Search Results (1502 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2019-9514 13 Apache, Apple, Canonical and 10 more 44 Traffic Server, Mac Os X, Swiftnio and 41 more 2025-01-14 7.5 High
Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.
CVE-2019-9515 12 Apache, Apple, Canonical and 9 more 36 Traffic Server, Mac Os X, Swiftnio and 33 more 2025-01-14 7.5 High
Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
CVE-2023-2947 1 Open-emr 1 Openemr 2025-01-14 4.8 Medium
Cross-site Scripting (XSS) - Stored in GitHub repository openemr/openemr prior to 7.0.1.
CVE-2023-2948 1 Open-emr 1 Openemr 2025-01-14 6.1 Medium
Cross-site Scripting (XSS) - Generic in GitHub repository openemr/openemr prior to 7.0.1.
CVE-2023-2442 1 Gitlab 1 Gitlab 2025-01-07 8.7 High
An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.11 before 15.11.7, all versions starting from 16.0 before 16.0.2. A specially crafted merge request could lead to a stored XSS on the client side which allows attackers to perform arbitrary actions on behalf of victims.
CVE-2023-20888 1 Vmware 1 Vrealize Network Insight 2025-01-07 8.8 High
Aria Operations for Networks contains an authenticated deserialization vulnerability. A malicious actor with network access to VMware Aria Operations for Networks and valid 'member' role credentials may be able to perform a deserialization attack resulting in remote code execution.
CVE-2022-21972 1 Microsoft 23 Windows 10, Windows 10 1507, Windows 10 1607 and 20 more 2025-01-02 8.1 High
Windows Point-to-Point Tunneling Protocol Remote Code Execution Vulnerability
CVE-2022-26809 1 Microsoft 22 Windows 10, Windows 10 1507, Windows 10 1607 and 19 more 2025-01-02 9.8 Critical
Remote Procedure Call Runtime Remote Code Execution Vulnerability
CVE-2022-21907 1 Microsoft 11 Windows 10, Windows 10 1809, Windows 10 20h2 and 8 more 2025-01-02 9.8 Critical
HTTP Protocol Stack Remote Code Execution Vulnerability
CVE-2023-35628 1 Microsoft 22 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 19 more 2025-01-01 8.1 High
Windows MSHTML Platform Remote Code Execution Vulnerability
CVE-2023-21758 1 Microsoft 13 Windows 10, Windows 10 1507, Windows 10 1607 and 10 more 2025-01-01 7.5 High
Windows Internet Key Exchange (IKE) Extension Denial of Service Vulnerability
CVE-2023-21547 1 Microsoft 15 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 12 more 2025-01-01 7.5 High
Internet Key Exchange (IKE) Protocol Denial of Service Vulnerability
CVE-2023-35813 1 Sitecore 4 Experience Commerce, Experience Manager, Experience Platform and 1 more 2024-12-17 9.8 Critical
Multiple Sitecore products allow remote code execution. This affects Experience Manager, Experience Platform, and Experience Commerce through 10.3.
CVE-2024-53675 1 Hpe 1 Insight Remote Support 2024-12-12 7.3 High
An XML external entity injection (XXE) vulnerability in HPE Insight Remote Support may allow remote users to disclose information in certain cases.
CVE-2018-0101 1 Cisco 2 Adaptive Security Appliance Software, Firepower Threat Defense 2024-12-02 N/A
A vulnerability in the Secure Sockets Layer (SSL) VPN functionality of the Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code. The vulnerability is due to an attempt to double free a region of memory when the webvpn feature is enabled on the Cisco ASA device. An attacker could exploit this vulnerability by sending multiple, crafted XML packets to a webvpn-configured interface on the affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system, or cause a reload of the affected device. This vulnerability affects Cisco ASA Software that is running on the following Cisco products: 3000 Series Industrial Security Appliance (ISA), ASA 5500 Series Adaptive Security Appliances, ASA 5500-X Series Next-Generation Firewalls, ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers, ASA 1000V Cloud Firewall, Adaptive Security Virtual Appliance (ASAv), Firepower 2100 Series Security Appliance, Firepower 4110 Security Appliance, Firepower 9300 ASA Security Module, Firepower Threat Defense Software (FTD). Cisco Bug IDs: CSCvg35618.
CVE-2023-36469 1 Xwiki 1 Xwiki 2024-11-26 10 Critical
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user who can edit their own user profile and notification settings can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to all wiki contents. This has been patched in XWiki 14.10.6 and 15.2RC1. Users are advised to update. As a workaround the main security fix can be manually applied by patching the affected document `XWiki.Notifications.Code.NotificationRSSService`. This will break the link to the differences, though as this requires additional changes to Velocity templates as shown in the patch. While the default template is available in the instance and can be easily patched, the template for mentions is contained in a `.jar`-file and thus cannot be fixed without replacing that jar.
CVE-2024-11320 1 Pandorafms 1 Pandora Fms 2024-11-26 9.8 Critical
Arbitrary commands execution on the server by exploiting a command injection vulnerability in the LDAP authentication mechanism. This issue affects Pandora FMS: from 700 through <=777.4
CVE-2018-15379 1 Cisco 1 Prime Infrastructure 2024-11-26 N/A
A vulnerability in which the HTTP web server for Cisco Prime Infrastructure (PI) has unrestricted directory permissions could allow an unauthenticated, remote attacker to upload an arbitrary file. This file could allow the attacker to execute commands at the privilege level of the user prime. This user does not have administrative or root privileges. The vulnerability is due to an incorrect permission setting for important system directories. An attacker could exploit this vulnerability by uploading a malicious file by using TFTP, which can be accessed via the web-interface GUI. A successful exploit could allow the attacker to run commands on the targeted application without authentication.
CVE-2018-15381 1 Cisco 1 Unity Express 2024-11-26 N/A
A Java deserialization vulnerability in Cisco Unity Express (CUE) could allow an unauthenticated, remote attacker to execute arbitrary shell commands with the privileges of the root user. The vulnerability is due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit this vulnerability by sending a malicious serialized Java object to the listening Java Remote Method Invocation (RMI) service. A successful exploit could allow the attacker to execute arbitrary commands on the device with root privileges.
CVE-2024-10914 1 Dlink 8 Dns-320, Dns-320 Firmware, Dns-320lw and 5 more 2024-11-24 8.1 High
A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. It has been declared as critical. Affected by this vulnerability is the function cgi_user_add of the file /cgi-bin/account_mgr.cgi?cmd=cgi_user_add. The manipulation of the argument name leads to os command injection. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.