Total: 17262 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2024-8643 | 1 Oceanicsoft | 1 Valeapp | 2024-10-04 | 9.8 Critical | Session Fixation vulnerability in Oceanic Software ValeApp allows Brute Force, Session Hijacking. This issue affects ValeApp: before v2.0.0.
CVE-2024-8607 | 1 Oceanicsoft | 1 Valeapp | 2024-10-04 | 9.8 Critical | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Oceanic Software ValeApp allows SQL Injection. This issue affects ValeApp: before v2.0.0.
CVE-2017-10285 | 4 Debian, Netapp, Oracle and 1 more | 33 Debian Linux, Active Iq Unified Manager, Cloud Backup and 30 more | 2024-10-04 | 9.6 Critical | Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).
CVE-2017-10346 | 4 Debian, Netapp, Oracle and 1 more | 33 Debian Linux, Active Iq Unified Manager, Cloud Backup and 30 more | 2024-10-04 | 9.6 Critical | Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 6u161, 7u151, 8u144 and 9; Java SE Embedded: 8u144. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.0 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).
CVE-2023-25914 | 1 Danfoss | 2 Ak-sm 800a, Ak-sm 800a Firmware | 2024-10-04 | 9.9 Critical | Due to improper restriction, attackers could retrieve and read system files of the underlying server through the XML interface.
CVE-2023-24941 | 1 Microsoft | 5 Windows Server 2012, Windows Server 2012 R2, Windows Server 2016 and 2 more | 2024-10-04 | 9.8 Critical | Windows Network File System Remote Code Execution Vulnerability
CVE-2024-7950 | 1 Wpjobportal | 1 Wp Job Portal | 2024-10-04 | 9.8 Critical | The WP Job Portal – A Complete Recruitment System for Company or Job Board website plugin for WordPress is vulnerable to Local File Inclusion, Arbitrary Settings Update, and User Creation in all versions up to, and including, 2.1.6 via several functions called by the 'checkFormRequest' function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. Attackers can also update arbitrary settings and create user accounts even when registration is disabled, leading to user creation with a default role of Administrator.
CVE-2024-24691 | 1 Zoom | 4 Meeting Software Development Kit, Rooms, Vdi Windows Meeting Clients and 1 more | 2024-10-04 | 9.6 Critical | Improper input validation in Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for Windows may allow an unauthenticated user to conduct an escalation of privilege via network access.
CVE-2024-8456 | 2 Planet, Planet Technology Corp | 6 Gs-4210-24p2s, Gs-4210-24p2s Firmware, Gs-4210-24pl4c and 3 more | 2024-10-04 | 9.8 Critical | Certain switch models from PLANET Technology lack proper access control in firmware upload and download functionality, allowing unauthenticated remote attackers to download and upload firmware and system configurations, ultimately gaining full control of the devices.
CVE-2023-25280 | 1 Dlink | 2 Dir820la1, Dir820la1 Firmware | 2024-10-04 | 9.8 Critical | OS Command injection vulnerability in D-Link DIR820LA1_FW105B03 allows attackers to escalate privileges to root via a crafted payload with the ping_addr parameter to ping.ccp.
CVE-2020-15415 | 1 Draytek | 6 Vigor2960, Vigor2960 Firmware, Vigor300b and 3 more | 2024-10-04 | 9.8 Critical | On DrayTek Vigor3900, Vigor2960, and Vigor300B devices before 1.5.1, cgi-bin/mainfunction.cgi/cvmcfgupload allows remote command execution via shell metacharacters in a filename when the text/x-python-script content type is used, a different issue than CVE-2020-14472.
CVE-2019-0344 | 1 Sap | 1 Commerce Cloud | 2024-10-04 | 9.8 Critical | Due to unsafe deserialization used in SAP Commerce Cloud (virtualjdbc extension), versions 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905, it is possible to execute arbitrary code on a target machine with 'Hybris' user rights, resulting in Code Injection.
CVE-2024-41925 | 1 Optigo | 1 Ons-s8 Firmware | 2024-10-04 | 9.8 Critical | The web service for ONS-S8 - Spectra Aggregation Switch includes functions which do not properly validate user input, allowing an attacker to traverse directories, bypass authentication, and execute remote code.
CVE-2024-45367 | 1 Optigo | 1 Ons-s8 Firmware | 2024-10-04 | 9.1 Critical | The web server for ONS-S8 - Spectra Aggregation Switch includes an incomplete authentication process, which can lead to an attacker authenticating without a password.
CVE-2024-43699 | 1 Deltaww | 1 Diaenergie | 2024-10-04 | 9.8 Critical | Delta Electronics DIAEnergie is vulnerable to an SQL injection in the script AM_RegReport.aspx. An unauthenticated attacker may be able to exploit this issue to obtain records contained in the targeted product.
CVE-2024-9106 | 1 Xunhuweb | 1 Wechat Social Login | 2024-10-04 | 9.8 Critical | The Wechat Social login plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.3.0. This is due to insufficient verification on the user being supplied during the social login. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id. This is only exploitable if the app secret is not set, so it has a default empty value.
CVE-2024-9108 | 1 Xunhuweb | 1 Wechat Social Login | 2024-10-04 | 9.8 Critical | The Wechat Social login plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'convert_remoteimage_to_local' function in versions up to, and including, 1.3.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVE-2024-41276 | 1 Kaiten | 1 Kaiten | 2024-10-04 | 9.8 Critical | A vulnerability in Kaiten version 57.131.12 and earlier allows attackers to bypass the PIN code authentication mechanism. The application requires users to input a 6-digit PIN code sent to their email for authorization after entering their login credentials. However, the request limiting mechanism can be easily bypassed, enabling attackers to perform a brute force attack to guess the correct PIN and gain unauthorized access to the application.
CVE-2024-25660 | 1 Infinera | 1 Tnms | 2024-10-04 | 9 Critical | The WebDAV service in Infinera TNMS (Transcend Network Management System) 19.10.3 allows a low-privileged remote attacker to conduct unauthorized file operations, because of execution with unnecessary privileges.
CVE-2024-9392 | 2 Mozilla, Redhat | 7 Firefox, Firefox Esr, Thunderbird and 4 more | 2024-10-04 | 9.8 Critical | A compromised content process could have allowed for the arbitrary loading of cross-origin pages. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Firefox ESR < 115.16, Thunderbird < 128.3, and Thunderbird < 131.