7.8

CVSS3.0

CVE-2024-12834 - Delta Electronics DRASimuCAD STP File Parsing Type Confusion Remote Code Execution Vulnerability

Delta Electronics DRASimuCAD STP File Parsing Type Confusion Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Delta Electronics DRASimuCAD. User interaction is required to exploit this vulnerability in that the ta…

📅 Published: Dec. 30, 2024, 4:49 p.m. 🔄 Last Modified: July 11, 2025, 6:21 p.m.

7.9

CVSS4.0

CVE-2024-56734 - Better Auth has an Open Redirect Vulnerability in Verify Email Endpoint

Better Auth is an authentication library for TypeScript. An open redirect vulnerability has been identified in the verify email endpoint of all versions of Better Auth prior to v1.1.6, potentially allowing attackers to redirect users to malicious websites. This issue affects users relying on email …

📅 Published: Dec. 30, 2024, 4:48 p.m. 🔄 Last Modified: Oct. 20, 2025, 4:15 p.m.
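The bug class above, a verification endpoint that forwards to a caller-supplied URL, is fixed by validating the redirect target before issuing the 302. The validator below is an added illustration in Python, not Better Auth's own code; the allowlisted host and the sample URLs are constructed for the example. It rejects the usual bypasses (protocol-relative `//host`, backslash variants, `user@host` authority tricks, non-HTTP schemes) and falls back to a fixed default path.

```python
from urllib.parse import urlsplit

# Hosts this deployment may redirect to (constructed value for the example).
ALLOWED_HOSTS = {"app.example.com"}


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only if `target` stays on this site or goes to an allowlisted host."""
    if not target:
        return False
    # Browsers treat a backslash as a slash, so normalise before parsing;
    # otherwise "/\evil.example" parses as a path but navigates off-site.
    target = target.replace("\\", "/")
    parts = urlsplit(target)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False  # javascript:, data:, etc.
    if parts.netloc:
        # Absolute or protocol-relative URL: the host must match exactly, and an
        # authority with userinfo ("app.example.com@evil.example") is refused.
        host = (parts.hostname or "").lower()
        return not parts.username and host in allowed_hosts
    # Relative target: a single leading slash; "//..." would be protocol-relative.
    return target.startswith("/") and not target.startswith("//")


def safe_redirect_target(requested: str, default: str = "/") -> str:
    """Return the requested URL if it passes, otherwise a fixed safe default."""
    return requested if is_safe_redirect(requested) else default
```

Compare hosts exactly rather than with `startswith` or `endswith`; `app.example.com.evil.example` ends with the allowlisted name and is still an attacker host.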

8.8

CVSS3.1

CVE-2024-12828 - Webmin CGI Command Injection Remote Code Execution Vulnerability

Webmin CGI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Webmin. Authentication is required to exploit this vulnerability. The specific flaw exists within the handling of CGI requests. The i…

📅 Published: Dec. 30, 2024, 4:48 p.m. 🔄 Last Modified: Aug. 14, 2025, 6:41 p.m.

5.7

CVSS3.1

CVE-2024-56733 - Password Pusher Allows Session Token Interception Leading to Potential Hijacking

Password Pusher is an open source application to communicate sensitive information over the web. A vulnerability has been reported in versions 1.50.3 and prior where an attacker can copy the session cookie before a user logs out, potentially allowing session hijacking. Although the session token is…

📅 Published: Dec. 30, 2024, 4:46 p.m. 🔄 Last Modified: April 15, 2026, 12:35 a.m.
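The failure described above, a cookie copied before logout that still works afterwards, is what happens when logout only clears the browser's cookie and the server keeps honouring the token. The snippet below is an added illustration in Python, not Password Pusher's code; the in-memory store, user names and TTL are constructed for the example. It shows both logout variants side by side and a check that tells them apart.

```python
import secrets
import time


class SessionStore:
    """Server-side session registry (constructed, in-memory; a real app uses a DB/Redis)."""

    def __init__(self, ttl_seconds: int = 3600):
        self._sessions = {}  # token -> (user_id, expires_at)
        self.ttl = ttl_seconds

    def create(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[token] = (user_id, time.time() + self.ttl)
        return token

    def user_for(self, token: str):
        """Resolve a presented token; expired or revoked tokens yield None."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user_id, expires_at = entry
        if time.time() > expires_at:
            self._sessions.pop(token, None)
            return None
        return user_id

    def revoke(self, token: str) -> None:
        self._sessions.pop(token, None)

    def revoke_all_for(self, user_id: str) -> int:
        """Kill every session of a user (password change, 'log out everywhere')."""
        doomed = [t for t, (u, _) in self._sessions.items() if u == user_id]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)


def logout_clears_cookie_only(store: SessionStore, cookie_jar: dict) -> None:
    """Weak logout: the browser forgets the token, the server does not."""
    cookie_jar.pop("session", None)


def logout_revokes_server_side(store: SessionStore, cookie_jar: dict) -> None:
    """Hardened logout: the server-side record is deleted, so a copied token is dead."""
    token = cookie_jar.pop("session", None)
    if token:
        store.revoke(token)


def stolen_token_still_valid(hardened: bool) -> bool:
    """Simulate: attacker copies the cookie, victim logs out, attacker replays the copy."""
    store = SessionStore()
    jar = {"session": store.create("alice")}
    stolen = jar["session"]  # copied before logout (XSS, shared machine, proxy log...)
    logout = logout_revokes_server_side if hardened else logout_clears_cookie_only
    logout(store, jar)
    return store.user_for(stolen) == "alice"
```

The same server-side revocation should run on password change and on "log out of all devices", which is what `revoke_all_for` models; a short TTL limits the window but does not close it.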

5.3

CVSS4.0

CVE-2024-56517 - LGSL has a reflected XSS at /lgsl_files/lgsl_list.php

LGSL (Live Game Server List) provides online status lists for online video games. Versions up to and including 6.2.1 contain a reflected cross-site scripting vulnerability in the `Referer` HTTP header. The vulnerability allows attackers to inject arbitrary JavaScript code, which is reflected in the…

📅 Published: Dec. 30, 2024, 4:36 p.m. 🔄 Last Modified: April 15, 2026, 12:35 a.m.

6.9

CVSS4.0

CVE-2024-56516 - free-one-api uses md5 for password storage

free-one-api allows users to access large language model reverse engineering libraries through the standard OpenAI API format. In versions up to and including 1.0.1, MD5 is used to hash passwords before sending them to the backend. MD5 is a cryptographically broken hashing algorithm and is no longe…

📅 Published: Dec. 30, 2024, 4:19 p.m. 🔄 Last Modified: April 15, 2026, 12:35 a.m.
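To make the MD5 point concrete: an unsalted fast hash gives identical output for identical passwords and can be reversed by hashing a wordlist once, and hashing on the client before transmission does not help, because the hash then simply becomes the password-equivalent the server accepts. The code below is an added illustration in Python, not free-one-api's code; it contrasts the described MD5 scheme with a salted PBKDF2-HMAC-SHA256 verifier (the iteration count follows current OWASP guidance; the sample passwords and wordlist are constructed).

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional


def md5_hash(password: str) -> str:
    """What the advisory describes: unsalted MD5. Fast, no work factor, no salt."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def md5_dictionary_attack(target_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """Unsalted MD5 reverses by hashing each candidate once and comparing."""
    for candidate in wordlist:
        if md5_hash(candidate) == target_hex:
            return candidate
    return None


PBKDF2_ITERATIONS = 600_000  # OWASP recommendation for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash stored as 'algo$iterations$salt$digest' (all hex)."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # not a record this verifier produced (e.g. a bare MD5 hex)
    _, iterations, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))
```

Migrating existing MD5 records is done lazily: keep the old digest, and on the next successful login re-hash the plaintext with `hash_password` and overwrite the record.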

4.3

CVSS3.1

CVE-2024-52294 - khoj has an IDOR in subscription management that allows unauthorized subscription modifications

Khoj is a self-hostable artificial intelligence app. Prior to version 1.29.10, an Insecure Direct Object Reference (IDOR) vulnerability in the update_subscription endpoint allows any authenticated user to manipulate other users' Stripe subscriptions by simply modifying the email parameter in the re…

📅 Published: Dec. 30, 2024, 4:14 p.m. 🔄 Last Modified: April 15, 2026, 12:35 a.m.
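The IDOR pattern above, a handler that selects the target account from a request parameter instead of from the authenticated session, is shown below in both forms. This is an added illustration in Python, not Khoj's code; the `Request` stand-in, the subscription table and the e-mail addresses are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Request:
    """Constructed stand-in for an HTTP request: the session's identity plus body params."""
    authenticated_email: str
    params: dict = field(default_factory=dict)


# Constructed subscription table keyed by account e-mail.
SUBSCRIPTIONS = {"alice@example.com": "free", "bob@example.com": "pro"}


def update_subscription_vulnerable(req: Request, subscriptions: dict) -> str:
    """IDOR: the account to modify is taken from the request body, so any logged-in
    user can name any other user's e-mail."""
    email = req.params["email"]
    subscriptions[email] = req.params["plan"]
    return email


def update_subscription_fixed(req: Request, subscriptions: dict) -> str:
    """Fix: act only on the authenticated principal. An e-mail parameter, if still
    accepted for compatibility, must equal the caller's own address."""
    email = req.authenticated_email
    supplied = req.params.get("email")
    if supplied is not None and supplied.strip().lower() != email.lower():
        raise PermissionError("cannot modify another user's subscription")
    subscriptions[email] = req.params["plan"]
    return email


def try_update(handler, req: Request, subscriptions: dict) -> str:
    """Run a handler and report which account it changed, or 'denied'."""
    try:
        return handler(req, subscriptions)
    except PermissionError:
        return "denied"
```

The fix is a change of data source, not an added check: once the account key comes from the session, there is nothing in the request for the attacker to tamper with.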

7.2

CVSS3.1

CVE-2024-54181 - IBM WebSphere Automation command injection

IBM WebSphere Automation 1.7.5 could allow a remote privileged user, who has authorized access to the swagger UI, to execute arbitrary code. Using specially crafted input, the user could exploit this vulnerability to execute arbitrary code on the system.

📅 Published: Dec. 30, 2024, 1:41 p.m. 🔄 Last Modified: March 28, 2025, 4:32 p.m.

9.3

CVSS3.0

CVE-2024-10044 - SSRF in POST /worker_generate_stream API endpoint in lm-sys/fastchat

A Server-Side Request Forgery (SSRF) vulnerability exists in the POST /worker_generate_stream API endpoint of the Controller API Server in lm-sys/fastchat, as of commit e208d5677c6837d590b81cb03847c0b9de100765. This vulnerability allows attackers to exploit the victim controller API server's creden…

📅 Published: Dec. 30, 2024, 11:47 a.m. 🔄 Last Modified: July 29, 2025, 11:26 p.m.
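A controller that forwards requests to worker addresses is an SSRF sink whenever the destination can be influenced by the caller. The usual defence is that the server picks the destination from its own registry, never from the request, and additionally refuses addresses that resolve to loopback or link-local space (the 169.254.169.254 cloud metadata endpoint lives there). The code below is an added illustration in Python, not FastChat's code; the registry contents, host names, port and the fake resolver used in the check are constructed for the example. RFC 1918 ranges are intentionally not blocked, since model workers normally live on the internal network.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges a worker must never resolve to: loopback, link-local (includes the cloud
# metadata endpoint 169.254.169.254), and the unspecified/"this host" addresses.
DEFAULT_BLOCKED = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fe80::/10", "::/128")]


def resolve_host(host: str):
    """DNS lookup returning every address the name maps to; all of them must pass."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def _normalise(addr: str) -> ipaddress._BaseAddress:
    ip = ipaddress.ip_address(addr.split("%", 1)[0])  # drop an IPv6 zone id
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is loopback too
    return ip


def is_forbidden_destination(url: str, resolver=resolve_host, blocked=DEFAULT_BLOCKED) -> bool:
    """True if the URL is not plain http(s) or any resolved address hits a blocked range."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return True
    try:
        addrs = resolver(parts.hostname)
    except OSError:
        return True  # unresolvable: refuse rather than guess
    return any(_normalise(a) in net for a in addrs for net in blocked)


def select_worker(requested: str, registry, resolver=resolve_host) -> str:
    """Return the worker URL only if the controller registered it itself and it still
    resolves somewhere permitted (re-checked at use time against DNS rebinding)."""
    if requested not in registry:
        raise PermissionError(f"not a registered worker: {requested}")
    if is_forbidden_destination(requested, resolver):
        raise PermissionError(f"worker resolves to a forbidden address: {requested}")
    return requested


def worker_or_none(requested: str, registry, resolver=resolve_host):
    """Convenience wrapper for callers that prefer None to an exception."""
    try:
        return select_worker(requested, registry, resolver)
    except PermissionError:
        return None
```

Because the check resolves the name itself and then the HTTP client resolves it again, a rebinding attacker can still slip through; pinning the connection to the checked IP (or resolving once and connecting by IP with the Host header set) closes that gap.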

4.8

CVSS4.0

CVE-2024-12993 - Location information exposure in Infinix Weather app

Infinix devices contain a pre-loaded "com.rlk.weathers" application that exposes an unsecured content provider. An attacker can communicate with the provider and reveal the user’s location without any privileges. After multiple attempts to contact the vendor we did not receive any answer. We supp…

📅 Published: Dec. 30, 2024, 11:01 a.m. 🔄 Last Modified: April 15, 2026, 12:35 a.m.
Total results: 349182