Lucene search
K
NvdMost viewed

364128 matches found

NVD
NVD
added 2024/07/02 4:15 p.m.42 views

CVE-2024-39316

Rack is a modular Ruby web server interface. Starting in version 3.1.0 and prior to version 3.1.5, Regular Expression Denial of Service ReDoS vulnerability exists in the Rack::Request::Helpers module when parsing HTTP Accept headers. This vulnerability can be exploited by an attacker sending...

6.5CVSS0.00856EPSS
Exploits0References3
NVD
NVD
added 2024/07/01 3:15 p.m.42 views

CVE-2024-6376

MongoDB Compass may be susceptible to code injection due to insufficient sandbox protection settings with the usage of ejson shell parser in Compass' connection handling. This issue affects MongoDB Compass versions prior to version 1.42.2...

9.8CVSS0.0042EPSS
Exploits0References1
NVD
NVD
added 2024/07/01 3:15 p.m.42 views

CVE-2024-21456

Information Disclosure while parsing beacon frame in STA...

9.1CVSS0.00273EPSS
Exploits0References1
NVD
NVD
added 2024/06/27 8:15 p.m.42 views

CVE-2024-6127

BC Security Empire before 5.9.3 is vulnerable to a path traversal issue that can lead to remote code execution. A remote, unauthenticated attacker can exploit this vulnerability over HTTP by acting as a normal agent, completing all cryptographic handshakes, and then triggering an upload of payloa...

9.8CVSS0.10263EPSS
Exploits1References4
NVD
NVD
added 2024/06/27 7:15 p.m.42 views

CVE-2024-6139

A path traversal vulnerability exists in the XTTS server of the parisneo/lollms package version v9.6. This vulnerability allows an attacker to write audio files to arbitrary locations on the system and enumerate file paths. The issue arises from improper validation of user-provided file paths in...

7.3CVSS0.0052EPSS
Exploits0References1
NVD
NVD
added 2024/06/27 7:15 p.m.42 views

CVE-2023-30998

IBM Security Access Manager Docker 10.0.0.0 through 10.0.7.1 could allow a local user to obtain root access due to improper access controls. IBM X-Force ID: 254649...

7.8CVSS0.00231EPSS
Exploits1References3
NVD
NVD
added 2024/06/27 7:15 p.m.42 views

CVE-2023-30997

IBM Security Access Manager Docker 10.0.0.0 through 10.0.7.1 could allow a local user to obtain root access due to improper access controls. IBM X-Force ID: 254638...

7.8CVSS0.00231EPSS
Exploits1References3
NVD
NVD
added 2024/06/27 12:15 p.m.42 views

CVE-2024-6369

A vulnerability classified as problematic has been found in LabVantage LIMS 2017. Affected is an unknown function of the file /labvantage/rc?command=page&sdcid=LVReagentLot of the component POST Request Handler. The manipulation of the argument mode leads to cross site scripting. It is possible t...

5.4CVSS0.00412EPSS
Exploits1References4
NVD
NVD
added 2024/06/25 2:15 a.m.42 views

CVE-2024-23143

A maliciously crafted 3DM, MODEL and XB file, when parsed in ASMkern229A.dll and ASMBASE229A.dll through Autodesk applications, can force an Out-of-Bound Read and/or Out-of-Bound Write. A malicious actor can leverage this vulnerability to cause a crash,read sensitive data, or execute arbitrary co...

7.8CVSS0.00415EPSS
Exploits0References1
NVD
NVD
added 2024/06/24 11:15 p.m.42 views

CVE-2024-22168

A Cross-Site Scripting XSS vulnerability on the My Cloud, My Cloud Home, SanDisk ibi, and WD Cloud web apps was found which could allow an attacker to redirect the user to a crafted domain and reset their credentials, or to execute arbitrary client-side code in the user’s browser session to carry...

5.9CVSS0.00324EPSS
Exploits0References1
NVD
NVD
added 2024/06/24 6:15 a.m.42 views

CVE-2024-4900

The SEOPress WordPress plugin before 7.8 does not validate and escape one of its Post settings, which could allow contributor and above role to perform Open redirect attacks against any user viewing a malicious post...

6.1CVSS0.00329EPSS
Exploits2References1
NVD
NVD
added 2024/06/20 12:15 p.m.42 views

CVE-2022-48766

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Wrap dcn301calculatewmanddlg for FPU. Mirrors the logic for dcn30. Cue lots of WARNs and some kernel panics without this fix...

5.5CVSS0.00182EPSS
Exploits0References2
NVD
NVD
added 2024/06/18 6:15 a.m.42 views

CVE-2024-34024

Observable response discrepancy issue exists in ID Link Manager and FUJITSU Software TIME CREATOR. If this vulnerability is exploited, an unauthenticated remote attacker may determine if a username is valid or not...

6.3CVSS0.00359EPSS
Exploits0References2
NVD
NVD
added 2024/06/17 9:15 p.m.42 views

CVE-2024-34833

Sourcecodester Payroll Management System v1.0 is vulnerable to File Upload. Users can upload images via the "savesettings" page. An unauthenticated attacker can leverage this functionality to upload a malicious PHP file instead. Successful exploitation of this vulnerability results in the ability...

9.8CVSS0.01923EPSS
Exploits4References2
NVD
NVD
added 2024/06/16 9:15 p.m.42 views

CVE-2023-27636

Progress Sitefinity before 15.0.0 allows XSS by authenticated users via the content form in the SF Editor...

6.5CVSS0.01302EPSS
Exploits4References2
NVD
NVD
added 2024/06/14 6:15 a.m.42 views

CVE-2024-3965

The Pray For Me WordPress plugin through 1.0.4 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack...

5.4CVSS0.00198EPSS
Exploits2References1
NVD
NVD
added 2024/06/13 6:15 a.m.42 views

CVE-2024-2098

The Download Manager plugin for WordPress is vulnerable to unauthorized access of data due to an improper authorization check on the 'protectMediaLibrary' function in all versions up to, and including, 3.2.89. This makes it possible for unauthenticated attackers to download password-protected fil...

7.5CVSS0.00454EPSS
Exploits0References2
NVD
NVD
added 2024/06/12 10:15 a.m.42 views

CVE-2023-51524

Missing Authorization vulnerability in weForms.This issue affects weForms: from n/a through 1.6.18...

8.8CVSS0.00335EPSS
Exploits0References1
NVD
NVD
added 2024/06/12 10:15 a.m.42 views

CVE-2023-38395

Missing Authorization vulnerability in Afzal Multani WP Clone Menu.This issue affects WP Clone Menu: from n/a through 1.0.1...

5.4CVSS0.00256EPSS
Exploits0References1
NVD
NVD
added 2024/06/12 7:15 a.m.42 views

CVE-2024-5739

The in-app browser of LINE client for iOS versions below 14.9.0 contains a Universal XSS UXSS vulnerability. This vulnerability allows for cross-site scripting XSS where arbitrary JavaScript can be executed in the top frame from an embedded iframe on any displayed web site within the in-app...

6.1CVSS0.00269EPSS
Exploits0References1
NVD
NVD
added 2024/06/11 9:15 p.m.42 views

CVE-2024-5830

Type Confusion in V8 in Google Chrome prior to 126.0.6478.54 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. Chromium security severity: High...

8.8CVSS0.00924EPSS
Exploits0References4
NVD
NVD
added 2024/06/10 12:15 p.m.42 views

CVE-2024-1228

Use of hard-coded password to the patients' database allows an attacker to retrieve sensitive data stored in the database. The password is the same among all Eurosoft Przychodnia installations. This issue affects Eurosoft Przychodnia software before version 20240417.001 from that version...

9.8CVSS0.00409EPSS
Exploits0References3
NVD
NVD
added 2024/06/10 8:15 a.m.42 views

CVE-2024-35721

Missing Authorization vulnerability in A WP Life Image Gallery – Lightbox Gallery, Responsive Photo Gallery, Masonry Gallery.This issue affects Image Gallery – Lightbox Gallery, Responsive Photo Gallery, Masonry Gallery: from n/a through 1.4.5...

8.8CVSS0.00356EPSS
Exploits0References1
NVD
NVD
added 2024/06/09 7:15 p.m.42 views

CVE-2024-35662

Missing Authorization vulnerability in Andreas Sofantzis Simple COD Fees for WooCommerce.This issue affects Simple COD Fees for WooCommerce: from n/a through 2.0.2...

8.8CVSS0.00351EPSS
Exploits0References1
NVD
NVD
added 2024/06/09 6:15 p.m.42 views

CVE-2024-32703

Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability in reputeinfosystems ARForms arforms.This issue affects ARForms: from n/a through = 6.4...

8.1CVSS0.00577EPSS
Exploits0References2
NVD
NVD
added 2024/06/06 6:15 p.m.42 views

CVE-2024-3033

An improper authorization vulnerability exists in the mintplex-labs/anything-llm application, specifically within the '/api/v/' endpoint and its sub-routes. This flaw allows unauthenticated users to perform destructive actions on the VectorDB, including resetting the database and deleting specifi...

9.4CVSS0.00552EPSS
Exploits1References2
NVD
NVD
added 2024/06/06 4:15 p.m.42 views

CVE-2024-36399

Kanboard is project management software that focuses on the Kanban methodology. The vuln is in app/Controller/ProjectPermissionController.php function addUser. The users permission to add users to a project only get checked on the URL parameter projectid. If the user is authorized to add users to...

8.2CVSS0.00353EPSS
Exploits1References2
NVD
NVD
added 2024/06/06 4:15 p.m.42 views

CVE-2024-35178

The Jupyter Server provides the backend for Jupyter web applications. Jupyter Server on Windows has a vulnerability that lets unauthenticated attackers leak the NTLMv2 password hash of the Windows user running the Jupyter server. An attacker can crack this password to gain access to the Windows...

7.5CVSS0.00699EPSS
Exploits0References2
NVD
NVD
added 2024/06/03 6:15 a.m.42 views

CVE-2024-37031

The Active Admin aka activeadmin framework before 3.2.2 for Ruby on Rails allows stored XSS in certain situations where users can create entities to be later edited in forms with arbitrary names, aka a "dynamic form legends" issue. 4.0.0.beta7 is also a fixed version...

6.1CVSS5.7AI score0.00349EPSS
Exploits0References3
NVD
NVD
added 2024/05/30 4:15 p.m.42 views

CVE-2024-36911

In the Linux kernel, the following vulnerability has been resolved: hvnetvsc: Don't free decrypted memory In CoCo VMs it is possible for the untrusted host to cause setmemoryencrypted or setmemorydecrypted to fail such that an error is returned and the resulting memory is shared. Callers need to...

5.5CVSS6.5AI score0.00225EPSS
Exploits0References3
NVD
NVD
added 2024/05/27 7:15 p.m.42 views

CVE-2024-35182

Meshery is an open source, cloud native manager that enables the design and management of Kubernetes-based infrastructure and applications. A SQL injection vulnerability in Meshery prior to version 0.7.22 may lead to arbitrary file write by using a SQL injection stacked queries payload, and the...

8.1CVSS5.9AI score0.01552EPSS
Exploits1References5
NVD
NVD
added 2024/05/22 6:15 a.m.42 views

CVE-2024-4443

The Business Directory Plugin – Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the ‘listingfields’ parameter in all versions up to, and including, 6.4.2 due to insufficient escaping on the user supplied parameter and lack of sufficient...

9.8CVSS9.7AI score0.10272EPSS
Exploits1References3
NVD
NVD
added 2024/05/16 9:16 p.m.42 views

CVE-2024-21835

Insecure inherited permissions in some IntelR XTU software before version 7.14.0.15 may allow an authenticated user to potentially enable escalation of privilege via local access...

7.8CVSS7.1AI score0.00156EPSS
Exploits0References1
NVD
NVD
added 2024/05/15 5:15 p.m.42 views

CVE-2024-3967

Remote Code Execution has been discovered in OpenText™ iManager 3.2.6.0200. The vulnerability can trigger remote code execution unisng unsafe java object deserialization...

9.8CVSS8AI score0.00635EPSS
Exploits0References1
NVD
NVD
added 2024/05/14 4:17 p.m.42 views

CVE-2024-34356

TYPO3 is an enterprise content management system. Starting in version 9.0.0 and prior to versions 9.5.48 ELTS, 10.4.45 ELTS, 11.5.37 LTS, 12.4.15 LTS, and 13.1.1, the form manager backend module is vulnerable to cross-site scripting. Exploiting this vulnerability requires a valid backend user...

5.4CVSS5.1AI score0.00502EPSS
Exploits0References5
NVD
NVD
added 2024/05/14 3:38 p.m.42 views

CVE-2024-34349

Sylius is an open source eCommerce platform. Prior to 1.12.16 and 1.13.1, there is a possibility to execute javascript code in the Admin panel. In order to perform an XSS attack input a script into Name field in which of the resources: Taxons, Products, Product Options or Product Variants. The co...

4.8CVSS6.1AI score0.0044EPSS
Exploits0References2
NVD
NVD
added 2024/05/14 3:12 p.m.42 views

CVE-2024-27460

A privilege escalation exists in the updater for Plantronics Hub 3.25.1 and below...

6.7CVSS6.8AI score0.01673EPSS
Exploits4References1
NVD
NVD
added 2024/05/07 4:15 p.m.42 views

CVE-2024-33144

J2EEFAST v2.7.0 was discovered to contain a SQL injection vulnerability via the sqlfilter parameter in the findApplyedTasksPage function in BpmTaskMapper.xml...

8.8CVSS7.8AI score0.00536EPSS
Exploits0References1
NVD
NVD
added 2024/05/07 3:15 p.m.42 views

CVE-2024-34342

react-pdf displays PDFs in React apps. If PDF.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported set to true which is the default value, unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain. This vulnerability is fixed in...

7.1CVSS6.7AI score0.01064EPSS
Exploits1References6
NVD
NVD
added 2024/05/07 2:15 p.m.42 views

CVE-2024-33783

MP-SPDZ v0.3.8 was discovered to contain a segmentation violation via the function osuCrypto::SilentMultiPprfReceiver::expand in /Tools/SilentPprf.cpp. This vulnerability allows attackers to cause a Denial of Service DoS via a crafted message...

6.5CVSS6.7AI score0.0052EPSS
Exploits1References1
NVD
NVD
added 2024/05/03 3:15 a.m.42 views

CVE-2023-41189

D-Link DAP-1325 HNAP SetAPLanSettings Gateway Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of D-Link DAP-1325 routers. Authentication is not required to exploit this vulnerability. T...

8.8CVSS9.1AI score0.01187EPSS
Exploits0References2
NVD
NVD
added 2024/05/02 7:15 a.m.42 views

CVE-2024-32962

xml-crypto is an xml digital signature and encryption library for Node.js. In affected versions the default configuration does not check authorization of the signer, it only checks the validity of the signature per section 3.2.2 of the w3 xmldsig-core-20080610 spec. As such, without additional...

10CVSS9.4AI score0.00833EPSS
Exploits1References7
NVD
NVD
added 2024/05/01 11:15 a.m.42 views

CVE-2024-32979

Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL or MySQL database. It was discovered that due to improper handling and escaping of user-provided query parameters, a maliciously crafted Nautobot URL...

7.5CVSS7.2AI score0.00491EPSS
Exploits0References4
NVD
NVD
added 2024/05/01 11:15 a.m.42 views

CVE-2024-32984

Yamux is a stream multiplexer over reliable, ordered connections such as TCP/IP. The Rust implementation of the Yamux stream multiplexer uses a vector for pending frames. This vector is not bounded in length. Every time the Yamux protocol requires sending of a new frame, this frame gets appended ...

7.5CVSS7.4AI score0.00761EPSS
Exploits0References3
NVD
NVD
added 2024/04/23 9:15 p.m.42 views

CVE-2024-32866

Conform, a type-safe form validation library, allows the parsing of nested objects in the form of object.property. Due to an improper implementation of this feature in versions prior to 1.1.1, an attacker can exploit the feature to trigger prototype pollution by passing a crafted input to...

8.6CVSS8.5AI score0.00725EPSS
Exploits0References3
NVD
NVD
added 2024/04/19 5:15 p.m.42 views

CVE-2023-51793

Buffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 allows a local attacker to execute arbitrary code via the libavutil/imgutils.c:353:9 in imagecopyplane...

7.8CVSS9.2AI score0.00324EPSS
Exploits0References7
NVD
NVD
added 2024/04/06 9:15 a.m.42 views

CVE-2024-2296

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 1.8.21 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

5.5CVSS5.1AI score0.00436EPSS
Exploits0References3
NVD
NVD
added 2024/04/04 11:15 p.m.42 views

CVE-2024-31206

dectalk-tts is a Node package to interact with the aeiou Dectalk web API. In [email protected], network requests to the third-party API are sent over HTTP, which is unencrypted. Unencrypted traffic can be easily intercepted and modified by attackers. Anyone who uses the package could be the victi...

8.2CVSS8AI score0.00332EPSS
Exploits0References5
NVD
NVD
added 2024/04/04 6:15 p.m.42 views

CVE-2024-2660

Vault and Vault Enterprise TLS certificates auth method did not correctly validate OCSP responses when one or more OCSP sources were configured. This vulnerability, CVE-2024-2660, affects Vault and Vault Enterprise 1.14.0 and above, and is fixed in Vault 1.16.0 and Vault Enterprise 1.16.1, 1.15.7...

6.8CVSS6.4AI score0.00303EPSS
Exploits0References2
NVD
NVD
added 2024/03/21 10:15 p.m.42 views

CVE-2024-28118

Grav is an open-source, flat-file content management system. Prior to version 1.7.45, due to the unrestricted access to twig extension class from Grav context, an attacker can redefine config variable. As a result, attacker can bypass a previous SSTI mitigation. Twig processing of static pages ca...

8.8CVSS9.2AI score0.0122EPSS
Exploits1References2
Total number of security vulnerabilities5000