VYPR

CVEs

100,082 total · page 676 of 2,002

  • CVE-2024-2178HigJun 2, 2024
    risk 0.49cvss 7.5epss 0.01

    A path traversal vulnerability exists in the parisneo/lollms-webui, specifically within the 'copy_to_custom_personas' endpoint in the 'lollms_personalities_infos.py' file. This vulnerability allows attackers to read arbitrary files by manipulating the 'category' and 'name'…

  • CVE-2024-4148HigJun 1, 2024
    risk 0.49cvss 7.5epss 0.01

    A Regular Expression Denial of Service (ReDoS) vulnerability exists in the lunary-ai/lunary application, version 1.2.10. An attacker can exploit this vulnerability by maliciously manipulating regular expressions, which can significantly impact the response time of the…

  • CVE-2024-5348HigJun 1, 2024
    risk 0.50cvss 8.8epss 0.01

    The Elements For Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.1 via the 'beforeafter_layout' attribute of the beforeafter widget, the 'eventsgrid_layout' attribute of the eventsgrid and list widgets, the…

  • CVE-2024-3821HigJun 1, 2024
    risk 0.47cvss 7.3epss 0.00

    The wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions in the wdt_ajax_actions.php file in all versions up to, and including, 6.3.2. This…

  • CVE-2024-4958HigJun 1, 2024
    risk 0.39cvss 7.1epss 0.00

    The User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'import_form_action' function in versions up to, and including,…

  • CVE-2024-3564HigJun 1, 2024
    risk 0.57cvss 8.8epss 0.01

    The Content Blocks (Custom Post Widget) plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.3.0 via the plugin's 'content_block' shortcode. This makes it possible for authenticated attackers, with contributor-level access and above,…

  • CVE-2024-5138HigMay 31, 2024
    risk 0.46cvss 8.1epss 0.01

    The snapctl component within snapd allows a confined snap to interact with the snapd daemon to take certain privileged actions on behalf of the snap. It was found that snapctl did not properly parse command-line arguments, allowing an unprivileged user to trigger an authorised…

  • CVE-2024-34009HigMay 31, 2024
    risk 0.00cvss 7.5epss 0.00

    Insufficient checks whether ReCAPTCHA was enabled made it possible to bypass the checks on the login page. This did not affect other pages where ReCAPTCHA is utilized.

  • CVE-2024-34008HigMay 31, 2024
    risk 0.50cvss 8.8epss 0.00

    Actions in the admin management of analytics models did not include the necessary token to prevent a CSRF risk.

  • CVE-2024-34007HigMay 31, 2024
    risk 0.00cvss 8.8epss 0.00

    The logout option within MFA did not include the necessary token to avoid the risk of users inadvertently being logged out via CSRF.

  • CVE-2024-36844HigMay 31, 2024
    risk 0.49cvss 7.5epss 0.01

    libmodbus v3.1.6 was discovered to contain a use-after-free via the ctx->backend pointer. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted message sent to the unit-test-server.

  • CVE-2024-36843HigMay 31, 2024
    risk 0.49cvss 7.5epss 0.01

    libmodbus v3.1.6 was discovered to contain a heap overflow via the modbus_mapping_free() function.

  • CVE-2024-34001HigMay 31, 2024
    risk 0.48cvss 8.4epss 0.00

    Actions in the admin preset tool did not include the necessary token to prevent a CSRF risk.

  • CVE-2024-5564HigMay 31, 2024
    risk 0.53cvss 8.1epss 0.01

    A vulnerability was found in libndp. This flaw allows a local malicious user to cause a buffer overflow in NetworkManager, triggered by sending a malformed IPv6 router advertisement packet. This issue occurred as libndp was not correctly validating the route length information.

  • CVE-2024-23316HigMay 31, 2024
    risk 0.57cvss epss 0.01

    HTTP request desynchronization in Ping Identity PingAccess, all versions prior to 8.0.1 affected allows an attacker to send specially crafted http header requests to create a request smuggling condition for proxied requests.

  • CVE-2024-29848HigMay 31, 2024
    risk 0.52cvss 7.2epss 0.64

    An unrestricted file upload vulnerability in web component of Ivanti Avalanche before 6.4.x allows an authenticated, privileged user to execute arbitrary commands as SYSTEM.

  • CVE-2024-29846HigMay 31, 2024
    risk 0.53cvss 8.0epss 0.08

    An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an authenticated attacker within the same network to execute arbitrary code.

  • CVE-2024-29830HigMay 31, 2024
    risk 0.53cvss 8.0epss 0.08

    An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an authenticated attacker within the same network to execute arbitrary code.

  • CVE-2024-29829HigMay 31, 2024
    risk 0.53cvss 8.0epss 0.08

    An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an authenticated attacker within the same network to execute arbitrary code.

  • CVE-2024-29828HigMay 31, 2024
    risk 0.53cvss 8.0epss 0.08

    An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an authenticated attacker within the same network to execute arbitrary code.

  • CVE-2024-29827HigMay 31, 2024
    risk 0.63cvss 8.8epss 0.72

    An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.

  • CVE-2024-29826HigMay 31, 2024
    risk 0.65cvss 8.8epss 1.00

    An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.

  • CVE-2024-29825HigMay 31, 2024
    risk 0.65cvss 8.8epss 1.00

    An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.

  • CVE-2024-29824HigKEVMay 31, 2024
    risk 0.80cvss 8.8epss 1.00

    An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.

  • CVE-2024-29823HigMay 31, 2024
    risk 0.65cvss 8.8epss 1.00

    An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.

  • CVE-2024-29822HigMay 31, 2024
    risk 0.62cvss 8.8epss 0.64

    An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code.

  • CVE-2024-22059HigMay 31, 2024
    risk 0.57cvss 8.8epss 0.01

    A SQL injection vulnerability in web component of Ivanti Neurons for ITSM allows a remote authenticated user to read/modify/delete information in the underlying database. This may also lead to DoS.

  • CVE-2024-22058HigMay 31, 2024
    risk 0.51cvss 7.8epss 0.00

    A buffer overflow allows a low privilege user on the local machine that has the EPM Agent installed to execute arbitrary code with elevated permissions in Ivanti EPM 2021.1 and older.

  • CVE-2023-46810HigMay 31, 2024
    risk 0.47cvss 7.3epss 0.00

    A local privilege escalation vulnerability in Ivanti Secure Access Client for Linux before 22.7R1, allows a low privileged user to execute code as root.

  • CVE-2023-38551HigMay 31, 2024
    risk 0.53cvss 8.2epss 0.01

    A CRLF Injection vulnerability in Ivanti Connect Secure (9.x, 22.x) allows an authenticated high-privileged user to inject malicious code on a victim’s browser, thereby leading to cross-site scripting attack.

  • CVE-2023-38042HigMay 31, 2024
    risk 0.51cvss 7.8epss 0.00

    A local privilege escalation vulnerability in Ivanti Secure Access Client for Windows allows a low privileged user to execute code as SYSTEM.

  • CVE-2024-36120HigMay 31, 2024
    risk 0.46cvss 8.1epss 0.00

    javascript-deobfuscator removes common JavaScript obfuscation techniques. In affected versions crafted payloads targeting expression simplification can lead to code execution. This issue has been patched in version 1.1.0. Users are advised to update. Users unable to upgrade…

  • CVE-2024-35142HigMay 31, 2024
    risk 0.55cvss 8.4epss 0.00

    IBM Security Verify Access Docker 10.0.0 through 10.0.6 could allow a local user to escalate their privileges due to execution of unnecessary privileges. IBM X-Force ID: 292418.

  • CVE-2024-35140HigMay 31, 2024
    risk 0.50cvss 7.7epss 0.00

    IBM Security Verify Access Docker 10.0.0 through 10.0.6 could allow a local user to escalate their privileges due to improper certificate validation. IBM X-Force ID: 292416.

  • CVE-2024-28736HigMay 31, 2024
    risk 0.46cvss 7.1epss 0.03

    An issue in Debezium Community debezium-ui v.2.5 allows a local attacker to execute arbitrary code via the refresh page function.

  • CVE-2024-5565HigMay 31, 2024
    risk 0.54cvss 8.1epss 0.15

    The Vanna library uses a prompt function to present the user with visualized results, it is possible to alter the prompt using prompt injection and run arbitrary Python code instead of the intended visualization code. Specifically - allowing external input to the library’s…

  • CVE-2024-5525HigMay 31, 2024
    risk 0.54cvss 8.3epss 0.00

    Improper privilege management vulnerability in Astrotalks affecting version 10/03/2023. This vulnerability allows a local user to access the application as an administrator without any provided credentials, allowing the attacker to perform administrative actions.

  • CVE-2024-5523HigMay 31, 2024
    risk 0.57cvss 8.8epss 0.00

    SQL injection vulnerability in Astrotalks affecting version 10/03/2023. This vulnerability could allow an authenticated local user to send a specially crafted SQL query to the 'searchString' parameter and retrieve all information stored in the database.

  • CVE-2024-4469HigMay 31, 2024
    risk 0.49cvss 7.5epss 0.01

    The WP STAGING WordPress Backup Plugin WordPress plugin before 3.5.0 does not prevent users with the administrator role from pinging conducting SSRF attacks, which may be a problem in multisite configurations.

  • CVE-2024-2793HigMay 31, 2024
    risk 0.40cvss 7.2epss 0.00

    The Visual Website Collaboration, Feedback & Project Management – Atarim plugin for WordPress is vulnerable to Stored Cross-Site Scripting via comments in all versions up to, and including, 3.30 due to insufficient input sanitization and output escaping. This makes it possible…

  • CVE-2024-37032HigMay 31, 2024
    risk 0.03cvss 8.8epss 0.90

    Ollama before 0.1.34 does not validate the format of the digest (sha256 with 64 hex digits) when getting the model path, and thus mishandles the TestGetBlobsPath test cases such as fewer than 64 hex digits, more than 64 hex digits, or an initial ../ substring.

  • CVE-2024-5345HigMay 31, 2024
    risk 0.57cvss 8.8epss 0.01

    The Responsive Owl Carousel for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.2.0 via the layout parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and…

  • CVE-2024-37017HigMay 31, 2024
    risk 0.53cvss 8.1epss 0.01

    asdcplib (aka AS-DCP Lib) 2.13.1 has a heap-based buffer over-read in ASDCP::TimedText::MXFReader::h__Reader::MD_to_TimedText_TDesc in AS_DCP_TimedText.cpp in libasdcp.so.

  • CVE-2024-5499HigMay 30, 2024
    risk 0.57cvss 8.8epss 0.01

    Out of bounds write in Streams API in Google Chrome prior to 125.0.6422.141 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

  • CVE-2024-5498HigMay 30, 2024
    risk 0.57cvss 8.8epss 0.01

    Use after free in Presentation API in Google Chrome prior to 125.0.6422.141 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

  • CVE-2024-5497HigMay 30, 2024
    risk 0.57cvss 8.8epss 0.01

    Out of bounds memory access in Browser UI in Google Chrome prior to 125.0.6422.141 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

  • CVE-2024-5496HigMay 30, 2024
    risk 0.57cvss 8.8epss 0.01

    Use after free in Media Session in Google Chrome prior to 125.0.6422.141 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

  • CVE-2024-5495HigMay 30, 2024
    risk 0.57cvss 8.8epss 0.01

    Use after free in Dawn in Google Chrome prior to 125.0.6422.141 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

  • CVE-2024-5494HigMay 30, 2024
    risk 0.57cvss 8.8epss 0.01

    Use after free in Dawn in Google Chrome prior to 125.0.6422.141 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

  • CVE-2024-5493HigMay 30, 2024
    risk 0.57cvss 8.8epss 0.01

    Heap buffer overflow in WebRTC in Google Chrome prior to 125.0.6422.141 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)