CVE-2024-27198

Known exploited
Public exploit
In JetBrains TeamCity before 2023.11.4 authentication bypass allowing to perform admin actions was possible
Max CVSS
9.8
EPSS Score
97.21%
Published
2024-03-04
Updated
2024-03-11
CISA KEV Added
2024-03-07

CVE-2024-22836

Public exploit
An OS command injection vulnerability exists in Akaunting v3.1.3 and earlier. An attacker can manipulate the company locale when installing an app to execute system commands on the hosting server.
Max CVSS
9.8
EPSS Score
0.45%
Published
2024-02-08
Updated
2024-02-15

CVE-2024-21887

Known exploited
Public exploit
A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.
Max CVSS
9.1
EPSS Score
97.32%
Published
2024-01-12
Updated
2024-01-22
CISA KEV Added
2024-01-10

CVE-2024-1709

Known exploited
Public exploit
Used for ransomware
ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel vulnerability, which may allow an attacker direct access to confidential information or critical systems.
Max CVSS
10.0
EPSS Score
93.46%
Published
2024-02-21
Updated
2024-02-23
CISA KEV Added
2024-02-22

CVE-2024-0204

Public exploit
Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the administration portal.
Max CVSS
9.8
EPSS Score
53.86%
Published
2024-01-22
Updated
2024-02-02

CVE-2023-51467

Public exploit
The vulnerability permits attackers to circumvent authentication processes, enabling them to remotely execute arbitrary code
Max CVSS
9.8
EPSS Score
68.50%
Published
2023-12-26
Updated
2024-01-04

CVE-2023-50919

Public exploit
An issue was discovered on GL.iNet devices before version 4.5.0. There is an NGINX authentication bypass via Lua string pattern matching. This affects A1300 4.4.6, AX1800 4.4.6, AXT1800 4.4.6, MT3000 4.4.6, MT2500 4.4.6, MT6000 4.5.0, MT1300 4.3.7, MT300N-V2 4.3.7, AR750S 4.3.7, AR750 4.3.7, AR300M 4.3.7, and B1300 4.3.7.
Max CVSS
9.8
EPSS Score
0.11%
Published
2024-01-12
Updated
2024-01-24

CVE-2023-50917

Public exploit
MajorDoMo (aka Major Domestic Module) before 0662e5e allows command execution via thumb.php shell metacharacters. NOTE: this is unrelated to the Majordomo mailing-list manager.
Max CVSS
9.8
EPSS Score
71.10%
Published
2023-12-15
Updated
2024-01-22

CVE-2023-49103

Known exploited
Public exploit
An issue was discovered in ownCloud owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The graphapi app relies on a third-party GetPhpInfo.php library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo). This information includes all the environment variables of the webserver. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key. Simply disabling the graphapi app does not eliminate the vulnerability. Additionally, phpinfo exposes various other potentially sensitive configuration details that could be exploited by an attacker to gather information about the system. Therefore, even if ownCloud is not running in a containerized environment, this vulnerability should still be a cause for concern. Note that Docker containers from before February 2023 are not vulnerable to the credential disclosure.
Max CVSS
10.0
EPSS Score
89.25%
Published
2023-11-21
Updated
2023-12-05
CISA KEV Added
2023-11-30

CVE-2023-49070

Public exploit
Pre-auth RCE in Apache Ofbiz 18.12.09. It's due to XML-RPC no longer maintained still present. This issue affects Apache OFBiz: before 18.12.10.  Users are recommended to upgrade to version 18.12.10
Max CVSS
9.8
EPSS Score
84.67%
Published
2023-12-05
Updated
2023-12-29

CVE-2023-46747

Known exploited
Public exploit
Undisclosed requests may bypass configuration utility authentication, allowing an attacker with network access to the BIG-IP system through the management port and/or self IP addresses to execute arbitrary system commands.  Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
Max CVSS
9.8
EPSS Score
97.20%
Published
2023-10-26
Updated
2024-02-01
CISA KEV Added
2023-10-31

CVE-2023-46604

Known exploited
Public exploit
Used for ransomware
The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath. Users are recommended to upgrade both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 which fixes this issue.
Max CVSS
10.0
EPSS Score
97.31%
Published
2023-10-27
Updated
2023-11-28
CISA KEV Added
2023-11-02

CVE-2023-46456

Public exploit
In GL.iNET GL-AR300M routers with firmware 3.216 it is possible to inject arbitrary shell commands through the OpenVPN client file upload functionality.
Max CVSS
9.8
EPSS Score
0.09%
Published
2023-12-12
Updated
2023-12-14

CVE-2023-46454

Public exploit
In GL.iNET GL-AR300M routers with firmware v4.3.7, it is possible to inject arbitrary shell commands through a crafted package name in the package information functionality.
Max CVSS
9.8
EPSS Score
0.09%
Published
2023-12-12
Updated
2023-12-14

CVE-2023-45887

Public exploit
DS Wireless Communication (DWC) with DWC_VERSION_3 and DWC_VERSION_11 allows remote attackers to execute arbitrary code on a game-playing client's machine via a modified GPCM message.
Max CVSS
9.8
EPSS Score
0.29%
Published
2023-12-20
Updated
2024-02-15

CVE-2023-45499

Public exploit
VinChin Backup & Recovery v5.0.*, v6.0.*, v6.7.*, and v7.0.* was discovered to contain hardcoded credentials.
Max CVSS
9.8
EPSS Score
0.14%
Published
2023-10-27
Updated
2023-12-21

CVE-2023-45498

Public exploit
VinChin Backup & Recovery v5.0.*, v6.0.*, v6.7.*, and v7.0.* was discovered to contain a command injection vulnerability.
Max CVSS
9.8
EPSS Score
0.33%
Published
2023-10-27
Updated
2023-12-21

CVE-2023-43654

Public exploit
TorchServe is a tool for serving and scaling PyTorch models in production. TorchServe default configuration lacks proper input validation, enabling third parties to invoke remote HTTP download requests and write files to the disk. This issue could be taken advantage of to compromise the integrity of the system and sensitive data. This issue is present in versions 0.1.0 to 0.8.1. A user is able to load the model of their choice from any URL that they would like to use. The user of TorchServe is responsible for configuring both the allowed_urls and specifying the model URL to be used. A pull request to warn the user when the default value for allowed_urls is used has been merged in PR #2534. TorchServe release 0.8.2 includes this change. Users are advised to upgrade. There are no known workarounds for this issue.
Max CVSS
10.0
EPSS Score
0.11%
Published
2023-09-28
Updated
2023-10-31

CVE-2023-43208

Public exploit
NextGen Healthcare Mirth Connect before version 4.4.1 is vulnerable to unauthenticated remote code execution. Note that this vulnerability is caused by the incomplete patch of CVE-2023-37679.
Max CVSS
9.8
EPSS Score
0.35%
Published
2023-10-26
Updated
2024-01-31

CVE-2023-42793

Known exploited
Public exploit
Used for ransomware
In JetBrains TeamCity before 2023.05.4 authentication bypass leading to RCE on TeamCity Server was possible
Max CVSS
9.8
EPSS Score
97.07%
Published
2023-09-19
Updated
2023-10-03
CISA KEV Added
2023-10-04

CVE-2023-41892

Public exploit
Craft CMS is a platform for creating digital experiences. This is a high-impact, low-complexity attack vector. Users running Craft installations before 4.4.15 are encouraged to update to at least that version to mitigate the issue. This issue has been fixed in Craft CMS 4.4.15.
Max CVSS
10.0
EPSS Score
85.57%
Published
2023-09-13
Updated
2023-12-22

CVE-2023-40044

Known exploited
Public exploit
Used for ransomware
In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a pre-authenticated attacker could leverage a .NET deserialization vulnerability in the Ad Hoc Transfer module to execute remote commands on the underlying WS_FTP Server operating system.  
Max CVSS
10.0
EPSS Score
84.13%
Published
2023-09-27
Updated
2023-10-04
CISA KEV Added
2023-10-05

CVE-2023-38965

Public exploit
Lost and Found Information System 1.0 allows account takeover via username and password to a /classes/Users.php?f=save URI.
Max CVSS
9.8
EPSS Score
0.30%
Published
2023-11-03
Updated
2023-11-13

CVE-2023-38646

Public exploit
Metabase open source before 0.46.6.1 and Metabase Enterprise before 1.46.6.1 allow attackers to execute arbitrary commands on the server, at the server's privilege level. Authentication is not required for exploitation. The other fixed versions are 0.45.4.1, 1.45.4.1, 0.44.7.1, 1.44.7.1, 0.43.7.2, and 1.43.7.2.
Max CVSS
9.8
EPSS Score
91.66%
Published
2023-07-21
Updated
2024-02-15

CVE-2023-37679

Public exploit
A remote command execution (RCE) vulnerability in NextGen Mirth Connect v4.3.0 allows attackers to execute arbitrary commands on the hosting server.
Max CVSS
9.8
EPSS Score
8.18%
Published
2023-08-03
Updated
2024-01-31
1268 vulnerabilities found
1 2 3 4 5 6 ...... 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!