Skip to main content
CVE-2024-41592 HIGH POC This Week

DrayTek Vigor3910 devices through 4.3.2.6 have a stack-based overflow when processing query string parameters because GetCGI mishandles extraneous ampersand characters and long key-value pairs. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Stack Overflow Vigor2952 Firmware Vigor2620 Firmware Vigor2915 Firmware +21
NVD
CVSS 3.1
8.0
EPSS
1.4%
CVE-2024-39755 HIGH POC This Week

A privilege escalation vulnerability exists in the node update functionality of Veertu Anka Build 1.42.0. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Privilege Escalation Anka Build Cloud
NVD
CVSS 3.1
7.8
EPSS
0.4%
CVE-2024-41922 HIGH POC This Week

A directory traversal vulnerability exists in the log files download functionality of Veertu Anka Build 1.42.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Anka Build Cloud
NVD
CVSS 3.1
7.5
EPSS
8.1%
CVE-2024-41163 HIGH POC THREAT This Week

A directory traversal vulnerability exists in the archive functionality of Veertu Anka Build 1.42.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Anka Build Cloud
NVD
CVSS 3.1
7.5
EPSS
52.5%
CVE-2024-45870 MEDIUM POC This Month

Bandisoft BandiView 7.05 is vulnerable to Incorrect Access Control in sub_0x3d80fc via a crafted POC file. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Bandiview
NVD GitHub
CVSS 3.1
6.5
EPSS
0.4%
CVE-2024-45872 MEDIUM POC This Month

Bandisoft BandiView 7.05 is vulnerable to Buffer Overflow via sub_0x410d1d. Rated medium severity (CVSS 6.3), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Heap Overflow Buffer Overflow Bandiview
NVD GitHub
CVSS 3.1
6.3
EPSS
0.4%
CVE-2024-45871 MEDIUM POC This Month

Bandisoft BandiView 7.05 is Incorrect Access Control via sub_0x232bd8 resulting in denial of service (DOS). Rated medium severity (CVSS 6.3), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Bandiview
NVD GitHub
CVSS 3.1
6.3
EPSS
0.4%
CVE-2024-41593 CRITICAL Act Now

DrayTek Vigor310 devices through 4.3.2.6 allow a remote attacker to execute arbitrary code via the function ft_payload_dns(), because a byte sign-extension operation occurs for the length argument of. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Memory Corruption Vigor3912 Firmware Vigor2962 Firmware +22
NVD
CVSS 3.1
9.8
EPSS
0.9%
CVE-2024-7826 CRITICAL Act Now

Improper Check for Unusual or Exceptional Conditions vulnerability in Webroot SecureAnywhere - Web Shield on Windows, ARM, 64 bit, 32 bit (wrURL.Dll modules) allows Functionality Misuse.1.2.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Microsoft Secureanywhere Web Shield
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2024-7825 CRITICAL Act Now

Access of Resource Using Incompatible Type ('Type Confusion') vulnerability in Webroot SecureAnywhere - Web Shield on Windows, ARM, 64 bit, 32 bit (wrUrl.Dll modules) allows Functionality. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Microsoft Memory Corruption Secureanywhere Web Shield
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2024-7824 CRITICAL Act Now

Access of Resource Using Incompatible Type ('Type Confusion') vulnerability in Webroot SecureAnywhere - Web Shield on Windows, ARM, 64 bit, 32 bit (wrUrl.Dll modules) allows Functionality. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Microsoft Memory Corruption Secureanywhere Web Shield
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2024-45367 CRITICAL Act Now

The web server for ONS-S8 - Spectra Aggregation Switch includes an incomplete authentication process, which can lead to an attacker authenticating without a password. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 4.0
9.3
EPSS
0.5%
CVE-2024-43699 CRITICAL Act Now

Delta Electronics DIAEnergie is vulnerable to an SQL injection in the script AM_RegReport.aspx. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Diaenergie
NVD
CVSS 4.0
9.3
EPSS
0.5%
CVE-2024-41925 CRITICAL Act Now

The web service for ONS-S8 - Spectra Aggregation Switch includes functions which do not properly validate user input, allowing an attacker to traverse directories, bypass authentication, and execute. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

LFI PHP Authentication Bypass
NVD
CVSS 4.0
9.3
EPSS
0.7%
CVE-2024-41988 CRITICAL Act Now

TEM Opera Plus FM Family Transmitter allows access to an unprotected endpoint that allows MPFS File System binary image upload without authentication. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass RCE
NVD
CVSS 4.0
9.3
EPSS
0.6%
CVE-2024-47561 CRITICAL PATCH Act Now

Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code. Rated critical severity (CVSS 9.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization RCE Apache Java Avro +2
NVD
CVSS 4.0
9.2
EPSS
3.3%
CVE-2024-41589 HIGH This Week

DrayTek Vigor310 devices through 4.3.2.6 use unencrypted HTTP for authentication requests. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Vigor3910 Firmware
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2024-9313 HIGH PATCH This Week

Authd PAM module before version 0.3.5 can allow broker-managed users to impersonate any other user managed by the same broker and perform any PAM operation with it, including authenticating as them. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Authd
NVD GitHub
CVSS 3.1
8.8
EPSS
0.6%
CVE-2024-42417 HIGH This Week

Delta Electronics DIAEnergie is vulnerable to an SQL injection in the script Handler_CFG.ashx. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Diaenergie
NVD
CVSS 4.0
8.7
EPSS
6.8%
CVE-2024-41987 HIGH This Week

The TEM Opera Plus FM Family Transmitter application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF
NVD
CVSS 4.0
8.6
EPSS
0.2%
CVE-2023-37822 HIGH This Week

The Eufy Homebase 2 before firmware version 3.3.4.1h creates a dedicated wireless network for its ecosystem, which serves as a proxy to the end user's primary network. Rated high severity (CVSS 8.2), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Homebase 2 Firmware
NVD
CVSS 3.1
8.2
EPSS
0.3%
CVE-2024-46658 HIGH This Week

Syrotech SY-GOPON-8OLT-L3 v1.6.0_240629 was discovered to contain an authenticated command injection vulnerability. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. No vendor patch available.

Command Injection
NVD GitHub
CVSS 3.1
8.0
EPSS
23.7%
CVE-2024-41596 HIGH This Week

Buffer Overflow vulnerabilities exist in DrayTek Vigor310 devices through 4.3.2.6 (in the Vigor management UI) because of improper retrieval and handling of the CGI form parameters. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. No vendor patch available.

Buffer Overflow Vigor2620 Firmware Vigor2915 Firmware Vigor2866 Firmware Vigor2766 Firmware +20
NVD
CVSS 3.1
8.0
EPSS
0.3%
CVE-2024-41595 HIGH This Week

DrayTek Vigor310 devices through 4.3.2.6 allow a remote attacker to change settings or cause a denial of service via .cgi pages because of missing bounds checks on read and write operations. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. No vendor patch available.

Buffer Overflow Information Disclosure Denial Of Service Vigor3910 Firmware
NVD
CVSS 3.1
8.0
EPSS
0.3%
CVE-2024-41590 HIGH This Week

Several CGI endpoints are vulnerable to buffer overflows, by authenticated users, because of missing bounds checking on parameters passed through POST requests to the strcpy function on DrayTek. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. No vendor patch available.

Buffer Overflow Stack Overflow Vigor2765 Firmware Vigor2763 Firmware Vigor2135 Firmware +21
NVD
CVSS 3.1
8.0
EPSS
0.3%
CVE-2024-41588 HIGH This Week

The CGI endpoints v2x00.cgi and cgiwcg.cgi of DrayTek Vigor3910 devices through 4.3.2.6 are vulnerable to buffer overflows, by authenticated users, because of missing bounds checking on parameters. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. No vendor patch available.

Buffer Overflow Vigor2620 Firmware Vigor2915 Firmware Vigor2866 Firmware Vigor2766 Firmware +20
NVD
CVSS 3.1
8.0
EPSS
0.3%
CVE-2024-41586 HIGH This Week

A stack-based Buffer Overflow vulnerability in DrayTek Vigor310 devices through 4.3.2.6 allows a remote attacker to execute arbitrary code via a long query string to the cgi-bin/ipfedr.cgi component. Rated high severity (CVSS 8.0), this vulnerability is low attack complexity. No vendor patch available.

Buffer Overflow Stack Overflow RCE Vigor3910 Firmware
NVD
CVSS 3.1
8.0
EPSS
0.5%
CVE-2024-42415 HIGH This Week

An integer overflow vulnerability exists in the Compound Document Binary File format parser of v1.14.52 of the GNOME Project G Structured File Library (libgsf). Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Integer Overflow RCE Buffer Overflow Libgsf
NVD
CVSS 3.1
7.8
EPSS
0.5%
CVE-2024-36474 HIGH This Week

An integer overflow vulnerability exists in the Compound Document Binary File format parser of the GNOME Project G Structured File Library (libgsf) version v1.14.52. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Integer Overflow RCE Libgsf
NVD
CVSS 3.1
7.8
EPSS
0.4%
CVE-2024-47136 HIGH This Week

Out-of-bounds read vulnerability exists in Kostac PLC Programming Software (Former name: Koyo PLC Programming Software) Version 1.6.14.0 and earlier. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Information Disclosure RCE Kostac Plc
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2024-47135 HIGH This Week

Stack-based buffer overflow vulnerability exists in Kostac PLC Programming Software (Former name: Koyo PLC Programming Software) Version 1.6.14.0 and earlier. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Information Disclosure Stack Overflow RCE Kostac Plc
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2024-47134 HIGH This Week

Out-of-bounds write vulnerability exists in Kostac PLC Programming Software (Former name: Koyo PLC Programming Software) Version 1.6.14.0 and earlier. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Information Disclosure RCE Memory Corruption Kostac Plc Programming Software
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2024-41594 HIGH This Week

An issue in DrayTek Vigor310 devices through 4.3.2.6 allows an attacker to obtain sensitive information because the httpd server of the Vigor management UI uses a static string for seeding the PRNG. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure OpenSSL Vigor2620 Firmware Vigor2915 Firmware Vigor2866 Firmware +21
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2024-5803 HIGH This Week

The AVGUI.exe of AVG/Avast Antivirus before versions before 24.1 can allow a local attacker to escalate privileges via an COM hijack in a time-of-check to time-of-use (TOCTOU) when self protection is. Rated high severity (CVSS 7.5). No vendor patch available.

Privilege Escalation
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2024-47614 HIGH PATCH This Week

async-graphql is a GraphQL server library implemented in Rust. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service
NVD GitHub
CVSS 3.1
7.5
EPSS
0.6%
CVE-2024-8352 HIGH PATCH This Week

The Social Web Suite - Social Media Auto Post, Social Media Auto Publish plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 4.1.11 via the download_log. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal WordPress Social Web Suite
NVD
CVSS 3.1
7.5
EPSS
1.0%
CVE-2024-9460 MEDIUM This Month

A vulnerability was found in Codezips Online Shopping Portal 1.0. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi PHP Online Shopping Portal
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.7%
CVE-2024-41585 MEDIUM This Month

DrayTek Vigor3910 devices through 4.3.2.6 are affected by an OS command injection vulnerability that allows an attacker to leverage the recvCmd binary to escape from the emulated instance and inject. Rated medium severity (CVSS 6.8), this vulnerability is low attack complexity. No vendor patch available.

Command Injection Vigor3910 Firmware
NVD
CVSS 3.1
6.8
EPSS
0.8%
CVE-2024-9100 MEDIUM This Month

Zohocorp ManageEngine Analytics Plus versions before 5410 and Zoho Analytics On-Premise versions before 5410 are vulnerable to Path traversal. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Zoho
NVD
CVSS 3.1
6.5
EPSS
0.5%
CVE-2024-8159 MEDIUM This Month

Deep Freeze 9.00.020.5760 is vulnerable to an out-of-bounds read vulnerability by triggering the 0x70014 IOCTL code of the FarDisk.sys driver. Rated medium severity (CVSS 6.4). No vendor patch available.

Buffer Overflow Information Disclosure
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2024-41591 MEDIUM This Month

DrayTek Vigor3910 devices through 4.3.2.6 allow unauthenticated DOM-based reflected XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Vigor2620 Firmware Vigor2915 Firmware Vigor2866 Firmware Vigor2766 Firmware +20
NVD
CVSS 3.1
6.1
EPSS
0.3%
CVE-2024-47617 MEDIUM PATCH This Month

Sulu is a PHP content management system. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

PHP XSS Sulu
NVD GitHub
CVSS 3.1
6.1
EPSS
0.3%
CVE-2024-34535 MEDIUM This Month

In Mastodon 4.1.6, API endpoint rate limiting can be bypassed by setting a crafted HTTP request header. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable. No vendor patch available.

Authentication Bypass Request Smuggling Mastodon
NVD GitHub
CVSS 3.1
5.9
EPSS
0.4%
CVE-2024-47762 MEDIUM PATCH This Month

Backstage is an open framework for building developer portals. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD GitHub
CVSS 3.1
5.8
EPSS
0.4%
CVE-2024-41587 MEDIUM This Month

Stored XSS, by authenticated users, is caused by poor sanitization of the Login Page Greeting message in DrayTek Vigor310 devices through 4.3.2.6. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Vigor3910 Firmware Vigor3912 Firmware Vigor2962 Firmware Vigor165 Firmware +20
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2024-47618 MEDIUM PATCH This Month

Sulu is a PHP content management system. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

PHP XSS Sulu
NVD GitHub
CVSS 4.0
5.1
EPSS
0.4%
CVE-2024-9266 MEDIUM PATCH This Month

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Express. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Open Redirect
NVD HeroDevs
CVSS 3.1
4.7
EPSS
0.4%
CVE-2024-41584 MEDIUM This Month

DrayTek Vigor3910 devices through 4.3.2.6 are vulnerable to reflected XSS by authenticated users, caused by missing validation of the sFormAuthStr parameter. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Vigor3910 Firmware
NVD
CVSS 3.1
4.7
EPSS
0.3%
CVE-2024-41583 MEDIUM This Month

DrayTek Vigor3910 devices through 4.3.2.6 are vulnerable to stored Cross Site Scripting (XSS) by authenticated users due to poor sanitization of the router name. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Vigor3910 Firmware
NVD
CVSS 3.1
4.7
EPSS
0.3%
CVE-2024-47554 MEDIUM PATCH This Month

Uncontrolled Resource Consumption vulnerability in Apache Commons IO. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Denial Of Service Commons Io Active Iq Unified Manager Bluexp +5
NVD
CVSS 3.1
4.3
EPSS
1.2%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy