Search Results (363502 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-24690 1 Zoom 5 Meeting Software Development Kit, Rooms, Vdi Windows Meeting Clients and 2 more 2024-11-21 5.4 Medium
Improper input validation in some Zoom clients may allow an authenticated user to conduct a denial of service via network access.
CVE-2024-24623 1 Softaculous 1 Webuzo 2024-11-21 8.8 High
Softaculous Webuzo contains a command injection vulnerability in the FTP management functionality. A remote, authenticated attacker can exploit this vulnerability to gain code execution on the system.
CVE-2024-24622 1 Softaculous 1 Webuzo 2024-11-21 8.8 High
Softaculous Webuzo contains a command injection in the password reset functionality. A remote, authenticated attacker can exploit this vulnerability to gain code execution on the system.
CVE-2024-24621 1 Softaculous 1 Webuzo 2024-11-21 9.8 Critical
Softaculous Webuzo contains an authentication bypass vulnerability through the password reset functionality. Remote, anonymous attackers can exploit this vulnerability to gain full server access as the root user.
CVE-2024-24594 1 Clear 1 Clearml 2024-11-21 9.9 Critical
A cross-site scripting (XSS) vulnerability in all versions of the web server component of Allegro AI’s ClearML platform allows a remote attacker to execute a JavaScript payload when a user views the Debug Samples tab in the web UI.
CVE-2024-24592 1 Clear 1 Clearml 2024-11-21 9.8 Critical
Lack of authentication in all versions of the fileserver component of Allegro AI’s ClearML platform allows a remote attacker to arbitrarily access, create, modify and delete files.
CVE-2024-24579 1 Anchore 1 Stereoscope 2024-11-21 5.3 Medium
stereoscope is a go library for processing container images and simulating a squash filesystem. Prior to version 0.0.1, it is possible to craft an OCI tar archive that, when stereoscope attempts to unarchive the contents, will result in writing to paths outside of the unarchive temporary directory. Specifically, use of `github.com/anchore/stereoscope/pkg/file.UntarToDirectory()` function, the `github.com/anchore/stereoscope/pkg/image/oci.TarballImageProvider` struct, or the higher level `github.com/anchore/stereoscope/pkg/image.Image.Read()` function express this vulnerability. As a workaround, if you are using the OCI archive as input into stereoscope then you can switch to using an OCI layout by unarchiving the tar archive and provide the unarchived directory to stereoscope.
CVE-2024-24572 1 Facilemanager 1 Facilemanager 2024-11-21 6.5 Medium
facileManager is a modular suite of web apps built with the sysadmin in mind. In versions 4.5.0 and earlier, the $_REQUEST global array was unsafely called inside an extract() function in admin-logs.php. The PHP file fm-init.php prevents arbitrary manipulation of $_SESSION via the GET/POST parameters. However, it does not prevent manipulation of any other sensitive variables such as $search_sql. Knowing this, an authenticated user with privileges to view site logs can manipulate the search_sql variable by appending a GET parameter search_sql in the URL. The information above means that the checks and SQL injection prevention attempts were rendered unusable.
CVE-2024-24565 1 Cratedb 1 Cratedb 2024-11-21 5.7 Medium
CrateDB is a distributed SQL database that makes it simple to store and analyze massive amounts of data in real-time. There is a COPY FROM function in the CrateDB database that is used to import file data into database tables. This function has a flaw, and authenticated attackers can use the COPY FROM function to import arbitrary file content into database tables, resulting in information leakage. This vulnerability is patched in 5.3.9, 5.4.8, 5.5.4, and 5.6.1.
CVE-2024-24560 1 Vyperlang 1 Vyper 2024-11-21 3.7 Low
Vyper is a Pythonic Smart Contract Language for the Ethereum Virtual Machine. When calls to external contracts are made, we write the input buffer starting at byte 28, and allocate the return buffer to start at byte 0 (overlapping with the input buffer). When checking RETURNDATASIZE for dynamic types, the size is compared only to the minimum allowed size for that type, and not to the returned value's length. As a result, malformed return data can cause the contract to mistake data from the input buffer for returndata. When the called contract returns invalid ABIv2 encoded data, the calling contract can read different invalid data (from the dirty buffer) than the called contract returned.
CVE-2024-24559 1 Vyperlang 1 Vyper 2024-11-21 3.7 Low
Vyper is a Pythonic Smart Contract Language for the EVM. There is an error in the stack management when compiling the `IR` for `sha3_64`. Concretely, the `height` variable is miscalculated. The vulnerability can't be triggered without writing the `IR` by hand (that is, it cannot be triggered from regular vyper code). `sha3_64` is used for retrieval in mappings. No flow that would cache the `key` was found so the issue shouldn't be possible to trigger when compiling the compiler-generated `IR`. This issue isn't triggered during normal compilation of vyper code so the impact is low. At the time of publication there is no patch available.
CVE-2024-24558 1 Tanstack 1 React-query-next-experimental 2024-11-21 8.2 High
TanStack Query supplies asynchronous state management, server-state utilities and data fetching for the web. The `@tanstack/react-query-next-experimental` NPM package is vulnerable to a cross-site scripting vulnerability. To exploit this, an attacker would need to either inject malicious input or arrange to have malicious input be returned from an endpoint. To fix this issue, please update to version 5.18.0 or later.
CVE-2024-24548 1 Estore-wss 1 Payment Ex 2024-11-21 6.5 Medium
Payment EX Ver1.1.5b and earlier allows a remote unauthenticated attacker to obtain the information of the user who purchases merchandise using Payment EX.
CVE-2024-24524 1 Flusity 1 Flusity 2024-11-21 8.8 High
Cross Site Request Forgery (CSRF) vulnerability in flusity-CMS v.2.33, allows remote attackers to execute arbitrary code via the add_menu.php component.
CVE-2024-24496 1 Remyandrade 1 Daily Habit Tracker 2024-11-21 9.8 Critical
An issue in Daily Habit Tracker v.1.0 allows a remote attacker to manipulate trackers via the home.php, add-tracker.php, delete-tracker.php, update-tracker.php components.
CVE-2024-24482 2 Apktool, Microsoft 2 Apktool, Windows 2024-11-21 9.8 Critical
Aprktool before 2.9.3 on Windows allows ../ and /.. directory traversal.
CVE-2024-24469 2 Flushcms, Flusity 2 Flushcms, Flusity 2024-11-21 8.8 High
Cross Site Request Forgery vulnerability in flusity-CMS v.2.33 allows a remote attacker to execute arbitrary code via the delete_post .php.
CVE-2024-24396 1 Stimulsoft 2 Dashboard.js, Dashboards.js 2024-11-21 6.1 Medium
Cross Site Scripting vulnerability in Stimulsoft GmbH Stimulsoft Dashboard.JS before v.2024.1.2 allows a remote attacker to execute arbitrary code via a crafted payload to the search bar component.
CVE-2024-24328 1 Totolink 2 A3300r, A3300r Firmware 2024-11-21 9.8 Critical
TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the enable parameter in the setMacFilterRules function.
CVE-2024-24326 1 Totolink 2 A3300r, A3300r Firmware 2024-11-21 9.8 Critical
TOTOLINK A3300R V17.0.0cu.557_B20221024 was discovered to contain a command injection vulnerability via the arpEnable parameter in the setStaticDhcpRules function.