Total
29869 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2007-3732 | 1 Linux | 1 Linux Kernel | 2024-11-21 | 1.9 LOW | 5.5 MEDIUM |
|
In Linux 2.6 before 2.6.23, the TRACE_IRQS_ON function in iret_exc calls a C function without ensuring that the segments are set properly. The kernel's %fs needs to be restored before the call in TRACE_IRQS_ON and before enabling interrupts, so that "current" references work. Without this, "current" used in the window between iret_exc and the middle of error_code where %fs is reset, would crash.
|
|||||
| CVE-2004-2776 | 1 Goscript Project | 1 Goscript | 2024-11-20 | 7.5 HIGH | 9.8 CRITICAL |
|
go.cgi in GoScript 2.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) query string or (2) artarchive parameter.
|
|||||
| CVE-2024-52428 | 1 Scripteo | 1 Ads Booster By Ads Pro | 2024-11-20 | N/A | 9.8 CRITICAL |
|
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Scripteo Ads Booster by Ads Pro allows PHP Local File Inclusion.This issue affects Ads Booster by Ads Pro: from n/a through 1.12.
|
|||||
| CVE-2024-11308 | 1 Trcore | 1 Dvc | 2024-11-20 | N/A | 5.5 MEDIUM |
|
The DVC from TRCore encrypts files using a hardcoded key. Attackers can use this key to decrypt the files and restore the original content.
|
|||||
| CVE-2024-33027 | 1 Qualcomm | 180 205 Mobile Platform, 205 Mobile Platform Firmware, 215 Mobile Platform and 177 more | 2024-11-20 | N/A | 7.8 HIGH |
|
Memory corruption can occur when arbitrary user-space app gains kernel level privilege to modify DDR memory by corrupting the GPU page table.
|
|||||
| CVE-2024-42392 | 1 Cesanta | 1 Mongoose | 2024-11-19 | N/A | 7.5 HIGH |
|
Improper Neutralization of Delimiters vulnerability in Cesanta Mongoose Web Server v7.14 allows to trigger an infinite loop bug if the input string contains unexpected characters.
|
|||||
| CVE-2024-42383 | 1 Cesanta | 1 Mongoose | 2024-11-19 | N/A | 9.8 CRITICAL |
|
Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows to write a NULL byte value beyond the memory space dedicated for the hostname field.
|
|||||
| CVE-2024-42385 | 1 Cesanta | 1 Mongoose | 2024-11-19 | N/A | 7.0 HIGH |
|
Improper Neutralization of Delimiters vulnerability in Cesanta Mongoose Web Server v7.14 allows to trigger an out-of-bound memory write if the PEM certificate contains unexpected characters.
|
|||||
| CVE-2024-42386 | 1 Cesanta | 1 Mongoose | 2024-11-19 | N/A | 7.5 HIGH |
|
Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and produce a segmentation fault on the application.
|
|||||
| CVE-2024-42387 | 1 Cesanta | 1 Mongoose | 2024-11-19 | N/A | 5.3 MEDIUM |
|
Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and force the application to read unintended heap memory space.
|
|||||
| CVE-2024-42388 | 1 Cesanta | 1 Mongoose | 2024-11-19 | N/A | 5.3 MEDIUM |
|
Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and force the application to read unintended heap memory space.
|
|||||
| CVE-2024-42389 | 1 Cesanta | 1 Mongoose | 2024-11-19 | N/A | 5.3 MEDIUM |
|
Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and force the application to read unintended heap memory space.
|
|||||
| CVE-2024-42390 | 1 Cesanta | 1 Mongoose | 2024-11-19 | N/A | 5.3 MEDIUM |
|
Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and force the application to read unintended heap memory space.
|
|||||
| CVE-2024-42391 | 1 Cesanta | 1 Mongoose | 2024-11-19 | N/A | 5.3 MEDIUM |
|
Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and force the application to read unintended heap memory space.
|
|||||
| CVE-2024-10571 | 1 Ays-pro | 1 Chartify | 2024-11-19 | N/A | 9.8 CRITICAL |
|
The Chartify – WordPress Chart Plugin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.9.5 via the 'source' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and includ ...
Show More |
|||||
| CVE-2024-44760 | 1 Sunmochina | 1 Enterprise Management System | 2024-11-15 | N/A | 7.5 HIGH |
|
Incorrect access control in the component /servlet/SnoopServlet of Shenzhou News Union Enterprise Management System v5.0 through v18.8 allows attackers to access sensitive information regarding the server.
|
|||||
| CVE-2024-47178 | 1 Expressjs | 1 Basic-auth-connect | 2024-11-15 | N/A | 5.3 MEDIUM |
|
basic-auth-connect is Connect's Basic Auth middleware in its own module. basic-auth-connect < 1.1.0 uses a timing-unsafe equality comparison that can leak timing information. This issue has been fixed in basic-auth-connect 1.1.0.
|
|||||
| CVE-2024-47867 | 1 Gradio Project | 1 Gradio | 2024-11-15 | N/A | 7.5 HIGH |
|
Gradio is an open-source Python package designed for quick prototyping. This vulnerability is a **lack of integrity check** on the downloaded FRP client, which could potentially allow attackers to introduce malicious code. If an attacker gains access to the remote URL from which the FRP client is downloaded, they could modify the binary without detection, as the Gradio server does not verify the file's checksum or signature. Any users utilizing the Gradio server's sharing mechanism that downloa ...
Show More |
|||||
| CVE-2024-10381 | 1 Matrixcomsec | 2 Cosec Vega Faxq, Cosec Vega Faxq Firmware | 2024-11-14 | N/A | 9.8 CRITICAL |
|
This vulnerability exists in Matrix Door Controller Cosec Vega FAXQ due to improper implementation of session management at the web-based management interface. A remote attacker could exploit this vulnerability by sending a specially crafted http request on the vulnerable device.
Successful exploitation of this vulnerability could allow remote attacker to gain unauthorized access and take complete control of the targeted device.
|
|||||
| CVE-2024-49579 | 1 Jetbrains | 1 Youtrack | 2024-11-14 | N/A | 6.1 MEDIUM |
|
In JetBrains YouTrack before 2024.3.47197 insecure plugin iframe allowed arbitrary JavaScript execution and unauthorized API requests
|
|||||
| CVE-2024-40239 | 1 Hitbytes | 1 Life | 2024-11-13 | N/A | 6.8 MEDIUM |
|
An incorrect access control issue in Life: Personal Diary, Journal android app 17.5.0 allows a physically proximate attacker to escalate privileges via the fingerprint authentication function.
|
|||||
| CVE-2024-40240 | 1 Homeserve | 1 Homeserve | 2024-11-13 | N/A | 6.8 MEDIUM |
|
An incorrect access control issue in HomeServe Home Repair' android app - 3.3.4 allows a physically proximate attacker to escalate privileges via the fingerprint authentication function.
|
|||||
| CVE-2024-45764 | 1 Dell | 1 Enterprise Sonic Distribution | 2024-11-13 | N/A | 9.8 CRITICAL |
|
Dell Enterprise SONiC OS, version(s) 4.1.x, 4.2.x, contain(s) a Missing Critical Step in Authentication vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Protection mechanism bypass. This is a critical severity vulnerability so Dell recommends customers to upgrade at the earliest opportunity.
|
|||||
| CVE-2024-34680 | 1 Samsung | 1 Android | 2024-11-12 | N/A | 5.5 MEDIUM |
|
Use of implicit intent for sensitive communication in WlanTest prior to SMR Nov-2024 Release 1 allows local attackers to get sensitive information.
|
|||||
| CVE-2024-10916 | 1 Dlink | 8 Dns-320, Dns-320 Firmware, Dns-320lw and 5 more | 2024-11-08 | 5.0 MEDIUM | 5.3 MEDIUM |
|
A vulnerability classified as problematic has been found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. This affects an unknown part of the file /xml/info.xml of the component HTTP GET Request Handler. The manipulation leads to information disclosure. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2023-29126 | 1 Enelx | 2 Waybox Pro, Waybox Pro Firmware | 2024-11-08 | N/A | 8.8 HIGH |
|
The Waybox Enel X web management application contains a PHP-type juggling vulnerability that may allow a brute force process and under certain conditions bypass authentication.
|
|||||
| CVE-2023-29121 | 1 Enelx | 2 Waybox Pro, Waybox Pro Firmware | 2024-11-08 | N/A | 8.8 HIGH |
|
Waybox Enel TCF Agent service could be used to get administrator’s privileges over the Waybox system.
|
|||||
| CVE-2024-0134 | 2 Linux, Nvidia | 3 Linux Kernel, Nvidia Container Toolkit, Nvidia Gpu Operator | 2024-11-08 | N/A | 4.1 MEDIUM |
|
NVIDIA Container Toolkit and NVIDIA GPU Operator for Linux contain a UNIX vulnerability where a specially crafted container image can lead to the creation of unauthorized files on the host. The name and location of the files cannot be controlled by an attacker. A successful exploit of this vulnerability might lead to data tampering.
|
|||||
| CVE-2024-23377 | 1 Qualcomm | 78 Fastconnect 6900, Fastconnect 6900 Firmware, Fastconnect 7800 and 75 more | 2024-11-07 | N/A | 6.7 MEDIUM |
|
Memory corruption while invoking IOCTL command from user-space, when a user modifies the original packet size of the command after system properties have been already sent to the EVA driver.
|
|||||
| CVE-2024-38422 | 1 Qualcomm | 536 205 Mobile Platform, 205 Mobile Platform Firmware, 215 Mobile Platform and 533 more | 2024-11-07 | N/A | 7.8 HIGH |
|
Memory corruption while processing voice packet with arbitrary data received from ADSP.
|
|||||
| CVE-2024-49964 | 1 Linux | 1 Linux Kernel | 2024-11-07 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
mm/hugetlb: fix memfd_pin_folios free_huge_pages leak
memfd_pin_folios followed by unpin_folios fails to restore free_huge_pages
if the pages were not already faulted in, because the folio refcount for
pages created by memfd_alloc_folio never goes to 0. memfd_pin_folios
needs another folio_put to undo the folio_try_get below:
memfd_alloc_folio()
alloc_hugetlb_folio_nodemask()
dequeue_hugetlb_folio_nodemask()
dequ ...
Show More |
|||||
| CVE-2024-8305 | 1 Mongodb | 1 Mongodb | 2024-11-07 | N/A | 6.5 MEDIUM |
|
prepareUnique index may cause secondaries to crash due to incorrect enforcement of index constraints on secondaries, where in extreme cases may cause multiple secondaries crashing leading to no primaries. This issue affects MongoDB Server v6.0 versions prior to 6.0.17, MongoDB Server v7.0 versions prior to 7.0.13 and MongoDB Server v7.3 versions prior to 7.3.4
|
|||||
| CVE-2023-5816 | 1 Bowo | 1 Code Explorer | 2024-11-06 | N/A | 4.9 MEDIUM |
|
The Code Explorer plugin for WordPress is vulnerable to arbitrary external file reading in all versions up to, and including, 1.4.5. This is due to the fact that the plugin does not restrict accessing files to those outside of the WordPress instance, though the intention of the plugin is to only access WordPress related files. This makes it possible for authenticated attackers, with administrator-level access, to read files outside of the WordPress instance.
|
|||||
| CVE-2024-49370 | 1 Pimcore | 1 Pimcore | 2024-11-06 | N/A | 4.9 MEDIUM |
|
Pimcore is an open source data and experience management platform. When a PortalUserObject is connected to a PimcoreUser and "Use Pimcore Backend Password" is set to true, the change password function in Portal Profile sets the new password. Prior to Pimcore portal engine versions 4.1.7 and 3.1.16, the password is then set without hashing so it can be read by everyone. Everyone who combines PortalUser to PimcoreUsers and change passwords via profile settings could be affected. Versions 4.1.7 and ...
Show More |
|||||
| CVE-2024-49675 | 1 Vitaliibryl | 1 Switch User | 2024-11-06 | N/A | 8.8 HIGH |
|
Authentication Bypass Using an Alternate Path or Channel vulnerability in Vitalii Bryl iBryl Switch User allows Authentication Bypass.This issue affects iBryl Switch User: from n/a through 1.0.1.
|
|||||
| CVE-2024-49217 | 1 Madirisalmanaashish | 1 Adding Drop Down Roles In Registration | 2024-11-06 | N/A | 9.8 CRITICAL |
|
Incorrect Privilege Assignment vulnerability in Madiri Salman Aashish Adding drop down roles in registration allows Privilege Escalation.This issue affects Adding drop down roles in registration: from n/a through 1.1.
|
|||||
| CVE-2024-49219 | 1 Themexpo | 1 Rs-members | 2024-11-06 | N/A | 8.8 HIGH |
|
Incorrect Privilege Assignment vulnerability in themexpo RS-Members allows Privilege Escalation.This issue affects RS-Members: from n/a through 1.0.3.
|
|||||
| CVE-2024-45785 | 1 Neumann | 1 Musasi | 2024-11-06 | N/A | 7.5 HIGH |
|
MUSASI version 3 contains an issue with use of client-side authentication. If this vulnerability is exploited, other users' credential and sensitive information may be retrieved.
|
|||||
| CVE-2024-50528 | 1 Stacksmarket | 1 Stacks Mobile App Builder | 2024-11-06 | N/A | 7.5 HIGH |
|
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Stacks Stacks Mobile App Builder allows Retrieve Embedded Sensitive Data.This issue affects Stacks Mobile App Builder: from n/a through 5.2.3.
|
|||||
| CVE-2024-51561 | 1 63moons | 2 Aero, Wave 2.0 | 2024-11-06 | N/A | 7.5 HIGH |
|
This vulnerability exists in Aero due to improper implementation of OTP validation mechanism in certain API endpoints. An authenticated remote attacker could exploit this vulnerability by intercepting and manipulating the responses exchanged during the second factor authentication process.
Successful exploitation of this vulnerability could allow the attacker to bypass OTP verification for accessing other user accounts.
|
|||||