Lucene search
K

436 matches found

Github Security Blog
Github Security Blog
added 2025/03/05 7:3 p.m.17 views

REDAXO allows Authenticated Reflected Cross Site Scripting - packages installation

Summary Reflected cross-site scripting XSS is a type of web vulnerability that occurs when a web application fails to properly sanitize user input, allowing an attacker to inject malicious code into the application's response to a user's request. When the user's browser receives the response, the...

6.1CVSS6AI score0.00266EPSS
Exploits1References3Affected Software1
RedhatCVE
RedhatCVE
added 2025/02/13 7:35 p.m.12 views

CVE-2023-42457

plone.rest allows users to use HTTP verbs such as GET, POST, PUT, DELETE, etc. in Plone. Starting in the 2.x branch and prior to versions 2.0.1 and 3.0.1, when the ++api++ traverser is accidentally used multiple times in a url, handling it takes increasingly longer, making the server less...

7.5CVSS6.5AI score0.00822EPSS
Exploits0References6
NVD
NVD
added 2025/01/31 8:15 a.m.17 views

CVE-2024-53007

Bentley Systems ProjectWise Integration Server before 10.00.03.288 allows unintended SQL query execution by an authenticated user via an API call...

6.4CVSS0.00126EPSS
Exploits0References1
Cvelist
Cvelist
added 2025/01/31 12:0 a.m.16 views

CVE-2024-53007

Bentley Systems ProjectWise Integration Server before 10.00.03.288 allows unintended SQL query execution by an authenticated user via an API call...

6.4CVSS0.00126EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2024/12/17 5:28 p.m.9 views

CVE-2024-42194 HCL BigFix Inventory is affected by an access control vulnerability

An improper handling of insufficient permissions or privileges affects HCL BigFix Inventory. An attacker having access via a read-only account can possibly change certain configuration parameters by crafting a specific REST API call...

3.1CVSS7.2AI score0.00257EPSS
Exploits0References1
Cvelist
Cvelist
added 2024/12/02 10:18 a.m.35 views

CVE-2024-43048 Stack-based Buffer Overflow in Performance

Memory corruption when invalid input is passed to invoke GPU Headroom API call...

7.8CVSS0.00103EPSS
Exploits0References1
NVD
NVD
added 2024/09/13 6:15 p.m.32 views

CVE-2024-45104

A valid, authenticated LXCA user without sufficient privileges may be able to use the device identifier to modify an LXCA managed device through a specially crafted web API call...

6.5CVSS0.00202EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2024/09/13 5:28 p.m.23 views

CVE-2024-45104

A valid, authenticated LXCA user without sufficient privileges may be able to use the device identifier to modify an LXCA managed device through a specially crafted web API call...

6.3CVSS6.6AI score0.00202EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2024/09/02 4:26 p.m.19 views

CVE-2024-43801 Privilege escalation to admin from a low-privileged user via SVG upload in Jellyfin

Jellyfin is an open source self hosted media server. The Jellyfin user profile image upload accepts SVG files, allowing for a stored XSS attack against an admin user via a specially crafted malicious SVG file. When viewed by an admin outside of the Jellyfin Web UI e.g. via "view image" in a...

4.6CVSS5.9AI score0.00346EPSS
Exploits0References2
CVE
CVE
added 2024/09/02 4:26 p.m.325 views

CVE-2024-43801

CVE-2024-43801 affects Jellyfin (self-hosted media server). The vulnerability arises from accepting SVG uploads for user profiles, enabling a stored XSS that could let an admin load a crafted SVG outside Jellyfin’s Web UI, interact with the browser LocalStorage, and exfiltrate an AccessToken to e...

5.4CVSS4.6AI score0.00346EPSS
Exploits0References3Affected Software1
Cvelist
Cvelist
added 2024/09/02 4:26 p.m.49 views

CVE-2024-43801 Privilege escalation to admin from a low-privileged user via SVG upload in Jellyfin

Jellyfin is an open source self hosted media server. The Jellyfin user profile image upload accepts SVG files, allowing for a stored XSS attack against an admin user via a specially crafted malicious SVG file. When viewed by an admin outside of the Jellyfin Web UI e.g. via "view image" in a...

4.6CVSS0.00346EPSS
Exploits0References2
OSV
OSV
added 2024/09/02 4:26 p.m.10 views

CVE-2024-43801 Privilege escalation to admin from a low-privileged user via SVG upload in Jellyfin

Jellyfin is an open source self hosted media server. The Jellyfin user profile image upload accepts SVG files, allowing for a stored XSS attack against an admin user via a specially crafted malicious SVG file. When viewed by an admin outside of the Jellyfin Web UI e.g. via "view image" in a...

4.6CVSS6.1AI score0.00346EPSS
Exploits0References5
Cvelist
Cvelist
added 2024/08/28 4:30 p.m.30 views

CVE-2024-7744 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Progress WS_FTP Server

In WSFTP Server versions before 8.8.8 2022.0.8, an Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability in the Web Transfer Module allows File Discovery, Probe System Files, User-Controlled Filename, Path Traversal. An authenticated file download flaw has...

6.5CVSS0.00688EPSS
Exploits0References2
CVE
CVE
added 2024/08/28 4:30 p.m.79 views

CVE-2024-7744

CVE-2024-7744 affects Progress WS_FTP Server prior to 8.8.8 (2022.0.8). The flaw is a Path Traversal in the Web Transfer Module that enables file discovery, probing system files, and user-controlled filename manipulation; additionally, an authenticated API call can download a file from an arbitra...

6.5CVSS6.7AI score0.00688EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2024/08/21 3:11 p.m.8 views

GO-2022-0540 Mattermost users could access some sensitive information via API call in github.com/mattermost/mattermost-server

Mattermost users could access some sensitive information via API call in github.com/mattermost/mattermost-server...

6.5CVSS6.2AI score0.00768EPSS
Exploits0References3
OSV
OSV
added 2024/08/12 1:38 p.m.7 views

AZL-47771 CVE-2024-43167 affecting package unbound for versions less than 1.19.1-4

DISPUTE NOTE: this issue does not pose a security risk as it according to analysis by the original software developer, NLnet Labs falls within the expected functionality and security controls of the application. Red Hat has made a claim that there is a security risk within Red Hat products. NLnet...

2.8CVSS5.7AI score0.00363EPSS
Exploits0References1
OSV
OSV
added 2024/08/12 1:38 p.m.9 views

AZL-47779 CVE-2024-43167 affecting package unbound for versions less than 1.19.1-3

DISPUTE NOTE: this issue does not pose a security risk as it according to analysis by the original software developer, NLnet Labs falls within the expected functionality and security controls of the application. Red Hat has made a claim that there is a security risk within Red Hat products. NLnet...

2.8CVSS5.7AI score0.00363EPSS
Exploits0References1
OSV
OSV
added 2024/06/20 6:34 p.m.29 views

GHSA-H95X-26F3-88HR js2py allows remote code execution

An issue in the component js2py.disablepyimport of js2py up to v0.74 allows attackers to execute arbitrary code via a crafted API call...

8.8CVSS6AI score0.04548EPSS
Exploits22References5
Github Security Blog
Github Security Blog
added 2024/06/20 6:34 p.m.38 views

js2py allows remote code execution

An issue in the component js2py.disablepyimport of js2py up to v0.74 allows attackers to execute arbitrary code via a crafted API call...

5.3CVSS7.3AI score0.04548EPSS
Exploits22References5Affected Software1
NVD
NVD
added 2024/06/20 5:15 p.m.20 views

CVE-2024-28397

An issue in the component js2py.disablepyimport of js2py up to v0.74 allows attackers to execute arbitrary code via a crafted API call...

5.3CVSS0.04548EPSS
Exploits22References2
Rows per page
Query Builder