Total
271776 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-53843 | 1 Cloud Native Computing Foundation | 1 Keycloak-connector | 2024-11-26 | 8.1 High |
| @dapperduckling/keycloak-connector-server is an opinionated series of libraries for Node.js applications and frontend clients to interface with keycloak. A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the authentication flow of the application. This issue arises due to improper sanitization of the URL parameters, allowing the URL bar's contents to be injected and reflected into the HTML page. An attacker could craft a malicious URL to execute arbitrary JavaScript in the browser of a victim who visits the link. Any application utilizing this authentication library is vulnerable. Users of the application are at risk if they can be lured into clicking on a crafted malicious link. The vulnerability has been patched in version 2.5.5 by ensuring proper sanitization and escaping of user input in the affected URL parameters. Users are strongly encouraged to upgrade. If upgrading is not immediately possible, users can implement the following workarounds: 1. Employ a Web Application Firewall (WAF) to block malicious requests containing suspicious URL parameters. or 2. Apply input validation and escaping directly within the application’s middleware or reverse proxy layer, specifically targeting the affected parameters. | ||||
| CVE-2024-23353 | 1 Qualcomm | 502 205 Mobile Platform, 205 Mobile Platform Firmware, 215 Mobile Platform and 499 more | 2024-11-26 | 7.5 High |
| Transient DOS while decoding attach reject message received by UE, when IEI is set to ESM_IEI. | ||||
| CVE-2024-49353 | 1 Ibm | 1 Watson Speech Services Cartridge On Cloud Pak For Data | 2024-11-26 | 7.5 High |
| IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data 4.0.0 through 5.0.2 does not properly check inputs to resources that are used concurrently, which might lead to unexpected states, possibly resulting in a crash. | ||||
| CVE-2024-7565 | 1 Smartbear | 1 Soapui | 2024-11-26 | N/A |
| SMARTBEAR SoapUI unpackageAll Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of SMARTBEAR SoapUI. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the unpackageAll function. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-19060. | ||||
| CVE-2023-43298 | 1 Linecorp | 1 Line | 2024-11-26 | 5.3 Medium |
| An issue in SCOL Members Card mini-app on Line v13.6.1 allows attackers to send crafted malicious notifications via leakage of the channel access token. | ||||
| CVE-2023-48208 | 1 Phpjabbers | 1 Availability Booking Calendar | 2024-11-26 | 6.1 Medium |
| A Cross Site Scripting vulnerability in Availability Booking Calendar 5.0 allows an attacker to inject JavaScript via the name, plugin_sms_api_key, plugin_sms_country_code, uuid, title, or country name parameter to index.php. | ||||
| CVE-2024-8355 | 1 Visteon | 1 Infotainment | 2024-11-26 | N/A |
| Visteon Infotainment System DeviceManager iAP Serial Number SQL Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Visteon Infotainment system. Authentication is not required to exploit this vulnerability. The specific flaw exists within the DeviceManager. When parsing the iAP Serial number, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-20112. | ||||
| CVE-2023-48836 | 1 Phpjabbers | 1 Car Rental Script | 2024-11-26 | 5.4 Medium |
| Car Rental Script 3.0 is vulnerable to Multiple Stored Cross-Site Scripting (XSS) issues via the name, plugin_sms_api_key, plugin_sms_country_code, calendar_id, title, country name, or customer_name parameter. | ||||
| CVE-2024-50367 | 1 Advantech | 3 Eki-6333ac-1gpo Firmware, Eki-6333ac-2g Firmware, Eki-6333ac-2gd Firmware | 2024-11-26 | 7.2 High |
| A CWE-78 "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" was discovered affecting the following devices manufactured by Advantech: EKI-6333AC-2G (<= 1.6.3), EKI-6333AC-2GD (<= v1.6.3) and EKI-6333AC-1GPO (<= v1.2.1). The source of the vulnerability relies on multiple parameters belonging to the "sta_log_htm" API which are not properly sanitized before being concatenated to OS level commands. | ||||
| CVE-2023-48861 | 2 Baidu, Microsoft | 2 Ttplayer, Windows | 2024-11-26 | 7.8 High |
| DLL hijacking vulnerability in TTplayer version 7.0.2, allows local attackers to escalate privileges and execute arbitrary code via urlmon.dll. | ||||
| CVE-2023-49432 | 1 Tenda | 2 Ax9, Ax9 Firmware | 2024-11-26 | 9.8 Critical |
| Tenda AX9 V22.03.01.46 has been found to contain a stack overflow vulnerability in the 'deviceList' parameter at /goform/setMacFilterCfg. | ||||
| CVE-2024-11674 | 1 Codeastro | 1 Hospital Management System | 2024-11-26 | 6.3 Medium |
| A vulnerability, which was classified as critical, was found in CodeAstro Hospital Management System 1.0. Affected is an unknown function of the file /backend/doc/his_doc_update-account.php. The manipulation of the argument doc_dpic leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-11675 | 1 Codeastro | 1 Hospital Management System | 2024-11-26 | 3.5 Low |
| A vulnerability has been found in CodeAstro Hospital Management System 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /backend/admin/his_admin_register_patient.php of the component Add Patient Details Page. The manipulation of the argument pat_fname/pat_ailment/pat_lname/pat_age/pat_dob/pat_number/pat_phone/pat_type/pat_addr leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-11676 | 1 Codeastro | 1 Hospital Management System | 2024-11-26 | 3.5 Low |
| A vulnerability was found in CodeAstro Hospital Management System 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /backend/admin/his_admin_add_lab_equipment.php of the component Add Laboratory Equipment Page. The manipulation of the argument eqp_code/eqp_name/eqp_vendor/eqp_desc/eqp_dept/eqp_status/eqp_qty leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-11662 | 1 Welliamcao | 1 Opsmanage | 2024-11-26 | 6.3 Medium |
| A vulnerability was found in welliamcao OpsManage 3.0.1/3.0.2/3.0.3/3.0.4/3.0.5. It has been rated as critical. This issue affects the function deploy_host_vars of the file /apps/api/views/deploy_api.py of the component API Endpoint. The manipulation leads to deserialization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-23355 | 1 Qualcomm | 286 Ar8035, Ar8035 Firmware, Fastconnect 6200 and 283 more | 2024-11-26 | 7.8 High |
| Memory corruption when keymaster operation imports a shared key. | ||||
| CVE-2023-49999 | 1 Tenda | 2 W30e, W30e Firmware | 2024-11-26 | 9.8 Critical |
| Tenda W30E V16.01.0.12(4843) was discovered to contain a command injection vulnerability via the function setUmountUSBPartition. | ||||
| CVE-2024-34435 | 1 Coderevolution | 1 Aiomatic | 2024-11-26 | 4.3 Medium |
| Missing Authorization vulnerability in CodeRevolution Aiomatic.This issue affects Aiomatic: from n/a through 1.9.3. | ||||
| CVE-2024-11663 | 1 Codezips | 1 Ecommerce Site | 2024-11-26 | 7.3 High |
| A vulnerability classified as critical was found in Codezips E-Commerce Site 1.0. Affected by this vulnerability is an unknown functionality of the file search.php. The manipulation of the argument keywords leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-52899 | 1 Ibm | 1 Data Virtualization Manager For Z-os | 2024-11-26 | 8.5 High |
| IBM Data Virtualization Manager for z/OS 1.1 and 1.2 could allow an authenticated user to inject malicious JDBC URL parameters and execute code on the server. | ||||