Total
45 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-1456 | 2024-06-04 | N/A | ||
| An S3 bucket takeover vulnerability was identified in the h2oai/h2o-3 repository. The issue involves the S3 bucket 'http://s3.amazonaws.com/h2o-training', which was found to be vulnerable to unauthorized takeover. | ||||
| CVE-2024-32999 | 2024-06-04 | 6.8 Medium | ||
| Cracking vulnerability in the OS security module Impact: Successful exploitation of this vulnerability will affect availability. | ||||
| CVE-2024-2267 | 2024-05-17 | 4.3 Medium | ||
| A vulnerability was found in keerti1924 Online-Book-Store-Website 1.0 and classified as problematic. This issue affects some unknown processing of the file /shop.php. The manipulation of the argument product_price leads to business logic errors. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-256037 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-2151 | 2024-05-17 | 4.3 Medium | ||
| A vulnerability classified as problematic was found in SourceCodester Online Mobile Management Store 1.0. Affected by this vulnerability is an unknown functionality of the component Product Price Handler. The manipulation of the argument quantity with the input -1 leads to business logic errors. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-255583. | ||||
| CVE-2024-4046 | 2024-05-14 | 6.4 Medium | ||
| Cracking vulnerability in the OS security module Impact: Successful exploitation of this vulnerability will affect availability. | ||||
| CVE-2021-22897 | 5 Haxx, Netapp, Oracle and 2 more | 30 Curl, Cloud Backup, H300e and 27 more | 2024-03-27 | 5.3 Medium |
| curl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong session due to a mistake in the code for CURLOPT_SSL_CIPHER_LIST when libcurl is built to use the Schannel TLS library. The selected cipher set was stored in a single "static" variable in the library, which has the surprising side-effect that if an application sets up multiple concurrent transfers, the last one that sets the ciphers will accidentally control the set used by all transfers. In a worst-case scenario, this weakens transport security significantly. | ||||
| CVE-2021-22922 | 6 Fedoraproject, Haxx, Netapp and 3 more | 23 Fedora, Curl, Cloud Backup and 20 more | 2024-03-27 | 6.5 Medium |
| When curl is instructed to download content using the metalink feature, thecontents is verified against a hash provided in the metalink XML file.The metalink XML file points out to the client how to get the same contentfrom a set of different URLs, potentially hosted by different servers and theclient can then download the file from one or several of them. In a serial orparallel manner.If one of the servers hosting the contents has been breached and the contentsof the specific file on that server is replaced with a modified payload, curlshould detect this when the hash of the file mismatches after a completeddownload. It should remove the contents and instead try getting the contentsfrom another URL. This is not done, and instead such a hash mismatch is onlymentioned in text and the potentially malicious content is kept in the file ondisk. | ||||
| CVE-2021-22926 | 5 Haxx, Netapp, Oracle and 2 more | 26 Curl, Active Iq Unified Manager, Clustered Data Ontap and 23 more | 2024-03-27 | 7.5 High |
| libcurl-using applications can ask for a specific client certificate to be used in a transfer. This is done with the `CURLOPT_SSLCERT` option (`--cert` with the command line tool).When libcurl is built to use the macOS native TLS library Secure Transport, an application can ask for the client certificate by name or with a file name - using the same option. If the name exists as a file, it will be used instead of by name.If the appliction runs with a current working directory that is writable by other users (like `/tmp`), a malicious user can create a file name with the same name as the app wants to use by name, and thereby trick the application to use the file based cert instead of the one referred to by name making libcurl send the wrong client certificate in the TLS connection handshake. | ||||
| CVE-2022-27782 | 3 Debian, Haxx, Splunk | 3 Debian Linux, Curl, Universal Forwarder | 2024-03-27 | 7.5 High |
| libcurl would reuse a previously created connection even when a TLS or SSHrelated option had been changed that should have prohibited reuse.libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse if one of them matches the setup. However, several TLS andSSH settings were left out from the configuration match checks, making themmatch too easily. | ||||
| CVE-2022-32207 | 6 Apple, Debian, Fedoraproject and 3 more | 19 Macos, Debian Linux, Fedora and 16 more | 2024-03-27 | 9.8 Critical |
| When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by finalizing the operation with a rename from a temporary name to the final target file name.In that rename operation, it might accidentally *widen* the permissions for the target file, leaving the updated file accessible to more users than intended. | ||||
| CVE-2022-32208 | 6 Apple, Debian, Fedoraproject and 3 more | 19 Macos, Debian Linux, Fedora and 16 more | 2024-03-27 | 5.9 Medium |
| When curl < 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly. This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject data to the client. | ||||
| CVE-2023-6832 | 1 Microweber | 1 Microweber | 2023-12-21 | 4.3 Medium |
| Business Logic Errors in GitHub repository microweber/microweber prior to 2.0. | ||||
| CVE-2023-4304 | 1 Froxlor | 1 Froxlor | 2023-12-18 | 2.7 Low |
| Business Logic Errors in GitHub repository froxlor/froxlor prior to 2.0.22,2.1.0. | ||||
| CVE-2023-0565 | 1 Froxlor | 1 Froxlor | 2023-12-18 | 4.9 Medium |
| Business Logic Errors in GitHub repository froxlor/froxlor prior to 2.0.10. | ||||
| CVE-2023-6514 | 1 Huawei | 2 Ajmd-370s, Ajmd-370s Firmware | 2023-12-12 | 8.8 High |
| The Bluetooth module of some Huawei Smart Screen products has an identity authentication bypass vulnerability. Successful exploitation of this vulnerability may allow attackers to access restricted functions. Successful exploitation of this vulnerability may allow attackers to access restricted functions. | ||||
| CVE-2023-6566 | 1 Microweber | 1 Microweber | 2023-12-12 | 6.5 Medium |
| Business Logic Errors in GitHub repository microweber/microweber prior to 2.0. | ||||
| CVE-2023-6017 | 1 H2o | 1 H2o | 2023-11-28 | 7.1 High |
| H2O included a reference to an S3 bucket that no longer existed allowing an attacker to take over the S3 bucket URL. | ||||
| CVE-2020-8181 | 1 Nextcloud | 1 Contacts | 2023-11-07 | 4.3 Medium |
| A missing file type check in Nextcloud Contacts 3.2.0 allowed a malicious user to upload any file as avatars. | ||||
| CVE-2023-3914 | 1 Gitlab | 1 Gitlab | 2023-10-03 | 5.3 Medium |
| A business logic error in GitLab EE affecting all versions prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1 allows access to internal projects. A service account is not deleted when a namespace is deleted, allowing access to internal projects. | ||||
| CVE-2023-3484 | 1 Gitlab | 1 Gitlab | 2023-07-31 | 6.5 Medium |
| An issue has been discovered in GitLab EE affecting all versions starting from 12.8 before 15.11.11, all versions starting from 16.0 before 16.0.7, all versions starting from 16.1 before 16.1.2. An attacker could change the name or path of a public top-level group in certain situations. | ||||