Vulnerabilities (CVE)

Total 258583 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-7079 1 Redhat 1 Openshift Container Platform 2024-07-26 N/A 6.5 MEDIUM
A flaw was found in the Openshift console. The /API/helm/verify endpoint is tasked to fetch and verify the installation of a Helm chart from a URI that is remote HTTP/HTTPS or local. Access to this endpoint is gated by the authHandlerWithUser() middleware function. Contrary to its name, this middleware function does not verify the validity of the user's credentials. As a result, unauthenticated users can access this endpoint.
CVE-2024-38176 2024-07-26 N/A 8.1 HIGH
An improper restriction of excessive authentication attempts in GroupMe allows a unauthenticated attacker to elevate privileges over a network.
CVE-2024-38164 2024-07-26 N/A 9.6 CRITICAL
An improper access control vulnerability in GroupMe allows an a unauthenticated attacker to elevate privileges over a network by convincing a user to click on a malicious link.
CVE-2024-39031 2024-07-25 N/A 5.4 MEDIUM
In Silverpeas Core <= 6.3.5, in Mes Agendas, a user can create new events and add them to their calendar. Additionally, users can invite others from the same domain, including administrators, to these events. A standard user can inject an XSS payload into the "Titre" and "Description" fields when creating an event and then add the administrator or any user to the event. When the invited user (victim) views their own profile, the payload will be executed on their side, even if they do not click on the event.
CVE-2024-6162 2024-07-25 N/A 7.5 HIGH
A vulnerability was found in Undertow. URL-encoded request path information can be broken for concurrent requests on ajp-listener, causing the wrong path to be processed and resulting in a possible denial of service.
CVE-2024-5971 2024-07-25 N/A 7.5 HIGH
A vulnerability was found in Undertow, where the chunked response hangs after the body was flushed. The response headers and body were sent but the client would continue waiting as Undertow does not send the expected 0\r\n termination of the chunked response. This results in uncontrolled resource consumption, leaving the server side to a denial of service attack. This happens only with Java 17 TLSv1.3 scenarios.
CVE-2024-2700 2024-07-25 N/A 7.0 HIGH
A vulnerability was found in the quarkus-core component. Quarkus captures local environment variables from the Quarkus namespace during the application's build, therefore, running the resulting application inherits the values captured at build time. Some local environment variables may have been set by the developer or CI environment for testing purposes, such as dropping the database during application startup or trusting all TLS certificates to accept self-signed certificates. If these properties are configured using environment variables or the .env facility, they are captured into the built application, which can lead to dangerous behavior if the application does not override these values. This behavior only happens for configuration properties from the `quarkus.*` namespace. Application-specific properties are not captured.
CVE-2024-1300 2024-07-25 N/A 5.4 MEDIUM
A vulnerability in the Eclipse Vert.x toolkit causes a memory leak in TCP servers configured with TLS and SNI support. When processing an unknown SNI server name assigned the default certificate instead of a mapped certificate, the SSL context is erroneously cached in the server name map, leading to memory exhaustion. This flaw allows attackers to send TLS client hello messages with fake server names, triggering a JVM out-of-memory error.
CVE-2024-1023 2024-07-25 N/A 6.5 MEDIUM
A vulnerability in the Eclipse Vert.x toolkit results in a memory leak due to using Netty FastThreadLocal data structures. Specifically, when the Vert.x HTTP client establishes connections to different hosts, triggering the memory leak. The leak can be accelerated with intimate runtime knowledge, allowing an attacker to exploit this vulnerability. For instance, a server accepting arbitrary internet addresses could serve as an attack vector by connecting to these addresses, thereby accelerating the memory leak.
CVE-2024-37037 1 Schneider-electric 7 Sage 1410, Sage 1430, Sage 1450 and 4 more 2024-07-25 N/A 8.1 HIGH
CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability exists that could allow an authenticated user with access to the device’s web interface to corrupt files and impact device functionality when sending a crafted HTTP request.
CVE-2024-37038 1 Schneider-electric 7 Sage 1410, Sage 1430, Sage 1450 and 4 more 2024-07-25 N/A 8.8 HIGH
CWE-276: Incorrect Default Permissions vulnerability exists that could allow an authenticated user with access to the device’s web interface to perform unauthorized file and firmware uploads when crafting custom web requests.
CVE-2024-37039 1 Schneider-electric 7 Sage 1410, Sage 1430, Sage 1450 and 4 more 2024-07-25 N/A 7.5 HIGH
CWE-252: Unchecked Return Value vulnerability exists that could cause denial of service of the device when an attacker sends a specially crafted HTTP request.
CVE-2024-37040 1 Schneider-electric 7 Sage 1410, Sage 1430, Sage 1450 and 4 more 2024-07-25 N/A 8.1 HIGH
CWE-120: Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) vulnerability exists that could allow a user with access to the device’s web interface to cause a fault on the device when sending a malformed HTTP request.
CVE-2024-37878 1 Twcms 1 Twcms 2024-07-25 N/A 6.1 MEDIUM
Cross Site Scripting vulnerability in TWCMS v.2.0.3 allows a remote attacker to execute arbitrary code via the /TWCMS-gh-pages/twcms/runtime/twcms_view/default,index.htm.php" PHP directly echoes parameters input from external sources
CVE-2024-5557 1 Schneider-electric 4 Spacelogic As-b, Spacelogic As-b Firmware, Spacelogic As-p and 1 more 2024-07-25 N/A 4.5 MEDIUM
CWE-532: Insertion of Sensitive Information into Log File vulnerability exists that could cause exposure of SNMP credentials when an attacker has access to the controller logs.
CVE-2024-5558 1 Schneider-electric 4 Spacelogic As-b, Spacelogic As-b Firmware, Spacelogic As-p and 1 more 2024-07-25 N/A 6.4 MEDIUM
CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability exists that could cause escalation of privileges when an attacker abuses a limited admin account.
CVE-2024-5560 1 Schneider-electric 7 Sage 1410, Sage 1430, Sage 1450 and 4 more 2024-07-25 N/A 7.5 HIGH
CWE-125: Out-of-bounds Read vulnerability exists that could cause denial of service of the device’s web interface when an attacker sends a specially crafted HTTP request.
CVE-2024-37223 1 Nicdarkthemes 1 Restaurant Food 2024-07-25 N/A 5.4 MEDIUM
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Nicdark Restaurant Reservations allows Stored XSS.This issue affects Restaurant Reservations: from n/a through 2.0.
CVE-2024-37229 1 Auburnforest 1 Blogmentor 2024-07-25 N/A 5.4 MEDIUM
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in AuburnForest Blogmentor – Blog Layouts for Elementor allows Stored XSS.This issue affects Blogmentor – Blog Layouts for Elementor: from n/a through 1.5.
CVE-2024-37239 1 Wpmudev 1 Branda 2024-07-25 N/A 4.8 MEDIUM
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in WPMU DEV Branda allows Stored XSS.This issue affects Branda: from n/a through 3.4.17.