Search Results (Refine Search)
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2024-21866 |
In Rapid Software LLC's Rapid SCADA versions prior to Version 5.8.4, the affected product responds back with an error message containing sensitive data if it receives a specific malformed request. Published: February 01, 2024; 7:15:55 PM -0500 |
V4.0:(not available) V3.1: 5.3 MEDIUM V2.0:(not available) |
CVE-2024-21794 |
In Rapid Software LLC's Rapid SCADA versions prior to Version 5.8.4, an attacker can redirect users to malicious pages through the login page. Published: February 01, 2024; 7:15:54 PM -0500 |
V4.0:(not available) V3.1: 5.4 MEDIUM V2.0:(not available) |
CVE-2024-21764 |
In Rapid Software LLC's Rapid SCADA versions prior to Version 5.8.4, the product uses hard-coded credentials, which may allow an attacker to connect to a specific port. Published: February 01, 2024; 7:15:54 PM -0500 |
V4.0:(not available) V3.1: 9.8 CRITICAL V2.0:(not available) |
CVE-2023-50939 |
IBM PowerSC 1.3, 2.0, and 2.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 275129. Published: February 01, 2024; 7:15:54 PM -0500 |
V4.0:(not available) V3.1: 7.5 HIGH V2.0:(not available) |
CVE-2024-24756 |
Crafatar serves Minecraft avatars based on the skin for use in external applications. Files outside of the `lib/public/` directory can be requested from the server. Instances running behind Cloudflare (including crafatar.com) are not affected. Instances using the Docker container as shown in the README are affected, but only files within the container can be read. By default, all of the files within the container can also be found in this repository and are not confidential. This vulnerability is patched in 2.1.5. Published: February 01, 2024; 6:15:11 PM -0500 |
V4.0:(not available) V3.1: 7.5 HIGH V2.0:(not available) |
CVE-2024-23034 |
Cross Site Scripting vulnerability in the input parameter in eyoucms v.1.6.5 allows a remote attacker to run arbitrary code via crafted URL. Published: February 01, 2024; 6:15:11 PM -0500 |
V4.0:(not available) V3.1: 6.1 MEDIUM V2.0:(not available) |
CVE-2024-23033 |
Cross Site Scripting vulnerability in the path parameter in eyoucms v.1.6.5 allows a remote attacker to run arbitrary code via crafted URL. Published: February 01, 2024; 6:15:11 PM -0500 |
V4.0:(not available) V3.1: 6.1 MEDIUM V2.0:(not available) |
CVE-2024-23032 |
Cross Site Scripting vulnerability in num parameter in eyoucms v.1.6.5 allows a remote attacker to run arbitrary code via crafted URL. Published: February 01, 2024; 6:15:11 PM -0500 |
V4.0:(not available) V3.1: 6.1 MEDIUM V2.0:(not available) |
CVE-2024-23031 |
Cross Site Scripting (XSS) vulnerability in is_water parameter in eyoucms v.1.6.5 allows a remote attacker to run arbitrary code via crafted URL. Published: February 01, 2024; 6:15:11 PM -0500 |
V4.0:(not available) V3.1: 6.1 MEDIUM V2.0:(not available) |
CVE-2024-22927 |
Cross Site Scripting (XSS) vulnerability in the func parameter in eyoucms v.1.6.5 allows a remote attacker to run arbitrary code via crafted URL. Published: February 01, 2024; 6:15:10 PM -0500 |
V4.0:(not available) V3.1: 6.1 MEDIUM V2.0:(not available) |
CVE-2024-21852 |
In Rapid Software LLC's Rapid SCADA versions prior to Version 5.8.4, an attacker can supply a malicious configuration file by utilizing a Zip Slip vulnerability in the unpacking routine to achieve remote code execution. Published: February 01, 2024; 6:15:10 PM -0500 |
V4.0:(not available) V3.1: 8.8 HIGH V2.0:(not available) |
CVE-2023-6221 |
The cloud provider MachineSense uses for integration and deployment for multiple MachineSense devices, such as the programmable logic controller (PLC), PumpSense, PowerAnalyzer, FeverWarn, and others is insufficiently protected against unauthorized access. An attacker with access to the internal procedures could view source code, secret credentials, and more. Published: February 01, 2024; 6:15:10 PM -0500 |
V4.0:(not available) V3.1: 6.5 MEDIUM V2.0:(not available) |
CVE-2023-49617 |
The MachineSense application programmable interface (API) is improperly protected and can be accessed without authentication. A remote attacker could retrieve and modify sensitive information without any authentication. Published: February 01, 2024; 6:15:10 PM -0500 |
V4.0:(not available) V3.1: 9.1 CRITICAL V2.0:(not available) |
CVE-2023-49610 |
MachineSense FeverWarn Raspberry Pi-based devices lack input sanitization, which could allow an attacker on an adjacent network to send a message running commands or could overflow the stack. Published: February 01, 2024; 6:15:10 PM -0500 |
V4.0:(not available) V3.1: 8.1 HIGH V2.0:(not available) |
CVE-2023-49115 |
MachineSense devices use unauthenticated MQTT messaging to monitor devices and remote viewing of sensor data by users. Published: February 01, 2024; 6:15:09 PM -0500 |
V4.0:(not available) V3.1: 7.5 HIGH V2.0:(not available) |
CVE-2023-47867 |
MachineSense FeverWarn devices are configured as Wi-Fi hosts in a way that attackers within range could connect to the device's web services and compromise the device. Published: February 01, 2024; 6:15:09 PM -0500 |
V4.0:(not available) V3.1: 8.8 HIGH V2.0:(not available) |
CVE-2023-46706 |
Multiple MachineSense devices have credentials unable to be changed by the user or administrator. Published: February 01, 2024; 6:15:09 PM -0500 |
V4.0:(not available) V3.1: 9.8 CRITICAL V2.0:(not available) |
CVE-2023-36496 |
Delegated Admin Privilege virtual attribute provider plugin, when enabled, allows an authenticated user to elevate their permissions in the Directory Server. Published: February 01, 2024; 6:15:09 PM -0500 |
V4.0:(not available) V3.1: 8.8 HIGH V2.0:(not available) |
CVE-2024-24755 |
discourse-group-membership-ip-block is a discourse plugin that adds support for adding users to groups based on their IP address. discourse-group-membership-ip-block was sending all group custom fields to the client, including group custom fields from other plugins which may expect their custom fields to remain secret. Published: February 01, 2024; 5:15:55 PM -0500 |
V4.0:(not available) V3.1: 5.3 MEDIUM V2.0:(not available) |
CVE-2024-1040 |
Gessler GmbH WEB-MASTER user account is stored using a weak hashing algorithm. The attacker can restore the passwords by breaking the hashes stored on the device. Published: February 01, 2024; 5:15:55 PM -0500 |
V4.0:(not available) V3.1: 4.4 MEDIUM V2.0:(not available) |