Search Results (26956 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-42575 1 Arajajyothibabu 1 School Management System 2024-08-21 9.8 Critical
School Management System commit bae5aa was discovered to contain a SQL injection vulnerability via the medium parameter at substaff.php.
CVE-2024-42581 2 Oswapp, Siamonhasan 2 Warehouse Inventory System, Warehouse Inventory System 2024-08-21 9.6 Critical
A Cross-Site Request Forgery (CSRF) in the component delete_group.php of Warehouse Inventory System v2.0 allows attackers to escalate privileges.
CVE-2024-44076 1 Microcks 1 Microcks 2024-08-21 9.8 Critical
In Microcks before 1.10.0, the POST /api/import and POST /api/export endpoints allow non-administrator access.
CVE-2024-5914 1 Paloaltonetworks 1 Cortex Xsoar Commonscripts 2024-08-20 9.8 Critical
A command injection issue in Palo Alto Networks Cortex XSOAR CommonScripts Pack allows an unauthenticated attacker to execute arbitrary commands within the context of an integration container.
CVE-2024-38887 1 Horizoncloud 1 Caterease 2024-08-20 9.8 Critical
An issue in Horizon Business Services Inc. Caterease 16.0.1.1663 through 24.0.1.2405 and possibly later versions, allows a remote attacker to expand control over the operating system from the database due to the execution of commands with unnecessary privileges.
CVE-2024-42843 1 Projectworlds 1 Online Examination System 2024-08-19 9.8 Critical
Projectworlds Online Examination System v1.0 is vulnerable to SQL Injection via the subject parameter in feed.php.
CVE-2024-42360 1 Wurmlab 1 Sequenceserver 2024-08-16 9.8 Critical
SequenceServer lets you rapidly set up a BLAST+ server with an intuitive user interface for personal or group use. Several HTTP endpoints did not properly sanitize user input and/or query parameters. This could be exploited to inject and run unwanted shell commands. This vulnerability has been fixed in 3.1.2.
CVE-2024-38652 1 Ivanti 1 Avalanche 2024-08-15 9.1 Critical
Path traversal in the skin management component of Ivanti Avalanche 6.3.1 allows a remote unauthenticated attacker to achieve denial of service via arbitrary file deletion.
CVE-2024-33958 1 Janobe 2 Enegosyo System, Young Entrepreneur E-negosyo System 2024-08-15 9.8 Critical
SQL injection vulnerability in E-Negosyo System affecting version 1.0. An attacker could exploit this vulnerability by sending a specially crafted query to the server and retrieve all the information stored in 'phonenumber' in '/passwordrecover.php' parameter.
CVE-2024-33957 1 Janobe 2 Enegosyo System, Young Entrepreneur E-negosyo System 2024-08-15 9.8 Critical
SQL injection vulnerability in E-Negosyo System affecting version 1.0. An attacker could exploit this vulnerability by sending a specially crafted query to the server and retrieve all the information stored in 'id' in '/admin/orders/controller.php' parameter
CVE-2024-42546 1 Totolink 2 A3100r, A3100r Firmware 2024-08-15 9.8 Critical
TOTOLINK A3100R V4.1.2cu.5050_B20200504 has a buffer overflow vulnerability in the password parameter in the loginauth function.
CVE-2024-39228 1 Gl-inet 57 A1300, A1300 Firmware, Ap1300 and 54 more 2024-08-15 9.8 Critical
GL-iNet products AR750/AR750S/AR300M/AR300M16/MT300N-V2/B1300/MT1300/SFT1200/X750 v4.3.11, MT3000/MT2500/AXT1800/AX1800/A1300/X300B v4.5.16, XE300 v4.3.16, E750 v4.3.12, AP1300/S1300 v4.3.13, and XE3000/X3000 v4.4 were discovered to contain a shell injection vulnerability via the interface check_ovpn_client_config and check_config.
CVE-2024-39227 1 Gl-inet 77 A1300, A1300 Firmware, Ap1300 and 74 more 2024-08-15 9.8 Critical
GL-iNet products AR750/AR750S/AR300M/AR300M16/MT300N-V2/B1300/MT1300/SFT1200/X750 v4.3.11, MT3000/MT2500/AXT1800/AX1800/A1300/X300B v4.5.16, XE300 v4.3.16, E750 v4.3.12, AP1300/S1300 v4.3.13, and XE3000/X3000 v4.4 were discovered to contain insecure permissions in the endpoint /cgi-bin/glc. This vulnerability allows unauthenticated attackers to execute arbitrary code or possibly a directory traversal via crafted JSON data.
CVE-2024-39225 1 Gl-inet 56 A1300, A1300 Firmware, Ap1300 and 53 more 2024-08-15 9.8 Critical
GL-iNet products AR750/AR750S/AR300M/AR300M16/MT300N-V2/B1300/MT1300/SFT1200/X750 v4.3.11, MT3000/MT2500/AXT1800/AX1800/A1300/X300B v4.5.16, XE300 v4.3.16, E750 v4.3.12, AP1300/S1300 v4.3.13, and XE3000/X3000 v4.4 were discovered to contain a remote code execution (RCE) vulnerability.
CVE-2024-33960 1 Janobe 6 Credit Card, Debit Card Payment, Janobe Credit Card and 3 more 2024-08-15 9.8 Critical
SQL injection vulnerability in PayPal, Credit Card and Debit Card Payment affecting version 1.0. An attacker could exploit this vulnerability by sending a specially crafted query to the server and retrieve all the information stored in it through the following 'end' in '/admin/mod_reports/printreport.php' parameter.
CVE-2024-41940 1 Siemens 1 Sinec Nms 2024-08-14 9.1 Critical
A vulnerability has been identified in SINEC NMS (All versions < V3.0). The affected application does not properly validate user input to a privileged command queue. This could allow an authenticated attacker to execute OS commands with elevated privileges.
CVE-2024-42737 1 Totolink 2 X5000r, X5000r Firmware 2024-08-13 9.8 Critical
In TOTOLINK X5000r v9.1.0cu.2350_b20230313, the file /cgi-bin/cstecgi.cgi contains an OS command injection vulnerability in delBlacklist. Authenticated Attackers can send malicious packet to execute arbitrary commands.
CVE-2024-38530 2 Gunet, Openeclass 2 Open Eclass Platform, Openeclass 2024-08-13 9.8 Critical
The Open eClass platform (formerly known as GUnet eClass) is a complete Course Management System. An arbitrary file upload vulnerability in the "save" functionality of the H5P module enables unauthenticated users to upload arbitrary files on the server's filesystem. This may lead in unrestricted RCE on the backend server, since the upload location is accessible from the internet. This vulnerability is fixed in 3.16.
CVE-2023-7249 1 Opentext 1 Directory Services 2024-08-13 9.8 Critical
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in OpenText OpenText Directory Services allows Path Traversal.This issue affects OpenText Directory Services: from 16.4.2 before 24.1.
CVE-2024-42745 1 Totolink 2 X5000r, X5000r Firmware 2024-08-13 9.8 Critical
In TOTOLINK X5000r v9.1.0cu.2350_b20230313, the file /cgi-bin/cstecgi.cgi contains an OS command injection vulnerability in setUPnPCfg. Authenticated Attackers can send malicious packet to execute arbitrary commands.