278 matches found

Cvelist
added 2025/03/28 10:02 a.m.

CVE-2024-10307 Allocation of Resources Without Limits or Throttling in GitLab

An issue has been discovered in GitLab EE/CE affecting all versions from 12.10 before 17.8.6, 17.9 before 17.9.3, and 17.10 before 17.10.1. A maliciously crafted file can cause uncontrolled CPU consumption when viewing the associated merge request...

CVSS 4.3, EPSS 0.00087
Exploits 0, References 2
CVE
added 2025/03/20 10:10 a.m.

CVE-2024-9056

CVE-2024-9056 affects BentoML v1.3.4post1 and is a Denial of Service (DoS) caused by improper handling of multipart boundaries. An attacker can append characters to the end of a multipart boundary in HTTP requests, causing the server to repeatedly process input and exhaust resources, leading to s...

CVSS 7.5, AI score 6.8, EPSS 0.00304
Exploits 0, References 1
CVE
added 2025/03/20 10:09 a.m.

CVE-2024-8984

The CVE-2024-8984 entry describes a Denial of Service vulnerability in berriai/litellm v1.44.5 caused by improper handling of multipart HTTP boundaries. An attacker can append characters to the boundary, triggering unbounded resource consumption and service unavailability. The issue is unauthenti...

CVSS 7.5, AI score 7.4, EPSS 0.00641
Exploits 1, References 2, Affected software 1
CVE
added 2025/02/27 12:00 a.m.

CVE-2024-41338

CVE-2024-41338 describes a NULL pointer dereference in DrayTek Vigor devices that allows a Denial of Service (DoS) when handling crafted DHCP requests. Affected devices and minimum vulnerable/patch versions include: Vigor 165/166 prior to 4.2.6; 2620/LTE200 prior to 3.9.8.8; 2860/2925 prior to 3....

CVSS 7.5, AI score 6.8, EPSS 0.0014
Exploits 0, References 2, Affected software 1
OSV
added 2025/02/20 6:15 p.m.

CVE-2024-54959

Nagios XI 2024R1.2.2 is vulnerable to a Cross-Site Request Forgery (CSRF) attack through the Favorites component, enabling POST-based Cross-Site Scripting (XSS)...

CVSS 6.1, AI score 5.8, EPSS 0.00384
Exploits 0, References 1
CNNVD
added 2025/02/12 12:00 a.m.

Q-Free MAXTIME Suite access control error vulnerability

Q-Free MAXTIME Suite is a software suite for local traffic signal management from Q-Free. An access control error vulnerability exists in Q-Free MAXTIME Suite version 2.11.0 and prior versions, which stems from a lack of authentication for critical functions in maxprofile/menu/routes.lua. An...

CVSS 9.8, AI score 6.7, EPSS 0.00752
Exploits 0, References 1
CNNVD
added 2025/02/12 12:00 a.m.

Q-Free MAXTIME Suite access control error vulnerability

Q-Free MAXTIME Suite is a software suite for local traffic signal management from Q-Free. An access control error vulnerability exists in Q-Free MAXTIME Suite version 2.11.0 and prior versions, which stems from a lack of authentication for critical functions in maxprofile/setup/routes.lua. An...

CVSS 9.1, AI score 6.7, EPSS 0.01246
Exploits 0, References 1
RedhatCVE
added 2025/02/09 2:16 p.m.

CVE-2025-1108

Insufficient data authenticity verification vulnerability in Janto, versions prior to r12. This allows an unauthenticated attacker to modify the content of emails sent to reset the password. To exploit the vulnerability, the attacker must create a POST request by injecting malicious content into...

CVSS 8.6, AI score 6.7, EPSS 0.00058
Exploits 0, References 3
RedhatCVE
added 2025/02/08 4:37 a.m.

CVE-2024-56901

A Cross-Site Request Forgery (CSRF) vulnerability in the Geovision GV-ASWeb application, version 6.1.1.0 or earlier, allows attackers to arbitrarily create Administrator accounts via a crafted GET request. This vulnerability is chained with CVE-2024-56903 for a successful CSRF...

CVSS 8.8, AI score 8, EPSS 0.00666
Exploits 2, References 1
NVD
added 2025/02/07 2:15 p.m.

CVE-2025-1107

Unverified password change vulnerability in Janto, versions prior to r12. This could allow an unauthenticated attacker to change another user's password without knowing their current password. To exploit the vulnerability, the attacker must create a specific POST request and send it to the endpoi...

CVSS 9.9, EPSS 0.0005
Exploits 0, References 1
Vulnrichment
added 2025/02/07 1:38 p.m.

CVE-2025-1107 Unverified password change vulnerability in Janto

Unverified password change vulnerability in Janto, versions prior to r12. This could allow an unauthenticated attacker to change another user's password without knowing their current password. To exploit the vulnerability, the attacker must create a specific POST request and send it to the endpoi...

CVSS 9.9, AI score 9.5, EPSS 0.0005
Exploits 0, References 1
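The three Janto entries (CVE-2025-1108 and the two CVE-2025-1107 records) come down to one missing check: the password-reset email content and the password-change request are accepted without proof that the requester may act for that user. The added example below is not Janto's code; it shows one way to close both gaps. Reset tokens are HMAC-signed and bound to a user and an expiry, so a token that appears in an email cannot be altered to target another account, and a password change is accepted only with the current password or with a valid, single-use token for exactly that user. The user store, server secret, iteration count and clock values are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Optional

SERVER_SECRET = b"example-only-key-replace-me"    # constructed for the example
TOKEN_TTL = 15 * 60                                # seconds a reset token lives
PBKDF2_ROUNDS = 100_000                            # low for the example; tune for production


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class UserStore:
    """In-memory stand-in for the application's user table."""

    def __init__(self) -> None:
        self.users: Dict[str, Dict[str, bytes]] = {}
        self.used_tokens: set = set()

    def add(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "hash": _hash_password(password, salt)}

    def verify(self, username: str, password: str) -> bool:
        rec = self.users.get(username)
        if rec is None:
            return False
        return hmac.compare_digest(rec["hash"], _hash_password(password, rec["salt"]))


def issue_reset_token(username: str, now: Optional[float] = None) -> str:
    """Token = base64(username|expiry|nonce) '.' base64(HMAC over that payload).
    The MAC covers everything the reset email carries about the request, so
    editing the username or expiry in transit invalidates the token."""
    now = time.time() if now is None else now
    payload = f"{username}|{int(now) + TOKEN_TTL}|{secrets.token_hex(8)}".encode()
    mac = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "." +
            base64.urlsafe_b64encode(mac).decode())


def verify_reset_token(token: str, store: UserStore,
                       now: Optional[float] = None) -> Optional[str]:
    """Return the username the token is valid for, or None."""
    now = time.time() if now is None else now
    try:
        p64, m64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(p64)
        mac = base64.urlsafe_b64decode(m64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None                    # content was altered
    username, expiry, _nonce = payload.decode().split("|")
    if now > int(expiry) or token in store.used_tokens:
        return None
    return username if username in store.users else None


def change_password(store: UserStore, username: str, new_password: str,
                    current_password: Optional[str] = None,
                    reset_token: Optional[str] = None,
                    now: Optional[float] = None) -> bool:
    """Accept the change only with proof: the current password, or a reset
    token valid for exactly this user.  A request that merely names a user,
    with neither proof, is refused; that is the check the advisory says
    Janto versions prior to r12 lacked."""
    if current_password is not None and store.verify(username, current_password):
        store.add(username, new_password)
        return True
    if reset_token is not None and verify_reset_token(reset_token, store, now) == username:
        store.used_tokens.add(reset_token)   # single use
        store.add(username, new_password)
        return True
    return False
```

Binding the token to the username inside the MAC'd payload is what stops a token issued for one account from being replayed against another; the `used_tokens` set makes it single-use, and the expiry bounds the window in which an intercepted email is worth anything.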
RedhatCVE
added 2025/02/06 3:31 a.m.

CVE-2021-44385

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.13620121102. A specially crafted HTTP request can lead to a reboot: the device reboots when the SetPtzSerial command's param is not a JSON object. An attacker can send an HTTP request to trigger this vulnerability...

CVSS 8.6, AI score 6.8, EPSS 0.00257
Exploits 1, References 3
RedhatCVE
added 2025/02/06 3:29 a.m.

CVE-2021-44372

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.13620121102. A specially crafted HTTP request can lead to a reboot: the device reboots when the SetLocalLink command's param is not a JSON object. An attacker can send an HTTP request to trigger this vulnerability...

CVSS 8.6, AI score 6.8, EPSS 0.00257
Exploits 1
RedhatCVE
added 2025/02/06 3:26 a.m.

CVE-2021-44409

A denial of service vulnerability exists in the cgiserver.cgi JSON command parser functionality of reolink RLC-410W v3.0.0.13620121102. A specially crafted HTTP request can lead to a reboot: the device reboots when the TestWifi command's param is not a JSON object. An attacker can send an HTTP request to trigger this vulnerability...

CVSS 8.6, AI score 6.8, EPSS 0.00151
Exploits 1
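The three Reolink entries above (CVE-2021-44385, CVE-2021-44372, CVE-2021-44409) describe the same defect in the cgiserver.cgi JSON command parser: a command arrives whose `param` is not a JSON object, the handler treats it as one, and the device reboots. The added example below is not Reolink firmware code; it is a command-batch validator in the same shape, written to show where the type check belongs. It checks that the batch is a JSON array, that each command names a known handler, and that `param` is an object carrying the keys the handler needs, and it returns an error entry for a bad command instead of letting it reach the handler. The command names are the ones the advisories name; the required keys, the handler bodies and the sample batch are assumptions constructed for the example.

```python
import json
from typing import Any, Dict, List, Optional

# Handlers keyed by command name.  Each entry lists the keys its `param`
# object must carry; the key sets are assumptions for this example.
REQUIRED_PARAM_KEYS: Dict[str, set] = {
    "SetPtzSerial": {"PtzSerial"},
    "SetLocalLink": {"LocalLink"},
    "TestWifi":     {"Wifi"},
}


def _handle(cmd: str, param: Dict[str, Any]) -> Dict[str, Any]:
    # Stand-in for the real handler: by the time we get here `param` is a
    # dict with the required keys, so subscripting it cannot fail.
    return {"cmd": cmd, "code": 0,
            "value": {k: param[k] for k in REQUIRED_PARAM_KEYS[cmd]}}


def validate_command(entry: Any) -> Optional[str]:
    """Return an error string if `entry` is not a well-formed command, else None."""
    if not isinstance(entry, dict):
        return "command entry is not an object"
    cmd = entry.get("cmd")
    if not isinstance(cmd, str) or cmd not in REQUIRED_PARAM_KEYS:
        return f"unknown command {cmd!r}"
    param = entry.get("param")
    if not isinstance(param, dict):
        # The condition the advisories describe: `param` present but not a
        # JSON object (a number, string, array, null).  Reject, never deref.
        return f"{cmd}: param is not an object"
    missing = REQUIRED_PARAM_KEYS[cmd] - set(param)
    if missing:
        return f"{cmd}: param missing keys {sorted(missing)}"
    return None


def run_batch(body: bytes, max_commands: int = 32) -> List[Dict[str, Any]]:
    """Parse and run a JSON command batch; a malformed command yields an
    error result for that slot rather than aborting (or crashing) the batch."""
    try:
        batch = json.loads(body)
    except (ValueError, UnicodeDecodeError):
        return [{"code": 1, "error": "body is not valid JSON"}]
    if not isinstance(batch, list):
        return [{"code": 1, "error": "batch is not a JSON array"}]
    if len(batch) > max_commands:
        return [{"code": 1, "error": "too many commands"}]
    results = []
    for entry in batch:
        err = validate_command(entry)
        if err:
            results.append({"code": 1, "error": err})
        else:
            results.append(_handle(entry["cmd"], entry["param"]))
    return results


# Constructed sample batch: one well-formed command followed by three of the
# shapes the advisories describe (param is a number, a string, an array).
SAMPLE_BATCH = json.dumps([
    {"cmd": "TestWifi",     "param": {"Wifi": {"ssid": "lab"}}},
    {"cmd": "SetPtzSerial", "param": 5},
    {"cmd": "SetLocalLink", "param": "x"},
    {"cmd": "TestWifi",     "param": []},
]).encode()

if __name__ == "__main__":
    for result in run_batch(SAMPLE_BATCH):
        print(result)
```

The point is the ordering: every type and key check runs before a handler is selected, so a handler can assume the shape of its input and the dispatcher, not the handler, owns the error path. On a device where the parser runs in the same process as everything else, that is the difference between a 4xx-style error entry and a reboot.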
RedhatCVE
added 2025/02/05 9:36 p.m.

CVE-2022-24822

Podium is a library for building micro frontends. @podium/layout is a module for building a Podium layout server, and @podium/proxy is a module for proxying HTTP requests from a layout server to a podlet server. In @podium/layout prior to version 4.6.110 and @podium/proxy prior to version 4.2.74,...

CVSS 7.5, AI score 6.6, EPSS 0.00834
Exploits 0, References 1
RedhatCVE
added 2025/02/05 7:52 a.m.

CVE-2024-41163

A directory traversal vulnerability exists in the archive functionality of Veertu Anka Build 1.42.0. A specially crafted HTTP request can lead to a disclosure of sensitive information. An attacker can make an unauthenticated HTTP request to trigger this vulnerability...

CVSS 7.5, AI score 6.8, EPSS 0.63607
Exploits 1
RedhatCVE
added 2025/02/05 1:07 a.m.

CVE-2024-28027

Three OS command injection vulnerabilities exist in the web interface I/O configuration functionality of MC Technologies MC LR Router 2.10.5. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger these...

CVSS 7.2, AI score 7.7, EPSS 0.00412
Exploits 1, References 1
CNNVD
added 2025/02/04 12:00 a.m.

Four-Faith F3x36 security vulnerability

The Four-Faith F3x36 is a portable wireless mobile router from Four-Faith China. A security vulnerability exists in Four-Faith F3x36 version v2.0.0, which stems from the use of hard-coded credentials. An attacker could exploit the vulnerability to gain administrative access via a specially crafte...

CVSS 9.8, AI score 6.7, EPSS 0.1585
Exploits 0, References 2
NVD
added 2025/01/31 4:15 p.m.

CVE-2024-53582

An issue found in the Copy and View functions in the File Manager component of OpenPanel v0.3.4 allows attackers to execute a directory traversal via a crafted HTTP request...

CVSS 7.5, EPSS 0.08099
Exploits 5, References 2
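The two directory traversal entries above (Veertu Anka Build's archive functionality, CVE-2024-41163, and OpenPanel's File Manager Copy and View functions, CVE-2024-53582) are one bug class: a user-supplied path is joined onto a base directory without confirming that the result stays inside it. The added example below is code from neither project; it is the containment check a file-serving or file-copying handler should apply. It decodes percent-encoding exactly once, refuses absolute paths and NUL bytes, resolves the joined path with realpath (which collapses `..` and follows symlinks), and then compares the result against the resolved base. The base directory and the requested paths are constructed for the example.

```python
import os
from typing import Dict, List, Optional
from urllib.parse import unquote


def resolve_under(base_dir: str, requested: str) -> Optional[str]:
    """Return the absolute filesystem path for `requested` if it lies strictly
    inside `base_dir`, otherwise None.

    The checks the advisories' bug class skips:
      * decode percent-encoding exactly once (decoding twice would turn
        %252e%252e into '..'), then refuse NUL and empty paths;
      * refuse absolute paths, which os.path.join would otherwise honour
        by discarding the base;
      * compare realpath() results, so '..' segments and symlinks inside
        base_dir cannot point outside it."""
    rel = unquote(requested)
    if rel == "" or "\x00" in rel:
        return None
    if os.path.isabs(rel):
        return None
    base_real = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base_real, rel))
    if target == base_real:
        return None                      # the base itself is not a file to serve
    if os.path.commonpath([base_real, target]) != base_real:
        return None                      # escaped the base
    return target


def classify(base_dir: str, requests: List[str]) -> Dict[str, str]:
    """Map each requested path to 'ok' or 'rejected' for a batch of inputs."""
    return {r: ("ok" if resolve_under(base_dir, r) else "rejected") for r in requests}


# Constructed inputs, not taken from either advisory.
BASE = "/srv/archive"
SAMPLES = [
    "builds/123/log.txt",
    "builds/../builds/124/log.txt",
    "../../etc/passwd",
    "%2e%2e/%2e%2e/etc/passwd",
    "/etc/passwd",
    "builds/123/\x00.txt",
    "",
]

if __name__ == "__main__":
    for path, verdict in classify(BASE, SAMPLES).items():
        print(f"{verdict:8} {path!r}")
```

Two caveats a reviewer would raise: the check compares resolved paths, so a symlink that an attacker can create inside the base (an upload directory, say) still has to be resolved again at open time, ideally with `O_NOFOLLOW` or by opening relative to a directory file descriptor; and on Windows a backslash is a separator, so the same function needs `os.sep` normalisation there.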
NVD
added 2025/01/14 3:15 p.m.

CVE-2024-39800

Multiple external config control vulnerabilities exist in the openvpn.cgi openvpnserversetup functionality of Wavlink AC3000 M33A8.V5030.210505. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger these...

CVSS 9.1, EPSS 0.00479
Exploits 1, References 2
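The MC Technologies MC LR Router entry (CVE-2024-28027) and the Wavlink AC3000 entry (CVE-2024-39800) both end in arbitrary command execution from an authenticated web form: fields from the I/O or OpenVPN setup page are folded into a command or configuration that the firmware then executes. The added example below is not either vendor's code; it shows, in Python for legibility, the two halves a CGI handler needs to avoid that outcome: an allowlist for each field and execution by argv list with no shell in the path. The form field names, the allowlists and the command being built are assumptions for the example; the only thing taken from the advisories is the failure mode.

```python
import re
import subprocess
from typing import Callable, Dict, List, Optional

# Allowlists for the two fields such a form carries.  These field names and
# patterns are assumptions for the example, not the routers' real parameters.
_IFACE_RE = re.compile(r"^[a-z][a-z0-9]{0,14}$")                  # eth0, wlan1
_OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
_IPV4_RE = re.compile(rf"^{_OCTET}(?:\.{_OCTET}){{3}}$")


def shell_string(form: Dict[str, str]) -> str:
    """The pattern the advisories describe, kept only for contrast: form
    fields concatenated into one string destined for a shell.  A value such
    as 'eth0; id' would be parsed by the shell as two commands.  Never run."""
    return f"ip addr add {form.get('addr', '')}/24 dev {form.get('iface', '')}"


def build_ifconfig_argv(form: Dict[str, str]) -> Optional[List[str]]:
    """Validate each field against its allowlist and return an argv list,
    or None if any field fails.  No string is ever handed to a shell, so
    metacharacters in a field cannot change what runs; the allowlist on
    top of that keeps surprising-but-harmless values out of the config."""
    iface = form.get("iface", "")
    addr = form.get("addr", "")
    if not _IFACE_RE.match(iface) or not _IPV4_RE.match(addr):
        return None
    return ["ip", "addr", "add", f"{addr}/24", "dev", iface]


def apply_io_config(form: Dict[str, str],
                    run: Optional[Callable[[List[str]], int]] = None) -> int:
    """Validate, then execute without a shell.  `run` receives the argv list
    and returns an exit status; it defaults to subprocess.run with the
    default shell=False.  Returns 22 (EINVAL) when validation rejects the
    form, before anything executes."""
    argv = build_ifconfig_argv(form)
    if argv is None:
        return 22

    def _default_run(a: List[str]) -> int:
        return subprocess.run(a, check=False).returncode

    return (run or _default_run)(argv)


# Constructed form submissions: one valid, two carrying shell metacharacters.
FORMS = [
    {"iface": "eth0", "addr": "192.168.1.10"},
    {"iface": "eth0; id", "addr": "192.168.1.10"},
    {"iface": "eth0", "addr": "$(id)"},
]

if __name__ == "__main__":
    for form in FORMS:
        print(shell_string(form), "->", build_ifconfig_argv(form))
```

The argv form alone removes the injection: even if `build_ifconfig_argv` let `eth0; id` through, `subprocess.run` with a list would pass it to `ip` as one literal argument. The allowlist is what keeps a malformed interface name from reaching the tool at all, and it is the part that also applies when the field is written into a configuration file rather than a command line, which is the Wavlink case.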