Lucene search

3898 matches found

CVE
added 2024/07/19 2:26 p.m. · 50 views

CVE-2024-0006

CVE-2024-0006 affects Yugabyte Platform’s logging system, where sensitive database credentials can be exposed in log files. The issue enables local attackers with access to application logs to obtain DB user credentials, potentially granting unauthorized database access. The available documents d...

CVSS 5.4 · AI score 6.2 · EPSS 0.00266
Exploits 0 · References 3
CNVD
added 2024/07/19 12:0 a.m. · 5 views

ThinkSAAS SQL Injection Vulnerability (CNVD-2024-35182)

ThinkSAAS is a fully open-source, flexible and extensible site-building system. A SQL injection vulnerability exists in ThinkSAAS version 3.7.0; it stems from the name parameter in systemactionupdate.php lacking validation of external input; SQL...

CVSS 9.8 · AI score 8 · EPSS 0.0051
Exploits 1 · References 1
OSV
added 2024/07/18 5:15 p.m. · 4 views

CVE-2023-40704

The product does not require unique and complex passwords to be created during installation. Using Philips's default password could jeopardize the PACS system if the password was hacked or leaked. An attacker could gain access to the database impacting system availability and data integrity...

CVSS 9.8 · AI score 5.8 · EPSS 0.00338
Exploits 0 · References 2
Cvelist
added 2024/07/18 5:5 p.m. · 32 views

CVE-2024-40628 Arbitrary File Read in Ansible Playbooks in Jumpserver

JumpServer is an open-source Privileged Access Management (PAM) tool that provides DevOps and IT teams with on-demand and secure access to SSH, RDP, Kubernetes, Database and RemoteApp endpoints through a web browser. An attacker can exploit the ansible playbook to read arbitrary files in the celery...

CVSS 10 · EPSS 0.00861
Exploits 0 · References 2
Vulnrichment
added 2024/07/18 5:5 p.m. · 25 views

CVE-2024-40628 Arbitrary File Read in Ansible Playbooks in Jumpserver

JumpServer is an open-source Privileged Access Management (PAM) tool that provides DevOps and IT teams with on-demand and secure access to SSH, RDP, Kubernetes, Database and RemoteApp endpoints through a web browser. An attacker can exploit the ansible playbook to read arbitrary files in the celery...

CVSS 10 · AI score 6.5 · EPSS 0.00861
Exploits 0 · References 2
CVE
added 2024/07/18 5:5 p.m. · 73 views

CVE-2024-40628

CVE-2024-40628 (JumpServer arbitrary file read): The vulnerability arises from exploiting an ansible playbook to read files inside the celery container, which runs as root and has database access. This can lead to sensitive data disclosure, theft of host secrets, creation of admin JumpServer accou...

CVSS 10 · AI score 9.2 · EPSS 0.00861
Exploits 0 · References 2 · Affected Software 1
Vulnrichment
added 2024/07/18 5:4 p.m. · 33 views

CVE-2024-40629 Arbitrary File Write in Ansible Playbooks leads to RCE in Jumpserver

JumpServer is an open-source Privileged Access Management (PAM) tool that provides DevOps and IT teams with on-demand and secure access to SSH, RDP, Kubernetes, Database and RemoteApp endpoints through a web browser. An attacker can exploit the Ansible playbook to write arbitrary files, leading to...

CVSS 10 · AI score 9.8 · EPSS 0.01272
Exploits 0 · References 2
OSV
added 2024/07/18 5:4 p.m. · 9 views

CVE-2024-40629 Arbitrary File Write in Ansible Playbooks leads to RCE in Jumpserver

JumpServer is an open-source Privileged Access Management (PAM) tool that provides DevOps and IT teams with on-demand and secure access to SSH, RDP, Kubernetes, Database and RemoteApp endpoints through a web browser. An attacker can exploit the Ansible playbook to write arbitrary files, leading to...

CVSS 10 · AI score 9 · EPSS 0.01272
Exploits 0 · References 4
Positive Technologies
added 2024/07/18 12:0 a.m. · 6 views

PT-2024-5028 · Unknown +2 · Jumpserver +2

Name of the Vulnerable Software and Affected Versions: JumpServer versions prior to 3.10.12; JumpServer versions prior to 4.0.0. Description: The issue is related to the JumpServer Privileged Access Management (PAM) tool, which provides secure access to various endpoints through a web browser. An...

CVSS 10 · AI score 9.9 · EPSS 0.01272
Exploits 0 · References 12
CNVD
added 2024/07/15 12:0 a.m. · 5 views

SQL Injection Vulnerability in Qingdao Hezheng Information Technology Co.

Qingdao Hezheng Information Technology Co., Ltd. is an enterprise mainly engaged in the software and information technology service industry. A SQL injection vulnerability exists in Qingdao Hezheng Information Technology Co., Ltd.'s Jindouyun HKMP, which can be exploited by attackers to obtain sensiti...

AI score 7.5
Exploits 0
OSV
added 2024/07/11 5:15 a.m. · 2 views

CVE-2024-22280

VMware Aria Automation does not apply correct input validation which allows for SQL-injection in the product. An authenticated malicious user could enter specially crafted SQL queries and perform unauthorised read/write operations in the database...

CVSS 8.1 · AI score 5.8
Exploits 0 · References 1
Positive Technologies
added 2024/07/09 12:0 a.m. · 3 views

PT-2024-27308 · Unknown · Wishlist Member

Name of the Vulnerable Software and Affected Versions: WishList Member X versions prior to 3.26.7. Description: The issue is related to an SQL Injection vulnerability due to improper neutralization of special elements used in an SQL command. This allows for potential exploitation, but specific...

CVSS 10 · AI score 8.2 · EPSS 0.00486
Exploits 0 · References 9
CNVD
added 2024/07/02 12:0 a.m. · 5 views

SQL Injection Vulnerability in Active Security Monitoring Cloud Platform of Dongguan Tongtianxing Software Technology Company Limited (CNVD-2024-33117)

Dongguan Tongtianxing Software Technology Co., Ltd. is a video security service provider. A SQL injection vulnerability exists in Dongguan Tongtianxing Software Technology Co., Ltd.'s active security monitoring cloud platform; an attacker can use the vulnerability to obtain sensitive information fr...

AI score 8.1
Exploits 0
Positive Technologies
added 2024/06/25 12:0 a.m. · 5 views

PT-2024-4324 · Fortra · Filecatalyst Workflow

Name of the Vulnerable Software and Affected Versions: Fortra FileCatalyst Workflow versions 5.1.6 Build 135 and earlier. Description: The issue is related to a SQL injection vulnerability that allows an attacker to modify application data. This can likely result in the creation of administrative...

CVSS 9.8 · AI score 9.3 · EPSS 0.90067
Exploits 5 · References 19
Positive Technologies
added 2024/06/25 12:0 a.m. · 9 views

PT-2024-37331 · WordPress · Quiz Maker

Name of the Vulnerable Software and Affected Versions: Quiz Maker plugin for WordPress versions up to, and including, 6.5.8.3. Description: The issue is related to time-based SQL Injection via the ays questions parameter due to insufficient escaping on the user-supplied parameter and lack of...

CVSS 9.8 · AI score 8.1 · EPSS 0.11755
Exploits 0 · References 11
Positive Technologies
added 2024/06/21 12:0 a.m. · 10 views

PT-2024-18927 · Unknown +1 · Divido Payment Extension +1

Name of the Vulnerable Software and Affected Versions: opencart/opencart versions 0.0.0 through 3.0.3.9. Description: An SQL Injection issue was identified in the Divido payment extension for OpenCart. As an anonymous unauthenticated user, if the Divido payment module is installed, it is possible ...

CVSS 8.1 · AI score 8.6 · EPSS 0.1908
Exploits 2 · References 15
CNNVD
added 2024/06/18 12:0 a.m. · 2 views

Fujitsu ID Link Manager and Fujitsu TIME CREATOR Security Vulnerability

Fujitsu ID Link Manager and Fujitsu TIME CREATOR are both products of Fujitsu, Japan. Fujitsu ID Link Manager is an ID manager. Fujitsu TIME CREATOR is a business content management software. A security vulnerability exists in FUJITSU ID Link Manager and FUJITSU Software TIME CREATOR. An attacker...

CVSS 6.5 · AI score 6.3 · EPSS 0.00438
Exploits 0 · References 4
OSV
added 2024/06/13 3:15 p.m. · 4 views

CVE-2024-28968

Dell SCG, versions prior to 5.24.00.00, contains an Improper Access Control vulnerability in the SCG-exposed internal email and collection settings REST APIs, if enabled by an Admin user from the UI. A remote low-privileged attacker could potentially exploit this vulnerability, leading to the executio...

CVSS 5.4 · AI score 5.9 · EPSS 0.00349
Exploits 0 · References 1
CVE
added 2024/06/13 3:5 p.m. · 74 views

CVE-2024-28969

Dell SCG prior to version 5.24.00.00 contains an Improper Access Control vulnerability in an internal update REST API that is only accessible if enabled by an Admin from the UI. A remote low-privileged attacker could potentially trigger this API and cause execution of certain admin-only APIs agai...

CVSS 4.3 · AI score 7 · EPSS 0.00424
Exploits 0 · References 1 · Affected Software 1
Vulnrichment
added 2024/06/13 3:1 p.m. · 16 views

CVE-2024-28968

Dell SCG, versions prior to 5.24.00.00, contains an Improper Access Control vulnerability in the SCG-exposed internal email and collection settings REST APIs, if enabled by an Admin user from the UI. A remote low-privileged attacker could potentially exploit this vulnerability, leading to the executio...

CVSS 5.4 · AI score 7.2 · EPSS 0.00349
Exploits 0 · References 1