Search Results (367179 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-36410 1 Salesagility 1 Suitecrm 2024-11-21 9.6 Critical
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, poor input validation allows for SQL Injection in EmailUIAjax messages count controller. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
CVE-2024-36409 1 Salesagility 1 Suitecrm 2024-11-21 9.6 Critical
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, poor input validation allows for SQL Injection in Tree data entry point. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
CVE-2024-36408 1 Salesagility 1 Suitecrm 2024-11-21 9.6 Critical
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, poor input validation allows for SQL Injection in the `Alerts` controller. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
CVE-2024-36407 1 Salesagility 1 Suitecrm 2024-11-21 3.7 Low
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. In versions prior to 7.14.4 and 8.6.1, a user password can be reset from an unauthenticated attacker. The attacker does not get access to the new password. But this can be annoying for the user. This attack is also dependent on some password reset functionalities being enabled. It also requires the system using php 7, which is not an officially supported version. Versions 7.14.4 and 8.6.1 contain a fix for this issue.
CVE-2024-36400 1 Viz 1 Nano Id 2024-11-21 9.4 Critical
nano-id is a unique string ID generator for Rust. Affected versions of the nano-id crate incorrectly generated IDs using a reduced character set in the `nano_id::base62` and `nano_id::base58` functions. Specifically, the `base62` function used a character set of 32 symbols instead of the intended 62 symbols, and the `base58` function used a character set of 16 symbols instead of the intended 58 symbols. Additionally, the `nano_id::gen` macro is also affected when a custom character set that is not a power of 2 in size is specified. It should be noted that `nano_id::base64` is not affected by this vulnerability. This can result in a significant reduction in entropy, making the generated IDs predictable and vulnerable to brute-force attacks when the IDs are used in security-sensitive contexts such as session tokens or unique identifiers. The vulnerability is fixed in 0.4.0.
CVE-2024-36399 1 Kanboard 1 Kanboard 2024-11-21 8.2 High
Kanboard is project management software that focuses on the Kanban methodology. The vuln is in app/Controller/ProjectPermissionController.php function addUser(). The users permission to add users to a project only get checked on the URL parameter project_id. If the user is authorized to add users to this project the request gets processed. The users permission for the POST BODY parameter project_id does not get checked again while processing. An attacker with the 'Project Manager' on a single project may take over any other project. The vulnerability is fixed in 1.2.37.
CVE-2024-36397 1 Vantiva 2 Mediaaccess Dga2232, Mediaaccess Dga2232 Firmware 2024-11-21 6.1 Medium
Vantiva - MediaAccess DGA2232 v19.4 - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-36396 1 Verint 1 Workforce Optimization 2024-11-21 8.8 High
Verint - CWE-434: Unrestricted Upload of File with Dangerous Type
CVE-2024-36395 1 Verint 1 Workforce Optimization 2024-11-21 6.1 Medium
Verint - CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CVE-2024-36394 1 Sysaid 1 Sysaid 2024-11-21 9.1 Critical
SysAid - CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2024-36393 1 Sysaid 1 Sysaid 2024-11-21 9.9 Critical
SysAid - CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2024-36388 2024-11-21 10 Critical
MileSight DeviceHub - CWE-305 Missing Authentication for Critical Function
CVE-2024-36287 2 Apple, Mattermost 2 Macos, Mattermost Desktop 2024-11-21 3.8 Low
Mattermost Desktop App versions <=5.7.0 fail to disable certain Electron debug flags which allows for bypassing TCC restrictions on macOS.
CVE-2024-36278 1 Openatom 1 Openharmony 2024-11-21 3.3 Low
in OpenHarmony v4.0.0 and prior versions allow a local attacker cause apps crash through type confusion.
CVE-2024-36268 1 Apache 1 Inlong 2024-11-21 9.8 Critical
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache InLong. This issue affects Apache InLong: from 1.10.0 through 1.12.0, which could lead to Remote Code Execution. Users are advised to upgrade to Apache InLong's 1.13.0 or cherry-pick [1] to solve it. [1]  https://github.com/apache/inlong/pull/10251
CVE-2024-36260 1 Openatom 1 Openharmony 2024-11-21 8.2 High
in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through out-of-bounds write.
CVE-2024-36257 1 Mattermost 1 Mattermost 2024-11-21 2.7 Low
Mattermost versions 9.5.x <= 9.5.5 and 9.8.0, when using shared channels with multiple remote servers connected, fail to check that the remote server A requesting the server B to update the profile picture of a user is the remote that actually has the user as a local one . This allows a malicious remote A to change the profile images of users that belong to another remote server C that is connected to the server A.
CVE-2024-36243 1 Openatom 1 Openharmony 2024-11-21 8.2 High
in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through out-of-bounds read and write.
CVE-2024-36239 1 Adobe 1 Experience Manager 2024-11-21 5.4 Medium
Adobe Experience Manager versions 6.5.20 and earlier Answer: are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. This vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser session. Exploitation of this issue requires user interaction, such as convincing a victim to click on a specially crafted link.
CVE-2024-36238 1 Adobe 2 Experience Manager, Experience Manager Cloud Service 2024-11-21 5.4 Medium
Adobe Experience Manager versions 6.5.20 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. This vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser session. Exploitation of this issue typically requires user interaction, such as convincing a user to click on a malicious link or to interact with a maliciously crafted web page.