Total
263485 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-36228 | 1 Janusintl | 6 Noke Hd\+ Smart Padlock, Noke Hd\+ Smart Padlock Firmware, Noke Hd Smart Padlock and 3 more | 2024-09-19 | 6.5 Medium |
| Nokelock Smart padlock O1 Version 5.3.0 is vulnerable to Insecure Permissions. By sending a request, you can add any device and set the device password in the Nokelock app. | ||||
| CVE-2024-6086 | 1 Lunary | 1 Lunary | 2024-09-19 | 4.3 Medium |
| In version 1.2.7 of lunary-ai/lunary, any authenticated user, regardless of their role, can change the name of an organization due to improper access control. The function checkAccess() is not implemented, allowing users with the lowest privileges, such as the 'Prompt Editor' role, to modify organization attributes without proper authorization. | ||||
| CVE-2023-39854 | 1 Atx | 1 Ucrypt | 2024-09-19 | 6.5 Medium |
| The web interface of ATX Ucrypt through 3.5 allows authenticated users (or attackers using default credentials for the admin, master, or user account) to include files via a URL in the /hydra/view/get_cc_url url parameter. There can be resultant SSRF. | ||||
| CVE-2023-43271 | 1 70mai | 2 A500s, A500s Firmware | 2024-09-19 | 9.1 Critical |
| Incorrect access control in 70mai a500s v1.2.119 allows attackers to directly access and delete the video files of the driving recorder through ftp and other protocols. | ||||
| CVE-2023-43899 | 1 Hansuncms Project | 1 Hansuncms | 2024-09-19 | 9.8 Critical |
| hansun CMS v1.0 was discovered to contain a SQL injection vulnerability via the component /ajax/ajax_login.ashx. | ||||
| CVE-2024-35118 | 1 Ibm | 2 Maas360, Maas360 Mdm | 2024-09-19 | 4.6 Medium |
| IBM MaaS360 for Android 6.31 through 8.60 is using hard coded credentials that can be obtained by a user with physical access to the device. | ||||
| CVE-2023-43615 | 3 Arm, Fedoraproject, Mbed | 3 Mbed Tls, Fedora, Mbedtls | 2024-09-19 | 7.5 High |
| Mbed TLS 2.x before 2.28.5 and 3.x before 3.5.0 has a Buffer Overflow. | ||||
| CVE-2024-5714 | 1 Lunary | 1 Lunary | 2024-09-19 | 6.8 Medium |
| In lunary-ai/lunary version 1.2.4, an improper access control vulnerability allows members with team management permissions to manipulate project identifiers in requests, enabling them to invite users to projects in other organizations, change members to projects in other organizations with escalated privileges, and change members from other organizations to their own or other projects, also with escalated privileges. This vulnerability is due to the backend's failure to validate project identifiers against the current user's organization ID and projects belonging to it, as well as a misconfiguration in attribute naming (`org_id` should be `orgId`) that prevents proper user organization validation. As a result, attackers can cause inconsistencies on the platform for affected users and organizations, including unauthorized privilege escalation. The issue is present in the backend API endpoints for user invitation and modification, specifically in the handling of project IDs in requests. | ||||
| CVE-2024-5755 | 1 Lunary | 1 Lunary | 2024-09-19 | 5.3 Medium |
| In lunary-ai/lunary versions <=v1.2.11, an attacker can bypass email validation by using a dot character ('.') in the email address. This allows the creation of multiple accounts with essentially the same email address (e.g., 'attacker123@gmail.com' and 'attacker.123@gmail.com'), leading to incorrect synchronization and potential security issues. | ||||
| CVE-2023-45199 | 2 Arm, Mbed | 2 Mbed Tls, Mbedtls | 2024-09-19 | 9.8 Critical |
| Mbed TLS 3.2.x through 3.4.x before 3.5 has a Buffer Overflow that can lead to remote Code execution. | ||||
| CVE-2023-44812 | 1 Moosocial | 1 Moosocial | 2024-09-19 | 6.1 Medium |
| Cross Site Scripting (XSS) vulnerability in mooSocial v.3.1.8 allows a remote attacker to execute arbitrary code via a crafted payload to the admin_redirect_url parameter of the user login function. | ||||
| CVE-2023-40556 | 1 Toolstack | 1 Schedule Posts Calendar | 2024-09-19 | 4.3 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Greg Ross Schedule Posts Calendar plugin <= 5.2 versions. | ||||
| CVE-2023-44813 | 1 Moosocial | 1 Moosocial | 2024-09-19 | 6.1 Medium |
| Cross Site Scripting (XSS) vulnerability in mooSocial v.3.1.8 allows a remote attacker to execute arbitrary code via a crafted payload to the mode parameter of the invite friend login function. | ||||
| CVE-2023-44210 | 4 Acronis, Apple, Linux and 1 more | 4 Agent, Macos, Linux Kernel and 1 more | 2024-09-19 | 5.5 Medium |
| Sensitive information disclosure and manipulation due to missing authorization. The following products are affected: Acronis Agent (Linux, macOS, Windows) before build 29258. | ||||
| CVE-2022-25768 | 2024-09-19 | 7 High | ||
| The logic in place to facilitate the update process via the user interface lacks access control to verify if permission exists to perform the tasks. Prior to this patch being applied it might be possible for an attacker to access the Mautic version number or to execute parts of the upgrade process without permission. As upgrading in the user interface is deprecated, this functionality is no longer required. | ||||
| CVE-2024-47058 | 2024-09-19 | 2.9 Low | ||
| With access to edit a Mautic form, the attacker can add Cross-Site Scripting stored in the html filed. This could be used to steal sensitive information from the user's current session. | ||||
| CVE-2024-6204 | 1 Zohocorp | 1 Manageengine Exchange Reporter Plus | 2024-09-19 | 8.3 High |
| Zohocorp ManageEngine Exchange Reporter Plus versions before 5715 are vulnerable to SQL Injection in the reports module. | ||||
| CVE-2024-47050 | 2024-09-19 | 5.4 Medium | ||
| Prior to this patch being applied, Mautic's tracking was vulnerable to Cross-Site Scripting through the Page URL variable. | ||||
| CVE-2023-40634 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2024-09-19 | 7.8 High |
| In phasechecksercer, there is a possible missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed | ||||
| CVE-2021-27917 | 2024-09-19 | 7.3 High | ||
| Prior to this patch, a stored XSS vulnerability existed in the contact tracking and page hits report. | ||||