π¨ CVE-2024-7303
A vulnerability was found in itsourcecode Online Blood Bank Management System 1.0. It has been rated as problematic. This issue affects some unknown processing of the file /request.php of the component Send Blood Request Page. The manipulation of the argument Address/bloodgroup leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-273185 was assigned to this vulnerability.
π@cveNotify
A vulnerability was found in itsourcecode Online Blood Bank Management System 1.0. It has been rated as problematic. This issue affects some unknown processing of the file /request.php of the component Send Blood Request Page. The manipulation of the argument Address/bloodgroup leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-273185 was assigned to this vulnerability.
π@cveNotify
GitHub
ItSourceCode 'Online Blood Bank Management System in PHP" Stored XSS Β· Issue #1 Β· cl4irv0yance/CVEs
Stored XSS in Online Blood Bank Management System V1.0 Affected Product Online Blood Bank Management System Vendor Homepage https://itsourcecode.com/free-projects/php-project/online-blood-bank-mana...
π¨ CVE-2024-7320
A vulnerability classified as critical has been found in itsourcecode Online Blood Bank Management System 1.0. This affects an unknown part of the file /admin/index.php of the component Admin Login. The manipulation of the argument user leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-273231.
π@cveNotify
A vulnerability classified as critical has been found in itsourcecode Online Blood Bank Management System 1.0. This affects an unknown part of the file /admin/index.php of the component Admin Login. The manipulation of the argument user leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-273231.
π@cveNotify
GitHub
Itsourcecode Online Blood Bank Management Authentication Bypass via SQL Injection to User page and Admin Console Β· Issue #3 Β· β¦
Itsourcecode Online Blood Bank Management Authentication Bypass via SQL Injection to User page and Admin Console Affected Product Online Blood Bank Management System in PHP with Source Code Vendor ...
π¨ CVE-2024-7321
A vulnerability classified as problematic was found in itsourcecode Online Blood Bank Management System 1.0. This vulnerability affects unknown code of the file signup.php of the component User Registration Handler. The manipulation of the argument user leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-273232.
π@cveNotify
A vulnerability classified as problematic was found in itsourcecode Online Blood Bank Management System 1.0. This vulnerability affects unknown code of the file signup.php of the component User Registration Handler. The manipulation of the argument user leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-273232.
π@cveNotify
GitHub
ItSourceCode Stored XSS via User Registration Β· Issue #4 Β· cl4irv0yance/CVEs
Stored XSS in Online Blood Bank Management System V1.0 Affected Product Online Blood Bank Management System Vendor Homepage https://itsourcecode.com/free-projects/php-project/online-blood-bank-mana...
π¨ CVE-2024-7285
A vulnerability has been found in SourceCodester Establishment Billing Management System 1.0 and classified as problematic. This vulnerability affects unknown code of the file /admin/ajax.php?action=save_settings. The manipulation of the argument name leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-273154 is the identifier assigned to this vulnerability.
π@cveNotify
A vulnerability has been found in SourceCodester Establishment Billing Management System 1.0 and classified as problematic. This vulnerability affects unknown code of the file /admin/ajax.php?action=save_settings. The manipulation of the argument name leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-273154 is the identifier assigned to this vulnerability.
π@cveNotify
Gist
sourcecodester_Establishment Billing Management System_XSS_1.md
GitHub Gist: instantly share code, notes, and snippets.
π¨ CVE-2024-24721
An issue was discovered on Innovaphone PBX before 14r1 devices. The password form, used to authenticate, allows a Brute Force Attack through which an attacker may be able to access the administration panel
π@cveNotify
An issue was discovered on Innovaphone PBX before 14r1 devices. The password form, used to authenticate, allows a Brute Force Attack through which an attacker may be able to access the administration panel
π@cveNotify
π¨ CVE-2024-26476
An issue in open-emr before v.7.0.2 allows a remote attacker to escalate privileges via a crafted script to the formid parameter in the ereq_form.php component.
π@cveNotify
An issue in open-emr before v.7.0.2 allows a remote attacker to escalate privileges via a crafted script to the formid parameter in the ereq_form.php component.
π@cveNotify
GitHub
Research/openemr_BlindSSRF/README.md at main Β· c4v4r0n/Research
Contribute to c4v4r0n/Research development by creating an account on GitHub.
π¨ CVE-2024-31201
A βCWE-428: Unquoted Search Path or Elementβ affects the ThermoscanIP_Scrutation service. Such misconfiguration could be abused in scenarios where incorrect permissions were assigned to the C:\ path to attempt a privilege escalation on the local machine.
π@cveNotify
A βCWE-428: Unquoted Search Path or Elementβ affects the ThermoscanIP_Scrutation service. Such misconfiguration could be abused in scenarios where incorrect permissions were assigned to the C:\ path to attempt a privilege escalation on the local machine.
π@cveNotify
Nozominetworks
CVE-2024-31201 | Nozomi Networks Labs
A βCWE-428: Unquoted Search Path or Elementβ affects the ThermoscanIP_Scrutation service. Such misconfiguration could be abused in scenarios where incorrect permissions were assigned to the C:\ path to attempt a privilege escalation on the local machine.CVEβ¦
π¨ CVE-2024-31202
A βCWE-732: Incorrect Permission Assignment for Critical Resourceβ in the ThermoscanIP installation folder allows a local attacker to perform a Local Privilege Escalation.
π@cveNotify
A βCWE-732: Incorrect Permission Assignment for Critical Resourceβ in the ThermoscanIP installation folder allows a local attacker to perform a Local Privilege Escalation.
π@cveNotify
Nozominetworks
CVE-2024-31202 | Nozomi Networks Labs
A βCWE-732: Incorrect Permission Assignment for Critical Resourceβ in the ThermoscanIP installation folder allows a local attacker to perform a Local Privilege Escalation.CVE-2024-31202
π¨ CVE-2024-31203
A βCWE-121: Stack-based Buffer Overflowβ in the wd210std.dll dynamic library packaged with the ThermoscanIP installer allows a local attacker to possibly trigger a Denial-of-Service (DoS) condition on the target component.
π@cveNotify
A βCWE-121: Stack-based Buffer Overflowβ in the wd210std.dll dynamic library packaged with the ThermoscanIP installer allows a local attacker to possibly trigger a Denial-of-Service (DoS) condition on the target component.
π@cveNotify
Nozominetworks
CVE-2024-31203 | Nozomi Networks Labs
A βCWE-121: Stack-based Buffer Overflowβ in the wd210std.dll dynamic library packaged with the ThermoscanIP installer allows a local attacker to possibly trigger a Denial-of-Service (DoS) condition on the target component.CVE-2024-31203
π¨ CVE-2024-36424
K7RKScan.sys in K7 Ultimate Security before 17.0.2019 allows local users to cause a denial of service (BSOD) because of a NULL pointer dereference.
π@cveNotify
K7RKScan.sys in K7 Ultimate Security before 17.0.2019 allows local users to cause a denial of service (BSOD) because of a NULL pointer dereference.
π@cveNotify
π¨ CVE-2024-39227
GL-iNet products AR750/AR750S/AR300M/AR300M16/MT300N-V2/B1300/MT1300/SFT1200/X750 v4.3.11, MT3000/MT2500/AXT1800/AX1800/A1300/X300B v4.5.16, XE300 v4.3.16, E750 v4.3.12, AP1300/S1300 v4.3.13, and XE3000/X3000 v4.4 were discovered to contain a shell injection vulnerability via the interface check_ovpn_client_config.
π@cveNotify
GL-iNet products AR750/AR750S/AR300M/AR300M16/MT300N-V2/B1300/MT1300/SFT1200/X750 v4.3.11, MT3000/MT2500/AXT1800/AX1800/A1300/X300B v4.5.16, XE300 v4.3.16, E750 v4.3.12, AP1300/S1300 v4.3.13, and XE3000/X3000 v4.4 were discovered to contain a shell injection vulnerability via the interface check_ovpn_client_config.
π@cveNotify
π¨ CVE-2024-39229
An issue in GL-iNet products AR750/AR750S/AR300M/AR300M16/MT300N-V2/B1300/MT1300/SFT1200/X750 v4.3.11, MT3000/MT2500/AXT1800/AX1800/A1300/X300B v4.5.16, XE300 v4.3.16, E750 v4.3.12, AP1300/S1300 v4.3.13, XE3000/X3000 v4, and B2200/MV1000/MV1000W/USB150/N300/SF1200 v3.216 allows attackers to intercept communications via a man-in-the-middle attack when DDNS clients are reporting data to the server.
π@cveNotify
An issue in GL-iNet products AR750/AR750S/AR300M/AR300M16/MT300N-V2/B1300/MT1300/SFT1200/X750 v4.3.11, MT3000/MT2500/AXT1800/AX1800/A1300/X300B v4.5.16, XE300 v4.3.16, E750 v4.3.12, AP1300/S1300 v4.3.13, XE3000/X3000 v4, and B2200/MV1000/MV1000W/USB150/N300/SF1200 v3.216 allows attackers to intercept communications via a man-in-the-middle attack when DDNS clients are reporting data to the server.
π@cveNotify
π¨ CVE-2024-42358
PDFio is a simple C library for reading and writing PDF files. There is a denial of service (DOS) vulnerability in the TTF parser. Maliciously crafted TTF files can cause the program to utilize 100% of the Memory and enter an infinite loop. This can also lead to a heap-buffer-overflow vulnerability. An infinite loop occurs in the read_camp function by nGroups value. The ttf.h library is vulnerable. A value called nGroups is extracted from the file, and by changing that value, you can cause the program to utilize 100% of the Memory and enter an infinite loop. If the value of nGroups in the file is small, an infinite loop will not occur. This library, whether used as a standalone binary or as part of another application, is vulnerable to DOS attacks when parsing certain types of files. Automated systems, including web servers that use this code to convert PDF submissions into plaintext, can be DOSed if an attacker uploads a malicious TTF file. This issue has been addressed in release version 1.3.1. All users are advised to upgrade. There are no known workarounds for this vulnerability.
π@cveNotify
PDFio is a simple C library for reading and writing PDF files. There is a denial of service (DOS) vulnerability in the TTF parser. Maliciously crafted TTF files can cause the program to utilize 100% of the Memory and enter an infinite loop. This can also lead to a heap-buffer-overflow vulnerability. An infinite loop occurs in the read_camp function by nGroups value. The ttf.h library is vulnerable. A value called nGroups is extracted from the file, and by changing that value, you can cause the program to utilize 100% of the Memory and enter an infinite loop. If the value of nGroups in the file is small, an infinite loop will not occur. This library, whether used as a standalone binary or as part of another application, is vulnerable to DOS attacks when parsing certain types of files. Automated systems, including web servers that use this code to convert PDF submissions into plaintext, can be DOSed if an attacker uploads a malicious TTF file. This issue has been addressed in release version 1.3.1. All users are advised to upgrade. There are no known workarounds for this vulnerability.
π@cveNotify
GitHub
Merge commit from fork Β· michaelrsweet/pdfio@e4e1c39
Add range checking to TTF loader.
π¨ CVE-2024-7502
A crafted DPA file could force Delta Electronics DIAScreen to overflow a stack-based buffer, which could allow an attacker to execute arbitrary code.
π@cveNotify
A crafted DPA file could force Delta Electronics DIAScreen to overflow a stack-based buffer, which could allow an attacker to execute arbitrary code.
π@cveNotify
π¨ CVE-2024-41677
Qwik is a performance focused javascript framework. A potential mutation XSS vulnerability exists in Qwik for versions up to but not including 1.6.0. Qwik improperly escapes HTML on server-side rendering. It converts strings according to the rules found in the `render-ssr.ts` file. It sometimes causes the situation that the final DOM tree rendered on browsers is different from what Qwik expects on server-side rendering. This may be leveraged to perform XSS attacks, and a type of the XSS is known as mXSS (mutation XSS). This has been resolved in qwik version 1.6.0 and @builder.io/qwik version 1.7.3. All users are advised to upgrade. There are no known workarounds for this vulnerability.
π@cveNotify
Qwik is a performance focused javascript framework. A potential mutation XSS vulnerability exists in Qwik for versions up to but not including 1.6.0. Qwik improperly escapes HTML on server-side rendering. It converts strings according to the rules found in the `render-ssr.ts` file. It sometimes causes the situation that the final DOM tree rendered on browsers is different from what Qwik expects on server-side rendering. This may be leveraged to perform XSS attacks, and a type of the XSS is known as mXSS (mutation XSS). This has been resolved in qwik version 1.6.0 and @builder.io/qwik version 1.7.3. All users are advised to upgrade. There are no known workarounds for this vulnerability.
π@cveNotify
GitHub
qwik/packages/qwik/src/core/render/ssr/render-ssr.ts at v1.5.5 Β· QwikDev/qwik
Instant-loading web apps, without effort. Contribute to QwikDev/qwik development by creating an account on GitHub.
π¨ CVE-2024-42347
matrix-react-sdk is a react-based SDK for inserting a Matrix chat/voip client into a web page. A malicious homeserver could manipulate a user's account data to cause the client to enable URL previews in end-to-end encrypted rooms, in which case any URLs in encrypted messages would be sent to the server. This was patched in matrix-react-sdk 3.105.0. Deployments that trust their homeservers, as well as closed federations of trusted servers, are not affected. Users are advised to upgrade. There are no known workarounds for this vulnerability.
π@cveNotify
matrix-react-sdk is a react-based SDK for inserting a Matrix chat/voip client into a web page. A malicious homeserver could manipulate a user's account data to cause the client to enable URL previews in end-to-end encrypted rooms, in which case any URLs in encrypted messages would be sent to the server. This was patched in matrix-react-sdk 3.105.0. Deployments that trust their homeservers, as well as closed federations of trusted servers, are not affected. Users are advised to upgrade. There are no known workarounds for this vulnerability.
π@cveNotify
GitHub
Release v3.105.1 Β· matrix-org/matrix-react-sdk
Fixes for CVE-2024-42347 / GHSA-f83w-wqhc-cfp4.
π¨ CVE-2024-34610
Improper access control in ExtControlDeviceService prior to SMR Aug-2024 Release 1 allows local attackers to access protected data.
π@cveNotify
Improper access control in ExtControlDeviceService prior to SMR Aug-2024 Release 1 allows local attackers to access protected data.
π@cveNotify
π¨ CVE-2024-34611
Improper access control in KnoxService prior to SMR Aug-2024 Release 1 allows local attackers to get sensitive information.
π@cveNotify
Improper access control in KnoxService prior to SMR Aug-2024 Release 1 allows local attackers to get sensitive information.
π@cveNotify
π¨ CVE-2024-34612
Out-of-bound write in libcodec2secmp4vdec.so prior to SMR Aug-2024 Release 1 allows local attackers to execute arbitrary code.
π@cveNotify
Out-of-bound write in libcodec2secmp4vdec.so prior to SMR Aug-2024 Release 1 allows local attackers to execute arbitrary code.
π@cveNotify
π¨ CVE-2024-34613
Improper access control in Galaxy Watch prior to SMR Aug-2024 Release 1 allows local attackers to access sensitive information of Galaxy watch.
π@cveNotify
Improper access control in Galaxy Watch prior to SMR Aug-2024 Release 1 allows local attackers to access sensitive information of Galaxy watch.
π@cveNotify
π1
π¨ CVE-2024-34614
Out-of-bound write in libsmat.so prior to SMR Aug-2024 Release 1 allows local attackers to execute arbitrary code.
π@cveNotify
Out-of-bound write in libsmat.so prior to SMR Aug-2024 Release 1 allows local attackers to execute arbitrary code.
π@cveNotify