Search Results (363801 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-41676 1 Openmage 1 Magento 2024-11-21 4.1 Medium
Magento-lts is a long-term support alternative to Magento Community Edition (CE). This XSS vulnerability affects the design/header/welcome, design/header/logo_src, design/header/logo_src_small, and design/header/logo_alt system configs.They are intended to enable admins to set a text in the two cases, and to define an image url for the other two cases. But because of previously missing escaping allowed to input arbitrary html and as a consequence also arbitrary JavaScript. The problem is patched with Version 20.10.1 or higher.
CVE-2024-41672 1 Duckdb 1 Duckdb 2024-11-21 7.5 High
DuckDB is a SQL database management system. In versions 1.0.0 and prior, content in filesystem is accessible for reading using `sniff_csv`, even with `enable_external_access=false`. This vulnerability provides an attacker with access to filesystem even when access is expected to be disabled and other similar functions do NOT provide access. There seem to be two vectors to this vulnerability. First, access to files that should otherwise not be allowed. Second, the content from a file can be read (e.g. `/etc/hosts`, `proc/self/environ`, etc) even though that doesn't seem to be the intent of the sniff_csv function. A fix for this issue is available in commit c9b7c98aa0e1cd7363fe8bb8543a95f38e980d8a and is expected to be part of version 1.1.0.
CVE-2024-41662 1 Vnote Project 1 Vnote 2024-11-21 8.6 High
VNote is a note-taking platform. A Cross-Site Scripting (XSS) vulnerability has been identified in the Markdown rendering functionality of versions 3.18.1 and prior of the VNote note-taking application. This vulnerability allows the injection and execution of arbitrary JavaScript code through which remote code execution can be achieved. A patch for this issue is available at commit f1af78573a0ef51d6ef6a0bc4080cddc8f30a545. Other mitigation strategies include implementing rigorous input sanitization for all Markdown content and utilizing a secure Markdown parser that appropriately escapes or strips potentially dangerous content.
CVE-2024-41629 2 Texas Instruments, Ti 2 Fusion Digital Power Designer, Fusion Digital Power Designer 2024-11-21 6.6 Medium
An issue in Texas Instruments Fusion Digital Power Designer v.7.10.1 allows a local attacker to obtain sensitive information via the plaintext storage of credentials
CVE-2024-41551 1 Campcodes 1 Supplier Management System 2024-11-21 7.3 High
CampCodes Supplier Management System v1.0 is vulnerable to SQL injection via Supply_Management_System/admin/view_order_items.php?id= .
CVE-2024-41473 2 Tenda, Tendacn 3 Fh1201 Firmware, Fh1201, Fh1201 Firmware 2024-11-21 8 High
Tenda FH1201 v1.2.0.14 was discovered to contain a command injection vulnerability via the mac parameter at ip/goform/WriteFacMac
CVE-2024-41468 2 Tenda, Tendacn 3 Fh1201, Fh1201, Fh1201 Firmware 2024-11-21 9.8 Critical
Tenda FH1201 v1.2.0.14 was discovered to contain a command injection vulnerability via the cmdinput parameter at /goform/exeCommand
CVE-2024-41466 2 Tenda, Tendacn 3 Fh1201 Firmware, Fh1201, Fh1201 Firmware 2024-11-21 7.5 High
Tenda FH1201 v1.2.0.14 was discovered to contain a stack-based buffer overflow vulnerability via the page parameter at ip/goform/NatStaticSetting.
CVE-2024-41465 2 Tenda, Tendacn 3 Fh1201 Firmware, Fh1201, Fh1201 Firmware 2024-11-21 7.5 High
Tenda FH1201 v1.2.0.14 was discovered to contain a stack-based buffer overflow vulnerability via the funcpara1 parameter at ip/goform/setcfm.
CVE-2024-41464 2 Tenda, Tendacn 3 Fh1201, Fh1201, Fh1201 Firmware 2024-11-21 9.8 Critical
Tenda FH1201 v1.2.0.14 was discovered to contain a stack-based buffer overflow vulnerability via the mitInterface parameter in ip/goform/RouteStatic
CVE-2024-41463 2 Tenda, Tendacn 3 Fh1201 Firmware, Fh1201, Fh1201 Firmware 2024-11-21 4.3 Medium
Tenda FH1201 v1.2.0.14 was discovered to contain a stack-based buffer overflow vulnerability via the entrys parameter at ip/goform/addressNat.
CVE-2024-41462 2 Tenda, Tendacn 3 Fh1201 Firmware, Fh1201, Fh1201 Firmware 2024-11-21 4.3 Medium
Tenda FH1201 v1.2.0.14 was discovered to contain a stack-based buffer overflow vulnerability via the page parameter at ip/goform/DhcpListClient.
CVE-2024-41461 2 Tenda, Tendacn 3 Fh1201, Fh1201, Fh1201 Firmware 2024-11-21 9.8 Critical
Tenda FH1201 v1.2.0.14 was discovered to contain a stack-based buffer overflow vulnerability via the list1 parameter at ip/goform/DhcpListClient.
CVE-2024-41460 2 Tenda, Tendacn 3 Fh1201 Firmware, Fh1201, Fh1201 Firmware 2024-11-21 6.5 Medium
Tenda FH1201 v1.2.0.14 was discovered to contain a stack-based buffer overflow vulnerability via the entrys parameter at ip/goform/RouteStatic.
CVE-2024-41459 2 Tenda, Tendacn 3 Fh1201 Firmware, Fh1201, Fh1201 Firmware 2024-11-21 8.8 High
Tenda FH1201 v1.2.0.14 was discovered to contain a stack-based buffer overflow vulnerability via the PPPOEPassword parameter at ip/goform/QuickIndex.
CVE-2024-41439 1 Dbohdan 1 Hicolor 2024-11-21 5.5 Medium
A heap buffer overflow in the function cp_block() (/vendor/cute_png.h) of hicolor v0.5.0 allows attackers to cause a Denial of Service (DoS) via a crafted PNG file.
CVE-2024-41319 1 Totolink 2 A6000r, A6000r Firmware 2024-11-21 8.8 High
TOTOLINK A6000R V1.0.1-B20201211.2000 was discovered to contain a command injection vulnerability via the cmd parameter in the webcmd function.
CVE-2024-41305 1 Wondercms 1 Wondercms 2024-11-21 7.1 High
A Server-Side Request Forgery (SSRF) in the Plugins Page of WonderCMS v3.4.3 allows attackers to force the application to make arbitrary requests via injection of crafted URLs into the pluginThemeUrl parameter.
CVE-2024-41172 2 Apache, Redhat 3 Cxf, Camel Quarkus, Jboss Enterprise Application Platform 2024-11-21 7.5 High
In versions of Apache CXF before 3.6.4 and 4.0.5 (3.5.x and lower versions are not impacted), a CXF HTTP client conduit may prevent HTTPClient instances from being garbage collected and it is possible that memory consumption will continue to increase, eventually causing the application to run out of memory
CVE-2024-41136 1 Arubanetworks 1 Edgeconnect Sd-wan Orchestrator 2024-11-21 6.8 Medium
An authenticated command injection vulnerability exists in the HPE Aruba Networking EdgeConnect SD-WAN gateways Command Line Interface. Successful exploitation of this vulnerability results in the ability to execute arbitrary commands as a privileged user on the underlying operating system.