| CVE | Vendors | Products | Updated | CVSS v3.1 |
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. The CVE was never used. |
| Authentication bypass in the password recovery feature of the local web interface across multiple VIGI camera models allows an attacker on the LAN to reset the admin password without verification by manipulating client-side state. Attackers can gain full administrative access to the device, compromising configuration and network security. |
| Denial-of-service vulnerability in M-Files Server versions before 26.1.15632.3 allows an authenticated attacker with vault administrator privileges to crash the M-Files Server process by calling a vulnerable API endpoint. |
| The installer of ServerView Agents for Windows provided by Fsas Technologies Inc. may insecurely load Dynamic Link Libraries. Arbitrary code may be executed with the administrator privilege when the installer is executed. |
| Multiple vulnerabilities in the web-based management interface of Cisco Packaged Contact Center Enterprise (Packaged CCE) and Cisco Unified Contact Center Enterprise (Unified CCE) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device.
These vulnerabilities exist because the web-based management interface does not properly validate user-supplied input. An attacker could exploit these vulnerabilities by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit these vulnerabilities, the attacker must have valid administrative credentials. |
| The WorklogPRO - Timesheets for Jira plugin in Jira Data Center before version 4.23.6-jira10 and before version 4.23.5-jira9 allows users and attackers to inject arbitrary HTML or JavaScript via a Cross-Site Scripting (XSS) vulnerability. The vulnerability is exploited via a specially crafted payload placed in an issue's summary field. |
| The "create core" API of Apache Solr 8.6 through 9.10.0 lacks sufficient input validation on some API parameters, which can cause Solr to check the existence of and attempt to read file-system paths that should be disallowed by Solr's "allowPaths" security setting (https://solr.apache.org/guide/solr/latest/configuration-guide/configuring-solr-xml.html#the-solr-element). These read-only accesses can allow users to create cores using unexpected configsets if any are accessible via the filesystem. On Windows systems configured to allow UNC paths this can additionally cause disclosure of NTLM "user" hashes.
Solr deployments are subject to this vulnerability if they meet the following criteria:
* Solr is running in its "standalone" mode.
* Solr's "allowPaths" setting is being used to restrict file access to certain directories.
* Solr's "create core" API is exposed and accessible to untrusted users. This can happen if Solr's RuleBasedAuthorizationPlugin https://solr.apache.org/guide/solr/latest/deployment-guide/rule-based-authorization-plugin.html is disabled, or if it is enabled but the "core-admin-edit" predefined permission (or an equivalent custom permission) is given to low-trust (i.e. non-admin) user roles.
Users can mitigate this by enabling Solr's RuleBasedAuthorizationPlugin (if disabled) and configuring a permission-list that prevents untrusted users from creating new Solr cores. Users should also upgrade to Apache Solr 9.10.1 or greater, which contains fixes for this issue. |