-
CVE-2024-33672
•
published on April 26, 2024
An issue was discovered in Veritas NetBackup before 10.4. The Multi-Threaded Agent used in NetBackup can be leveraged to perform arbitrary file deletion on protected files.
-
CVE-2024-33666
•
published on April 26, 2024
An issue was discovered in Zammad before 6.3.0. Users with customer access to a ticket could have accessed time accounting details of this ticket via the API. This data should be available only to agents.
-
CVE-2024-33668
•
published on April 26, 2024
An issue was discovered in Zammad before 6.3.0. The Zammad Upload Cache uses insecure, partially guessable FormIDs to identify content. An attacker could try to brute force them to upload malicious content to article drafts they have no access to.
-
CVE-2024-33673
•
published on April 26, 2024
An issue was discovered in Veritas Backup Exec before 22.2 HotFix 917391. Improper access controls allow for DLL Hijacking in the Windows DLL Search path.
-
CVE-2022-48682
•
published on April 26, 2024
In deletefiles in FDUPES before 2.2.0, a TOCTOU race condition allows arbitrary file deletion via a symlink.
-
CVE-2023-26603
•
published on April 26, 2024
JumpCloud Agent before 1.178.0 Creates a Temporary File in a Directory with Insecure Permissions. This allows privilege escalation to SYSTEM via a repair action in the installer.
-
CVE-2023-47252
•
published on April 26, 2024
An issue was discovered in PnpSmm in Insyde InsydeH2O with kernel 5.0 through 5.6. There is a possible out-of-bounds access in the SMM communication buffer, leading to tampering. The PNP-related SMI sub-functions do not verify data size before getting it from the communication buffer, which could lead to possible circumstances where the data immediately following the command buffer could be destroyed with a fixed value. This is fixed in kernel 5.2 v05.28.45, kernel 5.3 v05.37.45, kernel 5.4 v05.45.45, kernel 5.5 v05.53.45, and kernel 5.6 v05.60.45.
-
CVE-2023-51794
•
published on April 26, 2024
Buffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 allows a local attacker to execute arbitrary code via the libavfilter/af_stereowiden.c:120:69.
-
CVE-2024-22633
•
published on April 26, 2024
Setor Informatica Sistema Inteligente para Laboratorios (S.I.L.) 388 was discovered to contain a remote code execution (RCE) vulnerability via the hprinter parameter. This vulnerability is triggered via a crafted POST request.
-
CVE-2024-22632
•
published on April 26, 2024
Setor Informatica Sistema Inteligente para Laboratorios (S.I.L.) 388 was discovered to contain a remote code execution (RCE) vulnerability via the hmsg parameter. This vulnerability is triggered via a crafted POST request.
-
CVE-2024-25343
•
published on April 26, 2024
Tenda N300 F3 router vulnerability allows users to bypass intended security policy and create weak passwords.
-
CVE-2024-28327
•
published on April 26, 2024
Asus RT-N12+ B1 router stores user passwords in plaintext, which could allow local attackers to obtain unauthorized access and modify router settings.
-
CVE-2024-28328
•
published on April 26, 2024
CSV Injection vulnerability in the Asus RT-N12+ router allows administrator users to inject arbitrary commands or formulas in the client name parameter which can be triggered and executed in a different user session upon exporting to CSV format.
-
CVE-2024-28322
•
published on April 26, 2024
SQL Injection vulnerability in /event-management-master/backend/register.php in PuneethReddyHC Event Management 1.0 allows attackers to run arbitrary SQL commands via the event_id parameter in a crafted POST request.
-
CVE-2024-28325
•
published on April 26, 2024
Asus RT-N12+ B1 router stores credentials in cleartext, which could allow local attackers to obtain unauthorized access and modify router settings.
-
CVE-2024-28326
•
published on April 26, 2024
Incorrect Access Control in ASUS RT-N12+ B1 and RT-N12 D1 routers allows local attackers to obtain root terminal access via the the UART interface.
-
CVE-2024-30804
•
published on April 26, 2024
An issue discovered in the DeviceIoControl component in ASUS Fan_Xpert before v.10013 allows an attacker to execute arbitrary code via crafted IOCTL requests.
-
CVE-2024-31828
•
published on April 26, 2024
Cross Site Scripting vulnerability in Lavalite CMS v.10.1.0 allows attackers to execute arbitrary code and obtain sensitive information via a crafted payload to the URL.
-
CVE-2024-31502
•
published on April 26, 2024
An issue in Insurance Management System v.1.0.0 and before allows a remote attacker to escalate privileges via a crafted POST request to /admin/core/new_staff.
-
CVE-2024-31551
•
published on April 26, 2024
Directory Traversal vulnerability in lib/admin/image.admin.php in cmseasy v7.7.7.9 20240105 allows attackers to delete arbitrary files via crafted GET request.