4
CVE-2024-47825 - CIDR deny policies may not take effect when a more narrow CIDR allow is present
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Starting in version 1.14.0 and prior to versions 1.14.16 and 1.15.10, a policy rule denying a prefix that is broader than `/32` may be ignored if there is a policy rule referencing a more narrow prefix (`CIDRβ¦
8.9
CVE-2024-49368 - Unchecked logrotate settings lead to arbitrary command execution
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.0.0-beta.36, when Nginx UI configures logrotate, it does not verify the input and directly passes it to exec.Command, causing arbitrary command execution. Version 2.0.0-beta.36 fixes this issue.
5.5
CVE-2024-49367 - Nginx UI's log path can be controlled
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.0.0-beta.36, the log path of nginxui is controllable. This issue can be combined with the directory traversal at `/api/configs` to read directories and file contents on the server. Version 2.0.0-beta.36 fixes the issue.
5.4
CVE-2024-40746 - Extension - hikashop.com - Stored cross site scripting vulnerability in Hikashop component for Joomβ¦
A stored cross-site scripting (XSS) vulnerability in HikaShop Joomla Component < 5.1.1 allows remote attackers to execute arbitrary JavaScript in the web browser of a user, by including a malicious payload in the `description` parameter of any product. The `description `parameter is not sanitised iβ¦
7.7
CVE-2024-49366 - Nginx UI's json field can construct a directory traversal payload, causing arbitrary files to be wrβ¦
Nginx UI is a web user interface for the Nginx web server. Nginx UI v2.0.0-beta.35 and earlier gets the value from the json field without verification, and can construct a value value in the form of `../../`. Arbitrary files can be written to the server, which may result in loss of permissions. Verβ¦
8.7
CVE-2024-48930 - secp256k1-node vulnerable to private key extraction over ECDH
secp256k1-node is a Node.js binding for an Optimized C library for EC operations on curve secp256k1. In `elliptic`-based version, `loadUncompressedPublicKey` has a check that the public key is on the curve. Prior to versions 5.0.1, 4.0.4, and 3.8.1, however, `loadCompressedPublicKey` is missing thaβ¦
8.7
CVE-2024-45309 - OneDev vulnerable to arbitrary file reading for unauthenticated user
OneDev is a Git server with CI/CD, kanban, and packages. A vulnerability in versions prior to 11.0.9 allows unauthenticated users to read arbitrary files accessible by the OneDev server process. This issue has been fixed in version 11.0.9.
6.5
CVE-2024-8305 - MongoDB Server secondaries may crash due to forced index constraints
prepareUnique index may cause secondaries to crash due to incorrect enforcement of index constraints on secondaries, where in extreme cases may cause multiple secondaries crashing leading to no primaries. This issue affects MongoDB Server v6.0 versions prior to 6.0.17, MongoDB Server v7.0 versions β¦
0.0
CVE-2024-10212 -
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
6.5
CVE-2024-49273 - WordPress ProfileGrid plugin <= 5.9.3 - Cross Site Request Forgery (CSRF) vulnerability
Missing Authorization vulnerability in Metagauss ProfileGrid profilegrid-user-profiles-groups-and-communities.This issue affects ProfileGrid : from n/a through <= 5.9.3.