Threat and Vulnerability Intelligence Database

RSS Feed

Example Searches:

CVE
Threat Actors
Countries
Vendors
Severity
Known Exploited

CVE-2023-4420
A remote unprivileged attacker can intercept the communication via e.g. Man-In-The-Middle, due to the absence of Transport Layer Security (TLS) in...
Description: A remote unprivileged attacker can intercept the communication via e.g. Man-In-The-Middle, due to the absence of Transport Layer Security (TLS) in the SICK LMS5xx. This lack of encryption in the communication channel can lead to the unauthorized disclosure of sensitive information. The attacker can exploit this weakness to eavesdrop on the communication between the LMS5xx and the Client, and potentially manipulate the data being transmitted.

CVSS: CRITICAL (9.8)

EPSS Score: 0.09%

Source: CVE
December 10th, 2024 (4 months ago)

CVE-2023-4419
The LMS5xx uses hard-coded credentials, which potentially allow low-skilled unauthorized remote attackers to reconfigure settings and /or disrupt...
Description: The LMS5xx uses hard-coded credentials, which potentially allow low-skilled unauthorized remote attackers to reconfigure settings and /or disrupt the functionality of the device.

CVSS: CRITICAL (9.8)

EPSS Score: 0.21%

Source: CVE
December 10th, 2024 (4 months ago)

CVE-2023-32117
WordPress Integrate Google Drive plugin <= 1.1.99 - Unauthenticated Broken Access Control vulnerability
Description: Missing Authorization vulnerability in SoftLab Integrate Google Drive allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Integrate Google Drive: from n/a through 1.1.99.

CVSS: CRITICAL (9.8)

EPSS Score: 0.25%

Source: CVE
December 10th, 2024 (4 months ago)

CVE-2023-31411
A remote unprivileged attacker can modify and access configuration settings on the EventCam App due to the absence of API authentication. The lack...
Description: A remote unprivileged attacker can modify and access configuration settings on the EventCam App due to the absence of API authentication. The lack of authentication in the API allows the attacker to potentially compromise the functionality of the EventCam App.

CVSS: CRITICAL (9.8)

EPSS Score: 0.22%

Source: CVE
December 10th, 2024 (4 months ago)

CVE-2023-3110
Buffer overflow in S0 Decryption on Unify Gateway
Description: Description: A vulnerability in SiLabs Unify Gateway 1.3.1 and earlier allows an unauthenticated attacker within Z-Wave range to overflow a stack buffer, leading to arbitrary code execution.

CVSS: CRITICAL (9.6)

EPSS Score: 0.07%

Source: CVE
December 10th, 2024 (4 months ago)

CVE-2024-43468
Microsoft Configuration Manager Remote Code Execution Vulnerability
Description: Microsoft Configuration Manager Remote Code Execution Vulnerability

CVSS: CRITICAL (9.8)

EPSS Score: 0.05%

Source: CVE
December 9th, 2024 (4 months ago)

CVE-2024-12209
WP Umbrella: Update Backup Restore & Monitoring <= 2.17.0 - Unauthenticated Local File Inclusion
Description: The WP Umbrella: Update Backup Restore & Monitoring plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.17.0 via the 'filename' parameter of the 'umbrella-restore' action. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

CVSS: CRITICAL (9.8)

EPSS Score: 2.91%

Source: CVE
December 9th, 2024 (4 months ago)

CVE-2024-54214
WordPress Revy plugin <= 1.18 - Unauthenticated Arbitrary File Upload vulnerability
Description: Unrestricted Upload of File with Dangerous Type vulnerability in NotFound Revy allows Upload a Web Shell to a Web Server.This issue affects Revy: from n/a through 1.18.

CVSS: CRITICAL (10.0)

EPSS Score: 0.04%

Source: CVE
December 7th, 2024 (4 months ago)

CVE-2024-54143
openwrt/asu allows build artifact poisoning via truncated SHA-256 hash and command injection
Description: openwrt/asu is an image on demand server for OpenWrt based distributions. The request hashing mechanism truncates SHA-256 hashes to only 12 characters. This significantly reduces entropy, making it feasible for an attacker to generate collisions. By exploiting this, a previously built malicious image can be served in place of a legitimate one, allowing the attacker to "poison" the artifact cache and deliver compromised images to unsuspecting users. This can be combined with other attacks, such as a command injection in Imagebuilder that allows malicious users to inject arbitrary commands into the build process, resulting in the production of malicious firmware images signed with the legitimate build key. This has been patched with 920c8a1.

CVSS: CRITICAL (9.3)

EPSS Score: 0.04%

Source: CVE
December 7th, 2024 (4 months ago)

CVE-2024-54136
Untrusted Deserialization in ClipBucket-v5 Version 5.5.1 Revision 199 and Below
Description: ClipBucket V5 provides open source video hosting with PHP. ClipBucket-v5 Version 5.5.1 Revision 199 and below is vulnerable to PHP Deserialization vulnerability. The vulnerability exists in upload/upload.php where the user supplied input via collection get parameter is directly provided to unserialize function. As a result, it is possible for an adversary to inject maliciously crafted PHP serialized object and utilize gadget chains to cause unexpected behaviors of the application. This vulnerability is fixed in 5.5.1 Revision 200.

CVSS: CRITICAL (9.8)

EPSS Score: 0.04%

Source: CVE
December 7th, 2024 (4 months ago)