| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| The POPS! Rebel application 5.0 for Android, in POPS! Rebel Bluetooth Glucose Monitoring System, sends unencrypted glucose measurements over BLE. |
| In the module mib < 1.6.1 from MyPresta.eu for PrestaShop, a guest can perform SQL injection. The methods `mib::getManufacturersByCategory()` has sensitive SQL calls that can be executed with a trivial http call and exploited to forge a SQL injection. |
| Cleartext Transmission during initial setup in Shelly TRV 20220811-15234 v.2.1.8 allows a local attacker to obtain the Wi-Fi password. |
| Reflected cross-site scripting (XSS) vulnerabilities in Trend Micro Mobile Security (Enterprise) could allow an exploit against an authenticated victim that visits a malicious link provided by an attacker.
Please note, this vulnerability is similar to, but not identical to, CVE-2023-41177. |
| IBM Db2 10.1, 10.5, and 11.1 could allow a remote user to execute arbitrary code caused by installing like named jar files across multiple databases. A user could exploit this by installing a malicious jar file that overwrites the existing like named jar file in another database. IBM X-Force ID: 249205. |
| An issue was discovered in Contiki-NG tinyDTLS through 2018-08-30. One incorrect handshake could complete with different epoch numbers in the packets Client_Hello, Client_key_exchange, and Change_cipher_spec, which may cause denial of service. |
| File upload vulnerability in ejinshan v8+ terminal security system allows attackers to upload arbitrary files to arbitrary locations on the server. |
| CloudLinux CageFS 7.1.1-1 or below passes the authentication token as a command line argument. In some configurations this allows local users to view the authentication token via the process list and gain code execution as another user. |
| Cross Site Scripting (XSS) in Insurance Management System v1.0, allows remote attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Category Name parameter at /core/new_category2. |
| An issue in Fireboltt Dream Wristphone BSW202_FB_AAC_v2.0_20240110-20240110-1956 allows attackers to cause a Denial of Service (DoS) via a crafted deauth frame. |
| A cross-site scripting (XSS) in Cosmetics and Beauty Product Online Store v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the First Name parameter. |
| Insecure default configurations in Hikvision Interactive Tablet DS-D5B86RB/B V2.3.0 build220119, allows attackers to execute arbitrary commands. |
| Vulnerability in the Oracle Production Scheduling product of Oracle E-Business Suite (component: Import Utility). Supported versions that are affected are 12.2.4-12.2.12. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Production Scheduling. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Production Scheduling accessible data. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). |
| Strapi v4.24.4 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /strapi.io/_next/image. This vulnerability allows attackers to scan for open ports or access sensitive information via a crafted GET request. NOTE: The Strapi Development Community argues that this issue is not valid. They contend that "the strapi/admin was wrongly attributed a flaw that only pertains to the strapi.io website, and which, at the end of the day, does not pose any real SSRF risk to applications that make use of the Strapi library." |
| The vCenter Server contains multiple local privilege escalation vulnerabilities due to misconfiguration of sudo. An authenticated local user with non-administrative privileges may exploit these issues to elevate privileges to root on vCenter Server Appliance. |
| Shenzhen Guoxin Synthesis image system before 8.3.0 allows unauthorized user information retrieval via the queryUser API. |
| AbrhilSoft Employee's Portal before v5.6.2 was discovered to contain a SQL injection vulnerability in the login page. |
| Daily Expenses Management System version 1.0, developed by PHP Gurukul, contains a time-based blind SQL injection vulnerability in the 'add-expense.php' page. An attacker can exploit the 'item' parameter in a POST request to execute arbitrary SQL commands in the backend database. This can be done by injecting specially crafted SQL queries that make the database perform time-consuming operations, thereby confirming the presence of the SQL injection vulnerability based on the delay in the server's response. |
| A buffer overflow in PX4-Autopilot v1.12.3 allows attackers to cause a Denial of Service (DoS) via a crafted MavLink message. |
| PX4-Autopilot v1.14.3 was discovered to contain a buffer overflow via the topic_name parameter at /logger/logged_topics.cpp. |
