Total: 3602 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2023-41984 | 1 Apple | 5 Ipados, Iphone Os, Macos and 2 more | 2024-09-25 | N/A | 7.8 HIGH | The issue was addressed with improved memory handling. This issue is fixed in macOS Ventura 13.6, tvOS 17, iOS 16.7 and iPadOS 16.7, macOS Monterey 12.7, watchOS 10, iOS 17 and iPadOS 17, macOS Sonoma 14. An app may be able to execute arbitrary code with kernel privileges. |
CVE-2023-41450 | 1 Phpkobo | 1 Ajaxnewsticker | 2024-09-23 | N/A | 8.8 HIGH | An issue in phpkobo AjaxNewsTicker v.1.0.5 allows a remote attacker to execute arbitrary code via a crafted payload to the reque parameter. |
CVE-2023-41444 | 2 Binalyze, Microsoft | 2 Irec, Windows | 2024-09-23 | N/A | 7.8 HIGH | An issue in Binalyze IREC.sys v.3.11.0 and before allows a local attacker to execute arbitrary code and escalate privileges via the fun_1400084d0 function in the IREC.sys driver. |
CVE-2023-44011 | 1 Mojoportal | 1 Mojoportal | 2024-09-23 | N/A | 9.8 CRITICAL | An issue in mojoPortal v.2.7.0.0 allows a remote attacker to execute arbitrary code via a crafted script to the layout.master skin file at the Skin management component. |
CVE-2024-5751 | 1 Litellm | 1 Litellm | 2024-09-20 | N/A | 9.8 CRITICAL | BerriAI/litellm version v1.35.8 contains a vulnerability where an attacker can achieve remote code execution. The vulnerability exists in the `add_deployment` function, which decodes and decrypts environment variables from base64 and assigns them to `os.environ`. An attacker can exploit this by sending a malicious payload to the `/config/update` endpoint, which is then processed and executed by the server when the `get_secret` function is triggered. This requires the server to use Google KMS and a database to store a model. |
CVE-2024-8880 | 1 Playsms | 1 Playsms | 2024-09-20 | 5.1 MEDIUM | 9.8 CRITICAL | A vulnerability classified as critical has been found in playSMS 1.4.4/1.4.5/1.4.6/1.4.7. Affected is an unknown function of the file /playsms/index.php?app=main&inc=core_auth&route=forgot&op=forgot of the component Template Handler. The manipulation of the argument username/email/captcha leads to code injection. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. The project maintainer was informed early about the issue. Investigation shows that playSMS up to 1.4.3 contained a fix but later versions re-introduced the flaw. As long as the latest version of the playsms/tpl package is used, the software is not affected. Version >=1.4.4 shall fix this issue for sure. |
CVE-2024-7104 | 1 Sfs | 1 Winsure | 2024-09-20 | N/A | 9.8 CRITICAL | Improper Control of Generation of Code ('Code Injection') vulnerability in SFS Consulting ww.Winsure allows Code Injection. This issue affects ww.Winsure: before 4.6.2. |
CVE-2023-49000 | 1 Artistscope | 1 Artisbrowser | 2024-09-20 | N/A | 9.8 CRITICAL | An issue in ArtistScope ArtisBrowser v.34.1.5 and before allows an attacker to bypass intended access restrictions via interaction with the com.artis.browser.IntentReceiverActivity component. NOTE: this is disputed by the vendor, who indicates that ArtisBrowser 34 does not support CSS3. |
CVE-2024-45798 | | | 2024-09-20 | N/A | 9.9 CRITICAL | arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. The `arduino-esp32` CI is vulnerable to multiple Poisoned Pipeline Execution (PPE) vulnerabilities: code injection in the `tests_results.yml` workflow (`GHSL-2024-169`) and environment variable injection (`GHSL-2024-170`). These issues have been addressed, but users are advised to verify the contents of the downloaded artifacts. |
CVE-2024-35515 | | | 2024-09-20 | N/A | 9.8 CRITICAL | Insecure deserialization in sqlitedict up to v2.1.0 allows attackers to execute arbitrary code. |
CVE-2024-43922 | 1 Nitropack | 1 Nitropack | 2024-09-19 | N/A | 9.8 CRITICAL | Improper Control of Generation of Code ('Code Injection') vulnerability in NitroPack Inc. NitroPack allows Code Injection. This issue affects NitroPack: from n/a through 1.16.7. |
CVE-2024-34344 | 1 Nuxt | 1 Nuxt | 2024-09-19 | N/A | 8.8 HIGH | Nuxt is a free and open-source framework to create full-stack web applications and websites with Vue.js. Due to insufficient validation of the `path` parameter in the NuxtTestComponentWrapper, an attacker can execute arbitrary JavaScript on the server side, which allows them to execute arbitrary commands. Users who open a malicious web page in the browser while running the test locally are affected by this vulnerability, which results in remote code execution from the malicious web page. Since web pages can send requests to arbitrary addresses, a malicious web page can repeatedly try to exploit this vulnerability, which then triggers the exploit when the test server starts. |
CVE-2024-0220 | | | 2024-09-19 | N/A | 8.3 HIGH | B&R Automation Studio Upgrade Service and B&R Technology Guarding use insufficient cryptography for communication to the upgrade and the licensing servers. A network-based attacker could exploit the vulnerability to execute arbitrary code on the products or sniff sensitive data. |
CVE-2023-44847 | 1 Seacms | 1 Seacms | 2024-09-19 | N/A | 7.2 HIGH | An issue in SeaCMS v.12.8 allows an attacker to execute arbitrary code via the admin_ Weixin.php component. |
CVE-2023-44846 | 1 Seacms | 1 Seacms | 2024-09-19 | N/A | 8.8 HIGH | An issue in SeaCMS v.12.8 allows an attacker to execute arbitrary code via the admin_ notify.php component. |
CVE-2024-44430 | 1 Mayurik | 1 Best Free Law Office Management | 2024-09-19 | N/A | 9.8 CRITICAL | SQL Injection vulnerability in Best Free Law Office Management Software v1.0 allows an attacker to execute arbitrary code and obtain sensitive information via a crafted payload to the kortex_lite/control/register_case.php interface. |
CVE-2024-43469 | 1 Microsoft | 1 Azure Cyclecloud | 2024-09-17 | N/A | 8.8 HIGH | Azure CycleCloud Remote Code Execution Vulnerability |
CVE-2022-39424 | 1 Oracle | 1 Vm Virtualbox | 2024-09-17 | N/A | 8.1 HIGH | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are prior to 6.1.40. Difficult to exploit vulnerability allows unauthenticated attacker with network access via VRDP to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). |
CVE-2023-30912 | 1 Hpe | 1 Oneview | 2024-09-17 | N/A | 9.8 CRITICAL | A remote code execution issue exists in HPE OneView. |
CVE-2023-21890 | 1 Oracle | 1 Communications Converged Application Server | 2024-09-17 | N/A | 9.8 CRITICAL | Vulnerability in the Oracle Communications Converged Application Server product of Oracle Communications (component: Core). Supported versions that are affected are 7.1.0 and 8.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via UDP to compromise Oracle Communications Converged Application Server. Successful attacks of this vulnerability can result in takeover of Oracle Communications Converged Application Server. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). |