CVE-2024-10774 |
Description: Unauthenticated CROWN APIs expose critical functions, which makes large parts of the web application reachable without authentication.
CVSS: HIGH (7.3) EPSS Score: 0.04%
December 7th, 2024 (4 months ago)
|
CVE-2024-10772 |
Description: Because the firmware update is not validated, an attacker can install modified firmware on the device. This has a high impact on availability, integrity and confidentiality, up to complete compromise of the device.
CVSS: HIGH (8.8) EPSS Score: 0.04%
December 7th, 2024 (4 months ago)
|
CVE-2024-10771 |
Description: Due to missing input validation during one step of the firmware update process, the product is vulnerable to remote code execution. With network access and the user level "Service", an attacker can execute arbitrary system commands in the root user's context.
CVSS: HIGH (8.8) EPSS Score: 0.04%
December 7th, 2024 (4 months ago)
|
CVE-2024-10578 |
Description: The Pubnews theme for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the pubnews_importer_plugin_action_for_notice() function in all versions up to, and including, 1.0.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install arbitrary plugins that can be leveraged to exploit other vulnerabilities.
CVSS: HIGH (8.8) EPSS Score: 0.06%
December 7th, 2024 (4 months ago)
|
CVE-2024-10516 |
Description: The Swift Performance Lite plugin for WordPress is vulnerable to Local PHP File Inclusion in all versions up to, and including, 2.3.7.1 via the 'ajaxify' function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
CVSS: HIGH (8.1) EPSS Score: 1.24%
December 7th, 2024 (4 months ago)
|
CVE-2024-10247 |
Description: The Video Gallery – Best WordPress YouTube Gallery Plugin plugin for WordPress is vulnerable to time-based SQL Injection via the orderby parameter in all versions up to, and including, 2.4.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVSS: HIGH (7.2) EPSS Score: 0.08%
December 7th, 2024 (4 months ago)
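The entry above is an ORDER BY injection, a case where escaping the value does not help because the parameter is an identifier, not a string literal, and value placeholders cannot stand in for it. As an added example that is not part of this advisory or the plugin's own code, the Python below builds a constructed SQLite table, shows an attacker-controlled `orderby` turned into a boolean inference oracle (SQLite has no SLEEP(), so the probe flips the sort order instead of delaying the response), and then the allowlist-based construction that closes the hole. Table and column names are assumptions.

```python
import sqlite3

# Columns and directions the application is prepared to sort by.
ORDERBY_COLUMNS = {"id", "title", "created"}
ORDERBY_DIRECTIONS = {"ASC", "DESC"}


def build_db() -> sqlite3.Connection:
    """Constructed sample data standing in for a gallery table plus a
    sensitive table the attacker wants to read."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE videos (id INTEGER PRIMARY KEY, title TEXT, created TEXT)")
    con.executemany("INSERT INTO videos VALUES (?, ?, ?)", [
        (1, "intro", "2024-01-01"),
        (2, "demo", "2024-02-01"),
        (3, "outro", "2024-03-01"),
    ])
    con.execute("CREATE TABLE wp_users (id INTEGER, user_pass TEXT)")
    con.execute("INSERT INTO wp_users VALUES (1, '$P$Bconstructedhashvalue')")  # constructed
    return con


def vulnerable_query(con: sqlite3.Connection, orderby: str) -> list:
    """Interpolates the request parameter straight into ORDER BY.
    A '?' placeholder cannot be used here, so 'escaping' is no defence."""
    return con.execute(f"SELECT id, title FROM videos ORDER BY {orderby}").fetchall()


def safe_orderby(orderby: str) -> str:
    """Map the request value onto an allowlisted column and direction;
    anything else is rejected rather than escaped."""
    parts = orderby.strip().split()
    if not 1 <= len(parts) <= 2:
        raise ValueError("unexpected ORDER BY shape")
    column = parts[0].lower()
    direction = parts[1].upper() if len(parts) == 2 else "ASC"
    if column not in ORDERBY_COLUMNS or direction not in ORDERBY_DIRECTIONS:
        raise ValueError(f"ORDER BY value not allowed: {orderby!r}")
    return f"{column} {direction}"


def orderby_is_allowed(orderby: str) -> bool:
    try:
        safe_orderby(orderby)
        return True
    except ValueError:
        return False


def safe_query(con: sqlite3.Connection, orderby: str) -> list:
    """Same query, but the identifier comes from the allowlist, never from the request."""
    return con.execute(f"SELECT id, title FROM videos ORDER BY {safe_orderby(orderby)}").fetchall()


# Boolean inference probe: sorts by id when the guessed character is right,
# by title when it is wrong, so the row order leaks one character per request.
PROBE = ("(CASE WHEN (SELECT substr(user_pass,1,1) FROM wp_users)='{}' "
         "THEN id ELSE title END)")


if __name__ == "__main__":
    con = build_db()
    print("guess '$':", vulnerable_query(con, PROBE.format("$")))
    print("guess 'X':", vulnerable_query(con, PROBE.format("X")))
    print("allowlisted:", safe_query(con, "title desc"))
    print("probe allowed by safe path?", orderby_is_allowed(PROBE.format("$")))
```

The same reasoning applies to the WordPress code the advisory concerns: `$wpdb->prepare()` placeholders cover values, so an ORDER BY column name must be checked against a fixed list before it is concatenated into the query.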
|
CVE-2024-0130 |
Description: NVIDIA UFM Enterprise, UFM Appliance, and UFM CyberAI contain a vulnerability where an attacker can cause an improper authentication issue by sending a malformed request through the Ethernet management interface. A successful exploit of this vulnerability might lead to escalation of privileges, data tampering, denial of service, and information disclosure.
CVSS: HIGH (8.8) EPSS Score: 0.04%
December 7th, 2024 (4 months ago)
|
CVE-2023-35174 |
Description: Livebook is a web application for writing interactive and collaborative code notebooks. On Windows, it is possible to open a `livebook://` link from a browser which opens Livebook Desktop and triggers arbitrary code execution on victim's machine. Any user using Livebook Desktop on Windows is potentially vulnerable to arbitrary code execution when they expect Livebook to be opened from browser. This vulnerability has been fixed in version 0.8.2 and 0.9.3.
CVSS: HIGH (8.6) EPSS Score: 0.45%
December 7th, 2024 (4 months ago)
|
CVE-2023-32274 |
Description: Enphase Installer Toolkit version 3.27.0 has hard-coded credentials embedded in the binary code of the Android application. An attacker can extract them and gain access to sensitive information.
CVSS: HIGH (8.6) EPSS Score: 0.1%
December 7th, 2024 (4 months ago)
|
CVE-2023-2911 |
Description: If the `recursive-clients` quota is reached on a BIND 9 resolver configured with both `stale-answer-enable yes;` and `stale-answer-client-timeout 0;`, a sequence of serve-stale-related lookups could cause `named` to loop and terminate unexpectedly due to a stack overflow.
This issue affects BIND 9 versions 9.16.33 through 9.16.41, 9.18.7 through 9.18.15, 9.16.33-S1 through 9.16.41-S1, and 9.18.11-S1 through 9.18.15-S1.
CVSS: HIGH (7.5) EPSS Score: 0.1%
December 7th, 2024 (4 months ago)
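The entry above names the exact pair of options that make a resolver reachable by this bug. The `named.conf` fragment below is an added illustration, not text from the ISC advisory: the first block shows the affected combination as the description states it, the second the interim change ISC published as a workaround (setting `stale-answer-client-timeout` to `off`) for operators who could not immediately move to the first release after each affected range (9.16.42 or 9.18.16). The `recursive-clients` value is an arbitrary example number.

```conf
// Affected combination: serve-stale enabled and stale answers returned to
// clients immediately; the bug triggers once the recursive-clients quota fills.
options {
    recursive-clients 1000;
    stale-answer-enable yes;
    stale-answer-client-timeout 0;
};

// Workaround until the resolver is upgraded: keep serve-stale, but do not
// answer clients from stale data on a zero timeout.
options {
    recursive-clients 1000;
    stale-answer-enable yes;
    stale-answer-client-timeout off;
};
```

Check the running configuration with `named-checkconf -p` after the change; a resolver that does not set `stale-answer-client-timeout` at all is not in the affected configuration, since the description requires both options together.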
|