Lucene search
K
NvdMost viewed

363813 matches found

NVD
NVD
added 2024/06/10 5:16 p.m.45 views

CVE-2024-36407

SuiteCRM is an open-source Customer Relationship Management CRM software application. In versions prior to 7.14.4 and 8.6.1, a user password can be reset from an unauthenticated attacker. The attacker does not get access to the new password. But this can be annoying for the user. This attack is...

6.5CVSS0.00322EPSS
Exploits0References1
NVD
NVD
added 2024/06/10 1:15 p.m.45 views

CVE-2024-36405

liboqs is a C-language cryptographic library that provides implementations of post-quantum cryptography algorithms. A control-flow timing lean has been identified in the reference implementation of the Kyber key encapsulation mechanism when it is compiled with Clang 15-18 for -Os, -O1, and other...

7.5CVSS0.00515EPSS
Exploits0References4
NVD
NVD
added 2024/06/09 8:15 p.m.45 views

CVE-2024-37569

An issue was discovered on Mitel 6869i through 4.5.0.41 and 5.x through 5.0.0.1018 devices. A command injection vulnerability exists in the hostname parameter taken in by the provis.html endpoint. The provis.html endpoint performs no sanitization on the hostname parameter sent by an authenticated...

8.8CVSS0.03199EPSS
Exploits3References3
NVD
NVD
added 2024/06/07 5:15 p.m.45 views

CVE-2024-30162

Invision Community through 4.7.16 allows remote code execution via the applications/core/modules/admin/editor/toolbar.php IPS\core\modules\admin\editor\toolbar::addPlugin method. This method handles uploaded ZIP files that are extracted into the...

7.2CVSS0.00701EPSS
Exploits2References2
NVD
NVD
added 2024/06/06 7:15 p.m.45 views

CVE-2024-37153

Evmos is the Ethereum Virtual Machine EVM Hub on the Cosmos Network. There is an issue with how to liquid stake using Safe which itself is a contract. The bug only appears when there is a local state change together with an ICS20 transfer in the same function and uses the contract's balance, that...

7.5CVSS0.00618EPSS
Exploits1References2
NVD
NVD
added 2024/06/06 6:15 p.m.45 views

CVE-2024-5268

Sonos Era 100 SMB2 Message Handling Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of Sonos Era 100 smart speakers. Authentication is not required to exploit this...

6.5CVSS0.00458EPSS
Exploits0References1
NVD
NVD
added 2024/06/04 3:15 p.m.45 views

CVE-2024-28999

The SolarWinds Platform was determined to be affected by a Race Condition Vulnerability affecting the web console...

7.5CVSS7AI score0.13913EPSS
Exploits4References2
NVD
NVD
added 2024/05/25 3:15 a.m.45 views

CVE-2024-4858

The Testimonial Carousel For Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'savetestimonialsoptioncallback' function in versions up to, and including, 10.2.0. This makes it possible for unauthenticated attackers to updat...

5.3CVSS5.5AI score0.00402EPSS
Exploits0References3
NVD
NVD
added 2024/05/07 11:15 p.m.45 views

CVE-2022-43655

Bentley View FBX File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Bentley View. User interaction is required to exploit this vulnerability in that the target must visit a...

7.8CVSS8AI score0.00285EPSS
Exploits0References1
NVD
NVD
added 2024/05/03 3:16 a.m.45 views

CVE-2023-51619

D-Link DIR-X3260 prog.cgi SetMyDLinkRegistration Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-X3260 routers. Authentication is required to exploit this...

6.8CVSS7.1AI score0.01126EPSS
Exploits0References2
NVD
NVD
added 2024/05/03 3:15 a.m.45 views

CVE-2023-41216

D-Link DIR-3040 prog.cgi SetDynamicDNSSettings Stack-Based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DIR-3040 routers. Authentication is required to exploit this...

6.8CVSS7.1AI score0.00705EPSS
Exploits0References2
NVD
NVD
added 2024/04/25 6:15 p.m.45 views

CVE-2024-32649

Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, using the sqrt builtin can result in double eval vulnerability when the argument has side-effects. It can be seen that the buildIR function of the sqrt builtin doesn't cache the argument to...

5.3CVSS5.3AI score0.00451EPSS
Exploits0References1
NVD
NVD
added 2024/04/25 4:15 p.m.45 views

CVE-2023-6787

A flaw was found in Keycloak that occurs from an error in the re-authentication mechanism within org.keycloak.authentication. This flaw allows hijacking an active Keycloak session by triggering a new authentication process with the query parameter "prompt=login," prompting the user to re-enter...

8.8CVSS6.4AI score0.00744EPSS
Exploits0References5
NVD
NVD
added 2024/04/09 2:15 p.m.45 views

CVE-2024-28234

Contao is an open source content management system. Starting in version 2.0.0 and prior to versions 4.13.40 and 5.3.4, it is possible to inject CSS styles via BBCode in comments. Installations are only affected if BBCode is enabled. Contao versions 4.13.40 and 5.3.4 have a patch for this issue. A...

4.7CVSS4.5AI score0.00572EPSS
Exploits0References4
NVD
NVD
added 2024/03/31 7:15 p.m.45 views

CVE-2024-31116

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in 10Web 10Web Map Builder for Google Maps.This issue affects 10Web Map Builder for Google Maps: from n/a through 1.0.74...

7.6CVSS7.9AI score0.00541EPSS
Exploits0References1
NVD
NVD
added 2024/03/21 5:15 p.m.45 views

CVE-2024-27956

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in ValvePress Automatic allows SQL Injection.This issue affects Automatic: from n/a through 3.92.0...

9.9CVSS9.8AI score0.93971EPSS
Exploits16References2
NVD
NVD
added 2024/03/21 2:52 a.m.45 views

CVE-2024-28101

The Apollo Router is a graph router written in Rust to run a federated supergraph that uses Apollo Federation. Versions 0.9.5 until 1.40.2 are subject to a Denial-of-Service DoS type vulnerability. When receiving compressed HTTP payloads, affected versions of the Router evaluate the...

7.5CVSS7.5AI score0.0077EPSS
Exploits0References2
NVD
NVD
added 2024/03/12 5:15 p.m.45 views

CVE-2024-21330

Open Management Infrastructure OMI Elevation of Privilege Vulnerability...

7.8CVSS8.7AI score0.00988EPSS
Exploits0References1
NVD
NVD
added 2024/03/06 7:15 p.m.45 views

CVE-2024-24766

CasaOS-UserService provides user management functionalities to CasaOS. Starting in version 0.4.4.3 and prior to version 0.4.7, the Casa OS Login page disclosed the username enumeration vulnerability in the login page. An attacker can enumerate the CasaOS username using the application response. I...

7.5CVSS6.3AI score0.00758EPSS
Exploits1References4
NVD
NVD
added 2024/03/06 6:15 p.m.45 views

CVE-2024-24767

CasaOS-UserService provides user management functionalities to CasaOS. Starting in version 0.4.4.3 and prior to version 0.4.7, CasaOS doesn't defend against password brute force attacks, which leads to having full access to the server. The web application lacks control over the login attempts. Th...

9.8CVSS9.3AI score0.00977EPSS
Exploits1References3
NVD
NVD
added 2024/02/29 11:15 a.m.45 views

CVE-2024-1953

Mattermost versions 8.1.x before 8.1.9, 9.2.x before 9.2.5, 9.3.0, and 9.4.x before 9.4.2 fail to limit the number of role names requested from the API, allowing an authenticated attacker to cause the server to run out of memory and crash by issuing an unusually large HTTP request...

4.3CVSS4.5AI score0.00508EPSS
Exploits0References1
NVD
NVD
added 2024/02/29 5:15 a.m.45 views

CVE-2023-51528

Cross-Site Request Forgery CSRF vulnerability in Senol Sahin AI Power: Complete AI Pack – Powered by GPT-4.This issue affects AI Power: Complete AI Pack – Powered by GPT-4: from n/a through 1.8.12...

8.8CVSS4.6AI score0.00241EPSS
Exploits0References1
NVD
NVD
added 2024/02/21 5:15 p.m.45 views

CVE-2024-26138

The XWiki licensor application, which manages and enforce application licenses for paid extensions, includes the document Licenses.Code.LicenseJSON that provides information for admins regarding active licenses. This document is public and thus exposes this information publicly. The information...

5.3CVSS5.1AI score0.00492EPSS
Exploits0References3
NVD
NVD
added 2024/02/21 3:15 a.m.45 views

CVE-2024-26269

Cross-site scripting XSS vulnerability in the Frontend JS module's portlet.js in Liferay Portal 7.2.0 through 7.4.3.37, and Liferay DXP 7.4 before update 38, 7.3 before update 11, 7.2 before fix pack 20, and older unsupported versions allows remote attackers to inject arbitrary web script or HTML...

9.6CVSS7.8AI score0.00555EPSS
Exploits0References1
NVD
NVD
added 2024/02/08 11:15 p.m.45 views

CVE-2024-25107

WikiDiscover is an extension designed for use with a CreateWiki managed farm to display wikis. On Special:WikiDiscover, the Language::date function is used when making the human-readable timestamp for inclusion on the wikicreation column. This function uses interface messages to translate the nam...

6.1CVSS5.2AI score0.00402EPSS
Exploits0References3
NVD
NVD
added 2024/02/06 2:15 a.m.45 views

CVE-2024-22853

D-LINK Go-RT-AC750 GORTAC750A1FWv101b03 has a hardcoded password for the Alphanetworks account, which allows remote attackers to obtain root access via a telnet session...

9.8CVSS9.4AI score0.04834EPSS
Exploits1References2
NVD
NVD
added 2024/02/02 4:15 p.m.45 views

CVE-2024-23824

mailcow is a dockerized email package, with multiple containers linked in one bridged network. The application is vulnerable to pixel flood attack, once the payload has been successfully uploaded in the logo the application goes slow and doesn't respond in the admin page. It is tested on the...

4.7CVSS4.7AI score0.00597EPSS
Exploits1References3
NVD
NVD
added 2024/01/31 5:15 p.m.45 views

CVE-2024-24566

Lobe Chat is a chatbot framework that supports speech synthesis, multimodal, and extensible Function Call plugin system. When the application is password-protected deployed with the ACCESSCODE option, it is possible to access plugins without proper authorization without password. This vulnerabili...

5.3CVSS5.1AI score0.00482EPSS
Exploits1References2
NVD
NVD
added 2024/01/25 8:15 p.m.45 views

CVE-2024-23656

Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex 2.37.0 serves HTTPS with insecure TLS 1.0 and TLS 1.1. cmd/dex/serve.go line 425 seemingly sets TLS 1.2 as minimum version, but the whole tlsConfig is ignored after TLS cert reloader was introduced in...

7.5CVSS7.4AI score0.00435EPSS
Exploits1References5
NVD
NVD
added 2024/01/23 11:15 p.m.45 views

CVE-2023-47115

Label Studio is an a popular open source data labeling tool. Versions prior to 1.9.2 have a cross-site scripting XSS vulnerability that could be exploited when an authenticated user uploads a crafted image file for their avatar that gets rendered as a HTML file on the website. Executing arbitrary...

7.1CVSS6.3AI score0.01448EPSS
Exploits1References5
NVD
NVD
added 2024/01/19 6:15 p.m.45 views

CVE-2024-22911

A stack-buffer-underflow vulnerability was found in SWFTools v0.9.2, in the function parseExpression at src/swfc.c:2602...

7.8CVSS7.6AI score0.0033EPSS
Exploits1References1
NVD
NVD
added 2024/01/11 8:15 p.m.45 views

CVE-2024-22198

Nginx-UI is a web interface to manage Nginx configurations. It is vulnerable to arbitrary command execution by abusing the configuration settings. The Home Preference page exposes a list of system settings such as Run Mode, Jwt Secret, Node Secret and Terminal Start Command. While the UI doesn't...

8.8CVSS8AI score0.04088EPSS
Exploits2References7
NVD
NVD
added 2024/01/09 10:15 a.m.45 views

CVE-2023-44120

A vulnerability has been identified in Spectrum Power 7 All versions V23Q4. The affected product's sudo configuration permits the local administrative account to execute several entries as root user. This could allow an authenticated local attacker to inject arbitrary code and gain root access...

7.8CVSS7.7AI score0.00148EPSS
Exploits0References1
NVD
NVD
added 2024/01/09 2:15 a.m.45 views

CVE-2023-39336

An unspecified SQL Injection vulnerability in Ivanti Endpoint Manager released prior to 2022 SU 5 allows an attacker with access to the internal network to execute arbitrary SQL queries and retrieve output without the need for authentication. Under specific circumstances, this may also lead to RC...

9.6CVSS9.2AI score0.0997EPSS
Exploits0References1
NVD
NVD
added 2024/01/03 5:15 p.m.45 views

CVE-2024-21631

Vapor is an HTTP web framework for Swift. Prior to version 4.90.0, Vapor's vaporurlparserparse function uses uint16t indexes when parsing a URI's components, which may cause integer overflows when parsing untrusted inputs. This vulnerability does not affect Vapor directly but could impact...

6.5CVSS6.5AI score0.00601EPSS
Exploits0References2
NVD
NVD
added 2024/01/03 4:15 p.m.45 views

CVE-2024-21911

TinyMCE versions before 5.6.0 are affected by a stored cross-site scripting vulnerability. An unauthenticated and remote attacker could insert crafted HTML into the editor resulting in arbitrary JavaScript execution in another user's browser...

6.1CVSS6AI score0.01165EPSS
Exploits1References5
NVD
NVD
added 2024/01/03 4:15 p.m.45 views

CVE-2024-21908

TinyMCE versions before 5.9.0 are affected by a stored cross-site scripting vulnerability. An unauthenticated and remote attacker could insert crafted HTML into the editor resulting in arbitrary JavaScript execution in another user's browser...

6.1CVSS6AI score0.01066EPSS
Exploits1References4
NVD
NVD
added 2023/12/21 9:15 p.m.45 views

CVE-2023-6690

A race condition in GitHub Enterprise Server allowed an existing admin to maintain permissions on transferred repositories by making a GraphQL mutation to alter repository permissions during the transfer. This vulnerability affected GitHub Enterprise Server version 3.8.0 and above and was fixed i...

3.9CVSS0.00326EPSS
Exploits0References4
NVD
NVD
added 2023/12/15 7:15 p.m.45 views

CVE-2023-50723

XWiki Platform is a generic wiki platform. Starting in 2.3 and prior to versions 14.10.15, 15.5.2, and 15.7-rc-1, anyone who can edit an arbitrary wiki page in an XWiki installation can gain programming right through several cases of missing escaping in the code for displaying sections in the...

9.9CVSS0.01188EPSS
Exploits0References8
NVD
NVD
added 2023/12/05 12:15 a.m.45 views

CVE-2023-5808

SMU versions prior to 14.8.7825.01 are susceptible to unintended information disclosure, through URL manipulation. Authenticated users in a Storage administrative role are able to access HNAS configuration backup and diagnostic data, that would normally be barred to that specific administrative...

7.6CVSS0.00544EPSS
Exploits5References1
NVD
NVD
added 2023/12/05 12:15 a.m.45 views

CVE-2023-49290

lestrrat-go/jwx is a Go module implementing various JWx JWA/JWE/JWK/JWS/JWT, otherwise known as JOSE technologies. A p2c parameter set too high in JWE's algorithm PBES2- could lead to a denial of service. The JWE key management algorithms based on PBKDF2 require a JOSE Header Parameter called p2c...

5.3CVSS0.00723EPSS
Exploits1References2
NVD
NVD
added 2023/12/04 6:15 a.m.45 views

CVE-2023-49287

TinyDir is a lightweight C directory and file reader. Buffer overflows in the tinydirfileopen function. This vulnerability has been patched in version 1.2.6...

9.8CVSS0.01854EPSS
Exploits3References5
NVD
NVD
added 2023/11/29 8:15 p.m.45 views

CVE-2023-44383

October is a Content Management System CMS and web platform to assist with development workflow. A user with access to the media manager that stores SVG files could create a stored XSS attack against themselves and any other user with access to the media manager when SVG files are supported. This...

5.4CVSS0.0041EPSS
Exploits0References2
NVD
NVD
added 2023/11/24 5:15 p.m.45 views

CVE-2023-48711

google-translate-api-browser is an npm package which interfaces with the google translate web api. A Server-Side Request Forgery SSRF Vulnerability is present in applications utilizing the google-translate-api-browser package and exposing the translateOptions to the end user. An attacker can set ...

3.7CVSS0.00492EPSS
Exploits1References2
NVD
NVD
added 2023/11/22 10:15 a.m.45 views

CVE-2023-37924

Apache Software Foundation Apache Submarine has an SQL injection vulnerability when a user logs in. This issue can result in unauthorized login. Now we have fixed this issue and now user must have the correct login to access workbench. This issue affects Apache Submarine: from 0.7.0 before...

9.8CVSS0.07167EPSS
Exploits0References3
NVD
NVD
added 2023/11/15 8:15 p.m.45 views

CVE-2023-47636

The Pimcore Admin Classic Bundle provides a Backend UI for Pimcore. Full Path Disclosure FPD vulnerabilities enable the attacker to see the path to the webroot/file. e.g.: /home/omg/htdocs/file/. Certain vulnerabilities, such as using the loadfile within a SQL Injection query to view the page...

5.3CVSS0.0066EPSS
Exploits1References3
NVD
NVD
added 2023/11/14 6:15 p.m.45 views

CVE-2023-45585

An insertion of sensitive information into log file vulnerability CWE-532 in FortiSIEM version 7.0.0, version 6.7.6 and below, version 6.6.3 and below, version 6.5.1 and below, version 6.4.2 and below, version 6.3.3 and below, version 6.2.1 and below, version 6.1.2 and below, version 5.4.0, versi...

3.3CVSS0.0021EPSS
Exploits0References1
NVD
NVD
added 2023/11/13 2:15 a.m.45 views

CVE-2023-34378

Cross-Site Request Forgery CSRF vulnerability in scriptburn.Com WP Hide Post plugin = 2.0.10 versions...

8.8CVSS0.00312EPSS
Exploits0References1
NVD
NVD
added 2023/11/10 6:15 p.m.45 views

CVE-2023-46733

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 5.4.21 and 6.2.7 and prior to versions 5.4.31 and 6.3.8, SessionStrategyListener does not migrate the session after every successful login. It does so only in case the logged in...

6.5CVSS0.00689EPSS
Exploits0References3
NVD
NVD
added 2023/11/06 7:15 p.m.45 views

CVE-2023-46254

capsule-proxy is a reverse proxy for Capsule kubernetes multi-tenancy framework. A bug in the RoleBinding reflector used by capsule-proxy gives ServiceAccount tenant owners the right to list Namespaces of other tenants backed by the same owner kind and name. For example consider two tenants solar...

4.3CVSS4.7AI score0.00415EPSS
Exploits0References2
Total number of security vulnerabilities5000