Total
55 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-5763 | 1 Eclipse | 1 Glassfish | 2024-09-05 | 6.8 Medium |
| In Eclipse Glassfish 5 or 6, running with old versions of JDK (lower than 6u211, or < 7u201, or < 8u191), allows remote attackers to load malicious code on the server via access to insecure ORB listeners. | ||||
| CVE-2023-43177 | 1 Crushftp | 1 Crushftp | 2024-09-04 | 9.8 Critical |
| CrushFTP prior to 10.5.1 is vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes. | ||||
| CVE-2006-7079 | 1 Exv2 | 1 Content Management System | 2024-08-07 | 9.8 Critical |
| Variable extraction vulnerability in include/common.php in exV2 2.0.4.3 and earlier allows remote attackers to overwrite arbitrary program variables and conduct directory traversal attacks to execute arbitrary code by modifying the $xoopsOption['pagetype'] variable. | ||||
| CVE-2012-2055 | 1 Github | 1 Github | 2024-08-06 | 7.5 High |
| GitHub Enterprise before 20120304 does not properly restrict the use of a hash to provide values for a model's attributes, which allows remote attackers to set the public_key[user_id] value via a modified URL for the public-key update form, related to a "mass assignment" vulnerability. | ||||
| CVE-2017-3200 | 1 Graniteds | 1 Graniteds | 2024-08-05 | 8.1 High |
| The Java implementation of AMF3 deserializers used in GraniteDS, version 3.1.1.G, may allow instantiation of arbitrary classes via their public parameter-less constructor and subsequently call arbitrary Java Beans setter methods. The ability to exploit this vulnerability depends on the availability of classes in the class path that make use of deserialization. A remote attacker with the ability to spoof or control information may be able to send serialized Java objects with pre-set properties that result in arbitrary code execution when deserialized. | ||||
| CVE-2017-3202 | 1 Exadel | 1 Flamingo | 2024-08-05 | N/A |
| The Java implementation of AMF3 deserializers used in Flamingo amf-serializer by Exadel, version 2.2.0, may allow instantiation of arbitrary classes via their public parameter-less constructor and subsequently call arbitrary Java Beans setter methods. The ability to exploit this vulnerability depends on the availability of classes in the class path that make use of deserialization. A remote attacker with the ability to spoof or control information may be able to send serialized Java objects with pre-set properties that result in arbitrary code execution when deserialized. | ||||
| CVE-2018-19836 | 1 Metinfo | 1 Metinfo | 2024-08-05 | N/A |
| In Metinfo 6.1.3, include/interface/applogin.php allows setting arbitrary HTTP headers (including the Cookie header), and common.inc.php allows registering variables from the $_COOKIE value. This issue can, for example, be exploited in conjunction with CVE-2018-19835 to bypass many XSS filters such as the Chrome XSS filter. | ||||
| CVE-2020-15568 | 1 Terra-master | 1 Tos | 2024-08-04 | 9.8 Critical |
| TerraMaster TOS before 4.1.29 has Invalid Parameter Checking that leads to code injection as root. This is a dynamic class method invocation vulnerability in include/exportUser.php, in which an attacker can trigger a call to the exec method with (for example) OS commands in the opt parameter. | ||||
| CVE-2020-15372 | 1 Broadcom | 1 Fabric Operating System | 2024-08-04 | 5.5 Medium |
| A vulnerability in the command-line interface in Brocade Fabric OS before Brocade Fabric OS v8.2.2a1, 8.2.2c, v7.4.2g, v8.2.0_CBN3, v8.2.1e, v8.1.2k, v9.0.0, could allow a local authenticated attacker to modify shell variables, which may lead to an escalation of privileges or bypassing the logging. | ||||
| CVE-2020-4100 | 1 Hcltechsw | 1 Hcl Verse | 2024-08-04 | 4.4 Medium |
| "HCL Verse for Android was found to employ dynamic code loading. This mechanism allows a developer to specify which components of the application should not be loaded by default when the application is started. Typically, core components and additional dependencies are loaded natively at runtime; however, dynamically loaded components are only loaded as they are specifically requested. While this can have a positive impact on performance, or grant additional functionality (for example, a non-invasive update feature), it can also open the application to loading unintended code if not implemented properly." | ||||
| CVE-2021-42809 | 2 Microsoft, Thalesgroup | 2 Windows, Sentinel Protection Installer | 2024-08-04 | 6.5 Medium |
| Improper Access Control of Dynamically-Managed Code Resources (DLL) in Thales Sentinel Protection Installer could allow the execution of arbitrary code. | ||||
| CVE-2021-32813 | 1 Traefik | 1 Traefik | 2024-08-03 | 4.8 Medium |
| Traefik is an HTTP reverse proxy and load balancer. Prior to version 2.4.13, there exists a potential header vulnerability in Traefik's handling of the Connection header. Active exploitation of this issue is unlikely, as it requires that a removed header would lead to a privilege escalation, however, the Traefik team has addressed this issue to prevent any potential abuse. If one has a chain of Traefik middlewares, and one of them sets a request header, then sending a request with a certain Connection header will cause it to be removed before the request is sent. In this case, the backend does not see the request header. A patch is available in version 2.4.13. There are no known workarounds aside from upgrading. | ||||
| CVE-2021-32563 | 1 Xfce | 1 Thunar | 2024-08-03 | 9.8 Critical |
| An issue was discovered in Thunar before 4.16.7 and 4.17.x before 4.17.2. When called with a regular file as a command-line argument, it delegates to a different program (based on the file type) without user confirmation. This could be used to achieve code execution. | ||||
| CVE-2021-26276 | 1 Godaddy | 1 Node-config-shield | 2024-08-03 | 5.3 Medium |
| scripts/cli.js in the GoDaddy node-config-shield (aka Config Shield) package before 0.2.2 for Node.js calls eval when processing a set command. NOTE: the vendor reportedly states that this is not a vulnerability. The set command was not intended for use with untrusted data | ||||
| CVE-2021-22387 | 1 Huawei | 2 Emui, Magic Ui | 2024-08-03 | 9.8 Critical |
| There is an Improper Control of Dynamically Managing Code Resources Vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may allow attempts to remotely execute commands. | ||||
| CVE-2021-21413 | 1 Isolated-vm Project | 1 Isolated-vm | 2024-08-03 | 8 High |
| isolated-vm is a library for nodejs which gives you access to v8's Isolate interface. Versions of isolated-vm before v4.0.0 have API pitfalls which may make it easy for implementers to expose supposed secure isolates to the permissions of the main nodejs isolate. Reference objects allow access to the underlying reference's full prototype chain. In an environment where the implementer has exposed a Reference instance to an attacker they would be able to use it to acquire a Reference to the nodejs context's Function object. Similar application-specific attacks could be possible by modifying the local prototype of other API objects. Access to NativeModule objects could allow an attacker to load and run native code from anywhere on the filesystem. If combined with, for example, a file upload API this would allow for arbitrary code execution. This is addressed in v4.0.0 through a series of related changes. | ||||
| CVE-2022-44000 | 1 Backclick | 1 Backclick | 2024-08-03 | 9.8 Critical |
| An issue was discovered in BACKCLICK Professional 5.9.63. Due to an exposed internal communications interface, it is possible to execute arbitrary system commands on the server. | ||||
| CVE-2022-43441 | 1 Ghost | 1 Sqlite3 | 2024-08-03 | 8.1 High |
| A code execution vulnerability exists in the Statement Bindings functionality of Ghost Foundation node-sqlite3 5.1.1. A specially-crafted Javascript file can lead to arbitrary code execution. An attacker can provide malicious input to trigger this vulnerability. | ||||
| CVE-2022-36067 | 2 Redhat, Vm2 Project | 3 Acm, Multicluster Engine, Vm2 | 2024-08-03 | 10 Critical |
| vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. In versions prior to version 3.9.11, a threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox. This vulnerability was patched in the release of version 3.9.11 of vm2. There are no known workarounds. | ||||
| CVE-2022-25355 | 1 Ec-cube | 1 Ec-cube | 2024-08-03 | 5.3 Medium |
| EC-CUBE 3.0.0 to 3.0.18-p3 and EC-CUBE 4.0.0 to 4.1.1 improperly handle HTTP Host header values, which may lead a remote unauthenticated attacker to direct the vulnerable version of EC-CUBE to send an Email with some forged reissue-password URL to EC-CUBE users. | ||||