Vulnerabilities (CVE)

Total 296526 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-10765 1 Codezips 1 Online Institute Management System 2024-11-06 6.5 MEDIUM 9.8 CRITICAL
A vulnerability classified as critical was found in Codezips Online Institute Management System up to 1.0. This vulnerability affects unknown code of the file /profile.php. The manipulation of the argument old_image leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
CVE-2024-10764 1 Codezips 1 Online Institute Management System 2024-11-06 6.5 MEDIUM 9.8 CRITICAL
A vulnerability classified as critical has been found in Codezips Online Institute Management System 1.0. This affects an unknown part of the file /pages/save_user.php. The manipulation of the argument image leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
CVE-2024-44258 1 Apple 4 Ipados, Iphone Os, Tvos and 1 more 2024-11-06 N/A 7.1 HIGH
This issue was addressed with improved handling of symlinks. This issue is fixed in iOS 18.1 and iPadOS 18.1, iOS 17.7.1 and iPadOS 17.7.1, visionOS 2.1, tvOS 18.1. Restoring a maliciously crafted backup file may lead to modification of protected system files.
CVE-2024-31998 1 Combodo 1 Itop 2024-11-06 N/A 8.8 HIGH
Combodo iTop is a simple, web based IT Service Management tool. A CSRF can be performed on CSV import simulation. This issue has been fixed in versions 3.1.2 and 3.2.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2024-31448 1 Combodo 1 Itop 2024-11-06 N/A 6.1 MEDIUM
Combodo iTop is a simple, web based IT Service Management tool. By filling malicious code in a CSV content, an Cross-site Scripting (XSS) attack can be performed when importing this content. This issue has been fixed in versions 3.1.2 and 3.2.0. All users are advised to upgrade. Users unable to upgrade should validate CSV content before importing it.
CVE-2023-34445 1 Combodo 1 Itop 2024-11-06 N/A 6.1 MEDIUM
Combodo iTop is a simple, web based IT Service Management tool. When displaying pages/ajax.render.php XSS are possible for scripts outside of script tags. This issue has been fixed in versions 2.7.9, 3.0.4, 3.1.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2023-34444 1 Combodo 1 Itop 2024-11-06 N/A 6.1 MEDIUM
Combodo iTop is a simple, web based IT Service Management tool. When displaying pages/ajax.searchform.php XSS are possible for scripts outside of script tags. This issue has been fixed in versions 2.7.9, 3.0.4, 3.1.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2023-34443 1 Combodo 1 Itop 2024-11-06 N/A 6.1 MEDIUM
Combodo iTop is a simple, web based IT Service Management tool. When displaying page Run queries Cross-site Scripting (XSS) are possible for scripts outside of script tags. This has been fixed in versions 2.7.9, 3.0.4, 3.1.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2024-8553 2024-11-06 N/A 6.3 MEDIUM
A vulnerability was found in Foreman's loader macros introduced with report templates. These macros may allow an authenticated user with permissions to view and create templates to read any field from Foreman's database. By using specific strings in the loader macros, users can bypass permissions and access sensitive information.
CVE-2024-7012 1 Redhat 1 Satellite 2024-11-06 N/A 9.8 CRITICAL
An authentication bypass vulnerability has been identified in Foreman when deployed with External Authentication, due to the puppet-foreman configuration. This issue arises from Apache's mod_proxy not properly unsetting headers because of restrictions on underscores in HTTP headers, allowing authentication through a malformed header. This flaw impacts all active Satellite deployments (6.13, 6.14 and 6.15) and could potentially enable unauthorized users to gain administrative access.
CVE-2024-48059 2024-11-05 N/A 6.1 MEDIUM
gaizhenbiao/chuanhuchatgpt project, version <=20240802 is vulnerable to stored Cross-Site Scripting (XSS) in WebSocket session transmission. An attacker can inject malicious content into a WebSocket message. When a victim accesses this session, the malicious JavaScript is executed in the victim's browser.
CVE-2024-45366 2024-11-05 N/A 6.1 MEDIUM
Welcart e-Commerce prior to 2.11.2 contains a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed on the user's web browser.
CVE-2024-45240 2024-11-05 N/A 7.4 HIGH
The TikTok (aka com.zhiliaoapp.musically) application before 34.5.5 for Android allows the takeover of Lynxview JavaScript interfaces via deeplink traversal (in the application's exposed WebView). (On Android 12 and later, this is only exploitable by third-party applications.)
CVE-2024-44205 1 Apple 3 Ipados, Iphone Os, Macos 2024-11-05 N/A 5.5 MEDIUM
A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Ventura 13.6.8, macOS Monterey 12.7.6, iOS 16.7.9 and iPadOS 16.7.9, iOS 17.6 and iPadOS 17.6, macOS Sonoma 14.6. A sandboxed app may be able to access sensitive user data in system logs.
CVE-2024-41577 2024-11-05 N/A 9.8 CRITICAL
An arbitrary file upload vulnerability in the Ueditor component of productinfoquick v1.0 allows attackers to execute arbitrary code via uploading a crafted PNG file.
CVE-2024-41200 2024-11-05 N/A 5.5 MEDIUM
A segmentation fault in KMPlayer v4.2.2.65 allows attackers to cause a Denial of Service (DoS) via a crafted AVI file.
CVE-2021-46772 2024-11-05 N/A 3.9 LOW
Insufficient input validation in the ABL may allow a privileged attacker with access to the BIOS menu or UEFI shell to tamper with the structure headers in SPI ROM causing an out of bounds memory read and write, potentially resulting in memory corruption or denial of service.
CVE-2024-43219 2024-11-05 N/A 5.3 MEDIUM
Missing Authorization vulnerability in ووکامرس فارسی Persian WooCommerce allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Persian WooCommerce: from n/a through 7.1.6.
CVE-2024-47362 1 Wpchill 1 Strong Testimonials 2024-11-05 N/A 8.8 HIGH
Missing Authorization vulnerability in WPChill Strong Testimonials allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Strong Testimonials: from n/a through 3.1.16.
CVE-2024-51431 1 Lb-link 2 Bl-wr1300h, Bl-wr1300h Firmware 2024-11-05 N/A 9.8 CRITICAL
LB-LINK BL-WR 1300H v.1.0.4 contains hardcoded credentials stored in /etc/shadow which are easily guessable.