ReportizFlow
Filtered by vendor
Subscriptions
Total
4044 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-10094 | 1 Pegasystems | 1 Pega Infinity | 2024-11-21 | 9.1 Critical |
| Pega Platform versions 6.x to Infinity 24.1.1 are affected by an issue with Improper Control of Generation of Code | ||||
| CVE-2024-6950 | 2024-11-21 | 6.3 Medium | ||
| A vulnerability, which was classified as critical, has been found in Prain up to 1.3.0. Affected by this issue is some unknown functionality of the file /?import of the component HTTP POST Request Handler. The manipulation of the argument file leads to code injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-272072. | ||||
| CVE-2024-6947 | 1 Flute-cms | 1 Flute | 2024-11-21 | 4.7 Medium |
| A vulnerability was found in Flute CMS 0.2.2.4-alpha. It has been rated as critical. This issue affects the function replaceContent of the file app/Core/Support/ContentParser.php of the component Notification Handler. The manipulation leads to code injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-272069 was assigned to this vulnerability. | ||||
| CVE-2024-6946 | 1 Flute-cms | 1 Flute | 2024-11-21 | 4.7 Medium |
| A vulnerability was found in Flute CMS 0.2.2.4-alpha. It has been declared as critical. This vulnerability affects unknown code of the file /admin/pages/list. The manipulation of the argument blocks leads to code injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-272068. | ||||
| CVE-2024-6940 | 1 Dedecms | 1 Dedecms | 2024-11-21 | 4.7 Medium |
| A vulnerability was found in DedeCMS 5.7.114. It has been classified as critical. This affects an unknown part of the file article_template_rand.php. The manipulation leads to code injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-271995. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-6936 | 1 Formtools | 1 Form Tools | 2024-11-21 | 2.7 Low |
| A vulnerability, which was classified as problematic, has been found in formtools.org Form Tools 3.1.1. This issue affects some unknown processing of the file /admin/settings/index.php?page=accounts of the component Setting Handler. The manipulation of the argument Page Theme leads to code injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-271991. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-6923 | 2 Python, Redhat | 7 Cpython, Enterprise Linux, Rhel Aus and 4 more | 2024-11-21 | 5.5 Medium |
| There is a MEDIUM severity vulnerability affecting CPython. The email module didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized. | ||||
| CVE-2024-6891 | 1 Journyx | 1 Journyx | 2024-11-21 | 8.8 High |
| Attackers with a valid username and password can exploit a python code injection vulnerability during the natural login flow. | ||||
| CVE-2024-6726 | 2024-11-21 | 8.8 High | ||
| Versions of Delphix Engine prior to Release 25.0.0.0 contain a flaw which results in Remote Code Execution (RCE). | ||||
| CVE-2024-6376 | 1 Mongodb | 1 Compass | 2024-11-21 | 7 High |
| MongoDB Compass may be susceptible to code injection due to insufficient sandbox protection settings with the usage of ejson shell parser in Compass' connection handling. This issue affects MongoDB Compass versions prior to version 1.42.2 | ||||
| CVE-2024-6345 | 1 Redhat | 9 Enterprise Linux, Openshift, Openshift Devspaces and 6 more | 2024-11-21 | 8.8 High |
| A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0. | ||||
| CVE-2024-6206 | 2024-11-21 | 7.5 High | ||
| A security vulnerability has been identified in HPE Athonet Mobile Core software. The core application contains a code injection vulnerability where a threat actor could execute arbitrary commands with the privilege of the underlying container leading to complete takeover of the target system. | ||||
| CVE-2024-5834 | 2 Fedoraproject, Google | 2 Fedora, Chrome | 2024-11-21 | 8.8 High |
| Inappropriate implementation in Dawn in Google Chrome prior to 126.0.6478.54 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) | ||||
| CVE-2024-5826 | 2024-11-21 | N/A | ||
| In the latest version of vanna-ai/vanna, the `vanna.ask` function is vulnerable to remote code execution due to prompt injection. The root cause is the lack of a sandbox when executing LLM-generated code, allowing an attacker to manipulate the code executed by the `exec` function in `src/vanna/base/base.py`. This vulnerability can be exploited by an attacker to achieve remote code execution on the app backend server, potentially gaining full control of the server. | ||||
| CVE-2024-5751 | 1 Litellm | 1 Litellm | 2024-11-21 | 9.8 Critical |
| BerriAI/litellm version v1.35.8 contains a vulnerability where an attacker can achieve remote code execution. The vulnerability exists in the `add_deployment` function, which decodes and decrypts environment variables from base64 and assigns them to `os.environ`. An attacker can exploit this by sending a malicious payload to the `/config/update` endpoint, which is then processed and executed by the server when the `get_secret` function is triggered. This requires the server to use Google KMS and a database to store a model. | ||||
| CVE-2024-5683 | 2024-11-21 | 9.8 Critical | ||
| Improper Control of Generation of Code ('Code Injection') vulnerability in Next4Biz CRM & BPM Software Business Process Manangement (BPM) allows Remote Code Inclusion.This issue affects Business Process Manangement (BPM): from 6.6.4.4 before 6.6.4.5. | ||||
| CVE-2024-5407 | 2024-11-21 | 10 Critical | ||
| A vulnerability in RhinOS 3.0-1190 could allow PHP code injection through the "search" parameter in /portal/search.htm. This vulnerability could allow a remote attacker to perform a reverse shell on the remote system, compromising the entire infrastructure. | ||||
| CVE-2024-4889 | 1 Litellm | 1 Litellm | 2024-11-21 | 7.2 High |
| A code injection vulnerability exists in the berriai/litellm application, version 1.34.6, due to the use of unvalidated input in the eval function within the secret management system. This vulnerability requires a valid Google KMS configuration file to be exploitable. Specifically, by setting the `UI_LOGO_PATH` variable to a remote server address in the `get_image` function, an attacker can write a malicious Google KMS configuration file to the `cached_logo.jpg` file. This file can then be used to execute arbitrary code by assigning malicious code to the `SAVE_CONFIG_TO_DB` environment variable, leading to full system control. The vulnerability is contingent upon the use of the Google KMS feature. | ||||
| CVE-2024-4884 | 1 Progress | 1 Whatsup Gold | 2024-11-21 | 9.8 Critical |
| In WhatsUp Gold versions released before 2023.1.3, an unauthenticated Remote Code Execution vulnerability in Progress WhatsUpGold. The Apm.UI.Areas.APM.Controllers.CommunityController allows execution of commands with iisapppool\nmconsole privileges. | ||||
| CVE-2024-4883 | 1 Progress | 1 Whatsup Gold | 2024-11-21 | 9.8 Critical |
| In WhatsUp Gold versions released before 2023.1.3, a Remote Code Execution issue exists in Progress WhatsUp Gold. This vulnerability allows an unauthenticated attacker to achieve the RCE as a service account through NmApi.exe. | ||||