Lucene search
K
NvdMost viewed

364305 matches found

NVD
NVD
added 2023/10/25 6:17 p.m.55 views

CVE-2023-26571

Missing authentication in the SetStudentNotes method in IDAttend’s IDWeb application 3.1.052 and earlier allows modification of student data by unauthenticated attackers...

7.5CVSS7.7AI score0.00603EPSS
Exploits0References1
NVD
NVD
added 2023/10/10 11:15 a.m.55 views

CVE-2023-44082

A vulnerability has been identified in Tecnomatix Plant Simulation V2201 All versions V2201.0009, Tecnomatix Plant Simulation V2302 All versions V2302.0003. The affected application contains an out of bounds write past the end of an allocated buffer while parsing a specially crafted SPP file. Thi...

7.8CVSS7.8AI score0.00216EPSS
Exploits0References1
NVD
NVD
added 2023/09/18 10:15 p.m.55 views

CVE-2023-42454

SQLpage is a SQL-only webapp builder. Someone using SQLpage versions prior to 0.11.1, whose SQLpage instance is exposed publicly, with a database connection string specified in the sqlpage/sqlpage.json configuration file not in an environment variable, with the webroot is the current working...

10CVSS9.4AI score0.00602EPSS
Exploits1References3
NVD
NVD
added 2023/08/17 2:15 p.m.55 views

CVE-2023-40272

Apache Airflow Spark Provider, versions before 4.1.3, is affected by a vulnerability that allows an attacker to pass in malicious parameters when establishing a connection giving an opportunity to read files on the Airflow server. It is recommended to upgrade to a version that is not affected...

7.5CVSS7.3AI score0.01667EPSS
Exploits0References3
NVD
NVD
added 2023/08/14 8:15 p.m.55 views

CVE-2023-40024

ScanCode.io is a server to script and automate software composition analysis pipelines. In the /license/ endpoint, the detailed view key is not properly validated and sanitized, which can result in a potential cross-site scripting XSS vulnerability when attempting to access a detailed license vie...

6.1CVSS5.6AI score0.00438EPSS
Exploits1References2
NVD
NVD
added 2023/08/07 6:15 a.m.55 views

CVE-2023-0425

ABB is aware of vulnerabilities in the product versions listed below. An update is available that resolves the reported vulnerabilities in the product versions under maintenance. An attacker who successfully exploited one or more of these vulnerabilities could cause the product to stop or make th...

8.6CVSS8.8AI score0.004EPSS
Exploits0References1
NVD
NVD
added 2023/07/14 10:15 p.m.55 views

CVE-2023-38336

netkit-rcp in rsh-client 0.17-24 allows command injection via filenames because /bin/sh is used by susystem, a related issue to CVE-2006-0225, CVE-2019-7283, and CVE-2020-15778...

9.8CVSS0.01763EPSS
Exploits1References1
NVD
NVD
added 2023/06/16 5:15 p.m.55 views

CVE-2023-30625

rudder-server is part of RudderStack, an open source Customer Data Platform CDP. Versions of rudder-server prior to 1.3.0-rc.1 are vulnerable to SQL injection. This issue may lead to Remote Code Execution RCE due to the rudder role in PostgresSQL having superuser permissions by default. Version...

8.8CVSS9.3AI score0.85825EPSS
Exploits4References8
NVD
NVD
added 2023/06/14 6:15 p.m.55 views

CVE-2023-2976

Use of Java's default temporary directory for file creation in FileBackedOutputStream in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files...

7.1CVSS6.4AI score0.00248EPSS
Exploits0References4
NVD
NVD
added 2023/06/01 2:15 a.m.55 views

CVE-2023-28937

DataSpider Servista version 4.4 and earlier uses a hard-coded cryptographic key. DataSpider Servista is data integration software. ScriptRunner and ScriptRunner for Amazon SQS are used to start the configured processes on DataSpider Servista. The cryptographic key is embedded in ScriptRunner and...

8.8CVSS8.7AI score0.00812EPSS
Exploits0References8
NVD
NVD
added 2023/05/18 10:15 p.m.55 views

CVE-2023-30470

A use-after-free related to unsound inference in the bytecode generation when optimizations are enabled for Hermes prior to commit da8990f737ebb9d9810633502f65ed462b819c09 could have been used by an attacker to achieve remote code execution. Note that this is only exploitable in cases where Herme...

9.8CVSS9.9AI score0.01249EPSS
Exploits0References2
NVD
NVD
added 2023/05/02 1:15 p.m.55 views

CVE-2023-2473

A vulnerability was found in Dreamer CMS up to 4.1.3. It has been declared as problematic. This vulnerability affects the function updatePwd of the file UserController.java of the component Password Hash Calculation. The manipulation leads to inefficient algorithmic complexity. The attack can be...

7.5CVSS5.3AI score0.00929EPSS
Exploits0References3
NVD
NVD
added 2023/04/06 5:15 p.m.55 views

CVE-2023-29008

The SvelteKit framework offers developers an option to create simple REST APIs. This is done by defining a +server.js file, containing endpoint handlers for different HTTP methods. SvelteKit provides out-of-the-box cross-site request forgery CSRF protection to its users. The protection is...

8.8CVSS8.9AI score0.00373EPSS
Exploits1References2
NVD
NVD
added 2023/04/05 4:15 p.m.55 views

CVE-2023-20073

A vulnerability in the web-based management interface of Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an unauthenticated, remote attacker to upload arbitrary files to an affected device. This vulnerability is due to insufficient authorization enforcement...

9.8CVSS7.3AI score0.88874EPSS
Exploits0References1
NVD
NVD
added 2023/03/27 4:15 p.m.55 views

CVE-2023-1088

The WP Plugin Manager WordPress plugin before 1.1.8 does not have CSRF check when activating plugins, which could allow attackers to make logged in admins activate arbitrary plugins present on the blog via a CSRF attack...

4.3CVSS4.6AI score0.00252EPSS
Exploits2References1
NVD
NVD
added 2023/03/21 7:15 a.m.55 views

CVE-2023-27982

A CWE-345: Insufficient Verification of Data Authenticity vulnerability exists in the Data Server that could cause manipulation of dashboard files in the IGSS project report directory, when an attacker sends specific crafted messages to the Data Server TCP port, this could lead to remote code...

8.8CVSS8.9AI score0.00403EPSS
Exploits0References1
NVD
NVD
added 2023/02/07 7:15 p.m.55 views

CVE-2023-24814

TYPO3 is a free and open source Content Management Framework released under the GNU General Public License. In affected versions the TYPO3 core component GeneralUtility::getIndpEnv uses the unfiltered server environment variable PATHINFO, which allows attackers to inject malicious content. In...

8.8CVSS8.3AI score0.00831EPSS
Exploits1References7
NVD
NVD
added 2023/01/27 9:15 p.m.55 views

CVE-2022-39380

Wire web-app is part of Wire communications. Versions prior to 2022-11-02 are subject to Improper Handling of Exceptional Conditions. In the wire-webapp, certain combinations of Markdown formatting can trigger an unhandled error in the conversion to HTML representation. The error makes it...

5.3CVSS5AI score0.00623EPSS
Exploits0References1
NVD
NVD
added 2022/12/16 4:15 p.m.55 views

CVE-2021-35252

Common encryption key appears to be used across all deployed instances of Serv-U FTP Server. Because of this an encrypted value that is exposed to an attacker can be simply recovered to plaintext...

7.5CVSS0.00524EPSS
Exploits0References3
NVD
NVD
added 2022/10/25 7:15 p.m.55 views

CVE-2022-39354

SputnikVM, also called evm, is a Rust implementation of Ethereum Virtual Machine. A custom stateful precompile can use the isstatic parameter to determine if the call is executed in a static context via STATICCALL, and thus decide if stateful operations should be done. Prior to version 0.36.0, th...

7.5CVSS0.00538EPSS
Exploits0References2
NVD
NVD
added 2022/10/14 5:15 p.m.55 views

CVE-2021-27406

An attacker can take leverage on PerFact OpenVPN-Client versions 1.4.1.0 and prior to send the config command from any application running on the local host machine to force the back-end server into initializing a new open-VPN instance with arbitrary open-VPN configuration. This could result in t...

8.8CVSS0.00921EPSS
Exploits0References1
NVD
NVD
added 2022/09/26 2:15 p.m.55 views

CVE-2022-39243

NuProcess is an external process execution implementation for Java. In all the versions of NuProcess where it forks processes by using the JVM's JavajavalangUNIXProcessforkAndExec method 1.2.0+, attackers can use NUL characters in their strings to perform command line injection. Java's...

9.8CVSS0.01177EPSS
Exploits1References3
NVD
NVD
added 2022/07/12 10:15 p.m.55 views

CVE-2022-31102

Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Argo CD starting with 2.3.0 and prior to 2.3.6 and 2.4.5 is vulnerable to a cross-site scripting XSS bug which could allow an attacker to inject arbitrary JavaScript in the /auth/callback page in a victim's browser. This...

6.1CVSS0.005EPSS
Exploits0References3
NVD
NVD
added 2022/06/28 12:15 a.m.55 views

CVE-2022-31104

Wasmtime is a standalone runtime for WebAssembly. In affected versions wasmtime's implementation of the SIMD proposal for WebAssembly on x8664 contained two distinct bugs in the instruction lowerings implemented in Cranelift. The aarch64 implementation of the simd proposal is not affected. The bu...

6.8CVSS0.01625EPSS
Exploits0References6
NVD
NVD
added 2022/04/14 8:15 p.m.55 views

CVE-2021-40425

An out-of-bounds read vulnerability exists in the IOCTL GetProcessCommand and B03 of Webroot Secure Anywhere 21.4. A specially-crafted executable can lead to denial of service. An attacker can issue an ioctl to trigger this vulnerability. An out-of-bounds read vulnerability exists in the IOCTL...

7.1CVSS0.00327EPSS
Exploits1References1
NVD
NVD
added 2022/04/01 11:15 p.m.55 views

CVE-2022-1159

Rockwell Automation Studio 5000 Logix Designer all versions are vulnerable when an attacker who achieves administrator access on a workstation running Studio 5000 Logix Designer could inject controller code undetectable to a user...

7.7CVSS0.03398EPSS
Exploits0References1
NVD
NVD
added 2022/01/26 8:15 p.m.55 views

CVE-2022-21686

PrestaShop is an Open Source e-commerce platform. Starting with version 1.7.0.0 and ending with version 1.7.8.3, an attacker is able to inject twig code inside the back office when using the legacy layout. The problem is fixed in version 1.7.8.3. There are no known workarounds...

9.8CVSS0.01786EPSS
Exploits0References3
NVD
NVD
added 2021/09/26 7:15 p.m.55 views

CVE-2021-41617

sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used, allows privilege escalation because supplemental groups are not initialized as expected. Helper programs for AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with privileges associated with...

7CVSS0.02367EPSS
Exploits2References15
NVD
NVD
added 2021/08/26 9:15 p.m.55 views

CVE-2021-39165

Cachet is an open source status page. With Cachet prior to and including 2.3.18, there is a SQL injection which is in the SearchableTraitscopeSearch. Attackers without authentication can utilize this vulnerability to exfiltrate sensitive data from the database such as administrator's password and...

8.1CVSS0.09752EPSS
Exploits2References2
NVD
NVD
added 2021/08/08 6:15 a.m.55 views

CVE-2020-36457

An issue was discovered in the lever crate before 0.1.1 for Rust. AtomicBox implements the Send and Sync traits for all types T...

8.1CVSS0.0124EPSS
Exploits1References2
NVD
NVD
added 2021/07/02 8:15 a.m.55 views

CVE-2021-26920

In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not a...

6.5CVSS0.09877EPSS
Exploits0References6
NVD
NVD
added 2021/06/24 12:15 p.m.55 views

CVE-2021-33604

URL encoding error in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.6.1 Vaadin 14.0.0 through 14.6.1, 3.0.0 through 6.0.9 Vaadin 15.0.0 through 19.0.8 allows local user to execute arbitrary JavaScript code by opening crafted URL in browser...

2.5CVSS0.00286EPSS
Exploits0References2
NVD
NVD
added 2021/05/27 12:15 p.m.55 views

CVE-2021-22892

An information disclosure vulnerability exists in the Rocket.Chat server fixed v3.13, v3.12.2 & v3.11.3 that allowed email addresses to be disclosed by enumeration and validation checks...

7.5CVSS0.01864EPSS
Exploits1References1
NVD
NVD
added 2021/05/17 8:15 p.m.55 views

CVE-2021-32622

Matrix-React-SDK is a react-based SDK for inserting a Matrix chat/voip client into a web page. Before version 3.21.0, when uploading a file, the local file preview can lead to execution of scripts embedded in the uploaded file. This can only occur after several user interactions to open the previ...

7.8CVSS0.00373EPSS
Exploits0References2
NVD
NVD
added 2021/03/08 5:15 p.m.55 views

CVE-2021-21327

GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI before version 9.5.4 non-authenticated user can remotely instantiate object of any class existing in the GLPI environment that can be used to...

7.5CVSS0.02252EPSS
Exploits4References3
NVD
NVD
added 2020/11/20 4:15 a.m.55 views

CVE-2020-5668

Uncontrolled resource consumption vulnerability in MELSEC iQ-R Series modules R00/01/02CPU firmware version '19' and earlier, R04/08/16/32/120 EN CPU firmware version '51' and earlier, R08/16/32/120SFCPU firmware version '22' and earlier, R08/16/32/120PCPU firmware version '25' and earlier,...

7.8CVSS7.5AI score0.04731EPSS
Exploits0References4
NVD
NVD
added 2020/11/09 3:15 p.m.55 views

CVE-2020-8268

Prototype pollution vulnerability in json8-merge-patch npm package 1.0.3 may allow attackers to inject or modify methods and properties of the global object constructor...

7.5CVSS7.4AI score0.01277EPSS
Exploits1References1
NVD
NVD
added 2020/09/09 7:15 p.m.55 views

CVE-2020-1913

An Integer signedness error in the JavaScript Interpreter in Facebook Hermes prior to commit 2c7af7ec481ceffd0d14ce2d7c045e475fd71dc6 allows attackers to cause a denial of service attack or a potential RCE via crafted JavaScript. Note that this is only exploitable if the application using Hermes...

8.1CVSS0.01202EPSS
Exploits0References2
NVD
NVD
added 2020/04/28 2:15 p.m.55 views

CVE-2020-12078

An issue was discovered in Open-AudIT 3.3.1. There is shell metacharacter injection via attributes to an open-audit/configuration/ URI. An attacker can exploit this by adding an excluded IP address to the global discovery settings internally called excludeip. This excludeip value is passed to the...

9CVSS8.7AI score0.09999EPSS
Exploits3References4
NVD
NVD
added 2020/04/22 4:15 p.m.55 views

CVE-2020-10712

A flaw was found in OpenShift Container Platform version 4.1 and later. Sensitive information was found to be logged by the image registry operator allowing an attacker able to gain access to those logs, to read and write to the storage backing the internal image registry. The highest threat from...

8.2CVSS7.3AI score0.0097EPSS
Exploits0References1
NVD
NVD
added 2020/03/03 6:15 p.m.55 views

CVE-2020-5404

The HttpClient from Reactor Netty, versions 0.9.x prior to 0.9.5, and versions 0.8.x prior to 0.8.16, may be used incorrectly, leading to a credentials leak during a redirect to a different domain. In order for this to happen, the HttpClient must have been explicitly configured to follow redirect...

6.5CVSS6.1AI score0.00653EPSS
Exploits0References1
NVD
NVD
added 2019/09/30 12:15 p.m.55 views

CVE-2019-16676

Plataformatec Simple Form has Incorrect Access Control in filemethod? in lib/simpleform/formbuilder.rb, because a user-supplied string is invoked as a method call...

9.8CVSS9.5AI score0.034EPSS
Exploits1References3
NVD
NVD
added 2019/09/12 2:15 p.m.55 views

CVE-2019-10400

A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 and earlier related to the handling of subexpressions in increment and decrement expressions not involving actual assignment allowed attackers to execute arbitrary code in sandboxed scripts...

4.9CVSS5.1AI score0.01047EPSS
Exploits0References2
NVD
NVD
added 2019/09/05 10:15 p.m.55 views

CVE-2019-2123

In execTransact of Binder.java in Android 7.1.1, 7.1.2, 8.0, 8.1, and 9, there is a possible local execution of arbitrary code in a privileged process due to a memory overwrite. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is no...

7.8CVSS7.8AI score0.00163EPSS
Exploits0References1
NVD
NVD
added 2019/08/09 1:15 p.m.55 views

CVE-2019-14312

Aptana Jaxer 1.0.3.4547 is vulnerable to a local file inclusion vulnerability in the wikilite source code viewer. This vulnerability allows a remote attacker to read internal files on the server via a tools/sourceViewer/index.html?filename=../ URI...

6.5CVSS6.3AI score0.20586EPSS
Exploits5References2
NVD
NVD
added 2018/07/11 12:29 a.m.55 views

CVE-2018-8171

A Security Feature Bypass vulnerability exists in ASP.NET when the number of incorrect login attempts is not validated, aka "ASP.NET Security Feature Bypass Vulnerability." This affects ASP.NET, ASP.NET Core 1.1, ASP.NET Core 1.0, ASP.NET Core 2.0, ASP.NET MVC 5.2...

7.5CVSS7.4AI score0.09832EPSS
Exploits0References3
NVD
NVD
added 2014/02/11 5:55 p.m.55 views

CVE-2014-1459

SQL injection vulnerability in dg-admin/index.php in doorGets CMS 5.2 and earlier allows remote authenticated administrators to execute arbitrary SQL commands via the positiondownid parameter. NOTE: this can be leveraged using CSRF to allow remote attackers to execute arbitrary SQL commands...

6.5CVSS7.9AI score0.02269EPSS
Exploits5References7
NVD
NVD
added 2006/06/05 5:2 p.m.55 views

CVE-2006-2806

The SMTP server in Apache Java Mail Enterprise Server aka Apache James 2.2.0 allows remote attackers to cause a denial of service CPU consumption via a long argument to the MAIL command...

7.8CVSS6.6AI score0.06258EPSS
Exploits1References5
NVD
NVD
added 1999/06/03 4:0 a.m.55 views

CVE-1999-1412

A possible interaction between Apple MacOS X release 1.0 and Apache HTTP server allows remote attackers to cause a denial of service crash via a flood of HTTP GET requests to CGI programs, which generates a large number of processes...

5CVSS6.2AI score0.35342EPSS
Exploits0References2
NVD
NVD
added 2026/05/20 5:16 p.m.54 views

CVE-2026-9087

A flaw was found in Keycloak. The cross-session verification proof is keyed only by local userId, idpAlias and is not bound to the upstream identity that was actually verified, so a second upstream account on the same IdP can consume it and get linked to the victim's local account...

8.1CVSS0.00312EPSS
Exploits0References6
Total number of security vulnerabilities5000