Total
295 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2009-4267 | 1 Apache | 1 Juddi | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| The console in Apache jUDDI 3.0.0 does not properly escape line feeds, which allows remote authenticated users to spoof log entries via the numRows parameter. | |||||
| CVE-2024-47531 | 1 Clinical-genomics | 1 Scout | 2024-11-15 | N/A | 4.6 MEDIUM |
| Scout is a web-based visualizer for VCF-files. Due to the lack of sanitization in the filename, it is possible bypass intended file extension and make users download malicious files with any extension. With malicious content injected inside the file data and users unknowingly downloading it and opening may lead to the compromise of users' devices or data. This vulnerability is fixed in 4.89. | |||||
| CVE-2024-47224 | 2024-11-05 | N/A | 6.5 MEDIUM | ||
| A vulnerability in the AWV (Audio, Web and Video Conferencing) component of Mitel MiCollab through 9.8 SP1 FP2 (9.8.1.201) could allow an unauthenticated attacker to conduct a CRLF injection attack due to inadequate encoding of user input in URLs. A successful exploit could allow an attacker to perform a phishing attack. | |||||
| CVE-2024-47549 | 2 Sharp, Toshibatec | 640 Bp-30c25, Bp-30c25 Firmware, Bp-30c25t and 637 more | 2024-11-05 | N/A | 7.4 HIGH |
| Sharp and Toshiba Tec MFPs improperly process query parameters in HTTP requests, which may allow contamination of unintended data to HTTP response headers. Accessing a crafted URL which points to an affected product may cause malicious script executed on the web browser. | |||||
| CVE-2024-40088 | 2024-10-23 | N/A | 5.3 MEDIUM | ||
| A Directory Traversal vulnerability in the Boa webserver of Vilo 5 Mesh WiFi System <= 5.16.1.33 allows remote, unauthenticated attackers to enumerate the existence and length of any file in the filesystem by placing malicious payloads in the path of any HTTP request. | |||||
| CVE-2024-47845 | 1 Wikimedia | 1 Wikimedia-extensions-css | 2024-10-23 | N/A | 8.2 HIGH |
| Improper Encoding or Escaping of Output vulnerability in The Wikimedia Foundation Mediawiki - CSS Extension allows Code Injection.This issue affects Mediawiki - CSS Extension: from 1.39.X before 1.39.9, from 1.41.X before 1.41.3, from 1.42.X before 1.42.2. | |||||
| CVE-2024-9348 | 2024-10-16 | N/A | N/A | ||
| Docker Desktop before v4.34.3 allows RCE via unsanitized GitHub source link in Build view. | |||||
| CVE-2023-45359 | 2024-10-10 | N/A | 6.5 MEDIUM | ||
| An issue was discovered in the Vector Skin component for MediaWiki before 1.39.5 and 1.40.x before 1.40.1. vector-toc-toggle-button-label is not escaped, but should be, because the line param can have markup. | |||||
| CVE-2024-4099 | 1 Gitlab | 1 Gitlab | 2024-10-04 | N/A | 3.1 LOW |
| An issue has been discovered in GitLab EE affecting all versions starting from 16.0 prior to 17.2.8, from 17.3 prior to 17.3.4, and from 17.4 prior to 17.4.1. An AI feature was found to read unsanitized content in a way that could have allowed an attacker to hide prompt injection. | |||||
| CVE-2024-45299 | 1 Alf | 1 Alf | 2024-09-30 | N/A | 6.5 MEDIUM |
| alf.io is an open source ticket reservation system for conferences, trade shows, workshops, and meetups. Prior to version 2.0-M5, the preloaded data as json is not escaped correctly, the administrator / event admin could break their own install by inserting non correctly escaped text. The Content-Security-Policy directive blocks any potential script execution. The administrator or event administrator can override the texts for customization purpose. The texts are not properly escaped. Version 2.0-M5 fixes this issue. | |||||
| CVE-2024-45808 | 1 Envoyproxy | 1 Envoy | 2024-09-25 | N/A | 6.5 MEDIUM |
| Envoy is a cloud-native high-performance edge/middle/service proxy. A vulnerability has been identified in Envoy that allows malicious attackers to inject unexpected content into access logs. This is achieved by exploiting the lack of validation for the `REQUESTED_SERVER_NAME` field for access loggers. This issue has been addressed in versions 1.31.2, 1.30.6, 1.29.9, and 1.28.7. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2024-7873 | 2024-09-20 | N/A | N/A | ||
| Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting'), Improper Encoding or Escaping of Output, CWE - 83 Improper Neutralization of Script in Attributes in a Web Page vulnerability in Veribilim Software Veribase Order allows Stored XSS, Cross-Site Scripting (XSS), Exploit Script-Based APIs, XSS Through HTTP Headers.This issue affects Veribase Order: before v4.010.3. | |||||
| CVE-2024-8297 | 1 Kitsada8621 | 1 Digital Library Management System | 2024-08-30 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability was found in kitsada8621 Digital Library Management System 1.0. It has been classified as problematic. Affected is the function JwtRefreshAuth of the file middleware/jwt_refresh_token_middleware.go. The manipulation of the argument Authorization leads to improper output neutralization for logs. It is possible to launch the attack remotely. The name of the patch is 81b3336b4c9240f0bf50c13cb8375cf860d945f1. It is recommended to apply a patch to fix this issue. | |||||
| CVE-2024-6329 | 1 Gitlab | 1 Gitlab | 2024-08-23 | N/A | 5.7 MEDIUM |
| An issue was discovered in GitLab CE/EE affecting all versions starting from 8.16 prior to 17.0.6, starting from 17.1 prior to 17.1.4, and starting from 17.2 prior to 17.2.2, which causes the web interface to fail to render the diff correctly when the path is encoded. | |||||
| CVE-2024-38177 | 1 Microsoft | 1 App Installer | 2024-08-16 | N/A | 7.8 HIGH |
| Windows App Installer Spoofing Vulnerability | |||||