Total
27069 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-8875 | 1 Wcms | 1 Wcms | 2024-09-20 | 5.5 MEDIUM | 9.1 CRITICAL |
| A vulnerability classified as critical was found in vedees wcms up to 0.3.2. Affected by this vulnerability is an unknown functionality of the file /wex/finder.php. The manipulation of the argument p leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-45595 | 1 Man | 1 D-tale | 2024-09-20 | N/A | 9.8 CRITICAL |
| D-Tale is a visualizer for Pandas data structures. Users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. Users should upgrade to version 3.14.1 where the "Custom Filter" input is turned off by default. | |||||
| CVE-2024-21416 | 1 Microsoft | 10 Windows 10 1809, Windows 10 21h2, Windows 10 22h2 and 7 more | 2024-09-20 | N/A | 9.8 CRITICAL |
| Windows TCP/IP Remote Code Execution Vulnerability | |||||
| CVE-2024-7098 | 1 Sfs | 1 Winsure | 2024-09-20 | N/A | 9.8 CRITICAL |
| Improper Restriction of XML External Entity Reference vulnerability in SFS Consulting ww.Winsure allows XML Injection.This issue affects ww.Winsure: before 4.6.2. | |||||
| CVE-2024-6401 | 1 Sfs | 1 Insuree Gl | 2024-09-20 | N/A | 9.8 CRITICAL |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in SFS Consulting InsureE GL allows SQL Injection.This issue affects InsureE GL: before 4.6.2. | |||||
| CVE-2024-8880 | 1 Playsms | 1 Playsms | 2024-09-20 | 5.1 MEDIUM | 9.8 CRITICAL |
| A vulnerability classified as critical has been found in playSMS 1.4.4/1.4.5/1.4.6/1.4.7. Affected is an unknown function of the file /playsms/index.php?app=main&inc=core_auth&route=forgot&op=forgot of the component Template Handler. The manipulation of the argument username/email/captcha leads to code injection. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. The project maintainer was informed early about the issue. Investigation shows that playSMS up to 1.4.3 contained a fix but later versions re-introduced the flaw. As long as the latest version of the playsms/tpl package is used, the software is not affected. Version >=1.4.4 shall fix this issue for sure. | |||||
| CVE-2024-8963 | 1 Ivanti | 1 Endpoint Manager Cloud Services Appliance | 2024-09-20 | N/A | 9.1 CRITICAL |
| Path Traversal in the Ivanti CSA before 4.6 Patch 519 allows a remote unauthenticated attacker to access restricted functionality. | |||||
| CVE-2024-8862 | 1 H2o | 1 H2o | 2024-09-20 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability, which was classified as critical, has been found in h2oai h2o-3 3.46.0.4. This issue affects the function getConnectionSafe of the file /dtale/chart-data/1 of the component JDBC Connection Handler. The manipulation of the argument query leads to deserialization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-44902 | 1 Thinkphp | 1 Thinkphp | 2024-09-20 | N/A | 9.8 CRITICAL |
| A deserialization vulnerability in Thinkphp v6.1.3 to v8.0.4 allows attackers to execute arbitrary code. | |||||
| CVE-2024-6795 | 1 Baxter | 1 Connex Health Portal | 2024-09-20 | N/A | 9.8 CRITICAL |
| In Connex health portal released before8/30/2024, SQL injection vulnerabilities were found that could have allowed an unauthenticated attacker to gain unauthorized access to Connex portal's database. An attacker could have submitted a crafted payload to Connex portal that could have resulted in modification and disclosure of database content and/or perform administrative operations including shutting down the database. | |||||
| CVE-2024-6796 | 1 Baxter | 1 Connex Health Portal | 2024-09-20 | N/A | 9.1 CRITICAL |
| In Baxter Connex health portal released before 8/30/2024, an improper access control vulnerability has been found that could allow an unauthenticated attacker to gain unauthorized access to Connex portal's database and/or modify content. | |||||
| CVE-2024-7104 | 1 Sfs | 1 Winsure | 2024-09-20 | N/A | 9.8 CRITICAL |
| Improper Control of Generation of Code ('Code Injection') vulnerability in SFS Consulting ww.Winsure allows Code Injection.This issue affects ww.Winsure: before 4.6.2. | |||||
| CVE-2024-45523 | 2024-09-20 | N/A | 9.1 CRITICAL | ||
| An issue was discovered in Bravura Security Fabric versions 12.3.x before 12.3.5.32784, 12.4.x before 12.4.3.35110, 12.5.x before 12.5.2.35950, 12.6.x before 12.6.2.37183, and 12.7.x before 12.7.1.38241. An unauthenticated attacker can cause a resource leak by issuing multiple failed login attempts through API SOAP. | |||||
| CVE-2024-45415 | 2024-09-20 | N/A | 9.8 CRITICAL | ||
| The HTTPD binary in multiple ZTE routers has a stack-based buffer overflow vulnerability in check_data_integrity function. This function is responsible for validating the checksum of data in post request. The checksum is sent encrypted in the request, the function decrypts it and stores the checksum on the stack without validating it. An unauthenticated attacker can get RCE as root by exploiting this vulnerability. | |||||
| CVE-2024-45414 | 2024-09-20 | N/A | 9.8 CRITICAL | ||
| The HTTPD binary in multiple ZTE routers has a stack-based buffer overflow vulnerability in webPrivateDecrypt function. This function is responsible for decrypting RSA encrypted ciphertext, the encrypted data is supplied base64 encoded. The decoded ciphertext is stored on the stack without checking its length. An unauthenticated attacker can get RCE as root by exploiting this vulnerability. | |||||
| CVE-2024-8767 | 2024-09-20 | N/A | 9.9 CRITICAL | ||
| Sensitive data disclosure and manipulation due to unnecessary privileges assignment. The following products are affected: Acronis Backup plugin for cPanel & WHM (Linux) before build 619, Acronis Backup extension for Plesk (Linux) before build 555, Acronis Backup plugin for DirectAdmin (Linux) before build 147. | |||||
| CVE-2024-45798 | 2024-09-20 | N/A | 9.9 CRITICAL | ||
| arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. The `arduino-esp32` CI is vulnerable to multiple Poisoned Pipeline Execution (PPE) vulnerabilities. Code injection in `tests_results.yml` workflow (`GHSL-2024-169`) and environment Variable injection (`GHSL-2024-170`). These issue have been addressed but users are advised to verify the contents of the downloaded artifacts. | |||||
| CVE-2024-44542 | 2024-09-20 | N/A | 9.8 CRITICAL | ||
| SQL Injection vulnerability in todesk v.1.1 allows a remote attacker to execute arbitrary code via the /todesk.com/news.html parameter. | |||||
| CVE-2024-34399 | 2024-09-20 | N/A | 9.8 CRITICAL | ||
| **UNSUPPORTED WHEN ASSIGNED** An issue was discovered in BMC Remedy Mid Tier 7.6.04. An unauthenticated remote attacker is able to access any user account without using any password. NOTE: This vulnerability only affects products that are no longer supported by the maintainer and the impacted version for this vulnerability is 7.6.04 only. | |||||
| CVE-2024-35515 | 2024-09-20 | N/A | 9.8 CRITICAL | ||
| Insecure deserialization in sqlitedict up to v2.1.0 allows attackers to execute arbitrary code. | |||||