Total
2927 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-51995 | 2024-11-08 | 7.1 High | ||
| Combodo iTop is a web based IT Service Management tool. An attacker can request any `route` we want as long as we specify an `operation` that is allowed. This issue has been addressed in version 3.2.0 by applying the same access control pattern as in `UI.php` to the `ajax.render.php` page which does not allow arbitrary `routes` to be dispatched. All users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2023-29121 | 2 Enel X, Enelx | 3 Juicebox Pro3.0 22kw Cellular, Waybox Pro, Waybox Pro Firmware | 2024-11-08 | 9.6 Critical |
| Waybox Enel TCF Agent service could be used to get administrator’s privileges over the Waybox system. | ||||
| CVE-2023-29115 | 1 Enelx | 2 Waybox Pro, Waybox Pro Firmware | 2024-11-08 | 6.5 Medium |
| In certain conditions a request directed to the Waybox Enel X Web management application could cause a denial-of-service (e.g. reboot). | ||||
| CVE-2024-7429 | 1 Katieseaborn | 1 Zotpress | 2024-11-08 | 4.3 Medium |
| The Zotpress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the Zotpress_process_accounts_AJAX function in all versions up to, and including, 7.3.12. This makes it possible for authenticated attackers, with Contributor-level access and above, to reset the plugin's settings. | ||||
| CVE-2024-48932 | 2 Icewhaletech, Zimaspace | 2 Zimaos, Zimaos | 2024-11-06 | 5.3 Medium |
| ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoint `http://<Server-ip>/v1/users/name` allows unauthenticated users to access sensitive information, such as usernames, without any authorization. This vulnerability could be exploited by an attacker to enumerate usernames and leverage them for further attacks, such as brute-force or phishing campaigns. As of time of publication, no known patched versions are available. | ||||
| CVE-2024-10766 | 1 Codezips | 1 Free Exam Hall Seating Management System | 2024-11-06 | 6.3 Medium |
| A vulnerability, which was classified as critical, has been found in Codezips Free Exam Hall Seating Management System 1.0. This issue affects some unknown processing of the file /pages/save_user.php. The manipulation of the argument image leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The initial researcher disclosure contains confusing vulnerability classes and file names. | ||||
| CVE-2024-10765 | 1 Codezips | 1 Online Institute Management System | 2024-11-06 | 6.3 Medium |
| A vulnerability classified as critical was found in Codezips Online Institute Management System up to 1.0. This vulnerability affects unknown code of the file /profile.php. The manipulation of the argument old_image leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-10764 | 1 Codezips | 1 Online Institute Management System | 2024-11-06 | 6.3 Medium |
| A vulnerability classified as critical has been found in Codezips Online Institute Management System 1.0. This affects an unknown part of the file /pages/save_user.php. The manipulation of the argument image leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-7475 | 2 Lunary, Lunary-ai | 2 Lunary, Lunary-ai\/lunary | 2024-11-04 | 9.1 Critical |
| An improper access control vulnerability in lunary-ai/lunary version 1.3.2 allows an attacker to update the SAML configuration without authorization. This vulnerability can lead to manipulation of authentication processes, fraudulent login requests, and theft of user information. Appropriate access controls should be implemented to ensure that the SAML configuration can only be updated by authorized users. | ||||
| CVE-2024-39772 | 1 Mattermost | 1 Mattermost Desktop | 2024-11-01 | 3.7 Low |
| Mattermost Desktop App versions <=5.8.0 fail to safeguard screen capture functionality which allows an attacker to silently capture high-quality screenshots via JavaScript APIs. | ||||
| CVE-2024-7424 | 2024-11-01 | 5.4 Medium | ||
| The Multiple Page Generator Plugin – MPG plugin for WordPress is vulnerable to unauthorized modification of and access to data due to a missing capability check on several functions in all versions up to, and including, 4.0.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to invoke those functions intended for admin use resulting in subscribers being able to upload csv files and view the contents of MPG projects. | ||||
| CVE-2024-47481 | 1 Dell | 1 Data Lakehouse | 2024-10-31 | 6.5 Medium |
| Dell Data Lakehouse, version(s) 1.0.0.0, 1.1.0., contain(s) an Improper Access Control vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to Denial of service. | ||||
| CVE-2024-10353 | 1 Oretnom23 | 1 Online Exam System | 2024-10-30 | 6.3 Medium |
| A vulnerability classified as critical has been found in SourceCodester Online Exam System 1.0. Affected is an unknown function of the file /admin-dashboard. The manipulation leads to improper access controls. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This affects a different product and is a different issue than CVE-2024-40480. | ||||
| CVE-2024-7001 | 1 Google | 1 Chrome | 2024-10-30 | 4.3 Medium |
| Inappropriate implementation in HTML in Google Chrome prior to 127.0.6533.72 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | ||||
| CVE-2024-10241 | 2024-10-29 | 4.3 Medium | ||
| Mattermost versions 9.5.x <= 9.5.9 fail to properly filter the channel data when ElasticSearch is enabled which allows a user to get private channel names by using cmd+K/ctrl+K. | ||||
| CVE-2024-48925 | 1 Umbraco | 1 Umbraco Cms | 2024-10-25 | 0 Low |
| Umbraco, a free and open source .NET content management system, has an improper access control issue starting in version 14.0.0 and prior to version 14.3.0. The issue allows low-privilege users to access the webhook API and retrieve information that should be restricted to users with access to the settings section. Version 14.3.0 contains a patch. | ||||
| CVE-2024-9692 | 1 Vimesa | 1 Vhf\/fm Transmitter Blue Plus | 2024-10-25 | N/A |
| VIMESA VHF/FM Transmitter Blue Plus is suffering from a Denial-of-Service (DoS) vulnerability. An unauthenticated attacker can issue an unauthorized HTTP GET request to the unprotected endpoint 'doreboot' and restart the transmitter operations. | ||||
| CVE-2024-20465 | 1 Cisco | 1 Ios | 2024-10-24 | 5.8 Medium |
| A vulnerability in the access control list (ACL) programming of Cisco IOS Software running on Cisco Industrial Ethernet 4000, 4010, and 5000 Series Switches could allow an unauthenticated, remote attacker to bypass a configured ACL. This vulnerability is due to the incorrect handling of IPv4 ACLs on switched virtual interfaces when an administrator enables and disables Resilient Ethernet Protocol (REP). An attacker could exploit this vulnerability by attempting to send traffic through an affected device. A successful exploit could allow the attacker to bypass an ACL on the affected device. | ||||
| CVE-2024-40884 | 1 Mattermost | 1 Mattermost Server | 2024-10-17 | 2.7 Low |
| Mattermost versions 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 fail to properly enforce permissions which allows a team admin user without "Add Team Members" permission to disable the invite URL. | ||||
| CVE-2024-43780 | 1 Mattermost | 1 Mattermost Server | 2024-10-16 | 4.3 Medium |
| Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.0, 9.8.x <= 9.8.2 fail to enforce permissions which allows a guest user with read access to upload files to a channel. | ||||