Total
1254 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-34068 | 2024-05-03 | N/A | 6.4 MEDIUM | ||
| Pterodactyl wings is the server control plane for Pterodactyl Panel. An authenticated user who has access to a game server is able to bypass the previously implemented access control (GHSA-6rg3-8h8x-5xfv) that prevents accessing internal endpoints of the node hosting Wings in the pull endpoint. This would allow malicious users to potentially access resources on local networks that would otherwise be inaccessible. This issue has been addressed in version 1.11.2 and users are advised to upgrade. Users unable to upgrade may enable the `api.disable_remote_download` option as a workaround. | |||||
| CVE-2024-28978 | 2024-05-01 | N/A | 5.2 MEDIUM | ||
| Dell OpenManage Enterprise, versions 3.10 and 4.0, contains an Improper Access Control vulnerability. A high privileged remote attacker could potentially exploit this vulnerability, leading to unauthorized access to resources. | |||||
| CVE-2024-3746 | 2024-05-01 | N/A | 5.5 MEDIUM | ||
| The entire parent directory - C:\ScadaPro and its sub-directories and files are configured by default to allow user, including unprivileged users, to write or overwrite files. | |||||
| CVE-2024-32973 | 2024-05-01 | N/A | 4.8 MEDIUM | ||
| Pluto is a superset of Lua 5.4 with a focus on general-purpose programming. In affected versions an attacker with the ability to actively intercept network traffic would be able to use a specifically-crafted certificate to fool Pluto into trusting it to be the intended remote for the TLS session. This results in the HTTP library and socket.starttls providing less transport integrity than expected. This issue has been patched in pull request #851 which has been included in version 0.9.3. Users are advised to upgrade. there are no known workarounds for this vulnerability. | |||||
| CVE-2024-4225 | 2024-04-30 | N/A | 7.6 HIGH | ||
| Multiple security vulnerabilities has been discovered in web interface of NetGuardian DIN Remote Telemetry Unit (RTU), by DPS Telecom. Attackers can exploit those security vulnerabilities to perform critical actions such as escalate user's privilege, steal user's credential, Cross Site Scripting (XSS) and Cross-Site Request Forgery (CSRF). | |||||
| CVE-2024-29054 | 1 Microsoft | 1 Defender For Iot | 2024-04-26 | N/A | 7.2 HIGH |
| Microsoft Defender for IoT Elevation of Privilege Vulnerability | |||||
| CVE-2024-29055 | 1 Microsoft | 1 Defender For Iot | 2024-04-26 | N/A | 7.2 HIGH |
| Microsoft Defender for IoT Elevation of Privilege Vulnerability | |||||
| CVE-2024-4198 | 2024-04-26 | N/A | 2.7 LOW | ||
| Mattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 fail to fully validate role changes which allows an attacker authenticated as team admin to demote users to guest via crafted HTTP requests. | |||||
| CVE-2024-4195 | 2024-04-26 | N/A | 2.7 LOW | ||
| Mattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 fail to fully validate role changes, which allows an attacker authenticated as a team admin to promote guests to team admins via crafted HTTP requests. | |||||
| CVE-2024-30261 | 2024-04-19 | N/A | 2.6 LOW | ||
| Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the `integrity` option passed to `fetch()`, allowing `fetch()` to accept requests as valid even if they have been tampered. This vulnerability was patched in version(s) 5.28.4 and 6.11.1. | |||||
| CVE-2023-45744 | 2024-04-17 | N/A | 8.3 HIGH | ||
| A data integrity vulnerability exists in the web interface /cgi-bin/upload_config.cgi functionality of Peplink Smart Reader v1.2.0 (in QEMU). A specially crafted HTTP request can lead to configuration modification. An attacker can make an unauthenticated HTTP request to trigger this vulnerability. | |||||
| CVE-2023-45209 | 2024-04-17 | N/A | 5.3 MEDIUM | ||
| An information disclosure vulnerability exists in the web interface /cgi-bin/download_config.cgi functionality of Peplink Smart Reader v1.2.0 (in QEMU). A specially crafted HTTP request can lead to a disclosure of sensitive information. An attacker can make an unauthenticated HTTP request to trigger this vulnerability. | |||||
| CVE-2023-43491 | 2024-04-17 | N/A | 5.3 MEDIUM | ||
| An information disclosure vulnerability exists in the web interface /cgi-bin/debug_dump.cgi functionality of Peplink Smart Reader v1.2.0 (in QEMU). A specially crafted HTTP request can lead to a disclosure of sensitive information. An attacker can make an unauthenticated HTTP request to trigger this vulnerability. | |||||
| CVE-2024-29840 | 2024-04-15 | N/A | 7.5 HIGH | ||
| The Web interface of Evolution Controller Versions 2.04.560.31.03.2024 and below contains poorly configured access control on DESKTOP_EDIT_USER_GET_PIN_FIELDS, allowing for an unauthenticated attacker to return the pin value of any user | |||||
| CVE-2024-29839 | 2024-04-15 | N/A | 7.5 HIGH | ||
| The Web interface of Evolution Controller Versions 2.04.560.31.03.2024 and below contains poorly configured access control on DESKTOP_EDIT_USER_GET_CARD, allowing for an unauthenticated attacker to return the card value data of any user | |||||
| CVE-2024-3777 | 2024-04-15 | N/A | 9.8 CRITICAL | ||
| The password reset feature of Ai3 QbiBot lacks proper access control, allowing unauthenticated remote attackers to reset any user's password. | |||||
| CVE-2024-29843 | 2024-04-15 | N/A | 7.5 HIGH | ||
| The Web interface of Evolution Controller Versions 2.04.560.31.03.2024 and below contains poorly configured access control on MOBILE_GET_USERS_LIST, allowing for an unauthenticated attacker to enumerate all users and their access levels | |||||
| CVE-2024-29842 | 2024-04-15 | N/A | 7.5 HIGH | ||
| The Web interface of Evolution Controller Versions 2.04.560.31.03.2024 and below contains poorly configured access control on DESKTOP_EDIT_USER_GET_ABACARD_FIELDS, allowing for an unauthenticated attacker to return the abacard field of any user | |||||
| CVE-2024-29836 | 2024-04-15 | N/A | 9.8 CRITICAL | ||
| The Web interface of Evolution Controller Versions 2.04.560.31.03.2024 and below contains poorly configured access control, allowing for an unauthenticated attacker to update and add user profiles within the application, and gain full access of the site. | |||||
| CVE-2024-3765 | 2024-04-15 | 10.0 HIGH | 9.8 CRITICAL | ||
| A vulnerability classified as critical was found in Xiongmai AHB7804R-MH-V2, AHB8004T-GL, AHB8008T-GL, AHB7004T-GS-V3, AHB7004T-MHV2, AHB8032F-LME and XM530_R80X30-PQ_8M. Affected by this vulnerability is an unknown functionality of the component Sofia Service. The manipulation with the input ff00000000000000000000000000f103250000007b202252657422203a203130302c202253657373696f6e494422203a202230783022207d0a leads to improper access controls. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-260605 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||