Lucene search
K
NvdMost viewed

363767 matches found

NVD
NVD
added 2023/09/18 10:15 p.m.55 views

CVE-2023-42454

SQLpage is a SQL-only webapp builder. Someone using SQLpage versions prior to 0.11.1, whose SQLpage instance is exposed publicly, with a database connection string specified in the sqlpage/sqlpage.json configuration file not in an environment variable, with the webroot is the current working...

10CVSS9.4AI score0.00602EPSS
Exploits1References3
NVD
NVD
added 2023/08/31 6:15 p.m.55 views

CVE-2023-41034

Eclipse Leshan is a device management server and client Java implementation. In affected versions DDFFileParser and DefaultDDFFileValidator and so ObjectLoader are vulnerable to XXE Attacks. A DDF file is a LWM2M format used to store LWM2M object description. Leshan users are impacted only if the...

9.8CVSS7.1AI score0.00568EPSS
Exploits0References5
NVD
NVD
added 2023/08/29 5:15 p.m.55 views

CVE-2023-41037

OpenPGP.js is a JavaScript implementation of the OpenPGP protocol. In affected versions OpenPGP Cleartext Signed Messages are cryptographically signed messages where the signed text is readable without special tools. These messages typically contain a "Hash: ..." header declaring the hash algorit...

4.3CVSS4.4AI score0.00309EPSS
Exploits1References2
NVD
NVD
added 2023/08/17 2:15 p.m.55 views

CVE-2023-40272

Apache Airflow Spark Provider, versions before 4.1.3, is affected by a vulnerability that allows an attacker to pass in malicious parameters when establishing a connection giving an opportunity to read files on the Airflow server. It is recommended to upgrade to a version that is not affected...

7.5CVSS7.3AI score0.01667EPSS
Exploits0References3
NVD
NVD
added 2023/08/14 8:15 p.m.55 views

CVE-2023-40024

ScanCode.io is a server to script and automate software composition analysis pipelines. In the /license/ endpoint, the detailed view key is not properly validated and sanitized, which can result in a potential cross-site scripting XSS vulnerability when attempting to access a detailed license vie...

6.1CVSS5.6AI score0.00438EPSS
Exploits1References2
NVD
NVD
added 2023/08/07 6:15 a.m.55 views

CVE-2023-0425

ABB is aware of vulnerabilities in the product versions listed below. An update is available that resolves the reported vulnerabilities in the product versions under maintenance. An attacker who successfully exploited one or more of these vulnerabilities could cause the product to stop or make th...

8.6CVSS8.8AI score0.004EPSS
Exploits0References1
NVD
NVD
added 2023/07/14 10:15 p.m.55 views

CVE-2023-38336

netkit-rcp in rsh-client 0.17-24 allows command injection via filenames because /bin/sh is used by susystem, a related issue to CVE-2006-0225, CVE-2019-7283, and CVE-2020-15778...

9.8CVSS0.01763EPSS
Exploits1References1
NVD
NVD
added 2023/06/16 5:15 p.m.55 views

CVE-2023-30625

rudder-server is part of RudderStack, an open source Customer Data Platform CDP. Versions of rudder-server prior to 1.3.0-rc.1 are vulnerable to SQL injection. This issue may lead to Remote Code Execution RCE due to the rudder role in PostgresSQL having superuser permissions by default. Version...

8.8CVSS9.3AI score0.85825EPSS
Exploits4References8
NVD
NVD
added 2023/06/14 6:15 p.m.55 views

CVE-2023-2976

Use of Java's default temporary directory for file creation in FileBackedOutputStream in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files...

7.1CVSS6.4AI score0.00248EPSS
Exploits0References4
NVD
NVD
added 2023/06/01 2:15 a.m.55 views

CVE-2023-28937

DataSpider Servista version 4.4 and earlier uses a hard-coded cryptographic key. DataSpider Servista is data integration software. ScriptRunner and ScriptRunner for Amazon SQS are used to start the configured processes on DataSpider Servista. The cryptographic key is embedded in ScriptRunner and...

8.8CVSS8.7AI score0.00812EPSS
Exploits0References8
NVD
NVD
added 2023/05/18 10:15 p.m.55 views

CVE-2023-30470

A use-after-free related to unsound inference in the bytecode generation when optimizations are enabled for Hermes prior to commit da8990f737ebb9d9810633502f65ed462b819c09 could have been used by an attacker to achieve remote code execution. Note that this is only exploitable in cases where Herme...

9.8CVSS9.9AI score0.01249EPSS
Exploits0References2
NVD
NVD
added 2023/05/08 2:15 p.m.55 views

CVE-2023-0268

The Mega Addons For WPBakery Page Builder WordPress plugin before 4.3.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site...

5.4CVSS5.3AI score0.00444EPSS
Exploits2References1
NVD
NVD
added 2023/04/06 5:15 p.m.55 views

CVE-2023-29008

The SvelteKit framework offers developers an option to create simple REST APIs. This is done by defining a +server.js file, containing endpoint handlers for different HTTP methods. SvelteKit provides out-of-the-box cross-site request forgery CSRF protection to its users. The protection is...

8.8CVSS8.9AI score0.00373EPSS
Exploits1References2
NVD
NVD
added 2023/04/05 4:15 p.m.55 views

CVE-2023-20073

A vulnerability in the web-based management interface of Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an unauthenticated, remote attacker to upload arbitrary files to an affected device. This vulnerability is due to insufficient authorization enforcement...

9.8CVSS7.3AI score0.88874EPSS
Exploits0References1
NVD
NVD
added 2023/03/21 7:15 a.m.55 views

CVE-2023-27982

A CWE-345: Insufficient Verification of Data Authenticity vulnerability exists in the Data Server that could cause manipulation of dashboard files in the IGSS project report directory, when an attacker sends specific crafted messages to the Data Server TCP port, this could lead to remote code...

8.8CVSS8.9AI score0.00403EPSS
Exploits0References1
NVD
NVD
added 2023/02/07 7:15 p.m.55 views

CVE-2023-24814

TYPO3 is a free and open source Content Management Framework released under the GNU General Public License. In affected versions the TYPO3 core component GeneralUtility::getIndpEnv uses the unfiltered server environment variable PATHINFO, which allows attackers to inject malicious content. In...

8.8CVSS8.3AI score0.00831EPSS
Exploits1References7
NVD
NVD
added 2023/01/31 6:15 a.m.55 views

CVE-2022-45789

A CWE-294: Authentication Bypass by Capture-replay vulnerability exists that could cause execution of unauthorized Modbus functions on the controller when hijacking an authenticated Modbus session. Affected Products: EcoStruxure Control Expert All Versions, EcoStruxure Process Expert All Versions...

9.8CVSS9AI score0.01443EPSS
Exploits0References1
NVD
NVD
added 2023/01/27 9:15 p.m.55 views

CVE-2022-39380

Wire web-app is part of Wire communications. Versions prior to 2022-11-02 are subject to Improper Handling of Exceptional Conditions. In the wire-webapp, certain combinations of Markdown formatting can trigger an unhandled error in the conversion to HTML representation. The error makes it...

5.3CVSS5AI score0.00623EPSS
Exploits0References1
NVD
NVD
added 2022/10/25 7:15 p.m.55 views

CVE-2022-39354

SputnikVM, also called evm, is a Rust implementation of Ethereum Virtual Machine. A custom stateful precompile can use the isstatic parameter to determine if the call is executed in a static context via STATICCALL, and thus decide if stateful operations should be done. Prior to version 0.36.0, th...

7.5CVSS0.00538EPSS
Exploits0References2
NVD
NVD
added 2022/10/14 5:15 p.m.55 views

CVE-2021-27406

An attacker can take leverage on PerFact OpenVPN-Client versions 1.4.1.0 and prior to send the config command from any application running on the local host machine to force the back-end server into initializing a new open-VPN instance with arbitrary open-VPN configuration. This could result in t...

8.8CVSS0.00921EPSS
Exploits0References1
NVD
NVD
added 2022/09/26 2:15 p.m.55 views

CVE-2022-39243

NuProcess is an external process execution implementation for Java. In all the versions of NuProcess where it forks processes by using the JVM's JavajavalangUNIXProcessforkAndExec method 1.2.0+, attackers can use NUL characters in their strings to perform command line injection. Java's...

9.8CVSS0.01177EPSS
Exploits1References3
NVD
NVD
added 2022/07/14 3:15 p.m.55 views

CVE-2022-29593

relaycgi.cgi on Dingtian DT-R002 2CH relay devices with firmware 3.1.276A allows an attacker to replay HTTP post requests without the need for authentication or a valid signed/authorized request...

5.9CVSS0.10436EPSS
Exploits5References3
NVD
NVD
added 2022/07/12 10:15 p.m.55 views

CVE-2022-31102

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with 2.3.0 and prior to 2.3.6 and 2.4.5 is vulnerable to a cross-site scripting XSS bug which could allow an attacker to inject arbitrary JavaScript in the /auth/callback page in a victim's browser. This...

6.1CVSS0.005EPSS
Exploits0References3
NVD
NVD
added 2022/06/28 12:15 a.m.55 views

CVE-2022-31104

Wasmtime is a standalone runtime for WebAssembly. In affected versions wasmtime's implementation of the SIMD proposal for WebAssembly on x8664 contained two distinct bugs in the instruction lowerings implemented in Cranelift. The aarch64 implementation of the simd proposal is not affected. The bu...

6.8CVSS0.01625EPSS
Exploits0References6
NVD
NVD
added 2022/04/01 11:15 p.m.55 views

CVE-2022-1159

Rockwell Automation Studio 5000 Logix Designer all versions are vulnerable when an attacker who achieves administrator access on a workstation running Studio 5000 Logix Designer could inject controller code undetectable to a user...

7.7CVSS0.03398EPSS
Exploits0References1
NVD
NVD
added 2022/01/26 8:15 p.m.55 views

CVE-2022-21686

PrestaShop is an Open Source e-commerce platform. Starting with version 1.7.0.0 and ending with version 1.7.8.3, an attacker is able to inject twig code inside the back office when using the legacy layout. The problem is fixed in version 1.7.8.3. There are no known workarounds...

9.8CVSS0.01786EPSS
Exploits0References3
NVD
NVD
added 2021/09/26 7:15 p.m.55 views

CVE-2021-41617

sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used, allows privilege escalation because supplemental groups are not initialized as expected. Helper programs for AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with privileges associated with...

7CVSS0.02367EPSS
Exploits2References15
NVD
NVD
added 2021/08/26 9:15 p.m.55 views

CVE-2021-39165

Cachet is an open source status page. With Cachet prior to and including 2.3.18, there is a SQL injection which is in the SearchableTraitscopeSearch. Attackers without authentication can utilize this vulnerability to exfiltrate sensitive data from the database such as administrator's password and...

8.1CVSS0.09752EPSS
Exploits2References2
NVD
NVD
added 2021/08/08 6:15 a.m.55 views

CVE-2020-36457

An issue was discovered in the lever crate before 0.1.1 for Rust. AtomicBox implements the Send and Sync traits for all types T...

8.1CVSS0.0124EPSS
Exploits1References2
NVD
NVD
added 2021/06/24 12:15 p.m.55 views

CVE-2021-33604

URL encoding error in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.6.1 Vaadin 14.0.0 through 14.6.1, 3.0.0 through 6.0.9 Vaadin 15.0.0 through 19.0.8 allows local user to execute arbitrary JavaScript code by opening crafted URL in browser...

2.5CVSS0.00286EPSS
Exploits0References2
NVD
NVD
added 2021/06/10 5:15 p.m.55 views

CVE-2021-31839

Improper privilege management vulnerability in McAfee Agent for Windows prior to 5.7.3 allows a local user to modify event information in the MA event folder. This allows a local user to either add false events or remove events from the event logs prior to them being sent to the ePO server...

4.8CVSS0.00182EPSS
Exploits0References1
NVD
NVD
added 2021/05/27 12:15 p.m.55 views

CVE-2021-22892

An information disclosure vulnerability exists in the Rocket.Chat server fixed v3.13, v3.12.2 & v3.11.3 that allowed email addresses to be disclosed by enumeration and validation checks...

7.5CVSS0.01864EPSS
Exploits1References1
NVD
NVD
added 2021/05/17 8:15 p.m.55 views

CVE-2021-32622

Matrix-React-SDK is a react-based SDK for inserting a Matrix chat/voip client into a web page. Before version 3.21.0, when uploading a file, the local file preview can lead to execution of scripts embedded in the uploaded file. This can only occur after several user interactions to open the previ...

7.8CVSS0.00373EPSS
Exploits0References2
NVD
NVD
added 2021/03/09 1:15 a.m.55 views

CVE-2021-24033

react-dev-utils prior to v11.0.4 exposes a function, getProcessForPort, where an input argument is concatenated into a command string to be executed. This function is typically used from react-scripts in Create React App projects, where the usage is safe. Only when this function is manually invok...

6.8CVSS0.03289EPSS
Exploits1References2
NVD
NVD
added 2021/03/08 5:15 p.m.55 views

CVE-2021-21327

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.4 non-authenticated user can remotely instantiate object of any class existing in the GLPI environment that can be used to...

7.5CVSS0.02252EPSS
Exploits4References3
NVD
NVD
added 2020/11/20 4:15 a.m.55 views

CVE-2020-5668

Uncontrolled resource consumption vulnerability in MELSEC iQ-R Series modules R00/01/02CPU firmware version '19' and earlier, R04/08/16/32/120 EN CPU firmware version '51' and earlier, R08/16/32/120SFCPU firmware version '22' and earlier, R08/16/32/120PCPU firmware version '25' and earlier,...

7.8CVSS7.5AI score0.04731EPSS
Exploits0References4
NVD
NVD
added 2020/11/09 3:15 p.m.55 views

CVE-2020-8268

Prototype pollution vulnerability in json8-merge-patch npm package 1.0.3 may allow attackers to inject or modify methods and properties of the global object constructor...

7.5CVSS7.4AI score0.01277EPSS
Exploits1References1
NVD
NVD
added 2020/09/09 7:15 p.m.55 views

CVE-2020-1913

An Integer signedness error in the JavaScript Interpreter in Facebook Hermes prior to commit 2c7af7ec481ceffd0d14ce2d7c045e475fd71dc6 allows attackers to cause a denial of service attack or a potential RCE via crafted JavaScript. Note that this is only exploitable if the application using Hermes...

8.1CVSS0.01202EPSS
Exploits0References2
NVD
NVD
added 2020/04/28 2:15 p.m.55 views

CVE-2020-12078

An issue was discovered in Open-AudIT 3.3.1. There is shell metacharacter injection via attributes to an open-audit/configuration/ URI. An attacker can exploit this by adding an excluded IP address to the global discovery settings internally called excludeip. This excludeip value is passed to the...

9CVSS8.7AI score0.09999EPSS
Exploits3References4
NVD
NVD
added 2020/03/03 6:15 p.m.55 views

CVE-2020-5404

The HttpClient from Reactor Netty, versions 0.9.x prior to 0.9.5, and versions 0.8.x prior to 0.8.16, may be used incorrectly, leading to a credentials leak during a redirect to a different domain. In order for this to happen, the HttpClient must have been explicitly configured to follow redirect...

6.5CVSS6.1AI score0.00653EPSS
Exploits0References1
NVD
NVD
added 2020/02/04 8:15 p.m.55 views

CVE-2019-15624

Improper Input Validation in Nextcloud Server 15.0.7 allows group admins to create users with IDs of system folders...

4.9CVSS5.9AI score0.01472EPSS
Exploits1References4
NVD
NVD
added 2019/09/30 12:15 p.m.55 views

CVE-2019-16676

Plataformatec Simple Form has Incorrect Access Control in filemethod? in lib/simpleform/formbuilder.rb, because a user-supplied string is invoked as a method call...

9.8CVSS9.5AI score0.034EPSS
Exploits1References3
NVD
NVD
added 2019/09/12 2:15 p.m.55 views

CVE-2019-10400

A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 and earlier related to the handling of subexpressions in increment and decrement expressions not involving actual assignment allowed attackers to execute arbitrary code in sandboxed scripts...

4.9CVSS5.1AI score0.01047EPSS
Exploits0References2
NVD
NVD
added 2019/09/05 10:15 p.m.55 views

CVE-2019-2123

In execTransact of Binder.java in Android 7.1.1, 7.1.2, 8.0, 8.1, and 9, there is a possible local execution of arbitrary code in a privileged process due to a memory overwrite. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is no...

7.8CVSS7.8AI score0.00163EPSS
Exploits0References1
NVD
NVD
added 2019/08/09 1:15 p.m.55 views

CVE-2019-14312

Aptana Jaxer 1.0.3.4547 is vulnerable to a local file inclusion vulnerability in the wikilite source code viewer. This vulnerability allows a remote attacker to read internal files on the server via a tools/sourceViewer/index.html?filename=../ URI...

6.5CVSS6.3AI score0.20586EPSS
Exploits5References2
NVD
NVD
added 2019/02/28 6:29 p.m.55 views

CVE-2018-18494

A same-origin policy violation allowing the theft of cross-origin URL entries when using the Javascript location property to cause a redirection to another site using performance.getEntries. This is a same-origin policy violation and could allow for data theft. This vulnerability affects...

6.5CVSS7.1AI score0.01549EPSS
Exploits0References15
NVD
NVD
added 2018/07/11 12:29 a.m.55 views

CVE-2018-8171

A Security Feature Bypass vulnerability exists in ASP.NET when the number of incorrect login attempts is not validated, aka "ASP.NET Security Feature Bypass Vulnerability." This affects ASP.NET, ASP.NET Core 1.1, ASP.NET Core 1.0, ASP.NET Core 2.0, ASP.NET MVC 5.2...

7.5CVSS7.4AI score0.09832EPSS
Exploits0References3
NVD
NVD
added 2018/02/09 11:29 p.m.55 views

CVE-2018-1000049

Nanopool Claymore Dual Miner version 7.3 and earlier contains a remote code execution vulnerability by abusing the miner API. The flaw can be exploited only if the software is executed with read/write mode enabled...

7.5CVSS7.9AI score0.77297EPSS
Exploits7References9
NVD
NVD
added 2017/12/12 6:29 p.m.55 views

CVE-2017-17561

SeaCMS 6.56 allows remote authenticated administrators to execute arbitrary PHP code via a crafted token field to admin/adminping.php, which interacts with data/admin/ping.php...

7.2CVSS7.1AI score0.01409EPSS
Exploits4References2
NVD
NVD
added 2014/02/11 5:55 p.m.55 views

CVE-2014-1459

SQL injection vulnerability in dg-admin/index.php in doorGets CMS 5.2 and earlier allows remote authenticated administrators to execute arbitrary SQL commands via the positiondownid parameter. NOTE: this can be leveraged using CSRF to allow remote attackers to execute arbitrary SQL commands...

6.5CVSS7.9AI score0.02269EPSS
Exploits5References7
Total number of security vulnerabilities5000