Total: 271657 CVEs
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2023-37231 | | | 2024-09-10 | N/A | 9.8 CRITICAL |
Loftware Spectrum before 4.6 HF14 uses a Hard-coded Password. | |||||
CVE-2023-37230 | | | 2024-09-10 | N/A | 8.8 HIGH |
Loftware Spectrum (testDeviceConnection) before 5.1 allows SSRF. | |||||
CVE-2023-37229 | | | 2024-09-10 | N/A | 8.8 HIGH |
Loftware Spectrum before 5.1 allows SSRF. | |||||
CVE-2023-37227 | | | 2024-09-10 | N/A | 9.8 CRITICAL |
Loftware Spectrum before 4.6 HF13 Deserializes Untrusted Data. | |||||
CVE-2023-52915 | 1 Linux | 1 Linux Kernel | 2024-09-10 | N/A | 5.5 MEDIUM |
In the Linux kernel, the following vulnerability has been resolved: media: dvb-usb-v2: af9035: Fix null-ptr-deref in af9035_i2c_master_xfer In af9035_i2c_master_xfer, msg is controlled by user. When msg[i].buf is null and msg[i].len is zero, former checks on msg[i].buf would be passed. Malicious data finally reach af9035_i2c_master_xfer. If accessing msg[i].buf[0] without sanity check, null ptr deref would happen. We add check on msg[i].len to prevent crash. Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()") | |||||
CVE-2024-44408 | 1 Dlink | 2 Dir-823g, Dir-823g Firmware | 2024-09-10 | N/A | 7.5 HIGH |
D-Link DIR-823G v1.0.2B05_20181207 is vulnerable to Information Disclosure. The device allows unauthorized configuration file downloads, and the downloaded configuration files contain plaintext user passwords. | |||||
CVE-2024-44402 | 1 Dlink | 2 Di-8100g, Di-8100g Firmware | 2024-09-10 | N/A | 9.8 CRITICAL |
D-Link DI-8100G 17.12.20A1 is vulnerable to Command Injection via msp_info.htm. | |||||
CVE-2024-44983 | 1 Linux | 1 Linux Kernel | 2024-09-10 | N/A | 7.1 HIGH |
In the Linux kernel, the following vulnerability has been resolved: netfilter: flowtable: validate vlan header Ensure there is sufficient room to access the protocol field of the VLAN header, validate it once before the flowtable lookup. ===================================================== BUG: KMSAN: uninit-value in nf_flow_offload_inet_hook+0x45a/0x5f0 net/netfilter/nf_flow_table_inet.c:32 nf_flow_offload_inet_hook+0x45a/0x5f0 net/netfilter/nf_flow_table_inet.c:32 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626 nf_hook_ingress include/linux/netfilter_netdev.h:34 [inline] nf_ingress net/core/dev.c:5440 [inline] | |||||
CVE-2024-44978 | 1 Linux | 1 Linux Kernel | 2024-09-10 | N/A | 7.8 HIGH |
In the Linux kernel, the following vulnerability has been resolved: drm/xe: Free job before xe_exec_queue_put Free job depends on job->vm being valid, the last xe_exec_queue_put can destroy the VM. Prevent UAF by freeing job before xe_exec_queue_put. (cherry picked from commit 32a42c93b74c8ca6d0915ea3eba21bceff53042f) | |||||
CVE-2024-42348 | 1 Fogproject | 1 Fogproject | 2024-09-10 | N/A | 8.6 HIGH |
FOG is a cloning/imaging/rescue suite/inventory management system. FOG Server 1.5.10.41.2 can leak AD username and password when registering a computer. This vulnerability is fixed in 1.5.10.41.3 and 1.6.0-beta.1395. | |||||
CVE-2024-42349 | 1 Fogproject | 1 Fogproject | 2024-09-10 | N/A | 5.3 MEDIUM |
FOG is a cloning/imaging/rescue suite/inventory management system. FOG Server 1.5.10.41.4 and earlier can leak authorized and rejected logins via logs stored directly on the root of the web server. FOG Server creates 2 logs on the root of the web server (fog_login_accepted.log and fog_login_failed.log), exposing the name of the user account used to manage FOG, the IP address of the computer used to login and the User-Agent. This vulnerability is fixed in 1.5.10.47. | |||||
CVE-2024-38886 | 1 Horizoncloud | 1 Caterease | 2024-09-10 | N/A | 9.8 CRITICAL |
An issue in Horizon Business Services Inc. Caterease 16.0.1.1663 through 24.0.1.2405 and possibly later versions, allows a remote attacker to perform a Traffic Injection attack due to improper verification of the source of a communication channel. | |||||
CVE-2024-38889 | 1 Horizoncloud | 1 Caterease | 2024-09-10 | N/A | 9.8 CRITICAL |
An issue in Horizon Business Services Inc. Caterease 16.0.1.1663 through 24.0.1.2405 and possibly later versions, allows a remote attacker to perform SQL Injection due to improper neutralization of special elements used in an SQL command. | |||||
CVE-2024-42759 | | | 2024-09-10 | N/A | 6.3 MEDIUM |
An issue in Ellevo v.6.2.0.38160 allows a remote attacker to escalate privileges via the /api/usuario/cadastrodesuplente endpoint. | |||||
CVE-2023-37226 | | | 2024-09-10 | N/A | 9.8 CRITICAL |
Loftware Spectrum before 4.6 HF14 has Missing Authentication for a Critical Function. | |||||
CVE-2024-44867 | | | 2024-09-10 | N/A | 7.5 HIGH |
phpok v3.0 was discovered to contain an arbitrary file read vulnerability via the component /autoload/file.php. | |||||
CVE-2024-8654 | | | 2024-09-10 | N/A | 5.0 MEDIUM |
MongoDB Server may access non-initialized region of memory leading to unexpected behaviour when zero arguments are called in internal aggregation stage. This issue affected MongoDB Server v6.0 version 6.0.3. | |||||
CVE-2024-45393 | | | 2024-09-10 | N/A | 6.4 MEDIUM |
Computer Vision Annotation Tool (CVAT) is an interactive video and image annotation tool for computer vision. An attacker with a CVAT account can access webhook delivery information for any webhook registered on the CVAT instance, including that of other users. For each delivery, this contains information about the event that caused the delivery, typically including full details about the object on which an action was performed (such as the task for an "update:task" event), and the user who performed the action. In addition, the attacker can redeliver any past delivery of any webhook, and trigger a ping event for any webhook. Upgrade to CVAT 2.18.0 or any later version. | |||||
CVE-2024-45044 | | | 2024-09-10 | N/A | 8.8 HIGH |
Bareos is open source software for backup, archiving, and recovery of data for operating systems. When a command ACL is in place and a user executes a command in bconsole using an abbreviation (e.g. "w" for "whoami"), the ACL check did not apply to the full form ("whoami") but to the abbreviated form ("w"). If the command ACL is configured with a negative ACL that should forbid using the "whoami" command, "w" or "who" could still be used as a command successfully. Fixes for the problem are shipped in Bareos versions 23.0.4, 22.1.6 and 21.1.11. If only positive command ACLs are used without any negation, the problem does not occur. | |||||
CVE-2024-8558 | 1 Oretnom23 | 1 Food Ordering Management System | 2024-09-10 | 4.0 MEDIUM | 4.3 MEDIUM |
A vulnerability classified as problematic was found in SourceCodester Food Ordering Management System 1.0. This vulnerability affects unknown code of the file /foms/routers/place-order.php of the component Price Handler. The manipulation of the argument total leads to improper validation of specified quantity in input. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
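The af9035 entry (CVE-2023-52915) describes a check that bounds a user-controlled message length only from above, so a zero-length message with no buffer slips through and the driver reads buf[0]. The following is an added userspace model of that shape, not the af9035 driver: the struct layout, MAX_XFER_LEN, the two transfer routines and the sample messages are assumptions that keep only the structure of the bug and the fix.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Userspace model of the CVE-2023-52915 check (assumed shapes, not driver
 * code). A user can hand the driver an i2c_msg array through I2C_RDWR, so
 * every field of every message is attacker-controlled.
 */
struct i2c_msg {
    uint16_t addr;   /* 7-bit slave address */
    uint16_t flags;  /* I2C_M_RD etc.; unused here */
    uint16_t len;    /* bytes in buf; userspace may pass 0 */
    uint8_t *buf;    /* NULL or empty when len == 0 */
};

#define MAX_XFER_LEN 40   /* assumed upper bound, as in the "before" check */

/* Vulnerable shape: len is bounded only from above, so a zero-length message
 * passes and buf[0] (the register address) is read from a NULL buffer. */
int xfer_before(const struct i2c_msg *msg)
{
    if (msg->len > MAX_XFER_LEN)
        return -EOPNOTSUPP;
    return msg->buf[0];             /* null-ptr-deref when len == 0 */
}

/* Fixed shape: require at least one byte before touching buf, and refuse a
 * message that claims bytes but carries no buffer. */
int xfer_after(const struct i2c_msg *msg)
{
    if (msg->len > MAX_XFER_LEN || msg->len < 1)
        return -EOPNOTSUPP;
    if (msg->buf == NULL)
        return -EINVAL;
    return msg->buf[0];
}

/* Constructed inputs: a normal 3-byte write, the malicious zero-length
 * message, and a message that lies about its length. */
static uint8_t good_bytes[3] = { 0x12, 0x34, 0x56 };
static const struct i2c_msg good_msg  = { 0x38, 0, 3, good_bytes };
static const struct i2c_msg empty_msg = { 0x38, 0, 0, NULL };
static const struct i2c_msg lying_msg = { 0x38, 0, 2, NULL };

int fixed_on_empty(void)     { return xfer_after(&empty_msg); }
int fixed_on_lying(void)     { return xfer_after(&lying_msg); }
int fixed_on_good(void)      { return xfer_after(&good_msg); }
int vulnerable_on_good(void) { return xfer_before(&good_msg); }

int main(void)
{
    printf("fixed, empty msg : %d (-EOPNOTSUPP)\n", fixed_on_empty());
    printf("fixed, lying msg : %d (-EINVAL)\n", fixed_on_lying());
    printf("fixed, good msg  : 0x%02x\n", fixed_on_good());
    printf("before, good msg : 0x%02x\n", vulnerable_on_good());
    /* xfer_before(&empty_msg) is deliberately not called: it would crash. */
    return 0;
}
```

The point to carry over when auditing similar handlers: a non-NULL check on a buffer pointer says nothing about how many bytes it holds, so any read of buf[k] needs a check that len is greater than k, placed before the read.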
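The flowtable entry (CVE-2024-44983) says the protocol field of a VLAN header must only be read once the frame is known to contain it, and that this should be validated once before the lookup. Here is an added standalone example of that check, not the netfilter code: the constants mirror the Linux names, the frames are hand-constructed bytes, and the walker also handles stacked 802.1ad tags, which goes beyond what the advisory text covers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example for CVE-2024-44983 (assumed constants and frames; not
 * nf_flow_table code). */
#define ETH_HLEN       14
#define VLAN_HLEN      4
#define ETH_P_8021Q    0x8100
#define ETH_P_8021AD   0x88A8
#define ETH_P_IP       0x0800
#define ETH_P_IPV6     0x86DD
#define VLAN_MAX_DEPTH 2

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Return the offset of the network-layer header and store its protocol, or
 * -1 when the frame is too short (or too deeply tagged) to decide. Every
 * read is preceded by a length check: an 802.1Q TPID in a 16-byte frame
 * must not lead to a read of bytes 16-17. */
int vlan_l3_offset(const uint8_t *pkt, size_t len, uint16_t *proto)
{
    size_t off = ETH_HLEN;
    int depth = 0;
    uint16_t p;

    if (len < ETH_HLEN)
        return -1;
    p = be16(pkt + 12);                    /* EtherType or VLAN TPID */
    while (p == ETH_P_8021Q || p == ETH_P_8021AD) {
        if (depth++ >= VLAN_MAX_DEPTH)
            return -1;
        if (len < off + VLAN_HLEN)         /* the missing check: is the whole tag here? */
            return -1;
        p = be16(pkt + off + 2);           /* encapsulated protocol after the TCI */
        off += VLAN_HLEN;
    }
    *proto = p;
    return (int)off;
}

/* Flowtable-style ingress hook: validate once, then only IPv4/IPv6 frames go
 * to the lookup; anything else, including a truncated tag, falls through. */
int flow_hook_would_lookup(const uint8_t *pkt, size_t len)
{
    uint16_t proto;
    if (vlan_l3_offset(pkt, len, &proto) < 0)
        return 0;
    return proto == ETH_P_IP || proto == ETH_P_IPV6;
}

/* Single-value wrappers. */
int l3_offset(const uint8_t *pkt, size_t len) { uint16_t p; return vlan_l3_offset(pkt, len, &p); }
int l3_proto(const uint8_t *pkt, size_t len)  { uint16_t p; return vlan_l3_offset(pkt, len, &p) < 0 ? -1 : (int)p; }

/* Constructed frames: dst MAC, src MAC, then tags/EtherType and a few payload bytes. */
#define MACS 0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb
const uint8_t untagged_ipv4[] = { MACS, 0x08,0x00, 0x45,0x00,0x00,0x14 };
const uint8_t tagged_ipv4[]   = { MACS, 0x81,0x00, 0x00,0x64, 0x08,0x00, 0x45,0x00,0x00,0x14 };
const uint8_t qinq_ipv6[]     = { MACS, 0x88,0xa8, 0x00,0xc8, 0x81,0x00, 0x00,0x64, 0x86,0xdd, 0x60,0x00,0x00,0x00 };
const uint8_t triple_tag[]    = { MACS, 0x81,0x00, 0x00,0x01, 0x81,0x00, 0x00,0x02, 0x81,0x00, 0x00,0x03, 0x08,0x00 };
/* Truncated case: the first 16 bytes of tagged_ipv4, cut inside the tag. */
#define TRUNCATED_LEN 16

int main(void)
{
    printf("untagged  : off %d proto 0x%04x\n", l3_offset(untagged_ipv4, sizeof untagged_ipv4), l3_proto(untagged_ipv4, sizeof untagged_ipv4));
    printf("tagged    : off %d proto 0x%04x\n", l3_offset(tagged_ipv4, sizeof tagged_ipv4), l3_proto(tagged_ipv4, sizeof tagged_ipv4));
    printf("qinq      : off %d proto 0x%04x\n", l3_offset(qinq_ipv6, sizeof qinq_ipv6), l3_proto(qinq_ipv6, sizeof qinq_ipv6));
    printf("truncated : off %d, lookup %d\n", l3_offset(tagged_ipv4, TRUNCATED_LEN), flow_hook_would_lookup(tagged_ipv4, TRUNCATED_LEN));
    printf("triple    : off %d\n", l3_offset(triple_tag, sizeof triple_tag));
    return 0;
}
```

The tag depth limit is there for the same reason as the length check: every loop iteration reads two more bytes, so both the remaining length and the number of iterations must be bounded before the read, not after.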
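The drm/xe entry (CVE-2024-44978) is an ordering bug: freeing the job needs job->vm, but the last xe_exec_queue_put may destroy that VM, so the job must be freed first. The following added model reproduces the ownership shape with toy structs; it is not drm/xe code. Releasing the last VM reference poisons the object instead of freeing it, the way a sanitizer quarantine would, so the stale access is detected deterministically rather than being undefined behaviour.

```c
#include <stdint.h>
#include <stdio.h>

/* Added model of the CVE-2024-44978 teardown order (assumed structs, not
 * drm/xe code): a job pins its exec queue, the queue pins its vm. */
#define VM_LIVE   0x564D4F4Bu   /* marks a usable vm */
#define VM_POISON 0xDEADBEEFu   /* written when the last reference goes */

struct vm         { uint32_t magic; unsigned refs; unsigned jobs_freed; };
struct exec_queue { unsigned refs; struct vm *vm; };
struct job        { struct exec_queue *q; };

static void vm_put(struct vm *vm)
{
    if (--vm->refs == 0)
        vm->magic = VM_POISON;         /* "destroyed": poisoned, not freed */
}

/* Dropping the last queue reference also drops the queue's vm reference. */
static void exec_queue_put(struct exec_queue *q)
{
    if (--q->refs == 0)
        vm_put(q->vm);
}

/* Freeing a job touches job->q->vm (here: per-vm accounting), so the vm
 * must still be alive. Returns -1 if it reached a poisoned vm. */
static int job_free(struct job *job)
{
    struct vm *vm = job->q->vm;
    if (vm->magic != VM_LIVE)
        return -1;                     /* use-after-free caught */
    vm->jobs_freed++;
    return 0;
}

/* One vm whose only reference is held by one queue, and one job on it. */
static void setup(struct vm *vm, struct exec_queue *q, struct job *job)
{
    vm->magic = VM_LIVE; vm->refs = 1; vm->jobs_freed = 0;
    q->refs = 1; q->vm = vm;
    job->q = q;
}

/* Buggy order: put the queue first; that was the vm's last reference. */
int teardown_before(void)
{
    struct vm vm; struct exec_queue q; struct job job;
    setup(&vm, &q, &job);
    exec_queue_put(&q);                /* vm poisoned here */
    return job_free(&job);             /* -1: reads the dead vm */
}

/* Fixed order: free the job while queue and vm are still referenced. */
int teardown_after(void)
{
    struct vm vm; struct exec_queue q; struct job job;
    int rc;
    setup(&vm, &q, &job);
    rc = job_free(&job);               /* 0: accounting done on a live vm */
    exec_queue_put(&q);                /* now the vm may go */
    return rc;
}

int main(void)
{
    printf("queue_put then job_free: %d (use-after-free)\n", teardown_before());
    printf("job_free then queue_put: %d (ok)\n", teardown_after());
    return 0;
}
```

The rule the fix encodes: release objects in the reverse order of their dependencies, so anything that still dereferences a pointer into X is torn down before the reference that keeps X alive is dropped.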
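The Bareos entry (CVE-2024-45044) is a canonicalisation bug: the ACL was evaluated against the token the user typed rather than the command it expands to, so a negative entry for "whoami" never matched "w". The following added model shows the check before and after the fix; it is not Bareos code. The command table, the first-match abbreviation rule and the ACL syntax ("!name" denies, "*all*" allows everything, first matching entry wins) are assumptions chosen to reproduce the behaviour the advisory describes.

```c
#include <stdio.h>
#include <string.h>

/* Added model of the CVE-2024-45044 ACL check (assumed command table and
 * ACL semantics, not Bareos's own). "whoami" precedes "wait" so that "w"
 * expands to whoami, as in the advisory. */
static const char *const commands[] = { "whoami", "wait", "status", "run", "quit" };
#define NCMD (sizeof commands / sizeof commands[0])

/* Expand a typed token to the full command name: exact match first, then
 * the first table entry the token is a prefix of. NULL if nothing matches. */
const char *resolve_command(const char *typed)
{
    size_t n = strlen(typed);
    size_t i;
    if (n == 0)
        return NULL;
    for (i = 0; i < NCMD; i++)
        if (strcmp(commands[i], typed) == 0)
            return commands[i];
    for (i = 0; i < NCMD; i++)
        if (strncmp(commands[i], typed, n) == 0)
            return commands[i];
    return NULL;
}

/* Evaluate an ordered, NULL-terminated ACL against a command name. */
int acl_permits(const char *const *acl, const char *name)
{
    for (; *acl; acl++) {
        const char *e = *acl;
        if (e[0] == '!') {
            if (strcmp(e + 1, name) == 0)
                return 0;                                /* explicit deny */
        } else if (strcmp(e, "*all*") == 0 || strcmp(e, name) == 0) {
            return 1;
        }
    }
    return 0;                                            /* default deny */
}

/* Before the fix: the ACL is checked against the text the user typed. */
int check_before(const char *const *acl, const char *typed)
{
    if (resolve_command(typed) == NULL)
        return 0;                                        /* unknown command */
    return acl_permits(acl, typed);
}

/* After the fix: expand first, then check the canonical name. */
int check_after(const char *const *acl, const char *typed)
{
    const char *full = resolve_command(typed);
    return full ? acl_permits(acl, full) : 0;
}

/* Constructed ACLs: a negative one meant to block whoami, and a positive one. */
const char *const deny_whoami_acl[] = { "!whoami", "*all*", NULL };
const char *const positive_acl[]    = { "status", "run", NULL };

int main(void)
{
    const char *inputs[] = { "whoami", "who", "w", "st" };
    size_t i;
    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        const char *full = resolve_command(inputs[i]);
        printf("%-7s -> %-7s  negative ACL before/after: %d/%d  positive ACL after: %d\n",
               inputs[i], full ? full : "(none)",
               check_before(deny_whoami_acl, inputs[i]), check_after(deny_whoami_acl, inputs[i]),
               check_after(positive_acl, inputs[i]));
    }
    return 0;
}
```

With the negative ACL, "w" and "who" are accepted by check_before and rejected by check_after; with the positive ACL neither form of whoami is ever accepted, which is the advisory's observation that purely positive ACLs are not affected. The general lesson is that authorization must be decided on the canonical form of a request, after every alias, abbreviation or encoding has been resolved.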