Filtered by vendor
Subscriptions
Total
329 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2022-22399 | 1 Ibm | 1 Aspera Faspex | 2025-01-14 | 5.4 Medium |
IBM Aspera Faspex 5.0.0 and 5.0.1 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. IBM X-Force ID: 222562. | ||||
CVE-2018-8920 | 1 Synology | 1 Diskstation Manager | 2025-01-14 | 7.2 High |
Improper neutralization of escape vulnerability in Log Exporter in Synology DiskStation Manager (DSM) before 6.1.6-15266 allows remote attackers to inject arbitrary content to have an unspecified impact by exporting an archive in CSV format. | ||||
CVE-2023-29543 | 1 Mozilla | 2 Firefox, Focus | 2025-01-10 | 8.8 High |
An attacker could have caused memory corruption and a potentially exploitable use-after-free of a pointer in a global object's debugger vector. This vulnerability affects Firefox for Android < 112, Firefox < 112, and Focus for Android < 112. | ||||
CVE-2023-29541 | 2 Mozilla, Redhat | 9 Firefox, Firefox Esr, Focus and 6 more | 2025-01-10 | 8.8 High |
Firefox did not properly handle downloads of files ending in <code>.desktop</code>, which can be interpreted to run attacker-controlled commands. <br>*This bug only affects Firefox for Linux on certain Distributions. Other operating systems are unaffected, and Mozilla is unable to enumerate all affected Linux Distributions.*. This vulnerability affects Firefox < 112, Focus for Android < 112, Firefox ESR < 102.10, Firefox for Android < 112, and Thunderbird < 102.10. | ||||
CVE-2024-55663 | 1 Xwiki | 1 Xwiki | 2025-01-10 | 9.8 Critical |
XWiki Platform is a generic wiki platform. Starting in version 6.3-milestone-2 and prior to versions 13.10.5 and 14.3-rc-1, in `getdocument.vm`; the ordering of the returned documents is defined from an unsanitized request parameter (request.sort) and can allow any user to inject HQL. Depending on the used database backend, the attacker may be able to not only obtain confidential information such as password hashes from the database, but also execute UPDATE/INSERT/DELETE queries. This has been patched in 13.10.5 and 14.3-rc-1. There is no known workaround, other than upgrading XWiki. | ||||
CVE-2024-10006 | 1 Hashicorp | 1 Consul | 2025-01-10 | 8.3 High |
A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that using Headers in L7 traffic intentions could bypass HTTP header based access rules. | ||||
CVE-2023-1711 | 1 Hitachienergy | 2 Foxman-un, Unem | 2025-01-10 | 4 Medium |
A vulnerability exists in a FOXMAN-UN and UNEM logging component, it only affects systems that use remote authentication to the network elements. If exploited an attacker could obtain confidential information. List of CPEs: * cpe:2.3:a:hitachienergy:foxman_un:R9C:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman_un:R10C:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman_un:R11A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman_un:R11B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman_un:R14A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman_un:R14B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman_un:R15A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman_un:R15B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy:foxman_un:R16A:*:*:*:*:*:*:* * * cpe:2.3:a:hitachienergy:unem:R9C:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy: unem :R10C:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy: unem :R11A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy: unem :R11B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy: unem :R14A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy: unem :R14B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy: unem :R15A:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy: unem :R15B:*:*:*:*:*:*:* * cpe:2.3:a:hitachienergy: unem :R16A:*:*:*:*:*:*:* | ||||
CVE-2023-23599 | 2 Mozilla, Redhat | 8 Firefox, Firefox Esr, Thunderbird and 5 more | 2025-01-09 | 6.5 Medium |
When copying a network request from the developer tools panel as a curl command the output was not being properly sanitized and could allow arbitrary commands to be hidden within. This vulnerability affects Firefox < 109, Thunderbird < 102.7, and Firefox ESR < 102.7. | ||||
CVE-2023-28952 | 1 Ibm | 1 Cognos Controller | 2025-01-07 | 5.3 Medium |
IBM Cognos Controller 10.4.1, 10.4.2, and 11.0.0 is vulnerable to injection attacks in application logging by not sanitizing user provided data. IBM X-Force ID: 251463. | ||||
CVE-2023-3190 | 1 Teampass | 1 Teampass | 2025-01-06 | 4.6 Medium |
Improper Encoding or Escaping of Output in GitHub repository nilsteampassnet/teampass prior to 3.0.9. | ||||
CVE-2023-32301 | 1 Discourse | 1 Discourse | 2025-01-03 | 3.1 Low |
Discourse is an open source discussion platform. Prior to version 3.0.4 of the `stable` branch and version 3.1.0.beta5 of the `beta` and `tests-passed` branches, multiple duplicate topics could be created if topic embedding is enabled. This issue is patched in version 3.0.4 of the `stable` branch and version 3.1.0.beta5 of the `beta` and `tests-passed` branches. As a workaround, disable topic embedding if it has been enabled. | ||||
CVE-2024-47528 | 1 Librenms | 1 Librenms | 2024-12-20 | 4.8 Medium |
LibreNMS is an open-source, PHP/MySQL/SNMP-based network monitoring system. Stored Cross-Site Scripting (XSS) can be achieved by uploading a new Background for a Custom Map. Users with "admin" role can set background for a custom map, this allow the upload of SVG file that can contain XSS payload which will trigger on load. This led to Stored Cross-Site Scripting (XSS). The vulnerability is fixed in 24.9.0. | ||||
CVE-2024-46547 | 2024-12-11 | 7.5 High | ||
A vulnerability was found in Romain Bourdon Wampserver all versions (discovered in v3.2.3 and v3.2.6) where unauthorized users could access sensitive information due to improper access control validation via PHP Info Page. This issue can lead to data leaks. | ||||
CVE-2018-9433 | 1 Google | 1 Android | 2024-11-23 | 9.8 Critical |
In ArrayConcatVisitor of builtins-array.cc, there is a possible type confusion due to improper input validation. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. | ||||
CVE-2024-4177 | 1 Bitdefender | 1 Gravityzone | 2024-11-21 | 8.1 High |
A host whitelist parser issue in the proxy service implemented in the GravityZone Update Server allows an attacker to cause a server-side request forgery. This issue only affects GravityZone Console versions before 6.38.1-2 that are running only on premise. | ||||
CVE-2024-39736 | 1 Ibm | 2 Datacap, Datacap Navigator | 2024-11-21 | 6.5 Medium |
IBM Datacap Navigator 9.1.5, 9.1.6, 9.1.7, 9.1.8, and 9.1.9 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. IBM X-Force ID: 296003. | ||||
CVE-2024-27629 | 1 Rordenlab | 1 Dcm2niix | 2024-11-21 | 7.8 High |
An issue in dc2niix before v.1.0.20240202 allows a local attacker to execute arbitrary code via the generated file name is not properly escaped and injected into a system call when certain types of compression are used. | ||||
CVE-2024-22229 | 1 Dell | 3 Unity Operating Environment, Unity Xt Operating Environment, Unityvsa Operating Environment | 2024-11-21 | 3.1 Low |
Dell Unity, versions prior to 5.4, contain a vulnerability whereby log messages can be spoofed by an authenticated attacker. An attacker could exploit this vulnerability to forge log entries, create false alarms, and inject malicious content into logs that compromise logs integrity. A malicious attacker could also prevent the product from logging information while malicious actions are performed or implicate an arbitrary user for malicious activities. | ||||
CVE-2024-22199 | 1 Gofiber | 1 Django | 2024-11-21 | 9.3 Critical |
This package provides universal methods to use multiple template engines with the Fiber web framework using the Views interface. This vulnerability specifically impacts web applications that render user-supplied data through this template engine, potentially leading to the execution of malicious scripts in users' browsers when visiting affected web pages. The vulnerability has been addressed, the template engine now defaults to having autoescape set to `true`, effectively mitigating the risk of XSS attacks. | ||||
CVE-2024-1064 | 1 Craftycontrol | 1 Crafty Controller | 2024-11-21 | 7.5 High |
A host header injection vulnerability in the HTTP handler component of Crafty Controller allows a remote, unauthenticated attacker to trigger a Denial of Service (DoS) condition via a modified host header |