6.5
CVE-2024-55652 - PwnDoc Server-Side Template Injection vulnerability - Sandbox Escape to RCE using custom filters
PenDoc is a penetration testing reporting application. Prior to commit 1d4219c596f4f518798492e48386a20c6e9a2fe6, an attacker can write a malicious docx template containing expressions that escape the JavaScript sandbox to execute arbitrary code on the system. An attacker who can control the contentโฆ
6.6
CVE-2024-53845 - AES/CBC Constant IV Vulnerability in ESPTouch v2
ESPTouch is a connection protocol for internet of things devices. In the ESPTouchV2 protocol, while there is an option to use a custom AES key, there is no option to set the IV (Initialization Vector) prior to versions 5.3.2, 5.2.4, 5.1.6, and 5.0.8. The IV is set to zero and remains constant throuโฆ
5.3
CVE-2024-12490 - code-projects Online Class and Exam Scheduling System teacher_save.php sql injection
A vulnerability was found in code-projects Online Class and Exam Scheduling System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /pages/teacher_save.php. The manipulation of the argument salut leads to sql injection. The attack can be initiated remotely.โฆ
2
CVE-2024-53274 - GHSL-2024-111: Reflected XSS in /home in habitica
Habitica is an open-source habit-building program. Versions prior to 5.28.5 are vulnerable to reflected cross-site scripting. The `register` function in `home.vue` containsa reflected XSS vulnerability due to an incorrect sanitization function. An attacker can specify a malicious `redirectTo` paramโฆ
5
CVE-2024-53273 - GHSL-2024-110: Reflected XSS in /register in habitica
Habitica is an open-source habit-building program. Versions prior to 5.28.5 are vulnerable to reflected cross-site scripting. The `register` function in `RegisterLoginReset.vue` contains a reflected XSS vulnerability due to an incorrect sanitization function. An attacker can specify a malicious `reโฆ
5
CVE-2024-53272 - GHSL-2024-109: Reflected XSS in /login in habitica
Habitica is an open-source habit-building program. Versions prior to 5.28.5 are vulnerable to reflected cross-site scripting. The `login` and `social media` function in `RegisterLoginReset.vue` contains two reflected XSS vulnerabilities due to an incorrect sanitization function. An attacker can speโฆ
8.1
CVE-2024-45404 - OpenCTI's lack of Rate Limit lead to OTP brute forcing
OpenCTI is an open-source cyber threat intelligence platform. In versions below 6.2.18, because the function to limit the rate of OTP does not exist, an attacker with valid credentials or a malicious user who commits internal fraud can break through the two-factor authentication and hijack the accoโฆ
5.3
CVE-2024-12489 - code-projects Online Class and Exam Scheduling System term.php sql injection
A vulnerability was found in code-projects Online Class and Exam Scheduling System 1.0. It has been classified as critical. This affects an unknown part of the file /pages/term.php. The manipulation of the argument id leads to sql injection. It is possible to initiate the attack remotely. The exploโฆ
7.8
CVE-2024-11872 - Epic Games Launcher Incorrect Default Permissions Local Privilege Escalation Vulnerability
Epic Games Launcher Incorrect Default Permissions Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Epic Games Launcher. An attacker must first obtain the ability to execute low-privileged code on the target systeโฆ
8.8
CVE-2024-11949 - GFI Archiver Store Service Deserialization of Untrusted Data Remote Code Execution Vulnerability
GFI Archiver Store Service Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GFI Archiver. Authentication is required to exploit this vulnerability. The specific flaw exists withiโฆ