Total
308110 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-25769 | 2024-09-20 | N/A | 7.2 HIGH | ||
| ImpactThe default .htaccess file has some restrictions in the access to PHP files to only allow specific PHP files to be executed in the root of the application. This logic isn't correct, as the regex in the second FilesMatch only checks the filename, not the full path. | |||||
| CVE-2024-45601 | 2024-09-20 | N/A | 7.5 HIGH | ||
| Mesop is a Python-based UI framework designed for rapid web apps development. A vulnerability has been discovered and fixed in Mesop that could potentially allow unauthorized access to files on the server hosting the Mesop application. The vulnerability was related to insufficient input validation in a specific endpoint. This could have allowed an attacker to access files not intended to be served. Users are strongly advised to update to the latest version of Mesop immediately. The latest version includes a fix for this vulnerability. At time of publication 0.12.4 is the most recently available version of Mesop. | |||||
| CVE-2024-46990 | 2024-09-20 | N/A | 5.0 MEDIUM | ||
| Directus is a real-time API and App dashboard for managing SQL database content. When relying on blocking access to localhost using the default `0.0.0.0` filter a user may bypass this block by using other registered loopback devices (like `127.0.0.2` - `127.127.127.127`). This issue has been addressed in release versions 10.13.3 and 11.1.0. Users are advised to upgrade. Users unable to upgrade may block this bypass by manually adding the `127.0.0.0/8` CIDR range which will block access to any `127.X.X.X` ip instead of just `127.0.0.1`. | |||||
| CVE-2024-7785 | 2024-09-20 | N/A | N/A | ||
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Ece Software Electronic Ticket System allows Reflected XSS, Cross-Site Scripting (XSS).This issue affects Electronic Ticket System: before 2024.08. | |||||
| CVE-2024-7736 | 2024-09-20 | N/A | 8.7 HIGH | ||
| A reflected Cross-site Scripting (XSS) vulnerability affecting ENOVIA Collaborative Industry Innovator from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2024x allows an attacker to execute arbitrary script code in user's browser session. | |||||
| CVE-2023-47105 | 2024-09-20 | N/A | 8.6 HIGH | ||
| exec.CommandContext in Chaosblade 0.3 through 1.7.3, when server mode is used, allows OS command execution via the cmd parameter without authentication. | |||||
| CVE-2023-36268 | 2024-09-20 | N/A | N/A | ||
| Rejected reason: DoS issues, or unexploitable crashes, are out of scope for vulnerabilities. | |||||
| CVE-2024-46049 | 1 Tenda | 2 O6, O6 Firmware | 2024-09-20 | N/A | 9.8 CRITICAL |
| Tenda O6 V3.0 firmware V1.0.0.7(2054) contains a stack overflow vulnerability in the formexeCommand function. | |||||
| CVE-2024-46048 | 1 Tenda | 2 Fh451, Fh451 Firmware | 2024-09-20 | N/A | 9.8 CRITICAL |
| Tenda FH451 v1.0.0.9 has a command injection vulnerability in the formexeCommand function i | |||||
| CVE-2024-46047 | 1 Tenda | 2 Fh451, Fh451 Firmware | 2024-09-20 | N/A | 7.5 HIGH |
| Tenda FH451 v1.0.0.9 has a stack overflow vulnerability in the fromDhcpListClient function. | |||||
| CVE-2024-46046 | 1 Tenda | 2 Fh451, Fh451 Firmware | 2024-09-20 | N/A | 9.8 CRITICAL |
| Tenda FH451 v1.0.0.9 has a stack overflow vulnerability located in the RouteStatic function. | |||||
| CVE-2024-46044 | 1 Tenda | 2 Ch22, Ch22 Firmware | 2024-09-20 | N/A | 9.8 CRITICAL |
| CH22 V1.0.0.6(468) has a stack overflow vulnerability located in the fromqossetting function. | |||||
| CVE-2024-45040 | 1 Consensys | 1 Gnark-crypto | 2024-09-20 | N/A | 5.9 MEDIUM |
| gnark is a fast zk-SNARK library that offers a high-level API to design circuits. Prior to version 0.11.0, commitments to private witnesses in Groth16 as implemented break the zero-knowledge property. The vulnerability affects only Groth16 proofs with commitments. Notably, PLONK proofs are not affected. The vulnerability affects the zero-knowledge property of the proofs - in case the witness (secret or internal) values are small, then the attacker may be able to enumerate all possible choices to deduce the actual value. If the possible choices for the variables to be committed is large or there are many values committed, then it would be computationally infeasible to enumerate all valid choices. It doesn't affect the completeness/soundness of the proofs. The vulnerability has been fixed in version 0.11.0. The patch to fix the issue is to add additional randomized value to the list of committed value at proving time to mask the rest of the values which were committed. As a workaround, the user can manually commit to a randomized value. | |||||
| CVE-2024-45039 | 1 Consensys | 1 Gnark-crypto | 2024-09-20 | N/A | 6.2 MEDIUM |
| gnark is a fast zk-SNARK library that offers a high-level API to design circuits. Versions prior to 0.11.0 have a soundness issue - in case of multiple commitments used inside the circuit the prover is able to choose all but the last commitment. As gnark uses the commitments for optimized non-native multiplication, lookup checks etc. as random challenges, then it could impact the soundness of the whole circuit. However, using multiple commitments has been discouraged due to the additional cost to the verifier and it has not been supported in the recursive in-circuit Groth16 verifier and Solidity verifier. gnark's maintainers expect the impact of the issue be very small - only for the users who have implemented the native Groth16 verifier or are using it with multiple commitments. We do not have information of such users. The issue has been patched in version 0.11.0. As a workaround, users should follow gnark maintainers' recommendation to use only a single commitment and then derive in-circuit commitments as needed using the `std/multicommit` package. | |||||
| CVE-2024-7717 | 1 Thimpress | 1 Wp Events Manager | 2024-09-20 | N/A | 8.8 HIGH |
| The WP Events Manager plugin for WordPress is vulnerable to time-based SQL Injection via the ‘order’ parameter in all versions up to, and including, 2.1.11 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | |||||
| CVE-2022-4100 | 1 Wpcerber | 1 Cerber Security Antispam \& Malware Scan | 2024-09-20 | N/A | 5.3 MEDIUM |
| The WP Cerber Security plugin for WordPress is vulnerable to IP Protection bypass in versions up to, and including 9.4 due to the plugin improperly checking for a visitor's IP address. This makes it possible for an attacker whose IP address has been blocked to bypass this control by setting the X-Forwarded-For: HTTP header to an IP Address that hasn't been blocked. | |||||
| CVE-2024-38210 | 1 Microsoft | 1 Edge Chromium | 2024-09-19 | N/A | 7.8 HIGH |
| Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | |||||
| CVE-2024-38209 | 1 Microsoft | 1 Edge Chromium | 2024-09-19 | N/A | 7.8 HIGH |
| Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability | |||||
| CVE-2024-38208 | 2 Google, Microsoft | 2 Android, Edge | 2024-09-19 | N/A | 6.1 MEDIUM |
| Microsoft Edge for Android Spoofing Vulnerability | |||||
| CVE-2024-38207 | 1 Microsoft | 1 Edge Chromium | 2024-09-19 | N/A | 6.3 MEDIUM |
| Microsoft Edge (HTML-based) Memory Corruption Vulnerability | |||||