PT-2024-37796 · Unknown · My-Springsecurity-Plus

Name of the Vulnerable Software and Affected Versions: witmy my-springsecurity-plus up to 2024-07-04 Description: A critical issue was found in the software, affecting an unknown functionality of the file "/api/dept/build". The manipulation of the params.dataScope argument leads to SQL injection...

PT-2024-37622 · Devika · Devika

Name of the Vulnerable Software and Affected Versions: devika versions prior to the fixed version Description: The issue allows an attacker to read arbitrary files on the system by providing a crafted path. This can be exploited by sending a request to the application with a malicious snapshot pa...

CVE-2024-27784

Multiple Exposure of sensitive information to an unauthorized actor weaknesses CWE-200 vulnerability in Fortinet FortiAIOps 2.0.0 may allow an authenticated, remote attacker to retrieve sensitive information from the API endpoint or log files...

CVE-2024-27784

Multiple Exposure of sensitive information to an unauthorized actor weaknesses CWE-200 vulnerability in Fortinet FortiAIOps 2.0.0 may allow an authenticated, remote attacker to retrieve sensitive information from the API endpoint or log files...

CVE-2024-27784

CVE-2024-27784 affects Fortinet FortiAIOps 2.0.0. Affected component: FortiAIOps API endpoints and log files where authenticated users with network access can retrieve sensitive information due to inadequate protection of data. Exploitation status is not documented here; no in-the-wild details pr...

PT-2024-29021 · Netbox · Netbox

Name of the Vulnerable Software and Affected Versions: netbox version 4.0.3 Description: A cross-site scripting XSS issue allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the circuit ID parameter at the "/circuits/circuits/add" API endpoint...

Cross-Site Scripting

flowise is vulnerable to reflected cross-site scripting XSS. The vulnerability is due to improper sanitization in the /api/v1/public-chatflows/id endpoint when a chatflow ID is not found, causing its value to be reflected in the 404 page with type text/html. Attackers can exploit this by crafting...

PT-2024-5239 · 1Panel · 1Panel

Name of the Vulnerable Software and Affected Versions: 1Panel versions prior to 1.10.12-tls Description: The issue is related to SQL injections in the 1Panel project, specifically with the orderBy parameter, which can lead to arbitrary file writes and ultimately to remote code execution RCE. The...

CVE-2024-37146

Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected cross-site scripting vulnerability occurs in the /api/v1/credentials/id endpoint. If the default configuration is used unauthenticated, an attacker may be able to craf...

CVE-2024-36420

Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, the /api/v1/openai-assistants-file endpoint in index.ts is vulnerable to arbitrary file read due to lack of sanitization of the fileName body parameter. No known patches for this...

Huawei EulerOS: Security Advisory for docker-engine (EulerOS-SA-2024-1852)

The remote host is missing an update for the Huawei EulerOS SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

PT-2024-37608 · Ingenico · Ingenico Estate Manager

Name of the Vulnerable Software and Affected Versions: Ingenico Estate Manager version 2023 Description: A problematic vulnerability was found in the New Widget Handler component, affecting an unknown functionality of the file /emgui/rest/preferences/PREF HOME PAGE/sponsor/3/. The manipulation of...

CVE-2024-5980

A vulnerability in the /v1/runs API endpoint of lightning-ai/pytorch-lightning v2.2.4 allows attackers to exploit path traversal when extracting tar.gz files. When the LightningApp is running with the pluginserver, attackers can deploy malicious tar.gz plugins that embed arbitrary files with path...

CVE-2024-5980

The CVE-2024-5980 entry describes a path-traversal vulnerability in lightning-ai/pytorch-lightning v2.2.4 exposed via the /v1/runs API endpoint. When the LightningApp runs with the plugin_server, malicious tar.gz plugins can embed arbitrary files using path traversal, allowing writes to arbitrary...

CVE-2024-5980 Arbitrary File Write via /v1/runs API endpoint in lightning-ai/pytorch-lightning

A vulnerability in the /v1/runs API endpoint of lightning-ai/pytorch-lightning v2.2.4 allows attackers to exploit path traversal when extracting tar.gz files. When the LightningApp is running with the pluginserver, attackers can deploy malicious tar.gz plugins that embed arbitrary files with path...

CVE-2024-5980 Arbitrary File Write via /v1/runs API endpoint in lightning-ai/pytorch-lightning

A vulnerability in the /v1/runs API endpoint of lightning-ai/pytorch-lightning v2.2.4 allows attackers to exploit path traversal when extracting tar.gz files. When the LightningApp is running with the pluginserver, attackers can deploy malicious tar.gz plugins that embed arbitrary files with path...

Denial Of Service (DoS)

ZenML is vulnerable to a Denial Of Service DoS. The vulnerability is due to improper handling of line feed \n characters in component names, allowing an attacker to cause uncontrolled resource consumption by adding a component through an API endpoint api/v1/workspaces/default/components...

PT-2024-28291 · Unknown · Px4-Autopilot

Name of the Vulnerable Software and Affected Versions: PX4-Autopilot version 1.14.3 Description: A buffer overflow issue was discovered in PX4-Autopilot via the topic name parameter at the "/logger/logged topics.cpp" API endpoint. Recommendations: For PX4-Autopilot version 1.14.3, as a temporary...

GHSA-7GJR-HCC3-XFR4 Improper line feed handling in zenml

A denial of service DoS vulnerability exists in zenml-io/zenml version 0.56.3 due to improper handling of line feed \n characters in component names. When a low-privileged user adds a component through the API endpoint api/v1/workspaces/default/components with a name containing a \n character, it...

Improper line feed handling in zenml

A denial of service DoS vulnerability exists in zenml-io/zenml version 0.56.3 due to improper handling of line feed \n characters in component names. When a low-privileged user adds a component through the API endpoint api/v1/workspaces/default/components with a name containing a \n character, it...