Total
1095 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2022-45801 | 1 Apache | 1 Streampark | 2024-10-15 | 5.4 Medium |
| Apache StreamPark 1.0.0 to 2.0.0 have a LDAP injection vulnerability. LDAP Injection is an attack used to exploit web based applications that construct LDAP statements based on user input. When an application fails to properly sanitize user input, it's possible to modify LDAP statements through techniques similar to SQL Injection. LDAP injection attacks could result in the granting of permissions to unauthorized queries, and content modification inside the LDAP tree. This risk may only occur when the user logs in with ldap, and the user name and password login will not be affected, Users of the affected versions should upgrade to Apache StreamPark 2.0.0 or later. | ||||
| CVE-2024-0552 | 1 Intumit | 2 Smartrobot, Smartrobot Firmware | 2024-10-14 | 9.8 Critical |
| Intumit inc. SmartRobot's web framwork has a remote code execution vulnerability. An unauthorized remote attacker can exploit this vulnerability to execute arbitrary commands on the remote server. | ||||
| CVE-2023-39213 | 1 Zoom | 2 Virtual Desktop Infrastructure, Zoom | 2024-10-10 | 9.6 Critical |
| Improper neutralization of special elements in Zoom Desktop Client for Windows and Zoom VDI Client before 5.15.2 may allow an unauthenticated user to enable an escalation of privilege via network access. | ||||
| CVE-2023-4818 | 1 Paxtechnology | 2 A920, Paydroid | 2024-10-10 | 7.6 High |
| PAX A920 device allows to downgrade bootloader due to a bug in its version check. The signature is correctly checked and only bootloader signed by PAX can be used. The attacker must have physical USB access to the device in order to exploit this vulnerability. | ||||
| CVE-2023-42136 | 1 Paxtechnology | 9 A50, A6650, A77 and 6 more | 2024-10-10 | 7.8 High |
| PAX Android based POS devices with PayDroid_8.1.0_Sagittarius_V11.1.50_20230614 or earlier can allow the execution of arbitrary commands with system account privilege by shell injection starting with a specific word. The attacker must have shell access to the device in order to exploit this vulnerability. | ||||
| CVE-2023-42135 | 1 Paxtechnology | 3 A50, A920 Pro, Paydroid | 2024-10-10 | 6.8 Medium |
| PAX A920Pro/A50 devices with PayDroid_8.1.0_Sagittarius_V11.1.50_20230614 or earlier can allow local code execution via parameter injection by bypassing the input validation when flashing a specific partition. The attacker must have physical USB access to the device in order to exploit this vulnerability. | ||||
| CVE-2023-33234 | 1 Apache | 1 Airflow Cncf Kubernetes | 2024-10-10 | 7.2 High |
| Arbitrary code execution in Apache Airflow CNCF Kubernetes provider version 5.0.0 allows user to change xcom sidecar image and resources via Airflow connection. In order to exploit this weakness, a user would already need elevated permissions (Op or Admin) to change the connection object in this manner. Operators should upgrade to provider version 7.0.0 which has removed the vulnerability. | ||||
| CVE-2023-33241 | 2 Gg18 Project, Gg20 Project | 2 Gg18, Gg20 | 2024-10-10 | 9.6 Critical |
| Crypto wallets implementing the GG18 or GG20 TSS protocol might allow an attacker to extract a full ECDSA private key by injecting a malicious pallier key and cheating in the range proof. Depending on the Beta parameters chosen in the protocol implementation, the attack might require 16 signatures or more fully exfiltrate the other parties' private key shares. | ||||
| CVE-2023-33242 | 1 Lindell17 Project | 1 Lindell17 | 2024-10-10 | 9.6 Critical |
| Crypto wallets implementing the Lindell17 TSS protocol might allow an attacker to extract the full ECDSA private key by exfiltrating a single bit in every signature attempt (256 in total) because of not adhering to the paper's security proof's assumption regarding handling aborts after a failed signature. | ||||
| CVE-2023-4157 | 1 Omeka | 2 Omeka, Omeka S | 2024-10-09 | 5.2 Medium |
| CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in GitHub repository omeka/omeka-s prior to version 4.0.3. | ||||
| CVE-2020-28848 | 1 Churchcrm | 1 Churchcrm | 2024-10-09 | 8.8 High |
| CSV Injection vulnerability in ChurchCRM version 4.2.0, allows remote attackers to execute arbitrary code via crafted CSV file. | ||||
| CVE-2023-48841 | 1 Phpjabbers | 1 Appointment Scheduler | 2024-10-09 | 8.8 High |
| Appointment Scheduler 3.0 is vulnerable to CSV Injection via a Language > Labels > Export action. | ||||
| CVE-2023-43364 | 1 Arjunsharda | 1 Searchor | 2024-10-09 | 9.8 Critical |
| main.py in Searchor before 2.4.2 uses eval on CLI input, which may cause unexpected code execution. | ||||
| CVE-2023-38896 | 1 Langchain | 1 Langchain | 2024-10-09 | 9.8 Critical |
| An issue in Harrison Chase langchain v.0.0.194 and before allows a remote attacker to execute arbitrary code via the from_math_prompt and from_colored_object_prompt functions. | ||||
| CVE-2023-39659 | 1 Langchain | 1 Langchain | 2024-10-08 | 9.8 Critical |
| An issue in langchain langchain-ai v.0.0.232 and before allows a remote attacker to execute arbitrary code via a crafted script to the PythonAstREPLTool._run component. | ||||
| CVE-2023-39661 | 1 Gabrieleventuri | 1 Pandasai | 2024-10-08 | 9.8 Critical |
| An issue in pandas-ai v.0.9.1 and before allows a remote attacker to execute arbitrary code via the _is_jailbreak function. | ||||
| CVE-2023-39662 | 1 Llamaindex Project | 1 Llamaindex | 2024-10-08 | 9.8 Critical |
| An issue in llama_index v.0.7.13 and before allows a remote attacker to execute arbitrary code via the `exec` parameter in PandasQueryEngine function. | ||||
| CVE-2022-24989 | 1 Terra-master | 30 F2-210, F2-221, F2-223 and 27 more | 2024-10-08 | 9.8 Critical |
| TerraMaster NAS through 4.2.30 allows remote WAN attackers to execute arbitrary code as root via the raidtype and diskstring parameters for PHP Object Instantiation to the api.php?mobile/createRaid URI. (Shell metacharacters can be placed in raidtype because popen is used without any sanitization.) The credentials from CVE-2022-24990 exploitation can be used. | ||||
| CVE-2024-47764 | 2024-10-07 | 3.7 Low | ||
| cookie is a basic HTTP cookie parser and serializer for HTTP servers. The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie. Upgrade to 0.7.0, which updates the validation for name, path, and domain. | ||||
| CVE-2024-46997 | 1 Dataease | 1 Dataease | 2024-10-07 | 9.8 Critical |
| DataEase is an open source data visualization analysis tool. Prior to version 2.10.1, an attacker can achieve remote command execution by adding a carefully constructed h2 data source connection string. The vulnerability has been fixed in v2.10.1. | ||||