Vulnerabilities (CVE)

Total 79903 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-6572 2024-09-09 N/A 7.4 HIGH
Improper host key checking in active check 'Check SFTP Service' and special agent 'VNX quotas and filesystem' in Checkmk before Checkmk 2.3.0p15, 2.2.0p33, 2.1.0p48 and 2.0.0 (EOL) allows man-in-the-middle attackers to intercept traffic
CVE-2024-41160 1 Openatom 1 Openharmony 2024-09-09 N/A 7.8 HIGH
in OpenHarmony v4.1.0 and prior versions allow a local attacker cause the common permission is upgraded to root and sensitive information leak through use after free.
CVE-2024-43804 1 Roxy-wi 1 Roxy-wi 2024-09-06 N/A 8.8 HIGH
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. An OS Command Injection vulnerability allows any authenticated user on the application to execute arbitrary code on the web application server via port scanning functionality. User-supplied input is used without validation when constructing and executing an OS command. User supplied JSON POST data is parsed and if "id" JSON key does not exist, JSON value supplied via "ip" JSON key is assigned to the "ip" variable. Later on, "ip" variable which can be controlled by the attacker is used when constructing the cmd and cmd1 strings without any extra validation. Then, server_mod.subprocess_execute function is called on both cmd1 and cmd2. When the definition of the server_mod.subprocess_execute() function is analyzed, it can be seen that subprocess.Popen() is called on the input parameter with shell=True which results in OS Command Injection. This issue has not yet been patched. Users are advised to contact the Roxy-WI to coordinate a fix.
CVE-2024-41964 1 Getkirby 1 Kirby 2024-09-06 N/A 8.1 HIGH
Kirby is a CMS targeting designers and editors. Kirby allows to restrict the permissions of specific user roles. Users of that role can only perform permitted actions. Permissions for creating and deleting languages have already existed and could be configured, but were not enforced by Kirby's frontend or backend code. A permission for updating existing languages has not existed before the patched versions. So disabling the languages.* wildcard permission for a role could not have prohibited updates to existing language definitions. The missing permission checks allowed attackers with Panel access to manipulate the language definitions. The problem has been patched in Kirby 3.6.6.6, Kirby 3.7.5.5, Kirby 3.8.4.4, Kirby 3.9.8.2, Kirby 3.10.1.1, and Kirby 4.3.1. Please update to one of these or a later version to fix the vulnerability. There are no known workarounds for this vulnerability.
CVE-2024-5991 1 Wolfssl 1 Wolfssl 2024-09-06 N/A 7.5 HIGH
In function MatchDomainName(), input param str is treated as a NULL terminated string despite being user provided and unchecked. Specifically, the function X509_check_host() takes in a pointer and length to check against, with no requirements that it be NULL terminated. If a caller was attempting to do a name check on a non-NULL terminated buffer, the code would read beyond the bounds of the input array until it found a NULL terminator.This issue affects wolfSSL: through 5.7.0.
CVE-2024-8164 1 Beikeshop 1 Beikeshop 2024-09-06 6.5 MEDIUM 8.8 HIGH
A vulnerability, which was classified as critical, has been found in Chengdu Everbrite Network Technology BeikeShop up to 1.5.5. Affected by this issue is the function rename of the file /Admin/Http/Controllers/FileManagerController.php. The manipulation of the argument new_name leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-8163 1 Beikeshop 1 Beikeshop 2024-09-06 5.5 MEDIUM 8.1 HIGH
A vulnerability classified as critical was found in Chengdu Everbrite Network Technology BeikeShop up to 1.5.5. Affected by this vulnerability is the function destroyFiles of the file /admin/file_manager/files. The manipulation of the argument files leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-7570 1 Ivanti 1 Neurons For Itsm 2024-09-06 N/A 8.1 HIGH
Improper certificate validation in Ivanti ITSM on-prem and Neurons for ITSM Versions 2023.4 and earlier allows a remote attacker in a MITM position to craft a token that would allow access to ITSM as any user.
CVE-2024-37901 1 Xwiki 1 Xwiki 2024-09-06 N/A 8.8 HIGH
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with edit right on any page can perform arbitrary remote code execution by adding instances of `XWiki.SearchSuggestConfig` and `XWiki.SearchSuggestSourceClass` to their user profile or any other page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 14.10.21, 15.5.5 and 15.10.2.
CVE-2024-23499 1 Intel 1 Ethernet 800 Series Controllers Driver 2024-09-06 N/A 7.5 HIGH
Protection mechanism failure in Linux kernel mode driver for some Intel(R) Ethernet Network Controllers and Adapters E810 Series before version 28.3 may allow an unauthenticated user to potentially enable denial of service via network access.
CVE-2024-23907 1 Intel 3 High Level Synthesis Compiler, Oneapi Dpc\+\+\/c\+\+ Compiler, Quartus Prime 2024-09-06 N/A 7.8 HIGH
Uncontrolled search path in some Intel(R) High Level Synthesis Compiler software before version 23.4 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2024-23909 1 Intel 1 Field Programmable Gate Array Software Development Kit For Opencl 2024-09-06 N/A 7.8 HIGH
Uncontrolled search path in some Intel(R) FPGA SDK for OpenCL(TM) software technology may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2024-23981 1 Intel 1 Ethernet 800 Series Controllers Driver 2024-09-06 N/A 8.8 HIGH
Wrap-around error in Linux kernel mode driver for some Intel(R) Ethernet Network Controllers and Adapters before version 28.3 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2024-24986 1 Intel 1 Ethernet 800 Series Controllers Driver 2024-09-06 N/A 8.8 HIGH
Improper access control in Linux kernel mode driver for some Intel(R) Ethernet Network Controllers and Adapters before version 28.3 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2024-25576 1 Intel 1 Agilex 7 Fpga Firmware 2024-09-06 N/A 7.9 HIGH
improper access control in firmware for some Intel(R) FPGA products before version 24.1 may allow a privileged user to enable escalation of privilege via local access.
CVE-2024-26022 1 Intel 1 Aptio V Uefi Firmware Integrator Tools 2024-09-06 N/A 7.8 HIGH
Improper access control in some Intel(R) UEFI Integrator Tools on Aptio V for Intel(R) NUC may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2024-26025 1 Intel 2 Advisor, Oneapi Base Toolkit 2024-09-06 N/A 7.8 HIGH
Incorrect default permissions for some Intel(R) Advisor software before version 2024.1 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2024-26027 1 Intel 1 Simics Package Manager 2024-09-06 N/A 7.8 HIGH
Uncontrolled search path for some Intel(R) Simics Package Manager software before version 1.8.3 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2024-28046 1 Intel 1 Graphics Performance Analyzers 2024-09-06 N/A 7.8 HIGH
Uncontrolled search path in some Intel(R) GPA software before version 2024.1 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2024-28172 1 Intel 2 Oneapi Hpc Toolkit, Trace Analyzer And Collector 2024-09-06 N/A 7.3 HIGH
Uncontrolled search path for some Intel(R) Trace Analyzer and Collector software before version 2022.1 may allow an authenticated user to potentially enable escalation of privilege via local access.