Total 277684 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2024-10005 1 Hashicorp 1 Consul 2025-01-10 8.1 High
A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that using URL paths in L7 traffic intentions could bypass HTTP request path-based access rules.
CVE-2024-13204 2025-01-10 5.5 Medium
A vulnerability was found in kurniaramadhan E-Commerce-PHP 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /blog-details.php. The manipulation of the argument blog_id leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2023-5123 2025-01-10 8 High
The JSON datasource plugin (https://grafana.com/grafana/plugins/marcusolsson-json-datasource/) is a Grafana Labs maintained plugin for Grafana that allows for retrieving and processing JSON data from a remote endpoint (including a specific sub-path) configured by an administrator. Due to inadequate sanitization of the dashboard-supplied path parameter, it was possible to include path traversal characters (../) in the path parameter and send requests to paths on the configured endpoint outside the configured sub-path. This means that if the datasource was configured by an administrator to point at some sub-path of a domain (e.g. https://example.com/api/some_safe_api/), it was possible for an editor to create a dashboard referencing the datasource which issues queries containing path traversal characters, which would in turn cause the datasource to instead query arbitrary subpaths on the configured domain (e.g. https://example.com/api/admin_api/). In the rare case that this plugin is configured by an administrator to point back at the Grafana instance itself, this vulnerability becomes considerably more severe, as an administrator browsing a maliciously configured panel could be compelled to make requests to Grafana administrative API endpoints with their credentials, resulting in the potential for privilege escalation, hence the high score for this vulnerability.
CVE-2023-23754 1 Joomla 1 Joomla! 2025-01-10 6.1 Medium
An issue was discovered in Joomla! 4.2.0 through 4.3.1. Lack of input validation caused an open redirect and XSS issue within the new MFA selection screen.
CVE-2024-27185 1 Joomial Project 1 Joomial Cms 2025-01-10 N/A
The pagination class includes arbitrary parameters in links, leading to cache poisoning attack vectors.
CVE-2023-23755 1 Joomla 1 Joomla! 2025-01-10 7.5 High
An issue was discovered in Joomla! 4.2.0 through 4.3.1. The lack of rate limiting allowed brute force attacks against MFA methods.
CVE-2024-6606 1 Mozilla 1 Firefox 2025-01-09 N/A
Clipboard code failed to check the index on an array access. This could have led to an out-of-bounds read. This vulnerability affects Firefox < 128 and Thunderbird < 128.
CVE-2024-54664 2025-01-09 N/A
DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2024-52945. Reason: This candidate is a reservation duplicate of CVE-2024-52945. Notes: All CVE users should reference CVE-2024-52945 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.
CVE-2024-51163 1 Vegam Solutions 1 Vegam 4i 2025-01-09 N/A
A Local File Inclusion vulnerability in Vegam Solutions Vegam 4i versions 6.3.47.0 and earlier allows a remote attacker to obtain sensitive information through the print label function. Specifically, the filePathList parameter is susceptible to LFI, enabling a malicious user to include files from the web server, such as web.config or /etc/host, leading to the disclosure of sensitive information.
CVE-2024-51162 1 Audimex 1 Audimexee 2025-01-09 N/A
An issue in Audimex EE versions 15.1.20 and earlier allows a remote attacker to escalate privileges. Analyzing the offline client code, it was identified that it is possible for any user (with any privilege) of Audimex to dump the whole Audimex database. This gives visibility into password hashes of any user, ongoing audit data and more.
CVE-2024-37372 2025-01-09 3.6 Low
The Permission Model assumes that any path starting with two backslashes \\ has a four-character prefix that can be ignored, which is not always true. This subtle bug leads to vulnerable edge cases.
CVE-2024-27980 2025-01-09 N/A
Due to the improper handling of batch files in child_process.spawn / child_process.spawnSync, a malicious command line argument can inject arbitrary commands and achieve code execution even if the shell option is not enabled.
CVE-2023-38037 1 Redhat 3 Logging, Satellite, Satellite Capsule 2025-01-09 3.3 Low
ActiveSupport::EncryptedFile writes contents that will be encrypted to a temporary file. The temporary file's permissions are defaulted to the user's current `umask` settings, meaning that it's possible for other users on the same system to read the contents of the temporary file. Attackers that have access to the file system could possibly read the contents of this temporary file while a user is editing it. All users running an affected release should either upgrade or use one of the workarounds immediately.
CVE-2023-29747 1 Story Saver For Instagram - Video Downloader Project 1 Story Saver For Instagram - Video Downloader 2025-01-09 9.8 Critical
Story Saver for Instagram - Video Downloader 1.0.6 for Android has an exposed component that provides a method to modify the SharedPreference file. An attacker can use the method to modify the data in any SharedPreference file; this data is loaded into memory when the application is opened. Depending on how the data is used, this can result in various attack consequences, such as ad display exceptions.
CVE-2023-29732 1 Loka 1 Solive 2025-01-09 9.8 Critical
SoLive 1.6.14 through 1.6.20 for Android has an exposed component that provides a method to modify the SharedPreference file. An attacker can use the method to modify the data in any SharedPreference file; this data is loaded into memory when the application is opened. Depending on how the data is used, this can result in various attack consequences, such as ad display exceptions.
CVE-2023-28362 1 Redhat 1 Satellite 2025-01-09 4 Medium
The redirect_to method in Rails allows provided values to contain characters which are not legal in an HTTP header value. This results in the potential for downstream services which enforce RFC compliance on HTTP response headers to remove the assigned Location header.
CVE-2023-28120 1 Redhat 1 Logging 2025-01-09 5.3 Medium
There is a vulnerability in ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input.
CVE-2023-27539 1 Redhat 5 Enterprise Linux, Logging, Rhel Eus and 2 more 2025-01-09 5.3 Medium
There is a denial of service vulnerability in the header parsing component of Rack.
CVE-2023-27531 2025-01-09 5.3 Medium
There is a deserialization of untrusted data vulnerability in the Kredis JSON deserialization code.
CVE-2024-56778 1 Linux 1 Linux Kernel 2025-01-09 5.5 Medium
In the Linux kernel, the following vulnerability has been resolved: drm/sti: avoid potential dereference of error pointers in sti_hqvdp_atomic_check. The return value of drm_atomic_get_crtc_state() needs to be checked to avoid use of the error pointer 'crtc_state' in case of failure.