Total
277445 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-33199 | 1 Linuxfoundation | 1 Rekor | 2025-01-14 | 5.3 Medium |
| Rekor's goals are to provide an immutable tamper resistant ledger of metadata generated within a software projects supply chain. A malformed proposed entry of the `intoto/v0.0.2` type can cause a panic on a thread within the Rekor process. The thread is recovered so the client receives a 500 error message and service still continues, so the availability impact of this is minimal. This has been fixed in v1.2.0 of Rekor. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2023-32321 | 1 Okfn | 1 Ckan | 2025-01-14 | 9.8 Critical |
| CKAN is an open-source data management system for powering data hubs and data portals. Multiple vulnerabilities have been discovered in Ckan which may lead to remote code execution. An arbitrary file write in `resource_create` and `package_update` actions, using the `ResourceUploader` object. Also reachable via `package_create`, `package_revise`, and `package_patch` via calls to `package_update`. Remote code execution via unsafe pickle loading, via Beaker's session store when configured to use the file session store backend. Potential DOS due to lack of a length check on the resource id. Information disclosure: A user with permission to create a resource can access any other resource on the system if they know the id, even if they don't have access to it. Resource overwrite: A user with permission to create a resource can overwrite any resource if they know the id, even if they don't have access to it. A user with permissions to create or edit a dataset can upload a resource with a specially crafted id to write the uploaded file in an arbitrary location. This can be leveraged to Remote Code Execution via Beaker's insecure pickle loading. All the above listed vulnerabilities have been fixed in CKAN 2.9.9 and CKAN 2.10.1. Users are advised to upgrade. There are no known workarounds for these issues. | ||||
| CVE-2024-13162 | 2025-01-14 | 7.2 High | ||
| SQL injection in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. This CVE addresses incomplete fixes from CVE-2024-32848. | ||||
| CVE-2025-0463 | 2025-01-14 | 6.3 Medium | ||
| A vulnerability was found in Shanghai Lingdang Information Technology Lingdang CRM up to 8.6.0.0. It has been classified as critical. Affected is an unknown function of the file /crm/weixinmp/index.php?userid=123&module=Users&usid=1&action=UsersAjax&minipro_const_type=1&related_module=Singin. The manipulation of the argument name leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2023-2946 | 1 Open-emr | 1 Openemr | 2025-01-14 | 8.1 High |
| Improper Access Control in GitHub repository openemr/openemr prior to 7.0.1. | ||||
| CVE-2023-2947 | 1 Open-emr | 1 Openemr | 2025-01-14 | 4.8 Medium |
| Cross-site Scripting (XSS) - Stored in GitHub repository openemr/openemr prior to 7.0.1. | ||||
| CVE-2023-32688 | 1 Parseplatform | 1 Parse Server Push Adapter | 2025-01-14 | 4.9 Medium |
| parse-server-push-adapter is the official Push Notification adapter for Parse Server. The Parse Server Push Adapter can crash Parse Server due to an invalid push notification payload. This issue has been patched in version 4.1.3. | ||||
| CVE-2023-32325 | 1 Posthog | 1 Posthog-js | 2025-01-14 | 5.4 Medium |
| PostHog-js is a library to interface with the PostHog analytics tool. Versions prior to 1.57.2 have the potential for cross-site scripting. Problem has been patched in 1.57.2. Users are advised to upgrade. Users unable to upgrade should ensure that their Content Security Policy is in place. | ||||
| CVE-2020-9236 | 1 Huawei | 1 Fusioncompute | 2025-01-14 | 8.8 High |
| There is an improper interface design vulnerability in Huawei product. A module interface of the impated product does not deal with some operations properly. Attackers can exploit this vulnerability to perform malicious operatation to compromise module service. (Vulnerability ID: HWPSIRT-2020-05010) This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2020-9236. | ||||
| CVE-2024-54100 | 1 Huawei | 2 Emui, Harmonyos | 2025-01-14 | 6.2 Medium |
| Vulnerability of improper access control in the secure input module Impact: Successful exploitation of this vulnerability may cause features to perform abnormally. | ||||
| CVE-2022-48681 | 1 Huawei | 2 Egrt-00, Egrt-00 Firmware | 2025-01-14 | 7.2 High |
| Some Huawei smart speakers have a memory overflow vulnerability. Successful exploitation of this vulnerability may cause certain functions to fail. | ||||
| CVE-2023-2942 | 1 Open-emr | 1 Openemr | 2025-01-14 | 8.1 High |
| Improper Input Validation in GitHub repository openemr/openemr prior to 7.0.1. | ||||
| CVE-2023-2943 | 1 Open-emr | 1 Openemr | 2025-01-14 | 8.8 High |
| Code Injection in GitHub repository openemr/openemr prior to 7.0.1. | ||||
| CVE-2023-2944 | 1 Open-emr | 1 Openemr | 2025-01-14 | 5.4 Medium |
| Improper Access Control in GitHub repository openemr/openemr prior to 7.0.1. | ||||
| CVE-2023-2945 | 1 Open-emr | 1 Openemr | 2025-01-14 | 5.4 Medium |
| Missing Authorization in GitHub repository openemr/openemr prior to 7.0.1. | ||||
| CVE-2023-33188 | 1 Omninotes | 1 Omni Notes | 2025-01-14 | 6.3 Medium |
| Omni-notes is an open source note-taking application for Android. The Omni-notes Android app had an insufficient path validation vulnerability when displaying the details of a note received through an externally-provided intent. The paths of the note's attachments were not properly validated, allowing malicious or compromised applications in the same device to force Omni-notes to copy files from its internal storage to its external storage directory, where they would have become accessible to any component with permission to read the external storage. Updating to the newest version (6.2.7) of Omni-notes Android fixes this vulnerability. | ||||
| CVE-2023-33195 | 1 Craftcms | 1 Craft Cms | 2025-01-14 | 5 Medium |
| Craft is a CMS for creating custom digital experiences on the web. A malformed RSS feed can deliver an XSS payload. This issue was patched in version 4.4.6. | ||||
| CVE-2023-33192 | 1 Tweedegolf | 1 Ntpd-rs | 2025-01-14 | 7.5 High |
| ntpd-rs is an NTP implementation written in Rust. ntpd-rs does not validate the length of NTS cookies in received NTP packets to the server. An attacker can crash the server by sending a specially crafted NTP packet containing a cookie shorter than what the server expects. The server also crashes when it is not configured to handle NTS packets. The issue was caused by improper slice indexing. The indexing operations were replaced by safer alternatives that do not crash the ntpd-rs server process but instead properly handle the error condition. A patch was released in version 0.3.3. | ||||
| CVE-2023-32686 | 1 Kiwitcms | 1 Kiwi Tcms | 2025-01-14 | 8.1 High |
| Kiwi TCMS is an open source test management system for both manual and automated testing. Kiwi TCMS allows users to upload attachments to test plans, test cases, etc. Earlier versions of Kiwi TCMS had introduced upload validators in order to prevent potentially dangerous files from being uploaded. The upload validation checks were not robust enough which left the possibility of an attacker to circumvent them and upload a potentially dangerous file. Exploiting this flaw, a combination of files could be uploaded so that they work together to circumvent the existing Content-Security-Policy and allow execution of arbitrary JavaScript in the browser. This issue has been patched in version 12.3. | ||||
| CVE-2023-33184 | 1 Nextcloud | 1 Mail | 2025-01-14 | 3.5 Low |
| Nextcloud Mail is a mail app in Nextcloud. A blind SSRF attack allowed to send GET requests to services running in the same web server. It is recommended that the Mail app is update to version 3.02, 2.2.5 or 1.15.3. | ||||