Export limit exceeded: 337617 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (337617 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-50588 | 1 Hasomed | 1 Elefant | 2024-11-08 | 9.8 Critical |
| An unauthenticated attacker with access to the local network of the medical office can use known default credentials to gain remote DBA access to the Elefant Firebird database. The data in the database includes patient data and login credentials among other sensitive data. In addition, this enables an attacker to create and overwrite arbitrary files on the server filesystem with the rights of the Firebird database ("NT AUTHORITY\SYSTEM"). | ||||
| CVE-2024-36064 | 1 Nllcom | 1 Acr Phone | 2024-11-08 | 6.2 Medium |
| The NLL com.nll.cb (aka ACR Phone) application through 0.330-playStore-NoAccessibility-arm8 for Android allows any installed application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.nll.cb.dialer.dialer.DialerActivity component. | ||||
| CVE-2024-51428 | 1 Expressif | 1 Esp Idf | 2024-11-08 | 7.5 High |
| An issue in Espressif Esp idf v5.3.0 allows attackers to cause a Denial of Service (DoS) via a crafted data channel packet. | ||||
| CVE-2024-50589 | 1 Hasomed | 1 Elefant | 2024-11-08 | 7.5 High |
| An unauthenticated attacker with access to the local network of the medical office can query an unprotected Fast Healthcare Interoperability Resources (FHIR) API to get access to sensitive electronic health records (EHR). | ||||
| CVE-2024-48290 | 1 Realtek | 1 Rtl8762ekf-evb Firmware | 2024-11-08 | 4.3 Medium |
| An issue in the Bluetooth Low Energy implementation of Realtek RTL8762E BLE SDK v1.4.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted ll_terminate_ind packet. | ||||
| CVE-2020-8007 | 1 Pwrstudio | 1 Ev Charger | 2024-11-08 | 9.8 Critical |
| The pwrstudio web application of EV Charger (in the server in Circontrol Raption through 5.6.2) is vulnerable to OS command injection via three fields of the configuration menu for ntpserver0, ntpserver1, and pingip. | ||||
| CVE-2024-50591 | 1 Hasomed | 1 Elefant Software Updater | 2024-11-08 | 7.8 High |
| An attacker with local access the to medical office computer can escalate his Windows user privileges to "NT AUTHORITY\SYSTEM" by exploiting a command injection vulnerability in the Elefant Update Service. The command injection can be exploited by communicating with the Elefant Update Service which is running as "SYSTEM" via Windows Named Pipes.The Elefant Software Updater (ESU) consists of two components. An ESU service which runs as "NT AUTHORITY\SYSTEM" and an ESU tray client which communicates with the service to update or repair the installation and is running with user permissions. The communication is implemented using named pipes. A crafted message of type "MessageType.SupportServiceInfos" can be sent to the local ESU service to inject commands, which are then executed as "NT AUTHORITY\SYSTEM". | ||||
| CVE-2024-50593 | 1 Hasomed | 1 Elefant | 2024-11-08 | 7.8 High |
| An attacker with local access to the medical office computer can access restricted functions of the Elefant Service tool by using a hard-coded "Hotline" password in the Elefant service binary, which is shipped with the software. | ||||
| CVE-2024-8424 | 2 Watchgua, Watchguard | 3 Panda Dome Firmware, Epdr Firmware, Panda Ad360 Firmware | 2024-11-08 | 7.8 High |
| Improper Privilege Management vulnerability in WatchGuard EPDR, Panda AD360 and Panda Dome on Windows (PSANHost.exe module) allows arbitrary file delete with SYSTEM permissions. This issue affects EPDR: before 8.00.23.0000; Panda AD360: before 8.00.23.0000; Panda Dome: before 22.03.00. | ||||
| CVE-2024-46961 | 1 Inshot.com | 1 X Downloader | 2024-11-08 | 8.1 High |
| The Inshot com.downloader.privatebrowser (aka Video Downloader - XDownloader) application through 1.3.5 for Android allows an attacker to execute arbitrary JavaScript code via the com.downloader.privatebrowser.activity.PrivateMainActivity component. | ||||
| CVE-2024-46960 | 1 Asdcom | 1 Hd Video Downloader | 2024-11-08 | 8.8 High |
| The ASD com.rocks.video.downloader (aka HD Video Downloader All Format) application through 7.0.129 for Android allows an attacker to execute arbitrary JavaScript code via the com.rocks.video.downloader.MainBrowserActivity component. | ||||
| CVE-2024-45794 | 1 Kubernetes | 1 Devtron | 2024-11-08 | 8.3 High |
| devtron is an open source tool integration platform for Kubernetes. In affected versions an authenticated user (with minimum permission) could utilize and exploit SQL Injection to allow the execution of malicious SQL queries via CreateUser API (/orchestrator/user). This issue has been addressed in version 0.7.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2024-36063 | 1 Goodwy Com | 1 Right Dialer | 2024-11-08 | 7.5 High |
| The Goodwy com.goodwy.dialer (aka Right Dialer) application through 5.1.0 for Android enables any application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.goodwy.dialer.activities.DialerActivity component. | ||||
| CVE-2024-10975 | 2024-11-08 | 7.7 High | ||
| Nomad Community and Nomad Enterprise ("Nomad") volume specification is vulnerable to arbitrary cross-namespace volume creation through unauthorized Container Storage Interface (CSI) volume writes. This vulnerability, identified as CVE-2024-10975, is fixed in Nomad Community Edition 1.9.2 and Nomad Enterprise 1.9.2, 1.8.7, and 1.7.15. | ||||
| CVE-2024-10526 | 1 Rapid7 | 1 Velociraptor | 2024-11-08 | N/A |
| Rapid7 Velociraptor MSI Installer versions below 0.73.3 suffer from a vulnerability whereby it creates the installation directory with WRITE_DACL permission to the BUILTIN\\Users group. This allows local users who are not administrators to grant themselves the Full Control permission on Velociraptor's files. By modifying Velociraptor's files, local users can subvert the binary and cause the Velociraptor service to execute arbitrary code as the SYSTEM user, or to replace the Velociraptor binary completely. This issue is fixed in version 0.73.3. | ||||
| CVE-2023-1973 | 1 Redhat | 2 Jboss Enterprise Application Platform, Jboss Enterprise Application Platform Eus | 2024-11-08 | 7.5 High |
| A flaw was found in Undertow package. Using the FormAuthenticationMechanism, a malicious user could trigger a Denial of Service by sending crafted requests, leading the server to an OutofMemory error, exhausting the server's memory. | ||||
| CVE-2024-51434 | 1 Froala | 1 Wysiwyg Editon | 2024-11-08 | 6.1 Medium |
| Inconsistent <plaintext> tag parsing allows for XSS in Froala WYSIWYG editor 4.3.0 and earlier. | ||||
| CVE-2024-9579 | 2 Hp, Poly | 24 Poly Studio G62, Poly Studio G62 Firmware, Poly Studio G7500 and 21 more | 2024-11-08 | 7.5 High |
| A potential vulnerability was discovered in certain Poly video conferencing devices. The firmware flaw does not properly sanitize user input. The exploitation of this vulnerability is dependent on a layered attack and cannot be exploited by itself. | ||||
| CVE-2024-49522 | 1 Adobe | 1 Substance 3d Painter | 2024-11-08 | 7.8 High |
| Substance3D - Painter versions 10.0.1 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | ||||
| CVE-2024-10452 | 1 Grafana | 1 Grafana | 2024-11-08 | 2.2 Low |
| Organization admins can delete pending invites created in an organization they are not part of. | ||||