
CVEs Today

Latest Information on Common Vulnerabilities and Exposures (CVEs)

Last updated: February 25, 2024 19:00:17 UTC


CVE-2024-21501 | Modified: February 24, 2024 05:15:00 | References: security.snyk.io, gist.github.com
Versions of the package sanitize-html before 2.12.1 are vulnerable to Information Exposure when used on the backend with the style attribute allowed, permitting enumeration of files on the system (including project dependencies). An attacker could exploit this vulnerability to gather details about the file system structure and dependencies of the targeted server.

CVE-2024-21502 | Modified: February 24, 2024 05:15:00 | References: security.snyk.io, gist.github.com
Versions of the package fastecdsa before 2.3.2 are vulnerable to Use of Uninitialized Variable on the stack, via the curvemath_mul function in src/curveMath.c, because the uninitialized variable is used and interpreted as a user-defined type. Depending on the variable's actual value, the outcome can be an arbitrary free(), an arbitrary realloc(), a null pointer dereference, or other misbehaviour. Since the stack contents can be controlled by the attacker, the vulnerability could be used to corrupt allocator structures, leading to possible heap exploitation. The attacker could cause a denial of service by exploiting this vulnerability.

CVE-2024-1810 | Modified: February 24, 2024 05:15:00 | References: www.wordfence.com, plugins.trac.wordpress.org
The Archivist – Custom Archive Templates plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'shortcode_attributes' parameter in all versions up to, and including, 1.7.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVE-2024-22395 | Modified: February 24, 2024 00:15:00 | References: psirt.global.sonicwall.com
An improper access control vulnerability has been identified in the SMA100 SSL-VPN virtual office portal which, under specific conditions, could potentially enable a remote authenticated attacker to associate another user's MFA mobile application.

CVE-2024-22988 | Modified: February 23, 2024 23:15:00 | References: zkteco.com, gist.github.com
An issue in ZKTeco ZKBio WDMS v8.0.5 allows an attacker to execute arbitrary code via the /files/backup/ component.

CVE-2024-24681 | Modified: February 23, 2024 23:15:00 | References: www.reddit.com
Insecure AES key in the Yealink Configuration Encrypt Tool below version 1.2. A single, vendor-wide, hardcoded AES key in the configuration tool used to encrypt provisioning documents was leaked, compromising the confidentiality of provisioning documents.

CVE-2024-25469 | Modified: February 23, 2024 23:15:00 | References: github.com, github.com
SQL injection vulnerability in CRMEB crmeb_java v1.3.4 and before allows a remote attacker to obtain sensitive information via the latitude and longitude parameters of the api/front/store/list component.

CVE-2024-26188 | Modified: February 23, 2024 23:15:00 | References: msrc.microsoft.com
Microsoft Edge (Chromium-based) Spoofing Vulnerability

CVE-2024-26192 | Modified: February 23, 2024 23:15:00 | References: msrc.microsoft.com
Microsoft Edge (Chromium-based) Information Disclosure Vulnerability

CVE-2024-24310 | Modified: February 23, 2024 22:15:00 | References: addons.prestashop.com, security.friendsofpresta.org
In the module "Generate barcode on invoice / delivery slip" (ecgeneratebarcode) from Ether Creation, versions <= 1.2.0 for PrestaShop, a guest can perform SQL injection.

CVE-2024-25730 | Modified: February 23, 2024 22:15:00 | References: i.ebayimg.com, i.ebayimg.com
Hitron CODA-4582 and CODA-4589 devices have default PSKs that are generated from five-digit hex values concatenated with a "Hitron" substring, resulting in insufficient entropy (only about one million possibilities: 16^5 = 1,048,576, roughly 20 bits).

CVE-2024-27132 | Modified: February 23, 2024 22:15:00 | References: research.jfrog.com, github.com
Insufficient sanitization in MLflow leads to XSS when running an untrusted recipe. This issue leads to a client-side RCE when running an untrusted recipe in Jupyter Notebook. The vulnerability stems from a lack of sanitization of template variables.

CVE-2024-27133 | Modified: February 23, 2024 22:15:00 | References: research.jfrog.com, github.com
Insufficient sanitization in MLflow leads to XSS when running a recipe that uses an untrusted dataset. This issue leads to a client-side RCE when running the recipe in Jupyter Notebook. The vulnerability stems from a lack of sanitization of dataset table fields.

CVE-2024-21423 | Modified: February 23, 2024 22:15:00 | References: msrc.microsoft.com
Microsoft Edge (Chromium-based) Information Disclosure Vulnerability

CVE-2024-24309 | Modified: February 23, 2024 22:15:00 | References: www.ecomiz.com, security.friendsofpresta.org
In the module "Survey TMA" (ecomiz_survey_tma) up to version 2.0.0 from Ecomiz for PrestaShop, a guest can download personal information without restriction.

CVE-2024-1832 | Modified: February 23, 2024 20:15:00 | References: vuldb.com, vuldb.com
A vulnerability has been found in SourceCodester Complete File Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin/ of the component Admin Login Form. Manipulation of the argument username with the input torada%27+or+%271%27+%3D+%271%27+--+- (URL-decoded: torada' or '1' = '1' -- -) leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-254623.

CVE-2023-51393 | Modified: February 23, 2024 20:15:00 | References: community.silabs.com
Due to allocation of resources without limits, an uncontrolled resource consumption vulnerability exists in the Silicon Labs Ember ZNet SDK prior to v7.4.0.0 (delivered as part of Silicon Labs Gecko SDK v4.4.0) which may enable attackers to trigger a bus fault and crash the device, requiring a reboot in order to rejoin the network.

CVE-2023-51394 | Modified: February 23, 2024 20:15:00 | References: community.silabs.com
High-traffic environments may trigger a NULL pointer dereference vulnerability in the Silicon Labs Ember ZNet SDK before v7.4.0, causing a system crash.

CVE-2024-1833 | Modified: February 23, 2024 20:15:00 | References: vuldb.com, vuldb.com
A vulnerability was found in SourceCodester Employee Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /Account/login.php. Manipulation of the argument txtusername leads to SQL injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-254624.

CVE-2024-1834 | Modified: February 23, 2024 20:15:00 | References: vuldb.com, vuldb.com
A vulnerability was found in SourceCodester Simple Student Attendance System 1.0. It has been classified as problematic. This affects an unknown part of the file ?page=attendance&class_id=1. Manipulation of the argument class_date with the input 2024-02-23%22%3E%3Cscript%3Ealert(1)%3C/script%3E (URL-decoded: 2024-02-23"><script>alert(1)</script>) leads to cross-site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-254625 was assigned to this vulnerability.
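The CVE-2024-25730 entry above states the PSK generation scheme (five hex digits plus the substring "Hitron") and the resulting keyspace. The following is an added illustration, not Hitron code or anything from the referenced listings: it computes the keyspace and entropy from that scheme, enumerates the candidate PSKs in wordlist order, and checks whether a given PSK matches the weak pattern. Whether the hex digits come before or after the substring, and their letter case, are not stated in the entry and are assumed here (both layouts are supported).

```python
"""Keyspace of a default PSK built from five hex digits plus a fixed "Hitron"
substring, as described in the CVE-2024-25730 entry. Added illustration, not
vendor code: the layout (hex prefix vs. suffix) and digit case are assumptions."""
import itertools
import math
from typing import Iterator

HEX_DIGITS = "0123456789abcdef"   # assumed lowercase; case does not change the count
FIXED_SUBSTRING = "Hitron"        # the vendor substring named in the entry
VARIABLE_DIGITS = 5               # the five hex digits named in the entry


def keyspace_size(digits: int = VARIABLE_DIGITS, alphabet: int = 16) -> int:
    """Number of distinct PSKs the scheme can produce (16**5 == 1,048,576)."""
    return alphabet ** digits


def entropy_bits(digits: int = VARIABLE_DIGITS, alphabet: int = 16) -> float:
    """Entropy of a uniformly chosen key from that keyspace, in bits."""
    return digits * math.log2(alphabet)


def candidate_psks(layout: str = "prefix") -> Iterator[str]:
    """Enumerate every candidate PSK in wordlist order.

    layout="prefix" puts the hex value before the substring ("1a2b3Hitron");
    layout="suffix" puts it after ("Hitron1a2b3"). Which one the devices use is
    an assumption, so the caller picks.
    """
    for combo in itertools.product(HEX_DIGITS, repeat=VARIABLE_DIGITS):
        hex_part = "".join(combo)
        if layout == "prefix":
            yield hex_part + FIXED_SUBSTRING
        else:
            yield FIXED_SUBSTRING + hex_part


def seconds_to_exhaust(guesses_per_second: float, digits: int = VARIABLE_DIGITS) -> float:
    """Worst-case time to try the whole keyspace at a given guess rate.

    Offline WPA2 (PBKDF2) cracking rates depend on hardware, so the rate is an
    input rather than a built-in figure.
    """
    return keyspace_size(digits) / guesses_per_second


def is_in_keyspace(psk: str, layout: str = "prefix") -> bool:
    """Structural check: does this PSK match the weak pattern? No enumeration needed."""
    if len(psk) != VARIABLE_DIGITS + len(FIXED_SUBSTRING):
        return False
    if layout == "prefix":
        hex_part, fixed = psk[:VARIABLE_DIGITS], psk[VARIABLE_DIGITS:]
    else:
        fixed, hex_part = psk[:len(FIXED_SUBSTRING)], psk[len(FIXED_SUBSTRING):]
    return fixed == FIXED_SUBSTRING and all(c in HEX_DIGITS for c in hex_part.lower())


if __name__ == "__main__":
    print(f"keyspace: {keyspace_size():,} candidates ({entropy_bits():.0f} bits)")
    print("first candidates:", list(itertools.islice(candidate_psks(), 3)))
    print(f"at 100,000 guesses/s the whole space takes {seconds_to_exhaust(1e5) / 60:.1f} minutes")
```

The point of `is_in_keyspace` is operational: an auditor with a list of deployed PSKs can flag every one that follows the pattern without cracking anything, and `candidate_psks` is exactly the wordlist a cracker would feed to a WPA2 handshake.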
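The CVE-2024-1832 and CVE-2024-1833 entries above report SQL injection through a login form's username argument, and CVE-2024-1832 quotes the exact payload. The following is an added example, not SourceCodester code: it builds a login query by string concatenation (the assumed shape of the flaw, since the entries name only the argument and the file) and runs the decoded payload against a constructed SQLite user table, then runs the same input through a parameterized query. The table layout, column names and the `login_*` function names are assumptions.

```python
"""Login query assembled by string concatenation versus a parameterized query,
exercised with the payload quoted in the CVE-2024-1832 entry. Added example,
not SourceCodester code: the table layout and query shape are assumed."""
import sqlite3
from urllib.parse import unquote_plus

# Payload exactly as it appears in the entry (URL-encoded form parameter).
PAYLOAD_1832 = "torada%27+or+%271%27+%3D+%271%27+--+-"


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "S3cret!"), (2, "alice", "hunter2")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Assumed shape of the flawed check: user input spliced into the SQL text."""
    sql = (
        f"SELECT id, username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Same check with bound parameters: the input can never alter the SQL."""
    sql = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def demo(payload: str = PAYLOAD_1832) -> dict:
    """Decode the payload as the web server would and compare both queries."""
    conn = make_db()
    username = unquote_plus(payload)  # torada' or '1' = '1' -- -
    return {
        "decoded": username,
        # The injected OR makes the WHERE clause true for every row, and the
        # trailing comment discards the password check entirely.
        "vulnerable_rows": login_vulnerable(conn, username, "wrong-password"),
        # Bound as a literal, the same string matches no username.
        "fixed_rows": login_fixed(conn, username, "wrong-password"),
    }


if __name__ == "__main__":
    result = demo()
    print("decoded payload:      ", result["decoded"])
    print("concatenated query:   ", result["vulnerable_rows"])
    print("parameterized query:  ", result["fixed_rows"])
```

The trailing `-- -` in the payload is the usual portable comment terminator: MySQL requires whitespace after `--`, which the `+` (space) supplies, and the final `-` keeps some front ends from trimming that space; SQLite accepts `--` either way, so the same payload works here.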
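The CVE-2024-1834 entry above quotes a cross-site scripting payload that closes a quoted attribute value before opening a script element. The following is an added example, not SourceCodester code: it assumes the class_date parameter is echoed into the value attribute of an input element (the entry does not show the template), renders that markup with and without attribute-context escaping, and uses the standard-library HTML tokenizer to count how many script start tags each rendering produces. The template and function names are assumptions.

```python
"""Reflection of a request parameter into an HTML attribute, unescaped versus
escaped, using the payload quoted in the CVE-2024-1834 entry. Added example,
not SourceCodester code: the page template is assumed."""
import html
from html.parser import HTMLParser
from urllib.parse import unquote_plus

# Payload exactly as it appears in the entry (URL-encoded query parameter).
PAYLOAD_1834 = "2024-02-23%22%3E%3Cscript%3Ealert(1)%3C/script%3E"


def render_vulnerable(class_date: str) -> str:
    """Assumed template: the parameter echoed straight into a value attribute."""
    return f'<input type="date" name="class_date" value="{class_date}">'


def render_fixed(class_date: str) -> str:
    """html.escape(quote=True) also encodes the quote characters, so the value
    cannot terminate the attribute it is placed in."""
    safe = html.escape(class_date, quote=True)
    return f'<input type="date" name="class_date" value="{safe}">'


class _TagCollector(HTMLParser):
    """Records start tags the way a browser tokenizer would see them."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list = []

    def handle_starttag(self, tag: str, attrs) -> None:
        self.tags.append(tag)


def script_tags(markup: str) -> int:
    """Number of <script> start tags a parser finds in the markup."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags.count("script")


def demo(payload: str = PAYLOAD_1834) -> dict:
    """Decode the payload as the web server would and compare both renderings."""
    value = unquote_plus(payload)  # 2024-02-23"><script>alert(1)</script>
    vulnerable, fixed = render_vulnerable(value), render_fixed(value)
    return {
        "decoded": value,
        "vulnerable": vulnerable,
        "fixed": fixed,
        "vulnerable_script_tags": script_tags(vulnerable),  # 1: the payload escaped the attribute
        "fixed_script_tags": script_tags(fixed),            # 0: still one harmless input element
    }


if __name__ == "__main__":
    result = demo()
    print("decoded payload:", result["decoded"])
    print("unescaped markup:", result["vulnerable"], "->", result["vulnerable_script_tags"], "script tag(s)")
    print("escaped markup:  ", result["fixed"], "->", result["fixed_script_tags"], "script tag(s)")
```

Escaping has to match the output context: `html.escape` with `quote=True` is right for a double-quoted attribute value, but a value placed inside a script block or a URL needs a different encoder, which is why "input sanitization" alone, as the MLflow and WordPress entries above also note, does not settle the question.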




