Vulnerabilities (CVE)

Total 79924 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-37728 2024-09-11 N/A 7.5 HIGH
Arbitrary File Read vulnerability in Xi'an Daxi Information Technology Co., Ltd OfficeWeb365 v.7.18.23.0 and v8.6.1.0 allows a remote attacker to obtain sensitive information via the "Pic/Indexes" interface
CVE-2024-28298 1 E-bmsoft 1 Bmplanning 2024-09-11 N/A 8.8 HIGH
SQL injection vulnerability in BM SOFT BMPlanning 1.0.0.1 allows authenticated users to execute arbitrary SQL commands via the SEC_IDF, LIE_IDF, PLANF_IDF, CLI_IDF, DOS_IDF, and possibly other parameters to /BMServerR.dll/BMRest.
CVE-2024-7436 1 Dlink 2 Di-8100, Di-8100 Firmware 2024-09-11 6.5 MEDIUM 8.8 HIGH
A vulnerability, which was classified as critical, has been found in D-Link DI-8100 16.07. This issue affects the function msp_info_htm of the file msp_info.htm. The manipulation of the argument cmd leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-273521 was assigned to this vulnerability.
CVE-2024-21898 1 Qnap 2 Qts, Quts Hero 2024-09-11 N/A 8.8 HIGH
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.6.2722 build 20240402 and later QuTS hero h5.1.6.2734 build 20240414 and later
CVE-2023-51367 1 Qnap 2 Qts, Quts Hero 2024-09-11 N/A 8.8 HIGH
A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute code via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.6.2722 build 20240402 and later QuTS hero h5.1.6.2734 build 20240414 and later
CVE-2024-7868 1 Xpdfreader 1 Xpdf 2024-09-11 N/A 8.2 HIGH
In Xpdf 4.05 (and earlier), invalid header info in a DCT (JPEG) stream can lead to an uninitialized variable in the DCT decoder. The proof-of-concept PDF file causes a segfault attempting to read from an invalid address.
CVE-2024-43275 1 Xyzscripts 1 Insert Php Code Snippet 2024-09-11 N/A 8.8 HIGH
Cross-Site Request Forgery (CSRF) vulnerability in xyzscripts.Com Insert PHP Code Snippet.This issue affects Insert PHP Code Snippet: from n/a through 1.3.6.
CVE-2024-42280 1 Linux 1 Linux Kernel 2024-09-10 N/A 7.8 HIGH
In the Linux kernel, the following vulnerability has been resolved: mISDN: Fix a use after free in hfcmulti_tx() Don't dereference *sp after calling dev_kfree_skb(*sp).
CVE-2023-37230 2024-09-10 N/A 8.8 HIGH
Loftware Spectrum (testDeviceConnection) before 5.1 allows SSRF.
CVE-2023-37229 2024-09-10 N/A 8.8 HIGH
Loftware Spectrum before 5.1 allows SSRF.
CVE-2024-44408 1 Dlink 2 Dir-823g, Dir-823g Firmware 2024-09-10 N/A 7.5 HIGH
D-Link DIR-823G v1.0.2B05_20181207 is vulnerable to Information Disclosure. The device allows unauthorized configuration file downloads, and the downloaded configuration files contain plaintext user passwords.
CVE-2024-44983 1 Linux 1 Linux Kernel 2024-09-10 N/A 7.1 HIGH
In the Linux kernel, the following vulnerability has been resolved: netfilter: flowtable: validate vlan header Ensure there is sufficient room to access the protocol field of the VLAN header, validate it once before the flowtable lookup. ===================================================== BUG: KMSAN: uninit-value in nf_flow_offload_inet_hook+0x45a/0x5f0 net/netfilter/nf_flow_table_inet.c:32 nf_flow_offload_inet_hook+0x45a/0x5f0 net/netfilter/nf_flow_table_inet.c:32 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626 nf_hook_ingress include/linux/netfilter_netdev.h:34 [inline] nf_ingress net/core/dev.c:5440 [inline]
CVE-2024-44978 1 Linux 1 Linux Kernel 2024-09-10 N/A 7.8 HIGH
In the Linux kernel, the following vulnerability has been resolved: drm/xe: Free job before xe_exec_queue_put Free job depends on job->vm being valid, the last xe_exec_queue_put can destroy the VM. Prevent UAF by freeing job before xe_exec_queue_put. (cherry picked from commit 32a42c93b74c8ca6d0915ea3eba21bceff53042f)
CVE-2024-42348 1 Fogproject 1 Fogproject 2024-09-10 N/A 8.6 HIGH
FOG is a cloning/imaging/rescue suite/inventory management system. FOG Server 1.5.10.41.2 can leak AD username and password when registering a computer. This vulnerability is fixed in 1.5.10.41.3 and 1.6.0-beta.1395.
CVE-2024-44867 2024-09-10 N/A 7.5 HIGH
phpok v3.0 was discovered to contain an arbitrary file read vulnerability via the component /autoload/file.php.
CVE-2024-45044 2024-09-10 N/A 8.8 HIGH
Bareos is open source software for backup, archiving, and recovery of data for operating systems. When a command ACL is in place and a user executes a command in bconsole using an abbreviation (i.e. "w" for "whoami") the ACL check did not apply to the full form (i.e. "whoami") but to the abbreviated form (i.e. "w"). If the command ACL is configured with negative ACL that should forbid using the "whoami" command, you could still use "w" or "who" as a command successfully. Fixes for the problem are shipped in Bareos versions 23.0.4, 22.1.6 and 21.1.11. If only positive command ACLs are used without any negation, the problem does not occur.
CVE-2024-8580 1 Totolink 2 T8, T8 Firmware 2024-09-10 7.6 HIGH 8.1 HIGH
A vulnerability classified as critical was found in TOTOLINK AC1200 T8 4.1.5cu.861_B20230220. This vulnerability affects unknown code of the file /etc/shadow.sample. The manipulation leads to use of hard-coded password. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-8564 1 Rems 1 Php Crud 2024-09-10 6.5 MEDIUM 8.8 HIGH
A vulnerability was found in SourceCodester PHP CRUD 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /endpoint/update.php. The manipulation of the argument tbl_person_id/first_name/middle_name/last_name leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
CVE-2024-8560 1 Oretnom23 1 Simple Invoice Generator System 2024-09-10 6.5 MEDIUM 8.8 HIGH
A vulnerability, which was classified as critical, was found in SourceCodester Simple Invoice Generator System 1.0. Affected is an unknown function of the file /save_invoice.php. The manipulation of the argument invoice_code/customer/cashier/total_amount/discount_percentage/discount_amount/tendered_amount leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
CVE-2024-8559 1 Remyandrade 1 Online Food Menu 2024-09-10 5.8 MEDIUM 7.2 HIGH
A vulnerability, which was classified as critical, has been found in SourceCodester Online Food Menu 1.0. This issue affects some unknown processing of the file /endpoint/delete-menu.php. The manipulation of the argument menu leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.