Total
264420 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2023-38045 | 1 Admiror-design-studio | 1 Admiror Gallery | 2024-09-29 | 6.1 Medium |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in advcomsys.com oneVote component for Joomla. It allows XSS Targeting Non-Script Elements. | ||||
CVE-2024-47221 | 1 Rapidscada | 1 Rapid Scada | 2024-09-29 | 7.5 High |
CheckUser in ScadaServerEngine/MainLogic.cs in Rapid SCADA through 5.8.4 allows an empty password. | ||||
CVE-2022-39068 | 1 Zte | 2 Mf296r, Mf296r Firmware | 2024-09-29 | 4.5 Medium |
There is a buffer overflow vulnerability in ZTE MF296R. Due to insufficient validation of the SMS parameter length, an authenticated attacker could use the vulnerability to perform a denial of service attack. | ||||
CVE-2024-39910 | 1 Decidim | 1 Decidim | 2024-09-29 | 5.4 Medium |
decidim is a Free Open-Source participatory democracy, citizen participation and open government for cities and organizations. The WYSWYG editor QuillJS is subject to potential XSS attach in case the attacker manages to modify the HTML before being uploaded to the server. The attacker is able to change e.g. to <svg onload=alert('XSS')> if they know how to craft these requests themselves. This issue has been addressed in release version 0.27.7. All users are advised to upgrade. Users unable to upgrade should review the user accounts that have access to the admin panel (i.e. general Administrators, and participatory space's Administrators) and remove access to them if they don't need it. Disable the "Enable rich text editor for participants" setting in the admin dashboard | ||||
CVE-2024-43024 | 1 Rws | 1 Multitrans | 2024-09-29 | 6.1 Medium |
Multiple stored cross-site scripting (XSS) vulnerabilities in RWS MultiTrans v7.0.23324.2 and earlier allow attackers to execute arbitrary web scripts or HTML via a crafted payload. | ||||
CVE-2024-37985 | 1 Microsoft | 4 Windows 11 22h2, Windows 11 22h2, Windows 11 23h2 and 1 more | 2024-09-29 | 5.9 Medium |
Windows Kernel Information Disclosure Vulnerability | ||||
CVE-2024-43188 | 1 Ibm | 1 Business Automation Workflow | 2024-09-29 | 4.9 Medium |
IBM Business Automation Workflow 22.0.2, 23.0.1, 23.0.2, and 24.0.0 could allow a privileged user to perform unauthorized activities due to improper client side validation. | ||||
CVE-2021-27915 | 2 Acquia, Mautic | 2 Mautic, Mautic | 2024-09-29 | 7.6 High |
Prior to the patched version, there is an XSS vulnerability in the description fields within the Mautic application which could be exploited by a logged in user of Mautic with the appropriate permissions. This could lead to the user having elevated access to the system. | ||||
CVE-2024-44162 | 1 Apple | 1 Xcode | 2024-09-29 | 7.8 High |
This issue was addressed by enabling hardened runtime. This issue is fixed in Xcode 16. A malicious application may gain access to a user's Keychain items. | ||||
CVE-2024-32034 | 1 Decidim | 1 Decidim | 2024-09-29 | 6.8 Medium |
decidim is a Free Open-Source participatory democracy, citizen participation and open government for cities and organizations. The admin panel is subject to potential Cross-site scripting (XSS) attach in case an admin assigns a valuator to a proposal, or does any other action that generates an admin activity log where one of the resources has an XSS crafted. This issue has been addressed in release version 0.27.7, 0.28.2, and newer. Users are advised to upgrade. Users unable to upgrade may redirect the pages /admin and /admin/logs to other admin pages to prevent this access (i.e. `/admin/organization/edit`). | ||||
CVE-2024-45300 | 1 Alf | 1 Alf | 2024-09-29 | 7.5 High |
alf.io is an open source ticket reservation system for conferences, trade shows, workshops, and meetups. Prior to version 2.0-M5, a race condition allows the user to bypass the limit on the number of promo codes and use the discount coupon multiple times. In "alf.io", an event organizer can apply price discounts by using promo codes to your events. The organizer can limit the number of promo codes that will be used for this, but the time-gap between checking the number of codes and restricting the use of the codes allows a threat actor to bypass the promo code limit. Version 2.0-M5 fixes this issue. | ||||
CVE-2024-7734 | 1 Phoenixcontact | 72 Fl Mguard 2102, Fl Mguard 2102 Firmware, Fl Mguard 2105 and 69 more | 2024-09-28 | 5.3 Medium |
An unauthenticated remote attacker can exploit the behavior of the pathfinder TCP encapsulation service by establishing a high number of TCP connections to the pathfinder TCP encapsulation service. The impact is limited to blocking of valid IPsec VPN peers. | ||||
CVE-2023-45038 | 1 Qnap | 1 Music Station | 2024-09-28 | 4.3 Medium |
An improper authentication vulnerability has been reported to affect Music Station. If exploited, the vulnerability could allow users to compromise the security of the system via a network. We have already fixed the vulnerability in the following version: Music Station 5.4.0 and later | ||||
CVE-2023-47563 | 1 Qnap | 1 Video Station | 2024-09-28 | 7.4 High |
An OS command injection vulnerability has been reported to affect Video Station. If exploited, the vulnerability could allow authenticated users to execute commands via a network. We have already fixed the vulnerability in the following version: Video Station 5.8.2 and later | ||||
CVE-2023-50360 | 1 Qnap | 1 Video Station | 2024-09-28 | 8.8 High |
A SQL injection vulnerability has been reported to affect Video Station. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network. We have already fixed the vulnerability in the following version: Video Station 5.8.1 ( 2024/02/26 ) and later | ||||
CVE-2024-33004 | 1 Sap Se | 1 Sap Business Objects Business Intgelligence Platform | 2024-09-28 | 4.3 Medium |
SAP Business Objects Business Intelligence Platform is vulnerable to Insecure Storage as dynamic web pages are getting cached even after logging out. On successful exploitation, the attacker can see the sensitive information through cache and can open the pages causing limited impact on Confidentiality, Integrity and Availability of the application. | ||||
CVE-2024-30218 | 2024-09-28 | 6.5 Medium | ||
The ABAP Application Server of SAP NetWeaver as well as ABAP Platform allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service. This leads to a considerable impact on availability. | ||||
CVE-2024-28163 | 1 Sap | 1 Netweaver Process Integration | 2024-09-28 | 5.3 Medium |
Under certain conditions, Support Web Pages of SAP NetWeaver Process Integration (PI) - versions 7.50, allows an attacker to access information which would otherwise be restricted, causing low impact on Confidentiality with no impact on Integrity and Availability of the application. | ||||
CVE-2024-25646 | 2024-09-28 | 7.7 High | ||
Due to improper validation, SAP BusinessObject Business Intelligence Launch Pad allows an authenticated attacker to access operating system information using crafted document. On successful exploitation there could be a considerable impact on confidentiality of the application. | ||||
CVE-2024-25645 | 2024-09-28 | 5.3 Medium | ||
Under certain condition SAP NetWeaver (Enterprise Portal) - version 7.50 allows an attacker to access information which would otherwise be restricted causing low impact on confidentiality of the application and with no impact on Integrity and Availability of the application. |