Total: 2799 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2022-39337 | 1 Apache | 1 Hertzbeat | 2024-08-28 | 7.5 High | Hertzbeat is an open source, real-time monitoring system with custom monitoring, a high-performance cluster, Prometheus-like operation and an agentless design. Hertzbeat versions 1.20 and prior have a permission bypass vulnerability: system authentication can be bypassed to invoke interfaces without authorization. Version 1.2.1 contains a patch for this issue.
CVE-2024-26310 | | | 2024-08-28 | 4.3 Medium | Archer Platform 6.8 before 6.14 P2 (6.14.0.2) contains an improper access control vulnerability. A remote authenticated malicious user could potentially exploit this to gain access to API information that should only be accessible with extra privileges.
CVE-2023-47579 | 1 Relyum | 2 Rely-pcie, Rely-pcie Firmware | 2024-08-28 | 7.5 High | Relyum RELY-PCIe 22.2.1 devices suffer from a system group misconfiguration, allowing read access to the central password hash file of the operating system.
CVE-2023-45744 | | | 2024-08-28 | 8.3 High | A data integrity vulnerability exists in the web interface /cgi-bin/upload_config.cgi functionality of Peplink Smart Reader v1.2.0 (in QEMU). A specially crafted HTTP request can lead to configuration modification. An attacker can make an unauthenticated HTTP request to trigger this vulnerability.
CVE-2023-43491 | | | 2024-08-28 | 5.3 Medium | An information disclosure vulnerability exists in the web interface /cgi-bin/debug_dump.cgi functionality of Peplink Smart Reader v1.2.0 (in QEMU). A specially crafted HTTP request can lead to a disclosure of sensitive information. An attacker can make an unauthenticated HTTP request to trigger this vulnerability.
CVE-2024-5814 | 1 Wolfssl | 1 Wolfssl | 2024-08-28 | N/A | A malicious TLS 1.2 server can force a TLS 1.3 client with downgrade capability to use a ciphersuite that it did not agree to and achieve a successful connection. This is because, aside from the extensions, the client was skipping fully parsing the server hello. https://doi.org/10.46586/tches.v2024.i1.457-500
CVE-2023-51786 | | | 2024-08-27 | 9.1 Critical | An issue was discovered in Lustre versions 2.13.x, 2.14.x, and 2.15.x before 2.15.4 that allows attackers to escalate privileges and obtain sensitive information via incorrect access control.
CVE-2024-20325 | | | 2024-08-27 | 5.1 Medium | A vulnerability in the Live Data server of Cisco Unified Intelligence Center could allow an unauthenticated, local attacker to read and modify data in a repository that belongs to an internal service on an affected device. This vulnerability is due to insufficient access control implementations on cluster configuration CLI requests. An attacker could exploit this vulnerability by sending a cluster configuration CLI request to specific directories on an affected device. A successful exploit could allow the attacker to read and modify data that is handled by an internal service on the affected device.
CVE-2023-36644 | | | 2024-08-27 | 7.5 High | Incorrect access control in ITB-GmbH TradePro v9.5 allows remote attackers to receive all order confirmations from the online shop via the printmail plugin.
CVE-2022-47036 | | | 2024-08-27 | 9.8 Critical | Siklu TG Terragraph devices before approximately 2.1.1 have a hardcoded root password that has been revealed via a brute force attack on an MD5 hash. It can be used for "debug login" by an admin. NOTE: the vulnerability is not fixed by the 2.1.1 firmware; instead, it is fixed in newer hardware, which would typically be used with firmware 2.1.1 or later.
CVE-2023-52114 | 1 Huawei | 2 Emui, Harmonyos | 2024-08-27 | 7.5 High | Data confidentiality vulnerability in the ScreenReader module. Successful exploitation of this vulnerability may affect service integrity.
CVE-2023-52105 | 1 Huawei | 1 Harmonyos | 2024-08-27 | 7.5 High | The nearby module has a privilege escalation vulnerability. Successful exploitation of this vulnerability may affect availability.
CVE-2024-3270 | | | 2024-08-27 | 3.8 Low | A vulnerability classified as problematic was found in ThingsBoard up to 3.6.2. This vulnerability affects unknown code of the component AdvancedFeature. The manipulation leads to improper access controls. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-259282 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure and replied that it is planning to fix this issue in version 3.7.
CVE-2023-51774 | | | 2024-08-26 | 8.4 High | The json-jwt (aka JSON::JWT) gem 1.16.3 for Ruby sometimes allows bypass of identity checks via a sign/encryption confusion attack. For example, JWE can sometimes be used to bypass JSON::JWT.decode.
CVE-2023-49545 | | | 2024-08-26 | 7.5 High | A directory listing vulnerability in Customer Support System v1 allows attackers to list directories and sensitive files within the application without requiring authorization.
CVE-2023-38946 | | | 2024-08-26 | 8.8 High | An issue in Multilaser RE160 firmware v5.07.51_pt_MTL01 and v5.07.52_pt_MTL01 allows attackers to bypass the access control and gain complete access to the application via supplying a crafted cookie.
CVE-2024-31815 | | | 2024-08-26 | 9.1 Critical | In TOTOLINK EX200 V4.0.3c.7314_B20191204, an attacker can obtain the configuration file without authorization through /cgi-bin/ExportSettings.sh.
CVE-2023-44031 | 1 Reprise | 1 License Manager | 2024-08-26 | 7.5 High | Incorrect access control in Reprise License Management Software Reprise License Manager v15.1 allows attackers to arbitrarily save sensitive files in insecure locations via a crafted POST request.
CVE-2024-43397 | 1 Apolloconfig | 1 Apollo | 2024-08-26 | 4.3 Medium | Apollo is a configuration management system. A vulnerability exists in the synchronization configuration feature that allows users to craft specific requests to bypass permission checks. This exploit enables them to modify a namespace without the necessary permissions. The issue was addressed with an input parameter check, which was released in version 2.3.0.
CVE-2024-0712 | 1 Byzoro | 2 Smart S150, Smart S150 Firmware | 2024-08-26 | 7.3 High | A vulnerability was found in Byzoro Smart S150 Management Platform V31R02B15. It has been classified as critical. Affected is an unknown function of the file /useratte/inc/userattea.php. The manipulation leads to improper access controls. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-251538 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.