π¨ CVE-2024-7800
A vulnerability classified as critical has been found in SourceCodester Simple Online Bidding System 1.0. This affects an unknown part of the file /simple-online-bidding-system/bidding/admin/ajax.php?action=delete_product. The manipulation of the argument id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
π@cveNotify
A vulnerability classified as critical has been found in SourceCodester Simple Online Bidding System 1.0. This affects an unknown part of the file /simple-online-bidding-system/bidding/admin/ajax.php?action=delete_product. The manipulation of the argument id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
π@cveNotify
GitHub
cve/Sourcecoster_sql3.md at main Β· Wsstiger/cve
Contribute to Wsstiger/cve development by creating an account on GitHub.
π¨ CVE-2018-25081
Bitwarden through 2023.2.1 offers password auto-fill within a cross-domain IFRAME element. NOTE: the vendor's position is that there have been important legitimate cross-domain configurations (e.g., an apple.com IFRAME element on the icloud.com website) and that "Auto-fill on page load" is not enabled by default.
π@cveNotify
Bitwarden through 2023.2.1 offers password auto-fill within a cross-domain IFRAME element. NOTE: the vendor's position is that there have been important legitimate cross-domain configurations (e.g., an apple.com IFRAME element on the icloud.com website) and that "Auto-fill on page load" is not enabled by default.
π@cveNotify
π¨ CVE-2023-32762
An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.
π@cveNotify
An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.
π@cveNotify
π¨ CVE-2024-24496
An issue in Daily Habit Tracker v.1.0 allows a remote attacker to manipulate trackers via the home.php, add-tracker.php, delete-tracker.php, update-tracker.php components.
π@cveNotify
An issue in Daily Habit Tracker v.1.0 allows a remote attacker to manipulate trackers via the home.php, add-tracker.php, delete-tracker.php, update-tracker.php components.
π@cveNotify
GitHub
VulnerabilityResearch/2024/DailyHabitTracker-Broken_Access_Control.md at master Β· 0xQRx/VulnerabilityResearch
Contribute to 0xQRx/VulnerabilityResearch development by creating an account on GitHub.
π¨ CVE-2023-47131
The N-able PassPortal extension before 3.29.2 for Chrome inserts sensitive information into a log file.
π@cveNotify
The N-able PassPortal extension before 3.29.2 for Chrome inserts sensitive information into a log file.
π@cveNotify
π¨ CVE-2024-24308
SQL Injection vulnerability in Boostmyshop (boostmyshopagent) module for Prestashop versions 1.1.9 and before, allows remote attackers to escalate privileges and obtain sensitive information via changeOrderCarrier.php, relayPoint.php, and shippingConfirmation.php.
π@cveNotify
SQL Injection vulnerability in Boostmyshop (boostmyshopagent) module for Prestashop versions 1.1.9 and before, allows remote attackers to escalate privileges and obtain sensitive information via changeOrderCarrier.php, relayPoint.php, and shippingConfirmation.php.
π@cveNotify
Friends-Of-Presta Security Advisories
[CVE-2024-24308] Improper neutralization of SQL parameter in Boostmyshop module for PrestaShop
In the module βBoostmyshopβ (boostmyshopagent) up to version 1.1.9 from Boostmyshop for PrestaShop, a guest can perform SQL injection in affected versions.
π¨ CVE-2024-25306
Code-projects Simple School Managment System 1.0 allows SQL Injection via the 'aname' parameter at "School/index.php".
π@cveNotify
Code-projects Simple School Managment System 1.0 allows SQL Injection via the 'aname' parameter at "School/index.php".
π@cveNotify
GitHub
CVEs/Simple School Management System/Simple School Managment System - SQL Injection -1.md at main Β· tubakvgc/CVEs
Contribute to tubakvgc/CVEs development by creating an account on GitHub.
π¨ CVE-2024-25316
Code-projects Hotel Managment System 1.0 allows SQL Injection via the 'eid' parameter in Hotel/admin/usersettingdel.php?eid=2.
π@cveNotify
Code-projects Hotel Managment System 1.0 allows SQL Injection via the 'eid' parameter in Hotel/admin/usersettingdel.php?eid=2.
π@cveNotify
GitHub
CVEs/Hotel Managment System/Hotel Managment System - SQL Injection-4.md at main Β· tubakvgc/CVEs
Contribute to tubakvgc/CVEs development by creating an account on GitHub.
π¨ CVE-2024-25448
An issue in the imlib_free_image_and_decache function of imlib2 v1.9.1 allows attackers to cause a heap buffer overflow via parsing a crafted image.
π@cveNotify
An issue in the imlib_free_image_and_decache function of imlib2 v1.9.1 allows attackers to cause a heap buffer overflow via parsing a crafted image.
π@cveNotify
π¨ CVE-2023-50298
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Solr.This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.4.1.
Solr Streaming Expressions allows users to extract data from other Solr Clouds, using a "zkHost" parameter.
When original SolrCloud is setup to use ZooKeeper credentials and ACLs, they will be sent to whatever "zkHost" the user provides.
An attacker could setup a server to mock ZooKeeper, that accepts ZooKeeper requests with credentials and ACLs and extracts the sensitive information,
then send a streaming expression using the mock server's address in "zkHost".
Streaming Expressions are exposed via the "/streaming" handler, with "read" permissions.
Users are recommended to upgrade to version 8.11.3 or 9.4.1, which fix the issue.
From these versions on, only zkHost values that have the same server address (regardless of chroot), will use the given ZooKeeper credentials and ACLs when connecting.
π@cveNotify
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Solr.This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.4.1.
Solr Streaming Expressions allows users to extract data from other Solr Clouds, using a "zkHost" parameter.
When original SolrCloud is setup to use ZooKeeper credentials and ACLs, they will be sent to whatever "zkHost" the user provides.
An attacker could setup a server to mock ZooKeeper, that accepts ZooKeeper requests with credentials and ACLs and extracts the sensitive information,
then send a streaming expression using the mock server's address in "zkHost".
Streaming Expressions are exposed via the "/streaming" handler, with "read" permissions.
Users are recommended to upgrade to version 8.11.3 or 9.4.1, which fix the issue.
From these versions on, only zkHost values that have the same server address (regardless of chroot), will use the given ZooKeeper credentials and ACLs when connecting.
π@cveNotify
π¨ CVE-2022-48623
The Cpanel::JSON::XS package before 4.33 for Perl performs out-of-bounds accesses in a way that allows attackers to obtain sensitive information or cause a denial of service.
π@cveNotify
The Cpanel::JSON::XS package before 4.33 for Perl performs out-of-bounds accesses in a way that allows attackers to obtain sensitive information or cause a denial of service.
π@cveNotify
GitHub
cpan-security-advisory/cpansa/CPANSA-Cpanel-JSON-XS.yml at 9374f98bef51e1ae887f293234050551c079776f Β· briandfoy/cpan-security-advisory
CPAN Security Advisory Database. Contribute to briandfoy/cpan-security-advisory development by creating an account on GitHub.
π¨ CVE-2024-30871
netentsec NS-ASG 6.3 is vulnerable to SQL Injection via /WebPages/applyhardware.php.
π@cveNotify
netentsec NS-ASG 6.3 is vulnerable to SQL Injection via /WebPages/applyhardware.php.
π@cveNotify
GitHub
cve/NS-ASG-sql-applyhardware.md at main Β· hundanchen69/cve
Contribute to hundanchen69/cve development by creating an account on GitHub.
π¨ CVE-2024-30860
netentsec NS-ASG 6.3 is vulnerable to SQL Injection via /admin/export_excel_user.php.
π@cveNotify
netentsec NS-ASG 6.3 is vulnerable to SQL Injection via /admin/export_excel_user.php.
π@cveNotify
GitHub
cve/NS-ASG-sql-export_excel_user.md at main Β· hundanchen69/cve
Contribute to hundanchen69/cve development by creating an account on GitHub.
π¨ CVE-2024-32358
An issue in Jpress v.5.1.0 allows a remote attacker to execute arbitrary code via a crafted script to the custom plug-in module function.
π@cveNotify
An issue in Jpress v.5.1.0 allows a remote attacker to execute arbitrary code via a crafted script to the custom plug-in module function.
π@cveNotify
Gist
CVE-2024-32358
CVE-2024-32358. GitHub Gist: instantly share code, notes, and snippets.
π¨ CVE-2022-32505
An issue was discovered on certain Nuki Home Solutions devices. It is possible to send multiple BLE malformed packets to block some of the functionality and reboot the device. This affects Nuki Smart Lock 3.0 before 3.3.5 and Nuki Smart Lock 2.0 before 2.12.4.
π@cveNotify
An issue was discovered on certain Nuki Home Solutions devices. It is possible to send multiple BLE malformed packets to block some of the functionality and reboot the device. This affects Nuki Smart Lock 3.0 before 3.3.5 and Nuki Smart Lock 2.0 before 2.12.4.
π@cveNotify
LHN
Multiple Security Flaws Found In Nuki Smart Locks
Researchers found numerous security flaws in various Nuki Smart locks. Exploiting the vulnerabilities could affect the smart locksβ confidentiality, integrity, and availability. Nuki Smart Locks Flaws According to an advisory from the NCC Group, their researchersβ¦
π¨ CVE-2024-35011
idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/infoType_deal.php?mudi=rev&nohrefStr=close.
π@cveNotify
idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component /admin/infoType_deal.php?mudi=rev&nohrefStr=close.
π@cveNotify
GitHub
cms/8.md at main Β· Thirtypenny77/cms
Contribute to Thirtypenny77/cms development by creating an account on GitHub.
π¨ CVE-2024-34957
idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component admin/sysImages_deal.php?mudi=infoSet.
π@cveNotify
idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component admin/sysImages_deal.php?mudi=infoSet.
π@cveNotify
GitHub
cms/1.md at main Β· Gr-1m/cms
Contribute to Gr-1m/cms development by creating an account on GitHub.
π¨ CVE-2024-35345
A vulnerability has been discovered in DiΓ±o Physics School Assistant version 2.3. The vulnerability impacts unidentified code within the file /classes/Users.php. Manipulating the argument id results in cross-site scripting.
π@cveNotify
A vulnerability has been discovered in DiΓ±o Physics School Assistant version 2.3. The vulnerability impacts unidentified code within the file /classes/Users.php. Manipulating the argument id results in cross-site scripting.
π@cveNotify
π¨ CVE-2024-36547
idccms V1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component admin/vpsClass_deal.php?mudi=add
π@cveNotify
idccms V1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component admin/vpsClass_deal.php?mudi=add
π@cveNotify
GitHub
cms/32/csrf.md at main Β· da271133/cms
Contribute to da271133/cms development by creating an account on GitHub.
π¨ CVE-2024-5037
A flaw was found in OpenShift's Telemeter. If certain conditions are in place, an attacker can use a forged token to bypass the issue ("iss") check during JSON web token (JWT) authentication.
π@cveNotify
A flaw was found in OpenShift's Telemeter. If certain conditions are in place, an attacker can use a forged token to bypass the issue ("iss") check during JSON web token (JWT) authentication.
π@cveNotify
π¨ CVE-2024-36669
idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component admin/type_deal.php?mudi=add.
π@cveNotify
idccms v1.35 was discovered to contain a Cross-Site Request Forgery (CSRF) via the component admin/type_deal.php?mudi=add.
π@cveNotify
GitHub
cms/34/csrf.md at main Β· sigubbs/cms
Contribute to sigubbs/cms development by creating an account on GitHub.