Total: 277439 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2024-55556 | | | 2025-01-08 | 9.8 Critical | A vulnerability in Crater Invoice allows an unauthenticated attacker with knowledge of the Laravel APP_KEY to achieve remote command execution on the server by manipulating the laravel_session cookie. With the secret APP_KEY, an attacker can decrypt the encrypted session cookie, which contains serialized data, alter that data and re-encrypt it. Submitting the altered cookie triggers arbitrary deserialization on the server, potentially leading to remote command execution (RCE). The vulnerability is exploited by obtaining an exposed cookie and manipulating it with the secret key to gain malicious access to the server.
CVE-2024-55517 | | | 2025-01-08 | 8.8 High | An issue was discovered in the Intellect Core Search in Polaris FT Intellect Core Banking 9.5. Input passed through the groupType parameter in /SCGController is mishandled before being used in SQL queries, allowing SQL injection in an authenticated session.
CVE-2024-55411 | | | 2025-01-08 | 8.8 High | An issue in the snxpcamd.sys component of SUNIX Multi I/O Card v10.1.0.0 allows attackers to perform arbitrary read and write actions by supplying crafted IOCTL requests.
CVE-2024-55008 | | | 2025-01-08 | 7.5 High | JATOS 3.9.4 contains a denial-of-service (DoS) vulnerability in the authentication system, where an attacker can prevent legitimate users from accessing their accounts by repeatedly sending failed login attempts. Specifically, by submitting 3 incorrect login attempts every minute, the attacker can trigger the account-level lockout mechanism, effectively locking the user out indefinitely. Because the lockout is applied to the user account rather than to the source IP address, any attacker can trigger the lockout on any user account, regardless of that account's privileges.
CVE-2024-54818 | | | 2025-01-08 | 8.8 High | SourceCodester Computer Laboratory Management System 1.0 is vulnerable to Incorrect Access Control via /php-lms/admin/?page=user/list.
CVE-2024-51442 | | | 2025-01-08 | 8.8 High | Command Injection in Minidlna v1.3.3 and earlier allows an attacker to execute arbitrary OS commands via a specially crafted minidlna.conf configuration file.
CVE-2024-45345 | | | 2025-01-08 | N/A | Reserved but not needed.
CVE-2024-45344 | | | 2025-01-08 | N/A | Reserved but not needed.
CVE-2024-45343 | | | 2025-01-08 | N/A | Reserved but not needed.
CVE-2024-45342 | | | 2025-01-08 | N/A | Reserved but not needed.
CVE-2023-34408 | 1 Dokuwiki | 1 Dokuwiki | 2025-01-08 | 5.4 Medium | DokuWiki before 2023-04-04a allows XSS via RSS titles.
CVE-2023-33763 | 1 Simpleredak | 1 Simpleredak | 2025-01-08 | 6.1 Medium | eMedia Consulting simpleRedak up to v2.47.23.05 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /scheduler/index.php.
CVE-2023-33762 | 1 Simpleredak | 1 Simpleredak | 2025-01-08 | 9.8 Critical | eMedia Consulting simpleRedak up to v2.47.23.05 was discovered to contain a SQL injection vulnerability via the Activity parameter.
CVE-2023-33761 | 1 Simpleredak | 1 Simpleredak | 2025-01-08 | 6.1 Medium | eMedia Consulting simpleRedak up to v2.47.23.05 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /view/cb/format_642.php.
CVE-2023-33731 | 1 Escanav | 1 Escan Management Console | 2025-01-08 | 6.1 Medium | Reflected Cross-Site Scripting (XSS) in the view dashboard detail feature in MicroWorld Technologies eScan Management Console 14.0.1400.2281 allows a remote attacker to inject arbitrary code directly via the URL.
CVE-2023-33408 | 1 Minical | 1 Minical | 2025-01-08 | 5.4 Medium | Minical 1.0.0 is vulnerable to Cross-Site Scripting (XSS). The vulnerability exists due to insufficient input validation in the application's user input handling in the security_helper.php file.
CVE-2023-33386 | 1 Marsctf Project | 1 Marsctf | 2025-01-08 | 9.8 Critical | MarsCTF 1.2.1 has an arbitrary file upload vulnerability in the interface for uploading attachments in the background (admin) area.
CVE-2020-19028 | 1 Emlog | 1 Emlog | 2025-01-08 | 7.5 High | A file upload vulnerability in Emlog EmlogCMS v6.0.0 allows a remote attacker to gain access to sensitive information via the /admin/plugin.php function.
CVE-2023-28702 | 1 Asus | 2 Rt-ac86u, Rt-ac86u Firmware | 2025-01-08 | 8.8 High | ASUS RT-AC86U does not filter special characters for parameters in specific web URLs. A remote attacker with normal user privileges can exploit this vulnerability to perform a command injection attack to execute arbitrary system commands, disrupt the system, or terminate the service.
CVE-2024-4378 | 1 Leap13 | 1 Premium Addons For Elementor | 2025-01-08 | 6.4 Medium | The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's menu and shape widgets in all versions up to, and including, 4.10.30 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts into pages that will execute whenever a user accesses an injected page.