๐จ CVE-2024-37884
Nextcloud Server is a self hosted personal cloud system. A malicious user was able to send delete requests for old versions of files they only got shared with read permissions. It is recommended that the Nextcloud Server is upgraded to 26.0.12 or 27.1.7 or 28.0.3 and that the Nextcloud Enterprise Server is upgraded to 26.0.12 or 27.1.7 or 28.0.3.
๐@cveNotify
Nextcloud Server is a self hosted personal cloud system. A malicious user was able to send delete requests for old versions of files they only got shared with read permissions. It is recommended that the Nextcloud Server is upgraded to 26.0.12 or 27.1.7 or 28.0.3 and that the Nextcloud Enterprise Server is upgraded to 26.0.12 or 27.1.7 or 28.0.3.
๐@cveNotify
GitHub
Users can delete old versions of read-only shared files
### Impact
A malicious user was able to send delete requests for old versions of files they only got shared with read permissions.
### Patches
It is recommended that the Nextcloud Server i...
A malicious user was able to send delete requests for old versions of files they only got shared with read permissions.
### Patches
It is recommended that the Nextcloud Server i...
๐1
๐จ CVE-2024-38301
Dell Alienware Command Center, version 5.7.3.0 and prior, contains an improper access control vulnerability. A low privileged attacker could potentially exploit this vulnerability, leading to denial of service on the local system and information disclosure.
๐@cveNotify
Dell Alienware Command Center, version 5.7.3.0 and prior, contains an improper access control vulnerability. A low privileged attacker could potentially exploit this vulnerability, leading to denial of service on the local system and information disclosure.
๐@cveNotify
๐จ CVE-2024-6652
A vulnerability was found in itsourcecode Gym Management System 1.0. It has been classified as critical. This affects an unknown part of the file manage_member.php. The manipulation of the argument id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-271059.
๐@cveNotify
A vulnerability was found in itsourcecode Gym Management System 1.0. It has been classified as critical. This affects an unknown part of the file manage_member.php. The manipulation of the argument id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-271059.
๐@cveNotify
GitHub
Itsourcecode Gym Management System Project In PHP With Source Code v1.0 manage_member.php SQL injection ยท Issue #1 ยท littletree7/cve
Itsourcecode Gym Management System Project In PHP With Source Code v1.0 manage_member.php SQL injection NAME OF AFFECTED PRODUCT(S) Gym Management System Project In PHP With Source Code Vendor Home...
๐จ CVE-2019-20471
An issue was discovered on TK-Star Q90 Junior GPS horloge 3.1042.9.8656 devices. When using the device at initial setup, a default password is used (123456) for administrative purposes. There is no prompt to change this password. Note that this password can be used in combination with CVE-2019-20470.
๐@cveNotify
An issue was discovered on TK-Star Q90 Junior GPS horloge 3.1042.9.8656 devices. When using the device at initial setup, a default password is used (123456) for administrative purposes. There is no prompt to change this password. Note that this password can be used in combination with CVE-2019-20470.
๐@cveNotify
seclists.org
Full Disclosure: Bunch of IoT CVEs
๐จ CVE-2024-20701
SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability
๐@cveNotify
SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability
๐@cveNotify
๐จ CVE-2024-21449
SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability
๐@cveNotify
SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability
๐@cveNotify
๐จ CVE-2024-35256
SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability
๐@cveNotify
SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability
๐@cveNotify
๐จ CVE-2024-35271
SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability
๐@cveNotify
SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability
๐@cveNotify
๐จ CVE-2024-37319
SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability
๐@cveNotify
SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability
๐@cveNotify
๐จ CVE-2024-37320
SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability
๐@cveNotify
SQL Server Native Client OLE DB Provider Remote Code Execution Vulnerability
๐@cveNotify
๐จ CVE-2024-24307
Path Traversal vulnerability in Tunis Soft "Product Designer" (productdesigner) module for PrestaShop before version 1.178.36, allows a remote attacker to escalate privileges and obtain sensitive information via the ajaxProcessCropImage() method.
๐@cveNotify
Path Traversal vulnerability in Tunis Soft "Product Designer" (productdesigner) module for PrestaShop before version 1.178.36, allows a remote attacker to escalate privileges and obtain sensitive information via the ajaxProcessCropImage() method.
๐@cveNotify
GitHub
security-advisories/_posts/2024-02-29-productdesigner-22.md at main ยท friends-of-presta/security-advisories
Security advisories of the FOP security team for prestashop - friends-of-presta/security-advisories
๐จ CVE-2023-48902
An issue was discovered in tramyardg autoexpress version 1.3.0, allows unauthenticated remote attackers to escalate privileges, update car data, delete vehicles, and upload car images via authentication bypass in uploadCarImages.php.
๐@cveNotify
An issue was discovered in tramyardg autoexpress version 1.3.0, allows unauthenticated remote attackers to escalate privileges, update car data, delete vehicles, and upload car images via authentication bypass in uploadCarImages.php.
๐@cveNotify
packetstorm.news
Packet Storm
Information Security Services, News, Files, Tools, Exploits, Advisories, and Whitepapers
๐จ CVE-2017-20190
Some Microsoft technologies as used in Windows 8 through 11 allow a temporary client-side performance degradation during processing of multiple Unicode combining characters, aka a "Zalgo text" attack. NOTE: third parties dispute whether the computational cost of interpreting Unicode data should be considered a vulnerability.
๐@cveNotify
Some Microsoft technologies as used in Windows 8 through 11 allow a temporary client-side performance degradation during processing of multiple Unicode combining characters, aka a "Zalgo text" attack. NOTE: third parties dispute whether the computational cost of interpreting Unicode data should be considered a vulnerability.
๐@cveNotify
๐จ CVE-2024-31648
Cross Site Scripting (XSS) in Insurance Management System v1.0, allows remote attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Category Name parameter at /core/new_category2.
๐@cveNotify
Cross Site Scripting (XSS) in Insurance Management System v1.0, allows remote attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Category Name parameter at /core/new_category2.
๐@cveNotify
GitHub
CVE/CVE-2024-31648.md at main ยท Mohitkumar0786/CVE
Contribute to Mohitkumar0786/CVE development by creating an account on GitHub.
๐จ CVE-2024-6930
The WP Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'type' attribute within the plugin's bookingform shortcode in all versions up to, and including, 10.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
๐@cveNotify
The WP Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'type' attribute within the plugin's bookingform shortcode in all versions up to, and including, 10.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
๐@cveNotify
๐จ CVE-2024-6896
The AMP for WP โ Accelerated Mobile Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.96.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
๐@cveNotify
The AMP for WP โ Accelerated Mobile Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.96.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
๐@cveNotify
๐จ CVE-2024-0855
The Spiffy Calendar WordPress plugin before 4.9.9 doesn't check the event_author parameter, and allows any user to alter it when creating an event, leading to deceiving users/admins that a page was created by a Contributor+.
๐@cveNotify
The Spiffy Calendar WordPress plugin before 4.9.9 doesn't check the event_author parameter, and allows any user to alter it when creating an event, leading to deceiving users/admins that a page was created by a Contributor+.
๐@cveNotify
WPScan
Spiffy Calendar < 4.9.9 - Broken Access Control
See details on Spiffy Calendar < 4.9.9 - Broken Access Control CVE 2024-0855. View the latest Plugin Vulnerabilities on WPScan.
๐จ CVE-2024-27689
Stupid Simple CMS v1.2.4 was discovered to contain a Cross-Site Request Forgery (CSRF) via /update-article.php.
๐@cveNotify
Stupid Simple CMS v1.2.4 was discovered to contain a Cross-Site Request Forgery (CSRF) via /update-article.php.
๐@cveNotify
GitHub
cms/2.md at main ยท Xin246/cms
Contribute to Xin246/cms development by creating an account on GitHub.
๐จ CVE-2024-22398
An improper Limitation of a Pathname to a Restricted Directory (Path Traversal) vulnerability in SonicWall Email Security Appliance could allow a remote attacker with administrative privileges to conduct a directory traversal attack and delete arbitrary files from the appliance file system.
๐@cveNotify
An improper Limitation of a Pathname to a Restricted Directory (Path Traversal) vulnerability in SonicWall Email Security Appliance could allow a remote attacker with administrative privileges to conduct a directory traversal attack and delete arbitrary files from the appliance file system.
๐@cveNotify
๐1
๐จ CVE-2024-7367
A vulnerability, which was classified as problematic, was found in SourceCodester Simple Realtime Quiz System 1.0. This affects an unknown part of the file /ajax.php?action=save_user. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-273351.
๐@cveNotify
A vulnerability, which was classified as problematic, was found in SourceCodester Simple Realtime Quiz System 1.0. This affects an unknown part of the file /ajax.php?action=save_user. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-273351.
๐@cveNotify
Gist
sourcecodester_Simple Realtime Quiz System_CSRF_1.md
GitHub Gist: instantly share code, notes, and snippets.
๐จ CVE-2024-7374
A vulnerability classified as critical was found in SourceCodester Simple Realtime Quiz System 1.0. This vulnerability affects unknown code of the file /manage_user.php. The manipulation of the argument id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-273358 is the identifier assigned to this vulnerability.
๐@cveNotify
A vulnerability classified as critical was found in SourceCodester Simple Realtime Quiz System 1.0. This vulnerability affects unknown code of the file /manage_user.php. The manipulation of the argument id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-273358 is the identifier assigned to this vulnerability.
๐@cveNotify
Gist
sourcecodester_Simple Realtime Quiz System_SQL_INJECTION_6.md
GitHub Gist: instantly share code, notes, and snippets.
โค1