Vulnerabilities (CVE)

Total 79513 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-7306 1 Oretnom23 1 Establishment Billing Management System 2024-08-12 6.5 MEDIUM 8.8 HIGH
A vulnerability, which was classified as critical, was found in SourceCodester Establishment Billing Management System 1.0. Affected is an unknown function of the file /manage_block.php. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. VDB-273198 is the identifier assigned to this vulnerability.
CVE-2024-7528 1 Mozilla 3 Firefox, Firefox Esr, Thunderbird 2024-08-12 N/A 8.8 HIGH
Incorrect garbage collection interaction in IndexedDB could have led to a use-after-free. This vulnerability affects Firefox < 129, Firefox ESR < 128.1, and Thunderbird < 128.1.
CVE-2024-7530 1 Mozilla 1 Firefox 2024-08-12 N/A 8.8 HIGH
Incorrect garbage collection interaction could have led to a use-after-free. This vulnerability affects Firefox < 129.
CVE-2024-7525 1 Mozilla 3 Firefox, Firefox Esr, Thunderbird 2024-08-12 N/A 8.1 HIGH
It was possible for a web extension with minimal permissions to create a `StreamFilter` which could be used to read and modify the response body of requests on any site. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, Firefox ESR < 128.1, Thunderbird < 128.1, and Thunderbird < 115.14.
CVE-2024-7522 1 Mozilla 3 Firefox, Firefox Esr, Thunderbird 2024-08-12 N/A 8.8 HIGH
Editor code failed to check an attribute value. This could have led to an out-of-bounds read. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, Firefox ESR < 128.1, Thunderbird < 128.1, and Thunderbird < 115.14.
CVE-2024-7521 1 Mozilla 3 Firefox, Firefox Esr, Thunderbird 2024-08-12 N/A 8.8 HIGH
Incomplete WebAssembly exception handing could have led to a use-after-free. This vulnerability affects Firefox < 129, Firefox ESR < 115.14, Firefox ESR < 128.1, Thunderbird < 128.1, and Thunderbird < 115.14.
CVE-2024-3659 1 Kaongroup 2 Ar2140, Ar2140 Firmware 2024-08-12 N/A 7.2 HIGH
Firmware in KAON AR2140 routers prior to version 4.2.16 is vulnerable to a shell command injection via sending a crafted request to one of the endpoints. In order to exploit this vulnerability, one has to have access to the administrative portal of the router.
CVE-2024-41942 1 Jupyter 1 Jupyterhub 2024-08-12 N/A 7.2 HIGH
JupyterHub is software that allows one to create a multi-user server for Jupyter notebooks. Prior to versions 4.1.6 and 5.1.0, if a user is granted the `admin:users` scope, they may escalate their own privileges by making themselves a full admin user. The impact is relatively small in that `admin:users` is already an extremely privileged scope only granted to trusted users. In effect, `admin:users` is equivalent to `admin=True`, which is not intended. Note that the change here only prevents escalation to the built-in JupyterHub admin role that has unrestricted permissions. It does not prevent users with e.g. `groups` permissions from granting themselves or other users permissions via group membership, which is intentional. Versions 4.1.6 and 5.1.0 fix this issue.
CVE-2024-42356 1 Shopware 1 Shopware 2024-08-12 N/A 7.2 HIGH
Shopware is an open commerce platform. Prior to versions 6.6.5.1 and 6.5.8.13, the `context` variable is injected into almost any Twig Template and allows to access to current language, currency information. The context object allows also to switch for a short time the scope of the Context as a helper with a callable function. The function can be called also from Twig and as the second parameter allows any callable, it's possible to call from Twig any statically callable PHP function/method. It's not possible as customer to provide any Twig code, the attacker would require access to Administration to exploit it using Mail templates or using App Scripts. Update to Shopware 6.6.5.1 or 6.5.8.13 to receive a patch. For older versions of 6.1, 6.2, 6.3 and 6.4 corresponding security measures are also available via a plugin.
CVE-2024-42010 2024-08-12 N/A 7.5 HIGH
mod_css_styles in Roundcube through 1.5.7 and 1.6.x through 1.6.7 insufficiently filters Cascading Style Sheets (CSS) token sequences in rendered e-mail messages, allowing a remote attacker to obtain sensitive information.
CVE-2024-42370 2024-08-12 N/A 8.3 HIGH
Litestar is an Asynchronous Server Gateway Interface (ASGI) framework. In versions 2.10.0 and prior, Litestar's `docs-preview.yml` workflow is vulnerable to Environment Variable injection which may lead to secret exfiltration and repository manipulation. This issue grants a malicious actor the permission to write issues, read metadata, and write pull requests. In addition, the `DOCS_PREVIEW_DEPLOY_TOKEN` is exposed to the attacker. Commit 84d351e96aaa2a1338006d6e7221eded161f517b contains a fix for this issue.
CVE-2024-34623 1 Samsung 1 Notes 2024-08-09 N/A 7.8 HIGH
Out-of-bounds write in applying connected information in Samsung Notes prior to version 4.4.21.62 allows local attackers to potentially execute arbitrary code with Samsung Notes privilege.
CVE-2024-34622 1 Samsung 1 Notes 2024-08-09 N/A 7.8 HIGH
Out-of-bounds write in appending paragraph in Samsung Notes prior to version 4.4.21.62 allows local attackers to potentially execute arbitrary code with Samsung Notes privilege.
CVE-2024-32864 1 Johnsoncontrols 1 Exacqvision Web Service 2024-08-09 N/A 8.1 HIGH
Under certain circumstances exacqVision Web Services will not enforce secure web communications (HTTPS)
CVE-2024-32865 1 Johnsoncontrols 1 Exacqvision Server 2024-08-09 N/A 7.3 HIGH
Under certain circumstances the exacqVision Server will not properly validate TLS certificates provided by connected devices.
CVE-2024-32758 1 Johnsoncontrols 2 Exacqvision Client, Exacqvision Server 2024-08-09 N/A 7.5 HIGH
Under certain circumstances the communication between exacqVision Client and exacqVision Server will use insufficient key length and exchange
CVE-2024-32862 1 Johnsoncontrols 1 Exacqvision Web Service 2024-08-09 N/A 8.1 HIGH
Under certain circumstances the ExacqVision Web Services does not provide sufficient protection from untrusted domains.
CVE-2024-32863 1 Johnsoncontrols 1 Exacqvision Web Service 2024-08-09 N/A 8.8 HIGH
Under certain circumstances the exacqVision Web Services may be susceptible to Cross-Site Request Forgery (CSRF)
CVE-2024-7446 1 Emiloimagtolis 1 Ticket Reservation System 2024-08-09 5.8 MEDIUM 7.2 HIGH
A vulnerability, which was classified as critical, was found in itsourcecode Ticket Reservation System 1.0. This affects an unknown part of the file list_tickets.php. The manipulation of the argument prefSeat_id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-273531.
CVE-2024-7445 1 Emiloimagtolis 1 Ticket Reservation System 2024-08-09 5.8 MEDIUM 7.2 HIGH
A vulnerability, which was classified as critical, has been found in itsourcecode Ticket Reservation System 1.0. Affected by this issue is some unknown functionality of the file checkout_ticket_save.php. The manipulation of the argument data leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-273530 is the identifier assigned to this vulnerability.