Total 18193 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2024-42784 2 Kashipara, Lopalopa 2 Music Management System, Music Management System 2024-08-26 9.8 Critical
A SQL injection vulnerability in "/music/controller.php?page=view_music" in Kashipara Music Management System v1.0 allows an attacker to execute arbitrary SQL commands via the "id" parameter.
CVE-2024-45258 1 Imroc 1 Req 2024-08-26 9.8 Critical
The req package before 3.43.4 for Go may send an unintended request when a malformed URL is provided, because cleanHost in http.go intentionally uses a "garbage in, garbage out" design.
CVE-2024-45256 1 Malwared 1 Byob 2024-08-26 9.8 Critical
An arbitrary file write issue in the exfiltration endpoint in BYOB (Build Your Own Botnet) 2.0 allows attackers to overwrite SQLite databases and bypass authentication via an unauthenticated HTTP request with a crafted parameter. This occurs in file_add in api/files/routes.py.
CVE-2024-20454 1 Cisco 22 Spa 301 1 Line Ip Phone, Spa 301 Firmware, Spa 303 3 Line Ip Phone and 19 more 2024-08-25 9.8 Critical
Multiple vulnerabilities in the web-based management interface of Cisco Small Business SPA300 Series IP Phones and Cisco Small Business SPA500 Series IP Phones could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system with root privileges. These vulnerabilities exist because incoming HTTP packets are not properly checked for errors, which could result in a buffer overflow. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to overflow an internal buffer and execute arbitrary commands at the root privilege level.
CVE-2024-33853 1 Centreon 1 Centreon Web 2024-08-23 9.1 Critical
A SQL Injection vulnerability exists in the Timeperiod component in Centreon Web 24.04.x before 24.04.3, 23.10.x before 23.10.13, 23.04.x before 23.04.19, and 22.10.x before 22.10.23.
CVE-2024-33852 1 Centreon 1 Centreon Web 2024-08-23 9.1 Critical
A SQL Injection vulnerability exists in the Downtime component in Centreon Web 24.04.x before 24.04.3, 23.10.x before 23.10.13, 23.04.x before 23.04.19, and 22.10.x before 22.10.23.
CVE-2024-7954 1 Spip 1 Spip 2024-08-23 9.8 Critical
The porte_plume plugin used by SPIP before 4.30-alpha2, 4.2.13, and 4.1.16 is vulnerable to an arbitrary code execution vulnerability. A remote and unauthenticated attacker can execute arbitrary PHP as the SPIP user by sending a crafted HTTP request.
CVE-2024-20450 1 Cisco 23 Small Business Ip Phone Firmware, Spa 301 1 Line Ip Phone, Spa 301 Firmware and 20 more 2024-08-23 9.8 Critical
Multiple vulnerabilities in the web-based management interface of Cisco Small Business SPA300 Series IP Phones and Cisco Small Business SPA500 Series IP Phones could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system with root privileges. These vulnerabilities exist because incoming HTTP packets are not properly checked for errors, which could result in a buffer overflow. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to overflow an internal buffer and execute arbitrary commands at the root privilege level.
CVE-2024-21876 1 Enphase 3 Envoy, Iq Gateway, Iq Gateway Firmware 2024-08-23 9.1 Critical
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability via a URL parameter in Enphase IQ Gateway (formerly known as Envoy) allows an unautheticated attacker to access or create arbitratry files.This issue affects Envoy: from 4.x to 8.x and < 8.2.4225.
CVE-2024-21878 1 Enphase 3 Envoy, Iq Gateway, Iq Gateway Firmware 2024-08-23 9.8 Critical
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Enphase IQ Gateway (formerly known as Envoy) allows OS Command Injection. This vulnerability is present in an internal script.This issue affects Envoy: from 4.x up to and including 8.x and is currently unpatched.
CVE-2024-40453 1 Squirrelly 1 Squirrelly 2024-08-23 9.8 Critical
squirrellyjs squirrelly v9.0.0 and fixed in v.9.0.1 was discovered to contain a code injection vulnerability via the component options.varName.
CVE-2024-42775 1 Kashipara 1 Hotel Management System 2024-08-23 9.1 Critical
An Incorrect Access Control vulnerability was found in /admin/add_room_controller.php in Kashipara Hotel Management System v1.0, which allows an unauthenticated attacker to add the valid hotel room entries in the administrator section via the direct URL access.
CVE-2024-42765 1 Kashipara 1 Bus Ticket Reservation System 2024-08-23 9.8 Critical
A SQL injection vulnerability in "/login.php" of the Kashipara Bus Ticket Reservation System v1.0 allows remote attackers to execute arbitrary SQL commands and bypass Login via the "email" or "password" Login page parameters.
CVE-2023-6452 1 Forcepoint 1 Web Security 2024-08-23 9.6 Critical
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Forcepoint Web Security (Transaction Viewer) allows Stored XSS. The Forcepoint Web Security portal allows administrators to generate detailed reports on user requests made through the Web proxy. It has been determined that the "user agent" field in the Transaction Viewer is vulnerable to a persistent Cross-Site Scripting (XSS) vulnerability, which can be exploited by any user who can route traffic through the Forcepoint Web proxy. This vulnerability enables unauthorized attackers to execute JavaScript within the browser context of a Forcepoint administrator, thereby allowing them to perform actions on the administrator's behalf. Such a breach could lead to unauthorized access or modifications, posing a significant security risk. This issue affects Web Security: before 8.5.6.
CVE-2024-42764 1 Kashipara 1 Bus Ticket Reservation System 2024-08-23 9.4 Critical
Kashipara Bus Ticket Reservation System v1.0 is vulnerable to Cross Site Request Forgery (CSRF) via /deleteTicket.php.
CVE-2024-42781 2 Kashipara, Lopalopa 2 Music Management System, Music Management System 2024-08-23 9.8 Critical
A SQL injection vulnerability in "/music/ajax.php?action=login" of Kashipara Music Management System v1.0 allows remote attackers to execute arbitrary SQL commands and bypass Login via the email parameter.
CVE-2024-42777 2 Kashipara, Lopalopa 2 Music Management System, Music Management System 2024-08-23 9.8 Critical
An Unrestricted file upload vulnerability was found in "/music/ajax.php?action=signup" of Kashipara Music Management System v1.0, which allows attackers to execute arbitrary code via uploading a crafted PHP file.
CVE-2024-41623 2 D3dsecurity, Ezviz 3 D8801, D8801 Firmware, Internet Pt Camera 2024-08-23 9.8 Critical
An issue in D3D Security D3D IP Camera (D8801) v.V9.1.17.1.4-20180428 allows a local attacker to execute arbitrary code via a crafted payload
CVE-2024-45167 1 Uci 1 Idol 2 2024-08-22 9.8 Critical
An issue was discovered in UCI IDOL 2 (aka uciIDOL or IDOL2) through 2.12. Due to improper input validation, improper deserialization, and improper restriction of operations within the bounds of a memory buffer, IDOL2 is vulnerable to Denial-of-Service (DoS) attacks and possibly remote code execution. A certain XmlMessage document causes 100% CPU consumption.
CVE-2024-37099 1 Liquidweb 1 Givewp 2024-08-22 10 Critical
Deserialization of Untrusted Data vulnerability in Liquid Web GiveWP allows Object Injection.This issue affects GiveWP: from n/a through 3.14.1.