Latest Vulnerabilities

In the past week, a significant number of vulnerabilities have emerged across various platforms, raising concerns for users and developers alike. Multiple instances of SQL injection and path traversal issues were reported, affecting applications like Apache Traffic Control and ColdFusion, which could allow attackers to manipulate data or gain unauthorized access. Unprivileged users could exploit weaknesses in systems like Gogs and Navidrome to execute arbitrary commands or read sensitive files. An interesting flaw in the Jinja library could enable unauthorized file writing, threatening server security. As these vulnerabilities pose serious risks, increased vigilance and prompt updates are essential.

CVE-2018-25106
webuidesigning NebulaX Theme Legacy.php nebula_send_to_hubspot sql injection
Severity: medium (6.5)

go/gogs.io/gogs
Impact: When the built-in SSH server is enabled (`[server] START_SSH_SERVER = true`), unprivileg…
Severity: critical (10)

go/gogs.io/gogs
Code Injection
Severity: critical (10)

go/gogs.io/gogs
Impact: Unprivileged user accounts can execute arbitrary commands on the Gogs instance with the …
Severity: critical (10)

go/gogs.io/gogs
SQL Injection
Severity: high (7.7)

rust/glib
The `VariantStrIter::impl_get` function (called internally by implementations of the `Iterator` and …

go/github.com/navidrome/navidrome
Navidrome stores the JWT secret in plaintext in the `navidrome.db` database file under the `property…
Severity: high (7.1)

maven/org.jboss.hal:hal-console
XSS

CVE-2024-53961
ColdFusion | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)
Severity: high (7.4)

rust/spl-token-swap
The library provides a safe public API `unpack` to cast `u8` array to arbitrary types, which can cau…

rust/libafl
The library breaks the safety assumptions when using unsafe API `slice::from_raw_parts_mut`. The poi…

rust/kvm-ioctls
An issue was identified in the `VmFd::create_device` function, leading to undefined behavior and mis…

go/github.com/apache/trafficcontrol/v8
SQL Injection
Severity: critical (10)

maven/org.apache.spark:spark-hive-thriftserver_2.12
Signing cookies is an application security feature that adds a digital signature to cookie data to v…

composer/shuchkin/simplexlsx
XSS
Severity: medium (6.8)

pip/jinja2
An oversight in how the Jinja sandboxed environment detects calls to `str.format` allows an attacker…

pip/jinja2
A bug in the Jinja compiler allows an attacker that controls both the content and filename of a temp…

go/gogs.io/gogs
Path Traversal

go/gogs.io/gogs
Path Traversal

CVE-2024-56363
APTRS has SSTI vulnerability
Severity: high (7.8)

go/github.com/navidrome/navidrome
Navidrome Stores JWT Secret in Plaintext in navidrome.db
Severity: high (7.1)

CVE-2024-53276
GHSL-2024-092: Open CORS policy in home-gallery
Severity: medium (6.3)

CVE-2024-53275
GHSL-2024-091: DNS rebinding attack in home-gallery
Severity: medium (5.3)

composer/shuchkin/simplexlsx
Cross-site Scripting vulnerability in SimpleXLSXEx::readThemeColors, SimpleXLSXEx::getColorValue and SimpleXLSX::toHTMLEx
Severity: medium (6.8)

pip/jinja2
Jinja has a sandbox breakout through indirect reference to format method
Severity: critical (10)

pip/jinja2
Jinja has a sandbox breakout through malicious filenames
Severity: high (8.8)

go/github.com/apache/trafficcontrol/v8
Apache Traffic Control: SQL Injection in Traffic Ops endpoint PUT deliveryservice_request_comments
Severity: critical (10)

maven/org.apache.spark:spark-hive-thriftserver_2.12
Apache Hive, Apache Spark, Apache Spark: CookieSigner exposes the correct signature when message verification fails
Severity: medium (5.9)

go/gogs.io/gogs
Gogs has a Path Traversal in file update API
Severity: high (8.7)

go/gogs.io/gogs
Gogs has a Path Traversal in file editing UI
Severity: critical (9.8)

CVE-2024-53256
Rizin has a command injection via RzBinInfo bclass due to legacy code
Severity: high (7.8)

CVE-2024-55539
Weak algorithm used to sign RPM package. The following products are affected: Acronis Cyber Protect …
Severity: low (2.5)

CVE-2024-12903
Incorrect default permissions in Biamp Evoko Home
Severity: high (7.8)

CVE-2024-12902
Global Wisdom Software ANCHOR - Undocumented Privileged Account
Severity: high (8.4)

CVE-2024-11230
Elementor Header & Footer Builder <= 1.6.46 - Authenticated (Contributor+) Stored Cross-Site Scripting via Page Title Widget
Severity: medium (6.4)

CVE-2024-12901
FoxCMS API Endpoint Site.php improper authorization
Severity: medium (6.9)

CVE-2024-12900
FoxCMS Configuration File installdb.php code injection
Severity: medium (6.5)

CVE-2024-12899
1000 Projects Attendance Tracking Management System course_action.php sql injection
Severity: high (7.5)

CVE-2024-54082
Command Injection, OS Command Injection
Severity: high (7.2)

CVE-2024-52321
Multiple SHARP routers contain an improper authentication vulnerability in the configuration backup …
Severity: medium (5.9)

CVE-2024-47864
Buffer Overflow
Severity: medium (5.3)

CVE-2024-46873
Multiple SHARP routers leave the hidden debug function enabled. An arbitrary OS command may be execu…
Severity: critical (9.8)

CVE-2024-45721
Command Injection, OS Command Injection
Severity: high (7.2)

CVE-2024-12898
1000 Projects Attendance Tracking Management System faculty_action.php sql injection
Severity: medium (6.5)

CVE-2024-40896
XXE

CVE-2024-12897
Intelbras VIP S4320 G2 Web Interface Sha1Account1 path traversal
Severity: medium (5.3)

CVE-2024-12896
Intelbras VIP S4320 G2 Web Interface webCapsConfig information disclosure
Severity: medium (6.9)

CVE-2024-12895
TreasureHuntGame TreasureHunt checkflag.php console_log sql injection
Severity: medium (6.5)

CVE-2024-12894
TreasureHuntGame TreasureHunt acesso.php sql injection
Severity: medium (6.5)

© 2024 SecAlerts Pty Ltd.