Total
87 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-35198 | 2024-11-21 | 9.8 Critical | ||
| TorchServe is a flexible and easy-to-use tool for serving and scaling PyTorch models in production. TorchServe 's check on allowed_urls configuration can be by-passed if the URL contains characters such as ".." but it does not prevent the model from being downloaded into the model store. Once a file is downloaded, it can be referenced without providing a URL the second time, which effectively bypasses the allowed_urls security check. Customers using PyTorch inference Deep Learning Containers (DLC) through Amazon SageMaker and EKS are not affected. This issue in TorchServe has been fixed by validating the URL without characters such as ".." before downloading see PR #3082. TorchServe release 0.11.0 includes the fix to address this vulnerability. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2024-27292 | 2024-11-21 | 7.5 High | ||
| Docassemble is an expert system for guided interviews and document assembly. The vulnerability allows attackers to gain unauthorized access to information on the system through URL manipulation. It affects versions 1.4.53 to 1.4.96. The vulnerability has been patched in version 1.4.97 of the master branch. | ||||
| CVE-2023-42451 | 1 Joinmastodon | 1 Mastodon | 2024-11-21 | 7.4 High |
| Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2, under certain circumstances, attackers can exploit a flaw in domain name normalization to spoof domains they do not own. Versions 3.5.14, 4.0.10, 4.1.8, and 4.2.0-rc2 contain a patch for this issue. | ||||
| CVE-2022-30621 | 1 Cellinx | 2 Cellinx Nvt - Ip Ptz Camera, Cellinx Nvt - Ip Ptz Camera Firmware | 2024-11-21 | 7.6 High |
| Allows a remote user to read files on the camera's OS "GetFileContent.cgi". Reading arbitrary files on the camera's OS as root user. | ||||
| CVE-2022-28198 | 2 Microsoft, Nvidia | 3 Windows, Omniverse Cache, Omniverse Nucleus | 2024-11-21 | 6.6 Medium |
| NVIDIA Omniverse Nucleus and Cache contain a vulnerability in its configuration of OpenSSL, where an attacker with physical access to the system can cause arbitrary code execution which can impact confidentiality, integrity, and availability. | ||||
| CVE-2022-27778 | 4 Haxx, Netapp, Oracle and 1 more | 19 Curl, Active Iq Unified Manager, Bh500s Firmware and 16 more | 2024-11-21 | 8.1 High |
| A use of incorrectly resolved name vulnerability fixed in 7.83.1 might remove the wrong file when `--no-clobber` is used together with `--remove-on-error`. | ||||
| CVE-2022-0855 | 1 Microweber | 1 Whmcs | 2024-11-21 | 6.1 Medium |
| Improper Resolution of Path Equivalence in GitHub repository microweber-dev/whmcs_plugin prior to 0.0.4. | ||||
| CVE-2021-40856 | 1 Auerswald | 6 Comfortel 1400 Ip, Comfortel 1400 Ip Firmware, Comfortel 2600 Ip and 3 more | 2024-11-21 | 7.5 High |
| Auerswald COMfortel 1400 IP and 2600 IP before 2.8G devices allow Authentication Bypass via the /about/../ substring. | ||||
| CVE-2021-39156 | 2 Istio, Redhat | 2 Istio, Service Mesh | 2024-11-21 | 8.1 High |
| Istio is an open source platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. Istio 1.11.0, 1.10.3 and below, and 1.9.7 and below contain a remotely exploitable vulnerability where an HTTP request with `#fragment` in the path may bypass Istio’s URI path based authorization policies. Patches are available in Istio 1.11.1, Istio 1.10.4 and Istio 1.9.8. As a work around a Lua filter may be written to normalize the path. | ||||
| CVE-2021-37215 | 1 Larvata | 1 Flygo | 2024-11-21 | 4.3 Medium |
| The employee management page of Flygo contains an Insecure Direct Object Reference (IDOR) vulnerability. After being authenticated as a general user, remote attacker can manipulate the user data and then over-write another employee’s user data by specifying that employee’s ID in the API parameter. | ||||
| CVE-2021-37214 | 1 Larvata | 1 Flygo | 2024-11-21 | 8.8 High |
| The employee management page of Flygo contains Insecure Direct Object Reference (IDOR) vulnerability. After being authenticated as a general user, remote attackers can manipulate the employee ID in specific parameters to arbitrary access employee's data, modify it, and then obtain administrator privilege and execute arbitrary command. | ||||
| CVE-2021-37213 | 1 Larvata | 1 Flygo | 2024-11-21 | 4.3 Medium |
| The check-in record page of Flygo contains Insecure Direct Object Reference (IDOR) vulnerability. After being authenticated as a general user, remote attackers can manipulate the employee ID and date in specific parameters to access particular employee’s check-in record. | ||||
| CVE-2021-37212 | 1 Larvata | 1 Flygo | 2024-11-21 | 5.4 Medium |
| The bulletin function of Flygo contains Insecure Direct Object Reference (IDOR) vulnerability. After being authenticated as a general user, remote attackers can manipulate the bulletin ID in specific Url parameters and access and modify bulletin particular content. | ||||
| CVE-2021-37144 | 1 Cszcms | 1 Csz Cms | 2024-11-21 | 9.1 Critical |
| CSZ CMS 1.2.9 is vulnerable to Arbitrary File Deletion. This occurs in PHP when the unlink() function is called and user input might affect portions of or the whole affected parameter, which represents the path of the file to remove, without sufficient sanitization. | ||||
| CVE-2021-32054 | 1 Fire.ly | 1 Spark | 2024-11-21 | 6.1 Medium |
| Firely/Incendi Spark before 1.5.5-r4 lacks Content-Disposition headers in certain situations, which may cause crafted files to be delivered to clients such that they are rendered directly in a victim's web browser. | ||||
| CVE-2021-31933 | 1 Chamilo | 1 Chamilo | 2024-11-21 | 7.2 High |
| A remote code execution vulnerability exists in Chamilo through 1.11.14 due to improper input sanitization of a parameter used for file uploads, and improper file-extension filtering for certain filenames (e.g., .phar or .pht). A remote authenticated administrator is able to upload a file containing arbitrary PHP code into specific directories via main/inc/lib/fileUpload.lib.php directory traversal to achieve PHP code execution. | ||||
| CVE-2021-31920 | 2 Istio, Redhat | 2 Istio, Service Mesh | 2024-11-21 | 6.5 Medium |
| Istio before 1.8.6 and 1.9.x before 1.9.5 has a remotely exploitable vulnerability where an HTTP request path with multiple slashes or escaped slash characters (%2F or %5C) could potentially bypass an Istio authorization policy when path based authorization rules are used. | ||||
| CVE-2021-27306 | 1 Konghq | 1 Kong Gateway | 2024-11-21 | 7.5 High |
| An improper access control vulnerability in the JWT plugin in Kong Gateway prior to 2.3.2.0 allows unauthenticated users access to authenticated routes without a valid token JWT. | ||||
| CVE-2020-4719 | 1 Ibm | 1 Cloud Application Performance Management | 2024-11-21 | 4.9 Medium |
| The IBM Cloud APM 8.1.4 server will issue a DNS request to resolve any hostname specified in the Cloud Event Management Webhook URL configuration definition. This could enable an authenticated user with admin authorization to create DNS query strings that are not hostnames. IBM X-Force ID: 187861. | ||||
| CVE-2020-35894 | 1 Obstack Project | 1 Obstack | 2024-11-21 | 7.5 High |
| An issue was discovered in the obstack crate before 0.1.4 for Rust. Unaligned references can occur. | ||||