Total
27033 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2024-9924 | 2024-10-15 | N/A | 9.8 CRITICAL | ||
The fix for CVE-2024-26261 was incomplete, and and the specific package for OAKlouds from Hgiga remains at risk. Unauthenticated remote attackers still can download arbitrary system files, which may be deleted subsequently . | |||||
CVE-2024-48033 | 2024-10-15 | N/A | 9.8 CRITICAL | ||
Deserialization of Untrusted Data vulnerability in Elie Burstein, Baptiste Gourdin Talkback allows Object Injection.This issue affects Talkback: from n/a through 1.0. | |||||
CVE-2024-9982 | 2024-10-15 | N/A | 9.8 CRITICAL | ||
AIM LINE Marketing Platform from Esi Technology does not properly validate a specific query parameter. When the LINE Campaign Module is enabled, unauthenticated remote attackers can inject arbitrary FetchXml commands to read, modify, and delete database content. | |||||
CVE-2024-45698 | 1 Dlink | 2 Dir-x4860, Dir-x4860 Firmware | 2024-10-15 | N/A | 9.8 CRITICAL |
Certain models of D-Link wireless routers do not properly validate user input in the telnet service, allowing unauthenticated remote attackers to use hard-coded credentials to log into telnet and inject arbitrary OS commands, which can then be executed on the device. | |||||
CVE-2024-9142 | 2024-10-14 | N/A | 9.8 CRITICAL | ||
External Control of File Name or Path, : Incorrect Permission Assignment for Critical Resource vulnerability in Olgu Computer Systems e-Belediye allows Manipulating Web Input to File System Calls.This issue affects e-Belediye: before 2.0.642. | |||||
CVE-2024-45746 | 2024-10-11 | N/A | 9.8 CRITICAL | ||
An issue was discovered in Trusted Firmware-M through 2.1.0. User provided (and controlled) mailbox messages contain a pointer to a list of input arguments (in_vec) and output arguments (out_vec). These list pointers are never validated. Each argument list contains a buffer pointer and a buffer length field. After a PSA call, the length of the output arguments behind the unchecked pointer is updated in mailbox_direct_reply, regardless of the call result. This allows an attacker to write anywhere in the secure firmware, which can be used to take over the control flow, leading to remote code execution (RCE). | |||||
CVE-2024-25825 | 2024-10-11 | N/A | 9.8 CRITICAL | ||
FydeOS for PC 17.1 R114, FydeOS for VMware 17.0 R114, FydeOS for You 17.1 R114, and OpenFyde R114 were discovered to be configured with the root password saved as a wildcard. This allows attackers to gain root access without a password. | |||||
CVE-2024-47553 | 1 Siemens | 1 Sinec Security Monitor | 2024-10-11 | N/A | 9.9 CRITICAL |
A vulnerability has been identified in Siemens SINEC Security Monitor (All versions < V4.9.0). The affected application does not properly validate user input to the ```ssmctl-client``` command. This could allow an authenticated, lowly privileged remote attacker to execute arbitrary code with root privileges on the underlying OS. | |||||
CVE-2024-44400 | 1 Dlink | 2 Di-8400, Di-8400 Firmware | 2024-10-11 | N/A | 9.8 CRITICAL |
A vulnerability was discovered in DI_8400-16.07.26A1, which has been classified as critical. This issue affects the upgrade_filter_asp function in the upgrade_filter.asp file. Manipulation of the path parameter can lead to command injection. | |||||
CVE-2024-46446 | 1 Mecha-cms | 1 Mecha | 2024-10-11 | N/A | 9.8 CRITICAL |
Mecha CMS 3.0.0 is vulnerable to Directory Traversal. An attacker can construct cookies and URIs that bypass user identity checks. Parameters can then be passed through the POST method, resulting in the Deletion of Arbitrary Files or Website Takeover. | |||||
CVE-2024-45115 | 1 Adobe | 3 Commerce, Commerce B2b, Magento | 2024-10-10 | N/A | 9.8 CRITICAL |
Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Authentication vulnerability that could result in privilege escalation. An attacker could exploit this vulnerability to gain unauthorized access or elevated privileges within the application. Exploitation of this issue does not require user interaction. | |||||
CVE-2024-44349 | 2024-10-10 | N/A | 9.8 CRITICAL | ||
A SQL injection vulnerability in login portal in AnteeoWMS before v4.7.34 allows unauthenticated attackers to execute arbitrary SQL commands via the username parameter and disclosure of some data in the underlying DB. | |||||
CVE-2024-43918 | 1 Woobewoo | 1 Product Table | 2024-10-10 | N/A | 9.8 CRITICAL |
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WBW WBW Product Table PRO allows SQL Injection.This issue affects WBW Product Table PRO: from n/a through 1.9.4. | |||||
CVE-2024-45874 | 2024-10-10 | N/A | 9.8 CRITICAL | ||
A DLL hijacking vulnerability in VegaBird Vooki 5.2.9 allows attackers to execute arbitrary code / maintain persistence via placing a crafted DLL file in the same directory as Vooki.exe. | |||||
CVE-2024-45873 | 2024-10-10 | N/A | 9.8 CRITICAL | ||
A DLL hijacking vulnerability in VegaBird Yaazhini 2.0.2 allows attackers to execute arbitrary code / maintain persistence via placing a crafted DLL file in the same directory as Yaazhini.exe. | |||||
CVE-2024-8884 | 2024-10-10 | N/A | 9.8 CRITICAL | ||
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists that could cause exposure of credentials when attacker has access to application on network over http | |||||
CVE-2024-3057 | 2024-10-10 | N/A | 9.8 CRITICAL | ||
A flaw exists whereby a user can make a specific call to a FlashArray endpoint allowing privilege escalation. | |||||
CVE-2024-41798 | 2024-10-10 | N/A | 9.8 CRITICAL | ||
A vulnerability has been identified in SENTRON 7KM PAC3200 (All versions). Affected devices only provide a 4-digit PIN to protect from administrative access via Modbus TCP interface. Attackers with access to the Modbus TCP interface could easily bypass this protection by brute-force attacks or by sniffing the Modbus clear text communication. | |||||
CVE-2024-45160 | 2024-10-10 | N/A | 9.1 CRITICAL | ||
Incorrect credential validation in LemonLDAP::NG 2.18.x and 2.19.x before 2.19.2 allows attackers to bypass OAuth2 client authentication via an empty client_password parameter (client secret). | |||||
CVE-2024-43699 | 1 Deltaww | 1 Diaenergie | 2024-10-08 | N/A | 9.8 CRITICAL |
Delta Electronics DIAEnergie is vulnerable to an SQL injection in the script AM_RegReport.aspx. An unauthenticated attacker may be able to exploit this issue to obtain records contained in the targeted product. |