send redaction events. | |||||
CVE-2024-35154 | 1 Ibm | 1 Websphere Application Server | 2024-09-20 | N/A | 7.2 HIGH |
IBM WebSphere Application Server 8.5 and 9.0 could allow a remote authenticated attacker, who has authorized access to the administrative console, to execute arbitrary code. Using specially crafted input, the attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 292641. | |||||
CVE-2023-46389 | 1 Loytec | 4 Linx-151, Linx-151 Firmware, Linx-212 and 1 more | 2024-09-20 | N/A | 7.5 HIGH |
LOYTEC electronics GmbH LINX-212 and LINX-151 devices (all versions) are vulnerable to Incorrect Access Control via registry.xml file. This vulnerability allows remote attackers to disclose sensitive information on LINX configuration. | |||||
CVE-2023-46387 | 1 Loytec | 4 Linx-151, Linx-151 Firmware, Linx-212 and 1 more | 2024-09-20 | N/A | 7.5 HIGH |
LOYTEC electronics GmbH LINX-212 and LINX-151 devices (all versions) are vulnerable to Incorrect Access Control via dpal_config.zml file. This vulnerability allows remote attackers to disclose sensitive information on Loytec device data point configuration. | |||||
CVE-2024-45323 | 1 Fortinet | 1 Fortiedrmanager | 2024-09-20 | N/A | 2.7 LOW |
An improper access control vulnerability [CWE-284] in FortiEDR Manager API 6.2.0 through 6.2.2, 6.0 all versions may allow in a shared environment context an authenticated admin with REST API permissions in his profile and restricted to a specific organization to access backend logs that include information related to other organizations. |