| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing integration was not properly protected and could be exposed to users with Viewer permission.
Fixed in versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+security-01, 11.5.5+security-01, 11.6.2+security-01 and 12.0.1+security-01 |
| From the VSPC management agent machine, under condition that the management agent is authorized on the server, it is possible to perform Remote Code Execution (RCE) on the VSPC server machine. |
| Improper input validation in /admin/config/save in User-friendly SVN (USVN) before v1.0.12 and below allows administrators to execute arbitrary code via the fields "siteTitle", "siteIco" and "siteLogo". |
| A vulnerability classified as critical has been found in Tenda FH451 1.0.0.9. This affects the function fromWizardHandle of the file /goform/WizardHandle of the component POST Request Handler. The manipulation of the argument PPW leads to buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. |
| A vulnerability was found in code-projects Patient Record Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /xray_form.php. The manipulation of the argument itr_no leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. |
| OpenZeppelin Contracts is a library for secure smart contract development. Starting in version 5.2.0 and prior to version 5.4.0, the `lastIndexOf(bytes,byte,uint256)` function of the `Bytes.sol` library may access uninitialized memory when the following two conditions hold: 1) the provided buffer length is empty (i.e. `buffer.length == 0`) and position is not `2**256 - 1` (i.e. `pos != type(uint256).max`). The `pos` argument could be used to access arbitrary data outside of the buffer bounds. This could lead to the operation running out of gas, or returning an invalid index (outside of the empty buffer). Processing this invalid result for accessing the `buffer` would cause a revert under normal conditions. When triggered, the function reads memory at offset `buffer + 0x20 + pos`. If memory at that location (outside the `buffer`) matches the search pattern, the function would return an out of bound index instead of the expected `type(uint256).max`. This creates unexpected behavior where callers receive a valid-looking index pointing outside buffer bounds. Subsequent memory accesses that don't check bounds and use the returned index must carefully review the potential impact depending on their setup. Code relying on this function returning `type(uint256).max` for empty buffers or using the returned index without bounds checking could exhibit undefined behavior. Users should upgrade to version 5.4.0 to receive a patch. |
| Missing Authorization vulnerability in Creative Motion Clearfy Cache allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Clearfy Cache: from n/a through 2.2.4. |
| A misconfiguration in the default settings of MikroTik RouterOS 7 and fixed in v7.14 allows incoming IPv6 UDP traceroute packets. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BAKKBONE Australia FloristPress allows Reflected XSS.This issue affects FloristPress: from n/a through 7.2.0. |
| Weak Authentication vulnerability in Guido VS Contact Form allows Authentication Abuse.This issue affects VS Contact Form: from n/a through 14.0. |
| Missing Authorization vulnerability in Wpmet WP Fundraising Donation and Crowdfunding Platform.This issue affects WP Fundraising Donation and Crowdfunding Platform: from n/a through 1.6.4. |
| Missing Authorization vulnerability in bqworks Slider Pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Slider Pro: from n/a through 4.8.6. |
| Missing Authorization vulnerability in HashThemes Total allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Total: from n/a through 2.1.19. |
| Insufficient control flow management in UEFI firmware for some Intel(R) Xeon(R) Processors may allow an authenticated user to enable denial of service via local access. |
| Unitronics Vision PLC – CWE-703: Improper Check or Handling of Exceptional Conditions may allow denial of service |
| Lakeus is a simple skin made for MediaWiki. Starting in version 1.0.8 and prior to versions 1.3.1+REL1.39, 1.3.1+REL1.42, and 1.4.0, Lakeus is vulnerable to store cross-site scripting via malicious system messages, though editing the messages requires high privileges. Those with `(editinterface)` rights can edit system messages that are improperly handled in order to send raw HTML. In the case of `lakeus-footermessage`, this will affect all users if the server is configured to link back to this repository. Otherwise, the system messages in themeDesigner.js are only used when the user enables it in their preferences. Versions 1.3.1+REL1.39, 1.3.1+REL1.42, and 1.4.0 contain a patch. |
| The Hospital Information System developed by UNIMAX has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read database contents. |
| Due to improper restriction, authenticated attackers could retrieve and read system files of the underlying server through the XML interface. The information that can be read can lead to a full system compromise. |
| A path traversal vulnerability in the file_upload-cgi CGI program of Zyxel NWA50AX PRO firmware version 7.10(ACGE.2) and earlier could allow an authenticated attacker with administrator privileges to access specific directories and delete files, such as the configuration file, on the affected device. |
| A vulnerability in SMA100 allows a remote authenticated attacker with SSLVPN user privileges to bypass the path traversal checks and delete an arbitrary file potentially resulting in a reboot to factory default settings. |
