Search
Total
201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-0261 | 1 Ftpdmin Project | 1 Ftpdmin | 2024-01-10 | N/A | 7.5 HIGH |
| A vulnerability has been found in Sentex FTPDMIN 0.96 and classified as problematic. Affected by this vulnerability is an unknown functionality of the component RNFR Command Handler. The manipulation leads to denial of service. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-249817 was assigned to this vulnerability. | |||||
| CVE-2024-0263 | 1 Acme | 1 Ultra Mini Httpd | 2024-01-10 | N/A | 7.5 HIGH |
| A vulnerability was found in ACME Ultra Mini HTTPd 1.21. It has been classified as problematic. This affects an unknown part of the component HTTP GET Request Handler. The manipulation leads to denial of service. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-249819. | |||||
| CVE-2023-49123 | 1 Siemens | 1 Solid Edge Se2023 | 2024-01-10 | N/A | 7.8 HIGH |
| A vulnerability has been identified in Solid Edge SE2023 (All versions < V223.0 Update 10). The affected application is vulnerable to heap-based buffer overflow while parsing specially crafted PAR files. This could allow an attacker to execute code in the context of the current process. | |||||
| CVE-2023-49122 | 1 Siemens | 1 Solid Edge Se2023 | 2024-01-10 | N/A | 7.8 HIGH |
| A vulnerability has been identified in Solid Edge SE2023 (All versions < V223.0 Update 10). The affected application is vulnerable to heap-based buffer overflow while parsing specially crafted PAR files. This could allow an attacker to execute code in the context of the current process. | |||||
| CVE-2023-49121 | 1 Siemens | 1 Solid Edge Se2023 | 2024-01-10 | N/A | 7.8 HIGH |
| A vulnerability has been identified in Solid Edge SE2023 (All versions < V223.0 Update 10). The affected application is vulnerable to heap-based buffer overflow while parsing specially crafted PAR files. This could allow an attacker to execute code in the context of the current process. | |||||
| CVE-2023-49132 | 1 Siemens | 1 Solid Edge Se2023 | 2024-01-10 | N/A | 7.8 HIGH |
| A vulnerability has been identified in Solid Edge SE2023 (All versions < V223.0 Update 10). The affected application is vulnerable to uninitialized pointer access while parsing specially crafted PAR files. An attacker could leverage this vulnerability to execute code in the context of the current process. | |||||
| CVE-2023-49131 | 1 Siemens | 1 Solid Edge Se2023 | 2024-01-10 | N/A | 7.8 HIGH |
| A vulnerability has been identified in Solid Edge SE2023 (All versions < V223.0 Update 10). The affected application is vulnerable to uninitialized pointer access while parsing specially crafted PAR files. An attacker could leverage this vulnerability to execute code in the context of the current process. | |||||
| CVE-2023-49130 | 1 Siemens | 1 Solid Edge Se2023 | 2024-01-10 | N/A | 7.8 HIGH |
| A vulnerability has been identified in Solid Edge SE2023 (All versions < V223.0 Update 10). The affected application is vulnerable to uninitialized pointer access while parsing specially crafted PAR files. An attacker could leverage this vulnerability to execute code in the context of the current process. | |||||
| CVE-2023-49129 | 1 Siemens | 1 Solid Edge Se2023 | 2024-01-10 | N/A | 7.8 HIGH |
| A vulnerability has been identified in Solid Edge SE2023 (All versions < V223.0 Update 10). The affected applications contain a stack overflow vulnerability while parsing specially crafted PAR files. This could allow an attacker to execute code in the context of the current process. | |||||
| CVE-2023-49124 | 1 Siemens | 1 Solid Edge Se2023 | 2024-01-10 | N/A | 7.8 HIGH |
| A vulnerability has been identified in Solid Edge SE2023 (All versions < V223.0 Update 10). The affected applications contain an out of bounds read past the end of an allocated structure while parsing specially crafted PAR files. This could allow an attacker to execute code in the context of the current process. | |||||
| CVE-2023-49128 | 1 Siemens | 1 Solid Edge Se2023 | 2024-01-10 | N/A | 7.8 HIGH |
| A vulnerability has been identified in Solid Edge SE2023 (All versions < V223.0 Update 10). The affected application contains an out of bounds write past the end of an allocated buffer while parsing a specially crafted PAR file. This could allow an attacker to execute code in the context of the current process. | |||||
| CVE-2023-49127 | 1 Siemens | 1 Solid Edge Se2023 | 2024-01-10 | N/A | 7.8 HIGH |
| A vulnerability has been identified in Solid Edge SE2023 (All versions < V223.0 Update 10). The affected applications contain an out of bounds read past the end of an allocated structure while parsing specially crafted PAR files. This could allow an attacker to execute code in the context of the current process. | |||||
| CVE-2023-49126 | 1 Siemens | 1 Solid Edge Se2023 | 2024-01-10 | N/A | 7.8 HIGH |
| A vulnerability has been identified in Solid Edge SE2023 (All versions < V223.0 Update 10). The affected applications contain an out of bounds read past the end of an allocated structure while parsing specially crafted PAR files. This could allow an attacker to execute code in the context of the current process. | |||||
| CVE-2023-49442 | 1 Jeecg | 1 Jeecg | 2024-01-10 | N/A | 9.8 CRITICAL |
| Deserialization of Untrusted Data in jeecgFormDemoController in JEECG 4.0 and earlier allows attackers to run arbitrary code via crafted POST request. | |||||
| CVE-2023-5881 | 1 Geniecompany | 2 Aladdin Connect Garage Door Opener, Aladdin Connect Garage Door Opener Firmware | 2024-01-10 | N/A | 8.2 HIGH |
| Unauthenticated access permitted to web interface page The Genie Company Aladdin Connect (Retrofit-Kit Model ALDCM) "Garage Door Control Module Setup" and modify the Garage door's SSID settings. | |||||
| CVE-2023-6338 | 1 Lenovo | 1 Universal Device Client | 2024-01-10 | N/A | 7.8 HIGH |
| Uncontrolled search path vulnerabilities were reported in the Lenovo Universal Device Client (UDC) that could allow an attacker with local access to execute code with elevated privileges. | |||||
| CVE-2024-0262 | 1 Projectworlds | 1 Online Job Portal | 2024-01-10 | N/A | 4.8 MEDIUM |
| A vulnerability was found in Online Job Portal 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /Admin/News.php of the component Create News Page. The manipulation of the argument News with the input </title><scRipt>alert(0x00C57D)</scRipt> leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-249818 is the identifier assigned to this vulnerability. | |||||
| CVE-2023-6540 | 1 Lenovo | 2 Browser Hd, Browser Mobile | 2024-01-10 | N/A | 7.5 HIGH |
| A vulnerability was reported in the Lenovo Browser Mobile and Lenovo Browser HD Apps for Android that could allow an attacker to craft a payload that could result in the disclosure of sensitive information. | |||||
| CVE-2023-51195 | 2024-01-10 | N/A | N/A | ||
| Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. | |||||
| CVE-2024-22088 | 1 Chendotjs | 1 Lotos Webserver | 2024-01-10 | N/A | 9.8 CRITICAL |
| Lotos WebServer through 0.1.1 (commit 3eb36cc) has a use-after-free in buffer_avail() at buffer.h via a long URI, because realloc is mishandled. | |||||
| CVE-2024-22047 | 1 Collectiveidea | 1 Audited | 2024-01-10 | N/A | 3.1 LOW |
| A race condition exists in Audited 4.0.0 to 5.3.3 that can result in an authenticated user to cause audit log entries to be attributed to another user. | |||||
| CVE-2023-50256 | 1 Froxlor | 1 Froxlor | 2024-01-10 | N/A | 7.5 HIGH |
| Froxlor is open source server administration software. Prior to version 2.1.2, it was possible to submit the registration form with the essential fields, such as the username and password, left intentionally blank. This inadvertent omission allowed for a bypass of the mandatory field requirements (e.g. surname, company name) established by the system. Version 2.1.2 fixes this issue. | |||||
| CVE-2020-13880 | 1 Irfanview | 1 B3d | 2024-01-10 | N/A | 9.8 CRITICAL |
| IrfanView B3D PlugIns before version 4.56 has a B3d.dll!+1cbf heap-based out-of-bounds write. | |||||
| CVE-2020-13879 | 1 Irfanview | 1 B3d | 2024-01-10 | N/A | 9.8 CRITICAL |
| IrfanView B3D PlugIns before version 4.56 has a B3d.dll!+214f heap-based out-of-bounds write. | |||||
| CVE-2020-13878 | 1 Irfanview | 1 B3d | 2024-01-10 | N/A | 9.8 CRITICAL |
| IrfanView B3D PlugIns before version 4.56 has a B3d.dll!+27ef heap-based out-of-bounds write. | |||||
| CVE-2023-52150 | 1 Ovation | 1 Dynamic Content For Elementor | 2024-01-10 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in Ovation S.R.L. Dynamic Content for Elementor.This issue affects Dynamic Content for Elementor: from n/a before 2.12.5. | |||||
| CVE-2023-52127 | 1 Wpclever | 1 Wpc Product Bundles For Woocommerce | 2024-01-10 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in WPClever WPC Product Bundles for WooCommerce.This issue affects WPC Product Bundles for WooCommerce: from n/a through 7.3.1. | |||||
| CVE-2023-47473 | 1 Fuwushe | 1 Ifair | 2024-01-10 | N/A | 7.5 HIGH |
| Directory Traversal vulnerability in fuwushe.org iFair versions 23.8_ad0 and before allows an attacker to obtain sensitive information via a crafted script. | |||||
| CVE-2023-42358 | 1 O-ran-sc | 1 Ric-plt-e2mgr | 2024-01-10 | N/A | 7.7 HIGH |
| An issue was discovered in O-RAN Software Community ric-plt-e2mgr in the G-Release environment, allows remote attackers to cause a denial of service (DoS) via a crafted request to the E2Manager API component. | |||||
| CVE-2023-5879 | 1 Geniecompany | 1 Aladdin Connect | 2024-01-10 | N/A | 6.8 MEDIUM |
| Users’ product account authentication data was stored in clear text in The Genie Company Aladdin Connect Mobile Application Version 5.65 Build 2075 (and below) on Android Devices. This allows the attacker, with access to the android device, to potentially retrieve users' clear text authentication credentials. | |||||
| CVE-2023-28786 | 1 Solidwp | 1 Solid Security | 2024-01-10 | N/A | 6.1 MEDIUM |
| URL Redirection to Untrusted Site ('Open Redirect') vulnerability in SolidWP Solid Security – Password, Two Factor Authentication, and Brute Force Protection.This issue affects Solid Security – Password, Two Factor Authentication, and Brute Force Protection: from n/a through 8.1.4. | |||||
| CVE-2023-46929 | 1 Gpac | 1 Gpac | 2024-01-10 | N/A | 7.5 HIGH |
| An issue discovered in GPAC 2.3-DEV-rev605-gfc9e29089-master in MP4Box in gf_avc_change_vui /afltest/gpac/src/media_tools/av_parsers.c:6872:55 allows attackers to crash the application. | |||||
| CVE-2021-46900 | 1 Sympa | 1 Sympa | 2024-01-10 | N/A | 7.5 HIGH |
| Sympa before 6.2.62 relies on a cookie parameter for certain security objectives, but does not ensure that this parameter exists and has an unpredictable value. Specifically, the cookie parameter is both a salt for stored passwords and an XSS protection mechanism. | |||||
| CVE-2023-51079 | 1 Mvel | 1 Mvel | 2024-01-10 | N/A | 5.3 MEDIUM |
| A long execution time can occur in the ParseTools.subCompileExpression method in MVEL 2.5.0.Final because of many Java class lookups. NOTE: the vendor disputes this because "the only thing that you could expect is that the parser will take a crazy amount of time to complete its task." | |||||
| CVE-2023-46136 | 1 Palletsprojects | 1 Werkzeug | 2024-01-10 | N/A | 7.5 HIGH |
| Werkzeug is a comprehensive WSGI web application library. If an upload of a file that starts with CR or LF and then is followed by megabytes of data without these characters: all of these bytes are appended chunk by chunk into internal bytearray and lookup for boundary is performed on growing buffer. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. This vulnerability has been patched in version 3.0.1. | |||||
| CVE-2022-20727 | 1 Cisco | 5 Cgr1000 Compute Module, Ic3000 Industrial Compute Gateway, Ios and 2 more | 2024-01-10 | 7.2 HIGH | 6.7 MEDIUM |
| Multiple vulnerabilities in the Cisco IOx application hosting environment on multiple Cisco platforms could allow an attacker to inject arbitrary commands into the underlying host operating system, execute arbitrary code on the underlying host operating system, install applications without being authenticated, or conduct a cross-site scripting (XSS) attack against a user of the affected software. For more information about these vulnerabilities, see the Details section of this advisory. | |||||
| CVE-2024-21633 | 1 Apktool | 1 Apktool | 2024-01-10 | N/A | 7.8 HIGH |
| Apktool is a tool for reverse engineering Android APK files. In versions 2.9.1 and prior, Apktool infers resource files' output path according to their resource names which can be manipulated by attacker to place files at desired location on the system Apktool runs on. Affected environments are those in which an attacker may write/overwrite any file that user has write access, and either user name is known or cwd is under user folder. Commit d348c43b24a9de350ff6e5bd610545a10c1fc712 contains a patch for this issue. | |||||
| CVE-2024-21631 | 1 Vapor | 1 Vapor | 2024-01-10 | N/A | 6.5 MEDIUM |
| Vapor is an HTTP web framework for Swift. Prior to version 4.90.0, Vapor's `vapor_urlparser_parse` function uses `uint16_t` indexes when parsing a URI's components, which may cause integer overflows when parsing untrusted inputs. This vulnerability does not affect Vapor directly but could impact applications relying on the URI type for validating user input. The URI type is used in several places in Vapor. A developer may decide to use URI to represent a URL in their application (especially if that URL is then passed to the HTTP Client) and rely on its public properties and methods. However, URI may fail to properly parse a valid (albeit abnormally long) URL, due to string ranges being converted to 16-bit integers. An attacker may use this behavior to trick the application into accepting a URL to an untrusted destination. By padding the port number with zeros, an attacker can cause an integer overflow to occur when the URL authority is parsed and, as a result, spoof the host. Version 4.90.0 contains a patch for this issue. As a workaround, validate user input before parsing as a URI or, if possible, use Foundation's `URL` and `URLComponents` utilities. | |||||
| CVE-2024-21622 | 1 Craftcms | 1 Craft Cms | 2024-01-10 | N/A | 8.8 HIGH |
| Craft is a content management system. This is a potential moderate impact, low complexity privilege escalation vulnerability in Craft starting in 3.x prior to 3.9.6 and 4.x prior to 4.4.16 with certain user permissions setups. This has been fixed in Craft 4.4.16 and Craft 3.9.6. Users should ensure they are running at least those versions. | |||||
| CVE-2016-10165 | 6 Canonical, Debian, Littlecms and 3 more | 19 Ubuntu Linux, Debian Linux, Little Cms Color Engine and 16 more | 2024-01-10 | 5.8 MEDIUM | 7.1 HIGH |
| The Type_MLU_Read function in cmstypes.c in Little CMS (aka lcms2) allows remote attackers to obtain sensitive information or cause a denial of service via an image with a crafted ICC profile, which triggers an out-of-bounds heap read. | |||||
| CVE-2023-49864 | 2024-01-10 | N/A | N/A | ||
| An information disclosure vulnerability exists in the aVideoEncoderReceiveImage.json.php image upload functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary file read.This vulnerability is triggered by the `downloadURL_image` parameter. | |||||
| CVE-2023-49863 | 2024-01-10 | N/A | N/A | ||
| An information disclosure vulnerability exists in the aVideoEncoderReceiveImage.json.php image upload functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary file read.This vulnerability is triggered by the `downloadURL_webpimage` parameter. | |||||
| CVE-2023-49862 | 2024-01-10 | N/A | N/A | ||
| An information disclosure vulnerability exists in the aVideoEncoderReceiveImage.json.php image upload functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary file read.This vulnerability is triggered by the `downloadURL_gifimage` parameter. | |||||
| CVE-2023-49738 | 2024-01-10 | N/A | N/A | ||
| An information disclosure vulnerability exists in the image404Raw.php functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary file read. | |||||
| CVE-2023-49715 | 2024-01-10 | N/A | N/A | ||
| A unrestricted php file upload vulnerability exists in the import.json.php temporary copy functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary code execution when chained with an LFI vulnerability. An attacker can send a series of HTTP requests to trigger this vulnerability. | |||||
| CVE-2023-49589 | 2024-01-10 | N/A | N/A | ||
| An insufficient entropy vulnerability exists in the userRecoverPass.php recoverPass generation functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to an arbitrary user password recovery. An attacker can send an HTTP request to trigger this vulnerability. | |||||
| CVE-2023-48730 | 2024-01-10 | N/A | N/A | ||
| A cross-site scripting (xss) vulnerability exists in the navbarMenuAndLogo.php user name functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get a user to visit a webpage to trigger this vulnerability. | |||||
| CVE-2023-48728 | 2024-01-10 | N/A | N/A | ||
| A cross-site scripting (xss) vulnerability exists in the functiongetOpenGraph videoName functionality of WWBN AVideo 11.6 and dev master commit 3c6bb3ff. A specially crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get a user to visit a webpage to trigger this vulnerability. | |||||
| CVE-2023-47862 | 2024-01-10 | N/A | N/A | ||
| A local file inclusion vulnerability exists in the getLanguageFromBrowser functionality of WWBN AVideo dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary code execution. An attacker can send a series of HTTP requests to trigger this vulnerability. | |||||
| CVE-2023-47861 | 2024-01-10 | N/A | N/A | ||
| A cross-site scripting (xss) vulnerability exists in the channelBody.php user name functionality of WWBN AVideo 11.6 and dev master commit 15fed957fb. A specially crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get a user to visit a webpage to trigger this vulnerability. | |||||