5.5
CVE-2024-49750 - Snowflake Connector for Python has sensitive data in logs
The Snowflake Connector for Python provides an interface for developing Python applications that can connect to Snowflake and perform all standard operations. Prior to version 3.12.3, when the logging level was set by the user to DEBUG, the Connector could have logged Duo passcodes (when specified โฆ
5.3
CVE-2024-10349 - SourceCodester Best House Rental Management System ajax.php delete_tenant sql injection
A vulnerability was found in SourceCodester Best House Rental Management System 1.0 and classified as critical. Affected by this issue is the function delete_tenant of the file /ajax.php?action=delete_tenant. The manipulation of the argument id leads to sql injection. The attack may be launched remโฆ
5.3
CVE-2024-10348 - SourceCodester Best House Rental Management System Manage Tenant Details index.php cross site scripโฆ
A vulnerability was found in SourceCodester Best House Rental Management System 1.0. It has been classified as problematic. This affects an unknown part of the file /index.php?page=tenants of the component Manage Tenant Details. The manipulation of the argument Last Name/First Name/Middle Name leadโฆ
4.6
CVE-2024-49762 - Pterodactyl Panel has plain-text logging of user passwords when two-factor authentication is disablโฆ
Pterodactyl is a free, open-source game server management panel. When a user disables two-factor authentication via the Panel, a `DELETE` request with their current password in a query parameter will be sent. While query parameters are encrypted when using TLS, many webservers (including ones offiโฆ
7.1
CVE-2024-49760 - OpenRefine has a path traversal in LoadLanguageCommand
OpenRefine is a free, open source tool for working with messy data. The load-language command expects a `lang` parameter from which it constructs the path of the localization file to load, of the form `translations-$LANG.json`. But when doing so in versions prior to 3.8.3, it does not check that thโฆ
7.5
CVE-2024-49359 - ZimaOS vulnerable to Directory Listing via Parameter Manipulation
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoint `http://<Zima_Server_IP:PORT>/v2_1/file` in ZimaOS is vulnerable to a directory traversal attack, allowing authenticated users to list the contentโฆ
5.3
CVE-2024-49358 - ZimaOS vulnerable to Username Enumeration via API Responses
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoint `http://<Server-IP>/v1/users/login` in ZimaOS returns distinct responses based on whether a username exists or the password is incorrect. This behโฆ
7.5
CVE-2024-49357 - ZimaOS (Installed Applications and System Information) has Unauthorized Sensitive Data Leak
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoints in ZimaOS, such as `http://<Server-IP>/v1/users/image?path=/var/lib/casaos/1/app_order.json` and `http://<Server-IP>/v1/users/image?path=/var/libโฆ
5.3
CVE-2024-48932 - ZimaOS Unauthenticated API Discloses Usernames
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In versions below 1.5.0, the API endpoint `http://<Server-ip>/v1/users/name` allows unauthenticated users to access sensitive information, such as usernames, without any authorization. This vulnerability โฆ
7.5
CVE-2024-48931 - ZimaOS Arbitrary File Read via Parameter Manipulation
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the ZimaOS API endpoint `http://<Zima_Server_IP:PORT>/v3/file?token=<token>&files=<file_path>` is vulnerable to arbitrary file reading due to improper input validaโฆ