Total: 18194 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2024-21574 | | | 2024-12-12 | 10 Critical | The issue stems from missing validation of the pip field in a POST request to the /customnode/install endpoint, which the extension adds to the server to install custom nodes. This allows an attacker to craft a request that triggers a pip install of a user-controlled package or URL, resulting in remote code execution (RCE) on the server.
CVE-2023-28201 | 1 Apple | 4 Ipados, Iphone Os, Macos and 1 more | 2024-12-12 | 9.8 Critical | This issue was addressed with improved state management. This issue is fixed in macOS Ventura 13.3, Safari 16.4, iOS 16.4 and iPadOS 16.4, iOS 15.7.4 and iPadOS 15.7.4, tvOS 16.4. A remote user may be able to cause unexpected app termination or arbitrary code execution.
CVE-2024-55586 | | | 2024-12-12 | 9.8 Critical | Nette Database through 3.2.4 allows SQL injection in certain situations involving an untrusted filter that is passed directly to the where method. NOTE: the vendor's position is that this is intended behavior.
CVE-2024-53441 | | | 2024-12-12 | 9.1 Critical | An issue in the decryptCookie function in index.js of cookie-encrypter v1.0.1 allows attackers to execute a bit-flipping attack.
CVE-2024-48453 | | | 2024-12-12 | 9.8 Critical | An issue in INOVANCE AM401_CPU1608TPTN allows a remote attacker to execute arbitrary code via the ExecuteUserProgramUpgrade function.
CVE-2024-46455 | | | 2024-12-12 | 9.8 Critical | unstructured v0.14.2 and before is vulnerable to XML External Entity (XXE) injection via the XMLParser.
CVE-2023-34159 | 1 Huawei | 1 Emui | 2024-12-12 | 9.8 Critical | Improper permission control vulnerability in the Notepad app. Successful exploitation may lead to privilege escalation, affecting availability and confidentiality.
CVE-2023-2907 | 1 Marksoft | 1 Marksoft | 2024-12-11 | 9.8 Critical | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Marksoft allows SQL Injection. This issue affects Marksoft: through Mobile:v.7.1.7 ; Login:1.4 ; API:20230605.
CVE-2023-31410 | 1 Sick | 1 Sick Eventcam App | 2024-12-11 | 9.8 Critical | A remote unprivileged attacker can intercept the communication (e.g. from a Man-in-the-Middle position) because the SICK EventCam App does not use Transport Layer Security (TLS). The unencrypted channel can lead to unauthorized disclosure of sensitive information: the attacker can eavesdrop on the communication between the EventCam App and the client and potentially manipulate the data in transit.
CVE-2023-32752 | 1 L7-networks | 2 Instantqos, Instantscan | 2024-12-11 | 9.8 Critical | The file upload function of L7 Networks InstantScan IS-8000 and InstantQoS IQ-8000 does not restrict uploads of files with dangerous types. An unauthenticated remote attacker can exploit this vulnerability to upload and run arbitrary executable files, execute arbitrary system commands, or disrupt service.
CVE-2023-32753 | 1 Itpison | 1 Omicard Edm | 2024-12-11 | 9.8 Critical | The file upload function of OMICARD EDM does not restrict uploads of files with dangerous types. An unauthenticated remote attacker can exploit this vulnerability to upload and run arbitrary executable files, execute arbitrary system commands, or disrupt service.
CVE-2024-21915 | 1 Rockwellautomation | 1 Factorytalk Services Platform | 2024-12-11 | 9 Critical | A privilege escalation vulnerability exists in Rockwell Automation FactoryTalk® Services Platform (FTSP). If exploited, a malicious user with basic user group privileges could sign into the software and receive FTSP Administrator Group privileges. A threat actor could then read and modify sensitive data, delete data, and render the FTSP system unavailable.
CVE-2024-25610 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2024-12-11 | 9 Critical | In Liferay Portal 7.2.0 through 7.4.3.12, and older unsupported versions, and Liferay DXP 7.4 before update 9, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions, the default configuration does not sanitize blog entries of JavaScript, which allows remote authenticated users to inject arbitrary web script or HTML (XSS) via a crafted payload injected into a blog entry's content text field.
CVE-2024-54926 | 1 Lopalopa | 1 E-learning Management System | 2024-12-11 | 9.8 Critical | A SQL injection vulnerability was found in /search_class.php of kashipara E-learning Management System v1.0, which allows remote attackers to execute arbitrary SQL commands and gain unauthorized database access via the school_year parameter.
CVE-2024-37143 | | | 2024-12-11 | 10 Critical | Dell PowerFlex appliance versions prior to IC 46.381.00 and IC 46.376.00, Dell PowerFlex rack versions prior to RCM 3.8.1.0 (for the RCM 3.8.x train) and prior to RCM 3.7.6.0 (for the RCM 3.7.x train), Dell PowerFlex custom node using PowerFlex Manager versions prior to 4.6.1.0, Dell InsightIQ versions prior to 5.1.1, and Dell Data Lakehouse versions prior to 1.2.0.0 contain an Improper Link Resolution Before File Access vulnerability. An unauthenticated attacker with remote access could exploit this vulnerability to execute arbitrary code on the system.
CVE-2024-54745 | | | 2024-12-11 | 9.8 Critical | WAVLINK WN701AE M01AE_V240305 was discovered to contain a hardcoded password in /etc/shadow, which allows attackers to log in as root.
CVE-2024-53442 | | | 2024-12-11 | 9.8 Critical | whapa v1.59 is vulnerable to command injection via a crafted filename passed to the HTML reports component.
CVE-2024-41579 | | | 2024-12-11 | 9.8 Critical | DTStack Taier 1.4.0 allows remote attackers to perform SQL injection via the jobName parameter of the console listNames function.
CVE-2023-50913 | | | 2024-12-11 | 9.1 Critical | Oxide control plane software before 5 allows SSRF.
CVE-2023-48010 | | | 2024-12-11 | 9.8 Critical | STMicroelectronics SPC58 is vulnerable to Missing Protection Mechanism for Alternate Hardware Interface. Code running as Supervisor on the SPC58 PowerPC microcontrollers may disable the System Memory Protection Unit and gain unrestricted read/write access to protected assets.