| CVE | Vendors | Products | Updated | CVSS v3.1 |
| LFI in Ray's /static/ directory allows attackers to read any file on the server without authentication. |
| An attacker can overwrite any file on the server hosting MLflow without any authentication. |
| H2O included a reference to an S3 bucket that no longer existed, allowing an attacker to take over the S3 bucket URL. |
| An attacker is able to gain remote code execution on a server hosting the H2O dashboard through its POJO model import feature. |
| MLflow allowed arbitrary files to be PUT onto the server. |
| An attacker is able to arbitrarily create an account in MLflow, bypassing any authentication requirement. |
| An improper input validation vulnerability has been found in Lanaccess ONSAFE MonitorHM affecting version 3.7.0. This vulnerability could allow a remote attacker to exploit the checkbox element and achieve remote code execution, compromising the entire infrastructure. |
| YugabyteDB is vulnerable to cross-site scripting (XSS) via log injection. Writing unvalidated user input to log files can allow an unprivileged attacker to forge log entries or inject malicious content into the logs. |
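The log-injection row above describes the generic failure: user input written verbatim into a log line can carry CR/LF and terminal escape sequences that end the real record and start a forged one. The following is an added illustration, not YugabyteDB's code; the record format, the `login_record` helper and the attacker string are constructed for the example.

```python
import re

# Control characters other than CR/LF (ANSI escapes, NUL, etc.) get hex-escaped.
_CONTROL = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def neutralize_for_log(value: str) -> str:
    """Escape line breaks and control characters so the value can neither
    terminate the current log record nor start a forged one."""
    value = value.replace("\\", "\\\\")          # keep escapes unambiguous
    value = value.replace("\r", "\\r").replace("\n", "\\n")
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), value)


def login_record(user: str, success: bool, safe: bool = True) -> str:
    """Hypothetical single-line audit record; safe=False reproduces the
    vulnerable pattern of logging the raw username."""
    field = neutralize_for_log(user) if safe else user
    return f"INFO login user={field} result={'success' if success else 'failure'}"


# Constructed attacker input: a failed login whose username smuggles a
# second, fake record claiming that admin logged in successfully.
FORGED_USER = "bob\r\nINFO login user=admin result=success"


def demo():
    """Return (lines written by the vulnerable path, lines written by the fixed path)."""
    unsafe = login_record(FORGED_USER, False, safe=False)
    fixed = login_record(FORGED_USER, False)
    return unsafe.splitlines(), fixed.splitlines()


if __name__ == "__main__":
    unsafe_lines, fixed_lines = demo()
    print("vulnerable path wrote %d records:" % len(unsafe_lines), unsafe_lines)
    print("fixed path wrote %d record:" % len(fixed_lines), fixed_lines)
```

Escaping at the point of logging is the minimal fix; structured (JSON) logging with a proper encoder achieves the same goal without a hand-written filter, and whichever is used, log viewers should still treat raw ANSI escape sequences as untrusted.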
| Prometheus metrics are available without authentication. These expose detailed and sensitive information about the YugabyteDB Anywhere environment. |
| Out-of-bounds Read in GitHub repository gpac/gpac prior to 2.3.0-DEV. |
| A flaw in the Windows Installer in Thales SafeNet Authentication Client prior to 10.8 R10 on Windows allows an attacker to escalate their privilege level via local access. |
| The Hotel Booking Lite WordPress plugin before 4.8.5 does not validate file paths provided via user input and does not have proper CSRF and authorisation checks, allowing unauthenticated users to download and delete arbitrary files on the server. |
| The Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor WordPress plugin before 3.4.2 does not have CSRF checks on some of its form actions, such as deletion and duplication, which could allow attackers to make a logged-in admin perform such actions via CSRF attacks. |
| A CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) vulnerability exists that could lead to a cross-site scripting condition in which attackers can have a victim's browser run arbitrary JavaScript when they visit a page containing the injected payload. |
| A CWE-79 Improper Neutralization of Input During Web Page Generation vulnerability exists that could cause compromise of a user's browser when an attacker with admin privileges has modified system values. |
| The eCommerce Product Catalog Plugin for WordPress plugin before 3.3.26 does not have CSRF checks in some of its admin pages, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks, such as deleting all products. |
| Improper Access Control in GitHub repository microweber/microweber prior to 2.0. |
| A null pointer dereference flaw was found in the nft_inner.c functionality of netfilter in the Linux kernel. This issue could allow a local user to crash the system or escalate their privileges on the system. |
| Improper authentication in the SMA100 SSL-VPN virtual office portal allows a remote authenticated attacker to create an identical external domain user using accent characters, resulting in an MFA bypass. |
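The SMA100 row above is an instance of a general identity bug: two usernames that a human reads as the same name are distinct byte strings, so a uniqueness or lookup check that compares raw strings lets an attacker register a look-alike account. The example below is an added illustration of canonicalizing names before comparison; it is not SonicWall's code, and the `register_user` registry and the candidate names are constructed for the example.

```python
import unicodedata


def canonical_username(name: str) -> str:
    """Fold a username to a comparison key: compatibility-decompose (NFKD),
    drop combining marks (accents), then casefold."""
    decomposed = unicodedata.normalize("NFKD", name)
    without_marks = "".join(
        ch for ch in decomposed if unicodedata.category(ch) != "Mn"
    )
    return without_marks.casefold()


def register_user(registry: set, requested: str) -> bool:
    """Hypothetical account creation: accept the name only if its canonical
    form is not already taken. Returns True when the account was created."""
    key = canonical_username(requested)
    if key in registry:
        return False
    registry.add(key)
    return True


# Constructed candidates: the genuine account, three accented or full-width
# look-alikes an attacker might submit, and one genuinely different name.
CANDIDATES = (
    "admin@corp.example",
    "\u00e1dmin@corp.example",        # precomposed a-acute
    "a\u0301dmin@corp.example",       # a followed by combining acute
    "\uff21dmin@corp.example",        # full-width A
    "admin2@corp.example",
)


def demo():
    """Return the accept/reject decision for each candidate in order."""
    registry = set()
    return [register_user(registry, name) for name in CANDIDATES]


if __name__ == "__main__":
    for name, accepted in zip(CANDIDATES, demo()):
        print(f"{name!r:40} -> {'created' if accepted else 'rejected as duplicate'}")
```

A raw-string registry would accept all five names. Canonicalization is a necessary check, not a sufficient one: characters from other scripts (a Cyrillic а in place of Latin a) survive this folding, so a production system should additionally restrict the permitted character set or apply a confusable-detection step before trusting the name as an identity.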
| Mattermost fails to properly sanitize requests to /api/v4/redirect_location, allowing an attacker who sends a specially crafted request to that endpoint to exhaust server memory by causing large items to be cached. |