Search Results (366897 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-34031 1 Deltaww 1 Diaenergie 2025-01-30 8.8 High
Delta Electronics DIAEnergie is vulnerable to an SQL injection vulnerability that exists in the script Handler_CFG.ashx. An authenticated attacker can exploit this issue to potentially compromise the system on which DIAEnergie is deployed.
CVE-2024-4148 2 Lunary, Lunary-ai 2 Lunary, Lunary 2025-01-30 7.5 High
A Regular Expression Denial of Service (ReDoS) vulnerability exists in the lunary-ai/lunary application, version 1.2.10. An attacker can exploit this vulnerability by maliciously manipulating regular expressions, which can significantly impact the response time of the application and potentially render it completely non-functional. Specifically, the vulnerability can be triggered by sending a specially crafted request to the application, leading to a denial of service where the application crashes.
CVE-2024-3501 2 Lunary, Lunary-ai 2 Lunary, Lunary-ai\/lunary 2025-01-30 9.1 Critical
In lunary-ai/lunary versions up to and including 1.2.5, an information disclosure vulnerability exists due to the inclusion of single-use tokens in the responses of `GET /v1/users/me` and `GET /v1/users/me/org` API endpoints. These tokens, intended for sensitive operations such as password resets or account verification, are exposed to unauthorized actors, potentially allowing them to perform actions on behalf of the user. This issue was addressed in version 1.2.6, where the exposure of single-use tokens in user-facing queries was mitigated.
CVE-2024-1625 2 Lunary, Lunary-ai 2 Lunary, Lunary 2025-01-30 6.5 Medium
An Insecure Direct Object Reference (IDOR) vulnerability exists in the lunary-ai/lunary application version 0.3.0, allowing unauthorized deletion of any organization's project. The vulnerability is due to insufficient authorization checks in the project deletion endpoint, where the endpoint fails to verify if the project ID provided in the request belongs to the requesting user's organization. As a result, an attacker can delete projects belonging to any organization by sending a crafted DELETE request with the target project's ID. This issue affects the project deletion functionality implemented in the projects.delete route.
CVE-2024-25995 1 Phoenixcontact 12 Charx Sec-3000, Charx Sec-3000 Firmware, Charx Sec-3050 and 9 more 2025-01-30 9.8 Critical
An unauthenticated remote attacker can modify configurations to perform a remote code execution, gain root rights or perform an DoS due to improper input validation.
CVE-2024-40422 1 Stitionai 1 Devika 2025-01-29 9.1 Critical
The snapshot_path parameter in the /api/get-browser-snapshot endpoint in stitionai devika v1 is susceptible to a path traversal attack. An attacker can manipulate the snapshot_path parameter to traverse directories and access sensitive files on the server. This can potentially lead to unauthorized access to critical system files and compromise the confidentiality and integrity of the system.
CVE-2023-24744 1 Rediker 1 Adminplus 2025-01-29 6.1 Medium
Cross Site Scripting (XSS) vulnerability in Rediker Software AdminPlus 6.1.91.00 allows remote attackers to run arbitrary code via the onload function within the application DOM.
CVE-2022-33973 2 Intel, Microsoft 3 Wlan Authentication And Privacy Infrastructure, Windows 10, Windows 11 2025-01-29 3.3 Low
Improper access control in the Intel(R) WAPI Security software for Windows 10/11 before version 22.2150.0.1 may allow an authenticated user to potentially enable information disclosure via local access.
CVE-2023-1265 1 Gitlab 1 Gitlab 2025-01-29 5.4 Medium
An issue has been discovered in GitLab affecting all versions starting from 11.9 before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. The condition allows for a privileged attacker, under certain conditions, to obtain session tokens from all users of a GitLab instance.
CVE-2023-1836 1 Gitlab 1 Gitlab 2025-01-29 4.4 Medium
A cross-site scripting issue has been discovered in GitLab affecting all versions starting from 5.1 before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. When viewing an XML file in a repository in "raw" mode, it can be made to render as HTML if viewed under specific circumstances
CVE-2023-22372 3 Apple, F5, Microsoft 3 Macos, Big-ip Access Policy Manager, Windows 2025-01-29 5.9 Medium
In the pre connection stage, an improper enforcement of message integrity vulnerability exists in BIG-IP Edge Client for Windows and Mac OS.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CVE-2023-37999 1 Hasthemes 2 Ht Mega, Ht Mega - Absolute Addons For Elementor Page Builder 2025-01-29 9.8 Critical
Improper Privilege Management vulnerability in HasThemes HT Mega allows Privilege Escalation.This issue affects HT Mega: from n/a through 2.2.0.
CVE-2024-24934 1 Elementor 1 Website Builder 2025-01-29 8.5 High
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Elementor Elementor Website Builder allows Manipulating Web Input to File System Calls.This issue affects Elementor Website Builder: from n/a through 3.19.0.
CVE-2023-24461 3 Apple, F5, Microsoft 3 Macos, Big-ip Access Policy Manager, Windows 2025-01-29 7.4 High
An improper certificate validation vulnerability exists in the BIG-IP Edge Client for Windows and macOS and may allow an attacker to impersonate a BIG-IP APM system.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
CVE-2023-1965 1 Gitlab 1 Gitlab 2025-01-29 6.8 Medium
An issue has been discovered in GitLab EE affecting all versions starting from 14.2 before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. Lack of verification on RelayState parameter allowed a maliciously crafted URL to obtain access tokens granted for 3rd party Group SAML SSO logins. This feature isn't enabled by default.
CVE-2024-22359 1 Ibm 2 Devops Deploy, Urbancode Deploy 2025-01-29 6.1 Medium
IBM UrbanCode Deploy (UCD) 7.0 through 7.0.5.20, 7.1 through 7.1.2.16, 7.2 through 7.2.3.9, 7.3 through 7.3.2.4 and IBM DevOps Deploy 8.0 through 8.0.0.1 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 280897.
CVE-2024-22358 1 Ibm 2 Devops Deploy, Urbancode Deploy 2025-01-29 6.3 Medium
IBM UrbanCode Deploy (UCD) 7.0 through 7.0.5.20, 7.1 through 7.1.2.16, 7.2 through 7.2.3.9, 7.3 through 7.3.2.4 and IBM DevOps Deploy 8.0 through 8.0.0.1 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 280896.
CVE-2024-22339 1 Ibm 2 Devops Deploy, Urbancode Deploy 2025-01-29 4.3 Medium
IBM UrbanCode Deploy (UCD) 7.0 through 7.0.5.20, 7.1 through 7.1.2.16, 7.2 through 7.2.3.9, 7.3 through 7.3.2.4 and IBM DevOps Deploy 8.0 through 8.0.0.1 is vulnerable to a sensitive information due to insufficient obfuscation of sensitive values from some log files. IBM X-Force ID: 279979.
CVE-2024-22334 1 Ibm 2 Devops Deploy, Urbancode Deploy 2025-01-29 4.4 Medium
IBM UrbanCode Deploy (UCD) 7.0 through 7.0.5.20, 7.1 through 7.1.2.16, 7.2 through 7.2.3.9, 7.3 through 7.3.2.4 and IBM DevOps Deploy 8.0 through 8.0.0.1 could be vulnerable to incomplete revocation of permissions when deleting a custom security resource type. When deleting a custom security type, associated permissions of objects using that type may not be fully revoked. This could lead to incorrect reporting of permission configuration and unexpected privileges being retained. IBM X-Force ID: 279974.
CVE-2023-26282 1 Ibm 1 Watson Cp4d Data Stores 2025-01-29 4.2 Medium
IBM Watson CP4D Data Stores 4.6.0 through 4.6.3 could allow a user with physical access and specific knowledge of the system to modify files or data on the system. IBM X-Force ID: 248415.