U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
There are 243,730 matching records.
Displaying matches 21 through 40.
Vuln ID Summary CVSS Severity
CVE-2024-41120

streamlit-geospatial is a streamlit multipage app for geospatial applications. Prior to commit c4f81d9616d40c60584e36abb15300853a66e489, the `url` variable on line 63 of `pages/9_🔲_Vector_Data_Visualization.py` takes user input, which is later passed to the `gpd.read_file` method. `gpd.read_file` method creates a request to arbitrary destinations, leading to blind server-side request forgery. Commit c4f81d9616d40c60584e36abb15300853a66e489 fixes this issue.

Published: July 26, 2024; 5:15:14 PM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-41119

streamlit-geospatial is a streamlit multipage app for geospatial applications. Prior to commit c4f81d9616d40c60584e36abb15300853a66e489, the `vis_params` variable on line 80 in `8_🏜️_Raster_Data_Visualization.py` takes user input, which is later used in the `eval()` function on line 86, leading to remote code execution. Commit c4f81d9616d40c60584e36abb15300853a66e489 fixes this issue.

Published: July 26, 2024; 5:15:13 PM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-41118

streamlit-geospatial is a streamlit multipage app for geospatial applications. Prior to commit c4f81d9616d40c60584e36abb15300853a66e489, the `url` variable on line 47 of `pages/7_📦_Web_Map_Service.py` takes user input, which is passed to `get_layers` function, in which `url` is used with `get_wms_layer` method. `get_wms_layer` method creates a request to arbitrary destinations, leading to blind server-side request forgery. Commit c4f81d9616d40c60584e36abb15300853a66e489 fixes this issue.

Published: July 26, 2024; 5:15:13 PM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-41117

streamlit-geospatial is a streamlit multipage app for geospatial applications. Prior to commit c4f81d9616d40c60584e36abb15300853a66e489, the `vis_params` variable on line 115 in `pages/10_🌍_Earth_Engine_Datasets.py` takes user input, which is later used in the `eval()` function on line 126, leading to remote code execution. Commit c4f81d9616d40c60584e36abb15300853a66e489 fixes this issue.

Published: July 26, 2024; 5:15:13 PM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-41116

streamlit-geospatial is a streamlit multipage app for geospatial applications. Prior to commit c4f81d9616d40c60584e36abb15300853a66e489, the `vis_params` variable on line 1254 in `pages/1_📷_Timelapse.py` takes user input, which is later used in the `eval()` function on line 1345, leading to remote code execution. Commit c4f81d9616d40c60584e36abb15300853a66e489 fixes this issue.

Published: July 26, 2024; 5:15:13 PM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-41115

streamlit-geospatial is a streamlit multipage app for geospatial applications. Prior to commit c4f81d9616d40c60584e36abb15300853a66e489, the `palette` variable on line 488 in `pages/1_📷_Timelapse.py` takes user input, which is later used in the `eval()` function on line 493, leading to remote code execution. Commit c4f81d9616d40c60584e36abb15300853a66e489 fixes this issue.

Published: July 26, 2024; 5:15:13 PM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-41114

streamlit-geospatial is a streamlit multipage app for geospatial applications. Prior to commit c4f81d9616d40c60584e36abb15300853a66e489, the `palette` variable on line 430 in `pages/1_📷_Timelapse.py` takes user input, which is later used in the `eval()` function on line 435, leading to remote code execution. Commit c4f81d9616d40c60584e36abb15300853a66e489 fixes this issue.

Published: July 26, 2024; 5:15:12 PM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-4786

An improper validation vulnerability was reported in the Lenovo Tab K10 that could allow a specially crafted application to keep the device on.

Published: July 26, 2024; 4:15:05 PM -0400
V4.0:(not available)
V3.1: 2.8 LOW
V2.0:(not available)
CVE-2024-41113

streamlit-geospatial is a streamlit multipage app for geospatial applications. Prior to commit c4f81d9616d40c60584e36abb15300853a66e489, the `vis_params` variable on line 383 or line 390 in `pages/1_📷_Timelapse.py` takes user input, which is later used in the `eval()` function on line 395, leading to remote code execution. Commit c4f81d9616d40c60584e36abb15300853a66e489 fixes this issue.

Published: July 26, 2024; 4:15:05 PM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-41112

streamlit-geospatial is a streamlit multipage app for geospatial applications. Prior to commit c4f81d9616d40c60584e36abb15300853a66e489, the palette variable in `pages/1_📷_Timelapse.py` takes user input, which is later used in the `eval()` function on line 380, leading to remote code execution. Commit c4f81d9616d40c60584e36abb15300853a66e489 fixes this issue.

Published: July 26, 2024; 4:15:05 PM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-40117

Incorrect access control in Solar-Log 1000 before v2.8.2 and build 52- 23.04.2013 allows attackers to obtain Administrative privileges via connecting to the web administration server.

Published: July 26, 2024; 4:15:05 PM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-40116

An issue in Solar-Log 1000 before v2.8.2 and build 52-23.04.2013 was discovered to store plaintext passwords in the export.html, email.html, and sms.html files.

Published: July 26, 2024; 4:15:04 PM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-38512

A privilege escalation vulnerability was discovered in XCC that could allow an authenticated XCC user with elevated privileges to perform command injection via specially crafted IPMI commands.

Published: July 26, 2024; 4:15:04 PM -0400
V4.0:(not available)
V3.1: 7.2 HIGH
V2.0:(not available)
CVE-2024-38511

A privilege escalation vulnerability was discovered in an upload processing functionality of XCC that could allow an authenticated XCC user with elevated privileges to perform command injection via specially crafted file uploads.

Published: July 26, 2024; 4:15:04 PM -0400
V4.0:(not available)
V3.1: 7.2 HIGH
V2.0:(not available)
CVE-2024-38510

A privilege escalation vulnerability was discovered in the SSH captive command shell interface that could allow an authenticated XCC user with elevated privileges to perform command injection via specially crafted file uploads.

Published: July 26, 2024; 4:15:04 PM -0400
V4.0:(not available)
V3.1: 7.2 HIGH
V2.0:(not available)
CVE-2024-38509

A privilege escalation vulnerability was discovered in XCC that could allow an authenticated XCC user with elevated privileges to execute arbitrary code via a specially crafted IPMI command.

Published: July 26, 2024; 4:15:03 PM -0400
V4.0:(not available)
V3.1: 7.2 HIGH
V2.0:(not available)
CVE-2024-38508

A privilege escalation vulnerability was discovered in the web interface or SSH captive command shell interface of XCC that could allow an authenticated XCC user with elevated privileges to perform command injection via a specially crafted request.

Published: July 26, 2024; 4:15:03 PM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-42007

SPX (aka php-spx) through 0.4.15 allows SPX_UI_URI Directory Traversal to read arbitrary files.

Published: July 26, 2024; 3:15:10 PM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-39304

ChurchCRM is an open-source church management system. Versions of the application prior to 5.9.2 are vulnerable to an authenticated SQL injection due to an improper sanitization of user input. Authentication is required, but no elevated privileges are necessary. This allows attackers to inject SQL statements directly into the database query due to inadequate sanitization of the EID parameter in in a GET request to `/GetText.php`. Version 5.9.2 patches the issue.

Published: July 26, 2024; 2:15:03 PM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)
CVE-2024-38872

Zohocorp ManageEngine Exchange Reporter Plus versions 5717 and below are vulnerable to the authenticated SQL injection in the monitoring module.

Published: July 26, 2024; 2:15:03 PM -0400
V4.0:(not available)
V3.x:(not available)
V2.0:(not available)