Show filters
303,612 Total Results
Displaying 11-20 of 10,000
Refine your search criteria for more targeted results.
Sort by:
Attacker Value
Unknown

CVE-2024-22262

Disclosure Date: April 16, 2024 (last updated April 16, 2024)
Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html  attack or to a SSRF attack if the URL is used after passing validation checks. This is the same as CVE-2024-22259 https://spring.io/security/cve-2024-22259  and CVE-2024-22243 https://spring.io/security/cve-2024-22243 , but with different input.
0
Attacker Value
Unknown

CVE-2024-31784

Disclosure Date: April 16, 2024 (last updated April 16, 2024)
An issue in Typora v.1.8.10 and before, allows a local attacker to obtain sensitive information and execute arbitrary code via a crafted payload to the src component.
0
Attacker Value
Unknown

CVE-2024-31783

Disclosure Date: April 16, 2024 (last updated April 16, 2024)
Cross Site Scripting (XSS) vulnerability in Typora v.1.6.7 and before, allows a local attacker to obtain sensitive information via a crafted script during markdown file creation.
0
Attacker Value
Unknown

CVE-2024-31634

Disclosure Date: April 16, 2024 (last updated April 16, 2024)
Cross Site Scripting (XSS) vulnerability in Xunruicms versions 4.6.3 and before, allows remote attacker to execute arbitrary code via the Security.php file in the catalog \XunRuiCMS\dayrui\Fcms\Library.
0
Attacker Value
Unknown

CVE-2024-3575

Disclosure Date: April 16, 2024 (last updated April 16, 2024)
Cross-site Scripting (XSS) - Stored in mindsdb/mindsdb
0
Attacker Value
Unknown

CVE-2024-3574

Disclosure Date: April 16, 2024 (last updated April 16, 2024)
In scrapy version 2.10.1, an issue was identified where the Authorization header, containing credentials for server authentication, is leaked to a third-party site during a cross-domain redirect. This vulnerability arises from the failure to remove the Authorization header when redirecting across domains. The exposure of the Authorization header to unauthorized actors could potentially allow for account hijacking.
0
Attacker Value
Unknown

CVE-2024-3573

Disclosure Date: April 16, 2024 (last updated April 16, 2024)
mlflow/mlflow is vulnerable to Local File Inclusion (LFI) due to improper parsing of URIs, allowing attackers to bypass checks and read arbitrary files on the system. The issue arises from the 'is_local_uri' function's failure to properly handle URIs with empty or 'file' schemes, leading to the misclassification of URIs as non-local. Attackers can exploit this by crafting malicious model versions with specially crafted 'source' parameters, enabling the reading of sensitive files within at least two directory levels from the server's root.
0
Attacker Value
Unknown

CVE-2024-3572

Disclosure Date: April 16, 2024 (last updated April 16, 2024)
The scrapy/scrapy project is vulnerable to XML External Entity (XXE) attacks due to the use of lxml.etree.fromstring for parsing untrusted XML data without proper validation. This vulnerability allows attackers to perform denial of service attacks, access local files, generate network connections, or circumvent firewalls by submitting specially crafted XML data.
0
Attacker Value
Unknown

CVE-2024-3571

Disclosure Date: April 16, 2024 (last updated April 16, 2024)
langchain-ai/langchain is vulnerable to path traversal due to improper limitation of a pathname to a restricted directory ('Path Traversal') in its LocalFileStore functionality. An attacker can leverage this vulnerability to read or write files anywhere on the filesystem, potentially leading to information disclosure or remote code execution. The issue lies in the handling of file paths in the mset and mget methods, where user-supplied input is not adequately sanitized, allowing directory traversal sequences to reach unintended directories.
0
Attacker Value
Unknown

CVE-2024-3271

Disclosure Date: April 16, 2024 (last updated April 16, 2024)
A command injection vulnerability exists in the run-llama/llama_index repository, specifically within the safe_eval function. Attackers can bypass the intended security mechanism, which checks for the presence of underscores in code generated by LLM, to execute arbitrary code. This is achieved by crafting input that does not contain an underscore but still results in the execution of OS commands. The vulnerability allows for remote code execution (RCE) on the server hosting the application.
0