π¨ CVE-2002-2024
Horde IMP 2.2.7 allows remote attackers to obtain the full web root pathname via an HTTP request for (1) poppassd.php3, (2) login.php3?reason=chpass2, (3) spelling.php3, and (4) ldap.search.php3?ldap_serv=nonsense which leaks the information in error messages.
π@cveNotify
Horde IMP 2.2.7 allows remote attackers to obtain the full web root pathname via an HTTP request for (1) poppassd.php3, (2) login.php3?reason=chpass2, (3) spelling.php3, and (4) ldap.search.php3?ldap_serv=nonsense which leaks the information in error messages.
π@cveNotify
π¨ CVE-2024-32899
In gpu_pm_power_off_top_nolock of pixel_gpu_power.c, there is a possible compromise of protected memory due to a race condition. This could lead to local escalation of privilege to TEE with no additional execution privileges needed. User interaction is not needed for exploitation.
π@cveNotify
In gpu_pm_power_off_top_nolock of pixel_gpu_power.c, there is a possible compromise of protected memory due to a race condition. This could lead to local escalation of privilege to TEE with no additional execution privileges needed. User interaction is not needed for exploitation.
π@cveNotify
π¨ CVE-2024-32906
In AcvpOnMessage of avcp.cpp, there is a possible EOP due to uninitialized data. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
π@cveNotify
In AcvpOnMessage of avcp.cpp, there is a possible EOP due to uninitialized data. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
π@cveNotify
π¨ CVE-2023-27636
Progress Sitefinity before 15.0.0 allows XSS by authenticated users via the content form in the SF Editor.
π@cveNotify
Progress Sitefinity before 15.0.0 allows XSS by authenticated users via the content form in the SF Editor.
π@cveNotify
Aldisaw
Cross-Site Scripting (XSS) affects Sitefinity < 15.0 - CVE-2023-27636
Disclaimer This Security Advisory is provided on an βas isβ basis and do not imply any kind of guarantee or warranty. Your use of the information in this publication or linked materials is at your own risk.
π¨ CVE-2024-34312
Virtual Programming Lab for Moodle up to v4.2.3 was discovered to contain a cross-site scripting (XSS) vulnerability via the component vplide.js.
π@cveNotify
Virtual Programming Lab for Moodle up to v4.2.3 was discovered to contain a cross-site scripting (XSS) vulnerability via the component vplide.js.
π@cveNotify
GitHub
GitHub - vincentscode/CVE-2024-34312: β£οΈ This repository contains the description and a proof of concept for CVE-2024-34312
β£οΈ This repository contains the description and a proof of concept for CVE-2024-34312 - vincentscode/CVE-2024-34312
π¨ CVE-2024-6206
A security vulnerability has been identified in HPE Athonet Mobile Core software. The core application contains a code injection vulnerability where a threat actor could execute arbitrary commands with the privilege of the underlying container leading to complete takeover of the target system.
π@cveNotify
A security vulnerability has been identified in HPE Athonet Mobile Core software. The core application contains a code injection vulnerability where a threat actor could execute arbitrary commands with the privilege of the underlying container leading to complete takeover of the target system.
π@cveNotify
π¨ CVE-2024-39182
An information disclosure vulnerability in ISPmanager v6.98.0 allows attackers to access sensitive details of the root user's session via an arbitrary command (ISP6-1779).
π@cveNotify
An information disclosure vulnerability in ISPmanager v6.98.0 allows attackers to access sensitive details of the root user's session via an arbitrary command (ISP6-1779).
π@cveNotify
Ispmanager
ispmanager development plan - Changelog
Features that we plan to add to ispmanager lite, pro and host, the list may be adjusted depending on user feedback.
π¨ CVE-2024-25077
An issue was discovered on Renesas SmartBond DA14691, DA14695, DA14697, and DA14699 devices. The Nonce used for on-the-fly decryption of flash images is stored in an unsigned header, allowing its value to be modified without invalidating the signature used for secureboot image verification. Because the encryption engine for on-the-fly decryption uses AES in CTR mode without authentication, an attacker-modified Nonce can result in execution of arbitrary code.
π@cveNotify
An issue was discovered on Renesas SmartBond DA14691, DA14695, DA14697, and DA14699 devices. The Nonce used for on-the-fly decryption of flash images is stored in an unsigned header, allowing its value to be modified without invalidating the signature used for secureboot image verification. Because the encryption engine for on-the-fly decryption uses AES in CTR mode without authentication, an attacker-modified Nonce can result in execution of arbitrary code.
π@cveNotify
π¨ CVE-2024-41305
A Server-Side Request Forgery (SSRF) in the Plugins Page of WonderCMS v3.4.3 allows attackers to force the application to make arbitrary requests via injection of crafted URLs into the pluginThemeUrl parameter.
π@cveNotify
A Server-Side Request Forgery (SSRF) in the Plugins Page of WonderCMS v3.4.3 allows attackers to force the application to make arbitrary requests via injection of crafted URLs into the pluginThemeUrl parameter.
π@cveNotify
GitHub
GitHub - patrickdeanramos/WonderCMS-version-3.4.3-is-vulnerable-to-Server-Side-Request-Forgery: WonderCMS version 3.4.3 is vulnerableβ¦
WonderCMS version 3.4.3 is vulnerable to Server-Side Request Forgery (SSRF), allowing an attacker to make requests to unauthorized internal resources through the pluginThemeUrl parameter on the Plu...
π¨ CVE-2024-36572
Prototype pollution in allpro form-manager 0.7.4 allows attackers to run arbitrary code and cause other impacts via the functions setDefaults, mergeBranch, and Object.setObjectValue.
π@cveNotify
Prototype pollution in allpro form-manager 0.7.4 allows attackers to run arbitrary code and cause other impacts via the functions setDefaults, mergeBranch, and Object.setObjectValue.
π@cveNotify
Gist
[CVE-2024-36572] Prototype pollution vulnerability affecting @allpro/form-manager NPM module, version 0.7.4
[CVE-2024-36572] Prototype pollution vulnerability affecting @allpro/form-manager NPM module, version 0.7.4 - CVE-2024-36572.md
π¨ CVE-2024-38984
Prototype Pollution in lukebond json-override 0.2.0 allows attackers to to execute arbitrary code or cause a Denial of Service (DoS) via the __proto__ property.
π@cveNotify
Prototype Pollution in lukebond json-override 0.2.0 allows attackers to to execute arbitrary code or cause a Denial of Service (DoS) via the __proto__ property.
π@cveNotify
Gist
[CVE-2024-38984] Prototype Pollution vulnerability affecting json-override module, versions <= 0.2.0
[CVE-2024-38984] Prototype Pollution vulnerability affecting json-override module, versions <= 0.2.0 - json-override-pp.md
π¨ CVE-2024-38986
Prototype Pollution in 75lb deep-merge 1.1.1 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) and cause other impacts via merge methods of lodash to merge objects.
π@cveNotify
Prototype Pollution in 75lb deep-merge 1.1.1 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) and cause other impacts via merge methods of lodash to merge objects.
π@cveNotify
Gist
[CVE-2024-38986] Prototype Pollution vulnerability affecting @75lb/deep-merge NPM module, versions <= 1.1.1
[CVE-2024-38986] Prototype Pollution vulnerability affecting @75lb/deep-merge NPM module, versions <= 1.1.1 - 75lb-deep-merge.md
π¨ CVE-2024-39010
chase-moskal snapstate v0.0.9 was discovered to contain a prototype pollution via the function attemptNestedProperty. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
π@cveNotify
chase-moskal snapstate v0.0.9 was discovered to contain a prototype pollution via the function attemptNestedProperty. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
π@cveNotify
Gist
[CVE-2024-39010] Vulnerability Advisory Prototype Pollution in @chasemoskal/snapstate, version 0.0.9
[CVE-2024-39010] Vulnerability Advisory Prototype Pollution in @chasemoskal/snapstate, version 0.0.9 - Advisory_chase-moskal.md
π¨ CVE-2024-39011
Prototype Pollution in chargeover redoc v2.0.9-rc.69 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) and cause other impacts via the function mergeObjects.
π@cveNotify
Prototype Pollution in chargeover redoc v2.0.9-rc.69 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) and cause other impacts via the function mergeObjects.
π@cveNotify
Gist
[CVE-2024-39011] Vulnerability Advisory: Prototype Pollution in @chargeover/redoc, version 2.0.9-rc.69
[CVE-2024-39011] Vulnerability Advisory: Prototype Pollution in @chargeover/redoc, version 2.0.9-rc.69 - Advisory_Redocly.md
π¨ CVE-2024-41226
A CSV injection vulnerability in Automation Anywhere Automation 360 version 21094 allows attackers to execute arbitrary code via a crafted payload.
π@cveNotify
A CSV injection vulnerability in Automation Anywhere Automation 360 version 21094 allows attackers to execute arbitrary code via a crafted payload.
π@cveNotify
Medium
CVE-2024β41226: Response manipulation led to CSV Injection
CVE-2024β41226: Response manipulation led to CSV Injection The purpose of this article is to describe CVE-2024β41226 in detail. This CVE is related to a CSV injection vulnerability in Automation β¦
π¨ CVE-2024-42218
1Password 8 before 8.10.38 for macOS allows local attackers to exfiltrate vault items by bypassing macOS-specific security mechanisms.
π@cveNotify
1Password 8 before 8.10.38 for macOS allows local attackers to exfiltrate vault items by bypassing macOS-specific security mechanisms.
π@cveNotify
π¨ CVE-2024-41244
An Incorrect Access Control vulnerability was found in /smsa/view_class.php in Kashipara Responsive School Management System v3.2.0, which allows remote unauthenticated attackers to view CLASS details.
π@cveNotify
An Incorrect Access Control vulnerability was found in /smsa/view_class.php in Kashipara Responsive School Management System v3.2.0, which allows remote unauthenticated attackers to view CLASS details.
π@cveNotify
GitHub
CVE_Writeup/Kashipara/Responsive School Management System v3.2.0/Broken Access Control - Admin - View Class.pdf at main Β· takeβ¦
Contribute to takekaramey/CVE_Writeup development by creating an account on GitHub.
π¨ CVE-2024-41245
An Incorrect Access Control vulnerability was found in /smsa/view_teachers.php in Kashipara Responsive School Management System v3.2.0, which allows remote unauthenticated attackers to view TEACHER details.
π@cveNotify
An Incorrect Access Control vulnerability was found in /smsa/view_teachers.php in Kashipara Responsive School Management System v3.2.0, which allows remote unauthenticated attackers to view TEACHER details.
π@cveNotify
GitHub
CVE_Writeup/Kashipara/Responsive School Management System v3.2.0/Broken Access Control - Admin - View Teachers.pdf at main Β· tβ¦
Contribute to takekaramey/CVE_Writeup development by creating an account on GitHub.
π¨ CVE-2024-41237
A SQL injection vulnerability in /smsa/teacher_login.php in Kashipara Responsive School Management System v1.0 allows an attacker to execute arbitrary SQL commands via the "username" parameter.
π@cveNotify
A SQL injection vulnerability in /smsa/teacher_login.php in Kashipara Responsive School Management System v1.0 allows an attacker to execute arbitrary SQL commands via the "username" parameter.
π@cveNotify
GitHub
CVE_Writeup/Kashipara/Responsive School Management System v3.2.0/SQL Injection - Teacher.pdf at main Β· takekaramey/CVE_Writeup
Contribute to takekaramey/CVE_Writeup development by creating an account on GitHub.
π¨ CVE-2024-6706
Attackers can craft a malicious prompt that coerces the language model into executing arbitrary JavaScript in the context of the web page.
π@cveNotify
Attackers can craft a malicious prompt that coerces the language model into executing arbitrary JavaScript in the context of the web page.
π@cveNotify
π¨ CVE-2018-0824
A remote code execution vulnerability exists in "Microsoft COM for Windows" when it fails to properly handle serialized objects, aka "Microsoft COM for Windows Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.
π@cveNotify
A remote code execution vulnerability exists in "Microsoft COM for Windows" when it fails to properly handle serialized objects, aka "Microsoft COM for Windows Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.
π@cveNotify