5284 matches found
Drupal 10.2.x < 10.2.10 Drupal Vulnerability (SA-CORE-2024-002)
According to its self-reported version, the instance of Drupal running on the remote web server is 10.2.x prior to 10.2.10. It is, therefore, affected by a vulnerability. - A vulnerability in Drupal Core allows File Manipulation. This issue affects Drupal Core: from 10.0.0 before 10.2.10...
CVE-2024-47071 OSS Endpoint Manager allows unauthorized access to read system files
OSS Endpoint Manager is an endpoint manager module for FreePBX. OSS Endpoint Manager module activation can allow authenticated web users unauthorized access to read system files with the permissions of the webserver process. This vulnerability is fixed in 14.0.4...
CVE-2024-47071
CVE-2024-47071 concerns the OSS Endpoint Manager module for FreePBX. The vulnerability arises when the module’s activation allows authenticated web users to read system files with the webserver process permissions. This issue is addressed in version 14.0.4 of OSS Endpoint Manager. The connected d...
PT-2024-32389 · Unknown · Oss Endpoint Manager
Name of the Vulnerable Software and Affected Versions: OSS Endpoint Manager versions prior to 14.0.4 Description: The OSS Endpoint Manager module for FreePBX has an issue where its activation can allow authenticated web users to read system files without permission, using the permissions of the...
Remote Code Execution Vulnerability via SSTI in Fides Webserver Jinja Email Templating Engine
Summary The Email Templating feature uses Jinja2 without proper input sanitization or rendering environment restrictions, allowing for Server-Side Template Injection that grants Remote Code Execution to privileged users. A privileged user refers to an Admin UI user with the default Owner or...
GHSA-C34R-238X-F7QX Remote Code Execution Vulnerability via SSTI in Fides Webserver Jinja Email Templating Engine
Summary The Email Templating feature uses Jinja2 without proper input sanitization or rendering environment restrictions, allowing for Server-Side Template Injection that grants Remote Code Execution to privileged users. A privileged user refers to an Admin UI user with the default Owner or...
Timing-Based Username Enumeration Vulnerability in Fides Webserver Authentication
A timing-based username enumeration vulnerability has been identified in Fides Webserver authentication. This vulnerability allows an unauthenticated attacker to determine the existence of valid usernames by analyzing the time it takes for the server to respond to login requests. The discrepancy ...
GHSA-2H46-8GF5-FMXV Timing-Based Username Enumeration Vulnerability in Fides Webserver Authentication
A timing-based username enumeration vulnerability has been identified in Fides Webserver authentication. This vulnerability allows an unauthenticated attacker to determine the existence of valid usernames by analyzing the time it takes for the server to respond to login requests. The discrepancy ...
CVE-2024-45052
Fides is an open-source privacy engineering platform. Prior to version 2.44.0, a timing-based username enumeration vulnerability exists in Fides Webserver authentication. This vulnerability allows an unauthenticated attacker to determine the existence of valid usernames by analyzing the time it...
CVE-2024-45053 Remote Code Execution Vulnerability via SSTI in Fides Webserver Jinja Email Templating Engine
Fides is an open-source privacy engineering platform. Starting in version 2.19.0 and prior to version 2.44.0, the Email Templating feature uses Jinja2 without proper input sanitization or rendering environment restrictions, allowing for Server-Side Template Injection that grants Remote Code...
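Added example for the two SSTI entries above (not Fides code): a user-controlled template rendered in a plain jinja2.Environment against the same template rendered in a SandboxedEnvironment with autoescaping. The template strings, the context values and the helper names are constructed for illustration.

```python
"""Jinja2 SSTI: unsandboxed rendering of a user-supplied template versus a
sandboxed, autoescaped environment. Added example, not the project's code;
templates, context and helper names are constructed for illustration."""
from jinja2 import Environment, StrictUndefined
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Constructed templates a privileged user might submit through an
# "email template" admin form. The probe walks Python's object graph from a
# plain string, which is how Jinja2 SSTI escalates from formatting to code.
BENIGN_TEMPLATE = "Hello {{ name }}, your request {{ request_id }} is complete."
PROBE_TEMPLATE = "{{ ''.__class__.__mro__[1].__subclasses__() }}"

CONTEXT = {"name": "Alice", "request_id": "pri_1234"}
HTML_CONTEXT = {"name": "<b>Alice</b>", "request_id": "pri_1234"}


def render_unsandboxed(template_src: str, context: dict) -> str:
    """Vulnerable pattern: Environment() lets a template reach any attribute,
    so ``__class__``/``__mro__``/``__subclasses__``/``__globals__`` chains can
    locate os or subprocess and run arbitrary code on the web server."""
    env = Environment()
    return env.from_string(template_src).render(**context)


def render_sandboxed(template_src: str, context: dict) -> str:
    """Hardened pattern: SandboxedEnvironment refuses underscore-prefixed
    attribute access (raising SecurityError), StrictUndefined makes the
    refusal fail loudly, and autoescape keeps context values from injecting
    markup into the rendered mail body."""
    env = SandboxedEnvironment(autoescape=True, undefined=StrictUndefined)
    return env.from_string(template_src).render(**context)


def sandbox_blocks(template_src: str, context: dict) -> bool:
    """True when the sandbox rejects the template with SecurityError."""
    try:
        render_sandboxed(template_src, context)
    except SecurityError:
        return True
    return False


if __name__ == "__main__":
    print("unsandboxed probe output starts:",
          render_unsandboxed(PROBE_TEMPLATE, CONTEXT)[:60])
    print("sandbox blocks probe:", sandbox_blocks(PROBE_TEMPLATE, CONTEXT))
    print("sandboxed benign:", render_sandboxed(BENIGN_TEMPLATE, HTML_CONTEXT))
```

The sandbox is a containment boundary, not a substitute for deciding who may edit templates at all: the advisory's "privileged user" still controls the text of every outgoing mail, so template editing should remain restricted and audited even after the environment is sandboxed.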
CVE-2024-45052 Fides Webserver Authentication Timing-Based Username Enumeration Vulnerability
Fides is an open-source privacy engineering platform. Prior to version 2.44.0, a timing-based username enumeration vulnerability exists in Fides Webserver authentication. This vulnerability allows an unauthenticated attacker to determine the existence of valid usernames by analyzing the time it...
PT-2024-31404 · Fides · Fides
Name of the Vulnerable Software and Affected Versions: Fides versions prior to 2.44.0 Description: A timing-based username enumeration vulnerability exists in Fides Webserver authentication, allowing an unauthenticated attacker to determine the existence of valid usernames by analyzing the time i...
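Added example for the timing-based enumeration entries above (not Fides code): a login handler that returns early for unknown usernames, beside one that performs the same password-hashing work on both paths, with a helper that measures the ratio an unauthenticated client would observe. The user table, salt, PBKDF2 parameters and function names are constructed for illustration.

```python
"""Timing-based username enumeration in a login handler: an early return for
unknown users skips the password hash and answers measurably faster.
Added example, not the project's code; the user table, salt and PBKDF2
parameters are constructed for illustration."""
import hashlib
import hmac
import statistics
import time

ITERATIONS = 50_000            # PBKDF2 work factor; large enough to be timed
SALT = b"constructed-fixed-salt"   # real systems use a per-user salt
HASH_CALLS = {"count": 0}      # instrumentation: hash runs per login attempt


def hash_password(password: str, salt: bytes) -> bytes:
    HASH_CALLS["count"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user table with a single account.
USERS = {"alice": hash_password("correct horse battery", SALT)}
# Hash of a value nobody can log in with; exists only to equalise work.
DUMMY_HASH = hash_password("dummy-never-valid", SALT)


def login_vulnerable(username: str, password: str) -> bool:
    """Leaks username validity: unknown users return before the expensive hash."""
    stored = USERS.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(hash_password(password, SALT), stored)


def login_hardened(username: str, password: str) -> bool:
    """Same work on both paths: hash the candidate, compare in constant time
    against the real hash or the dummy, and reject unknown users regardless of
    what the comparison returned."""
    stored = USERS.get(username)
    candidate = hash_password(password, SALT)
    if stored is None:
        hmac.compare_digest(candidate, DUMMY_HASH)  # result intentionally ignored
        return False
    return hmac.compare_digest(candidate, stored)


def hash_calls_for(login, username: str) -> int:
    """Number of PBKDF2 runs one failed login attempt triggers."""
    before = HASH_CALLS["count"]
    login(username, "wrong-password")
    return HASH_CALLS["count"] - before


def timing_ratio(login, rounds: int = 5) -> float:
    """Median response time for an unknown user divided by that for a known
    user. A ratio far below 1.0 means an unauthenticated client can tell
    valid usernames from invalid ones by timing alone."""
    def median_seconds(username: str) -> float:
        samples = []
        for _ in range(rounds):
            start = time.perf_counter()
            login(username, "wrong-password")
            samples.append(time.perf_counter() - start)
        return statistics.median(samples)
    return median_seconds("nobody") / median_seconds("alice")


if __name__ == "__main__":
    print("vulnerable ratio:", round(timing_ratio(login_vulnerable), 3))
    print("hardened ratio:  ", round(timing_ratio(login_hardened), 3))
```

Equalising the hash work closes the large gap; residual differences (database lookup cost, cache state) remain and are usually handled with rate limiting and lockout on the login endpoint rather than by further timing equalisation.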
Schneider Electric Modicon M340, BMXNOE0100, and BMXNOE0110 Files or Directories Accessible to External Parties (CVE-2024-5056)
CWE-552: Files or Directories Accessible to External Parties vulnerability exists which may prevent a user from updating the device firmware and prevent proper behavior of the webserver when specific files or directories are removed from the filesystem. This plugin only works with Tenable.ot. Please...
CVE-2024-42364 homepage DNS rebinding vulnerability (GHSL-2024-096)
Homepage is a highly customizable homepage with Docker and service API integrations. The default setup of homepage 0.9.1 is vulnerable to DNS rebinding. Homepage is set up without a certificate or authentication by default, leaving it vulnerable to DNS rebinding. In this attack, an attacker will...
Filament Excel Vulnerable to Path Traversal Attack on Export Download Endpoint
Impact: The export download route /filament-excel/path allowed downloading any file without login when the webserver allows ../ in the URL. Patches: Patched with version v2.3.3. Credits: Thanks to Kevin Pohl for reporting this...
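Added example for the download-endpoint traversal entry above (not Filament Excel code, which is PHP; the pattern is shown in Python): a naive join of the requested path onto the export directory, beside a resolver that decodes the request, resolves symlinks and refuses anything that does not land on a regular file inside the export directory. The directory layout, file names and request strings are constructed for illustration.

```python
"""Path traversal on a file-download endpoint: naive join versus a resolver
that confines the request to the export directory. Added example, not the
project's code; the layout and request paths are constructed."""
import os
import tempfile
from urllib.parse import unquote


def build_fixture():
    """Constructed layout: <root>/exports/report.xlsx is a legitimate export,
    <root>/secret.env sits outside the export directory."""
    root = tempfile.mkdtemp()
    export_dir = os.path.join(root, "exports")
    os.makedirs(export_dir)
    with open(os.path.join(export_dir, "report.xlsx"), "wb") as fh:
        fh.write(b"PK\x03\x04constructed")
    with open(os.path.join(root, "secret.env"), "w") as fh:
        fh.write("DB_PASSWORD=constructed\n")
    return root, export_dir


def resolve_naive(export_dir: str, requested: str) -> str:
    """Vulnerable pattern: join the user-supplied path onto the export
    directory. ``..`` segments escape it, and an absolute path replaces it
    entirely. The web server may already have decoded %2F, so decoding here
    mirrors what the handler actually sees."""
    return os.path.normpath(os.path.join(export_dir, unquote(requested)))


def resolve_confined(export_dir: str, requested: str):
    """Hardened pattern: decode, resolve symlinks on both sides, and require
    the result to be a regular file strictly inside the export directory.
    Returns the absolute path, or None (answer 404/403, do not echo the path)."""
    base = os.path.realpath(export_dir)
    candidate = os.path.realpath(os.path.join(base, unquote(requested)))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:        # different drives on Windows
        inside = False
    if not inside or candidate == base or not os.path.isfile(candidate):
        return None
    return candidate


if __name__ == "__main__":
    _, exports = build_fixture()
    for req in ("report.xlsx", "../secret.env", "..%2Fsecret.env", "/etc/passwd"):
        print(f"{req:20} naive={resolve_naive(exports, req)}"
              f"  confined={resolve_confined(exports, req)}")
```

Authorization is a separate check: the advisory's "without login" condition means the route also needs an authenticated, authorized caller before any path resolution happens; confinement only limits what an authorized caller can reach.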