Total
18198 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-8584 | 1 Learningdigital | 1 Orca Hcm | 2024-09-13 | 9.8 Critical |
| Orca HCM from LEARNING DIGITAL does not properly restrict access to a specific functionality, allowing unauthenticated remote attacker to exploit this functionality to create an account with administrator privilege and subsequently use it to log in. ( The vendor is currently addressing the vulnerability. Once the fix is completed, we will provide information on the affected versions.) | ||||
| CVE-2024-8073 | 1 Hillstonenet | 1 Web Application Firewall | 2024-09-12 | 9.8 Critical |
| Improper Input Validation vulnerability in Hillstone Networks Hillstone Networks Web Application Firewall on 5.5R6 allows Command Injection.This issue affects Hillstone Networks Web Application Firewall: from 5.5R6-2.6.7 through 5.5R6-2.8.13. | ||||
| CVE-2024-45824 | 1 Rockwellautomation | 1 Factorytalk View | 2024-09-12 | 9.8 Critical |
| CVE-2024-45824 IMPACT A remote code vulnerability exists in the affected products. The vulnerability occurs when chained with Path Traversal, Command Injection, and XSS Vulnerabilities and allows for full unauthenticated remote code execution. The link in the mitigations section below contains patches to fix this issue. | ||||
| CVE-2024-8463 | 1 Phpgurukul | 1 Job Portal | 2024-09-12 | 9.9 Critical |
| File upload restriction bypass vulnerability in PHPGurukul Job Portal 1.0, the exploitation of which could allow an authenticated user to execute an RCE via webshell. | ||||
| CVE-2024-44401 | 2 D-link, Dlink | 3 Di-8100, Di-8100g, Di-8100g Firmware | 2024-09-12 | 9.8 Critical |
| D-Link DI-8100G 17.12.20A1 is vulnerable to Command Injection via sub47A60C function in the upgrade_filter.asp file | ||||
| CVE-2024-42469 | 1 Openhab | 1 Openhab | 2024-09-12 | 9.8 Critical |
| openHAB, a provider of open-source home automation software, has add-ons including the visualization add-on CometVisu. Prior to version 4.2.1, CometVisu's file system endpoints don't require authentication and additionally the endpoint to update an existing file is susceptible to path traversal. This makes it possible for an attacker to overwrite existing files on the openHAB instance. If the overwritten file is a shell script that is executed at a later time, this vulnerability can allow remote code execution by an attacker. Users should upgrade to version 4.2.1 to receive a patch. | ||||
| CVE-2024-43040 | 1 Renwoxing | 1 Intelligent Management System | 2024-09-12 | 9.1 Critical |
| Renwoxing Enterprise Intelligent Management System before v3.0 was discovered to contain a SQL injection vulnerability via the parid parameter at /fx/baseinfo/SearchInfo. | ||||
| CVE-2024-41730 | 2 Sap, Sap Se | 2 Business Objects Business Intelligence Platform, Sap Business Objects Business Intgelligence Platform | 2024-09-12 | 9.8 Critical |
| In SAP BusinessObjects Business Intelligence Platform, if Single Signed On is enabled on Enterprise authentication, an unauthorized user can get a logon token using a REST endpoint. The attacker can fully compromise the system resulting in High impact on confidentiality, integrity and availability. | ||||
| CVE-2024-8292 | 1 Plechevandrey | 1 Wp-recall | 2024-09-12 | 9.8 Critical |
| The WP-Recall – Registration, Profile, Commerce & More plugin for WordPress is vulnerable to privilege escalation/account takeover in all versions up to, and including, 16.26.8. This is due to to plugin not properly verifying a user's identity during new order creation. This makes it possible for unauthenticated attackers to supply any email through the user_email field and update the password for that user during new order creation. This requires the commerce addon to be enabled in order to exploit. | ||||
| CVE-2024-44541 | 1 Evilnapsis | 1 Inventio-lite | 2024-09-12 | 9.8 Critical |
| evilnapsis Inventio Lite Versions v4 and before is vulnerable to SQL Injection via the "username" parameter in "/?action=processlogin." | ||||
| CVE-2024-6924 | 1 Themetechmount | 2 Truebooker, Truebooker-appointment-booking | 2024-09-11 | 9.8 Critical |
| The TrueBooker WordPress plugin before 1.0.3 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. | ||||
| CVE-2024-42638 | 1 H3c | 2 Magic B1st, Magic B1st Firmware | 2024-09-11 | 9.8 Critical |
| H3C Magic B1ST v100R012 was discovered to contain a hardcoded password vulnerability in /etc/shadow, which allows attackers to log in as root. | ||||
| CVE-2024-44893 | 1 Jeecg | 1 Jimureport | 2024-09-10 | 9.8 Critical |
| An issue in the component /jeecg-boot/jmreport/dict/list of JimuReport v1.7.8 allows attacker to escalate privileges via a crafted GET request. | ||||
| CVE-2024-44410 | 2 D-link, Dlink | 3 Di-8300, Di-8300, Di-8300 Firmware | 2024-09-10 | 9.8 Critical |
| D-Link DI-8300 v16.07.26A1 is vulnerable to command injection via the upgrade_filter_asp function. | ||||
| CVE-2023-37231 | 1 Loftware | 1 Spectrum | 2024-09-10 | 9.8 Critical |
| Loftware Spectrum before 4.6 HF14 uses a Hard-coded Password. | ||||
| CVE-2023-37227 | 1 Loftware | 1 Spectrum | 2024-09-10 | 9.8 Critical |
| Loftware Spectrum before 4.6 HF13 Deserializes Untrusted Data. | ||||
| CVE-2024-44402 | 2 D-link, Dlink | 3 Di-8100g, Di-8100g, Di-8100g Firmware | 2024-09-10 | 9.8 Critical |
| D-Link DI-8100G 17.12.20A1 is vulnerable to Command Injection via msp_info.htm. | ||||
| CVE-2024-42348 | 1 Fogproject | 1 Fogproject | 2024-09-10 | 9.3 Critical |
| FOG is a cloning/imaging/rescue suite/inventory management system. FOG Server 1.5.10.41.2 can leak AD username and password when registering a computer. This vulnerability is fixed in 1.5.10.41.3 and 1.6.0-beta.1395. | ||||
| CVE-2024-38886 | 1 Horizoncloud | 1 Caterease | 2024-09-10 | 9.8 Critical |
| An issue in Horizon Business Services Inc. Caterease 16.0.1.1663 through 24.0.1.2405 and possibly later versions, allows a remote attacker to perform a Traffic Injection attack due to improper verification of the source of a communication channel. | ||||
| CVE-2024-38889 | 1 Horizoncloud | 1 Caterease | 2024-09-10 | 9.6 Critical |
| An issue in Horizon Business Services Inc. Caterease 16.0.1.1663 through 24.0.1.2405 and possibly later versions, allows a remote attacker to perform SQL Injection due to improper neutralization of special elements used in an SQL command. | ||||