Search Results (362867 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-24751 1 Derhansen 1 Event Management And Registration 2024-11-21 4.3 Medium
sf_event_mgt is an event management and registration extension for the TYPO3 CMS based on ExtBase and Fluid. In affected versions the existing access control check for events in the backend module got broken during the update of the extension to TYPO3 12.4, because the `RedirectResponse` from the `$this->redirect()` function was never handled. This issue has been addressed in version 7.4.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2024-24747 1 Minio 1 Minio 2024-11-21 8.8 High
MinIO is a High Performance Object Storage. When someone creates an access key, it inherits the permissions of the parent key. Not only for `s3:*` actions, but also `admin:*` actions. Which means unless somewhere above in the access-key hierarchy, the `admin` rights are denied, access keys will be able to simply override their own `s3` permissions to something more permissive. The vulnerability is fixed in RELEASE.2024-01-31T20-20-33Z.
CVE-2024-24743 1 Sap 1 Netweaver Application Server Java 2024-11-21 8.6 High
SAP NetWeaver AS Java (CAF - Guided Procedures) - version 7.50, allows an unauthenticated attacker to submit a malicious request with a crafted XML file over the network, which when parsed will enable him to access sensitive files and data but not modify them. There are expansion limits in place so that availability is not affected.
CVE-2024-24742 1 Sap 1 Crm - Webclient Ui 2024-11-21 4.1 Medium
SAP CRM WebClient UI - version S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, WEBCUIF 701, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800, WEBCUIF 801, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. An attacker with low privileges can cause limited impact to integrity of the application data after successful exploitation. There is no impact on confidentiality and availability.
CVE-2024-24741 1 Sap 1 Master Data Governance For Material Data 2024-11-21 4.3 Medium
SAP Master Data Governance for Material Data - versions 618, 619, 620, 621, 622, 800, 801, 802, 803, 804, does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges. This could allow an attacker to read some sensitive information but no impact to integrity and availability.
CVE-2024-24716 1 Getawesomesupport 1 Awesome Support 2024-11-21 5.4 Medium
Missing Authorization vulnerability in Awesome Support Team Awesome Support.This issue affects Awesome Support: from n/a through 6.1.6.
CVE-2024-24704 1 Addonmaster 1 Load More Anything 2024-11-21 5.4 Medium
Missing Authorization vulnerability in AddonMaster Load More Anything.This issue affects Load More Anything: from n/a through 3.3.3.
CVE-2024-24698 1 Zoom 4 Meeting Software Development Kit, Rooms, Vdi Windows Meeting Clients and 1 more 2024-11-21 4.9 Medium
Improper authentication in some Zoom clients may allow a privileged user to conduct a disclosure of information via local access.
CVE-2024-24696 1 Zoom 3 Meeting Software Development Kit, Vdi Windows Meeting Clients, Zoom 2024-11-21 6.8 Medium
Improper input validation in Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for Windows may allow an authenticated user to conduct a disclosure of information via network access.
CVE-2024-24693 1 Zoom 1 Rooms 2024-11-21 7.2 High
Improper access control in the installer for Zoom Rooms Client for Windows before version 5.17.5 may allow an authenticated user to conduct a denial of service via local access.
CVE-2024-24692 1 Zoom 1 Rooms 2024-11-21 5.3 Medium
Race condition in the installer for Zoom Rooms Client for Windows before version 5.17.5 may allow an authenticated user to conduct a denial of service via local access.
CVE-2024-24690 1 Zoom 5 Meeting Software Development Kit, Rooms, Vdi Windows Meeting Clients and 2 more 2024-11-21 5.4 Medium
Improper input validation in some Zoom clients may allow an authenticated user to conduct a denial of service via network access.
CVE-2024-24623 1 Softaculous 1 Webuzo 2024-11-21 8.8 High
Softaculous Webuzo contains a command injection vulnerability in the FTP management functionality. A remote, authenticated attacker can exploit this vulnerability to gain code execution on the system.
CVE-2024-24622 1 Softaculous 1 Webuzo 2024-11-21 8.8 High
Softaculous Webuzo contains a command injection in the password reset functionality. A remote, authenticated attacker can exploit this vulnerability to gain code execution on the system.
CVE-2024-24621 1 Softaculous 1 Webuzo 2024-11-21 9.8 Critical
Softaculous Webuzo contains an authentication bypass vulnerability through the password reset functionality. Remote, anonymous attackers can exploit this vulnerability to gain full server access as the root user.
CVE-2024-24594 1 Clear 1 Clearml 2024-11-21 9.9 Critical
A cross-site scripting (XSS) vulnerability in all versions of the web server component of Allegro AI’s ClearML platform allows a remote attacker to execute a JavaScript payload when a user views the Debug Samples tab in the web UI.
CVE-2024-24592 1 Clear 1 Clearml 2024-11-21 9.8 Critical
Lack of authentication in all versions of the fileserver component of Allegro AI’s ClearML platform allows a remote attacker to arbitrarily access, create, modify and delete files.
CVE-2024-24579 1 Anchore 1 Stereoscope 2024-11-21 5.3 Medium
stereoscope is a go library for processing container images and simulating a squash filesystem. Prior to version 0.0.1, it is possible to craft an OCI tar archive that, when stereoscope attempts to unarchive the contents, will result in writing to paths outside of the unarchive temporary directory. Specifically, use of `github.com/anchore/stereoscope/pkg/file.UntarToDirectory()` function, the `github.com/anchore/stereoscope/pkg/image/oci.TarballImageProvider` struct, or the higher level `github.com/anchore/stereoscope/pkg/image.Image.Read()` function express this vulnerability. As a workaround, if you are using the OCI archive as input into stereoscope then you can switch to using an OCI layout by unarchiving the tar archive and provide the unarchived directory to stereoscope.
CVE-2024-24572 1 Facilemanager 1 Facilemanager 2024-11-21 6.5 Medium
facileManager is a modular suite of web apps built with the sysadmin in mind. In versions 4.5.0 and earlier, the $_REQUEST global array was unsafely called inside an extract() function in admin-logs.php. The PHP file fm-init.php prevents arbitrary manipulation of $_SESSION via the GET/POST parameters. However, it does not prevent manipulation of any other sensitive variables such as $search_sql. Knowing this, an authenticated user with privileges to view site logs can manipulate the search_sql variable by appending a GET parameter search_sql in the URL. The information above means that the checks and SQL injection prevention attempts were rendered unusable.
CVE-2024-24565 1 Cratedb 1 Cratedb 2024-11-21 5.7 Medium
CrateDB is a distributed SQL database that makes it simple to store and analyze massive amounts of data in real-time. There is a COPY FROM function in the CrateDB database that is used to import file data into database tables. This function has a flaw, and authenticated attackers can use the COPY FROM function to import arbitrary file content into database tables, resulting in information leakage. This vulnerability is patched in 5.3.9, 5.4.8, 5.5.4, and 5.6.1.