Total: 304021 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2024-41697 | 1 Priority-software | 1 Priority | 2024-09-03 | N/A | 6.1 MEDIUM |
Priority - CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | |||||
CVE-2024-41698 | 1 Priority-software | 1 Priority | 2024-09-03 | N/A | 4.3 MEDIUM |
Priority - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor | |||||
CVE-2024-41699 | 1 Priority-software | 1 Priority | 2024-09-03 | N/A | 4.4 MEDIUM |
Priority - CWE-552: Files or Directories Accessible to External Parties | |||||
CVE-2024-41518 | 1 Mecodia | 1 Feripro | 2024-09-03 | N/A | 7.5 HIGH |
An Incorrect Access Control vulnerability in "/admin/programm/<program_id>/export/statistics" in Feripro <= v2.2.3 allows remote attackers to export an XLSX file with information about registrations and participants. | |||||
CVE-2024-43803 | | | 2024-09-03 | N/A | 4.9 MEDIUM |
The Bare Metal Operator (BMO) implements a Kubernetes API for managing bare metal hosts in Metal3. The `BareMetalHost` (BMH) CRD allows the `userData`, `metaData`, and `networkData` for the provisioned host to be specified as links to Kubernetes Secrets. There are fields for both the `Name` and `Namespace` of the Secret, meaning that versions of the baremetal-operator prior to 0.8.0, 0.6.2, and 0.5.2 will read a `Secret` from any namespace. A user with access to create or edit a `BareMetalHost` can thus exfiltrate a `Secret` from another namespace by using it as e.g. the `userData` for provisioning some host (note that this need not be a real host; it could be a VM somewhere). BMO will only read a key with the name `value` (or `userData`, `metaData`, or `networkData`), which limits the exposure somewhat; `value` is probably a fairly common key, though. Secrets used by _other_ `BareMetalHost`s in different namespaces are always vulnerable. It is probably relatively unusual for anyone other than cluster administrators to have RBAC access to create/edit a `BareMetalHost`. This vulnerability is only meaningful if the cluster has users other than administrators and those users' privileges are limited to their respective namespaces. The patch prevents BMO from accepting links to Secrets from other namespaces as BMH input; any BMH configuration is read only from the same namespace. The problem is patched in BMO releases v0.7.0, v0.6.2 and v0.5.2, and users should upgrade to those versions. Before upgrading, duplicate the BMC Secrets into the namespace where the corresponding BMH is. After upgrading, remove the old Secrets. As a workaround, an operator can configure BMO RBAC to be namespace scoped for Secrets, instead of cluster scoped, to prevent BMO from accessing Secrets from other namespaces. | |||||
CVE-2024-41700 | 1 Barix | 1 Sip Client Firmware | 2024-09-03 | N/A | 7.5 HIGH |
Barix - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor | |||||
CVE-2024-42941 | 1 Tenda | 2 Fh1201, Fh1201 Firmware | 2024-09-03 | N/A | 7.5 HIGH |
Tenda FH1201 v1.2.0.14 (408) was discovered to contain a stack overflow via the wanmode parameter in the fromAdvSetWan function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted POST request. | |||||
CVE-2024-42940 | 1 Tenda | 2 Fh1201, Fh1201 Firmware | 2024-09-03 | N/A | 7.5 HIGH |
Tenda FH1201 v1.2.0.14 (408) was discovered to contain a stack overflow via the page parameter in the fromP2pListFilter function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted POST request. | |||||
CVE-2024-41241 | 1 Lopalopa | 1 Responsive School Management System | 2024-09-03 | N/A | 6.1 MEDIUM |
A Reflected Cross Site Scripting (XSS) vulnerability was found in "/smsa/admin_login.php" in Kashipara Responsive School Management System v3.2.0, which allows remote attackers to execute arbitrary code via the "error" parameter. | |||||
CVE-2024-40473 | 1 Mayurik | 1 Best House Rental Management System | 2024-09-03 | N/A | 5.4 MEDIUM |
A Stored Cross Site Scripting (XSS) vulnerability was found in "manage_houses.php" in SourceCodester Best House Rental Management System v1.0. It allows remote attackers to execute arbitrary code via the "House_no" and "Description" parameter fields. | |||||
CVE-2024-33892 | 1 Hms-networks | 7 Ewon Cosy\+ 4g Apac, Ewon Cosy\+ 4g Eu, Ewon Cosy\+ 4g Jp and 4 more | 2024-09-03 | N/A | 7.5 HIGH |
Insecure Permissions vulnerability: Cosy+ devices running firmware 21.x below 21.2s10 or firmware 22.x below 22.1s3 are susceptible to leaking information through cookies. This is fixed in versions 21.2s10 and 22.1s3. | |||||
CVE-2024-3886 | 1 Tagdiv | 1 Tagdiv Composer | 2024-09-03 | N/A | 6.1 MEDIUM |
The tagDiv Composer plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘envato_code[]’ parameter in all versions up to, and including, 5.0 due to insufficient input sanitization and output escaping within the on_ajax_check_envato_code function. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
CVE-2024-42987 | 1 Tenda | 2 Fh1206, Fh1206 Firmware | 2024-09-03 | N/A | 7.5 HIGH |
Tenda FH1206 v02.03.01.35 was discovered to contain a stack overflow via the modino parameter in the fromPptpUserAdd function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted POST request. | |||||
CVE-2024-42948 | 1 Tenda | 2 Fh1201, Fh1201 Firmware | 2024-09-03 | N/A | 7.5 HIGH |
Tenda FH1201 v1.2.0.14 (408) was discovered to contain a stack overflow via the delno parameter in the fromPptpUserSetting function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted POST request. | |||||
CVE-2024-42568 | 1 Arajajyothibabu | 1 School Management System | 2024-09-03 | N/A | 9.8 CRITICAL |
School Management System commit bae5aa was discovered to contain a SQL injection vulnerability via the transport parameter at vehicle.php. | |||||
CVE-2024-44778 | 1 Vtiger | 1 Vtiger Crm | 2024-09-03 | N/A | 9.6 CRITICAL |
A reflected cross-site scripting (XSS) vulnerability in the parent parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload. | |||||
CVE-2024-44779 | 1 Vtiger | 1 Vtiger Crm | 2024-09-03 | N/A | 9.6 CRITICAL |
A reflected cross-site scripting (XSS) vulnerability in the viewname parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload. | |||||
CVE-2024-44777 | 1 Vtiger | 1 Vtiger Crm | 2024-09-03 | N/A | 9.6 CRITICAL |
A reflected cross-site scripting (XSS) vulnerability in the tag parameter in the index page of vTiger CRM 7.4.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload. | |||||
CVE-2024-43964 | 1 Dsgvo-for-wp | 1 Dsgvo All In One For Wp | 2024-09-03 | N/A | 6.5 MEDIUM |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Michael Leithold DSGVO All in one for WP allows Stored XSS. This issue affects DSGVO All in one for WP: from n/a through 4.5. | |||||
CVE-2024-43396 | 1 Khoj | 1 Khoj | 2024-09-03 | N/A | 5.4 MEDIUM |
Khoj is an application that creates personal AI agents. The Automation feature allows a user to insert arbitrary HTML inside the task instructions, resulting in a Stored XSS. The q parameter for the /api/automation endpoint does not get correctly sanitized when rendered on the page, resulting in the ability of users to inject arbitrary HTML/JS. This vulnerability is fixed in 1.15.0. |