Lucene search
K

151 matches found

CNNVD
CNNVD
added 2024/10/16 12:0 a.m.7 views

Google Cloud Migrate 安全漏洞

Google Cloud Migrate is a cloud architecture center of Google, Inc USA. A security vulnerability exists in Google Cloud Migrate versions 1.1.0 through 1.2.2 that stems from the presence of insecure default user permissions...

7.8CVSS6.7AI score0.00073EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2024/09/26 9:31 p.m.20 views

Vault SSH Secrets Engine Configuration Did Not Restrict Valid Principals By Default

Vault’s SSH secrets engine did not require the validprincipals list to contain a value by default. If the validprincipals and defaultuser fields of the SSH secrets engine configuration are not set, an SSH certificate requested by an authorized user to Vault’s SSH secrets engine could be used to...

8.8CVSS6.8AI score0.00269EPSS
Exploits0References8Affected Software2
OSV
OSV
added 2024/09/26 7:52 p.m.4 views

CVE-2024-7594 Vault SSH Secrets Engine Configuration Did Not Restrict Valid Principals By Default

Vault’s SSH secrets engine did not require the validprincipals list to contain a value by default. If the validprincipals and defaultuser fields of the SSH secrets engine configuration are not set, an SSH certificate requested by an authorized user to Vault’s SSH secrets engine could be used to...

7.5CVSS7.1AI score0.00269EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2024/09/26 7:52 p.m.9 views

CVE-2024-7594 Vault SSH Secrets Engine Configuration Did Not Restrict Valid Principals By Default

Vault’s SSH secrets engine did not require the validprincipals list to contain a value by default. If the validprincipals and defaultuser fields of the SSH secrets engine configuration are not set, an SSH certificate requested by an authorized user to Vault’s SSH secrets engine could be used to...

7.5CVSS6.9AI score0.00269EPSS
Exploits0References1
Cvelist
Cvelist
added 2024/09/26 7:52 p.m.16 views

CVE-2024-7594 Vault SSH Secrets Engine Configuration Did Not Restrict Valid Principals By Default

Vault’s SSH secrets engine did not require the validprincipals list to contain a value by default. If the validprincipals and defaultuser fields of the SSH secrets engine configuration are not set, an SSH certificate requested by an authorized user to Vault’s SSH secrets engine could be used to...

7.5CVSS0.00269EPSS
Exploits0References1
OSV
OSV
added 2024/08/17 9:15 a.m.2 views

DEBIAN-CVE-2024-42312

In the Linux kernel, the following vulnerability has been resolved: sysctl: always initialize iuid/igid Always initialize iuid/igid inside the sysfs core so setownership can safely skip setting them. Commit 5ec27ec735ba "fs/proc/procsysctl.c: fix the default values of iuid/igid on /proc/sys...

5.5CVSS5.4AI score0.00216EPSS
Exploits0References1
CNNVD
CNNVD
added 2024/08/15 12:0 a.m.5 views

eLabFTW 安全漏洞

eLabFTW is an open source experimental data hosting platform from eLabFTW Open Source. The platform runs on Linux and supports storing a wide range of objects. A security vulnerability exists in versions prior to eLabFTW 5.0.0 that stems from allowing administrators to create new users by default...

5.4CVSS6.4AI score0.00242EPSS
Exploits0References3
OSV
OSV
added 2024/07/02 11:15 a.m.4 views

CVE-2024-6099

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthenticated bypass to user registration in versions up to, and including, 4.2.6.8.1. This is due to missing checks in the 'checkvalidatefields' function in the checkout. This makes it possible for unauthenticated...

5.3CVSS5.8AI score0.0042EPSS
Exploits0References3
OSV
OSV
added 2024/06/10 4:39 p.m.46 views

GO-2024-2784 Rancher Recreates Default User With Known Password Despite Deletion in github.com/rancher/rancher

Rancher Recreates Default User With Known Password Despite Deletion in github.com/rancher/rancher...

9.8CVSS9.5AI score0.01604EPSS
Exploits0References3
NVD
NVD
added 2024/04/29 7:15 p.m.37 views

CVE-2024-0840

The Grandstream UCM Series IP PBX before firmware version 1.0.20.52 is affected by a parameter injection vulnerability in the HTTP interface. A remote and authenticated attacker can execute arbitrary code by sending a crafted HTTP request. Authentication may be possible using a default user and...

8.8CVSS8.8AI score0.0088EPSS
Exploits0References1
CVE
CVE
added 2024/04/29 6:42 p.m.68 views

CVE-2024-0840

CVE-2024-0840 affects Grandstream UCM Series IP PBX firmwares prior to 1.0.20.52 (UCM6202/6204/6208/6510). A parameter injection vulnerability in the HTTP interface allows a remote, authenticated attacker to execute arbitrary code by sending a crafted HTTP request; authentication may be possible ...

8.8CVSS8AI score0.0088EPSS
Exploits0References1
Prion
Prion
added 2024/03/03 3:15 p.m.21 views

Design/Logic Flaw

As a default user on a multi-user instance of AnythingLLM, you could execute a call to the /export-data endpoint of the system and then unzip and read that export that would enable you do exfiltrate data of the system at that save state. This would require the attacked to be granted explicit acce...

5.5CVSS7.3AI score0.00579EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2024/03/03 2:13 p.m.13 views

CVE-2024-0765 Default user role exporting save state of instance

As a default user on a multi-user instance of AnythingLLM, you could execute a call to the /export-data endpoint of the system and then unzip and read that export that would enable you do exfiltrate data of the system at that save state. This would require the attacked to be granted explicit acce...

9.6CVSS9.2AI score0.00579EPSS
Exploits1References2
Cvelist
Cvelist
added 2024/03/03 2:13 p.m.28 views

CVE-2024-0765 Default user role exporting save state of instance

As a default user on a multi-user instance of AnythingLLM, you could execute a call to the /export-data endpoint of the system and then unzip and read that export that would enable you do exfiltrate data of the system at that save state. This would require the attacked to be granted explicit acce...

9.6CVSS9.4AI score0.00579EPSS
Exploits1References2
Positive Technologies
Positive Technologies
added 2024/03/03 12:0 a.m.5 views

PT-2024-15802 · Unknown · Anything-Llm

Name of the Vulnerable Software and Affected Versions: AnythingLLM affected versions not specified Description: The issue allows a default user on a multi-user instance to execute a call to the "/export-data" endpoint, enabling them to exfiltrate data of the system at that save state. This requir...

9.6CVSS7.1AI score0.00579EPSS
Exploits1References8
NVD
NVD
added 2024/02/27 2:15 p.m.25 views

CVE-2024-0551

Enable exports of the database and associated exported information of the system via the default user role. The attacked would have to have been granted access to the system prior to the attack. It is worth noting that the deterministic nature of the export name is lower risk as the UI for...

7.1CVSS7AI score0.00562EPSS
Exploits1References2
Prion
Prion
added 2024/02/27 2:15 p.m.16 views

Design/Logic Flaw

Enable exports of the database and associated exported information of the system via the default user role. The attacked would have to have been granted access to the system prior to the attack. It is worth noting that the deterministic nature of the export name is lower risk as the UI for...

5.5CVSS7.2AI score0.00562EPSS
Exploits1References2
OSV
OSV
added 2024/02/27 2:7 p.m.21 views

CVE-2024-0551 Download and export of file via default user role

Enable exports of the database and associated exported information of the system via the default user role. The attacked would have to have been granted access to the system prior to the attack. It is worth noting that the deterministic nature of the export name is lower risk as the UI for...

7.1CVSS7AI score0.00562EPSS
Exploits1References4
Vulnrichment
Vulnrichment
added 2024/02/27 2:7 p.m.10 views

CVE-2024-0551 Download and export of file via default user role

Enable exports of the database and associated exported information of the system via the default user role. The attacked would have to have been granted access to the system prior to the attack. It is worth noting that the deterministic nature of the export name is lower risk as the UI for...

7.1CVSS7AI score0.00562EPSS
Exploits1References2
CVE
CVE
added 2024/02/27 2:7 p.m.117 views

CVE-2024-0551

CVE-2024-0551 describes an access-control error that allows exporting the database and related data via the default user role for users with prior system access. The export mechanism uses a deterministic name, and the download is initiated by the UI before the export is deleted from the system, i...

7.1CVSS7AI score0.00562EPSS
Exploits1References2Affected Software1
Rows per page
Query Builder