Show filters
129 topics marked with the following tags:
Displaying 11-20 of 129
Sort by:
Attacker Value
High
CVE-2022-24780
Disclosure Date: April 05, 2022 (last updated October 07, 2023)
Combodo iTop is a web based IT Service Management tool. In versions prior to 2.7.6 and 3.0.0, users of the iTop user portal can send TWIG code to the server by forging specific http queries, and execute arbitrary code on the server using http server user privileges. This issue is fixed in versions 2.7.6 and 3.0.0. There are currently no known workarounds.
1
Attacker Value
Low
CVE-2022-1471
Disclosure Date: December 01, 2022 (last updated October 08, 2023)
SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.
3
Attacker Value
Low
CVE-2023-25194
Disclosure Date: February 07, 2023 (last updated October 08, 2023)
A possible security vulnerability has been identified in Apache Kafka Connect API.
This requires access to a Kafka Connect worker, and the ability to create/modify connectors on it with an arbitrary Kafka client SASL JAAS config
and a SASL-based security protocol, which has been possible on Kafka Connect clusters since Apache Kafka Connect 2.3.0.
When configuring the connector via the Kafka Connect REST API, an authenticated operator can set the `sasl.jaas.config`
property for any of the connector's Kafka clients to "com.sun.security.auth.module.JndiLoginModule", which can be done via the
`producer.override.sasl.jaas.config`, `consumer.override.sasl.jaas.config`, or `admin.override.sasl.jaas.config` properties.
This will allow the server to connect to the attacker's LDAP server
and deserialize the LDAP response, which the attacker can use to execute java deserialization gadget chains on the Kafka connect server.
Attacker can cause unrestricted deserialization of untrusted data (or) RC…
2
Attacker Value
Moderate
CVE-2024-6235
Disclosure Date: July 10, 2024 (last updated July 11, 2024)
Sensitive information disclosure in NetScaler Console
1
Attacker Value
Very Low
CVE-2019-9169
Disclosure Date: February 26, 2019 (last updated November 08, 2023)
In the GNU C Library (aka glibc or libc6) through 2.29, proceed_next_node in posix/regexec.c has a heap-based buffer over-read via an attempted case-insensitive regular-expression match.
0
Attacker Value
Very High
CVE-2022-41622
Disclosure Date: December 07, 2022 (last updated November 08, 2023)
In all versions,
BIG-IP and BIG-IQ are vulnerable to cross-site request forgery (CSRF) attacks through iControl SOAP.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
3
Attacker Value
Low
CVE-2020-0791
Disclosure Date: March 12, 2020 (last updated November 27, 2024)
An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory, aka 'Windows Graphics Component Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2020-0898.
0
Attacker Value
Very High
CVE-2020-3430
Disclosure Date: September 04, 2020 (last updated November 08, 2023)
A vulnerability in the application protocol handling features of Cisco Jabber for Windows could allow an unauthenticated, remote attacker to execute arbitrary commands. The vulnerability is due to improper handling of input to the application protocol handlers. An attacker could exploit this vulnerability by convincing a user to click a link within a message sent by email or other messaging platform. A successful exploit could allow the attacker to execute arbitrary commands on a targeted system with the privileges of the user account that is running the Cisco Jabber client software.
0
Attacker Value
Very Low
CVE-2022-0540
Disclosure Date: April 20, 2022 (last updated October 07, 2023)
A vulnerability in Jira Seraph allows a remote, unauthenticated attacker to bypass authentication by sending a specially crafted HTTP request. This affects Atlassian Jira Server and Data Center versions before 8.13.18, versions 8.14.0 and later before 8.20.6, and versions 8.21.0 and later before 8.22.0. This also affects Atlassian Jira Service Management Server and Data Center versions before 4.13.18, versions 4.14.0 and later before 4.20.6, and versions 4.21.0 and later before 4.22.0.
4
Attacker Value
High
CVE-2020-27955 — Git Large File Storage / Git LFS (git-lfs) - Remote Code Execu…
Disclosure Date: November 05, 2020 (last updated November 28, 2024)
Git LFS 2.12.0 allows Remote Code Execution.
1