Search Results (34218 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-43416 1 Glpi-project 1 Glpi 2025-01-07 7.5 High
GLPI is a free asset and IT management software package. Starting in version 0.80 and prior to version 10.0.17, an unauthenticated user can use an application endpoint to check if an email address corresponds to a valid GLPI user. Version 10.0.17 fixes the issue.
CVE-2024-37147 1 Glpi-project 1 Glpi 2025-01-07 4.3 Medium
GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An authenticated user can attach a document to any item, even if the user has no write access on it. Upgrade to 10.0.16.
CVE-2024-52001 1 Combodo 1 Itop 2025-01-07 4.3 Medium
Combodo iTop is a simple, web based IT Service Management tool. In affected versions portal users are able to access forbidden services information. This issue has been addressed in version 3.2.0. All users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2024-37980 1 Microsoft 4 Sql Server 2016, Sql Server 2017, Sql Server 2019 and 1 more 2025-01-07 8.8 High
Microsoft SQL Server Elevation of Privilege Vulnerability
CVE-2024-43474 1 Microsoft 2 Sql Server 2017, Sql Server 2019 2025-01-07 7.6 High
Microsoft SQL Server Information Disclosure Vulnerability
CVE-2023-38946 1 Multilaser 2 Re160, Re160 Firmware 2025-01-07 8.8 High
An issue in Multilaser RE160 firmware v5.07.51_pt_MTL01 and v5.07.52_pt_MTL01 allows attackers to bypass the access control and gain complete access to the application via supplying a crafted cookie.
CVE-2023-33781 1 Dlink 2 Dir-842v2, Dir-842v2 Firmware 2025-01-07 8.8 High
An issue in D-Link DIR-842V2 v1.0.3 allows attackers to execute arbitrary commands via importing a crafted file.
CVE-2023-33604 1 Imperial Cms Project 1 Imperial Cms 2025-01-07 9.1 Critical
Imperial CMS v7.5 was discovered to contain an arbitrary file deletion vulnerability via the DelspReFile function in /sp/ListSp.php. This vulnerability is exploited by attackers via a crafted POST request.
CVE-2023-28739 1 Intel 1 Chipset Device Software 2025-01-07 6.7 Medium
Incorrect default permissions in some Intel(R) Chipset Driver Software before version 10.1.19444.8378 may allow an authenticated user to potentially enable escalation of privilege via local access.
CVE-2023-29152 1 Ptc 1 Vuforia Studio 2025-01-06 6.2 Medium
By changing the filename parameter in the request, an attacker could delete any file with the permissions of the Vuforia server account.
CVE-2023-33443 1 Besder 2 Bes--6024pb-i50h1, Videoplaytool 2025-01-06 9.8 Critical
Incorrect access control in the administrative functionalities of BES--6024PB-I50H1 VideoPlayTool v2.0.1.0 allow attackers to execute arbitrary administrative commands via a crafted payload sent to the desired endpoints.
CVE-2023-2904 1 Hidglobal 1 Safe 2025-01-06 7.3 High
The External Visitor Manager portal of HID’s SAFE versions 5.8.0 through 5.11.3 are vulnerable to manipulation within web fields in the application programmable interface (API). An attacker could log in using account credentials available through a request generated by an internal user and then manipulate the visitor-id within the web API to access the personal data of other users. There is no limit on the number of requests that can be made to the HID SAFE Web Server, so an attacker could also exploit this vulnerability to create a denial-of-service condition.
CVE-2023-2187 1 Trianglemicroworks 1 Scada Data Gateway 2025-01-06 5.3 Medium
On Triangle MicroWorks' SCADA Data Gateway version <= v5.01.03, an unauthenticated attacker can send broadcast events to any user via the WebMonitor.An unauthenticated user can use this vulnerability to forcefully log out of any currently logged-in user by sending a "password change event". Furthermore, an attacker could use this vulnerability to spam the logged-in user with false events.
CVE-2024-52517 1 Nextcloud 1 Nextcloud Server 2025-01-06 4.6 Medium
Nextcloud Server is a self hosted personal cloud system. After storing "Global credentials" on the server, the API returns them and adds them into the frontend again, allowing to read them in plain text when an attacker already has access to an active session of a user. It is recommended that the Nextcloud Server is upgraded to 28.0.11, 29.0.8 or 30.0.1 and Nextcloud Enterprise Server is upgraded to 25.0.13.13, 26.0.13.9, 27.1.11.9, 28.0.11, 29.0.8 or 30.0.1.
CVE-2024-52516 1 Nextcloud 1 Nextcloud Server 2025-01-06 3 Low
Nextcloud Server is a self hosted personal cloud system. When a server is configured to only allow sharing with users that are in ones own groups, after a user was removed from a group, previously shared items were not unshared. It is recommended that the Nextcloud Server is upgraded to 22.2.11 or 23.0.11 or 24.0.6 and Nextcloud Enterprise Server is upgraded to 22.2.11 or 23.0.11 or 24.0.6.
CVE-2023-34239 1 Gradio Project 1 Gradio 2025-01-06 7.3 High
Gradio is an open-source Python library that is used to build machine learning and data science. Due to a lack of path filtering Gradio does not properly restrict file access to users. Additionally Gradio does not properly restrict the what URLs are proxied. These issues have been addressed in version 3.34.0. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2023-34238 1 Gatsbyjs 1 Gatsby 2025-01-06 4.3 Medium
Gatsby is a free and open source framework based on React. The Gatsby framework prior to versions 4.25.7 and 5.9.1 contain a Local File Inclusion vulnerability in the `__file-code-frame` and `__original-stack-frame` paths, exposed when running the Gatsby develop server (`gatsby develop`). Any file in scope of the development server could potentially be exposed. It should be noted that by default `gatsby develop` is only accessible via the localhost `127.0.0.1`, and one would need to intentionally expose the server to other interfaces to exploit this vulnerability by using server options such as `--host 0.0.0.0`, `-H 0.0.0.0`, or the `GATSBY_HOST=0.0.0.0` environment variable. A patch has been introduced in `gatsby@5.9.1` and `gatsby@4.25.7` which mitigates the issue. Users are advised to upgrade. Users unable to upgrade should avoid exposing their development server to the internet.
CVE-2023-0954 1 Johnsoncontrols 4 Illustra Pro Gen 4 Dome, Illustra Pro Gen 4 Dome Firmware, Illustra Pro Gen 4 Ptz and 1 more 2025-01-06 8.3 High
A debug feature in Sensormatic Electronics Illustra Pro Gen 4 Dome and PTZ cameras allows a user to compromise credentials after a long period of sustained attack.
CVE-2023-29751 1 Yandex 1 Navigator 2025-01-06 5.5 Medium
An issue found in Yandex Navigator v.6.60 for Android allows unauthorized apps to cause a persistent denial of service by manipulating the SharedPreference files.
CVE-2023-34108 1 Mailcow 1 Mailcow\ 2025-01-06 8.8 High
mailcow is a mail server suite based on Dovecot, Postfix and other open source software, that provides a modern web UI for user/server administration. A vulnerability has been discovered in mailcow which allows an attacker to manipulate internal Dovecot variables by using specially crafted passwords during the authentication process. The issue arises from the behavior of the `passwd-verify.lua` script, which is responsible for verifying user passwords during login attempts. Upon a successful login, the script returns a response in the format of "password=<valid-password>", indicating the successful authentication. By crafting a password with additional key-value pairs appended to it, an attacker can manipulate the returned string and influence the internal behavior of Dovecot. For example, using the password "123 mail_crypt_save_version=0" would cause the `passwd-verify.lua` script to return the string "password=123 mail_crypt_save_version=0". Consequently, Dovecot will interpret this string and set the internal variables accordingly, leading to unintended consequences. This vulnerability can be exploited by an authenticated attacker who has the ability to set their own password. Successful exploitation of this vulnerability could result in unauthorized access to user accounts, bypassing security controls, or other malicious activities. This issue has been patched in version `2023-05a`. Users are advised to upgrade. There are no known workarounds for this vulnerability.