Search Results (120735 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-12898 1 1000projects 1 Attendance Tracking Management System 2025-01-08 6.3 Medium
A vulnerability was found in 1000 Projects Attendance Tracking Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /admin/faculty_action.php. The manipulation of the argument faculty_course_id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.
CVE-2024-12899 1 1000projects 1 Attendance Tracking Management System 2025-01-08 7.3 High
A vulnerability was found in 1000 Projects Attendance Tracking Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /admin/course_action.php. The manipulation of the argument course_code leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
CVE-2023-28701 1 Elite 1 Webfax 2025-01-08 9.8 Critical
ELITE TECHNOLOGY CORP. Web Fax has a vulnerability of SQL Injection. An unauthenticated remote attacker can inject SQL commands into the input field of the login page to perform arbitrary system commands, disrupt service or terminate service.
CVE-2023-30602 1 Hitrontech 2 Coda-5310, Coda-5310 Firmware 2025-01-08 7.5 High
Hitron Technologies CODA-5310’s Telnet function transfers sensitive data in plaintext. An unauthenticated remote attacker can exploit this vulnerability to access credentials of normal users and administrator.
CVE-2024-2149 1 Codeastro 1 Membership Management System 2025-01-08 4.7 Medium
A vulnerability classified as critical was found in CodeAstro Membership Management System 1.0. This vulnerability affects unknown code of the file settings.php. The manipulation of the argument currency leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-255502 is the identifier assigned to this vulnerability.
CVE-2023-3056 1 Iuok 1 Yfcmf-tp6 2025-01-08 4.3 Medium
A vulnerability was found in YFCMF up to 3.0.4. It has been declared as problematic. This vulnerability affects unknown code of the file index.php. The manipulation leads to path traversal: '../filedir'. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-230542 is the identifier assigned to this vulnerability.
CVE-2023-28698 1 Wddgroup 1 Fantsy 2025-01-08 9.8 Critical
Wade Graphic Design FANTSY has a vulnerability of insufficient authorization check. An unauthenticated remote user can exploit this vulnerability by modifying URL parameters to gain administrator privileges to perform arbitrary system operation or disrupt service.
CVE-2023-28699 1 Wddgroup 1 Fantasy 2025-01-08 8.8 High
Wade Graphic Design FANTSY has a vulnerability of insufficient filtering for file type in its file update function. An authenticated remote attacker with general user privilege can exploit this vulnerability to upload a PHP file containing a webshell to perform arbitrary system operation or disrupt service.
CVE-2023-3058 1 07fly 1 Customer Relationship Management 2025-01-08 3.5 Low
A vulnerability was found in 07FLY CRM up to 1.2.0. It has been declared as problematic. This vulnerability affects unknown code of the component User Profile Handler. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-230560.
CVE-2023-27989 1 Zyxel 8 Lte7480-m804, Lte7480-m804 Firmware, Lte7490-m904 and 5 more 2025-01-08 6.5 Medium
A buffer overflow vulnerability in the CGI program of the Zyxel NR7101 firmware versions prior to V1.00(ABUV.8)C0 could allow a remote authenticated attacker to cause denial of service (DoS) conditions by sending a crafted HTTP request to a vulnerable device.
CVE-2023-45878 1 Gibbonedu 1 Gibbon 2025-01-08 9.8 Critical
GibbonEdu Gibbon version 25.0.1 and before allows Arbitrary File Write because rubrics_visualise_saveAjax.phps does not require authentication. The endpoint accepts the img, path, and gibbonPersonID parameters. The img parameter is expected to be a base64 encoded image. If the path parameter is set, the defined path is used as the destination folder, concatenated with the absolute path of the installation directory. The content of the img parameter is base64 decoded and written to the defined file path. This allows creation of PHP files that permit Remote Code Execution (unauthenticated).
CVE-2023-47609 1 Oss-calendar 1 Oss Calendar 2025-01-08 8.8 High
SQL injection vulnerability in OSS Calendar versions prior to v.2.0.3 allows a remote authenticated attacker to execute arbitrary code or obtain and/or alter the information stored in the database by sending a specially crafted request.
CVE-2023-34409 1 Percona 1 Monitoring And Management 2025-01-08 9.8 Critical
In Percona Monitoring and Management (PMM) server 2.x before 2.37.1, the authenticate function in auth_server.go does not properly formalize and sanitize URL paths to reject path traversal attempts. This allows an unauthenticated remote user, when a crafted POST request is made against unauthenticated API routes, to access otherwise protected API routes leading to escalation of privileges and information disclosure.
CVE-2023-33653 1 Sitecore 1 Experience Platform 2025-01-08 8.8 High
Sitecore Experience Platform (XP) v9.3 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the component /Applications/Content%20Manager/Execute.aspx?cmd=convert&mode=HTML.
CVE-2023-33477 1 Harmonicinc 2 Nsg 9000-6g, Nsg 9000-6g Firmware 2025-01-08 6.5 Medium
In Harmonic NSG 9000-6G devices, an authenticated remote user can obtain source code by directly requesting a special path.
CVE-2024-28088 1 Langchain 1 Langchain 2025-01-08 8.1 High
LangChain through 0.1.10 allows ../ directory traversal by an actor who is able to control the final part of the path parameter in a load_chain call. This bypasses the intended behavior of loading configurations only from the hwchase17/langchain-hub GitHub repository. The outcome can be disclosure of an API key for a large language model online service, or remote code execution. (A patch is available as of release 0.1.29 of langchain-core.)
CVE-2023-34102 1 Avohq 1 Avo 2025-01-08 8.3 High
Avo is an open source ruby on rails admin panel creation framework. The polymorphic field type stores the classes to operate on when updating a record with user input, and does not validate them in the back end. This can lead to unexpected behavior, remote code execution, or application crashes when viewing a manipulated record. This issue has been addressed in commit `ec117882d` which is expected to be included in subsequent releases. Users are advised to limit access to untrusted users until a new release is made.
CVE-2023-33652 1 Sitecore 1 Experience Platform 2025-01-08 8.8 High
Sitecore Experience Platform (XP) v9.3 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the component /sitecore/shell/Invoke.aspx.
CVE-2024-25693 3 Esri, Linux, Microsoft 3 Portal For Arcgis, Linux Kernel, Windows 2025-01-08 9.9 Critical
There is a path traversal in Esri Portal for ArcGIS versions <= 11.2. Successful exploitation may allow a remote, authenticated attacker to traverse the file system to access files or execute code outside of the intended directory. 
CVE-2023-32628 1 Advantech 1 Webaccess\/scada 2025-01-08 7.2 High
In Advantech WebAccss/SCADA v9.1.3 and prior, there is an arbitrary file upload vulnerability that could allow an attacker to modify the file extension of a certificate file to ASP when uploading it, which can lead to remote code execution.