LB-LINK BL-W1210M v2.0 was discovered to store user credentials in plaintext within the router's...
AI Score 7.2 | EPSS 0.0004

In MintHCM 4.0.3, a registered user can execute arbitrary JavaScript code and achieve a reflected Cross-site Scripting (XSS)...
EPSS 0.0004

Hardcoded credentials in TerraMaster TOS firmware through 5.1 allow a remote attacker to successfully login to the mail or webmail server. These credentials can also be used to login to the administration panel and to perform privileged...
AI Score 6.8 | EPSS 0.0004

LB-LINK BL-W1210M v2.0 was discovered to contain a clickjacking vulnerability via the Administrator login page. Attackers can cause victim users to perform arbitrary operations via interaction with crafted elements on the web...
AI Score 7.4 | EPSS 0.0004

Incorrect access control in the UART/Serial interface on the LB-LINK BL-W1210M v2.0 router allows attackers to access the root terminal without...
AI Score 7.2 | EPSS 0.0004

LNbits is a Lightning wallet and accounts system. Paying invoices in Eclair that do not get settled within the internal timeout (about 30s) leads to the payment being considered failed, even though it may still be in flight. This vulnerability can lead to a total loss of funds for the node backend....
CVSS 8.1 | AI Score 7.9 | EPSS 0.0004

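The LNbits entry above describes a state-handling bug rather than a parsing one: a backend timeout is not a terminal failure, and refunding the user on timeout lets the same balance be spent again while the first payment may still settle. The Python below is an added illustration, not LNbits or Eclair code; the stand-in backend, the wallet model and the amounts are constructed for the example, and the backend is assumed to settle every payment only after the wallet has stopped waiting.

```python
"""Added illustration of treating a backend timeout as a failed payment.
Nothing here is LNbits or Eclair code; FakeEclair, Wallet and the
amounts are constructed for the example."""
from dataclasses import dataclass
from enum import Enum


class PaymentStatus(Enum):
    SUCCESS = "success"
    FAILED = "failed"    # the backend definitively rejected the payment
    PENDING = "pending"  # no terminal answer yet, e.g. the wallet's timeout expired


class FakeEclair:
    """Stand-in backend (assumption): every payment is still in flight when
    the wallet's ~30s timeout fires, and settles on the next reconciliation."""

    def __init__(self):
        self.inflight = []
        self.paid_msat = 0

    def pay_invoice(self, amount_msat):
        self.inflight.append(amount_msat)
        return PaymentStatus.PENDING

    def settle_all(self):
        # The HTLCs complete after the wallet stopped waiting.
        self.paid_msat += sum(self.inflight)
        self.inflight.clear()
        return PaymentStatus.SUCCESS


@dataclass
class Wallet:
    balance_msat: int
    held_msat: int = 0  # debited but not yet resolved


def vulnerable_pay(wallet, backend, amount_msat):
    """Pre-fix behaviour: anything that is not SUCCESS is refunded at once."""
    if wallet.balance_msat < amount_msat:
        return None  # insufficient balance, nothing sent
    wallet.balance_msat -= amount_msat
    status = backend.pay_invoice(amount_msat)
    if status is not PaymentStatus.SUCCESS:
        wallet.balance_msat += amount_msat  # refund while the HTLC may still settle
        return PaymentStatus.FAILED
    return status


def hardened_pay(wallet, backend, amount_msat):
    """Keep the debit in place until the backend gives a terminal answer."""
    if wallet.balance_msat < amount_msat:
        return None
    wallet.balance_msat -= amount_msat
    status = backend.pay_invoice(amount_msat)
    if status is PaymentStatus.FAILED:
        wallet.balance_msat += amount_msat  # only a definitive failure is refunded
    elif status is PaymentStatus.PENDING:
        wallet.held_msat += amount_msat     # stays unavailable until reconciled
    return status


def reconcile(wallet, backend):
    """Later poll: release or refund the held amount on the terminal status."""
    status = backend.settle_all()
    if status is PaymentStatus.SUCCESS:
        wallet.held_msat = 0
    elif status is PaymentStatus.FAILED:
        wallet.balance_msat += wallet.held_msat
        wallet.held_msat = 0
    return status


def run_scenario(pay_fn, balance_msat=100_000, attempts=2):
    """A user holding `balance_msat` tries to pay an invoice for the full
    balance `attempts` times. Returns (final user balance, msat the node
    actually paid out, per-attempt statuses)."""
    wallet = Wallet(balance_msat=balance_msat)
    backend = FakeEclair()
    results = [pay_fn(wallet, backend, balance_msat) for _ in range(attempts)]
    reconcile(wallet, backend)
    return wallet.balance_msat, backend.paid_msat, [r.value if r else None for r in results]


if __name__ == "__main__":
    print("vulnerable:", run_scenario(vulnerable_pay))  # node pays twice the user's balance
    print("hardened:  ", run_scenario(hardened_pay))    # second attempt refused
```

In the vulnerable run the user ends with the original balance while the node has paid out twice that amount; in the hardened run the first attempt stays pending with the funds held and the second attempt is refused for insufficient balance.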
An open redirect issue was discovered in Kibana that could lead to a user being redirected to an arbitrary website if they use a maliciously crafted Kibana...
CVSS 6.1 | AI Score 6.2 | EPSS 0.001

CVE-2024-37315 Nextcloud Server's read-only users can restore old versions
Nextcloud Server is a self-hosted personal cloud system. An attacker with read-only access to a file is able to restore older versions of a document when the files_versions app is enabled. It is recommended that the Nextcloud Server is upgraded to 26.0.12, 27.1.7 or 28.0.3 and that the Nextcloud...
CVSS 3.5 | EPSS 0.0004

CVE-2024-37314 Nextcloud Photos' shared albums have no restriction on photo removal
Nextcloud Photos is a photo management app. Users can remove photos from the album of registered users. It is recommended that the Nextcloud Server is upgraded to 25.0.7 or 26.0.2 and the Nextcloud Enterprise Server is upgraded to 25.0.7 or...
CVSS 3.5 | EPSS 0.0004

CVE-2024-37313 Nextcloud server allows bypass of the second factor
Nextcloud server is a self-hosted personal cloud system. Under some circumstances it was possible to bypass the second factor of 2FA after successfully providing the user credentials. It is recommended that the Nextcloud Server is upgraded to 26.0.13, 27.1.8 or 28.0.4 and Nextcloud Enterprise...
CVSS 7.3 | AI Score 7.1 | EPSS 0.0004

CVE-2024-37312 Nextcloud user_oidc app's ID4me feature is available even when disabled
user_oidc app is an OpenID Connect user backend for Nextcloud. Missing access control on the ID4me endpoint allows an attacker to register an account, eventually getting access to data that is available to all registered users. It is recommended that the OpenID Connect user backend is upgraded to...
CVSS 6.3 | AI Score 6.9 | EPSS 0.0004

Can reshare read&share only folder with more permissions
Impact: A recipient of a share with read&share permissions could reshare the item with more permissions.
Patches: It is recommended that the Nextcloud Server is upgraded to 26.0.13 or 27.1.8 or 28.0.4. It is recommended that the Nextcloud Enterprise Server is upgraded to 23.0.12.17 or...
CVSS 8.1 | AI Score 6.5 | EPSS 0.0004

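The reshare entry above is a missing subset check: the rights a recipient passes on must never exceed the rights they received. As an added example that is not Nextcloud code, the Python below uses the server's documented permission bits (READ 1, UPDATE 2, CREATE 4, DELETE 8, SHARE 16, matching OCP\Constants) to show a check that only asks "may this user share?" beside one that also compares the requested mask with the received one, plus the alternative of clamping the reshare instead of rejecting it. The function names and the scenario values are ours.

```python
"""Added example of validating reshare permissions. Not Nextcloud code; the
bit values match Nextcloud's OCP\\Constants, the function names are ours."""

READ, UPDATE, CREATE, DELETE, SHARE = 1, 2, 4, 8, 16
ALL = READ | UPDATE | CREATE | DELETE | SHARE
NAMES = {READ: "read", UPDATE: "update", CREATE: "create", DELETE: "delete", SHARE: "share"}


def describe(mask):
    """Human-readable list of the bits set in a permission mask."""
    return ",".join(name for bit, name in NAMES.items() if mask & bit) or "none"


def vulnerable_reshare_check(received, requested):
    """Only asks whether the recipient may share at all; never compares the
    requested rights with the received ones (the flaw the advisory describes)."""
    return bool(received & SHARE)


def can_reshare(received, requested):
    """Returns (allowed, reason). A reshare is allowed only if the recipient
    holds SHARE and every requested bit is also present in the received mask."""
    if requested & ~ALL:
        return False, "unknown permission bits"
    if not received & SHARE:
        return False, "recipient has no share permission"
    escalated = requested & ~received
    if escalated:
        return False, f"escalation attempt: {describe(escalated)}"
    return True, "ok"


def clamp_reshare(received, requested):
    """Alternative to rejecting: silently cap the reshare to the received rights."""
    return requested & received if received & SHARE else 0


# Constructed scenario: a folder shared read&share, recipient asks for everything.
RECEIVED = READ | SHARE
REQUESTED = ALL

if __name__ == "__main__":
    print("vulnerable check:", vulnerable_reshare_check(RECEIVED, REQUESTED))  # True
    print("fixed check:", can_reshare(RECEIVED, REQUESTED))
    print("clamped to:", describe(clamp_reshare(RECEIVED, REQUESTED)))
```

Rejecting with a reason is the better default for an API that a client drives explicitly; clamping is the safer choice where older clients may send a full mask by habit, because it can never widen the share.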
Events information leaked with shared calendars on recurrence exceptions
Impact: Private shared calendar events' recurrence exceptions can be read by sharees.
Patches: It is recommended that the Nextcloud Server is upgraded to 27.1.10 or 28.0.6 or 29.0.1. It is recommended that the Nextcloud Enterprise Server is upgraded to 27.1.10 or 28.0.6 or 29.0.1...
CVSS 3.5 | AI Score 6.5 | EPSS 0.0004

ID4me does not validate signature or expiration
Impact: An attacker could potentially trick the app into accepting a request that is not signed by the correct server.
Patches: It is recommended that the Nextcloud user_oidc app is upgraded to 1.3.5, 2.0.0, 3.0.0, 4.0.0 or 5.0.0.
Workarounds: No workaround available.
References: HackerOne...
CVSS 5.4 | AI Score 6.5 | EPSS 0.0004

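The ID4me entry above is the classic case of acting on a token's claims before checking who signed it and whether it is still valid. The Python below is an added example, not the user_oidc app's code: it places the flawed unverified decode beside a verifier that pins the algorithm, checks the signature with a constant-time compare before parsing any claim, and rejects wrong-issuer or expired tokens. So that it runs with the standard library alone it signs with HS256 and a shared key; real OpenID Connect ID tokens are normally RS256 and verified against the issuer's published keys, so the key handling here is an assumption, as are the issuer, subjects, keys and timestamps.

```python
"""Added example: verifying a signed token before trusting its claims.
Not user_oidc code. HS256 with a shared key is used so it runs with the
standard library; ISSUER, the keys and the claims are constructed."""
import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims, key):
    """Mint an HS256 JWT (used here only to build the sample tokens)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def decode_unverified(token):
    """The flawed pattern: read the claims, check nothing."""
    _, payload, _ = token.split(".")
    return json.loads(_b64url_decode(payload))


class TokenError(ValueError):
    pass


def verify_token(token, key, expected_iss, now=None):
    """Return the claims only if signature, algorithm, issuer and expiry check out."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")  # never let the token choose the algorithm
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    # Claims are parsed only after the signature is known to be good.
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != expected_iss:
        raise TokenError("wrong issuer")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise TokenError("expired or missing exp")
    return claims


def check(token, key, expected_iss, now):
    """Convenience wrapper returning a short verdict string."""
    try:
        return "accepted:" + verify_token(token, key, expected_iss, now)["sub"]
    except TokenError as err:
        return "rejected:" + str(err)


# Constructed sample material (assumptions, not real keys or issuers).
ISSUER = "https://id.example"
SERVER_KEY = b"server-shared-secret-for-the-example"
ATTACKER_KEY = b"anything-the-attacker-likes"
NOW = 1_700_000_000
VALID = make_token({"iss": ISSUER, "sub": "alice", "exp": NOW + 300}, SERVER_KEY)
FORGED = make_token({"iss": ISSUER, "sub": "admin", "exp": NOW + 300}, ATTACKER_KEY)
EXPIRED = make_token({"iss": ISSUER, "sub": "alice", "exp": NOW - 1}, SERVER_KEY)

if __name__ == "__main__":
    print("unverified decode of forged token:", decode_unverified(FORGED)["sub"])
    for name, tok in (("valid", VALID), ("forged", FORGED), ("expired", EXPIRED)):
        print(name, check(tok, SERVER_KEY, ISSUER, NOW))
```

The order of the checks matters: the signature is verified over the raw header and payload segments before either is parsed, so a forged payload never reaches the claim logic, and the algorithm is fixed by the verifier rather than read from the token.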
Code injection in Nextcloud Desktop Client for macOS
Impact: A code injection in Nextcloud Desktop Client for macOS allowed arbitrary code to be loaded when starting the client with DYLD_INSERT_LIBRARIES set in the environment.
Patches: It is recommended that the Nextcloud Desktop client is upgraded to 3.12.0.
Workarounds: No workaround...
CVSS 3.8 | AI Score 7.3 | EPSS 0.0004

Users can delete old versions of read-only shared files
Impact: A malicious user was able to send delete requests for old versions of files they only got shared with read permissions.
Patches: It is recommended that the Nextcloud Server is upgraded to 26.0.12 or 27.1.7 or 28.0.3. It is recommended that the Nextcloud Enterprise Server is...
CVSS 3.5 | AI Score 6.5 | EPSS 0.0004

Can access comments and attachments of deleted cards
Impact: A user with access to a deck board was able to access comments and attachments of already deleted cards.
Patches: It is recommended that the Nextcloud Deck app is upgraded to 1.6.6 or 1.7.5 or 1.8.7 or 1.9.6 or 1.11.3 or 1.12.1.
Workarounds: Disable Deck app.
References: HackerOne...
CVSS 4.3 | AI Score 6.6 | EPSS 0.0004

Notes app can be tricked into using a received share created before the user logged in
Impact: If an attacker managed to share a folder called Notes/ with a newly created user before they logged in, the Notes app would use that folder to store the personal notes.
Patches: It is recommended that the Nextcloud Notes app is upgraded to 4.9.3.
Workarounds: Disable Notes app...
CVSS 4.6 | AI Score 6.5 | EPSS 0.0004

A user authentication vulnerability exists in the Rockwell Automation FactoryTalk® View SE. The vulnerability allows a user from a remote system with FTView to send a packet to the customer’s server to view an HMI project. Due to the lack of proper authentication, this action is allowed without...
EPSS 0.0004

Event creation can add attachments that link to other websites
Impact: Authenticated users could create an event with manipulated attachment data, so that participants who click the attachment are redirected to another website.
Patches: It is recommended that the Nextcloud Calendar App is upgraded to 4.6.8 or 4.7.2.
Workarounds: Disable the calendar app.
References: ...
CVSS 4.6 | AI Score 6.6 | EPSS 0.0004

Read-only users can restore old versions
Impact: An attacker with read-only access to a file is able to restore older versions of a document when the files_versions app is enabled.
Patches: It is recommended that the Nextcloud Server is upgraded to 26.0.12, 27.1.7 or 28.0.3. It is recommended that the Nextcloud Enterprise Server....
CVSS 3.5 | AI Score 6.5 | EPSS 0.0004

Missing permission check when removing a photo from an album
Impact: Users can remove photos from the album of registered users.
Patches: It is recommended that the Nextcloud Server is upgraded to 25.0.7 or 26.0.2. It is recommended that the Nextcloud Enterprise Server is upgraded to 25.0.7 or 26.0.2.
Workarounds: No workaround available.
References: ...
CVSS 3.5 | AI Score 6.6 | EPSS 0.0004

CVE-2024-23442 Kibana open redirect issue
An open redirect issue was discovered in Kibana that could lead to a user being redirected to an arbitrary website if they use a maliciously crafted Kibana...
CVSS 6.1 | AI Score 6.9 | EPSS 0.001

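The Kibana open redirect above and the Nextcloud Calendar attachment entry earlier on this page share one root cause: a user-supplied URL is accepted and later used as a redirect target or a clickable link. The Python below is an added example, not Kibana or Nextcloud code, of the two checks a practitioner wants in those places: a post-login "next" target must be a path on the same origin (rejecting full URLs, scheme-relative `//host` and `///host`, backslashes, control characters and their percent-encoded forms), and an attachment link must be an https URL on an allow-listed host with no userinfo trick in the authority. The function names, the allow-listed host and the sample inputs are constructed.

```python
"""Added example of validating redirect targets and external links.
Not Kibana or Nextcloud code; the function names and samples are ours."""
from urllib.parse import unquote, urlsplit


def is_safe_local_redirect(target):
    """True only for an absolute path on this origin, e.g. '/app/dashboards'.

    Rejects anything a browser would take elsewhere: full URLs,
    scheme-relative '//host' (and '///host', which urlsplit does not flag),
    backslashes (browsers treat them as '/'), control characters and
    surrounding whitespace (browsers strip them, so 'java\\tscript:' would
    pass a naive scheme check), and percent-encoded forms of the same,
    which are decoded before checking."""
    if not isinstance(target, str) or not target:
        return False
    candidate = unquote(target)
    if candidate != candidate.strip():
        return False
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F or ch == "\\" for ch in candidate):
        return False
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return False
    if not candidate.startswith("/") or candidate.startswith("//"):
        return False
    return True


def is_allowed_attachment_url(url, allowed_hosts):
    """True for https links whose host is exactly in the allow-list and whose
    authority carries no userinfo ('https://good.example@evil.example/')."""
    if not isinstance(url, str) or "\\" in url:
        return False
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.username is not None or parts.password is not None:
        return False
    host = (parts.hostname or "").lower()
    return host in {h.lower() for h in allowed_hosts}


# Constructed samples (assumptions): what a `next` parameter or an attachment
# link might carry, and the verdict each check should give.
REDIRECT_SAMPLES = {
    "/app/dashboards": True,
    "/app/home?x=1": True,
    "//evil.example/phish": False,
    "///evil.example": False,
    "/\\evil.example": False,
    "%2F%2Fevil.example": False,
    "https://evil.example/": False,
    "javascript:alert(1)": False,
    "java\tscript:alert(1)": False,
}
ATTACHMENT_SAMPLES = {
    "https://cloud.example/f/123": True,
    "https://CLOUD.example/f/123": True,
    "http://cloud.example/f/123": False,
    "https://cloud.example@evil.example/": False,
    "https://evil.example/cloud.example": False,
}


def verdicts():
    """Run every sample through its check; returns the two result dicts."""
    redirects = {s: is_safe_local_redirect(s) for s in REDIRECT_SAMPLES}
    attachments = {s: is_allowed_attachment_url(s, {"cloud.example"}) for s in ATTACHMENT_SAMPLES}
    return redirects, attachments


if __name__ == "__main__":
    for table in verdicts():
        for sample, ok in table.items():
            print("allow" if ok else "block", repr(sample))
```

The decode-then-check order in `is_safe_local_redirect` matters: a framework that percent-decodes the parameter before handing it to the redirect would otherwise turn `%2F%2Fevil.example` into a scheme-relative URL after the check has passed.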
Ability to bypass the second factor
Impact: Under some circumstances it was possible to bypass the second factor of 2FA after successfully providing the user credentials.
Patches: It is recommended that the Nextcloud Server is upgraded to 26.0.13, 27.1.8 or 28.0.4. It is recommended that the Nextcloud Enterprise Server is...
CVSS 7.3 | AI Score 6.6 | EPSS 0.0004

ID4me feature of OpenID connect app available even when disabled
Impact: Missing access control on the ID4me endpoint allows an attacker to register an account, eventually getting access to data that is available to all registered users.
Patches: It is recommended that the OpenID Connect user backend is upgraded to 3.0.0 (Nextcloud 20-23), 4.0.0...
CVSS 6.3 | AI Score 6.5 | EPSS 0.0004

restobarguide.com Cross Site Scripting vulnerability OBB-3935262
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...
AI Score 6.2

A user authentication vulnerability exists in the Rockwell Automation FactoryTalk® View SE v12. The vulnerability allows a user from a remote system with FTView to send a packet to the customer’s server to view an HMI project. This action is allowed without proper authentication...
EPSS 0.0004

Insecure Deserialization in some workflows of the IPS Manager allows unauthenticated remote attackers to perform arbitrary code execution and gain access to the vulnerable Trellix IPS...
CVSS 9.8 | AI Score 8.1 | EPSS 0.0004

TOTOLINK A3700R V9.1.2u.6165_20211012 was discovered to contain a stack overflow via ssid5g in the function...
AI Score 7.9 | EPSS 0.0004

A vulnerability in the IPS Manager, Central Manager, and Local Manager communication workflow allows an attacker to control the destination of a request by manipulating the parameter, thereby leveraging sensitive...
CVSS 6.8 | AI Score 6.8 | EPSS 0.0004

TOTOLINK A3700R V9.1.2u.6165_20211012 was discovered to contain a stack overflow via ssid5g in the function...
AI Score 7.9 | EPSS 0.0004

TOTOLINK A3700R V9.1.2u.6165_20211012 was discovered to contain a stack overflow via eport in the function...
AI Score 7.9 | EPSS 0.0004

yoweby.com Cross Site Scripting vulnerability OBB-3935261
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...
AI Score 6.2

acoc.group Cross Site Scripting vulnerability OBB-3935260
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently...
AI Score 6.2

Important: booth security update
The Booth cluster ticket manager is a component to bridge high availability clusters spanning multiple sites, in particular, to provide decision inputs to local Pacemaker cluster resource managers. It operates as a distributed consensus-based service, presumably on a separate physical network....
CVSS 7.4 | AI Score 6.7 | EPSS 0.001

An update is available for booth. This update affects Rocky Linux 9. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list. The Booth cluster ticket manager is a component to bridge high availability...
CVSS 7.4 | AI Score 7.2 | EPSS 0.001
