Search Results (46116 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2024-39529 1 Juniper 34 Junos, Junos Os, Srx100 and 31 more 2024-11-21 7.5 High
A Use of Externally-Controlled Format String vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). If DNS Domain Generation Algorithm (DGA) detection or tunnel detection, and DNS-filtering traceoptions are configured, and specific valid transit DNS traffic is received this causes a PFE crash and restart, leading to a Denial of Service. This issue affects Junos OS: * All versions before 21.4R3-S6, * 22.2 versions before 22.2R3-S3, * 22.3 versions before 22.3R3-S3, * 22.4 versions before 22.4R3, * 23.2 versions before 23.2R2.
CVE-2024-39518 1 Juniper 1 Junos Os 2024-11-21 7.5 High
A Heap-based Buffer Overflow vulnerability in the telemetry sensor process (sensord) of Juniper Networks Junos OS on MX240, MX480, MX960 platforms using MPC10E causes a steady increase in memory utilization, ultimately leading to a Denial of Service (DoS). When the device is subscribed to a specific subscription on Junos Telemetry Interface, a slow memory leak occurs and eventually all resources are consumed and the device becomes unresponsive. A manual reboot of the Line Card will be required to restore the device to its normal functioning.  This issue is only seen when telemetry subscription is active. The Heap memory utilization can be monitored using the following command:   > show system processes extensive The following command can be used to monitor the memory utilization of the specific sensor   > show system info | match sensord PID NAME MEMORY PEAK MEMORY %CPU THREAD-COUNT CORE-AFFINITY UPTIME 1986 sensord 877.57MB 877.57MB 2 4 0,2-15 7-21:41:32 This issue affects Junos OS:  * from 21.2R3-S5 before 21.2R3-S7,  * from 21.4R3-S4 before 21.4R3-S6,  * from 22.2R3 before 22.2R3-S4,  * from 22.3R2 before 22.3R3-S2,  * from 22.4R1 before 22.4R3,  * from 23.2R1 before 23.2R2.
CVE-2024-39324 1 Aimeos 1 Ai-admin-graphql 2024-11-21 3.8 Low
aimeos/ai-admin-graphql is the Aimeos GraphQL API admin interface. Starting in version 2022.04.1 and prior to versions 2022.10.10, 2023.10.6, and 2024.4.2, improper access control allows a editors to manage own services via GraphQL API which isn't allowed in the JQAdm front end. Versions 2022.10.10, 2023.10.6, and 2024.4.2 contain a patch for the issue.
CVE-2024-39320 1 Discourse 1 Discourse 2024-11-21 6.1 Medium
Discourse is an open source discussion platform. Prior to 3.2.5 and 3.3.0.beta5, the vulnerability allows an attacker to inject iframes from any domain, bypassing the intended restrictions enforced by the allowed_iframes setting. This vulnerability is fixed in 3.2.5 and 3.3.0.beta5.
CVE-2024-39012 2 Ais, Aisltd 2 Strategyen, Strategyen 2024-11-21 9.8 Critical
ais-ltd strategyen v0.4.0 was discovered to contain a prototype pollution via the function mergeObjects. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
CVE-2024-39010 1 Chasemoskal 1 Snapstate 2024-11-21 9.8 Critical
chase-moskal snapstate v0.0.9 was discovered to contain a prototype pollution via the function attemptNestedProperty. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties.
CVE-2024-38986 1 75lb 1 Deep-merge 2024-11-21 9.8 Critical
Prototype Pollution in 75lb deep-merge 1.1.1 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) and cause other impacts via merge methods of lodash to merge objects.
CVE-2024-38984 1 Lukebond 1 Json-override 2024-11-21 9.8 Critical
Prototype Pollution in lukebond json-override 0.2.0 allows attackers to to execute arbitrary code or cause a Denial of Service (DoS) via the __proto__ property.
CVE-2024-38983 1 Alykoshin 1 Mini-deep-assign 2024-11-21 9.8 Critical
Prototype Pollution in alykoshin mini-deep-assign v0.0.8 allows an attacker to execute arbitrary code or cause a Denial of Service (DoS) and cause other impacts via the _assign() method at (/lib/index.js:91)
CVE-2024-38522 1 Hushline 1 Hush Line 2024-11-21 6.3 Medium
Hush Line is a free and open-source, anonymous-tip-line-as-a-service for organizations or individuals. The CSP policy applied on the `tips.hushline.app` website and bundled by default in this repository is trivial to bypass. This vulnerability has been patched in version 0.1.0.
CVE-2024-38373 1 Amazon 1 Freertos-plus-tcp 2024-11-21 9.6 Critical
FreeRTOS-Plus-TCP is a lightweight TCP/IP stack for FreeRTOS. FreeRTOS-Plus-TCP versions 4.0.0 through 4.1.0 contain a buffer over-read issue in the DNS Response Parser when parsing domain names in a DNS response. A carefully crafted DNS response with domain name length value greater than the actual domain name length, could cause the parser to read beyond the DNS response buffer. This issue affects applications using DNS functionality of the FreeRTOS-Plus-TCP stack. Applications that do not use DNS functionality are not affected, even when the DNS functionality is enabled. This vulnerability has been patched in version 4.1.1.
CVE-2024-38301 1 Dell 1 Alienware Command Center 2024-11-21 6.7 Medium
Dell Alienware Command Center, version 5.7.3.0 and prior, contains an improper access control vulnerability. A low privileged attacker could potentially exploit this vulnerability, leading to denial of service on the local system and information disclosure.
CVE-2024-37635 1 Totolink 2 A3700r, A3700r Firmware 2024-11-21 9.8 Critical
TOTOLINK A3700R V9.1.2u.6165_20211012 was discovered to contain a stack overflow via ssid in the function setWiFiBasicCfg
CVE-2024-37280 1 Elastic 1 Elasticsearch 2024-11-21 4.9 Medium
A flaw was discovered in Elasticsearch, affecting document ingestion when an index template contains a dynamic field mapping of “passthrough” type. Under certain circumstances, ingesting documents in this index would cause a StackOverflow exception to be thrown and ultimately lead to a Denial of Service. Note that passthrough fields is an experimental feature.
CVE-2024-37040 1 Schneider-electric 7 Sage 1410, Sage 1430, Sage 1450 and 4 more 2024-11-21 5.4 Medium
CWE-120: Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) vulnerability exists that could allow a user with access to the device’s web interface to cause a fault on the device when sending a malformed HTTP request.
CVE-2024-37029 1 Fujielectric 1 Tellus Lite V-simulator 2024-11-21 7.8 High
Fuji Electric Tellus Lite V-Simulator is vulnerable to a stack-based buffer overflow, which could allow an attacker to execute arbitrary code.
CVE-2024-36572 1 Allpro 2 Form-manager, Formmanager Data Handler 2024-11-21 9.8 Critical
Prototype pollution in allpro form-manager 0.7.4 allows attackers to run arbitrary code and cause other impacts via the functions setDefaults, mergeBranch, and Object.setObjectValue.
CVE-2024-36502 1 Huawei 2 Emui, Harmonyos 2024-11-21 7.9 High
Out-of-bounds read vulnerability in the audio module Impact: Successful exploitation of this vulnerability will affect availability.
CVE-2024-36243 1 Openatom 1 Openharmony 2024-11-21 8.2 High
in OpenHarmony v4.0.0 and prior versions allow a remote attacker arbitrary code execution in pre-installed apps through out-of-bounds read and write.
CVE-2024-36129 2 Opentelemetry, Redhat 5 Configgrpc, Confighttp, Opentelemetry and 2 more 2024-11-21 8.2 High
The OpenTelemetry Collector offers a vendor-agnostic implementation on how to receive, process and export telemetry data. An unsafe decompression vulnerability allows unauthenticated attackers to crash the collector via excessive memory consumption. OTel Collector version 0.102.1 fixes this issue. It is also fixed in the confighttp module version 0.102.0 and configgrpc module version 0.102.1.