Frontend File Manager & Sharing – User Private Files Security Vulnerabilities

thn

Critical RCE Vulnerability Discovered in Ollama AI Infrastructure Tool

Cybersecurity researchers have detailed a now-patched security flaw affecting the Ollama open-source artificial intelligence (AI) infrastructure platform that could be exploited to achieve remote code execution. Tracked as CVE-2024-37032, the vulnerability has been codenamed Probllama by cloud...

10CVSS

8.1AI Score

EPSS

2024-06-24 01:52 PM
17
cve

CVE-2024-37231

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Salon Booking System Salon booking system allows File Manipulation. This issue affects Salon booking system: from n/a through...

8.6CVSS

8.6AI Score

0.0004EPSS

2024-06-24 01:15 PM
9
nvd

CVE-2024-37231

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Salon Booking System Salon booking system allows File Manipulation. This issue affects Salon booking system: from n/a through...

8.6CVSS

0.0004EPSS

2024-06-24 01:15 PM
4
nvd

CVE-2024-37228

Improper Control of Generation of Code ('Code Injection') vulnerability in InstaWP Team InstaWP Connect allows Code Injection. This issue affects InstaWP Connect: from n/a through...

10CVSS

0.0004EPSS

2024-06-24 01:15 PM
2
cve

CVE-2024-37092

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in StylemixThemes Consulting Elementor Widgets allows PHP Local File Inclusion. This issue affects Consulting Elementor Widgets: from n/a through...

8.5CVSS

8.5AI Score

0.0004EPSS

2024-06-24 01:15 PM
7
cve

CVE-2024-37228

Improper Control of Generation of Code ('Code Injection') vulnerability in InstaWP Team InstaWP Connect allows Code Injection. This issue affects InstaWP Connect: from n/a through...

10CVSS

9.7AI Score

0.0004EPSS

2024-06-24 01:15 PM
9
nvd

CVE-2024-37092

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in StylemixThemes Consulting Elementor Widgets allows PHP Local File Inclusion. This issue affects Consulting Elementor Widgets: from n/a through...

8.5CVSS

0.0004EPSS

2024-06-24 01:15 PM
cvelist

CVE-2024-37231 WordPress Salon booking system plugin <= 9.9 - Arbitrary File Deletion vulnerability

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Salon Booking System Salon booking system allows File Manipulation. This issue affects Salon booking system: from n/a through...

8.6CVSS

0.0004EPSS

2024-06-24 12:39 PM
3
vulnrichment

CVE-2024-37231 WordPress Salon booking system plugin <= 9.9 - Arbitrary File Deletion vulnerability

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Salon Booking System Salon booking system allows File Manipulation. This issue affects Salon booking system: from n/a through...

8.6CVSS

6.8AI Score

0.0004EPSS

2024-06-24 12:39 PM
2
cvelist

CVE-2024-37228 WordPress InstaWP Connect plugin <= 0.1.0.38 - Arbitrary File Upload vulnerability

Improper Control of Generation of Code ('Code Injection') vulnerability in InstaWP Team InstaWP Connect allows Code Injection. This issue affects InstaWP Connect: from n/a through...

10CVSS

0.0004EPSS

2024-06-24 12:35 PM
3
vulnrichment

CVE-2024-37228 WordPress InstaWP Connect plugin <= 0.1.0.38 - Arbitrary File Upload vulnerability

Improper Control of Generation of Code ('Code Injection') vulnerability in InstaWP Team InstaWP Connect allows Code Injection. This issue affects InstaWP Connect: from n/a through...

10CVSS

7.1AI Score

0.0004EPSS

2024-06-24 12:35 PM
cvelist

CVE-2024-5862 User Enumeration in Mia Technology's Mia-Med Health Aplication

Improper Restriction of Excessive Authentication Attempts vulnerability in Mia Technology Inc. Mia-Med Health Aplication allows Interface Manipulation. This issue affects Mia-Med Health Aplication: before...

7.5CVSS

0.001EPSS

2024-06-24 12:31 PM
2
vulnrichment

CVE-2024-5862 User Enumeration in Mia Technology's Mia-Med Health Aplication

Improper Restriction of Excessive Authentication Attempts vulnerability in Mia Technology Inc. Mia-Med Health Aplication allows Interface Manipulation. This issue affects Mia-Med Health Aplication: before...

7.5CVSS

7AI Score

0.001EPSS

2024-06-24 12:31 PM
1
kitploit

Hfinger - Fingerprinting HTTP Requests

Tool for Fingerprinting HTTP requests of malware. Based on Tshark and written in Python3. Working prototype stage :-) Its main objective is to provide unique representations (fingerprints) of malware requests, which help in their identification. Unique means here that each fingerprint should be...

7AI Score

2024-06-24 12:30 PM
4
cvelist

CVE-2024-37092 WordPress Consulting Elementor Widgets plugin <= 1.3.0 - Local File Inclusion vulnerability

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in StylemixThemes Consulting Elementor Widgets allows PHP Local File Inclusion. This issue affects Consulting Elementor Widgets: from n/a through...

8.5CVSS

0.0004EPSS

2024-06-24 12:23 PM
2
cve

CVE-2024-37089

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in StylemixThemes Consulting Elementor Widgets allows PHP Local File Inclusion. This issue affects Consulting Elementor Widgets: from n/a through...

9CVSS

9.1AI Score

0.0004EPSS

2024-06-24 12:15 PM
9
nvd

CVE-2024-37089

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in StylemixThemes Consulting Elementor Widgets allows PHP Local File Inclusion. This issue affects Consulting Elementor Widgets: from n/a through...

9CVSS

0.0004EPSS

2024-06-24 12:15 PM
4
cvelist

CVE-2024-37089 WordPress Consulting Elementor Widgets plugin <= 1.3.0 - Unauthenticated Local File Inclusion vulnerability

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in StylemixThemes Consulting Elementor Widgets allows PHP Local File Inclusion. This issue affects Consulting Elementor Widgets: from n/a through...

9CVSS

0.0004EPSS

2024-06-24 12:07 PM
4
hackread

Mailcow Patches Critical XSS and File Overwrite Flaws – Update NOW

Mailcow email servers faced critical vulnerabilities (CVE-2024-31204 and CVE-2024-30270) allowing potential remote code execution. Update to Mailcow 2024-04 (Moopril Update) to patch the security holes and keep your email server...

6.2CVSS

8.4AI Score

0.0004EPSS

2024-06-24 11:35 AM
3
githubexploit

Exploit for Time-of-check Time-of-use (TOCTOU) Race Condition in Microsoft

CVE-2024-30088 Bug: Bug is inside function...

7CVSS

7.4AI Score

0.0004EPSS

2024-06-24 10:37 AM
38
cve

CVE-2024-29868

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Apache StreamPipes user self-registration and password recovery mechanism. This allows an attacker to guess the recovery token in a reasonable time and thereby to take over the attacked user's account. This issue.....

6.7AI Score

0.0004EPSS

2024-06-24 10:15 AM
11
nvd

CVE-2024-29868

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Apache StreamPipes user self-registration and password recovery mechanism. This allows an attacker to guess the recovery token in a reasonable time and thereby to take over the attacked user's account. This issue.....

0.0004EPSS

2024-06-24 10:15 AM
4
osv

libhibernate3-java vulnerability

It was discovered that Hibernate incorrectly handled certain inputs with unsanitized literals. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to obtain sensitive...

7.4CVSS

7.3AI Score

0.004EPSS

2024-06-24 10:08 AM
1
securelist

XZ backdoor: Hook analysis

Part 1: XZ backdoor story – Initial analysis Part 2: Assessing the Y, and How, of the XZ Utils incident (social engineering) In our first article on the XZ backdoor, we analyzed its code from initial infection to the function hooking it performs. As we mentioned then, its initial goal was to...

8.6AI Score

2024-06-24 10:00 AM
cvelist

CVE-2024-29868 Apache StreamPipes, Apache StreamPipes: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Recovery Token Generation

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Apache StreamPipes user self-registration and password recovery mechanism. This allows an attacker to guess the recovery token in a reasonable time and thereby to take over the attacked user's account. This issue.....

0.0004EPSS

2024-06-24 09:59 AM
10
vulnrichment

CVE-2024-29868 Apache StreamPipes, Apache StreamPipes: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Recovery Token Generation

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Apache StreamPipes user self-registration and password recovery mechanism. This allows an attacker to guess the recovery token in a reasonable time and thereby to take over the attacked user's account. This issue.....

7.1AI Score

0.0004EPSS

2024-06-24 09:59 AM
1
veracode

Open Redirect

gradio is vulnerable to Open Redirect. The vulnerability is due to improper validation of user-supplied input, allowing attackers to redirect users to arbitrary...

5.4CVSS

6.9AI Score

0.001EPSS

2024-06-24 09:32 AM
1
github

Improper line feed handling in zenml

A denial of service (DoS) vulnerability exists in zenml-io/zenml version 0.56.3 due to improper handling of line feed (\n) characters in component names. When a low-privileged user adds a component through the API endpoint api/v1/workspaces/default/components with a name containing a \n character,....

4.3CVSS

6.6AI Score

0.0004EPSS

2024-06-24 09:30 AM
1
osv

Improper line feed handling in zenml

A denial of service (DoS) vulnerability exists in zenml-io/zenml version 0.56.3 due to improper handling of line feed (\n) characters in component names. When a low-privileged user adds a component through the API endpoint api/v1/workspaces/default/components with a name containing a \n character,....

4.3CVSS

6.8AI Score

0.0004EPSS

2024-06-24 09:30 AM
nvd

CVE-2024-36495

The application Faronics WINSelect (Standard + Enterprise) saves its configuration in an encrypted file on the file system which "Everyone" has read and write access to, path to file: C:\ProgramData\WINSelect\WINSelect.wsd The path for the affected WINSelect Enterprise configuration file is:...

0.0004EPSS

2024-06-24 09:15 AM
3
cve

CVE-2024-36495

The application Faronics WINSelect (Standard + Enterprise) saves its configuration in an encrypted file on the file system which "Everyone" has read and write access to, path to file: C:\ProgramData\WINSelect\WINSelect.wsd The path for the affected WINSelect Enterprise configuration file is:...

6.5AI Score

0.0004EPSS

2024-06-24 09:15 AM
9
cve

CVE-2024-36497

The decrypted configuration file contains the password in cleartext which is used to configure WINSelect. It can be used to remove the existing restrictions and disable WINSelect...

6.7AI Score

0.0004EPSS

2024-06-24 09:15 AM
7
nvd

CVE-2024-36497

The decrypted configuration file contains the password in cleartext which is used to configure WINSelect. It can be used to remove the existing restrictions and disable WINSelect...

0.0004EPSS

2024-06-24 09:15 AM
4
nvd

CVE-2024-36496

The configuration file is encrypted with a static key derived from a static five-character password which allows an attacker to decrypt this file. The application hashes this five-character password with the outdated and broken MD5 algorithm (no salt) and uses the first five bytes as the key...

0.0004EPSS

2024-06-24 09:15 AM
3
cve

CVE-2024-36496

The configuration file is encrypted with a static key derived from a static five-character password which allows an attacker to decrypt this file. The application hashes this five-character password with the outdated and broken MD5 algorithm (no salt) and uses the first five bytes as the key...

6.7AI Score

0.0004EPSS

2024-06-24 09:15 AM
8
vulnrichment

CVE-2024-36497 Unhashed Storage of Password

The decrypted configuration file contains the password in cleartext which is used to configure WINSelect. It can be used to remove the existing restrictions and disable WINSelect...

7AI Score

0.0004EPSS

2024-06-24 09:06 AM
cvelist

CVE-2024-36497 Unhashed Storage of Password

The decrypted configuration file contains the password in cleartext which is used to configure WINSelect. It can be used to remove the existing restrictions and disable WINSelect...

0.0004EPSS

2024-06-24 09:06 AM
1
cvelist

CVE-2024-36496 Hardcoded Credentials

The configuration file is encrypted with a static key derived from a static five-character password which allows an attacker to decrypt this file. The application hashes this five-character password with the outdated and broken MD5 algorithm (no salt) and uses the first five bytes as the key...

0.0004EPSS

2024-06-24 09:04 AM
cvelist

CVE-2024-36495 Read/Write Permissions for Everyone on Configuration File

The application Faronics WINSelect (Standard + Enterprise) saves its configuration in an encrypted file on the file system which "Everyone" has read and write access to, path to file: C:\ProgramData\WINSelect\WINSelect.wsd The path for the affected WINSelect Enterprise configuration file is:...

0.0004EPSS

2024-06-24 08:50 AM
3
veracode

Cross Site Scripting (XSS)

ezsystems/ezplatform-admin-ui is vulnerable to Cross Site Scripting (XSS). The vulnerability is due to insufficient escaping of user-generated content within parts of the Admin UI, allowing attackers to inject malicious scripts that can then be executed within the context of other users' sessions.....

6.6AI Score

2024-06-24 08:44 AM
1
nvd

CVE-2024-24554

Bludit uses predictable methods in combination with the MD5 hashing algorithm to generate sensitive tokens such as the API token and the user token. This allows attackers to authenticate against the Bludit...

0.0004EPSS

2024-06-24 08:15 AM
4
cve

CVE-2024-24554

Bludit uses predictable methods in combination with the MD5 hashing algorithm to generate sensitive tokens such as the API token and the user token. This allows attackers to authenticate against the Bludit...

6.4AI Score

0.0004EPSS

2024-06-24 08:15 AM
20
veracode

SQL Injection

opencart/opencart is vulnerable to SQL Injection. The vulnerability is due to insufficient validation in the Divido payment extension, allowing an anonymous unauthenticated user to exploit SQL injection to gain unauthorized access to the backend...

8.1CVSS

8AI Score

0.001EPSS

2024-06-24 08:11 AM
10
thn

RedJuliett Cyber Espionage Campaign Hits 75 Taiwanese Organizations

A likely China-linked state-sponsored threat actor has been linked to a cyber espionage campaign targeting government, academic, technology, and diplomatic organizations in Taiwan between November 2023 and April 2024. Recorded Future's Insikt Group is tracking the activity under the name...

7.8CVSS

8.6AI Score

0.879EPSS

2024-06-24 07:49 AM
27
veracode

Path Traversal

lollms is vulnerable to Path Traversal. The vulnerability is due to inadequate input sanitization of the data.category and data.folder parameters, allowing attackers to navigate beyond the intended directory structure. The attacker can create a config.yaml file in a controllable path, which can be....

9.8CVSS

7.4AI Score

0.0004EPSS

2024-06-24 07:23 AM
1
nvd

CVE-2024-4460

A denial of service (DoS) vulnerability exists in zenml-io/zenml version 0.56.3 due to improper handling of line feed (\n) characters in component names. When a low-privileged user adds a component through the API endpoint api/v1/workspaces/default/components with a name containing a \n character,....

4.3CVSS

0.0004EPSS

2024-06-24 07:15 AM
5
osv

CVE-2024-4460

A denial of service (DoS) vulnerability exists in zenml-io/zenml version 0.56.3 due to improper handling of line feed (\n) characters in component names. When a low-privileged user adds a component through the API endpoint api/v1/workspaces/default/components with a name containing a \n character,....

4.3CVSS

6.8AI Score

0.0004EPSS

2024-06-24 07:15 AM
cve

CVE-2024-4460

A denial of service (DoS) vulnerability exists in zenml-io/zenml version 0.56.3 due to improper handling of line feed (\n) characters in component names. When a low-privileged user adds a component through the API endpoint api/v1/workspaces/default/components with a name containing a \n character,....

4.3CVSS

4.5AI Score

0.0004EPSS

2024-06-24 07:15 AM
11
nvd

CVE-2024-24551

A security vulnerability has been identified in Bludit, allowing authenticated attackers to execute arbitrary code through the Image API. This vulnerability arises from improper handling of file uploads, enabling malicious actors to upload and execute PHP...

0.0004EPSS

2024-06-24 07:15 AM
5
cve

CVE-2024-24552

A session fixation vulnerability in Bludit allows an attacker to bypass the server's authentication if they can trick an administrator or any other user into authorizing a session ID of their...

6.8AI Score

0.0004EPSS

2024-06-24 07:15 AM
8
Total number of security vulnerabilities: 1034739