NVD

NOTICE UPDATED - May, 29th 2024

The NVD has a new announcement page with status updates, news, and how to stay connected!

Icon for CISA Known Exploited Vulnerabilities Catalog Announcement

The NVD is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

For information on how to the cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Legal Disclaimer:

Here is where you can read the NVD legal disclaimer.

Last 20 Scored Vulnerability IDs & Summaries CVSS Severity

CVE-2024-21513 - Versions of the package langchain-experimental from 0.0.15 and before 0.0.21 are vulnerable to Arbitrary Code Execution when retrieving values from the database, the code will attempt to call 'eval' on all values. An attacker can exploit this vuln... read CVE-2024-21513
Published: July 15, 2024; 1:15:01 AM -0400

V3.1: 8.5 HIGH
CVE-2024-5630 - The Insert or Embed Articulate Content into WordPress plugin before 4.3000000024 does not prevent authors from uploading arbitrary files to the site, which may allow them to upload PHP shells on affected sites.
Published: July 15, 2024; 2:15:01 AM -0400

V3.1: 8.8 HIGH
CVE-2024-6289 - The WPS Hide Login WordPress plugin before 1.9.16.4 does not prevent redirects to the login page via the auth_redirect WordPress function, allowing an unauthenticated visitor to access the hidden login page.
Published: July 15, 2024; 2:15:02 AM -0400

V3.1: 6.1 MEDIUM
CVE-2024-6742 - AguardNet Technology's Space Management System does not properly filter user input, allowing remote attackers with regular privileges to inject JavaScript and perform Reflected Cross-site scripting attacks.
Published: July 15, 2024; 2:15:02 AM -0400

V3.1: 5.4 MEDIUM
CVE-2024-6743 - AguardNet's Space Management System does not properly validate user input, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents.
Published: July 15, 2024; 3:15:25 AM -0400

V3.1: 9.8 CRITICAL
CVE-2024-6744 - The SMTP Listener of Secure Email Gateway from Cellopoint does not properly validate user input, leading to a Buffer Overflow vulnerability. An unauthenticated remote attacker can exploit this vulnerability to execute arbitrary system commands on ... read CVE-2024-6744
Published: July 15, 2024; 3:15:25 AM -0400

V3.1: 9.8 CRITICAL
CVE-2023-46801 - In Apache Linkis <= 1.5.0, data source management module, when adding Mysql data source, exists remote code execution vulnerability for java version < 1.8.0_241. The deserialization vulnerability exploited through jrmp can inject malicious files ... read CVE-2023-46801
Published: July 15, 2024; 4:15:02 AM -0400

V3.1: 8.8 HIGH
CVE-2023-41916 - In Apache Linkis =1.4.0, due to the lack of effective filtering of parameters, an attacker configuring malicious Mysql JDBC parameters in the DataSource Manager Module will trigger arbitrary file reading. Therefore, the parameters in the Mysql JD... read CVE-2023-41916
Published: July 15, 2024; 4:15:02 AM -0400

V3.1: 6.5 MEDIUM
CVE-2023-49566 - In Apache Linkis <=1.5.0, due to the lack of effective filtering of parameters, an attacker configuring malicious db2 parameters in the DataSource Manager Module will result in jndi injection. Therefore, the parameters in the DB2 URL should b... read CVE-2023-49566
Published: July 15, 2024; 4:15:02 AM -0400

V3.1: 8.8 HIGH
CVE-2024-23794 - An incorrect privilege assignment vulnerability in the inline editing functionality of OTRS can lead to privilege escalation. This flaw allows an agent with read-only permissions to gain full access to a ticket. This issue arises in very rare inst... read CVE-2024-23794
Published: July 15, 2024; 4:15:02 AM -0400

V3.1: 7.5 HIGH
CVE-2024-6540 - Improper filtering of fields when using the export function in the ticket overview of the external interface in OTRS could allow an authorized user to download a list of tickets containing information about tickets of other customers. The problem ... read CVE-2024-6540
Published: July 15, 2024; 4:15:02 AM -0400

V3.1: 5.3 MEDIUM
CVE-2024-6740 - Openfind's Mail2000 does not properly validate email atachments, allowing unauthenticated remote attackers to inject JavaScript code within the attachment and perform Stored Cross-site scripting attacks.
Published: July 15, 2024; 4:15:03 AM -0400

V3.1: 6.1 MEDIUM
CVE-2024-39767 - Mattermost Mobile Apps versions <=2.16.0 fail to validate that the push notifications received for a server actually came from this serve that which allows a malicious server to send push notifications with another server’s diagnostic ID or server... read CVE-2024-39767
Published: July 15, 2024; 5:15:02 AM -0400

V3.1: 6.5 MEDIUM
CVE-2024-32945 - Mattermost Mobile Apps versions <=2.16.0 fail to protect against abuse of a globally shared MathJax state which allows an attacker to change the contents of a LateX post, by creating another post with specific macro definitions.
Published: July 15, 2024; 5:15:02 AM -0400

V3.1: 5.3 MEDIUM
CVE-2024-6739 - The session cookie in MailGates and MailAudit from Openfind does not have the HttpOnly flag enabled, allowing remote attackers to potentially steal the session cookie via XSS.
Published: July 15, 2024; 12:15:02 AM -0400

V3.1: 6.1 MEDIUM
CVE-2015-4068 - Directory traversal vulnerability in Arcserve UDP before 5.0 Update 4 allows remote attackers to obtain sensitive information or cause a denial of service via a crafted file path to the (1) reportFileServlet or (2) exportServlet servlet.
Published: May 29, 2015; 11:59:23 AM -0400

V3.1: 9.1 CRITICAL
V2.0: 9.4 HIGH
CVE-2015-3035 - Directory traversal vulnerability in TP-LINK Archer C5 (1.2) with firmware before 150317, C7 (2.0) with firmware before 150304, and C8 (1.0) with firmware before 150316, Archer C9 (1.0), TL-WDR3500 (1.0), TL-WDR3600 (1.0), and TL-WDR4300 (1.0) wit... read CVE-2015-3035
Published: April 21, 2015; 9:59:02 PM -0400

V3.1: 7.5 HIGH
V2.0: 7.8 HIGH
CVE-2016-10174 - The NETGEAR WNR2000v5 router contains a buffer overflow in the hidden_lang_avi parameter when invoking the URL /apply.cgi?/lang_check.html. This buffer overflow can be exploited by an unauthenticated attacker to achieve remote code execution.
Published: January 29, 2017; 11:59:00 PM -0500

V3.1: 9.8 CRITICAL
V2.0: 10.0 HIGH
CVE-2017-6316 - Citrix NetScaler SD-WAN devices through v9.1.2.26.561201 allow remote attackers to execute arbitrary shell commands as root via a CGISESSID cookie. On CloudBridge (the former name of NetScaler SD-WAN) devices, the cookie name was CAKEPHP rather th... read CVE-2017-6316
Published: July 20, 2017; 12:29:00 AM -0400

V3.1: 9.8 CRITICAL
V2.0: 10.0 HIGH
CVE-2017-12615 - When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This ... read CVE-2017-12615
Published: September 19, 2017; 9:29:00 AM -0400

V3.1: 8.1 HIGH
V2.0: 6.8 MEDIUM

Created September 20, 2022 , Updated June 27, 2024

You are viewing this page in an unauthorized frame window.

Information Technology Laboratory

National Vulnerability Database

National Vulnerability Database

Legal Disclaimer: