| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| A vulnerability was discovered in the firmware builds up to 10.10.2.2 in Poly Clariti Manager devices. The flaw does not properly neutralize input during a web page generation. |
| A vulnerability was discovered in the firmware builds up to 10.10.2.2 in Poly Clariti Manager devices. The firmware flaw does not properly implement access controls. |
| A vulnerability was discovered in the firmware builds up to 10.10.2.2 in Poly Clariti Manager devices. The firmware contained multiple XSS vulnerabilities in the version of JavaScript used. |
| A lack of signature verification in the bootloader of DENX Software Engineering Das U-Boot (U-Boot) v1.1.3 allows attackers to install crafted firmware files, leading to arbitrary code execution. |
| Use of Implicit Intent for Sensitive Communication in Smart View prior to Android 16 allows local attackers to access sensitive information. |
| An issue was discovered in ExonautWeb in 4C Strategies Exonaut 21.6. Information disclosure can occur via an external HTTPS request. |
| Mattermost versions 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post types, which allows attackers to deny service to users with the sysconsole_read_plugins permission via creating a post with the custom_pl_notification type and specific props. |
| Mattermost versions 10.x <= 10.2 fail to accurately reflect missing settings, which allows confusion for admins regarding a Calls security-sensitive configuration via incorrect UI reporting. |
| An issue in CP Plus CP-VNR-3104 B3223P22C02424 allows attackers to obtain the EC private key and access sensitive data or execute a man-in-the-middle attack. |
| An issue in CP Plus CP-VNR-3104 B3223P22C02424 allows attackers to access the Diffie-Hellman (DH) parameters and access sensitive data or execute a man-in-the-middle attack. |
| IceWarp Server 10.2.1 is vulnerable to Cross Site Scripting (XSS) via the meta parameter. |
| Improper handling and storage of certificates in CP Plus CP-VNR-3104 B3223P22C02424 allow attackers to decrypt communications or execute a man-in-the-middle attacks. |
| An issue in CP Plus CP-VNR-3104 B3223P22C02424 allows attackers to obtain the second RSA private key and access sensitive data or execute a man-in-the-middle attack. |
| Out-of-bounds write in libsavscmn prior to Android 15 allows local attackers to cause memory corruption. |
| Uncontrolled Resource Consumption in Elasticsearch while evaluating specifically crafted search templates with Mustache functions can lead to Denial of Service by causing the Elasticsearch node to crash. |
| Unrestricted file upload in Kibana allows an authenticated attacker to compromise software integrity by uploading a crafted malicious file due to insufficient server-side validation. |
| Plenti <= 0.7.16 is vulnerable to code execution. Users uploading '.svelte' files with the /postLocal endpoint can define the file name as javascript codes. The server executes the uploaded file name in host, and cause code execution. |
| In JetBrains Ktor before 3.1.1 an HTTP Request Smuggling was possible |
| Vite is a frontend tooling framework for javascript. Prior to versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14, the contents of files in the project root that are denied by a file matching pattern can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected. Only files that are under project root and are denied by a file matching pattern can be bypassed. `server.fs.deny` can contain patterns matching against files (by default it includes .env, .env.*, *.{crt,pem} as such patterns). These patterns were able to bypass for files under `root` by using a combination of slash and dot (/.). This issue has been patched in versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14. |
| A vulnerability has been found in CodeCanyon Perfex CRM up to 3.2.1 and classified as problematic. This vulnerability affects unknown code of the file /contract of the component Contracts. The manipulation of the argument content leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. |
