U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Search Type: Search Last 3 Months
There are 11,128 matching records.
Displaying matches 6,301 through 6,320.
Vuln ID Summary CVSS Severity
CVE-2024-23055

An issue in Plone Docker Official Image 5.2.13 (5221) open-source software allows for remote code execution via improper validation of input by the HOST headers.

Published: January 25, 2024; 5:15:08 PM -0500
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2024-22922

An issue in Projectworlds Vistor Management Systemin PHP v.1.0 allows a remtoe attacker to escalate privileges via a crafted script to the login page in the POST/index.php

Published: January 25, 2024; 5:15:08 PM -0500
V3.1: 9.8 CRITICAL
V2.0:(not available)
CVE-2024-0888

A vulnerability, which was classified as problematic, was found in BORGChat 1.0.0 Build 438. This affects an unknown part of the component Service Port 7551. The manipulation leads to denial of service. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-252039.

Published: January 25, 2024; 5:15:08 PM -0500
V3.1: 7.5 HIGH
V2.0:(not available)
CVE-2024-0887

A vulnerability, which was classified as problematic, has been found in Mafiatic Blue Server 1.1. Affected by this issue is some unknown functionality of the component Connection Handler. The manipulation leads to denial of service. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-252038 is the identifier assigned to this vulnerability.

Published: January 25, 2024; 5:15:08 PM -0500
V3.1: 7.5 HIGH
V2.0:(not available)
CVE-2024-0886

A vulnerability classified as problematic was found in Poikosoft EZ CD Audio Converter 8.0.7. Affected by this vulnerability is an unknown functionality of the component Activation Handler. The manipulation of the argument Key leads to denial of service. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The identifier VDB-252037 was assigned to this vulnerability.

Published: January 25, 2024; 5:15:07 PM -0500
V3.1: 5.5 MEDIUM
V2.0:(not available)
CVE-2023-51833

A command injection issue in TRENDnet TEW-411BRPplus v.2.07_eu that allows a local attacker to execute arbitrary code via the data1 parameter in the debug.cgi page.

Published: January 25, 2024; 5:15:07 PM -0500
V3.1: 8.1 HIGH
V2.0:(not available)
CVE-2024-24399

An arbitrary file upload vulnerability in LeptonCMS v7.0.0 allows authenticated attackers to execute arbitrary code via uploading a crafted PHP file.

Published: January 25, 2024; 4:15:09 PM -0500
V3.1: 7.2 HIGH
V2.0:(not available)
CVE-2024-22639

iGalerie v3.0.22 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the Titre (Title) field in the editing interface.

Published: January 25, 2024; 4:15:09 PM -0500
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2024-22638

liveSite v2019.1 was discovered to contain a remote code execution (RCE) vulenrabiity via the component /livesite/edit_designer_region.php.

Published: January 25, 2024; 4:15:09 PM -0500
V3.1: 9.8 CRITICAL
V2.0:(not available)
CVE-2024-22637

Form Tools v3.1.1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /form_builder/preview.php?form_id=2.

Published: January 25, 2024; 4:15:09 PM -0500
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2024-22636

PluXml Blog v5.8.9 was discovered to contain a remote code execution (RCE) vulnerability in the Static Pages feature. This vulnerability is exploited via injecting a crafted payload into the Content field.

Published: January 25, 2024; 4:15:09 PM -0500
V3.1: 8.8 HIGH
V2.0:(not available)
CVE-2024-22635

WebCalendar v1.3.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the component /WebCalendarvqsmnseug2/edit_entry.php.

Published: January 25, 2024; 4:15:09 PM -0500
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2024-0885

A vulnerability classified as problematic has been found in SpyCamLizard 1.230. Affected is an unknown function of the component HTTP GET Request Handler. The manipulation leads to denial of service. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-252036.

Published: January 25, 2024; 4:15:09 PM -0500
V3.1: 7.5 HIGH
V2.0:(not available)
CVE-2024-0884

A vulnerability was found in SourceCodester Online Tours & Travels Management System 1.0. It has been rated as critical. This issue affects the function exec of the file payment.php. The manipulation of the argument id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-252035.

Published: January 25, 2024; 4:15:08 PM -0500
V3.1: 9.8 CRITICAL
V2.0:(not available)
CVE-2023-52251

An issue discovered in provectus kafka-ui 0.4.0 through 0.7.1 allows remote attackers to execute arbitrary code via the q parameter of /api/clusters/local/topics/{topic}/messages.

Published: January 25, 2024; 4:15:08 PM -0500
V3.1: 8.8 HIGH
V2.0:(not available)
CVE-2023-52046

Cross Site Scripting vulnerability (XSS) in webmin v.2.105 and earlier allows a remote attacker to execute arbitrary code via a crafted payload to the "Execute cron job as" tab Input field.

Published: January 25, 2024; 4:15:08 PM -0500
V3.1: 4.8 MEDIUM
V2.0:(not available)
CVE-2024-23817

Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. Version 18.0.4 has a HTML Injection vulnerability in the Home page of the Dolibarr Application. This vulnerability allows an attacker to inject arbitrary HTML tags and manipulate the rendered content in the application's response. Specifically, I was able to successfully inject a new HTML tag into the returned document and, as a result, was able to comment out some part of the Dolibarr App Home page HTML code. This behavior can be exploited to perform various attacks like Cross-Site Scripting (XSS). To remediate the issue, validate and sanitize all user-supplied input, especially within HTML attributes, to prevent HTML injection attacks; and implement proper output encoding when rendering user-provided data to ensure it is treated as plain text rather than executable HTML.

Published: January 25, 2024; 3:15:41 PM -0500
V3.1: 6.1 MEDIUM
V2.0:(not available)
CVE-2024-23656

Dex is an identity service that uses OpenID Connect to drive authentication for other apps. Dex 2.37.0 serves HTTPS with insecure TLS 1.0 and TLS 1.1. `cmd/dex/serve.go` line 425 seemingly sets TLS 1.2 as minimum version, but the whole `tlsConfig` is ignored after `TLS cert reloader` was introduced in v2.37.0. Configured cipher suites are not respected either. This issue is fixed in Dex 2.38.0.

Published: January 25, 2024; 3:15:41 PM -0500
V3.1: 7.5 HIGH
V2.0:(not available)
CVE-2024-23655

Tuta is an encrypted email service. Starting in version 3.118.12 and prior to version 3.119.10, an attacker is able to send a manipulated email so that the user can no longer use the app to get access to received emails. By sending a manipulated email, an attacker could put the app into an unusable state. In this case, a user can no longer access received e-mails. Since the vulnerability affects not only the app, but also the web application, a user in this case has no way to access received emails. This issue was tested with iOS and the web app, but it is possible all clients are affected. Version 3.119.10 fixes this issue.

Published: January 25, 2024; 3:15:40 PM -0500
V3.1: 5.3 MEDIUM
V2.0:(not available)
CVE-2024-21630

Zulip is an open-source team collaboration tool. A vulnerability in version 8.0 is similar to CVE-2023-32677, but applies to multi-use invitations, not single-use invitation links as in the prior CVE. Specifically, it applies when the installation has configured non-admins to be able to invite users and create multi-use invitations, and has also configured only admins to be able to invite users to streams. As in CVE-2023-32677, this does not let users invite new users to arbitrary streams, only to streams that the inviter can already see. Version 8.1 fixes this issue. As a workaround, administrators can limit sending of invitations down to users who also have the permission to add users to streams.

Published: January 25, 2024; 3:15:40 PM -0500
V3.1: 4.3 MEDIUM
V2.0:(not available)