2495 matches found
CVE-2024-4718
CVE-2024-4718 affects Campcodes Complete Web-Based School Management System 1.0. The vulnerable component is an unknown function in /model/delete_student_grade_subject.php, where manipulation of the index parameter enables cross-site scripting. Exploitation can be performed remotely, and public d...
CVE-2024-4674
CVE-2024-4674 affects Campcodes Complete Web-Based School Management System 1.0. The vulnerability resides in the /view/show_friend_request.php page, where unsafely handling the my_index parameter enables cross-site scripting. The issue can be triggered remotely and exploit details have been publ...
CVE-2024-4644
CVE-2024-4644 affects SourceCodester Prison Management System 1.0, with a cross-site scripting flaw in the code path that handles /Employee/changepassword.php. The vulnerability allows manipulation of the txtold_password, txtnew_password, and txtconfirm_password fields to trigger XSS. Publicly di...
CVE-2024-4587
A vulnerability was found in DedeCMS 5.7 and classified as problematic. This issue affects some unknown processing of the file /src/dede/tpl.php. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be use...
CVE-2024-4584
A vulnerability, which was classified as problematic, has been found in Faraday GM8181 and GM828x up to 20240429. Affected by this issue is some unknown functionality of the file /commandport.ini. The manipulation leads to information disclosure. The attack may be launched remotely. The exploit h...
CVE-2024-4507 Ruijie RG-UAC static_route_add_ipv6.php os command injection
A vulnerability was found in Ruijie RG-UAC up to 20240428 and classified as critical. This issue affects some unknown processing of the file /view/IPV6/ipv6StaticRoute/static_route_add_ipv6.php. The manipulation of the argument text_prefixlen/text_gateway/devname leads to os command injection. The...
CVE-2024-4507
CVE-2024-4507 affects Ruijie RG-UAC (up to 20240428). The issue is an OS command injection in the web interface, triggered by manipulating parameters text_prefixlen, text_gateway, or devname in the PHP path /view/IPV6/ipv6StaticRoute/static_route_add_ipv6.php. Impact per sources: remote attacker ...
image-optimizer allows PHAR deserialization
image-optimizer before 1.7.3 allows PHAR deserialization, e.g., the phar:// protocol in arguments to file_exists...
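The entry above is terse about the mechanism, so here is an added illustration (not image-optimizer's code, and not taken from the advisory): a phar archive whose metadata is a serialized object, a file_exists() call on a phar:// path to it, and a guard that refuses any stream-wrapper scheme before a filesystem function is reached. The class name, note text, archive location and the GIF-prefix remark are assumptions made for this demo; on PHP 7.x the phar wrapper unserializes metadata while parsing the archive, so the destructor fires from file_exists(), while PHP 8.0 and later no longer unserialize metadata on open and only the boolean result is printed.

```php
<?php
// Added example, not image-optimizer's own code. Shows why a phar:// path reaching
// file_exists() is dangerous, and a guard that refuses stream-wrapper paths up front.
// Usage:  php -d phar.readonly=0 phar_demo.php build   # writes demo.phar to the temp dir
//         php phar_demo.php check                      # runs file_exists() against it
// Class name, note text and file locations are assumptions made for this demo.

class AuditHook
{
    public string $note = '';

    // Runs when the object is destroyed. On PHP 7.x the phar wrapper unserializes the
    // archive metadata while parsing the archive, so this fires from file_exists().
    public function __destruct()
    {
        if ($this->note !== '') {
            echo "[AuditHook::__destruct] {$this->note}\n";
        }
    }
}

// Accept only plain filesystem paths: any "scheme://" prefix (phar://, data://, ...)
// is refused before a filesystem function ever sees it. parse_url() misreads relative
// paths, so the scheme is matched explicitly.
function isPlainPath(string $path): bool
{
    return preg_match('#^[a-zA-Z][a-zA-Z0-9+.\-]*://#', $path) !== 1;
}

$archive = sys_get_temp_dir() . '/demo.phar';
$mode = $argv[1] ?? 'check';

if ($mode === 'build') {
    // Build an archive whose metadata is a serialized object. The stub could be
    // prefixed with GIF89a bytes; that is how such files pass naive image checks.
    @unlink($archive);
    $phar = new Phar($archive);
    $phar->startBuffering();
    $phar->setStub('<?php __HALT_COMPILER(); ?>');
    $phar->addFromString('payload.txt', 'x');
    $hook = new AuditHook();
    $hook->note = 'metadata object instantiated by the phar stream wrapper';
    $phar->setMetadata($hook);
    $phar->stopBuffering();
    $hook->note = '';   // silence the builder's own copy of the object
    echo "wrote $archive\n";
    exit;
}

// The vulnerable pattern: untrusted input flows straight into file_exists().
$untrusted = 'phar://' . $archive . '/payload.txt';
var_dump(file_exists($untrusted));   // bool(true); on PHP 7.x the destructor echo comes first

// Hardened order: scheme check first, filesystem call second.
foreach ([$untrusted, '/var/uploads/a.png'] as $candidate) {
    if (!isPlainPath($candidate)) {
        echo "rejected: $candidate\n";
        continue;
    }
    echo "would check: $candidate\n";
}
```

The guard is deliberately a denylist of schemes rather than a check for the phar:// prefix alone: PHP resolves the wrapper from the scheme, and case or alternative wrappers (data://, compress.zlib://) would slip past a literal string comparison. Disabling the phar wrapper with stream_wrapper_unregister('phar') where the application never needs it is the complementary server-side control.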
CVE-2023-47727 IBM QRadar Suite Software file manipulation
IBM Cloud Pak for Security 1.10.0.0 through 1.10.11.0 and IBM QRadar Suite Software 1.10.12.0 through 1.10.20.0 could allow an authenticated user to modify dashboard parameters due to improper input validation. IBM X-Force ID: 272089...
CVE-2024-4172 idcCMS cross-site request forgery
A vulnerability classified as problematic was found in idcCMS 1.35. Affected by this vulnerability is an unknown functionality of the file /admin/admincl.php?mudi=revPwd. The manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed to t...
CVE-2024-3906 Tenda AC500 QuickIndex formQuickIndex stack-based overflow
A vulnerability was found in Tenda AC500 2.0.1.91307. It has been declared as critical. This vulnerability affects the function formQuickIndex of the file /goform/QuickIndex. The manipulation of the argument PPPOEPassword leads to stack-based buffer overflow. The attack can be initiated remotely...
CVE-2024-1593 Path Traversal via Parameter Smuggling in mlflow/mlflow
A path traversal vulnerability exists in the mlflow/mlflow repository due to improper handling of URL parameters. By smuggling path traversal sequences using the ';' character in URLs, attackers can manipulate the 'params' portion of the URL to gain unauthorized access to files or directories. Th...
PT-2024-3045 · Oracle · Virtualbox
Name of the Vulnerable Software and Affected Versions: Oracle VM VirtualBox versions prior to 7.0.16 Description: The issue is related to errors in processing input data in the Core component of Oracle VM VirtualBox. This can be exploited by an attacker to elevate privileges or execute arbitrary...
CVE-2024-3804
A vulnerability, which was classified as critical, has been found in Vesystem Cloud Desktop up to 20240408. This issue affects some unknown processing of the file /Public/webuploader/0.1.5/server/fileupload2.php. The manipulation of the argument file leads to unrestricted upload. The attack may b...
CVE-2024-3721 TBK DVR-4104/DVR-4216 os command injection
A vulnerability was found in TBK DVR-4104 and DVR-4216 up to 20240412 and classified as critical. This issue affects some unknown processing of the file /device.rsp?opt=sys&cmd=S_O_S_T_R_E_A_MAX. The manipulation of the argument mdb/mdc leads to os command injection. The attack may be initiated remotely...
CVE-2024-3721
CVE-2024-3721 is an OS command injection affecting TBK DVR-4104 and DVR-4216 (firmware up to 20240412). The flaw stems from unsanitized parameters mdb/mdc in HTTP requests to /device.rsp?opt=sys&cmd=S_O_S_T_R_E_A_MAX. Successful exploitation allows unauthenticated remote command execution and ha...
Mautic SQL Injection in dynamic Reports
Impact: Prior to the patched version, logged-in users of Mautic are vulnerable to a SQL injection in the Reports bundle. Such a user could read and alter data, including sensitive and login data, and, depending on the database user's permissions, manipulate the file system. Patches: Update t...
CVE-2024-3620
A vulnerability was found in SourceCodester Kortex Lite Advocate Office Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /control/adds.php. The manipulation of the argument name/gender/dob/email/mobile/address leads to sql injectio...