CVE Notify
19.3K subscribers
4 photos
203K links
Alert on the latest CVEs

Partner channel: @malwr
Download Telegram
๐Ÿšจ CVE-2024-46442
An issue in the BYD Dilink Headunit System v3.0 to v4.0 allows attackers to bypass authentication via a bruteforce attack.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2024-53480
Phpgurukul's Beauty Parlour Management System v1.1 is vulnerable to SQL Injection in `login.php` via the `emailcont` parameter.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2024-53481
A Cross Site Scripting (XSS) vulnerability in the profile.php of PHPGurukul Beauty Parlour Management System v1.1 allows remote attackers to execute arbitrary code by injecting arbitrary HTML into the "Firstname" and "Last name" parameters.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2024-37773
An HTML injection vulnerability in Sunbird DCIM dcTrack 9.1.2 allows attackers authenticated as administrators to inject arbitrary HTML code in an admin screen.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2024-37774
A Cross-Site Request Forgery (CSRF) in Sunbird DCIM dcTrack v9.1.2 allows authenticated attackers to escalate their privileges by forcing an Administrator user to perform sensitive requests in some admin screens.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2024-37775
Incorrect access control in Sunbird DCIM dcTrack v9.1.2 allows attackers to create or update a ticket with a location which bypasses an RBAC check.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2024-37776
A cross-site scripting (XSS) vulnerability in Sunbird DCIM dcTrack v9.1.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in some admin screens.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2024-48197
Cross Site Scripting vulnerability in Audiocodes MP-202b v.4.4.3 allows a remote attacker to escalate privileges via the login page of the web interface.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2024-51111
Cross-Site Scripting (XSS) vulnerability in Pnetlab 5.3.11 allows an attacker to inject malicious scripts into a web page, which are executed in the context of the victim's browser.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2024-51112
Open Redirect vulnerability in Pnetlab 5.3.11 allows an attacker to manipulate URLs to redirect users to arbitrary external websites via a crafted script

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2024-54879
SeaCMS V13.1 is vulnerable to Incorrect Access Control. A logic flaw can be exploited by an attacker to allow any user to recharge members indefinitely.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2024-55407
An issue in the DeviceloControl function of ITE Tech. Inc ITE IO Access v1.0.0.0 allows attackers to perform arbitrary port read and write actions via supplying crafted IOCTL requests.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2024-46242
An issue in the validate_email function in CTFd/utils/validators/__init__.py of CTFd 3.7.3 allows attackers to cause a Regular expression Denial of Service (ReDoS) via supplying a crafted string as e-mail address during registration.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2024-48245
Vehicle Management System 1.0 is vulnerable to SQL Injection. A guest user can exploit vulnerable POST parameters in various administrative actions, such as booking a vehicle or confirming a booking. The affected parameters include "Booking ID", "Action Name", and "Payment Confirmation ID", which are present in /newvehicle.php and /newdriver.php.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2024-53345
An authenticated arbitrary file upload vulnerability in Car Rental Management System v1.0 to v1.3 allows attackers to execute arbitrary code via uploading a crafted file.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2024-50658
Server-Side Template Injection (SSTI) was found in AdPortal 3.0.39 allows a remote attacker to execute arbitrary code via the shippingAsBilling and firstname parameters in updateuserinfo.html file

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2024-50659
Cross Site Scripting vulnerability iPublish Media Solutions AdPortal 3.0.39 allows a remote attacker to escalate privileges via the shippingAsBilling parameter in updateuserinfo.html.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2024-50660
File Upload Bypass was found in AdPortal 3.0.39 allows a remote attacker to execute arbitrary code via the file upload functionality

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2024-53522
Bangkok Medical Software HOSxP XE v4.64.11.3 was discovered to contain a hardcoded IDEA Key-IV pair in the HOSxPXE4.exe and HOS-WIN32.INI components. This allows attackers to access sensitive information.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2024-54724
PHPYun before 7.0.2 is vulnerable to code execution through backdoor-restricted arbitrary file writing and file inclusion.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2024-54887
TP-Link TL-WR940N V3 and V4 with firmware 3.16.9 and earlier contain a buffer overflow via the dnsserver1 and dnsserver2 parameters at /userRpm/Wan6to4TunnelCfgRpm.htm. This vulnerability allows an authenticated attacker to execute arbitrary code on the remote device in the context of the root user.

๐ŸŽ–@cveNotify