๐จ CVE-2024-49376
Autolab, a course management service that enables auto-graded programming assignments, has misconfigured reset password permissions in version 3.0.0. For email-based accounts, users with insufficient privileges could reset and theoretically access privileged users' accounts by resetting their passwords. This issue is fixed in version 3.0.1. No known workarounds exist.
๐@cveNotify
Autolab, a course management service that enables auto-graded programming assignments, has misconfigured reset password permissions in version 3.0.0. For email-based accounts, users with insufficient privileges could reset and theoretically access privileged users' accounts by resetting their passwords. This issue is fixed in version 3.0.1. No known workarounds exist.
๐@cveNotify
GitHub
Merge commit from fork ยท autolab/Autolab@301689a
* Added admin checks for erb and controller paths
* Removed unnecessary admin checks
* Removed newline
* Fixed some linting
* Fixed indentation
* Added more indentation
* Removed unnecessary admin checks
* Removed newline
* Fixed some linting
* Fixed indentation
* Added more indentation
๐จ CVE-2024-49378
smartUp, a web browser mouse gestures extension, has a universal cross-site scripting issue in the Edge and Firefox versions of smartUp 7.2.622.1170. The vulnerability allows another extension to execute arbitrary code in the context of the userโs tab. As of time of publication, no known patches exist.
๐@cveNotify
smartUp, a web browser mouse gestures extension, has a universal cross-site scripting issue in the Edge and Firefox versions of smartUp 7.2.622.1170. The vulnerability allows another extension to execute arbitrary code in the context of the userโs tab. As of time of publication, no known patches exist.
๐@cveNotify
GitHub
smartup/js/background.js at 2144ec161697751b1a6702f1af866726ea689e4e ยท zimocode/smartup
A customizable web browser mouse gestures extension with a variety of actions. - zimocode/smartup
๐จ CVE-2024-31002
Buffer Overflow vulnerability in Bento4 Bento v.1.6.0-641 allows a remote attacker to execute arbitrary code via the AP4 BitReader::ReadCache() at Ap4Utils.cpp component.
๐@cveNotify
Buffer Overflow vulnerability in Bento4 Bento v.1.6.0-641 allows a remote attacker to execute arbitrary code via the AP4 BitReader::ReadCache() at Ap4Utils.cpp component.
๐@cveNotify
GitHub
Heap-buffer-overflow with ASAN in mp42aac ยท Issue #939 ยท axiomatic-systems/Bento4
Dear Bento4 developers, To debug a program built with ASan, here is some output ================================================================= ==3304149==ERROR: AddressSanitizer: heap-buffer-ove...
๐จ CVE-2024-27674
Macro Expert through 4.9.4 allows BUILTIN\Users:(OI)(CI)(M) access to the "%PROGRAMFILES(X86)%\GrassSoft\Macro Expert" folder and thus an unprivileged user can escalate to SYSTEM by replacing the MacroService.exe binary.
๐@cveNotify
Macro Expert through 4.9.4 allows BUILTIN\Users:(OI)(CI)(M) access to the "%PROGRAMFILES(X86)%\GrassSoft\Macro Expert" folder and thus an unprivileged user can escalate to SYSTEM by replacing the MacroService.exe binary.
๐@cveNotify
GitHub
GitHub - Alaatk/CVE-2024-27674: Macro Expert <= 4.9.4 - Insecure Permissions Privilege Escalation
Macro Expert <= 4.9.4 - Insecure Permissions Privilege Escalation - Alaatk/CVE-2024-27674
๐จ CVE-2024-26574
Insecure Permissions vulnerability in Wondershare Filmora v.13.0.51 allows a local attacker to execute arbitrary code via a crafted script to the WSNativePushService.exe
๐@cveNotify
Insecure Permissions vulnerability in Wondershare Filmora v.13.0.51 allows a local attacker to execute arbitrary code via a crafted script to the WSNativePushService.exe
๐@cveNotify
Wondershare
[Official] Wondershare Filmora: Edit Video as a Pro
Filmora is an all-in-one video editing software for desktop and mobile. Easily create professional videos with intuitive tools, AI-powered features, and creative effects.
๐จ CVE-2024-31815
In TOTOLINK EX200 V4.0.3c.7314_B20191204, an attacker can obtain the configuration file without authorization through /cgi-bin/ExportSettings.sh
๐@cveNotify
In TOTOLINK EX200 V4.0.3c.7314_B20191204, an attacker can obtain the configuration file without authorization through /cgi-bin/ExportSettings.sh
๐@cveNotify
GitHub
CVE-vulns/TOTOLINK/EX200/Leak_ExportSettings/Leak.md at main ยท 4hsienyang/CVE-vulns
CVE-vulns. Contribute to 4hsienyang/CVE-vulns development by creating an account on GitHub.
๐จ CVE-2024-23086
Apfloat v1.10.1 was discovered to contain a stack overflow via the component org.apfloat.internal.DoubleModMath::modPow(double. NOTE: this is disputed by multiple third parties who believe there was not reasonable evidence to determine the existence of a vulnerability. The submission may have been based on a tool that is not sufficiently robust for vulnerability identification.
๐@cveNotify
Apfloat v1.10.1 was discovered to contain a stack overflow via the component org.apfloat.internal.DoubleModMath::modPow(double. NOTE: this is disputed by multiple third parties who believe there was not reasonable evidence to determine the existence of a vulnerability. The submission may have been based on a tool that is not sufficiently robust for vulnerability identification.
๐@cveNotify
๐จ CVE-2024-22949
JFreeChart v1.5.4 was discovered to contain a NullPointerException via the component /chart/annotations/CategoryLineAnnotation. NOTE: this is disputed by multiple third parties who believe there was not reasonable evidence to determine the existence of a vulnerability. The submission may have been based on a tool that is not sufficiently robust for vulnerability identification.
๐@cveNotify
JFreeChart v1.5.4 was discovered to contain a NullPointerException via the component /chart/annotations/CategoryLineAnnotation. NOTE: this is disputed by multiple third parties who believe there was not reasonable evidence to determine the existence of a vulnerability. The submission may have been based on a tool that is not sufficiently robust for vulnerability identification.
๐@cveNotify
๐จ CVE-2023-34034
Using "**" as a pattern in Spring Security configuration
for WebFlux creates a mismatch in pattern matching between Spring
Security and Spring WebFlux, and the potential for a security bypass.
๐@cveNotify
Using "**" as a pattern in Spring Security configuration
for WebFlux creates a mismatch in pattern matching between Spring
Security and Spring WebFlux, and the potential for a security bypass.
๐@cveNotify
๐จ CVE-2023-26562
In Zimbra Collaboration (ZCS) 8.8.15 and 9.0, a closed account (with 2FA and generated passwords) can send e-mail messages when configured for Imap/smtp.
๐@cveNotify
In Zimbra Collaboration (ZCS) 8.8.15 and 9.0, a closed account (with 2FA and generated passwords) can send e-mail messages when configured for Imap/smtp.
๐@cveNotify
๐จ CVE-2024-46994
baserCMS is a website development framework. Versions prior to 5.1.2 have a cross-site scripting vulnerability in Blog posts and Contents list Feature. Version 5.1.2 fixes this issue.
๐@cveNotify
baserCMS is a website development framework. Versions prior to 5.1.2 have a cross-site scripting vulnerability in Blog posts and Contents list Feature. Version 5.1.2 fixes this issue.
๐@cveNotify
ๅฝ็ฃใชใผใใณใฝใผในCMS baserCMS
2024/10/24 baserCMSใซXSSใใฏใใใจใใ่คๆฐใฎ่ๅผฑๆง
๐จ CVE-2024-46995
baserCMS is a website development framework. Versions prior to 5.1.2 have a cross-site scripting vulnerability in HTTP 400 Bad Request. Version 5.1.2 fixes this issue.
๐@cveNotify
baserCMS is a website development framework. Versions prior to 5.1.2 have a cross-site scripting vulnerability in HTTP 400 Bad Request. Version 5.1.2 fixes this issue.
๐@cveNotify
๐จ CVE-2024-46996
baserCMS is a website development framework. Versions prior to 5.1.2 have a cross-site scripting vulnerability in the Blog posts feature. Version 5.1.2 fixes this issue.
๐@cveNotify
baserCMS is a website development framework. Versions prior to 5.1.2 have a cross-site scripting vulnerability in the Blog posts feature. Version 5.1.2 fixes this issue.
๐@cveNotify
ๅฝ็ฃใชใผใใณใฝใผในCMS baserCMS
2024/10/24 baserCMSใซXSSใใฏใใใจใใ่คๆฐใฎ่ๅผฑๆง
๐จ CVE-2024-46998
baserCMS is a website development framework. Versions prior to 5.1.2 have a cross-site scripting vulnerability in the Edit Email Form Settings Feature. Version 5.1.2 fixes the issue.
๐@cveNotify
baserCMS is a website development framework. Versions prior to 5.1.2 have a cross-site scripting vulnerability in the Edit Email Form Settings Feature. Version 5.1.2 fixes the issue.
๐@cveNotify
๐จ CVE-2024-10123
A vulnerability was found in Tenda AC8 16.03.34.06. It has been declared as critical. Affected by this vulnerability is the function compare_parentcontrol_time of the file /goform/saveParentControlInfo. The manipulation of the argument time leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This is not the same issue like CVE-2023-33671. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
A vulnerability was found in Tenda AC8 16.03.34.06. It has been declared as critical. Affected by this vulnerability is the function compare_parentcontrol_time of the file /goform/saveParentControlInfo. The manipulation of the argument time leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This is not the same issue like CVE-2023-33671. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
GitHub
router_vuls/ac8v4/compare_parentcontrol_time_vul.md at main ยท JohenanLi/router_vuls
Contribute to JohenanLi/router_vuls development by creating an account on GitHub.
๐จ CVE-2024-10335
A vulnerability was found in SourceCodester Garbage Collection Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file login.php. The manipulation of the argument username/password leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The initial researcher advisory only mentions the parameter "username" to be affected. But it must be assumed that the parameter "password" is affected as well.
๐@cveNotify
A vulnerability was found in SourceCodester Garbage Collection Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file login.php. The manipulation of the argument username/password leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The initial researcher advisory only mentions the parameter "username" to be affected. But it must be assumed that the parameter "password" is affected as well.
๐@cveNotify
GitHub
VUL/Garbage-Collection-Management-System-01.md at main ยท tang-0717/VUL
Contribute to tang-0717/VUL development by creating an account on GitHub.
๐จ CVE-2024-10336
A vulnerability was found in SourceCodeHero Clothes Recommendation System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /admin/index.php of the component Admin Login Page. The manipulation of the argument t1 leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
๐@cveNotify
A vulnerability was found in SourceCodeHero Clothes Recommendation System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /admin/index.php of the component Admin Login Page. The manipulation of the argument t1 leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
๐@cveNotify
๐จ CVE-2023-40290
An issue was discovered on Supermicro X11SSM-F, X11SAE-F, and X11SSE-F 1.66 devices. An attacker could exploit an XSS issue that affects Internet Explorer 11 on Windows.
๐@cveNotify
An issue was discovered on Supermicro X11SSM-F, X11SAE-F, and X11SSE-F 1.66 devices. An attacker could exploit an XSS issue that affects Internet Explorer 11 on Windows.
๐@cveNotify
๐จ CVE-2024-30596
Tenda FH1202 v1.2.0.14(408) has a stack overflow vulnerability in the deviceId parameter of the formSetDeviceName function.
๐@cveNotify
Tenda FH1202 v1.2.0.14(408) has a stack overflow vulnerability in the deviceId parameter of the formSetDeviceName function.
๐@cveNotify
๐จ CVE-2024-30587
Tenda FH1202 v1.2.0.14(408) has a stack overflow vulnerability in the urls parameter of the saveParentControlInfo function.
๐@cveNotify
Tenda FH1202 v1.2.0.14(408) has a stack overflow vulnerability in the urls parameter of the saveParentControlInfo function.
๐@cveNotify
๐จ CVE-2024-30604
Tenda FH1203 v2.0.1.6 has a stack overflow vulnerability in the list1 parameter of the fromDhcpListClient function.
๐@cveNotify
Tenda FH1203 v2.0.1.6 has a stack overflow vulnerability in the list1 parameter of the fromDhcpListClient function.
๐@cveNotify