Total: 958 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-44109 | 1 Huawei | 2 Emui, Harmonyos | 2024-02-01 | N/A | 7.5 HIGH |
| Clone vulnerability in the huks ta module. Successful exploitation of this vulnerability may affect service confidentiality. | |||||
| CVE-2021-3169 | 1 Jumpserver | 1 Jumpserver | 2024-01-29 | 10.0 HIGH | 9.8 CRITICAL |
| An issue in Jumpserver before 2.6.2, before 2.5.4, before 2.4.5 allows attackers to create a connection token through an API which does not have access control and use it to access sensitive assets. | |||||
| CVE-2021-4245 | 1 Rfc6902 Project | 1 Rfc6902 | 2024-01-25 | N/A | 9.8 CRITICAL |
| A vulnerability classified as problematic has been found in chbrown rfc6902. This affects an unknown part of the file pointer.ts. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). The exploit has been disclosed to the public and may be used. The name of the patch is c006ce9faa43d31edb34924f1df7b79c137096cf. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-215883. | |||||
| CVE-2023-20057 | 1 Cisco | 13 Asyncos, Email Security Appliance C160, Email Security Appliance C170 and 10 more | 2024-01-25 | N/A | 5.3 MEDIUM |
| A vulnerability in the URL filtering mechanism of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to bypass the URL reputation filters on an affected device. This vulnerability is due to improper processing of URLs. An attacker could exploit this vulnerability by crafting a URL in a particular way. A successful exploit could allow the attacker to bypass the URL reputation filters that are configured for an affected device, which could allow malicious URLs to pass through the device. | |||||
| CVE-2022-20772 | 1 Cisco | 4 Email Security Appliance, Email Security Appliance Firmware, Secure Email And Web Manager and 1 more | 2024-01-25 | N/A | 5.3 MEDIUM |
| A vulnerability in Cisco Email Security Appliance (ESA) and Cisco Secure Email and Web Manager could allow an unauthenticated, remote attacker to conduct an HTTP response splitting attack. This vulnerability is due to the failure of the application or its environment to properly sanitize input values. An attacker could exploit this vulnerability by injecting malicious HTTP headers, controlling the response body, or splitting the response into multiple responses. | |||||
| CVE-2023-25613 | 1 Apache | 1 Identity Backend | 2024-01-24 | N/A | 9.8 CRITICAL |
| An LDAP Injection vulnerability exists in the LdapIdentityBackend of Apache Kerby before 2.0.3. | |||||
| CVE-2021-33621 | 2 Fedoraproject, Ruby-lang | 3 Fedora, Cgi, Ruby | 2024-01-24 | N/A | 8.8 HIGH |
| The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response splitting. This is relevant to applications that use untrusted user input either to generate an HTTP response or to create a CGI::Cookie object. | |||||
| CVE-2024-0552 | 1 Intumit | 2 Smartrobot, Smartrobot Firmware | 2024-01-23 | N/A | 9.8 CRITICAL |
| Intumit inc. SmartRobot's web framework has a remote code execution vulnerability. An unauthorized remote attacker can exploit this vulnerability to execute arbitrary commands on the remote server. | |||||
| CVE-2023-4818 | 1 Paxtechnology | 2 A920, Paydroid | 2024-01-19 | N/A | 7.6 HIGH |
| The PAX A920 device allows the bootloader to be downgraded due to a bug in its version check. The signature is correctly checked and only a bootloader signed by PAX can be used. The attacker must have physical USB access to the device in order to exploit this vulnerability. | |||||
| CVE-2023-42136 | 1 Paxtechnology | 9 A50, A6650, A77 and 6 more | 2024-01-19 | N/A | 7.8 HIGH |
| PAX Android based POS devices with PayDroid_8.1.0_Sagittarius_V11.1.50_20230614 or earlier can allow the execution of arbitrary commands with system account privilege by shell injection starting with a specific word. The attacker must have shell access to the device in order to exploit this vulnerability. | |||||
| CVE-2023-42135 | 1 Paxtechnology | 3 A50, A920 Pro, Paydroid | 2024-01-19 | N/A | 6.8 MEDIUM |
| PAX A920Pro/A50 devices with PayDroid_8.1.0_Sagittarius_V11.1.50_20230614 or earlier can allow local code execution via parameter injection by bypassing the input validation when flashing a specific partition. The attacker must have physical USB access to the device in order to exploit this vulnerability. | |||||
| CVE-2021-4227 | 1 Obg | 1 Ark Wysiwyg Comment Editor | 2024-01-19 | N/A | 5.3 MEDIUM |
| The ark-commenteditor WordPress plugin through 2.15.6 does not properly sanitise or encode the comments when in Source editor, allowing attackers to inject an iFrame in the page and thus load arbitrary content from any page to the comment section. | |||||
| CVE-2023-31025 | 1 Nvidia | 2 Dgx A100, Dgx A100 Firmware | 2024-01-18 | N/A | 7.5 HIGH |
| NVIDIA DGX A100 BMC contains a vulnerability where an attacker may cause an LDAP user injection. A successful exploit of this vulnerability may lead to information disclosure. | |||||
| CVE-2023-29050 | 1 Open-xchange | 1 Ox App Suite | 2024-01-12 | N/A | 9.6 CRITICAL |
| The optional "LDAP contacts provider" could be abused by privileged users to inject LDAP filter strings that allow access to content outside of the intended hierarchy. Unauthorized users could break confidentiality of information in the directory and potentially cause high load on the directory server, leading to denial of service. Encoding has been added for user-provided fragments that are used when constructing the LDAP query. No publicly available exploits are known. | |||||
| CVE-2024-21645 | 1 Pyload | 1 Pyload | 2024-01-11 | N/A | 5.3 MEDIUM |
| pyLoad is the free and open-source Download Manager written in pure Python. A log injection vulnerability was identified in `pyload` allowing any unauthenticated actor to inject arbitrary messages into the logs gathered by `pyload`. Forged or otherwise corrupted log files can be used to cover an attacker’s tracks or even to implicate another party in the commission of a malicious act. This vulnerability has been patched in version 0.5.0b3.dev77. | |||||
| CVE-2023-50093 | 1 Apiida | 1 Api Gateway Manager | 2024-01-09 | N/A | 6.1 MEDIUM |
| APIIDA API Gateway Manager for Broadcom Layer7 v2023.2.2 is vulnerable to Host Header Injection. | |||||
| CVE-2023-39655 | 1 Perfood | 1 Couchauth | 2024-01-09 | N/A | 9.6 CRITICAL |
| A host header injection vulnerability exists in the NPM package @perfood/couch-auth versions <= 0.20.0. By sending a specially crafted host header in the forgot password request, it is possible to send password reset links to users which, once clicked, lead to an attacker-controlled server and thus leak the password reset token. This may allow an attacker to reset other users' passwords and take over their accounts. | |||||
| CVE-2023-46468 | 1 Juzaweb | 1 Juzaweb Cms | 2024-01-09 | N/A | 7.8 HIGH |
| An issue in juzawebCMS v.3.4 and before allows a remote attacker to execute arbitrary code via a crafted file to the custom plugin function. | |||||
| CVE-2024-21623 | 1 Mehah | 1 Otclient | 2024-01-08 | N/A | 9.8 CRITICAL |
| OTCLient is an alternative tibia client for otserv. Prior to commit db560de0b56476c87a2f967466407939196dd254, the /mehah/otclient "`Analysis - SonarCloud`" workflow is vulnerable to an expression injection in Actions, allowing an attacker to run commands remotely on the runner, leak secrets, and alter the repository using this workflow. Commit db560de0b56476c87a2f967466407939196dd254 contains a fix for this issue. | |||||
| CVE-2023-7114 | 1 Mattermost | 1 Mattermost | 2024-01-05 | N/A | 8.8 HIGH |
| Mattermost version 2.10.0 and earlier fails to sanitize deeplink paths, which allows an attacker to perform CSRF attacks against the server. | |||||
