Search Results (366291 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-28117 1 Getgrav 1 Grav 2025-01-02 8.8 High
Grav is an open-source, flat-file content management system. Prior to version 1.7.45, Grav validates accessible functions through the Utils::isDangerousFunction function, but does not impose restrictions on twig functions like twig_array_map, allowing attackers to bypass the validation and execute arbitrary commands. Twig processing of static pages can be enabled in the front matter by any administrative user allowed to create or edit pages. As the Twig processor runs unsandboxed, this behavior can be used to gain arbitrary code execution and elevate privileges on the instance. Upgrading to patched version 1.7.45 can mitigate this issue.
CVE-2024-28116 1 Getgrav 1 Grav 2025-01-02 8.8 High
Grav is an open-source, flat-file content management system. Grav CMS prior to version 1.7.45 is vulnerable to a Server-Side Template Injection (SSTI), which allows any authenticated user (editor permissions are sufficient) to execute arbitrary code on the remote server bypassing the existing security sandbox. Version 1.7.45 contains a patch for this issue.
CVE-2024-32645 1 Vyperlang 1 Vyper 2025-01-02 5.3 Medium
Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, incorrect values can be logged when `raw_log` builtin is called with memory or storage arguments to be used as topics. A contract search was performed and no vulnerable contracts were found in production. The `build_IR` function of the `RawLog` class fails to properly unwrap the variables provided as topics. Consequently, incorrect values are logged as topics. As of time of publication, no fixed version is available.
CVE-2024-32646 1 Vyperlang 1 Vyper 2025-01-02 5.3 Medium
Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, using the `slice` builtin can result in a double eval vulnerability when the buffer argument is either `msg.data`, `self.code` or `<address>.code` and either the `start` or `length` arguments have side-effects. It can be easily triggered only with the versions `<0.3.4` as `0.3.4` introduced the unique symbol fence. No vulnerable production contracts were found. Additionally, double evaluation of side-effects should be easily discoverable in client tests. As such, the impact is low. As of time of publication, no fixed versions are available.
CVE-2024-32647 1 Vyperlang 1 Vyper 2025-01-02 5.3 Medium
Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, using the `create_from_blueprint` builtin can result in a double eval vulnerability when `raw_args=True` and the `args` argument has side-effects. It can be seen that the `_build_create_IR` function of the `create_from_blueprint` builtin doesn't cache the mentioned `args` argument to the stack. As such, it can be evaluated multiple times (instead of retrieving the value from the stack). No vulnerable production contracts were found. Additionally, double evaluation of side-effects should be easily discoverable in client tests. As such, the impact is low. As of time of publication, no fixed versions exist.
CVE-2024-32648 1 Vyperlang 1 Vyper 2025-01-02 5.3 Medium
Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. Prior to version 0.3.0, default functions don't respect nonreentrancy keys and the lock isn't emitted. No vulnerable production contracts were found. Additionally, using a lock on a `default` function is a very sparsely used pattern. As such, the impact is low. Version 0.3.0 contains a patch for the issue.
CVE-2024-32649 1 Vyperlang 1 Vyper 2025-01-02 5.3 Medium
Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, using the `sqrt` builtin can result in double eval vulnerability when the argument has side-effects. It can be seen that the `build_IR` function of the `sqrt` builtin doesn't cache the argument to the stack. As such, it can be evaluated multiple times (instead of retrieving the value from the stack). No vulnerable production contracts were found. Additionally, double evaluation of side-effects should be easily discoverable in client tests. As such, the impact is low. As of time of publication, no fixed versions are available.
CVE-2022-41083 1 Microsoft 1 Jupyter 2025-01-02 7.8 High
Visual Studio Code Elevation of Privilege Vulnerability
CVE-2022-41081 1 Microsoft 21 Windows 10, Windows 10 1507, Windows 10 1607 and 18 more 2025-01-02 8.1 High
Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability
CVE-2022-41064 1 Microsoft 13 .net, .net Framework, Nuget and 10 more 2025-01-02 5.8 Medium
.NET Framework Information Disclosure Vulnerability
CVE-2022-41043 1 Microsoft 2 Office, Office Long Term Servicing Channel 2025-01-02 3.3 Low
Microsoft Office Information Disclosure Vulnerability
CVE-2022-41042 1 Microsoft 1 Visual Studio Code 2025-01-02 7.4 High
Visual Studio Code Information Disclosure Vulnerability
CVE-2022-41038 1 Microsoft 2 Sharepoint Foundation, Sharepoint Server 2025-01-02 8.8 High
Microsoft SharePoint Server Remote Code Execution Vulnerability
CVE-2022-41037 1 Microsoft 2 Sharepoint Foundation, Sharepoint Server 2025-01-02 8.8 High
Microsoft SharePoint Server Remote Code Execution Vulnerability
CVE-2022-41036 1 Microsoft 2 Sharepoint Foundation, Sharepoint Server 2025-01-02 8.8 High
Microsoft SharePoint Server Remote Code Execution Vulnerability
CVE-2022-41035 1 Microsoft 1 Edge Chromium 2025-01-02 5.3 Medium
Microsoft Edge (Chromium-based) Spoofing Vulnerability
CVE-2022-41034 1 Microsoft 1 Visual Studio Code 2025-01-02 7.8 High
Visual Studio Code Remote Code Execution Vulnerability
CVE-2022-41031 1 Microsoft 3 365 Apps, Office, Office Long Term Servicing Channel 2025-01-02 7.8 High
Microsoft Word Remote Code Execution Vulnerability
CVE-2022-38053 1 Microsoft 3 Sharepoint Enterprise Server, Sharepoint Foundation, Sharepoint Server 2025-01-02 8.8 High
Microsoft SharePoint Server Remote Code Execution Vulnerability
CVE-2022-38051 1 Microsoft 21 Windows 10, Windows 10 1507, Windows 10 1607 and 18 more 2025-01-02 7.8 High
Windows Graphics Component Elevation of Privilege Vulnerability