Search Results (367102 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2023-26843 1 Churchcrm 1 Churchcrm 2025-02-04 5.4 Medium
A stored Cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTML via the NoteEditor.php.
CVE-2023-26839 1 Churchcrm 1 Churchcrm 2025-02-04 4.3 Medium
A cross-site request forgery (CSRF) vulnerability in ChurchCRM v4.5.3 allows attackers to edit information for existing people on the site.
CVE-2024-23449 1 Elastic 1 Elasticsearch 2025-02-04 4.3 Medium
An uncaught exception in Elasticsearch >= 8.4.0 and < 8.11.1 occurs when an encrypted PDF is passed to an attachment processor through the REST API. The Elasticsearch ingest node that attempts to parse the PDF file will crash. This does not happen with password-protected PDF files or with unencrypted PDF files.
CVE-2024-26133 1 Kurrent 1 Eventstoredb 2025-02-04 5.5 Medium
EventStoreDB (ESDB) is an operational database built to store events. A vulnerability has been identified in the projections subsystem in versions 20 prior to 20.10.6, 21 prior to 21.10.11, 22 prior to 22.10.5, and 23 prior to 23.10.1. Only database instances that use custom projections are affected by this vulnerability. User passwords may become accessible to those who have access to the chunk files on disk, and users who have read access to system streams. Only users in the `$admins` group can access system streams by default. ESDB 23.10.1, 22.10.5, 21.10.11, and 20.10.6 contain a patch for this issue. Users should upgrade EventStoreDB, reset the passwords for current and previous members of `$admins` and `$ops` groups, and, if a password was reused in any other system, reset it in those systems to a unique password to follow best practices. If an upgrade cannot be done immediately, reset the passwords for current and previous members of `$admins` and `$ops` groups. Avoid creating custom projections until the patch has been applied.
CVE-2024-23451 1 Elastic 1 Elasticsearch 2025-02-04 4.4 Medium
Incorrect Authorization issue exists in the API key based security model for Remote Cluster Security, which is currently in Beta, in Elasticsearch 8.10.0 and before 8.13.0. This allows a malicious user with a valid API key for a remote cluster configured to use the new Remote Cluster Security to read arbitrary documents from any index on the remote cluster, and only if they use the Elasticsearch custom transport protocol to issue requests with the target index ID, the shard ID and the document ID. None of Elasticsearch REST API endpoints are affected by this issue.
CVE-2022-23721 1 Pingidentity 1 Pingid Integration For Windows Login 2025-02-04 3.8 Low
PingID integration for Windows login prior to 2.9 does not handle duplicate usernames, which can lead to a username collision when two people with the same username are provisioned onto the same machine at different times.
CVE-2022-40722 1 Pingidentity 3 Pingfederate, Pingid Adapter For Pingfederate, Pingid Integration Kit 2025-02-04 7.7 High
A misconfiguration of RSA padding implemented in the PingID Adapter for PingFederate to support Offline MFA with PingID mobile authenticators is vulnerable to pre-computed dictionary attacks, leading to a bypass of offline MFA.
CVE-2022-40723 1 Pingidentity 3 Pingfederate, Pingid Integration Kit, Radius Pcv 2025-02-04 6.5 Medium
The PingID RADIUS PCV adapter for PingFederate, which supports RADIUS authentication with PingID MFA, is vulnerable to MFA bypass under certain configurations.
CVE-2022-40724 1 Pingidentity 1 Pingfederate 2025-02-04 6.4 Medium
The PingFederate Local Identity Profiles '/pf/idprofile.ping' endpoint is vulnerable to Cross-Site Request Forgery (CSRF) through crafted GET requests.
CVE-2022-40725 1 Pingidentity 1 Desktop 2025-02-04 7.3 High
PingID Desktop prior to the latest released version 1.7.4 contains a vulnerability that can be exploited to bypass the maximum PIN attempts permitted before the time-based lockout is activated.
CVE-2023-23839 1 Solarwinds 1 Solarwinds Platform 2025-02-04 6.5 Medium
The SolarWinds Platform was susceptible to the Exposure of Sensitive Information Vulnerability. This vulnerability allows users to access Orion.WebCommunityStrings SWIS schema object and obtain sensitive information.
CVE-2024-48886 1 Fortinet 6 Fortianalyzer, Fortianalyzer Cloud, Fortimanager and 3 more 2025-02-03 8 High
A weak authentication in Fortinet FortiOS versions 7.4.0 through 7.4.4, 7.2.0 through 7.2.8, 7.0.0 through 7.0.15, 6.4.0 through 6.4.15, FortiProxy versions 7.4.0 through 7.4.4, 7.2.0 through 7.2.10, 7.0.0 through 7.0.17, 2.0.0 through 2.0.14, FortiManager versions 7.6.0 through 7.6.1, 7.4.1 through 7.4.3, FortiManager Cloud versions 7.4.1 through 7.4.3, FortiAnalyzer Cloud versions 7.4.1 through 7.4.3 allows attacker to execute unauthorized code or commands via a brute-force attack.
CVE-2023-26841 1 Churchcrm 1 Churchcrm 2025-02-03 6.5 Medium
A cross-site request forgery (CSRF) vulnerability in ChurchCRM v4.5.3 allows attackers to change any user's password except for the user that is currently logged in.
CVE-2024-48890 1 Fortinet 2 Fortisoar, Fortisoar Imap Connector 2025-02-03 6.3 Medium
An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in FortiSOAR IMAP connector version 3.5.7 and below may allow an authenticated attacker to execute unauthorized code or commands via a specifically crafted playbook
CVE-2024-48893 1 Fortinet 1 Fortisoar 2025-02-03 6.4 Medium
An improper neutralization of input during web page generation vulnerability [CWE-79] in FortiSOAR 7.3.0 through 7.3.3, 7.2.1 through 7.2.2 may allow an authenticated attacker to perform a stored cross site scripting (XSS) attack via the creation of malicious playbook.
CVE-2024-55593 1 Fortinet 1 Fortiweb 2025-02-03 2.6 Low
A improper neutralization of special elements used in an sql command ('sql injection') in Fortinet FortiWeb versions 6.3.17 through 7.6.1 allows attacker to gain information disclosure via crafted SQL queries
CVE-2024-52969 1 Fortinet 1 Fortisiem 2025-02-03 3.7 Low
An Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability [CWE-89] in FortiSIEM ersion 7.1.7 and below, version 7.1.0, version 7.0.3 and below, version 6.7.9 and below, 6.7.8, version 6.6.5 and below, version 6.5.3 and below, version 6.4.4 and below Update/Create Case feature may allow an authenticated attacker to extract database information via crafted requests.
CVE-2024-52967 1 Fortinet 1 Fortiportal 2025-02-03 3.3 Low
An improper neutralization of script-related html tags in a web page (basic xss) in Fortinet FortiPortal 6.0.0 through 6.0.14 allows attacker to execute unauthorized code or commands via html injection.
CVE-2024-3544 1 Progress 1 Loadmaster 2025-02-03 7.5 High
Unauthenticated attackers can perform actions, using SSH private keys, by knowing the IP address and having access to the same network of one of the machines in the HA or Cluster group. This vulnerability has been closed by enhancing LoadMaster partner communications to require a shared secret that must be exchanged between the partners before communication can proceed.
CVE-2024-0740 1 Eclipse 1 Target Management 2025-02-03 9.8 Critical
Eclipse Target Management: Terminal and Remote System Explorer (RSE) version <= 4.5.400 has a remote code execution vulnerability that does not require authentication. The fixed version is included in Eclipse IDE 2024-03