Search Results (37275 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-24779 1 Apache 1 Superset 2025-02-13 5 Medium
Apache Superset with custom roles that include `can write on dataset` and without all data access permissions, allows for users to create virtual datasets to data they don't have access to. These users could then use those virtual datasets to get access to unauthorized data. This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1. Users are recommended to upgrade to version 3.1.1 or 3.0.4, which fixes the issue.
CVE-2024-24773 1 Apache 1 Superset 2025-02-13 4.9 Medium
Improper parsing of nested SQL statements on SQLLab would allow authenticated users to surpass their data authorization scope. This issue affects Apache Superset: before 3.0.4, from 3.1.0 before 3.1.1. Users are recommended to upgrade to version 3.1.1, which fixes the issue.
CVE-2024-23539 1 Apache 1 Fineract 2025-02-13 8.3 High
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Fineract.This issue affects Apache Fineract: <1.8.5. Users are recommended to upgrade to version 1.8.5 or 1.9.0, which fix the issue.
CVE-2024-23538 1 Apache 1 Fineract 2025-02-13 9.9 Critical
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Fineract.This issue affects Apache Fineract: <1.8.5. Users are recommended to upgrade to version 1.8.5 or 1.9.0, which fix the issue.
CVE-2023-49736 1 Apache 1 Superset 2025-02-13 6.5 Medium
A where_in JINJA macro allows users to specify a quote, which combined with a carefully crafted statement would allow for SQL injection in Apache Superset.This issue affects Apache Superset: before 2.1.2, from 3.0.0 before 3.0.2. Users are recommended to upgrade to version 3.0.2, which fixes the issue.
CVE-2023-49734 1 Apache 1 Superset 2025-02-13 7.7 High
An authenticated Gamma user has the ability to create a dashboard and add charts to it, this user would automatically become one of the owners of the charts allowing him to incorrectly have write permissions to these charts.This issue affects Apache Superset: before 2.1.2, from 3.0.0 before 3.0.2. Users are recommended to upgrade to version 3.0.2 or 2.1.3, which fixes the issue.
CVE-2023-47804 1 Apache 1 Openoffice 2025-02-13 8.8 High
Apache OpenOffice documents can contain links that call internal macros with arbitrary arguments. Several URI Schemes are defined for this purpose. Links can be activated by clicks, or by automatic document events. The execution of such links must be subject to user approval. In the affected versions of OpenOffice, approval for certain links is not requested; when activated, such links could therefore result in arbitrary script execution. This is a corner case of CVE-2022-47502.
CVE-2023-47037 1 Apache 1 Airflow 2025-02-13 4.3 Medium
We failed to apply CVE-2023-40611 in 2.7.1 and this vulnerability was marked as fixed then.  Apache Airflow, versions before 2.7.3, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DAG run detail values when submitting notes. This could have them alter details such as configuration parameters, start date, etc.  Users should upgrade to version 2.7.3 or later which has removed the vulnerability.
CVE-2023-46724 2 Redhat, Squid-cache 6 Enterprise Linux, Rhel Aus, Rhel E4s and 3 more 2025-02-13 8.6 High
Squid is a caching proxy for the Web. Due to an Improper Validation of Specified Index bug, Squid versions 3.3.0.1 through 5.9 and 6.0 prior to 6.4 compiled using `--with-openssl` are vulnerable to a Denial of Service attack against SSL Certificate validation. This problem allows a remote server to perform Denial of Service against Squid Proxy by initiating a TLS Handshake with a specially crafted SSL Certificate in a server certificate chain. This attack is limited to HTTPS and SSL-Bump. This bug is fixed in Squid version 6.4. In addition, patches addressing this problem for the stable releases can be found in Squid's patch archives. Those who you use a prepackaged version of Squid should refer to the package vendor for availability information on updated packages.
CVE-2024-6100 1 Google 1 Chrome 2025-02-13 8.8 High
Type Confusion in V8 in Google Chrome prior to 126.0.6478.114 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
CVE-2024-5843 2 Fedoraproject, Google 2 Fedora, Chrome 2025-02-13 8.8 High
Inappropriate implementation in Downloads in Google Chrome prior to 126.0.6478.54 allowed a remote attacker to obfuscate security UI via a malicious file. (Chromium security severity: Medium)
CVE-2024-5838 2 Fedoraproject, Google 2 Fedora, Chrome 2025-02-13 8.8 High
Type Confusion in V8 in Google Chrome prior to 126.0.6478.54 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)
CVE-2024-5837 2 Fedoraproject, Google 2 Fedora, Chrome 2025-02-13 8.8 High
Type Confusion in V8 in Google Chrome prior to 126.0.6478.54 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)
CVE-2024-5833 2 Fedoraproject, Google 2 Fedora, Chrome 2025-02-13 8.8 High
Type Confusion in V8 in Google Chrome prior to 126.0.6478.54 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)
CVE-2024-5830 2 Fedoraproject, Google 2 Fedora, Chrome 2025-02-13 8.8 High
Type Confusion in V8 in Google Chrome prior to 126.0.6478.54 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)
CVE-2024-5158 2 Fedoraproject, Google 2 Fedora, Chrome 2025-02-13 8.1 High
Type Confusion in V8 in Google Chrome prior to 125.0.6422.76 allowed a remote attacker to potentially perform arbitrary read/write via a crafted HTML page. (Chromium security severity: High)
CVE-2024-39911 1 Fit2cloud 1 1panel 2025-02-13 10 Critical
1Panel is a web-based linux server management control panel. 1Panel contains an unspecified sql injection via User-Agent handling. This issue has been addressed in version 1.10.12-lts. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2024-29834 1 Apache 1 Pulsar 2025-02-13 6.4 Medium
This vulnerability allows authenticated users with produce or consume permissions to perform unauthorized operations on partitioned topics, such as unloading topics and triggering compaction. These management operations should be restricted to users with the tenant admin role or superuser role. An authenticated user with produce permission can create subscriptions and update subscription properties on partitioned topics, even though this should be limited to users with consume permissions. This impact analysis assumes that Pulsar has been configured with the default authorization provider. For custom authorization providers, the impact could be slightly different. Additionally, the vulnerability allows an authenticated user to read, create, modify, and delete namespace properties in any namespace in any tenant. In Pulsar, namespace properties are reserved for user provided metadata about the namespace. This issue affects Apache Pulsar versions from 2.7.1 to 2.10.6, from 2.11.0 to 2.11.4, from 3.0.0 to 3.0.3, from 3.1.0 to 3.1.3, and from 3.2.0 to 3.2.1. 3.0 Apache Pulsar users should upgrade to at least 3.0.4. 3.1 and 3.2 Apache Pulsar users should upgrade to at least 3.2.2. Users operating versions prior to those listed above should upgrade to the aforementioned patched versions or newer versions.
CVE-2024-24851 1 Automationdirect 12 P1-540, P1-540 Firmware, P1-550 and 9 more 2025-02-13 7.5 High
A heap-based buffer overflow vulnerability exists in the Programming Software Connection FiBurn functionality of AutomationDirect P3-550E 1.2.10.9. A specially crafted network packet can lead to a buffer overflow. An attacker can send an unauthenticated packet to trigger this vulnerability.
CVE-2024-1939 2 Fedoraproject, Google 3 Fedora, Chrome, V8 2025-02-13 8.8 High
Type Confusion in V8 in Google Chrome prior to 122.0.6261.94 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)