Search Results (37090 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-24002 1 Jishenghua 1 Jsherp 2024-11-21 9.8 Critical
jshERP v3.3 is vulnerable to SQL Injection. The com.jsh.erp.controller.MaterialController: com.jsh.erp.utils.BaseResponseInfo getListWithStock() function of jshERP does not filter `column` and `order` parameters well enough, and an attacker can construct malicious payload to bypass jshERP's protection mechanism in `safeSqlParse` method for sql injection.
CVE-2024-23669 1 Fortinet 2 Fortiweb Manager, Fortiwebmanager 2024-11-21 6.4 Medium
An improper authorization in Fortinet FortiWebManager version 7.2.0 and 7.0.0 through 7.0.4 and 6.3.0 and 6.2.3 through 6.2.4 and 6.0.2 allows attacker to execute unauthorized code or commands via HTTP requests or CLI.
CVE-2024-23653 1 Mobyproject 1 Buildkit 2024-11-21 9.8 Critical
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. In addition to running containers as build steps, BuildKit also provides APIs for running interactive containers based on built images. It was possible to use these APIs to ask BuildKit to run a container with elevated privileges. Normally, running such containers is only allowed if special `security.insecure` entitlement is enabled both by buildkitd configuration and allowed by the user initializing the build request. The issue has been fixed in v0.12.5 . Avoid using BuildKit frontends from untrusted sources.
CVE-2024-23629 1 Motorola 2 Mr2600, Mr2600 Firmware 2024-11-21 9.6 Critical
An authentication bypass vulnerability exists in the web component of the Motorola MR2600. An attacker can exploit this vulnerability to access protected URLs and retrieve sensitive information.
CVE-2024-23524 1 Ontraport 1 Pilotpress 2024-11-21 5.3 Medium
Missing Authorization vulnerability in ONTRAPORT Inc. PilotPress.This issue affects PilotPress: from n/a through 2.0.30.
CVE-2024-23521 1 Happyforms 1 Happyforms 2024-11-21 5.3 Medium
Missing Authorization vulnerability in Happyforms.This issue affects Happyforms: from n/a through 1.25.10.
CVE-2024-23504 1 Wpmanageninja 1 Ninja Tables 2024-11-21 5.3 Medium
Missing Authorization vulnerability in WPManageNinja LLC Ninja Tables.This issue affects Ninja Tables: from n/a through 5.0.5.
CVE-2024-23503 1 Wpmanageninja 1 Ninja Tables 2024-11-21 4.3 Medium
Missing Authorization vulnerability in WPManageNinja LLC Ninja Tables.This issue affects Ninja Tables: from n/a through 5.0.6.
CVE-2024-22221 1 Dell 1 Unity Operating Environment 2024-11-21 4.5 Medium
Dell Unity, versions prior to 5.4, contains SQL Injection vulnerability. An authenticated attacker could potentially exploit this vulnerability, leading to exposure of sensitive information.
CVE-2024-21901 1 Qnap 2 Myqnapcloud, Qts 2024-11-21 4.7 Medium
A SQL injection vulnerability has been reported to affect myQNAPcloud. If exploited, the vulnerability could allow authenticated administrators to inject malicious code via a network. We have already fixed the vulnerability in the following versions: myQNAPcloud 1.0.52 ( 2023/11/24 ) and later QTS 4.5.4.2627 build 20231225 and later
CVE-2024-21751 1 Yoginetwork 1 Rabbitloader 2024-11-21 5.4 Medium
Missing Authorization vulnerability in RabbitLoader.This issue affects RabbitLoader: from n/a through 2.19.13.
CVE-2024-21748 1 Icegram 1 Icegram Express 2024-11-21 4.3 Medium
Missing Authorization vulnerability in Icegram.This issue affects Icegram: from n/a through 3.1.21.
CVE-2024-21514 1 Opencart 1 Opencart 2024-11-21 7.4 High
This affects versions of the package opencart/opencart from 0.0.0. An SQL Injection issue was identified in the Divido payment extension for OpenCart, which is included by default in version 3.0.3.9. As an anonymous unauthenticated user, if the Divido payment module is installed (it does not have to be enabled), it is possible to exploit SQL injection to gain unauthorised access to the backend database. For any site which is vulnerable, any unauthenticated user could exploit this to dump the entire OpenCart database, including customer PII data.
CVE-2024-20828 1 Samsung 1 Internet 2024-11-21 2.4 Low
Improper authorization verification vulnerability in Samsung Internet prior to version 24.0 allows physical attackers to access files downloaded in SecretMode without proper authentication.
CVE-2024-1847 2024-11-21 7.8 High
Heap-based Buffer Overflow, Memory Corruption, Out-Of-Bounds Read, Out-Of-Bounds Write, Stack-based Buffer Overflow, Type Confusion, Uninitialized Variable, Use-After-Free vulnerabilities exist in the file reading procedure in eDrawings from Release SOLIDWORKS 2023 through Release SOLIDWORKS 2024. These vulnerabilities could allow an attacker to execute arbitrary code while opening a specially crafted CATPART, IPT, JT, SAT, STL, STP, X_B or X_T file. NOTE: CVE-2024-3298 and CVE-2024-3299 were SPLIT from this ID.
CVE-2024-1576 1 Megabip 1 Megabip 2024-11-21 9.8 Critical
SQL Injection vulnerability in MegaBIP software allows attacker to obtain site administrator privileges, including access to the administration panel and the ability to change the administrator password. This issue affects MegaBIP software versions through 5.09.
CVE-2024-1530 1 Shopex 1 Ecshop 2024-11-21 6.3 Medium
A vulnerability, which was classified as critical, has been found in ECshop 4.1.8. Affected by this issue is some unknown functionality of the file /admin/view_sendlist.php. The manipulation leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-250562 is the identifier assigned to this vulnerability.
CVE-2024-1254 1 Byzoro 2 Smart S20, Smart S20 Firmware 2024-11-21 4.7 Medium
A vulnerability, which was classified as critical, was found in Byzoro Smart S20 Management Platform up to 20231120. This affects an unknown part of the file /sysmanage/sysmanageajax.php. The manipulation of the argument id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-252993 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-1061 1 Bplugins 1 Html5 Video Player 2024-11-21 8.6 High
The 'HTML5 Video Player' WordPress Plugin, version < 2.5.25 is affected by an unauthenticated SQL injection vulnerability in the 'id' parameter in the  'get_view' function.
CVE-2024-1007 1 Razormist 1 Employee Management System 2024-11-21 6.3 Medium
A vulnerability was found in SourceCodester Employee Management System 1.0. It has been classified as critical. Affected is an unknown function of the file edit_profile.php. The manipulation of the argument txtfullname leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-252276.