Total: 277570 CVEs

CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2024-7578 | 1 Alientechnology | 2 Alr-f800, Alr-f800 Firmware | 2024-08-28 | 7.3 High | A vulnerability was found in Alien Technology ALR-F800 up to 19.10.24.00. It has been classified as critical. Affected is an unknown function of the file /var/www/cmd.php. The manipulation of the argument cmd leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-7579 | 1 Alientechnology | 2 Alr-f800, Alr-f800 Firmware | 2024-08-28 | 6.3 Medium | A vulnerability was found in Alien Technology ALR-F800 up to 19.10.24.00. It has been declared as critical. Affected by this vulnerability is the function popen of the file /var/www/cgi-bin/upgrade.cgi of the component File Name Handler. The manipulation of the argument uploadedFile leads to OS command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-7061 | 1 Okta | 1 Verify | 2024-08-28 | 5.5 Medium | Okta Verify for Windows is vulnerable to privilege escalation through DLL hijacking. The vulnerability is fixed in Okta Verify for Windows version 5.0.2. To remediate this vulnerability, upgrade to 5.0.2 or greater.
CVE-2024-43915 | 1 Zephyr-one | 1 Zephyr Project Manager | 2024-08-28 | 5.5 Medium | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Dylan James Zephyr Project Manager allows Reflected XSS. This issue affects Zephyr Project Manager: from n/a through .3.102.
CVE-2024-41310 | 1 Yanzhenjie | 1 Andserver | 2024-08-28 | 7.5 High | AndServer 2.1.12 is vulnerable to Directory Traversal.
CVE-2024-42845 | 1 Invesalius | 1 Invesalius | 2024-08-28 | 8 High | An eval Injection vulnerability in the component invesalius/reader/dicom.py of InVesalius 3.1.99991 through 3.1.99998 allows attackers to execute arbitrary code via loading a crafted DICOM file.
CVE-2024-34087 | 1 G8bpq | 1 Bpq32 | 2024-08-28 | 9.8 Critical | An SEH-based buffer overflow in the BPQ32 HTTP Server in BPQ32 6.0.24.1 allows remote attackers with access to the Web Terminal to achieve remote code execution via an HTTP POST /TermInput request.
CVE-2024-7940 | 1 Hitachienergy | 1 Microscada X Sys600 | 2024-08-28 | 8.3 High | The product exposes a service that is intended for local use only to all network interfaces without any authentication.
CVE-2024-7986 | | | 2024-08-28 | N/A | A vulnerability exists in the Rockwell Automation ThinManager® ThinServer that allows a threat actor to disclose sensitive information. A threat actor can exploit this vulnerability by abusing the ThinServer™ service to read arbitrary files by creating a junction that points to the target directory.
CVE-2024-45236 | 2 Fort Validator Project, Nicmx | 2 Fort Validator, Fort-validator | 2024-08-28 | 7.5 High | An issue was discovered in Fort before 1.6.3. A malicious RPKI repository that descends from a (trusted) Trust Anchor can serve (via rsync or RRDP) a signed object containing an empty signedAttributes field. Fort accesses the set's elements without sanitizing it first. Because Fort is an RPKI Relying Party, a crash can lead to Route Origin Validation unavailability, which can lead to compromised routing.
CVE-2024-35329 | | | 2024-08-28 | 0.0 Low | DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
CVE-2024-35328 | | | 2024-08-28 | 7.5 High | DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
CVE-2024-35326 | | | 2024-08-28 | 6.5 Medium | DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
CVE-2024-35325 | | | 2024-08-28 | 6.5 Medium | DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
CVE-2024-45234 | 1 Nicmx | 1 Fort-validator | 2024-08-28 | 7.5 High | An issue was discovered in Fort before 1.6.3. A malicious RPKI repository that descends from a (trusted) Trust Anchor can serve (via rsync or RRDP) an ROA or a Manifest containing a signedAttrs encoded in non-canonical form. This bypasses Fort's BER decoder, reaching a point in the code that panics when faced with data not encoded in DER. Because Fort is an RPKI Relying Party, a panic can lead to Route Origin Validation unavailability, which can lead to compromised routing.
CVE-2024-41657 | 1 Casbin | 1 Casdoor | 2024-08-28 | 8.1 High | Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. In Casdoor 1.577.0 and earlier, a logic vulnerability exists in the beego filter CorsFilter that allows any website to make cross-domain requests to Casdoor as the logged-in user. Due to a logic error in checking only for a prefix when authenticating the Origin header, any domain can create a valid subdomain with a valid subdomain prefix (e.g. localhost.example.com), allowing the website to make requests to Casdoor as the current signed-in user.
CVE-2024-41658 | 1 Casbin | 1 Casdoor | 2024-08-28 | 6.1 Medium | Casdoor is a UI-first Identity and Access Management (IAM) / Single-Sign-On (SSO) platform. In Casdoor 1.577.0 and earlier, the purchase URL that is created to generate a WechatPay QR code is vulnerable to reflected XSS. When purchasing an item through Casdoor, the product page allows you to pay via WeChat Pay. When using WeChat Pay, a QR code with the WeChat Pay link is displayed on the payment page, hosted on the domain of Casdoor. This page takes a query parameter from the URL, successUrl, and redirects the user to that URL after a successful purchase. Because the user has no reason to think that the payment page contains sensitive information, they may share it with others or can be social engineered into sending it to others. An attacker can then craft the Casdoor link with a special URL and send it back to the user, and once payment has gone through an XSS attack occurs.
CVE-2024-6879 | 1 Expresstech | 1 Quiz And Survey Master | 2024-08-28 | 4.7 Medium | The Quiz and Survey Master (QSM) WordPress plugin before 9.1.1 fails to validate and escape certain Quiz fields before displaying them on a page or post where the Quiz is embedded, which could allow contributor and above roles to perform Stored Cross-Site Scripting (XSS) attacks.
CVE-2022-39997 | 1 Teldat | 2 Rs123 Firmware, Rs123w Firmware | 2024-08-28 | 8 High | A weak password requirement issue was discovered in Teldat's RS123 and RS123w routers, which allows a remote attacker to escalate privileges.
CVE-2024-8172 | 2 Rems, Sourcecodester | 2 Qr Code Attendance System, Qr Code Attendance System | 2024-08-28 | 3.5 Low | A vulnerability, which was classified as problematic, has been found in SourceCodester QR Code Attendance System 1.0. This issue affects some unknown processing of the file /endpoint/delete-student.php. The manipulation of the argument student/attendance leads to cross-site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.