Total
332 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-49756 | 1 Ash Framework | 1 Ashpostgres | 2024-10-25 | 5.3 Medium |
| AshPostgres is the PostgreSQL data layer for Ash Framework. Starting in version 2.0.0 and prior to version 2.4.10, in certain very specific situations, it was possible for the policies of an update action to be skipped. This occurred only on "empty" update actions (no changing fields), and would allow their hooks (side effects) to be performed when they should not have been. Note that this does not allow reading new data that the user should not have had access to, only triggering a side effect a user should not have been able to trigger. To be vulnerable, an affected user must have an update action that is on a resource with no attributes containing an "update default" (updated_at timestamp, for example); can be performed atomically; does not have `require_atomic? false`; has at least one authorizer (typically `Ash.Policy.Authorizer`); and has at least one `change` (on the resource's `changes` block or in the action itself). This is where the side-effects would be performed when they should not have been. This problem has been patched in `2.4.10` of `ash_postgres`. Several workarounds are available. Potentially affected users may determine that none of their actions are vulnerable using a script the maintainers provide in the GitHub Security Advisory, add `require_atomic? false` to any potentially affected update action, replace any usage of `Ash.update` with `Ash.bulk_update` for an affected action, and/or add an update timestamp to their action. | ||||
| CVE-2023-2538 | 1 Tyan | 8 S5552\/s5552gm2nr, S5552\/s5552gm2nr Firmware, S5552\/s5552gm4nr and 5 more | 2024-10-24 | 5.8 Medium |
| A CWE-552 "Files or Directories Accessible to External Parties” in the web interface of the Tyan S5552 BMC version 3.00 allows an unauthenticated remote attacker to retrieve the private key of the TLS certificate in use by the BMC via forced browsing. This can then be abused to perform Man-in-the-Middle (MitM) attacks against victims that access the web interface through HTTPS. | ||||
| CVE-2018-12365 | 4 Canonical, Debian, Mozilla and 1 more | 12 Ubuntu Linux, Debian Linux, Firefox and 9 more | 2024-10-21 | N/A |
| A compromised IPC child process can escape the content sandbox and list the names of arbitrary files on the file system without user consent or interaction. This could result in exposure of private local files. This vulnerability affects Thunderbird < 60, Thunderbird < 52.9, Firefox ESR < 60.1, Firefox ESR < 52.9, and Firefox < 61. | ||||
| CVE-2023-38952 | 1 Zkteco | 1 Biotime | 2024-10-17 | 7.5 High |
| Insecure access control in ZKTeco BioTime v8.5.5 allows unauthenticated attackers to read sensitive backup files and access sensitive information such as user credentials via sending a crafted HTTP request to the static files resources of the system. | ||||
| CVE-2024-45276 | 3 Helmholz, Mb Connect Line, Mbconnectline | 5 Rex 100, Rex 100 Firmware, Mbnet.mini and 2 more | 2024-10-17 | 7.5 High |
| An unauthenticated remote attacker can get read access to files in the "/tmp" directory due to missing authentication. | ||||
| CVE-2023-38948 | 1 Jizhicms | 1 Jizhicms | 2024-10-17 | 7.2 High |
| An arbitrary file download vulnerability in the /c/PluginsController.php component of jizhi CMS 1.9.5 allows attackers to execute arbitrary code via downloading a crafted plugin. | ||||
| CVE-2022-45052 | 3 Axiell, Linux, Microsoft | 3 Iguana, Linux Kernel, Windows | 2024-10-16 | 8.8 High |
| A Local File Inclusion vulnerability has been found in Axiell Iguana CMS. Due to insufficient neutralisation of user input on the url parameter on the Proxy.type.php endpoint, external users are capable of accessing files on the server. | ||||
| CVE-2024-44807 | 1 D-zero | 2 Burgereditor, Burgereditor Limited Edition | 2024-10-15 | 5.3 Medium |
| A directory listing issue in the baserCMS plugin in D-ZERO CO., LTD. BurgerEditor and BurgerEditor Limited Edition before 2.25.1 allows remote attackers to obtain sensitive information by exposing a list of the uploaded files. | ||||
| CVE-2021-3996 | 2 Fedoraproject, Kernel | 2 Fedora, Util-linux | 2024-10-15 | 5.5 Medium |
| A logic error was found in the libmount library of util-linux in the function that allows an unprivileged user to unmount a FUSE filesystem. This flaw allows a local user on a vulnerable system to unmount other users' filesystems that are either world-writable themselves (like /tmp) or mounted in a world-writable directory. An attacker may use this flaw to cause a denial of service to applications that use the affected filesystems. | ||||
| CVE-2023-37551 | 1 Codesys | 16 Control For Beaglebone Sl, Control For Empc-a\/imx6 Sl, Control For Iot2000 Sl and 13 more | 2024-10-11 | 6.5 Medium |
| In multiple Codesys products in multiple versions, after successful authentication as a user, specially crafted network communication requests can utilize the CmpApp component to download files with any file extensions to the controller. In contrast to the regular file download via CmpFileTransfer, no filtering of certain file types is performed here. As a result, the integrity of the CODESYS control runtime system may be compromised by the files loaded onto the controller. | ||||
| CVE-2023-32226 | 1 Sysaid | 1 Sysaid On-premises | 2024-10-11 | 8.3 High |
| Sysaid - CWE-552: Files or Directories Accessible to External Parties - Authenticated users may exfiltrate files from the server via an unspecified method. | ||||
| CVE-2024-2759 | 2024-10-10 | N/A | ||
| Improper access control vulnerability in Apaczka plugin for PrestaShop allows information gathering from saved templates without authentication.This issue affects Apaczka plugin for PrestaShop from v1 through v4. | ||||
| CVE-2023-31064 | 1 Apache | 1 Inlong | 2024-10-09 | 7.5 High |
| Files or Directories Accessible to External Parties vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.2.0 through 1.6.0. the user in InLong could cancel an application that doesn't belongs to it. Users are advised to upgrade to Apache InLong's 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7799 https://github.com/apache/inlong/pull/7799 to solve it. | ||||
| CVE-2023-31066 | 1 Apache | 1 Inlong | 2024-10-09 | 9.1 Critical |
| Files or Directories Accessible to External Parties vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.6.0. Different users in InLong could delete, edit, stop, and start others' sources! Users are advised to upgrade to Apache InLong's 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7775 https://github.com/apache/inlong/pull/7775 to solve it. | ||||
| CVE-2024-21403 | 1 Microsoft | 2 Azure Kubernetes Service, Azure Kubernetes Service Confidential Containers | 2024-10-09 | 9 Critical |
| Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability | ||||
| CVE-2024-7107 | 1 Nationalkeep | 1 Cybermath | 2024-10-03 | 7.5 High |
| Files or Directories Accessible to External Parties vulnerability in National Keep Cyber Security Services CyberMath allows Collect Data from Common Resource Locations.This issue affects CyberMath: before CYBM.240816253. | ||||
| CVE-2023-4475 | 1 Asustor | 1 Data Master | 2024-10-02 | 7.5 High |
| An Arbitrary File Movement vulnerability was found in ASUSTOR Data Master (ADM) allows an attacker to exploit the file renaming feature to move files to unintended directories. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below. | ||||
| CVE-2023-41717 | 1 Zscaler | 1 Zscaler Proxy | 2024-10-01 | 5.5 Medium |
| Inappropriate file type control in Zscaler Proxy versions 3.6.1.25 and prior allows local attackers to bypass file download/upload restrictions. | ||||
| CVE-2023-3712 | 1 Honeywell | 2 Pm43, Pm43 Firmware | 2024-09-25 | 6.6 Medium |
| Files or Directories Accessible to External Parties vulnerability in Honeywell PM43 on 32 bit, ARM (Printer web page modules) allows Privilege Escalation.This issue affects PM43 versions prior to P10.19.050004. Update to the latest available firmware version of the respective printers to version MR19.5 (e.g. P10.19.050006). | ||||
| CVE-2023-43856 | 1 Dreamer Cms Project | 1 Dreamer Cms | 2024-09-24 | 7.5 High |
| Dreamer CMS v4.1.3 was discovered to contain an arbitrary file read vulnerability via the component /admin/TemplateController.java. | ||||