Total
10018 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2008-5186 | 1 Geshi | 1 Geshi | 2024-08-07 | 7.5 HIGH | N/A |
** DISPUTED ** The set_language_path function in geshi.php in Generic Syntax Highlighter (GeSHi) before 1.0.8.1 might allow remote attackers to conduct file inclusion attacks via crafted inputs that influence the default language path ($path variable). NOTE: this issue has been disputed by a vendor, stating that only a static value is used, so this is not a vulnerability in GeSHi. Separate CVE identifiers would be created for web applications that integrate GeSHi in a way that allows control of the default language path. | |||||
CVE-2009-4488 | 1 Varnish.projects.linpro | 1 Varnish | 2024-08-07 | 5.0 MEDIUM | N/A |
** DISPUTED ** Varnish 2.0.6 writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator. NOTE: the vendor disputes the significance of this report, stating that "This is not a security problem in Varnish or any other piece of software which writes a logfile. The real problem is the mistaken belief that you can cat(1) a random logfile to your terminal safely." | |||||
CVE-2012-5786 | 1 Apache | 1 Cxf | 2024-08-06 | 5.8 MEDIUM | N/A |
** DISPUTED ** The wsdl_first_https sample code in distribution/src/main/release/samples/wsdl_first_https/src/main/ in Apache CXF before 2.7.0 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. NOTE: The vendor states that the sample had specifically used a flag to bypass the DN check. | |||||
CVE-2013-3735 | 1 Php | 1 Php | 2024-08-06 | 5.0 MEDIUM | N/A |
** DISPUTED ** The Zend Engine in PHP before 5.4.16 RC1, and 5.5.0 before RC2, does not properly determine whether a parser error occurred, which allows context-dependent attackers to cause a denial of service (memory consumption and application crash) via a crafted function definition, as demonstrated by an attack within a shared web-hosting environment. NOTE: the vendor's http://php.net/security-note.php page says "for critical security situations you should be using OS-level security by running multiple web servers each as their own user id." | |||||
CVE-2024-6915 | 2024-08-06 | N/A | 9.3 CRITICAL | ||
JFrog Artifactory versions below 7.90.6, 7.84.20, 7.77.14, 7.71.23, 7.68.22, 7.63.22, 7.59.23, 7.55.18 are vulnerable to Improper Input Validation that could potentially lead to cache poisoning. | |||||
CVE-2024-21978 | 2024-08-06 | N/A | 6.0 MEDIUM | ||
Improper input validation in SEV-SNP could allow a malicious hypervisor to read or overwrite guest memory potentially leading to data leakage or data corruption. | |||||
CVE-2013-2185 | 2 Apache, Redhat | 3 Tomcat, Jboss Enterprise Application Platform, Jboss Enterprise Portal Platform | 2024-08-06 | 7.5 HIGH | N/A |
** DISPUTED ** The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance, a similar issue to CVE-2013-2186. NOTE: this issue is reportedly disputed by the Apache Tomcat team, although Red Hat considers it a vulnerability. The dispute appears to regard whether it is the responsibility of applications to avoid providing untrusted data to be deserialized, or whether this class should inherently protect against this issue. | |||||
CVE-2024-35212 | 1 Siemens | 1 Sinec Traffic Analyzer | 2024-08-06 | N/A | 7.5 HIGH |
A vulnerability has been identified in SINEC Traffic Analyzer (6GK8822-1BG01-0BA0) (All versions < V1.2). The affected application lacks input validation due to which an attacker can gain access to the Database entries. | |||||
CVE-2024-5913 | 2024-08-06 | N/A | 6.1 MEDIUM | ||
An improper input validation vulnerability in Palo Alto Networks PAN-OS software enables an attacker with the ability to tamper with the physical file system to elevate privileges. | |||||
CVE-2016-6877 | 1 Citrix | 1 Xenmobile Server | 2024-08-06 | 2.6 LOW | 5.3 MEDIUM |
** DISPUTED ** Citrix XenMobile Server before 10.5.0.24 allows man-in-the-middle attackers to trigger HTTP 302 redirections via vectors involving the HTTP Host header and a cached page. NOTE: the vendor reports "our internal analysis of this issue concluded that this was not a valid vulnerability" because an exploitation scenario would involve a man-in-the-middle attack against a TLS session. | |||||
CVE-2017-10955 | 1 Emc | 1 Data Protection Advisor | 2024-08-05 | 9.0 HIGH | 8.8 HIGH |
** DISPUTED ** This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of EMC Data Protection Advisor 6.3.0. Authentication is required to exploit this vulnerability. The specific flaw exists within the EMC DPA Application service, which listens on TCP port 9002 by default. When parsing the preScript parameter, the process does not properly validate a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute arbitrary code under the context of SYSTEM. Was ZDI-CAN-4697. NOTE: Dell EMC disputes that this is a vulnerability. | |||||
CVE-2024-27447 | 2024-08-05 | N/A | 9.8 CRITICAL | ||
pretix before 2024.1.1 mishandles file validation. | |||||
CVE-2018-20225 | 1 Pypa | 1 Pip | 2024-08-05 | 6.8 MEDIUM | 7.8 HIGH |
** DISPUTED ** An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely. | |||||
CVE-2018-19556 | 1 Zblogcn | 1 Z-blogphp | 2024-08-05 | 4.3 MEDIUM | 4.3 MEDIUM |
** DISPUTED ** zb_system/admin/index.php?act=UploadMng in Z-BlogPHP 1.5 mishandles file preview, leading to content spoofing. NOTE: the software maintainer disputes that this is a vulnerability. | |||||
CVE-2018-10054 | 2 Cognitect, H2database | 2 Datomic, H2 | 2024-08-05 | 6.5 MEDIUM | 8.8 HIGH |
H2 1.4.197, as used in Datomic before 0.9.5697 and other products, allows remote code execution because CREATE ALIAS can execute arbitrary Java code. | |||||
CVE-2018-5279 | 1 Malwarebytes | 1 Malwarebytes | 2024-08-05 | 6.1 MEDIUM | 7.8 HIGH |
** DISPUTED ** In Malwarebytes Premium 3.3.1.2183, the driver file (FARFLT.SYS) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9c40e02c. NOTE: the vendor reported that they "have not been able to reproduce the issue on any Windows operating system version (32-bit or 64-bit)." | |||||
CVE-2018-5278 | 1 Malwarebytes | 1 Malwarebytes | 2024-08-05 | 6.1 MEDIUM | 3.3 LOW |
** DISPUTED ** In Malwarebytes Premium 3.3.1.2183, the driver file (FARFLT.SYS) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9c40e00c. NOTE: the vendor reported that they "have not been able to reproduce the issue on any Windows operating system version (32-bit or 64-bit)." | |||||
CVE-2018-5277 | 1 Malwarebytes | 1 Malwarebytes | 2024-08-05 | 6.1 MEDIUM | 7.8 HIGH |
** DISPUTED ** In Malwarebytes Premium 3.3.1.2183, the driver file (FARFLT.SYS) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9c40e000. NOTE: the vendor reported that they "have not been able to reproduce the issue on any Windows operating system version (32-bit or 64-bit)." | |||||
CVE-2018-5276 | 1 Malwarebytes | 1 Malwarebytes | 2024-08-05 | 6.1 MEDIUM | 7.8 HIGH |
** DISPUTED ** In Malwarebytes Premium 3.3.1.2183, the driver file (FARFLT.SYS) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9c40e018. NOTE: the vendor reported that they "have not been able to reproduce the issue on any Windows operating system version (32-bit or 64-bit)." | |||||
CVE-2018-5275 | 1 Malwarebytes | 1 Malwarebytes | 2024-08-05 | 6.1 MEDIUM | 7.8 HIGH |
** DISPUTED ** In Malwarebytes Premium 3.3.1.2183, the driver file (FARFLT.SYS) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of not validating input values from IOCtl 0x9C40E020. NOTE: the vendor reported that they "have not been able to reproduce the issue on any Windows operating system version (32-bit or 64-bit)." |