Total
296526 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2024-10765 | 1 Codezips | 1 Online Institute Management System | 2024-11-06 | 6.5 MEDIUM | 9.8 CRITICAL |
A vulnerability classified as critical was found in Codezips Online Institute Management System up to 1.0. This vulnerability affects unknown code of the file /profile.php. The manipulation of the argument old_image leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
CVE-2024-10764 | 1 Codezips | 1 Online Institute Management System | 2024-11-06 | 6.5 MEDIUM | 9.8 CRITICAL |
A vulnerability classified as critical has been found in Codezips Online Institute Management System 1.0. This affects an unknown part of the file /pages/save_user.php. The manipulation of the argument image leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
CVE-2024-44258 | 1 Apple | 4 Ipados, Iphone Os, Tvos and 1 more | 2024-11-06 | N/A | 7.1 HIGH |
This issue was addressed with improved handling of symlinks. This issue is fixed in iOS 18.1 and iPadOS 18.1, iOS 17.7.1 and iPadOS 17.7.1, visionOS 2.1, tvOS 18.1. Restoring a maliciously crafted backup file may lead to modification of protected system files. | |||||
CVE-2024-31998 | 1 Combodo | 1 Itop | 2024-11-06 | N/A | 8.8 HIGH |
Combodo iTop is a simple, web based IT Service Management tool. A CSRF can be performed on CSV import simulation. This issue has been fixed in versions 3.1.2 and 3.2.0. All users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
CVE-2024-31448 | 1 Combodo | 1 Itop | 2024-11-06 | N/A | 6.1 MEDIUM |
Combodo iTop is a simple, web based IT Service Management tool. By filling malicious code in a CSV content, an Cross-site Scripting (XSS) attack can be performed when importing this content. This issue has been fixed in versions 3.1.2 and 3.2.0. All users are advised to upgrade. Users unable to upgrade should validate CSV content before importing it. | |||||
CVE-2023-34445 | 1 Combodo | 1 Itop | 2024-11-06 | N/A | 6.1 MEDIUM |
Combodo iTop is a simple, web based IT Service Management tool. When displaying pages/ajax.render.php XSS are possible for scripts outside of script tags. This issue has been fixed in versions 2.7.9, 3.0.4, 3.1.0. All users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
CVE-2023-34444 | 1 Combodo | 1 Itop | 2024-11-06 | N/A | 6.1 MEDIUM |
Combodo iTop is a simple, web based IT Service Management tool. When displaying pages/ajax.searchform.php XSS are possible for scripts outside of script tags. This issue has been fixed in versions 2.7.9, 3.0.4, 3.1.0. All users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
CVE-2023-34443 | 1 Combodo | 1 Itop | 2024-11-06 | N/A | 6.1 MEDIUM |
Combodo iTop is a simple, web based IT Service Management tool. When displaying page Run queries Cross-site Scripting (XSS) are possible for scripts outside of script tags. This has been fixed in versions 2.7.9, 3.0.4, 3.1.0. All users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
CVE-2024-8553 | 2024-11-06 | N/A | 6.3 MEDIUM | ||
A vulnerability was found in Foreman's loader macros introduced with report templates. These macros may allow an authenticated user with permissions to view and create templates to read any field from Foreman's database. By using specific strings in the loader macros, users can bypass permissions and access sensitive information. | |||||
CVE-2024-7012 | 1 Redhat | 1 Satellite | 2024-11-06 | N/A | 9.8 CRITICAL |
An authentication bypass vulnerability has been identified in Foreman when deployed with External Authentication, due to the puppet-foreman configuration. This issue arises from Apache's mod_proxy not properly unsetting headers because of restrictions on underscores in HTTP headers, allowing authentication through a malformed header. This flaw impacts all active Satellite deployments (6.13, 6.14 and 6.15) and could potentially enable unauthorized users to gain administrative access. | |||||
CVE-2024-48059 | 2024-11-05 | N/A | 6.1 MEDIUM | ||
gaizhenbiao/chuanhuchatgpt project, version <=20240802 is vulnerable to stored Cross-Site Scripting (XSS) in WebSocket session transmission. An attacker can inject malicious content into a WebSocket message. When a victim accesses this session, the malicious JavaScript is executed in the victim's browser. | |||||
CVE-2024-45366 | 2024-11-05 | N/A | 6.1 MEDIUM | ||
Welcart e-Commerce prior to 2.11.2 contains a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed on the user's web browser. | |||||
CVE-2024-45240 | 2024-11-05 | N/A | 7.4 HIGH | ||
The TikTok (aka com.zhiliaoapp.musically) application before 34.5.5 for Android allows the takeover of Lynxview JavaScript interfaces via deeplink traversal (in the application's exposed WebView). (On Android 12 and later, this is only exploitable by third-party applications.) | |||||
CVE-2024-44205 | 1 Apple | 3 Ipados, Iphone Os, Macos | 2024-11-05 | N/A | 5.5 MEDIUM |
A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Ventura 13.6.8, macOS Monterey 12.7.6, iOS 16.7.9 and iPadOS 16.7.9, iOS 17.6 and iPadOS 17.6, macOS Sonoma 14.6. A sandboxed app may be able to access sensitive user data in system logs. | |||||
CVE-2024-41577 | 2024-11-05 | N/A | 9.8 CRITICAL | ||
An arbitrary file upload vulnerability in the Ueditor component of productinfoquick v1.0 allows attackers to execute arbitrary code via uploading a crafted PNG file. | |||||
CVE-2024-41200 | 2024-11-05 | N/A | 5.5 MEDIUM | ||
A segmentation fault in KMPlayer v4.2.2.65 allows attackers to cause a Denial of Service (DoS) via a crafted AVI file. | |||||
CVE-2021-46772 | 2024-11-05 | N/A | 3.9 LOW | ||
Insufficient input validation in the ABL may allow a privileged attacker with access to the BIOS menu or UEFI shell to tamper with the structure headers in SPI ROM causing an out of bounds memory read and write, potentially resulting in memory corruption or denial of service. | |||||
CVE-2024-43219 | 2024-11-05 | N/A | 5.3 MEDIUM | ||
Missing Authorization vulnerability in ووکامرس فارسی Persian WooCommerce allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Persian WooCommerce: from n/a through 7.1.6. | |||||
CVE-2024-47362 | 1 Wpchill | 1 Strong Testimonials | 2024-11-05 | N/A | 8.8 HIGH |
Missing Authorization vulnerability in WPChill Strong Testimonials allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Strong Testimonials: from n/a through 3.1.16. | |||||
CVE-2024-51431 | 1 Lb-link | 2 Bl-wr1300h, Bl-wr1300h Firmware | 2024-11-05 | N/A | 9.8 CRITICAL |
LB-LINK BL-WR 1300H v.1.0.4 contains hardcoded credentials stored in /etc/shadow which are easily guessable. |