-
CVE-2024-33667
•
published on April 26, 2024
An issue was discovered in Zammad before 6.3.0. An authenticated agent could perform a remote Denial of Service attack by calling an endpoint that accepts a generic method name, which was not properly sanitized against an allowlist.
-
CVE-2024-33669
•
published on April 26, 2024
An issue was discovered in Passbolt Browser Extension before 4.6.2. It can send multiple requests to HaveIBeenPwned while a password is being typed, which results in an information leak. This allows an attacker capable of observing Passbolt's HTTPS queries to the Pwned Password API to more easily brute force passwords that are manually typed by the user.
-
CVE-2022-48682
•
published on April 26, 2024
In deletefiles in FDUPES before 2.2.0, a TOCTOU race condition allows arbitrary file deletion via a symlink.
-
CVE-2023-26603
•
published on April 26, 2024
JumpCloud Agent before 1.178.0 Creates a Temporary File in a Directory with Insecure Permissions. This allows privilege escalation to SYSTEM via a repair action in the installer.
-
CVE-2023-47252
•
published on April 26, 2024
An issue was discovered in PnpSmm in Insyde InsydeH2O with kernel 5.0 through 5.6. There is a possible out-of-bounds access in the SMM communication buffer, leading to tampering. The PNP-related SMI sub-functions do not verify data size before getting it from the communication buffer, which could lead to possible circumstances where the data immediately following the command buffer could be destroyed with a fixed value. This is fixed in kernel 5.2 v05.28.45, kernel 5.3 v05.37.45, kernel 5.4 v05.45.45, kernel 5.5 v05.53.45, and kernel 5.6 v05.60.45.
-
CVE-2023-51794
•
published on April 26, 2024
Buffer Overflow vulnerability in Ffmpeg v.N113007-g8d24a28d06 allows a local attacker to execute arbitrary code via the libavfilter/af_stereowiden.c:120:69.
-
CVE-2024-22633
•
published on April 26, 2024
Setor Informatica Sistema Inteligente para Laboratorios (S.I.L.) 388 was discovered to contain a remote code execution (RCE) vulnerability via the hprinter parameter. This vulnerability is triggered via a crafted POST request.
-
CVE-2024-22632
•
published on April 26, 2024
Setor Informatica Sistema Inteligente para Laboratorios (S.I.L.) 388 was discovered to contain a remote code execution (RCE) vulnerability via the hmsg parameter. This vulnerability is triggered via a crafted POST request.
-
CVE-2024-25343
•
published on April 26, 2024
Tenda N300 F3 router vulnerability allows users to bypass intended security policy and create weak passwords.
-
CVE-2024-28325
•
published on April 26, 2024
Asus RT-N12+ B1 router stores credentials in cleartext, which could allow local attackers to obtain unauthorized access and modify router settings.
-
CVE-2024-28327
•
published on April 26, 2024
Asus RT-N12+ B1 router stores user passwords in plaintext, which could allow local attackers to obtain unauthorized access and modify router settings.
-
CVE-2024-28328
•
published on April 26, 2024
CSV Injection vulnerability in the Asus RT-N12+ router allows administrator users to inject arbitrary commands or formulas in the client name parameter which can be triggered and executed in a different user session upon exporting to CSV format.
-
CVE-2024-28322
•
published on April 26, 2024
SQL Injection vulnerability in /event-management-master/backend/register.php in PuneethReddyHC Event Management 1.0 allows attackers to run arbitrary SQL commands via the event_id parameter in a crafted POST request.
-
CVE-2024-28326
•
published on April 26, 2024
Incorrect Access Control in ASUS RT-N12+ B1 and RT-N12 D1 routers allows local attackers to obtain root terminal access via the the UART interface.
-
CVE-2024-30804
•
published on April 26, 2024
An issue discovered in the DeviceIoControl component in ASUS Fan_Xpert before v.10013 allows an attacker to execute arbitrary code via crafted IOCTL requests.
-
CVE-2024-31502
•
published on April 26, 2024
An issue in Insurance Management System v.1.0.0 and before allows a remote attacker to escalate privileges via a crafted POST request to /admin/core/new_staff.
-
CVE-2024-31741
•
published on April 26, 2024
Cross Site Scripting vulnerability in MiniCMS v.1.11 allows a remote attacker to run arbitrary code via crafted string in the URL after login.
-
CVE-2024-31828
•
published on April 26, 2024
Cross Site Scripting vulnerability in Lavalite CMS v.10.1.0 allows attackers to execute arbitrary code and obtain sensitive information via a crafted payload to the URL.
-
CVE-2024-31551
•
published on April 26, 2024
Directory Traversal vulnerability in lib/admin/image.admin.php in cmseasy v7.7.7.9 20240105 allows attackers to delete arbitrary files via crafted GET request.
-
CVE-2024-31755
•
published on April 26, 2024
cJSON v1.7.17 was discovered to contain a segmentation violation, which can trigger through the second parameter of function cJSON_SetValuestring at cJSON.c.