Total: 9656 CVEs
CVE | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|
CVE-2024-4321 | 2024-05-16 | N/A | 7.5 HIGH | A Local File Inclusion (LFI) vulnerability exists in the gaizhenbiao/chuanhuchatgpt application, specifically within the functionality for uploading chat history. The vulnerability arises from improper input validation when handling file paths during the chat history upload process. An attacker can exploit it by intercepting requests and manipulating the 'name' parameter to specify arbitrary file paths, which allows the attacker to read sensitive files on the server and leads to information leakage, including API keys and private information. The issue affects version 20240310 of the application. |
CVE-2024-3488 | 2024-05-15 | N/A | 5.6 MEDIUM | A file upload vulnerability in an unauthenticated session was found in OpenText™ iManager 3.2.6.0200. It could allow an attacker to upload a file without authentication. |
CVE-2024-20394 | 2024-05-15 | N/A | 5.5 MEDIUM | A vulnerability in Cisco AppDynamics Network Visibility Agent could allow an unauthenticated, local attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to the inability to handle unexpected input. An attacker who has local device access could exploit this vulnerability by sending an HTTP request to the targeted service. A successful exploit could allow the attacker to cause a DoS condition by stopping the Network Agent Service on the local device. |
CVE-2024-3968 | 2024-05-15 | N/A | 7.8 HIGH | A remote code execution vulnerability has been discovered in OpenText™ iManager 3.2.6.0200. It can be triggered through a custom file upload task. |
CVE-2024-2248 | 2024-05-15 | N/A | 6.4 MEDIUM | A Header Injection vulnerability in the JFrog platform in versions below 7.85.0 (SaaS) and 7.84.7 (Self-Hosted) may allow threat actors to take over the end user's account when the victim clicks on a specially crafted URL sent to their email. |
CVE-2024-34098 | 2024-05-15 | N/A | 7.8 HIGH | Acrobat Reader versions 20.005.30574, 24.002.20736 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. |
CVE-2024-3044 | 2024-05-15 | N/A | N/A | Unchecked script execution in the Graphic on-click binding in affected LibreOffice versions allows an attacker to create a document which, without prompting, will execute scripts built into LibreOffice when a graphic is clicked. Such scripts were previously deemed trusted but are now deemed untrusted. |
CVE-2024-30040 | 2024-05-15 | N/A | 8.8 HIGH | Windows MSHTML Platform Security Feature Bypass Vulnerability |
CVE-2024-28136 | 2024-05-14 | N/A | 7.8 HIGH | A local attacker with low privileges can use a command injection vulnerability in the OCPP Remote service, caused by improper input validation, to gain root privileges. |
CVE-2024-25970 | 2024-05-14 | N/A | 6.5 MEDIUM | Dell PowerScale OneFS versions 8.2.x through 9.7.0.1 contain an improper input validation vulnerability. A low-privileged remote attacker could potentially exploit this vulnerability, leading to loss of integrity. |
CVE-2024-28135 | 2024-05-14 | N/A | 5.0 MEDIUM | A low-privileged remote attacker can use a command injection vulnerability in the API, caused by improper input validation, to execute code remotely as the user-app user. Confidentiality is partly affected. |
CVE-2024-3372 | 2024-05-14 | N/A | 7.5 HIGH | Improper validation of certain metadata input may result in the server not correctly serialising BSON. This can be performed pre-authentication and may cause unexpected application behavior, including unavailability of serverStatus responses. This issue affects MongoDB Server v7.0 versions prior to 7.0.6, MongoDB Server v6.0 versions prior to 6.0.14 and MongoDB Server v5.0 versions prior to 5.0.25. |
CVE-2024-29998 | 2024-05-14 | N/A | 6.8 MEDIUM | Windows Mobile Broadband Driver Remote Code Execution Vulnerability |
CVE-2024-30054 | 2024-05-14 | N/A | 6.5 MEDIUM | Microsoft Power BI Client JavaScript SDK Information Disclosure Vulnerability |
CVE-2024-30002 | 2024-05-14 | N/A | 6.8 MEDIUM | Windows Mobile Broadband Driver Remote Code Execution Vulnerability |
CVE-2024-3676 | 2024-05-14 | N/A | 7.5 HIGH | The Proofpoint Encryption endpoint of Proofpoint Enterprise Protection contains an Improper Input Validation vulnerability that allows an unauthenticated remote attacker with a specially crafted HTTP request to create additional Encryption user accounts under the attacker's control. These accounts are able to send spoofed email to any users within the domains configured by the Administrator. |
CVE-2024-30258 | 2024-05-14 | N/A | 8.2 HIGH | FastDDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to versions 2.14.1, 2.13.5, 2.10.4, and 2.6.8, when a publisher serves a malformed `RTPS` packet, the subscriber crashes when creating a `pthread`. This can remotely crash any Fast-DDS process, potentially leading to a DoS attack. Versions 2.14.1, 2.13.5, 2.10.4, and 2.6.8 contain a patch for the issue. |
CVE-2024-25581 | 2024-05-14 | N/A | 7.5 HIGH | When incoming DNS over HTTPS support is enabled using the nghttp2 provider, and queries are routed to a tcp-only or DNS over TLS backend, an attacker can trigger an assertion failure in DNSdist by sending a request for a zone transfer (AXFR or IXFR) over DNS over HTTPS, causing the process to stop and thus leading to a Denial of Service. DNS over HTTPS is not enabled by default, and backends use plain DNS (Do53) by default. |
CVE-2024-25641 | 2024-05-14 | N/A | 9.1 CRITICAL | Cacti provides an operational monitoring and fault management framework. Prior to version 1.2.27, an arbitrary file write vulnerability, exploitable through the "Package Import" feature, allows authenticated users having the "Import Templates" permission to execute arbitrary PHP code on the web server. The vulnerability is located within the `import_package()` function defined in the `/lib/import.php` script. The function blindly trusts the filename and file content provided within the XML data, and writes such files into the Cacti base path (or even outside it, since path traversal sequences are not filtered). This can be exploited to write or overwrite arbitrary files on the web server, leading to execution of arbitrary PHP code or other security impacts. Version 1.2.27 contains a patch for this issue. |
CVE-2024-32669 | 2024-05-14 | N/A | 5.3 MEDIUM | Improper Input Validation vulnerability in the Samsung Open Source escargot JavaScript engine allows buffer overflows. However, the issue occurs in test code and is not included in the release. This issue affects escargot 4.0.0. |
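The chuanhuchatgpt chat-history LFI (CVE-2024-4321) and the Cacti `import_package()` file write (CVE-2024-25641) listed above share one root cause: a caller-supplied file name is joined onto a base directory and then read from or written to without checking that the result still lies inside that directory. The Python below is an added illustration and is not code from either project; every function and directory name in it (`naive_resolve`, `safe_resolve`, `safe_write`, `run_demo`, the `history` directory) is hypothetical. It shows the vulnerable join next to a containment check that also resolves symlinks, and runs constructed attacker inputs through both.

```python
import os
import tempfile

# Added example, not code from chuanhuchatgpt or Cacti. All names below
# (naive_resolve, safe_resolve, safe_write, classify, run_demo) are hypothetical.


def naive_resolve(base_dir: str, user_supplied: str) -> str:
    """The vulnerable pattern: trust the caller's name and join it.

    os.path.join discards base_dir entirely when user_supplied is absolute,
    and '..' components are kept, so the result can point anywhere on disk.
    """
    return os.path.join(base_dir, user_supplied)


def safe_resolve(base_dir: str, user_supplied: str) -> str:
    """Resolve user_supplied under base_dir, or raise ValueError.

    realpath() normalises '..' and follows symlinks, so a link planted
    inside base_dir that points outside it is rejected as well.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_supplied))
    # commonpath compares whole path components, so 'history2' is not
    # mistaken for a child of 'history' the way a str.startswith check would be.
    # The base directory itself is not an acceptable file target either.
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes base directory: {user_supplied!r}")
    return candidate


def safe_write(base_dir: str, user_supplied: str, data: bytes) -> str:
    """Write data to a caller-named file, refusing anything outside base_dir."""
    path = safe_resolve(base_dir, user_supplied)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def classify(base_dir: str, names: list[str]) -> dict[str, bool]:
    """Map each candidate name to True (accepted) or False (rejected)."""
    verdicts = {}
    for name in names:
        try:
            safe_resolve(base_dir, name)
            verdicts[name] = True
        except ValueError:
            verdicts[name] = False
    return verdicts


def run_demo() -> dict[str, bool]:
    """Build a throwaway tree with a secret outside the upload directory and a
    planted symlink inside it, then run constructed attacker inputs through
    the containment check."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "history")
        os.makedirs(base)
        secret = os.path.join(tmp, "config.json")  # constructed: lives outside base
        with open(secret, "w") as fh:
            fh.write('{"api_key": "constructed-placeholder"}')
        os.symlink(secret, os.path.join(base, "link.json"))

        # A legitimate upload goes through without complaint.
        safe_write(base, "alice.json", b"{}")

        names = [
            "alice.json",             # legitimate upload name
            "../config.json",         # classic traversal
            "/etc/passwd",            # absolute path; join() would discard base
            "sub/../../config.json",  # traversal hidden behind a bogus subdirectory
            "link.json",              # symlink inside base pointing outside it
            ".",                      # the directory itself
        ]
        return classify(base, names)


if __name__ == "__main__":
    print("naive:", naive_resolve("/srv/app/history", "/etc/passwd"))
    for name, accepted in run_demo().items():
        print(f"{'accept' if accepted else 'reject':6}  {name!r}")
```

Reading the result back through `safe_resolve` before the `open()` is what closes the LFI; calling it before the `open(..., "wb")` is what closes the arbitrary write. Note that the check must run on the fully resolved path: validating the raw string (for example by stripping `../`) leaves the absolute-path and symlink cases open.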