Total
1085 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-2980 | 1 Abstrium | 1 Pydio Cells | 2024-08-02 | 6.3 Medium |
| A vulnerability classified as critical was found in Abstrium Pydio Cells 4.2.0. This vulnerability affects unknown code of the component User Creation Handler. The manipulation leads to improper control of resource identifiers. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 4.2.1 is able to address this issue. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-230212. | ||||
| CVE-2023-2797 | 1 Mattermost | 1 Mattermost | 2024-08-02 | 3.1 Low |
| Mattermost fails to sanitize code permalinks, allowing an attacker to preview code from private repositories by posting a specially crafted permalink on a channel. | ||||
| CVE-2023-1287 | 1 3ds | 1 Enovia Live Collaboration | 2024-08-02 | 9 Critical |
| An XSL template vulnerability in ENOVIA Live Collaboration V6R2013xE allows Remote Code Execution. | ||||
| CVE-2023-0493 | 1 Btcpayserver | 1 Btcpay Server | 2024-08-02 | 5.3 Medium |
| Improper Neutralization of Equivalent Special Elements in GitHub repository btcpayserver/btcpayserver prior to 1.7.5. | ||||
| CVE-2023-0476 | 1 Tenable | 1 Tenable.sc | 2024-08-02 | 6.5 Medium |
| A LDAP injection vulnerability exists in Tenable.sc due to improper validation of user-supplied input before returning it to users. An authenticated attacker could generate data in Active Directory using the application account through blind LDAP injection. | ||||
| CVE-2023-0302 | 1 Radare | 1 Radare2 | 2024-08-02 | 7.8 High |
| Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) in GitHub repository radareorg/radare2 prior to 5.8.2. | ||||
| CVE-2023-0040 | 1 Asynchttpclient Project | 1 Async-http-client | 2024-08-02 | 7.5 High |
| Versions of Async HTTP Client prior to 1.13.2 are vulnerable to a form of targeted request manipulation called CRLF injection. This vulnerability was the result of insufficient validation of HTTP header field values before sending them to the network. Users are vulnerable if they pass untrusted data into HTTP header field values without prior sanitisation. Common use-cases here might be to place usernames from a database into HTTP header fields. This vulnerability allows attackers to inject new HTTP header fields, or entirely new requests, into the data stream. This can cause requests to be understood very differently by the remote server than was intended. In general, this is unlikely to result in data disclosure, but it can result in a number of logical errors and other misbehaviours. | ||||
| CVE-2024-41111 | 2024-08-02 | 7.2 High | ||
| Sliver is an open source cross-platform adversary emulation/red team framework, it can be used by organizations of all sizes to perform security testing. Sliver version 1.6.0 (prerelease) is vulnerable to RCE on the teamserver by a low-privileged "operator" user. The RCE is as the system root user. The exploit is pretty fun as we make the Sliver server pwn itself. As described in a past issue (#65), "there is a clear security boundary between the operator and server, an operator should not inherently be able to run commands or code on the server." An operator who exploited this vulnerability would be able to view all console logs, kick all other operators, view and modify files stored on the server, and ultimately delete the server. This issue has not yet be addressed but is expected to be resolved before the full release of version 1.6.0. Users of the 1.6.0 prerelease should avoid using Silver in production. | ||||
| CVE-2024-39906 | 2024-08-02 | 8.4 High | ||
| A command injection vulnerability was found in the IndieAuth functionality of the Ruby on Rails based Haven blog web application. The affected functionality requires authentication, but an attacker can craft a link that they can pass to a logged in administrator of the blog software. This leads to the immediate execution of the provided commands when the link is accessed by the authenticated administrator. This issue may lead to Remote Code Execution (RCE) and has been addressed by commit `c52f07c`. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2024-40637 | 1 Getdbt | 1 Dbt Core | 2024-08-02 | 4.2 Medium |
| dbt enables data analysts and engineers to transform their data using the same practices that software engineers use to build applications. When a user installs a package in dbt, it has the ability to override macros, materializations, and other core components of dbt. This is by design, as it allows packages to extend and customize dbt's functionality. However, this also means that a malicious package could potentially override these components with harmful code. This issue has been fixed in versions 1.8.0, 1.6.14 and 1.7.14. Users are advised to upgrade. There are no kn own workarounds for this vulnerability. Users updating to either 1.6.14 or 1.7.14 will need to set `flags.require_explicit_package_overrides_for_builtin_materializations: False` in their configuration in `dbt_project.yml`. | ||||
| CVE-2024-40137 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2024-08-02 | 5.5 Medium |
| Dolibarr ERP CRM before 19.0.2-php8.2 was discovered to contain a remote code execution (RCE) vulnerability via the Computed field parameter under the Users Module Setup function. | ||||
| CVE-2024-39704 | 1 Unknown-corp | 1 Melty Blood Actress Again Current Code | 2024-08-02 | 9.8 Critical |
| Soft Circle French-Bread Melty Blood: Actress Again: Current Code through 1.07 Rev. 1.4.0 allows a remote attacker to execute arbitrary code on a client's machine via a crafted packet on TCP port 46318. | ||||
| CVE-2024-38700 | 2024-08-02 | 6.5 Medium | ||
| Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in realmag777 WPCS allows Code Injection.This issue affects WPCS: from n/a through 1.2.0.3. | ||||
| CVE-2024-37759 | 1 Datagear | 1 Datagear | 2024-08-02 | 9.8 Critical |
| DataGear v5.0.0 and earlier was discovered to contain a SpEL (Spring Expression Language) expression injection vulnerability via the Data Viewing interface. | ||||
| CVE-2024-37253 | 2024-08-02 | 2.7 Low | ||
| Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in WpDirectoryKit WP Directory Kit allows Code Injection.This issue affects WP Directory Kit: from n/a through 1.3.6. | ||||
| CVE-2024-36420 | 1 Flowiseai | 1 Flowise | 2024-08-02 | 7.5 High |
| Flowise is a drag & drop user interface to build a customized large language model flow. In version 1.4.3 of Flowise, the `/api/v1/openai-assistants-file` endpoint in `index.ts` is vulnerable to arbitrary file read due to lack of sanitization of the `fileName` body parameter. No known patches for this issue are available. | ||||
| CVE-2024-36522 | 1 Apache | 1 Wicket | 2024-08-02 | 9.8 Critical |
| The default configuration of XSLTResourceStream.java is vulnerable to remote code execution via XSLT injection when processing input from an untrusted source without validation. Users are recommended to upgrade to versions 10.1.0, 9.18.0 or 8.16.0, which fix this issue. | ||||
| CVE-2024-35777 | 2024-08-02 | 3.5 Low | ||
| Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in Automattic WooCommerce allows Content Spoofing.This issue affects WooCommerce: from n/a through 8.9.2. | ||||
| CVE-2024-35728 | 1 Themeisle | 1 Product Addons \& Fields For Woocommerce | 2024-08-02 | 5.3 Medium |
| Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in Themeisle PPOM for WooCommerce allows Code Inclusion.This issue affects PPOM for WooCommerce: from n/a through 32.0.20. | ||||
| CVE-2024-35680 | 1 Yithemes | 1 Yith Woocommerce Product Add-ons | 2024-08-02 | 5.3 Medium |
| Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in YITH YITH WooCommerce Product Add-Ons allows Code Injection.This issue affects YITH WooCommerce Product Add-Ons: from n/a through 4.9.2. | ||||