The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
ID | Description | Priority | Modified date |
---|---|---|---|
CVE-2024-31804 | An unquoted service path vulnerability in Terratec DMX_6Fire USB v.1.23.0.02 allows a local attacker to escalate privileges via the Program.exe component. | -- | Apr 23, 2024 |
CVE-2024-31805 | TOTOLINK EX200 V4.0.3c.7646_B20201211 allows attackers to start the Telnet service without authorization via the telnet_enabled parameter in the setTelnetCfg function. | -- | Apr 8, 2024 |
CVE-2024-31806 | TOTOLINK EX200 V4.0.3c.7646_B20201211 was discovered to contain a Denial-of-Service (DoS) vulnerability in the RebootSystem function which can reboot the system without authorization. | -- | Apr 8, 2024 |
CVE-2024-31807 | TOTOLINK EX200 V4.0.3c.7646_B20201211 was discovered to contain a remote code execution (RCE) vulnerability via the hostTime parameter in the NTPSyncWithHost function. | -- | Apr 8, 2024 |
CVE-2024-31808 | TOTOLINK EX200 V4.0.3c.7646_B20201211 was discovered to contain a remote code execution (RCE) vulnerability via the webWlanIdx parameter in the setWebWlanIdx function. | -- | Apr 8, 2024 |
CVE-2024-31809 | TOTOLINK EX200 V4.0.3c.7646_B20201211 was discovered to contain a remote code execution (RCE) vulnerability via the FileName parameter in the setUpgradeFW function. | -- | Apr 8, 2024 |
CVE-2024-31810 | TOTOLINK EX200 V4.0.3c.7646_B20201211 was discovered to contain a hardcoded password for root at /etc/shadow.sample. | -- | May 14, 2024 |
CVE-2024-31811 | TOTOLINK EX200 V4.0.3c.7646_B20201211 was discovered to contain a remote code execution (RCE) vulnerability via the langType parameter in the setLanguageCfg function. | -- | Apr 8, 2024 |
CVE-2024-31812 | In TOTOLINK EX200 V4.0.3c.7646_B20201211, an attacker can obtain sensitive information without authorization through the function getWiFiExtenderConfig. | -- | Apr 8, 2024 |
CVE-2024-31813 | TOTOLINK EX200 V4.0.3c.7646_B20201211 does not contain an authentication mechanism by default. | -- | Apr 8, 2024 |
CVE-2024-31814 | TOTOLINK EX200 V4.0.3c.7646_B20201211 allows attackers to bypass login through the Form_Login function. | -- | Apr 8, 2024 |
CVE-2024-31815 | In TOTOLINK EX200 V4.0.3c.7314_B20191204, an attacker can obtain the configuration file without authorization through /cgi-bin/ExportSettings.sh | -- | Apr 8, 2024 |
CVE-2024-31816 | In TOTOLINK EX200 V4.0.3c.7646_B20201211, an attacker can obtain sensitive information without authorization through the function getEasyWizardCfg. | -- | Apr 8, 2024 |
CVE-2024-31817 | In TOTOLINK EX200 V4.0.3c.7646_B20201211, an attacker can obtain sensitive information without authorization through the function getSysStatusCfg. | -- | Apr 8, 2024 |
CVE-2024-31818 | Directory Traversal vulnerability in DerbyNet v.9.0 allows a remote attacker to execute arbitrary code via the page parameter of the kiosk.php component. | -- | Apr 15, 2024 |
CVE-2024-31819 | An issue in WWBN AVideo v.12.4 through v.14.2 allows a remote attacker to execute arbitrary code via the systemRootPath parameter of the submitIndex.php component. | -- | Apr 11, 2024 |
CVE-2024-31820 | An issue in Ecommerce-CodeIgniter-Bootstrap commit v. d22b54e8915f167a135046ceb857caaf8479c4da allows a remote attacker to execute arbitrary code via the getLangFolderForEdit method of the Languages.php component. | -- | Apr 29, 2024 |
CVE-2024-31821 | SQL Injection vulnerability in Ecommerce-CodeIgniter-Bootstrap commit v. d22b54e8915f167a135046ceb857caaf8479c4da allows a remote attacker to execute arbitrary code via the manageQuantitiesAndProcurement method of the Orders_model.php component. | -- | Apr 29, 2024 |
CVE-2024-31822 | An issue in Ecommerce-CodeIgniter-Bootstrap commit v. d22b54e8915f167a135046ceb857caaf8479c4da allows a remote attacker to execute arbitrary code via the saveLanguageFiles method of the Languages.php component. | -- | Apr 29, 2024 |
CVE-2024-31823 | An issue in Ecommerce-CodeIgniter-Bootstrap commit v. d22b54e8915f167a135046ceb857caaf8479c4da allows a remote attacker to execute arbitrary code via the removeSecondaryImage method of the Publish.php component. | -- | Apr 29, 2024 |
CVE-2024-31828 | Cross Site Scripting vulnerability in Lavalite CMS v.10.1.0 allows attackers to execute arbitrary code and obtain sensitive information via a crafted payload to the URL. | -- | Apr 29, 2024 |
CVE-2024-31837 | DMitry (Deepmagic Information Gathering Tool) 1.3a has a format-string vulnerability, with a threat model similar to CVE-2017-7938. | -- | Apr 30, 2024 |
CVE-2024-31839 | Cross Site Scripting vulnerability in tiagorlampert CHAOS v.5.0.1 allows a remote attacker to escalate privileges via the sendCommandHandler function in the handler.go component. | -- | Apr 15, 2024 |
CVE-2024-31840 | An issue was discovered in Italtel Embrace 1.6.4. The web application inserts cleartext passwords in the HTML source code. An authenticated user is able to edit the configuration of the email server. Once the user access the edit function, the web application fills the edit form with the current credentials for the email account, including the cleartext password. | -- | May 21, 2024 |
CVE-2024-31841 | An issue was discovered in Italtel Embrace 1.6.4. The web server fails to sanitize input data, allowing remote unauthenticated attackers to read arbitrary files on the filesystem. | -- | Apr 19, 2024 |
CVE-2024-31843 | An issue was discovered in Italtel Embrace 1.6.4. The Web application does not properly check the parameters sent as input before they are processed on the server side. This allows authenticated users to execute commands on the Operating System. | -- | May 24, 2024 |
CVE-2024-31844 | An issue was discovered in Italtel Embrace 1.6.4. The server does not properly handle application errors. In some cases, this leads to a disclosure of information about the server. An unauthenticated user is able craft specific requests in order to make the application generate an error. Inside an error message, some information about the server is revealed, such as the absolute path of the source code of the application. This kind of information can help an attacker to perform other attacks against the system. This can be exploited without authentication. | -- | May 21, 2024 |
CVE-2024-31845 | An issue was discovered in Italtel Embrace 1.6.4. The product does not neutralize or incorrectly neutralizes output that is written to logs. The web application writes logs using a GET query string parameter. This parameter can be modified by an attacker, so that every action he performs is attributed to a different user. This can be exploited without authentication. | -- | May 21, 2024 |
CVE-2024-31846 | An issue was discovered in Italtel Embrace 1.6.4. The web application does not restrict or incorrectly restricts access to a resource from an unauthorized actor. | -- | Apr 19, 2024 |
CVE-2024-31847 | An issue was discovered in Italtel Embrace 1.6.4. A stored cross-site scripting (XSS) vulnerability allows authenticated and unauthenticated remote attackers to inject arbitrary web script or HTML into a GET parameter. This reflects/stores the user input without sanitization. | -- | May 21, 2024 |
CVE-2024-31848 | A path traversal vulnerability exists in the Java version of CData API Server < 23.4.8844 when running using the embedded Jetty server, which could allow an unauthenticated remote attacker to gain complete administrative access to the application. | -- | Apr 8, 2024 |
CVE-2024-31849 | A path traversal vulnerability exists in the Java version of CData Connect < 23.4.8846 when running using the embedded Jetty server, which could allow an unauthenticated remote attacker to gain complete administrative access to the application. | -- | Apr 8, 2024 |
CVE-2024-31850 | A path traversal vulnerability exists in the Java version of CData Arc < 23.4.8839 when running using the embedded Jetty server, which could allow an unauthenticated remote attacker to gain access to sensitive information and perform limited actions. | -- | Apr 8, 2024 |
CVE-2024-31851 | A path traversal vulnerability exists in the Java version of CData Sync < 23.4.8843 when running using the embedded Jetty server, which could allow an unauthenticated remote attacker to gain access to sensitive information and perform limited actions. | -- | Apr 8, 2024 |
CVE-2024-31852 | LLVM before 18.1.3 generates code in which the LR register can be overwritten without data being saved to the stack, and thus there can sometimes be an exploitable error in the flow of control. This affects the ARM backend and can be demonstrated with Clang. NOTE: the vendor perspective is we don\'t have strong objections for a CVE to be created ... It does seem that the likelihood of this miscompile enabling an exploit remains very low, because the miscompile resulting in this JOP gadget is such that the function is most likely to crash on most valid inputs to the function. So, if this function is covered by any testing, the miscompile is most likely to be discovered before the binary is shipped to production. | LOW | Apr 8, 2024 |
CVE-2024-31856 | An attacker with certain MQTT permissions can create malicious messages to all CyberPower PowerPanel devices. This could result in an attacker injecting SQL syntax, writing arbitrary files to the system, and executing remote code. | -- | May 16, 2024 |
CVE-2024-31857 | Forminator prior to 1.15.4 contains a cross-site scripting vulnerability. If this vulnerability is exploited, a remote attacker may obtain user information etc. and alter the page contents on the user\'s web browser. | -- | Apr 23, 2024 |
CVE-2024-31859 | Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to perform proper authorization checks which allows a member running a playbook in an existing channel to be promoted to a channel admin | -- | May 28, 2024 |
CVE-2024-31860 | Improper Input Validation vulnerability in Apache Zeppelin. By adding relative path indicators(E.g ..), attackers can see the contents for any files in the filesystem that the server account can access. This issue affects Apache Zeppelin: from 0.9.0 before 0.11.0. Users are recommended to upgrade to version 0.11.0, which fixes the issue. | -- | Apr 9, 2024 |
CVE-2024-31861 | Improper Control of Generation of Code (\'Code Injection\') vulnerability in Apache Zeppelin. The attackers can use Shell interpreter as a code generation gateway, and execute the generated code as a normal way. This issue affects Apache Zeppelin: from 0.10.1 before 0.11.1. Users are recommended to upgrade to version 0.11.1, which doesn\'t have Shell interpreter by default. | -- | Apr 11, 2024 |
CVE-2024-31862 | Improper Input Validation vulnerability in Apache Zeppelin when creating a new note from Zeppelin\'s UI.This issue affects Apache Zeppelin: from 0.10.1 before 0.11.0. Users are recommended to upgrade to version 0.11.0, which fixes the issue. | -- | Apr 9, 2024 |
CVE-2024-31863 | Authentication Bypass by Spoofing vulnerability by replacing to exsiting notes in Apache Zeppelin.This issue affects Apache Zeppelin: from 0.10.1 before 0.11.0. Users are recommended to upgrade to version 0.11.0, which fixes the issue. | -- | Apr 9, 2024 |
CVE-2024-31864 | Improper Control of Generation of Code (\'Code Injection\') vulnerability in Apache Zeppelin. The attacker can inject sensitive configuration or malicious code when connecting MySQL database via JDBC driver. This issue affects Apache Zeppelin: before 0.11.1. Users are recommended to upgrade to version 0.11.1, which fixes the issue. | -- | Apr 9, 2024 |
CVE-2024-31865 | Improper Input Validation vulnerability in Apache Zeppelin. The attackers can call updating cron API with invalid or improper privileges so that the notebook can run with the privileges. This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1. Users are recommended to upgrade to version 0.11.1, which fixes the issue. | -- | Apr 9, 2024 |
CVE-2024-31866 | Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin. The attackers can execute shell scripts or malicious code by overriding configuration like ZEPPELIN_INTP_CLASSPATH_OVERRIDES. This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1. Users are recommended to upgrade to version 0.11.1, which fixes the issue. | -- | Apr 9, 2024 |
CVE-2024-31867 | Improper Input Validation vulnerability in Apache Zeppelin. The attackers can execute malicious queries by setting improper configuration properties to LDAP search filter. This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1. Users are recommended to upgrade to version 0.11.1, which fixes the issue. | -- | Apr 9, 2024 |
CVE-2024-31868 | Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin. The attackers can modify helium.json and exposure XSS attacks to normal users. This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1. Users are recommended to upgrade to version 0.11.1, which fixes the issue. | -- | Apr 9, 2024 |
CVE-2024-31869 | Airflow versions 2.7.0 through 2.8.4 have a vulnerability that allows an authenticated user to see sensitive provider configuration via the configuration UI page when non-sensitive-only was set as webserver.expose_config configuration (The celery provider is the only community provider currently that has sensitive configurations). You should migrate to Airflow 2.9 or change your expose_config configuration to False as a workaround. This is similar, but different to CVE-2023-46288 https://github.com/advisories/GHSA-9qqg-mh7c-chfq which concerned API, not UI configuration page. | -- | Apr 18, 2024 |
CVE-2024-31871 | IBM Security Verify Access Appliance 10.0.0 through 10.0.7 could allow a malicious actor to conduct a man in the middle attack when deploying Python scripts due to improper certificate validation. IBM X-Force ID: 287306. | -- | Apr 10, 2024 |
CVE-2024-31872 | IBM Security Verify Access Appliance 10.0.0 through 10.0.7 could allow a malicious actor to conduct a man in the middle attack when deploying Open Source scripts due to missing certificate validation. IBM X-Force ID: 287316. | -- | Apr 10, 2024 |