Search Results (362815 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-21514 1 Opencart 1 Opencart 2024-11-21 7.4 High
This affects versions of the package opencart/opencart from 0.0.0. An SQL Injection issue was identified in the Divido payment extension for OpenCart, which is included by default in version 3.0.3.9. As an anonymous unauthenticated user, if the Divido payment module is installed (it does not have to be enabled), it is possible to exploit SQL injection to gain unauthorised access to the backend database. For any site which is vulnerable, any unauthenticated user could exploit this to dump the entire OpenCart database, including customer PII data.
CVE-2024-21513 1 Langchain 2 Langchain-experimental, Langchain Experimental 2024-11-21 8.5 High
Versions of the package langchain-experimental from 0.0.15 and before 0.0.21 are vulnerable to Arbitrary Code Execution when retrieving values from the database, the code will attempt to call 'eval' on all values. An attacker can exploit this vulnerability and execute arbitrary python code if they can control the input prompt and the server is configured with VectorSQLDatabaseChain. **Notes:** Impact on the Confidentiality, Integrity and Availability of the vulnerable component: Confidentiality: Code execution happens within the impacted component, in this case langchain-experimental, so all resources are necessarily accessible. Integrity: There is nothing protected by the impacted component inherently. Although anything returned from the component counts as 'information' for which the trustworthiness can be compromised. Availability: The loss of availability isn't caused by the attack itself, but it happens as a result during the attacker's post-exploitation steps. Impact on the Confidentiality, Integrity and Availability of the subsequent system: As a legitimate low-privileged user of the package (PR:L) the attacker does not have more access to data owned by the package as a result of this vulnerability than they did with normal usage (e.g. can query the DB). The unintended action that one can perform by breaking out of the app environment and exfiltrating files, making remote connections etc. happens during the post exploitation phase in the subsequent system - in this case, the OS. AT:P: An attacker needs to be able to influence the input prompt, whilst the server is configured with the VectorSQLDatabaseChain plugin.
CVE-2024-21504 2024-11-21 6.1 Medium
Versions of the package livewire/livewire from 3.3.5 and before 3.4.9 are vulnerable to Cross-site Scripting (XSS) when a page uses [Url] for a property. An attacker can inject HTML code in the context of the user's browser session by crafting a malicious link and convincing the user to click on it.
CVE-2024-21493 2024-11-21 5.3 Medium
All versions of the package github.com/greenpau/caddy-security are vulnerable to Improper Validation of Array Index when parsing a Caddyfile. Multiple parsing functions in the affected library do not validate whether their input values are nil before attempting to access elements, which can lead to a panic (index out of range). Panics during the parsing of a configuration file may introduce ambiguity and vulnerabilities, hindering the correct interpretation and configuration of the web server.
CVE-2024-21484 2 Jsrsasign Project, Redhat 2 Jsrsasign, Migration Toolkit Virtualization 2024-11-21 7.5 High
Versions of the package jsrsasign before 11.0.0 are vulnerable to Observable Discrepancy via the RSA PKCS1.5 or RSAOAEP decryption process. An attacker can decrypt ciphertexts by exploiting the Marvin security flaw. Exploiting this vulnerability requires the attacker to have access to a large number of ciphertexts encrypted with the same key. Workaround The vulnerability can be mitigated by finding and replacing RSA and RSAOAEP decryption with another crypto library.
CVE-2024-21482 1 Qualcomm 138 Csr8811, Csr8811 Firmware, Immersive Home 214 Platform and 135 more 2024-11-21 6.8 Medium
Memory corruption during the secure boot process, when the `bootm` command is used, it bypasses the authentication of the kernel/rootfs image.
CVE-2024-21469 1 Qualcomm 450 9205 Lte Modem, 9205 Lte Modem Firmware, Aqt1000 and 447 more 2024-11-21 7.3 High
Memory corruption when an invoke call and a TEE call are bound for the same trusted application.
CVE-2024-21466 1 Qualcomm 128 Fastconnect 7800, Fastconnect 7800 Firmware, Immersive Home 3210 Platform and 125 more 2024-11-21 6.5 Medium
Information disclosure while parsing sub-IE length during new IE generation.
CVE-2024-21465 1 Qualcomm 518 9205 Lte Modem, 9205 Lte Modem Firmware, Aqt1000 and 515 more 2024-11-21 7.8 High
Memory corruption while processing key blob passed by the user.
CVE-2024-21462 1 Qualcomm 622 315 5g Iot Modem, 315 5g Iot Modem Firmware, 9205 Lte Modem and 619 more 2024-11-21 7.1 High
Transient DOS while loading the TA ELF file.
CVE-2024-21461 1 Qualcomm 630 215 Mobile Platform, 215 Mobile Platform Firmware, 315 5g Iot Modem and 627 more 2024-11-21 8.4 High
Memory corruption while performing finish HMAC operation when context is freed by keymaster.
CVE-2024-21460 1 Qualcomm 30 Fastconnect 6900, Fastconnect 6900 Firmware, Fastconnect 7800 and 27 more 2024-11-21 7.1 High
Information disclosure when ASLR relocates the IMEM and Secure DDR portions as one chunk in virtual address space.
CVE-2024-21458 1 Qualcomm 222 Ar8035, Ar8035 Firmware, Csr8811 and 219 more 2024-11-21 6.5 Medium
Information disclosure while handling SA query action frame.
CVE-2024-21457 1 Qualcomm 222 Ar8035, Ar8035 Firmware, Csr8811 and 219 more 2024-11-21 6.5 Medium
INformation disclosure while handling Multi-link IE in beacon frame.
CVE-2024-21456 1 Qualcomm 84 Ar8035, Ar8035 Firmware, Fastconnect 7800 and 81 more 2024-11-21 6.5 Medium
Information Disclosure while parsing beacon frame in STA.
CVE-2024-21184 1 Oracle 1 Database Server 2024-11-21 7.2 High
Vulnerability in the Oracle Database RDBMS Security component of Oracle Database Server. Supported versions that are affected are 19.3-19.23. Easily exploitable vulnerability allows high privileged attacker having Execute on SYS.XS_DIAG privilege with network access via Oracle Net to compromise Oracle Database RDBMS Security. Successful attacks of this vulnerability can result in takeover of Oracle Database RDBMS Security. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
CVE-2024-21030 1 Oracle 1 Complex Maintenance Repair And Overhaul 2024-11-21 6.1 Medium
Vulnerability in the Oracle Complex Maintenance, Repair, and Overhaul product of Oracle E-Business Suite (component: LOV). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Complex Maintenance, Repair, and Overhaul. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Complex Maintenance, Repair, and Overhaul, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Complex Maintenance, Repair, and Overhaul accessible data as well as unauthorized read access to a subset of Oracle Complex Maintenance, Repair, and Overhaul accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
CVE-2024-20901 1 Samsung 1 Android 2024-11-21 5.9 Medium
Improper input validation in copying data to buffer cache in libsaped prior to SMR Jul-2024 Release 1 allows local attackers to write out-of-bounds memory.
CVE-2024-20900 1 Samsung 1 Android 2024-11-21 4 Medium
Improper authentication in MTP application prior to SMR Jul-2024 Release 1 allows local attackers to enter MTP mode without proper authentication.
CVE-2024-20899 1 Samsung 1 Android 2024-11-21 4 Medium
Use of implicit intent for sensitive communication in RCS function in IMS service prior to SMR Jul-2024 Release 1 allows local attackers to get sensitive information.