Show filters
487 topics marked with the following tags:
Displaying 21-30 of 487
Sort by:
Attacker Value
Very High
CVE-2019-0230
Disclosure Date: September 14, 2020 (last updated November 08, 2023)
Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.
1
Attacker Value
Very High
CVE-2021-37928
Disclosure Date: October 07, 2021 (last updated October 07, 2023)
Zoho ManageEngine ADManager Plus version 7110 and prior allows unrestricted file upload which leads to remote code execution.
1
Attacker Value
Moderate
CVE-2019-1436
Disclosure Date: November 12, 2019 (last updated October 06, 2023)
An information disclosure vulnerability exists when the win32k component improperly provides kernel information, aka 'Win32k Information Disclosure Vulnerability'. This CVE ID is unique from CVE-2019-1440.
0
Attacker Value
Low
CVE-2020-15408
Disclosure Date: July 28, 2020 (last updated October 07, 2023)
An issue was discovered in Pulse Secure Pulse Connect Secure before 9.1R8. An authenticated attacker can access the admin page console via the end-user web interface because of a rewrite.
0
Attacker Value
High
CVE-2018-11759
Disclosure Date: October 31, 2018 (last updated November 08, 2023)
The Apache Web Server (httpd) specific code that normalised the requested path before matching it to the URI-worker map in Apache Tomcat JK (mod_jk) Connector 1.2.0 to 1.2.44 did not handle some edge cases correctly. If only a sub-set of the URLs supported by Tomcat were exposed via httpd, then it was possible for a specially constructed request to expose application functionality through the reverse proxy that was not intended for clients accessing the application via the reverse proxy. It was also possible in some configurations for a specially constructed request to bypass the access controls configured in httpd. While there is some overlap between this issue and CVE-2018-1323, they are not identical.
2
Attacker Value
Very High
CVE-2013-3018
Disclosure Date: May 24, 2018 (last updated October 06, 2023)
The AXIS webapp in deploy-tomcat/axis in IBM Tivoli Application Dependency Discovery Manager (TADDM) 7.1.2 and 7.2.0 through 7.2.1.4 allows remote attackers to obtain sensitive configuration information via a direct request, as demonstrated by happyaxis.jsp. IBM X-Force ID: 84354.
0
Attacker Value
High
CVE-2023-6553
Disclosure Date: December 15, 2023 (last updated December 22, 2023)
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.7 via the /includes/backup-heart.php file. This is due to an attacker being able to control the values passed to an include, and subsequently leverage that to achieve remote code execution. This makes it possible for unauthenticated attackers to easily execute code on the server.
4
Attacker Value
Moderate
CVE-2021-21255
Disclosure Date: March 02, 2021 (last updated October 07, 2023)
GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. In GLPI version 9.5.3, it was possible to switch entities with IDOR from a logged in user. This is fixed in version 9.5.4.
1
Attacker Value
Very Low
CVE-2022-35737
Disclosure Date: August 03, 2022 (last updated March 28, 2024)
SQLite 1.0.12 through 3.39.x before 3.39.2 sometimes allows an array-bounds overflow if billions of bytes are used in a string argument to a C API.
2
Attacker Value
High
VU#498544 ZyXEL pre-authentication command injection in weblogin.cgi
Last updated February 26, 2020
" Multiple ZyXEL devices contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable device.
Multiple ZyXEL devices achieve authentication by using the weblogin.cgi CGI executable. This program fails to properly sanitize the username parameter that is passed to it. If the username parameter contains certain characters, it can allow command injection with the privileges of the web server that runs on the ZyXEL device. Although the web server does not run as the root user, many ZyXEL devices include a setuid utility that can be leveraged to run any command with root privileges. As such, it should be assumed that exploitation of this vulnerability can lead to remote code execution with root privileges.
Exploit code for this vulnerability that targets NAS devices is available on the internet. "
1