Total
262742 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2024-45846 | 1 Mindsdb | 1 Mindsdb | 2024-09-12 | 8.8 High |
An arbitrary code execution vulnerability exists in versions 23.10.3.0 up to 24.7.4.1 of the MindsDB platform, when the Weaviate integration is installed on the server. If a specially crafted ‘SELECT WHERE’ clause containing Python code is run against a database created with the Weaviate engine, the code will be passed to an eval function and executed on the server. | ||||
CVE-2024-6700 | 2024-09-12 | 5.5 Medium | ||
Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an XSS issue with App name. | ||||
CVE-2024-6701 | 2024-09-12 | 5.5 Medium | ||
Pega Platform versions 8.1 to Infinity 24.1.2 are affected by an XSS issue with case type. | ||||
CVE-2024-45826 | 1 Rockwellautomation | 1 Thinmanager | 2024-09-12 | 6.8 Medium |
CVE-2024-45826 IMPACT Due to improper input validation, a path traversal and remote code execution vulnerability exists when the ThinManager® processes a crafted POST request. If exploited, a user can install an executable file. | ||||
CVE-2024-42484 | 1 Espressif | 1 Esp-now | 2024-09-12 | 6.5 Medium |
ESP-NOW Component provides a connectionless Wi-Fi communication protocol. An Out-of-Bound (OOB) vulnerability was discovered in the implementation of the ESP-NOW group type message because there is no check for the addrs_num field of the group type message. This can result in memory corruption related attacks. Normally there are two fields in the group information that need to be checked, i.e., the addrs_num field and the addrs_list fileld. Since we only checked the addrs_list field, an attacker can send a group type message with an invalid addrs_num field, which will cause the message handled by the firmware to be much larger than the current buffer, thus causing a memory corruption issue that goes beyond the payload length. | ||||
CVE-2024-45824 | 1 Rockwellautomation | 1 Factorytalk View | 2024-09-12 | 9.8 Critical |
CVE-2024-45824 IMPACT A remote code vulnerability exists in the affected products. The vulnerability occurs when chained with Path Traversal, Command Injection, and XSS Vulnerabilities and allows for full unauthenticated remote code execution. The link in the mitigations section below contains patches to fix this issue. | ||||
CVE-2024-6658 | 1 Kemptechnologies | 2 Loadmaster, Loadmaster Mt | 2024-09-12 | 8.4 High |
Improper Input Validation vulnerability of Authenticated User in Progress LoadMaster allows OS Command Injection.This issue affects: Product Affected Versions LoadMaster From 7.2.55.0 to 7.2.60.0 (inclusive) From 7.2.49.0 to 7.2.54.11 (inclusive) 7.2.48.12 and all prior versions Multi-Tenant Hypervisor 7.1.35.11 and all prior versions ECS All prior versions to 7.2.60.0 (inclusive) | ||||
CVE-2024-4660 | 1 Gitlab | 1 Gitlab | 2024-09-12 | 6.5 Medium |
An issue has been discovered in GitLab EE affecting all versions starting from 11.2 before 17.1.7, all versions starting from 17.2 before 17.2.5, all versions starting from 17.3 before 17.3.2. It was possible for a guest to read the source code of a private project by using group templates. | ||||
CVE-2024-6389 | 1 Gitlab | 1 Gitlab | 2024-09-12 | 4.3 Medium |
An issue was discovered in GitLab-CE/EE affecting all versions starting with 17.0 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2. An attacker as a guest user was able to access commit information via the release Atom endpoint, contrary to permissions. | ||||
CVE-2024-8635 | 1 Gitlab | 1 Gitlab | 2024-09-12 | 7.7 High |
A server-side request forgery issue has been discovered in GitLab EE affecting all versions starting from 16.8 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. It was possible for an attacker to make requests to internal resources using a custom Maven Dependency Proxy URL | ||||
CVE-2024-8754 | 1 Gitlab | 1 Gitlab | 2024-09-12 | 6.4 Medium |
An issue has been discovered in GitLab EE/CE affecting all versions from 16.9.7 prior to 17.1.7, 17.2 prior to 17.2.5, and 17.3 prior to 17.3.2. An improper input validation error allows attacker to squat on accounts via linking arbitrary unclaimed provider identities when JWT authentication is configured. | ||||
CVE-2024-4612 | 1 Gitlab | 1 Gitlab | 2024-09-12 | 6.4 Medium |
An issue has been discovered in GitLab EE affecting all versions starting from 12.9 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2. Under certain conditions an open redirect vulnerability could allow for an account takeover by breaking the OAuth flow. | ||||
CVE-2024-8631 | 1 Gitlab | 1 Gitlab | 2024-09-12 | 5.5 Medium |
A privilege escalation issue has been discovered in GitLab EE affecting all versions starting from 16.6 prior to 17.1.7, from 17.2 prior to 17.2.5, and from 17.3 prior to 17.3.2. A user assigned the Admin Group Member custom role could have escalated their privileges to include other custom roles. | ||||
CVE-2024-40457 | 1 No-ip | 1 Duc | 2024-09-12 | 9.1 Critical |
No-IP Dynamic Update Client (DUC) v3.x uses cleartext credentials that may occur on a command line or in a file. NOTE: the vendor's position is that cleartext in /etc/default/noip-duc is recommended and is the intentional behavior. | ||||
CVE-2024-2743 | 1 Gitlab | 1 Gitlab | 2024-09-12 | 5.3 Medium |
An issue was discovered in GitLab-EE starting with version 13.3 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2 that would allow an attacker to modify an on-demand DAST scan without permissions and leak variables. | ||||
CVE-2024-42483 | 2024-09-12 | 6.5 Medium | ||
ESP-NOW Component provides a connectionless Wi-Fi communication protocol. An replay attacks vulnerability was discovered in the implementation of the ESP-NOW because the caches is not differentiated by message types, it is a single, shared resource for all kinds of messages, whether they are broadcast or unicast, and regardless of whether they are ciphertext or plaintext. This can result an attacker to clear the cache of its legitimate entries, there by creating an opportunity to re-inject previously captured packets. This vulnerability is fixed in 2.5.2. | ||||
CVE-2024-45823 | 1 Rockwellautomation | 1 Factorytalk Batch View | 2024-09-12 | 8.1 High |
CVE-2024-45823 IMPACT An authentication bypass vulnerability exists in the affected product. The vulnerability exists due to shared secrets across accounts and could allow a threat actor to impersonate a user if the threat actor is able to enumerate additional information required during authentication. | ||||
CVE-2024-45848 | 1 Mindsdb | 1 Mindsdb | 2024-09-12 | 8.8 High |
An arbitrary code execution vulnerability exists in versions 23.12.4.0 up to 24.7.4.1 of the MindsDB platform, when the ChromaDB integration is installed on the server. If a specially crafted ‘INSERT’ query containing Python code is run against a database created with the ChromaDB engine, the code will be passed to an eval function and executed on the server. | ||||
CVE-2024-45850 | 1 Mindsdb | 1 Mindsdb | 2024-09-12 | 8.8 High |
An arbitrary code execution vulnerability exists in versions 23.10.5.0 up to 24.7.4.1 of the MindsDB platform, when the Microsoft SharePoint integration is installed on the server. For databases created with the SharePoint engine, an ‘INSERT’ query can be used for site column creation. If such a query is specially crafted to contain Python code and is run against the database, the code will be passed to an eval function and executed on the server. | ||||
CVE-2024-45855 | 1 Mindsdb | 1 Mindsdb | 2024-09-12 | 7.1 High |
Deserialization of untrusted data can occur in versions 23.10.2.0 and newer of the MindsDB platform, enabling a maliciously uploaded ‘inhouse’ model to run arbitrary code on the server when using ‘finetune’ on it. |