Topics

Sort by:
Attacker Value
Very High

CVE-2023-48788

Disclosure Date: March 12, 2024 (last updated April 01, 2024)
A improper neutralization of special elements used in an sql command ('sql injection') in Fortinet FortiClientEMS version 7.2.0 through 7.2.2, FortiClientEMS 7.0.1 through 7.0.10 allows attacker to execute unauthorized code or commands via specially crafted packets.
Attacker Value
Moderate

CVE-2023-38511

Disclosure Date: April 15, 2024 (last updated April 16, 2024)
iTop is an IT service management platform. Dashboard editor : can load multiple files and URL, and full path disclosure on dashboard config file. This vulnerability is fixed in 3.0.4 and 3.1.1.
1
Attacker Value
Very High

CVE-2024-3400

Disclosure Date: April 12, 2024 (last updated April 18, 2024)
A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.
Attacker Value
Very High

CVE-2021-27101

Disclosure Date: February 16, 2021 (last updated October 07, 2023)
Accellion FTA 9_12_370 and earlier is affected by SQL injection via a crafted Host header in a request to document_root.html. The fixed version is FTA_9_12_380 and later.
Attacker Value
Moderate

CVE-2023-50386

Disclosure Date: February 09, 2024 (last updated February 16, 2024)
Improper Control of Dynamically-Managed Code Resources, Unrestricted Upload of File with Dangerous Type, Inclusion of Functionality from Untrusted Control Sphere vulnerability in Apache Solr.This issue affects Apache Solr: from 6.0.0 through 8.11.2, from 9.0.0 before 9.4.1. In the affected versions, Solr ConfigSets accepted Java jar and class files to be uploaded through the ConfigSets API. When backing up Solr Collections, these configSet files would be saved to disk when using the LocalFileSystemRepository (the default for backups). If the backup was saved to a directory that Solr uses in its ClassPath/ClassLoaders, then the jar and class files would be available to use with any ConfigSet, trusted or untrusted. When Solr is run in a secure way (Authorization enabled), as is strongly suggested, this vulnerability is limited to extending the Backup permissions with the ability to add libraries. Users are recommended to upgrade to version 8.11.3 or 9.4.1, which fix the issue. In thes…
Attacker Value
Very High

CVE-2024-3094

Disclosure Date: March 29, 2024 (last updated April 18, 2024)
Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library.
Attacker Value
High

CVE-2023-20269

Disclosure Date: September 06, 2023 (last updated April 04, 2024)
A vulnerability in the remote access VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct a brute force attack in an attempt to identify valid username and password combinations or an authenticated, remote attacker to establish a clientless SSL VPN session with an unauthorized user. This vulnerability is due to improper separation of authentication, authorization, and accounting (AAA) between the remote access VPN feature and the HTTPS management and site-to-site VPN features. An attacker could exploit this vulnerability by specifying a default connection profile/tunnel group while conducting a brute force attack or while establishing a clientless SSL VPN session using valid credentials. A successful exploit could allow the attacker to achieve one or both of the following: Identify valid credentials that could then be used to establish an unauthorized remote …
Attacker Value
Very High

CVE-2024-2054

Disclosure Date: March 21, 2024 (last updated March 21, 2024)
The Artica-Proxy administrative web application will deserialize arbitrary PHP objects supplied by unauthenticated users and subsequently enable code execution as the "www-data" user.
4
Attacker Value
Very High

CVE-2024-23759

Disclosure Date: February 12, 2024 (last updated February 15, 2024)
Deserialization of Untrusted Data in Gambio through 4.9.2.0 allows attackers to run arbitrary code via "search" parameter of the Parcelshopfinder/AddAddressBookEntry" function.
Attacker Value
Moderate

CVE-2024-24725

Disclosure Date: March 23, 2024 (last updated April 02, 2024)
Gibbon through 26.0.00 allows remote authenticated users to conduct PHP deserialization attacks via columnOrder in a POST request to the modules/System%20Admin/import_run.php&type=externalAssessment&step=4 URI.
2