Total
18193 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2024-37847 | 2 Radix Iot, Radixiot | 4 Mango Api, Mango Os, Mango and 1 more | 2024-11-05 | 9.8 Critical |
An arbitrary file upload vulnerability in MangoOS before 5.1.4 and Mango API before 4.5.5 allows attackers to execute arbitrary code via a crafted file. | ||||
CVE-2024-20412 | 1 Cisco | 23 Firepower 1000, Firepower 1010, Firepower 1020 and 20 more | 2024-11-05 | 9.3 Critical |
A vulnerability in Cisco Firepower Threat Defense (FTD) Software for Cisco Firepower 1000, 2100, 3100, and 4200 Series could allow an unauthenticated, local attacker to access an affected system using static credentials. This vulnerability is due to the presence of static accounts with hard-coded passwords on an affected system. An attacker could exploit this vulnerability by logging in to the CLI of an affected device with these credentials. A successful exploit could allow the attacker to access the affected system and retrieve sensitive information, perform limited troubleshooting actions, modify some configuration options, or render the device unable to boot to the operating system, requiring a reimage of the device. | ||||
CVE-2024-8956 | 1 Ptzoptics | 4 Pt30x-ndi-xx-g2, Pt30x-ndi-xx-g2 Firmware, Pt30x-sdi and 1 more | 2024-11-05 | 9.1 Critical |
PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an insufficient authentication issue. The camera does not properly enforce authentication to /cgi-bin/param.cgi when requests are sent without an HTTP Authorization header. The result is a remote and unauthenticated attacker can leak sensitive data such as usernames, password hashes, and configurations details. Additionally, the attacker can update individual configuration values or overwrite the whole file. | ||||
CVE-2024-7475 | 2 Lunary, Lunary-ai | 2 Lunary, Lunary-ai\/lunary | 2024-11-04 | 9.1 Critical |
An improper access control vulnerability in lunary-ai/lunary version 1.3.2 allows an attacker to update the SAML configuration without authorization. This vulnerability can lead to manipulation of authentication processes, fraudulent login requests, and theft of user information. Appropriate access controls should be implemented to ensure that the SAML configuration can only be updated by authorized users. | ||||
CVE-2024-10474 | 1 Mozilla | 2 Firefox Focus, Focus For Ios | 2024-11-04 | 9.1 Critical |
Focus was incorrectly allowing internal links to utilize the app scheme used for deeplinking, which could result in links potentially circumventing some URL safety checks This vulnerability affects Focus for iOS < 132. | ||||
CVE-2024-10468 | 1 Mozilla | 2 Firefox, Thunderbird | 2024-11-04 | 9.8 Critical |
Potential race conditions in IndexedDB could have caused memory corruption, leading to a potentially exploitable crash. This vulnerability affects Firefox < 132 and Thunderbird < 132. | ||||
CVE-2024-10467 | 2 Mozilla, Redhat | 9 Firefox, Firefox Esr, Thunderbird and 6 more | 2024-11-04 | 9.8 Critical |
Memory safety bugs present in Firefox 131, Firefox ESR 128.3, and Thunderbird 128.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 132, Firefox ESR < 128.4, Thunderbird < 128.4, and Thunderbird < 132. | ||||
CVE-2024-51427 | 1 Ethereum | 1 Ethereum | 2024-11-04 | 9.8 Critical |
An issue in the PepeGxng smart contract (which can be run on the Ethereum blockchain) allows remote attackers to have an unspecified impact via the mint function. NOTE: this is disputed by third parties because the impact is limited to function calls. | ||||
CVE-2024-51424 | 1 Ethereum | 1 Ethereum | 2024-11-04 | 9.8 Critical |
An issue in the PepeGxng smart contract (which can be run on the Ethereum blockchain) allows remote attackers to have an unspecified impact via the Owned.setOwner function. NOTE: this is disputed by third parties because the impact is limited to function calls. | ||||
CVE-2024-45656 | 1 Ibm | 1 Power9 System Firmware | 2024-11-02 | 9.8 Critical |
IBM Flexible Service Processor (FSP) FW860.00 through FW860.B3, FW950.00 through FW950.C0, FW1030.00 through FW1030.61, FW1050.00 through FW1050.21, and FW1060.00 through FW1060.10 has static credentials which may allow network users to gain service privileges to the FSP. | ||||
CVE-2024-48359 | 1 Qualitor | 1 Qualitor | 2024-11-01 | 9.8 Critical |
Qualitor v8.24 was discovered to contain a remote code execution (RCE) vulnerability via the gridValoresPopHidden parameter. | ||||
CVE-2024-6581 | 2 Lollms, Parisneo | 2 Lord Of Large Language Models, Lollms | 2024-11-01 | 9.0 Critical |
A vulnerability in the discussion image upload function of the Lollms application, version v9.9, allows for the uploading of SVG files. Due to incomplete filtering in the sanitize_svg function, this can lead to cross-site scripting (XSS) vulnerabilities, which in turn pose a risk of remote code execution. The sanitize_svg function only removes script elements and 'on*' event attributes, but does not account for other potential vectors for XSS within SVG files. This vulnerability can be exploited when authorized users access a malicious URL containing the crafted SVG file. | ||||
CVE-2024-49400 | 1 Facebook | 1 Tacquito | 2024-11-01 | 9.8 Critical |
Tacquito prior to commit 07b49d1358e6ec0b5aa482fcd284f509191119e2 was not properly performing regex matches on authorized commands and arguments. Configured allowed commands/arguments were intended to require a match on the entire string, but instead only enforced a match on a sub-string. That would have potentially allowed unauthorized commands to be executed. | ||||
CVE-2024-8309 | 2 Langchain, Langchain-ai | 2 Langchain, Langchain | 2024-11-01 | 9.8 Critical |
A vulnerability in the GraphCypherQAChain class of langchain-ai/langchain version 0.2.5 allows for SQL injection through prompt injection. This vulnerability can lead to unauthorized data manipulation, data exfiltration, denial of service (DoS) by deleting all data, breaches in multi-tenant security environments, and data integrity issues. Attackers can create, update, or delete nodes and relationships without proper authorization, extract sensitive data, disrupt services, access data across different tenants, and compromise the integrity of the database. | ||||
CVE-2024-10119 | 2 Secom, Zte | 3 Wrtm326 Firmware, Wrtm326, Wrtm326 Firmware | 2024-11-01 | 9.8 Critical |
The wireless router WRTM326 from SECOM does not properly validate a specific parameter. An unauthenticated remote attacker could execute arbitrary system commands by sending crafted requests. | ||||
CVE-2024-9264 | 1 Grafana | 1 Grafana | 2024-11-01 | 9.9 Critical |
The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The `duckdb` binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions. | ||||
CVE-2024-20424 | 1 Cisco | 2 Firepower Management Center, Secure Firewall Management Center | 2024-11-01 | 9.9 Critical |
A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software, formerly Firepower Management Center Software, could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system as root. This vulnerability is due to insufficient input validation of certain HTTP requests. An attacker could exploit this vulnerability by authenticating to the web-based management interface of an affected device and then sending a crafted HTTP request to the device. A successful exploit could allow the attacker to execute arbitrary commands with root permissions on the underlying operating system of the Cisco FMC device or to execute commands on managed Cisco Firepower Threat Defense (FTD) devices. To exploit this vulnerability, the attacker would need valid credentials for a user account with at least the role of Security Analyst (Read Only). | ||||
CVE-2024-51063 | 1 Phpgurukul | 1 Teachers Record Management System | 2024-11-01 | 9.1 Critical |
Phpgurukul Teachers Record Management System v2.1 is vulnerable to SQL Injection in add-teacher.php via the mobile number or email parameter. | ||||
CVE-2024-51060 | 1 Online Admission System Project | 1 Online Admission System | 2024-11-01 | 9.1 Critical |
Projectworlds Online Admission System v1 is vulnerable to SQL Injection in index.php via the 'a_id' parameter. | ||||
CVE-2024-51065 | 1 Phpgurukul | 1 Beauty Parlour Management System | 2024-11-01 | 9.8 Critical |
Phpgurukul Beauty Parlour Management System v1.1 is vulnerable to SQL Injection in admin/index.php via the the username parameter. |