Total: 27084 CVE

CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2024-31151 | 1 Level1 | 2 Wbr-6012, Wbr-6012 Firmware | 2024-11-13 | N/A | 9.8 CRITICAL |
A security flaw involving hard-coded credentials in LevelOne WBR-6012's web services allows attackers to gain unauthorized access during the first 30 seconds post-boot. Other vulnerabilities can force a reboot, circumventing the initial time restriction for exploitation. The password string can be found at addresses 0x803cdd0f and 0x803da3e6: `803cdd0f 41 72 69 65 73 53 65 72 65 6e 61 43 ... ds "AriesSerenaCairryNativitaMegan"` It is referenced by the function at 0x800b78b0 and simplified in the pseudocode below: `if (is_equal = strcmp(password,"AriesSerenaCairryNativitaMegan")){ ret = 3;}` Where 3 is the return value to user-level access (0 being fail and 1 being admin/backdoor). While there's no legitimate functionality to change this password, once authenticated it is possible to manually make a change by taking advantage of TALOS-2024-XXXXX using HTTP POST parameter "Pu" (new user password) in place of "Pa" (new admin password). | |||||
CVE-2024-10943 | | | 2024-11-13 | N/A | 9.1 CRITICAL |
An authentication bypass vulnerability exists in the affected product. The vulnerability exists due to shared secrets across accounts and could allow a threat actor to impersonate a user if the threat actor is able to enumerate additional information required during authentication. | |||||
CVE-2024-49369 | | | 2024-11-13 | N/A | 9.8 CRITICAL |
Icinga is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. The TLS certificate validation in all Icinga 2 versions starting from 2.4.0 was flawed, allowing an attacker to impersonate both trusted cluster nodes as well as any API users that use TLS client certificates for authentication (ApiUser objects with the client_cn attribute set). This vulnerability has been fixed in v2.14.3, v2.13.10, v2.12.11, and v2.11.12. | |||||
CVE-2024-52297 | | | 2024-11-13 | N/A | 9.8 CRITICAL |
Tolgee is an open-source localization platform. Tolgee 3.81.1 included all configuration properties in the PublicConfigurationDTO publicly exposed to users. This vulnerability is fixed in v3.81.2. | |||||
CVE-2022-45157 | | | 2024-11-13 | N/A | 9.1 CRITICAL |
A vulnerability has been identified in the way that Rancher stores vSphere's CPI (Cloud Provider Interface) and CSI (Container Storage Interface) credentials used to deploy clusters through the vSphere cloud provider. This issue leads to the vSphere CPI and CSI passwords being stored in a plaintext object inside Rancher. This vulnerability is only applicable to users that deploy clusters in vSphere environments. | |||||
CVE-2024-43919 | 1 Yarpp | 1 Yet Another Related Posts Plugin | 2024-11-13 | N/A | 9.8 CRITICAL |
Access Control vulnerability in YARPP YARPP allows . This issue affects YARPP: from n/a through 5.30.10. | |||||
CVE-2024-6868 | 1 Mudler | 1 Localai | 2024-11-13 | N/A | 9.8 CRITICAL |
mudler/LocalAI version 2.17.1 allows for arbitrary file write due to improper handling of automatic archive extraction. When model configurations specify additional files as archives (e.g., .tar), these archives are automatically extracted after downloading. This behavior can be exploited to perform a 'tarslip' attack, allowing files to be written to arbitrary locations on the server, bypassing checks that normally restrict files to the models directory. This vulnerability can lead to remote code execution (RCE) by overwriting backend assets used by the server. | |||||
CVE-2024-50491 | 1 Micahblu | 1 Rsvp Me | 2024-11-13 | N/A | 9.8 CRITICAL |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Micah Blu RSVP ME allows SQL Injection. This issue affects RSVP ME: from n/a through 1.9.9. | |||||
CVE-2024-43341 | 1 Cozythemes | 1 Hello Agency | 2024-11-13 | N/A | 9.8 CRITICAL |
Missing Authorization vulnerability in CozyThemes Hello Agency allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Hello Agency: from n/a through 1.0.5. | |||||
CVE-2024-43923 | 1 Arraytics | 1 Wp Timetics | 2024-11-13 | N/A | 9.8 CRITICAL |
Missing Authorization vulnerability in Arraytics Timetics allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Timetics: from n/a through 1.0.23. | |||||
CVE-2024-10998 | 1 Bookstore Management System Project | 1 Bookstore Management System | 2024-11-13 | 7.5 HIGH | 9.8 CRITICAL |
A vulnerability was found in 1000 Projects Bookstore Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /admin/process_category_add.php. The manipulation of the argument cat leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
CVE-2024-10997 | 1 Bookstore Management System Project | 1 Bookstore Management System | 2024-11-13 | 6.5 MEDIUM | 9.8 CRITICAL |
A vulnerability was found in 1000 Projects Bookstore Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /book_list.php. The manipulation of the argument id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
CVE-2024-10996 | 1 Bookstore Management System Project | 1 Bookstore Management System | 2024-11-13 | 7.5 HIGH | 9.8 CRITICAL |
A vulnerability was found in 1000 Projects Bookstore Management System 1.0. It has been classified as critical. This affects an unknown part of the file /admin/process_category_edit.php. The manipulation of the argument cat leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
CVE-2024-10995 | 1 Codezips | 1 Hospital Appointment System | 2024-11-13 | 7.5 HIGH | 9.8 CRITICAL |
A vulnerability was found in Codezips Hospital Appointment System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /removeDoctorResult.php. The manipulation of the argument Name leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
CVE-2024-10988 | 1 Anisha | 1 E-health Care System | 2024-11-13 | 7.5 HIGH | 9.1 CRITICAL |
A vulnerability was found in code-projects E-Health Care System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /Doctor/doctor_login.php. The manipulation of the argument email leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. | |||||
CVE-2024-47636 | 1 Eyecix | 1 Jobsearch Wp Job Board | 2024-11-12 | N/A | 9.8 CRITICAL |
Deserialization of Untrusted Data vulnerability in Eyecix JobSearch allows Object Injection. This issue affects JobSearch: from n/a through 2.5.9. | |||||
CVE-2024-43929 | 1 Eyecix | 1 Jobsearch Wp Job Board | 2024-11-12 | N/A | 9.8 CRITICAL |
Missing Authorization vulnerability in eyecix JobSearch allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects JobSearch: from n/a through 2.5.4. | |||||
CVE-2024-47302 | 1 Wpmanageninja | 1 Fluent Support | 2024-11-12 | N/A | 9.8 CRITICAL |
Missing Authorization vulnerability in WPManageNinja LLC Fluent Support allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Fluent Support: from n/a through 1.8.0. | |||||
CVE-2024-47308 | 1 Templately | 1 Templately | 2024-11-12 | N/A | 9.8 CRITICAL |
Missing Authorization vulnerability in Templately allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Templately: from n/a through 3.1.2. | |||||
CVE-2024-47311 | 1 Kraftplugins | 1 Wheel Of Life | 2024-11-12 | N/A | 9.8 CRITICAL |
Missing Authorization vulnerability in Kraft Plugins Wheel of Life allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Wheel of Life: from n/a through 1.1.8. |