Search Results (363125 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-37038 1 Schneider-electric 7 Sage 1410, Sage 1430, Sage 1450 and 4 more 2024-11-21 7.5 High
CWE-276: Incorrect Default Permissions vulnerability exists that could allow an authenticated user with access to the device’s web interface to perform unauthorized file and firmware uploads when crafting custom web requests.
CVE-2024-37037 1 Schneider-electric 7 Sage 1410, Sage 1430, Sage 1450 and 4 more 2024-11-21 8.1 High
CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability exists that could allow an authenticated user with access to the device’s web interface to corrupt files and impact device functionality when sending a crafted HTTP request.
CVE-2024-37036 1 Schneider-electric 7 Sage 1410, Sage 1430, Sage 1450 and 4 more 2024-11-21 9.8 Critical
CWE-787: Out-of-bounds Write vulnerability exists that could result in an authentication bypass when sending a malformed POST request and particular configuration parameters are set.
CVE-2024-37030 1 Openatom 1 Openharmony 2024-11-21 8.2 High
in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through use after free.
CVE-2024-37029 1 Fujielectric 1 Tellus Lite V-simulator 2024-11-21 7.8 High
Fuji Electric Tellus Lite V-Simulator is vulnerable to a stack-based buffer overflow, which could allow an attacker to execute arbitrary code.
CVE-2024-37022 1 Fujielectric 1 Tellus Lite V-simulator 2024-11-21 7.8 High
Fuji Electric Tellus Lite V-Simulator is vulnerable to an out-of-bounds write, which could allow an attacker to manipulate memory, resulting in execution of arbitrary code.
CVE-2024-37014 1 Langflow 1 Langflow 2024-11-21 8.8 High
Langflow through 0.6.19 allows remote code execution if untrusted users are able to reach the "POST /api/v1/custom_component" endpoint and provide a Python script.
CVE-2024-36837 1 Crmeb 1 Crmeb 2024-11-21 5.4 Medium
SQL Injection vulnerability in CRMEB v.5.2.2 allows a remote attacker to obtain sensitive information via the getProductList function in the ProductController.php file.
CVE-2024-36821 1 Linksys 2 Velop Whw0101, Velop Whw0101 Firmware 2024-11-21 6.8 Medium
Insecure permissions in Linksys Velop WiFi 5 (WHW01v1) 1.1.13.202617 allows attackers to escalate privileges from Guest to root.
CVE-2024-36684 1 Prestashop 1 Pk Customlinks 2024-11-21 9.8 Critical
In the module "Custom links" (pk_customlinks) <= 2.3 from Promokit.eu for PrestaShop, a guest can perform SQL injection. The script ajax.php have a sensitive SQL call that can be executed with a trivial http call and exploited to forge a SQL injection.
CVE-2024-36678 1 Promokit 1 Pk Themesettings 2024-11-21 9.8 Critical
In the module "Theme settings" (pk_themesettings) <= 1.8.8 from Promokit.eu for PrestaShop, a guest can perform SQL injection. The script ajax.php have a sensitive SQL call that can be executed with a trivial http call and exploited to forge a SQL injection.
CVE-2024-36572 1 Allpro 2 Form-manager, Formmanager Data Handler 2024-11-21 9.8 Critical
Prototype pollution in allpro form-manager 0.7.4 allows attackers to run arbitrary code and cause other impacts via the functions setDefaults, mergeBranch, and Object.setObjectValue.
CVE-2024-36541 1 Kube-logging 2 Logging-operator, Logging Operator 2024-11-21 8.8 High
Insecure permissions in logging-operator v4.6.0 allows attackers to access sensitive data and escalate privileges by obtaining the service account's token.
CVE-2024-36503 1 Huawei 2 Emui, Harmonyos 2024-11-21 7.3 High
Memory management vulnerability in the Gralloc module Impact: Successful exploitation of this vulnerability will affect availability.
CVE-2024-36502 1 Huawei 2 Emui, Harmonyos 2024-11-21 7.9 High
Out-of-bounds read vulnerability in the audio module Impact: Successful exploitation of this vulnerability will affect availability.
CVE-2024-36501 1 Huawei 2 Emui, Harmonyos 2024-11-21 5.6 Medium
Memory management vulnerability in the boottime module Impact: Successful exploitation of this vulnerability can affect integrity.
CVE-2024-36500 1 Huawei 2 Emui, Harmonyos 2024-11-21 7.8 High
Privilege escalation vulnerability in the AMS module Impact: Successful exploitation of this vulnerability may affect service confidentiality.
CVE-2024-36499 1 Huawei 2 Emui, Harmonyos 2024-11-21 6.8 Medium
Vulnerability of unauthorized screenshot capturing in the WMS module Impact: Successful exploitation of this vulnerability may affect service confidentiality.
CVE-2024-36475 1 Centurysys 35 Futurenet Nxr-1200, Futurenet Nxr-1200 Firmware, Futurenet Nxr-120\/c and 32 more 2024-11-21 7.2 High
FutureNet NXR series, VXR series and WXR series provided by Century Systems Co., Ltd. contain an active debug code vulnerability. If a user who knows how to use the debug function logs in to the product, the debug function may be used and an arbitrary OS command may be executed.
CVE-2024-36423 1 Flowiseai 1 Flowise 2024-11-21 6.1 Medium
Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, a reflected cross-site scripting vulnerability occurs in the `/api/v1/public-chatflows/id` endpoint. If the default configuration is used (unauthenticated), an attacker may be able to craft a specially crafted URL that injects Javascript into the user sessions, allowing the attacker to steal information, create false popups, or even redirect the user to other websites without interaction. If the chatflow ID is not found, its value is reflected in the 404 page, which has type text/html. This allows an attacker to attach arbitrary scripts to the page, allowing an attacker to steal sensitive information. This XSS may be chained with the path injection to allow an attacker without direct access to Flowise to read arbitrary files from the Flowise server. As of time of publication, no known patches are available.