Total
56 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-1561 | 2024-11-21 | N/A | 7.5 HIGH | ||
| An issue was discovered in gradio-app/gradio, where the `/component_server` endpoint improperly allows the invocation of any method on a `Component` class with attacker-controlled arguments. Specifically, by exploiting the `move_resource_to_block_cache()` method of the `Block` class, an attacker can copy any file on the filesystem to a temporary directory and subsequently retrieve it. This vulnerability enables unauthorized local file read access, posing a significant risk especially when the application is exposed to the internet via `launch(share=True)`, thereby allowing remote attackers to read files on the host machine. Furthermore, gradio apps hosted on `huggingface.co` are also affected, potentially leading to the exposure of sensitive information such as API keys and credentials stored in environment variables. | |||||
| CVE-2023-6977 | 1 Lfprojects | 1 Mlflow | 2024-11-21 | N/A | 7.5 HIGH |
| This vulnerability enables malicious users to read sensitive files on the server. | |||||
| CVE-2023-6975 | 1 Lfprojects | 1 Mlflow | 2024-11-21 | N/A | 9.8 CRITICAL |
| A malicious user could use this issue to get command execution on the vulnerable machine and get access to data & models information. | |||||
| CVE-2023-6909 | 1 Lfprojects | 1 Mlflow | 2024-11-21 | N/A | 7.5 HIGH |
| Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2. | |||||
| CVE-2023-6831 | 1 Lfprojects | 1 Mlflow | 2024-11-21 | N/A | 8.1 HIGH |
| Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2. | |||||
| CVE-2023-6130 | 1 Salesagility | 1 Suitecrm | 2024-11-21 | N/A | 8.8 HIGH |
| Path Traversal: '\..\filename' in GitHub repository salesagility/suitecrm prior to 7.14.2, 7.12.14, 8.4.2. | |||||
| CVE-2023-6023 | 1 Vertaai | 1 Modeldb | 2024-11-21 | N/A | 7.5 HIGH |
| An attacker can read any file on the filesystem on the server hosting ModelDB through an LFI in the artifact_path URL parameter. | |||||
| CVE-2023-6021 | 1 Ray Project | 1 Ray | 2024-11-21 | N/A | 7.5 HIGH |
| LFI in Ray's log API endpoint allows attackers to read any file on the server without authentication. The issue is fixed in version 2.8.1+. Ray maintainers' response can be found here: https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023 | |||||
| CVE-2023-2984 | 2 Microsoft, Pimcore | 2 Windows, Pimcore | 2024-11-21 | N/A | 8.8 HIGH |
| Path Traversal: '\..\filename' in GitHub repository pimcore/pimcore prior to 10.5.22. | |||||
| CVE-2023-2780 | 1 Lfprojects | 1 Mlflow | 2024-11-21 | N/A | 9.8 CRITICAL |
| Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.3.1. | |||||
| CVE-2023-1177 | 1 Lfprojects | 1 Mlflow | 2024-11-21 | N/A | 9.3 CRITICAL |
| Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.2.1. | |||||
| CVE-2023-1034 | 1 Salesagility | 1 Suitecrm | 2024-11-21 | N/A | 8.8 HIGH |
| Path Traversal: '\..\filename' in GitHub repository salesagility/suitecrm prior to 7.12.9. | |||||
| CVE-2023-0316 | 1 Froxlor | 1 Froxlor | 2024-11-21 | N/A | 5.5 MEDIUM |
| Path Traversal: '\..\filename' in GitHub repository froxlor/froxlor prior to 2.0.0. | |||||
| CVE-2023-0104 | 1 Weintek | 1 Easybuilder Pro | 2024-11-21 | N/A | 9.3 CRITICAL |
| The listed versions for Weintek EasyBuilder Pro are vulnerable to a ZipSlip attack caused by decompiling a malicious project file. This may allow an attacker to gain control of the user’s computer or gain access to sensitive data. | |||||
| CVE-2022-2788 | 1 Emerson | 1 Electric\'s Proficy | 2024-11-21 | N/A | 3.9 LOW |
| Emerson Electric's Proficy Machine Edition Version 9.80 and prior is vulnerable to CWE-29 Path Traversal: '\..\Filename', also known as a ZipSlip attack, through an upload procedure which enables attackers to implant a malicious .BLZ file on the PLC. The file can transfer through the engineering station onto Windows in a way that executes the malicious code. | |||||
| CVE-2024-7962 | 1 Gaizhenbiao | 1 Chuanhuchatgpt | 2024-11-01 | N/A | 7.5 HIGH |
| An arbitrary file read vulnerability exists in gaizhenbiao/chuanhuchatgpt version 20240628 due to insufficient validation when loading prompt template files. An attacker can read any file that matches specific criteria using an absolute path. The file must not have a .json extension and, except for the first line, every other line must contain commas. This vulnerability allows reading parts of format-compliant files, including code and log files, which may contain highly sensitive information such as account credentials. | |||||