ReportizFlow
Filtered by vendor
Subscriptions
Total
30220 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-39822 | 1 Zoom | 5 Meeting Software Development Kit, Rooms, Rooms Controller and 2 more | 2024-09-05 | 6.5 Medium |
| Sensitive information exposure in some Zoom Workplace Apps, SDKs, Rooms Clients, and Rooms Controllers may allow an authenticated user to conduct an information disclosure via network access. | ||||
| CVE-2024-44930 | 2 Serilog, Serilog-contrib | 2 Serilog, Serilog-enrichers-clientinfo | 2024-09-04 | 6.5 Medium |
| Serilog before v2.1.0 was discovered to contain a Client IP Spoofing vulnerability, which allows attackers to falsify their IP addresses by specifying an arbitrary IP as a value of X-Forwarded-For or Client-Ip headers while performing HTTP requests. | ||||
| CVE-2024-39837 | 1 Mattermost | 1 Mattermost Server | 2024-09-04 | 3.8 Low |
| Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6 fail to properly restrict channel creation which allows a malicious remote to create arbitrary channels, when shared channels were enabled. | ||||
| CVE-2024-39839 | 1 Mattermost | 1 Mattermost Server | 2024-09-04 | 4.3 Medium |
| Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to disallow users to set their own remote username, when shared channels were enabled, which allows a user on a remote to set their remote username prop to an arbitrary string, which would be then synced to the local server as long as the user hadn't been synced before. | ||||
| CVE-2024-41144 | 1 Mattermost | 1 Mattermost Server | 2024-09-04 | 5.5 Medium |
| Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5, 9.8.x <= 9.8.1 fail to properly validate synced posts, when shared channels are enabled, which allows a malicious remote to create/update/delete arbitrary posts in arbitrary channels | ||||
| CVE-2024-41162 | 1 Mattermost | 1 Mattermost Server | 2024-09-04 | 4.1 Medium |
| Mattermost versions 9.9.x <= 9.9.0, 9.5.x <= 9.5.6, 9.7.x <= 9.7.5 and 9.8.x <= 9.8.1 fail to disallow the modification of local channels by a remote, when shared channels are enabled, which allows a malicious remote to make an arbitrary local channel read-only. | ||||
| CVE-2024-41369 | 1 Sourcefabric | 2 Phoniebox, Rpi-jukebox-rfid | 2024-09-04 | 9.8 Critical |
| RPi-Jukebox-RFID v2.7.0 was discovered to contain a remote code execution (RCE) vulnerability via htdocs\inc.setWifi.php | ||||
| CVE-2024-39579 | 1 Dell | 1 Powerscale Onefs | 2024-09-03 | 6.7 Medium |
| Dell PowerScale OneFS versions 8.2.2.x through 9.8.0.0 contains an incorrect privilege assignment vulnerability. A local high privileged attacker could potentially exploit this vulnerability to gain root-level access. | ||||
| CVE-2024-42978 | 1 Tenda | 2 Fh1206, Fh1206 Firmware | 2024-09-03 | 9.8 Critical |
| An issue in the handler function in /goform/telnet of Tenda FH1206 v02.03.01.35 allows attackers to execute arbitrary commands via a crafted HTTP request. | ||||
| CVE-2024-7851 | 2 Oretnom23, Sourcecodester | 2 Yoga Class Registration System, Yoga Class Registration System | 2024-09-03 | 6.3 Medium |
| A vulnerability has been found in SourceCodester Yoga Class Registration System 1.0 and classified as critical. This vulnerability affects unknown code of the file /classes/Users.php?f=save of the component Add User Handler. The manipulation leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-7925 | 1 Zzcms | 1 Zzcms | 2024-09-03 | 4.3 Medium |
| A vulnerability was found in ZZCMS 2023. It has been rated as problematic. This issue affects some unknown processing of the file 3/E_bak5.1/upload/eginfo.php. The manipulation of the argument phome with the input ShowPHPInfo leads to information disclosure. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2024-43380 | 1 Floraison | 1 Fugit | 2024-09-03 | 5.3 Medium |
| fugit contains time tools for flor and the floraison group. The fugit "natural" parser, that turns "every wednesday at 5pm" into "0 17 * * 3", accepted any length of input and went on attempting to parse it, not returning promptly, as expected. The parse call could hold the thread with no end in sight. Fugit dependents that do not check (user) input length for plausibility are impacted. A fix was released in fugit 1.11.1. | ||||
| CVE-2024-25562 | 1 Intel | 2 Distribution For Gdb, Oneapi Base Toolkit | 2024-08-31 | 5.8 Medium |
| Improper buffer restrictions in some Intel(R) Distribution for GDB software before version 2024.0.1 may allow an authenticated user to potentially enable denial of service via local access. | ||||
| CVE-2024-24973 | 1 Intel | 2 Distribution For Gdb, Oneapi Base Toolkit | 2024-08-31 | 2.2 Low |
| Improper input validation for some Intel(R) Distribution for GDB software before version 2024.0.1 may allow an authenticated user to potentially enable denial of service via local access. | ||||
| CVE-2024-42339 | 1 Cyberark | 1 Identity | 2024-08-30 | 4.3 Medium |
| CyberArk - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor | ||||
| CVE-2024-44070 | 2 Frrouting, Redhat | 2 Frrouting, Enterprise Linux | 2024-08-30 | 9.8 Critical |
| An issue was discovered in FRRouting (FRR) through 10.1. bgp_attr_encap in bgpd/bgp_attr.c does not check the actual remaining stream length before taking the TLV value. | ||||
| CVE-2024-4428 | 1 Menulux | 2 Management Portal, Managment Portal | 2024-08-30 | 9.8 Critical |
| Improper Privilege Management vulnerability in Menulux Information Technologies Managment Portal allows Collect Data as Provided by Users.This issue affects Managment Portal: through 21.05.2024. | ||||
| CVE-2024-8182 | 1 Flowiseai | 1 Flowise | 2024-08-30 | 7.5 High |
| An Unauthenticated Denial of Service (DoS) vulnerability exists in Flowise version 1.8.2 leading to a complete crash of the instance running a vulnerable version due to improper handling of user supplied input to the “/api/v1/get-upload-file” api endpoint. | ||||
| CVE-2024-42467 | 1 Openhab | 2 Openhab Web Interface, Openhab Webui | 2024-08-29 | 10 Critical |
| openHAB, a provider of open-source home automation software, has add-ons including the visualization add-on CometVisu. Prior to version 4.2.1, the proxy endpoint of openHAB's CometVisu add-on can be accessed without authentication. This proxy-feature can be exploited as Server-Side Request Forgery (SSRF) to induce GET HTTP requests to internal-only servers, in case openHAB is exposed in a non-private network. Furthermore, this proxy-feature can also be exploited as a Cross-Site Scripting (XSS) vulnerability, as an attacker is able to re-route a request to their server and return a page with malicious JavaScript code. Since the browser receives this data directly from the openHAB CometVisu UI, this JavaScript code will be executed with the origin of the CometVisu UI. This allows an attacker to exploit call endpoints on an openHAB server even if the openHAB server is located in a private network. (e.g. by sending an openHAB admin a link that proxies malicious JavaScript.) This issue may lead up to Remote Code Execution (RCE) when chained with other vulnerabilities. Users should upgrade to version 4.2.1 of the CometVisu add-on of openHAB to receive a patch. | ||||
| CVE-2024-7610 | 1 Gitlab | 1 Gitlab | 2024-08-29 | 4.3 Medium |
| A Denial of Service (DoS) condition has been discovered in GitLab CE/EE affecting all versions starting with 15.9 before 17.0.6, 17.1 prior to 17.1.4, and 17.2 prior to 17.2.2. It is possible for an attacker to cause catastrophic backtracking while parsing results from Elasticsearch. | ||||