Recent CVE entries


30 Latest CVEs. The New badge indicates CVEs published in the past 24 hours.

CVE-2023-52060
Last updated 2 hours ago
Summary:
A Cross-Site Request Forgery (CSRF) in Gestsup v3.2.46 allows attackers to arbitrarily edit user profile information via a crafted request.
CWE ID:
CWE-352 
CVSS Score:
0.0
References:
Published:
2024-02-13 01:15:00
Last Modified:
2024-10-03 19:58:00
CVE-2024-36359
Last updated 3 hours ago
Summary:
A cross-site scripting (XSS) vulnerability in Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 could allow an attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
CWE ID:
CWE-79 
CVSS Score:
0.0
References:
Published:
2024-06-10 22:15:00
Last Modified:
2024-10-03 19:49:00
CVE-2024-3467
Last updated 3 hours ago
Summary:
There is a vulnerability in AVEVA PI Asset Framework Client that could allow malicious code to execute on the PI System Explorer environment under the privileges of an interactive user that was socially engineered to import XML supplied by an attacker.
CWE ID:
CWE-502 
CVSS Score:
0.0
References:
Published:
2024-06-12 21:15:00
Last Modified:
2024-10-03 19:47:00
CVE-2024-37280
Last updated 3 hours ago
Summary:
A flaw was discovered in Elasticsearch, affecting document ingestion when an index template contains a dynamic field mapping of "passthrough" type. Under certain circumstances, ingesting documents into this index would cause a StackOverflow exception to be thrown and ultimately lead to a Denial of Service. Note that passthrough fields are an experimental feature.
CWE ID:
CWE-787 
CVSS Score:
0.0
References:
Published:
2024-06-13 17:15:00
Last Modified:
2024-10-03 19:37:00
CVE-2024-38280
Last updated 3 hours ago
Summary:
An unauthorized user is able to gain access to sensitive data, including credentials, by physically retrieving the hard disk of the product as the data is stored in clear text.
CWE ID:
CWE-312 
CVSS Score:
0.0
References:
Published:
2024-06-13 17:15:00
Last Modified:
2024-10-03 19:36:00
CVE-2024-41592
New
Last updated 3 hours ago
Summary:
DrayTek Vigor3910 devices through 4.3.2.6 have a stack-based overflow when processing query string parameters because GetCGI mishandles extraneous ampersand characters and long key-value pairs.
CWE ID:
Unknown
CVSS Score:
0.0
References:
Published:
2024-10-03 19:15:00
Last Modified:
2024-10-03 19:35:00
CVE-2024-41595
New
Last updated 3 hours ago
Summary:
DrayTek Vigor310 devices through 4.3.2.6 allow a remote attacker to change settings or cause a denial of service via .cgi pages because of missing bounds checks on read and write operations.
CWE ID:
Unknown
CVSS Score:
0.0
References:
Published:
2024-10-03 19:15:00
Last Modified:
2024-10-03 19:35:00
CVE-2024-41596
New
Last updated 3 hours ago
Summary:
Buffer Overflow vulnerabilities exist in DrayTek Vigor310 devices through 4.3.2.6 (in the Vigor management UI) because of improper retrieval and handling of the CGI form parameters.
CWE ID:
Unknown
CVSS Score:
0.0
References:
Published:
2024-10-03 19:15:00
Last Modified:
2024-10-03 19:35:00
CVE-2024-41583
New
Last updated 3 hours ago
Summary:
DrayTek Vigor3910 devices through 4.3.2.6 are vulnerable to stored Cross Site Scripting (XSS) by authenticated users due to poor sanitization of the router name.
CWE ID:
Unknown
CVSS Score:
0.0
References:
Published:
2024-10-03 19:15:00
Last Modified:
2024-10-03 19:35:00
CVE-2024-41584
New
Last updated 3 hours ago
Summary:
DrayTek Vigor3910 devices through 4.3.2.6 are vulnerable to reflected XSS by authenticated users, caused by missing validation of the sFormAuthStr parameter.
CWE ID:
Unknown
CVSS Score:
0.0
References:
Published:
2024-10-03 19:15:00
Last Modified:
2024-10-03 19:35:00
CVE-2024-47561
New
Last updated 3 hours ago
Summary:
Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code. Users are recommended to upgrade to version 1.11.4 or 1.12.0, which fix this issue.
CWE ID:
CWE-502 
CVSS Score:
0.0
References:
Published:
2024-10-03 11:15:00
Last Modified:
2024-10-03 19:35:00
CVE-2021-35309
Last updated 3 hours ago
Summary:
An issue discovered in Samsung SyncThru Web Service SPL 5.93 06-09-2014 allows attackers to gain escalated privileges via MITM attacks.
CWE ID:
NVD-CWE-noinfo 
CVSS Score:
0.0
References:
Published:
2023-08-22 19:16:00
Last Modified:
2024-10-03 19:35:00
CVE-2022-36799
Last updated 3 hours ago
Summary:
This issue exists to document that a security improvement in the way that Jira Server and Data Center use templates has been implemented. Affected versions of Atlassian Jira Server and Data Center allowed remote attackers with system administrator permissions to execute arbitrary code via Template Injection leading to Remote Code Execution (RCE) in the Email Templates feature. In this case the security improvement was to protect against using the XStream library to be able to execute arbitrary code in velocity templates. The affected versions are before version 8.13.19, from version 8.14.0 before 8.20.7, and from version 8.21.0 before 8.22.1.
CWE ID:
CWE-94 
CVSS Score:
0.0
References:
Published:
2022-08-01 11:15:00
Last Modified:
2024-10-03 19:35:00
CVE-2018-2628
Last updated 3 hours ago
Summary:
Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
CWE ID:
CWE-502 
CVSS Score:
7.5
References:
Published:
2018-04-19 02:29:00
Last Modified:
2024-10-03 19:35:00
CVE-2023-41354
Last updated 3 hours ago
Summary:
The firewall function of the Chunghwa Telecom NOKIA G-040W-Q does not block ICMP TIMESTAMP requests by default; an unauthenticated remote attacker can exploit this vulnerability by sending a crafted packet, resulting in partially sensitive information being exposed to an actor.
CWE ID:
NVD-CWE-noinfo 
CVSS Score:
0.0
References:
Published:
2023-11-03 06:15:00
Last Modified:
2024-10-03 19:24:00
CVE-2020-12069
Last updated 3 hours ago
Summary:
In CODESYS V3 products in all versions prior to V3.5.16.0 containing the CmpUserMgr, the CODESYS Control runtime system stores the online communication passwords using a weak hashing algorithm. This can be used by a local attacker with low privileges to gain full control of the device.
CWE ID:
CWE-916 
CVSS Score:
0.0
References:
Published:
2022-12-26 19:15:00
Last Modified:
2024-10-03 19:18:00
CVE-2024-41586
New
Last updated 3 hours ago
Summary:
A stack-based Buffer Overflow vulnerability in DrayTek Vigor310 devices through 4.3.2.6 allows a remote attacker to execute arbitrary code via a long query string to the cgi-bin/ipfedr.cgi component.
CWE ID:
Unknown
CVSS Score:
0.0
References:
Published:
2024-10-03 19:15:00
Last Modified:
2024-10-03 19:15:00
CVE-2024-41588
New
Last updated 3 hours ago
Summary:
The CGI endpoints v2x00.cgi and cgiwcg.cgi of DrayTek Vigor3910 devices through 4.3.2.6 are vulnerable to buffer overflows, by authenticated users, because of missing bounds checking on parameters passed through POST requests to the strncpy function.
CWE ID:
Unknown
CVSS Score:
0.0
References:
Published:
2024-10-03 19:15:00
Last Modified:
2024-10-03 19:15:00
CVE-2024-41589
New
Last updated 3 hours ago
Summary:
DrayTek Vigor310 devices through 4.3.2.6 use unencrypted HTTP for authentication requests.
CWE ID:
Unknown
CVSS Score:
0.0
References:
Published:
2024-10-03 19:15:00
Last Modified:
2024-10-03 19:15:00
CVE-2024-41590
New
Last updated 3 hours ago
Summary:
Several CGI endpoints are vulnerable to buffer overflows, by authenticated users, because of missing bounds checking on parameters passed through POST requests to the strcpy function on DrayTek Vigor310 devices through 4.3.2.6.
CWE ID:
Unknown
CVSS Score:
0.0
References:
Published:
2024-10-03 19:15:00
Last Modified:
2024-10-03 19:15:00
CVE-2024-41591
New
Last updated 3 hours ago
Summary:
DrayTek Vigor3910 devices through 4.3.2.6 allow unauthenticated DOM-based reflected XSS.
CWE ID:
Unknown
CVSS Score:
0.0
References:
Published:
2024-10-03 19:15:00
Last Modified:
2024-10-03 19:15:00
CVE-2024-41593
New
Last updated 3 hours ago
Summary:
DrayTek Vigor310 devices through 4.3.2.6 allow a remote attacker to execute arbitrary code via the function ft_payload_dns(), because a byte sign-extension operation occurs for the length argument of a _memcpy call, leading to a heap-based Buffer Overflow.
CWE ID:
Unknown
CVSS Score:
0.0
References:
Published:
2024-10-03 19:15:00
Last Modified:
2024-10-03 19:15:00
CVE-2024-41594
New
Last updated 3 hours ago
Summary:
An issue in DrayTek Vigor310 devices through 4.3.2.6 allows an attacker to obtain sensitive information because the httpd server of the Vigor management UI uses a static string for seeding the PRNG of OpenSSL.
CWE ID:
Unknown
CVSS Score:
0.0
References:
Published:
2024-10-03 19:15:00
Last Modified:
2024-10-03 19:15:00
CVE-2024-9266
New
Last updated 3 hours ago
Summary:
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Express. This vulnerability affects the use of the Express Response object. This issue impacts Express: from 3.4.5 before 4.0.0.
CWE ID:
Unknown
CVSS Score:
0.0
References:
Published:
2024-10-03 19:15:00
Last Modified:
2024-10-03 19:15:00
CVE-2024-41585
New
Last updated 3 hours ago
Summary:
DrayTek Vigor3910 devices through 4.3.2.6 are affected by an OS command injection vulnerability that allows an attacker to leverage the recvCmd binary to escape from the emulated instance and inject arbitrary commands into the host machine.
CWE ID:
Unknown
CVSS Score:
0.0
References:
Published:
2024-10-03 19:15:00
Last Modified:
2024-10-03 19:15:00
CVE-2024-41587
New
Last updated 3 hours ago
Summary:
Stored XSS, by authenticated users, is caused by poor sanitization of the Login Page Greeting message in DrayTek Vigor310 devices through 4.3.2.6.
CWE ID:
Unknown
CVSS Score:
0.0
References:
Published:
2024-10-03 19:15:00
Last Modified:
2024-10-03 19:15:00
CVE-2023-48387
Last updated 4 hours ago
Summary:
TAIWAN-CA(TWCA) JCICSecurityTool fails to check the source website and access locations when executing multiple Registry-related functions. In the scenario where a user is using the JCICSecurityTool and has completed identity verification, if the user browses a malicious webpage created by an attacker, the attacker can exploit this vulnerability to read or modify any registry file under HKEY_CURRENT_USER, thereby achieving remote code execution.
CWE ID:
NVD-CWE-noinfo 
CVSS Score:
0.0
References:
Published:
2023-12-15 09:15:00
Last Modified:
2024-10-03 18:40:00
CVE-2024-7732
Last updated 4 hours ago
Summary:
Dr.ID Access Control System from SECOM does not properly validate a specific page parameter, allowing unauthenticated remote attackers to inject SQL commands to read, modify, and delete database contents.
CWE ID:
CWE-89 
CVSS Score:
0.0
References:
Published:
2024-08-14 07:15:00
Last Modified:
2024-10-03 18:39:00