Recent CVE entries
Stay updated about the Latest Security Vulnerabilities
30 Latest CVEs. The New badge indicates CVEs published in the past 24 hours.
CVE-2023-52060
0.0
Last updated 2 hours ago
- Summary:
- A Cross-Site Request Forgery (CSRF) in Gestsup v3.2.46 allows attackers to arbitrarily edit user profile information via a crafted request.
- CWE ID:
- CWE-352
- CVSS Score:
- 0.0
- References:
- Published:
- 2024-02-13 01:15:00
- Last Modified:
- 2024-10-03 19:58:00
CVE-2024-36359
0.0
Last updated 3 hours ago
- Summary:
- A cross-site scripting (XSS) vulnerability in Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 could allow an attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
- CWE ID:
- CWE-79
- CVSS Score:
- 0.0
- References:
- Published:
- 2024-06-10 22:15:00
- Last Modified:
- 2024-10-03 19:49:00
CVE-2024-3467
0.0
Last updated 3 hours ago
- Summary:
- There is a vulnerability in AVEVA PI Asset Framework Client that could allow malicious code to execute on the PI System Explorer environment under the privileges of an interactive user that was socially engineered to import XML supplied by an attacker.
- CWE ID:
- CWE-502
- CVSS Score:
- 0.0
- References:
- Published:
- 2024-06-12 21:15:00
- Last Modified:
- 2024-10-03 19:47:00
CVE-2024-37280
0.0
Last updated 3 hours ago
- Summary:
- A flaw was discovered in Elasticsearch, affecting document ingestion when an index template contains a dynamic field mapping of “passthrough” type. Under certain circumstances, ingesting documents in this index would cause a StackOverflow exception to be thrown and ultimately lead to a Denial of Service. Note that passthrough fields are an experimental feature.
- CWE ID:
- CWE-787
- CVSS Score:
- 0.0
- References:
- Published:
- 2024-06-13 17:15:00
- Last Modified:
- 2024-10-03 19:37:00
CVE-2024-38280
0.0
Last updated 3 hours ago
- Summary:
- An unauthorized user is able to gain access to sensitive data, including credentials, by physically retrieving the hard disk of the product as the data is stored in clear text.
- CWE ID:
- CWE-312
- CVSS Score:
- 0.0
- References:
- Published:
- 2024-06-13 17:15:00
- Last Modified:
- 2024-10-03 19:36:00
CVE-2024-41592
New
0.0
Last updated 3 hours ago
- Summary:
- DrayTek Vigor3910 devices through 4.3.2.6 have a stack-based overflow when processing query string parameters because GetCGI mishandles extraneous ampersand characters and long key-value pairs.
- CWE ID:
- Unknown
- CVSS Score:
- 0.0
- References:
- Published:
- 2024-10-03 19:15:00
- Last Modified:
- 2024-10-03 19:35:00
CVE-2024-41595
New
0.0
Last updated 3 hours ago
- Summary:
- DrayTek Vigor310 devices through 4.3.2.6 allow a remote attacker to change settings or cause a denial of service via .cgi pages because of missing bounds checks on read and write operations.
- CWE ID:
- Unknown
- CVSS Score:
- 0.0
- References:
- Published:
- 2024-10-03 19:15:00
- Last Modified:
- 2024-10-03 19:35:00
CVE-2024-41596
New
0.0
Last updated 3 hours ago
- Summary:
- Buffer Overflow vulnerabilities exist in DrayTek Vigor310 devices through 4.3.2.6 (in the Vigor management UI) because of improper retrieval and handling of the CGI form parameters.
- CWE ID:
- Unknown
- CVSS Score:
- 0.0
- References:
- Published:
- 2024-10-03 19:15:00
- Last Modified:
- 2024-10-03 19:35:00
CVE-2024-41583
New
0.0
Last updated 3 hours ago
- Summary:
- DrayTek Vigor3910 devices through 4.3.2.6 are vulnerable to stored Cross Site Scripting (XSS) by authenticated users due to poor sanitization of the router name.
- CWE ID:
- Unknown
- CVSS Score:
- 0.0
- References:
- Published:
- 2024-10-03 19:15:00
- Last Modified:
- 2024-10-03 19:35:00
CVE-2024-41584
New
0.0
Last updated 3 hours ago
- Summary:
- DrayTek Vigor3910 devices through 4.3.2.6 are vulnerable to reflected XSS by authenticated users, caused by missing validation of the sFormAuthStr parameter.
- CWE ID:
- Unknown
- CVSS Score:
- 0.0
- References:
- Published:
- 2024-10-03 19:15:00
- Last Modified:
- 2024-10-03 19:35:00
CVE-2024-47561
New
0.0
Last updated 3 hours ago
- Summary:
- Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code. Users are recommended to upgrade to version 1.11.4 or 1.12.0, which fix this issue.
- CWE ID:
- CWE-502
- CVSS Score:
- 0.0
- References:
- Published:
- 2024-10-03 11:15:00
- Last Modified:
- 2024-10-03 19:35:00
CVE-2021-35309
0.0
Last updated 3 hours ago
- Summary:
- An issue discovered in Samsung SyncThru Web Service SPL 5.93 06-09-2014 allows attackers to gain escalated privileges via MITM attacks.
- CWE ID:
- NVD-CWE-noinfo
- CVSS Score:
- 0.0
- References:
- Published:
- 2023-08-22 19:16:00
- Last Modified:
- 2024-10-03 19:35:00
CVE-2023-2135
0.0
Last updated 3 hours ago
- Summary:
- Use after free in DevTools in Google Chrome prior to 112.0.5615.137 allowed a remote attacker who convinced a user to enable specific preconditions to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
- CWE ID:
- CWE-416
- CVSS Score:
- 0.0
- References:
- https://crbug.com/1424337
- https://chromereleases.googleblog.com/2023/04/stable-channel-update-for-desktop_18.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FEJZMAUB4XP44HSHEBDWEKFGA7DUHY42/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4AOSGAOPXLBK4A5ZRTVZ4M6QKVLSWMWG/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RJQI63HWZFL6M26Q6UOHKDY6LD2PFC5Z/
- https://www.debian.org/security/2023/dsa-5393
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IHHD6KNH4WLUE6JG6HRQZWNAJMHJ32X7/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SLO7BL2MHZYPY6O3OAEAQL3SKYMGGO6M/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ES2CDRHR2Y4WY6DNDIAPYZFXJU3ZBFAV/
- https://security.gentoo.org/glsa/202309-17
- Published:
- 2023-04-19 04:15:00
- Last Modified:
- 2024-10-03 19:35:00
CVE-2023-2137
0.0
Last updated 3 hours ago
- Summary:
- Heap buffer overflow in sqlite in Google Chrome prior to 112.0.5615.137 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
- CWE ID:
- CWE-787
- CVSS Score:
- 0.0
- References:
- https://crbug.com/1430644
- https://chromereleases.googleblog.com/2023/04/stable-channel-update-for-desktop_18.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FEJZMAUB4XP44HSHEBDWEKFGA7DUHY42/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4AOSGAOPXLBK4A5ZRTVZ4M6QKVLSWMWG/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RJQI63HWZFL6M26Q6UOHKDY6LD2PFC5Z/
- https://www.debian.org/security/2023/dsa-5393
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IHHD6KNH4WLUE6JG6HRQZWNAJMHJ32X7/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SLO7BL2MHZYPY6O3OAEAQL3SKYMGGO6M/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ES2CDRHR2Y4WY6DNDIAPYZFXJU3ZBFAV/
- https://security.gentoo.org/glsa/202309-17
- Published:
- 2023-04-19 04:15:00
- Last Modified:
- 2024-10-03 19:35:00
CVE-2022-36799
0.0
Last updated 3 hours ago
- Summary:
- This issue exists to document that a security improvement in the way that Jira Server and Data Center use templates has been implemented. Affected versions of Atlassian Jira Server and Data Center allowed remote attackers with system administrator permissions to execute arbitrary code via Template Injection leading to Remote Code Execution (RCE) in the Email Templates feature. In this case the security improvement was to protect against using the XStream library to be able to execute arbitrary code in velocity templates. The affected versions are before version 8.13.19, from version 8.14.0 before 8.20.7, and from version 8.21.0 before 8.22.1.
- CWE ID:
- CWE-94
- CVSS Score:
- 0.0
- References:
- Published:
- 2022-08-01 11:15:00
- Last Modified:
- 2024-10-03 19:35:00
CVE-2018-2628
7.5
Last updated 3 hours ago
- Summary:
- Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
- CWE ID:
- CWE-502
- CVSS Score:
- 7.5
- References:
- http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
- http://www.securitytracker.com/id/1040696
- http://www.securityfocus.com/bid/103776
- https://github.com/brianwrf/CVE-2018-2628
- https://www.exploit-db.com/exploits/44553/
- https://www.exploit-db.com/exploits/45193/
- https://www.exploit-db.com/exploits/46513/
- Published:
- 2018-04-19 02:29:00
- Last Modified:
- 2024-10-03 19:35:00
CVE-2023-41354
0.0
Last updated 3 hours ago
- Summary:
- Chunghwa Telecom NOKIA G-040W-Q Firewall function does not block ICMP TIMESTAMP requests by default; an unauthenticated remote attacker can exploit this vulnerability by sending a crafted package, resulting in partially sensitive information exposed to an actor.
- CWE ID:
- NVD-CWE-noinfo
- CVSS Score:
- 0.0
- References:
- Published:
- 2023-11-03 06:15:00
- Last Modified:
- 2024-10-03 19:24:00
CVE-2020-12069
0.0
Last updated 3 hours ago
- Summary:
- In CODESYS V3 products in all versions prior to V3.5.16.0 containing the CmpUserMgr, the CODESYS Control runtime system stores the online communication passwords using a weak hashing algorithm. This can be used by a local attacker with low privileges to gain full control of the device.
- CWE ID:
- CWE-916
- CVSS Score:
- 0.0
- References:
- Published:
- 2022-12-26 19:15:00
- Last Modified:
- 2024-10-03 19:18:00
CVE-2024-41586
New
0.0
Last updated 3 hours ago
- Summary:
- A stack-based Buffer Overflow vulnerability in DrayTek Vigor310 devices through 4.3.2.6 allows a remote attacker to execute arbitrary code via a long query string to the cgi-bin/ipfedr.cgi component.
- CWE ID:
- Unknown
- CVSS Score:
- 0.0
- References:
- Published:
- 2024-10-03 19:15:00
- Last Modified:
- 2024-10-03 19:15:00
CVE-2024-41588
New
0.0
Last updated 3 hours ago
- Summary:
- The CGI endpoints v2x00.cgi and cgiwcg.cgi of DrayTek Vigor3910 devices through 4.3.2.6 are vulnerable to buffer overflows, by authenticated users, because of missing bounds checking on parameters passed through POST requests to the strncpy function.
- CWE ID:
- Unknown
- CVSS Score:
- 0.0
- References:
- Published:
- 2024-10-03 19:15:00
- Last Modified:
- 2024-10-03 19:15:00
CVE-2024-41589
New
0.0
Last updated 3 hours ago
- Summary:
- DrayTek Vigor310 devices through 4.3.2.6 use unencrypted HTTP for authentication requests.
- CWE ID:
- Unknown
- CVSS Score:
- 0.0
- References:
- Published:
- 2024-10-03 19:15:00
- Last Modified:
- 2024-10-03 19:15:00
CVE-2024-41590
New
0.0
Last updated 3 hours ago
- Summary:
- Several CGI endpoints are vulnerable to buffer overflows, by authenticated users, because of missing bounds checking on parameters passed through POST requests to the strcpy function on DrayTek Vigor310 devices through 4.3.2.6.
- CWE ID:
- Unknown
- CVSS Score:
- 0.0
- References:
- Published:
- 2024-10-03 19:15:00
- Last Modified:
- 2024-10-03 19:15:00
CVE-2024-41591
New
0.0
Last updated 3 hours ago
- Summary:
- DrayTek Vigor3910 devices through 4.3.2.6 allow unauthenticated DOM-based reflected XSS.
- CWE ID:
- Unknown
- CVSS Score:
- 0.0
- References:
- Published:
- 2024-10-03 19:15:00
- Last Modified:
- 2024-10-03 19:15:00
CVE-2024-41593
New
0.0
Last updated 3 hours ago
- Summary:
- DrayTek Vigor310 devices through 4.3.2.6 allow a remote attacker to execute arbitrary code via the function ft_payload_dns(), because a byte sign-extension operation occurs for the length argument of a _memcpy call, leading to a heap-based Buffer Overflow.
- CWE ID:
- Unknown
- CVSS Score:
- 0.0
- References:
- Published:
- 2024-10-03 19:15:00
- Last Modified:
- 2024-10-03 19:15:00
CVE-2024-41594
New
0.0
Last updated 3 hours ago
- Summary:
- An issue in DrayTek Vigor310 devices through 4.3.2.6 allows an attacker to obtain sensitive information because the httpd server of the Vigor management UI uses a static string for seeding the PRNG of OpenSSL.
- CWE ID:
- Unknown
- CVSS Score:
- 0.0
- References:
- Published:
- 2024-10-03 19:15:00
- Last Modified:
- 2024-10-03 19:15:00
CVE-2024-9266
New
0.0
Last updated 3 hours ago
- Summary:
- URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Express. This vulnerability affects the use of the Express Response object. This issue impacts Express: from 3.4.5 before 4.0.0.
- CWE ID:
- Unknown
- CVSS Score:
- 0.0
- References:
- Published:
- 2024-10-03 19:15:00
- Last Modified:
- 2024-10-03 19:15:00
CVE-2024-41585
New
0.0
Last updated 3 hours ago
- Summary:
- DrayTek Vigor3910 devices through 4.3.2.6 are affected by an OS command injection vulnerability that allows an attacker to leverage the recvCmd binary to escape from the emulated instance and inject arbitrary commands into the host machine.
- CWE ID:
- Unknown
- CVSS Score:
- 0.0
- References:
- Published:
- 2024-10-03 19:15:00
- Last Modified:
- 2024-10-03 19:15:00
CVE-2024-41587
New
0.0
Last updated 3 hours ago
- Summary:
- Stored XSS, by authenticated users, is caused by poor sanitization of the Login Page Greeting message in DrayTek Vigor310 devices through 4.3.2.6.
- CWE ID:
- Unknown
- CVSS Score:
- 0.0
- References:
- Published:
- 2024-10-03 19:15:00
- Last Modified:
- 2024-10-03 19:15:00
CVE-2023-48387
0.0
Last updated 4 hours ago
- Summary:
- TAIWAN-CA(TWCA) JCICSecurityTool fails to check the source website and access locations when executing multiple Registry-related functions. In the scenario where a user is using the JCICSecurityTool and has completed identity verification, if the user browses a malicious webpage created by an attacker, the attacker can exploit this vulnerability to read or modify any registry file under HKEY_CURRENT_USER, thereby achieving remote code execution.
- CWE ID:
- NVD-CWE-noinfo
- CVSS Score:
- 0.0
- References:
- Published:
- 2023-12-15 09:15:00
- Last Modified:
- 2024-10-03 18:40:00
CVE-2024-7732
0.0
Last updated 4 hours ago
- Summary:
- Dr.ID Access Control System from SECOM does not properly validate a specific page parameter, allowing unauthenticated remote attackers to inject SQL commands to read, modify, and delete database contents.
- CWE ID:
- CWE-89
- CVSS Score:
- 0.0
- References:
- Published:
- 2024-08-14 07:15:00
- Last Modified:
- 2024-10-03 18:39:00