Total
17262 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2020-24113 | 1 Yealink | 2 W60b, W60b Firmware | 2024-10-03 | 9.1 Critical |
Directory Traversal vulnerability in Contacts File Upload Interface in Yealink W60B version 77.83.0.85, allows attackers to gain sensitive information and cause a denial of service (DoS). | ||||
CVE-2022-35744 | 1 Microsoft | 23 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 20 more | 2024-10-03 | 9.8 Critical |
Windows Point-to-Point Protocol (PPP) Remote Code Execution Vulnerability | ||||
CVE-2023-25915 | 1 Danfoss | 2 Ak-sm 800a, Ak-sm 800a Firmware | 2024-10-03 | 9.9 Critical |
Due to improper input validation, a remote attacker could execute arbitrary commands on the target system. | ||||
CVE-2024-7732 | 1 Secom | 1 Dr.id Attendance System | 2024-10-03 | 9.8 Critical |
Dr.ID Access Control System from SECOM does not properly validate a specific page parameter, allowing unauthenticated remote attackers to inject SQL commands to read, modify, and delete database contents. | ||||
CVE-2024-46256 | 1 Nginxproxymanager | 1 Nginx Proxy Manager | 2024-10-03 | 9.8 Critical |
A Command injection vulnerability in requestLetsEncryptSsl in NginxProxyManager 2.11.3 allows an attacker to RCE via Add Let's Encrypt Certificate. | ||||
CVE-2023-4373 | 1 Devolutions | 1 Remote Desktop Manager | 2024-10-03 | 9.8 Critical |
Inadequate validation of permissions when employing remote tools and macros within Devolutions Remote Desktop Manager versions 2023.2.19 and earlier permits a user to initiate a connection without proper execution rights via the remote tools feature. | ||||
CVE-2021-33388 | 1 Dpic Project | 1 Dpic | 2024-10-03 | 9.8 Critical |
dpic 2021.04.10 has a Heap Buffer Overflow in themakevar() function in dpic.y | ||||
CVE-2021-33390 | 1 Dpic Project | 1 Dpic | 2024-10-03 | 9.8 Critical |
dpic 2021.04.10 has a use-after-free in thedeletestringbox() function in dpic.y. A different vulnerablility than CVE-2021-32421. | ||||
CVE-2023-38699 | 1 Mindsdb | 1 Mindsdb | 2024-10-03 | 9.1 Critical |
MindsDB's AI Virtual Database allows developers to connect any AI/ML model to any datasource. Prior to version 23.7.4.0, a call to requests with `verify=False` disables SSL certificate checks. This rule enforces always verifying SSL certificates for methods in the Requests library. In version 23.7.4.0, certificates are validated by default, which is the desired behavior. | ||||
CVE-2021-32292 | 1 Json-c Project | 1 Json-c | 2024-10-03 | 9.8 Critical |
An issue was discovered in json-c from 20200420 (post 0.14 unreleased code) through 0.15-20200726. A stack-buffer-overflow exists in the auxiliary sample program json_parse which is located in the function parseit. | ||||
CVE-2022-48565 | 3 Debian, Python, Redhat | 3 Debian Linux, Python, Enterprise Linux | 2024-10-03 | 9.8 Critical |
An XML External Entity (XXE) issue was discovered in Python through 3.9.1. The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities. | ||||
CVE-2022-26136 | 1 Atlassian | 11 Bamboo, Bitbucket, Confluence Data Center and 8 more | 2024-10-03 | 9.8 Critical |
A vulnerability in multiple Atlassian products allows a remote, unauthenticated attacker to bypass Servlet Filters used by first and third party apps. The impact depends on which filters are used by each app, and how the filters are used. This vulnerability can result in authentication bypass and cross-site scripting. Atlassian has released updates that fix the root cause of this vulnerability, but has not exhaustively enumerated all potential consequences of this vulnerability. Atlassian Bamboo versions are affected before 8.0.9, from 8.1.0 before 8.1.8, and from 8.2.0 before 8.2.4. Atlassian Bitbucket versions are affected before 7.6.16, from 7.7.0 before 7.17.8, from 7.18.0 before 7.19.5, from 7.20.0 before 7.20.2, from 7.21.0 before 7.21.2, and versions 8.0.0 and 8.1.0. Atlassian Confluence versions are affected before 7.4.17, from 7.5.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and version 7.21.0. Atlassian Crowd versions are affected before 4.3.8, from 4.4.0 before 4.4.2, and version 5.0.0. Atlassian Fisheye and Crucible versions before 4.8.10 are affected. Atlassian Jira versions are affected before 8.13.22, from 8.14.0 before 8.20.10, and from 8.21.0 before 8.22.4. Atlassian Jira Service Management versions are affected before 4.13.22, from 4.14.0 before 4.20.10, and from 4.21.0 before 4.22.4. | ||||
CVE-2022-36648 | 1 Qemu | 1 Qemu | 2024-10-03 | 10.0 Critical |
The hardware emulation in the of_dpa_cmd_add_l2_flood of rocker device model in QEMU, as used in 7.0.0 and earlier, allows remote attackers to crash the host qemu and potentially execute code on the host via execute a malformed program in the guest OS. Note: This has been disputed by multiple third parties as not a valid vulnerability due to the rocker device not falling within the virtualization use case. | ||||
CVE-2024-38281 | 1 Motorola | 2 Vigilant Fixed Lpr Coms Box, Vigilant Fixed Lpr Coms Box Firmware | 2024-10-03 | 9.8 Critical |
An attacker can access the maintenance console using hard coded credentials for a hidden wireless network on the device. | ||||
CVE-2023-40573 | 1 Xwiki | 2 Xwiki, Xwiki-platform | 2024-10-03 | 9.1 Critical |
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki supports scheduled jobs that contain Groovy scripts. Currently, the job checks the content author of the job for programming right. However, modifying or adding a job script to a document doesn't modify the content author. Together with a CSRF vulnerability in the job scheduler, this can be exploited for remote code execution by an attacker with edit right on the wiki. If the attack is successful, an error log entry with "Job content executed" will be produced. This vulnerability has been patched in XWiki 14.10.9 and 15.4RC1. | ||||
CVE-2023-38029 | 1 Saho | 4 Adm-100, Adm-100 Firmware, Adm-100fp and 1 more | 2024-10-03 | 9.8 Critical |
Saho’s attendance devices ADM100 and ADM-100FP has insufficient filtering for special characters and file type within their file uploading function. A unauthenticate remote attacker authenticated can upload and execute arbitrary files to perform arbitrary system commands or disrupt service. | ||||
CVE-2023-38028 | 1 Saho | 4 Adm-100, Adm-100 Firmware, Adm-100fp and 1 more | 2024-10-03 | 9.1 Critical |
Saho’s attendance devices ADM100 and ADM-100FP have insufficient authentication. An unauthenticated remote attacker can exploit this vulnerability to bypass authentication to read system information and operate user's data, but can’t control system or disrupt service. | ||||
CVE-2022-26133 | 1 Atlassian | 1 Bitbucket Data Center | 2024-10-03 | 9.8 Critical |
SharedSecretClusterAuthenticator in Atlassian Bitbucket Data Center versions 5.14.0 and later before 7.6.14, 7.7.0 and later prior to 7.17.6, 7.18.0 and later prior to 7.18.4, 7.19.0 and later prior to 7.19.4, and 7.20.0 allow a remote, unauthenticated attacker to execute arbitrary code via Java deserialization. | ||||
CVE-2023-39969 | 1 Trailofbits | 1 Uthenticode | 2024-10-03 | 9.1 Critical |
uthenticode is a small cross-platform library for partially verifying Authenticode digital signatures. Version 1.0.9 of uthenticode hashed the entire file rather than hashing sections by virtual address, in violation of the Authenticode specification. As a result, an attacker could modify code within a binary without changing its Authenticode hash, making it appear valid from uthenticode's perspective. Versions of uthenticode prior to 1.0.9 are not vulnerable to this attack, nor are versions in the 2.x series. By design, uthenticode does not perform full-chain validation. However, the malleability of signature verification introduced in 1.0.9 was an unintended oversight. The 2.x series addresses the vulnerability. Versions prior to 1.0.9 are also not vulnerable, but users are encouraged to upgrade rather than downgrade. There are no workarounds to this vulnerability. | ||||
CVE-2022-4920 | 1 Google | 1 Chrome | 2024-10-03 | 9.6 Critical |
Heap buffer overflow in Blink in Google Chrome prior to 101.0.4951.41 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) |