Total
157 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-27025 | 1 Ruoyi | 1 Ruoyi | 2025-02-18 | 7.5 High |
| An arbitrary file download vulnerability in the background management module of RuoYi v4.7.6 and below allows attackers to download arbitrary files in the server. | ||||
| CVE-2023-45842 | 1 Buildroot | 1 Buildroot | 2025-02-13 | 8.1 High |
| Multiple data integrity vulnerabilities exist in the package hash checking functionality of Buildroot 2023.08.1 and Buildroot dev commit 622698d7847. A specially crafted man-in-the-middle attack can lead to arbitrary command execution in the builder.This vulnerability is related to the `mxsldr` package. | ||||
| CVE-2023-45841 | 1 Buildroot | 1 Buildroot | 2025-02-13 | 8.1 High |
| Multiple data integrity vulnerabilities exist in the package hash checking functionality of Buildroot 2023.08.1 and Buildroot dev commit 622698d7847. A specially crafted man-in-the-middle attack can lead to arbitrary command execution in the builder.This vulnerability is related to the `versal-firmware` package. | ||||
| CVE-2023-45840 | 1 Buildroot | 1 Buildroot | 2025-02-13 | 8.1 High |
| Multiple data integrity vulnerabilities exist in the package hash checking functionality of Buildroot 2023.08.1 and Buildroot dev commit 622698d7847. A specially crafted man-in-the-middle attack can lead to arbitrary command execution in the builder.This vulnerability is related to the `riscv64-elf-toolchain` package. | ||||
| CVE-2023-45839 | 1 Buildroot | 1 Buildroot | 2025-02-13 | 8.1 High |
| Multiple data integrity vulnerabilities exist in the package hash checking functionality of Buildroot 2023.08.1 and Buildroot dev commit 622698d7847. A specially crafted man-in-the-middle attack can lead to arbitrary command execution in the builder.This vulnerability is related to the `aufs-util` package. | ||||
| CVE-2023-45838 | 1 Buildroot | 1 Buildroot | 2025-02-13 | 8.1 High |
| Multiple data integrity vulnerabilities exist in the package hash checking functionality of Buildroot 2023.08.1 and Buildroot dev commit 622698d7847. A specially crafted man-in-the-middle attack can lead to arbitrary command execution in the builder.This vulnerability is related to the `aufs` package. | ||||
| CVE-2023-43608 | 1 Buildroot | 1 Buildroot | 2025-02-13 | 8.1 High |
| A data integrity vulnerability exists in the BR_NO_CHECK_HASH_FOR functionality of Buildroot 2023.08.1 and dev commit 622698d7847. A specially crafted man-in-the-middle attack can lead to arbitrary command execution in the builder. | ||||
| CVE-2022-36359 | 2 Debian, Djangoproject | 2 Debian Linux, Django | 2025-02-13 | 8.8 High |
| An issue was discovered in the HTTP FileResponse class in Django 3.2 before 3.2.15 and 4.0 before 4.0.7. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a FileResponse when the filename is derived from user-supplied input. | ||||
| CVE-2025-1058 | 2025-02-13 | 8.1 High | ||
| CWE-494: Download of Code Without Integrity Check vulnerability exists that could render the device inoperable when malicious firmware is downloaded. | ||||
| CVE-2021-44168 | 1 Fortinet | 1 Fortios | 2025-02-12 | 3.3 Low |
| A download of code without integrity check vulnerability in the "execute restore src-vis" command of FortiOS before 7.0.3 may allow a local authenticated attacker to download arbitrary files on the device via specially crafted update packages. | ||||
| CVE-2024-52331 | 2025-02-12 | 7.5 High | ||
| ECOVACS robot lawnmowers and vacuums use a deterministic symmetric key to decrypt firmware updates. An attacker can create and encrypt malicious firmware that will be successfully decrypted and installed by the robot. | ||||
| CVE-2023-24503 | 1 Electra-air | 1 Smart Kit For Split Ac | 2025-02-06 | 7.5 High |
| Electra Central AC unit – Adjacent attacker may cause the unit to load unauthorized FW. | ||||
| CVE-2023-24500 | 1 Electra-air | 2 Central Ac Unit, Central Ac Unit Firmware | 2025-02-06 | 7.5 High |
| Electra Central AC unit – Adjacent attacker may cause the unit to load unauthorized FW. | ||||
| CVE-2023-28317 | 1 Rocket.chat | 1 Rocket.chat | 2025-01-28 | 5.3 Medium |
| A vulnerability has been discovered in Rocket.Chat, where editing messages can change the original timestamp, causing the UI to display messages in an incorrect order. | ||||
| CVE-2024-42183 | 2025-01-23 | 2.5 Low | ||
| BigFix Patch Download Plug-ins are affected by an arbitrary file download vulnerability. It could allow a malicious operator to download files from arbitrary URLs without any proper validation or allowlist controls. | ||||
| CVE-2024-55459 | 2025-01-09 | 6.5 Medium | ||
| An issue in keras 3.7.0 allows attackers to write arbitrary files to the user's machine via downloading a crafted tar file through the get_file function. | ||||
| CVE-2023-29401 | 2 Gin-gonic, Redhat | 4 Gin, Migration Toolkit Virtualization, Openshift and 1 more | 2025-01-06 | 4.3 Medium |
| The filename parameter of the Context.FileAttachment function is not properly sanitized. A maliciously crafted filename can cause the Content-Disposition header to be sent with an unexpected filename value or otherwise modify the Content-Disposition header. For example, a filename of "setup.bat";x=.txt" will be sent as a file named "setup.bat". If the FileAttachment function is called with names provided by an untrusted source, this may permit an attacker to cause a file to be served with a name different than provided. Maliciously crafted attachment file name can modify the Content-Disposition header. | ||||
| CVE-2024-45321 | 3 App\, Perl, Redhat | 3 \, Cpanminus, Enterprise Linux | 2024-12-05 | 9.8 Critical |
| The App::cpanminus package through 1.7047 for Perl downloads code via insecure HTTP, enabling code execution for network attackers. | ||||
| CVE-2024-54126 | 1 Tp-link | 1 Archer C50 Firmware | 2024-12-05 | N/A |
| This vulnerability exists in the TP-Link Archer C50 due to improper signature verification mechanism in the firmware upgrade process at its web interface. An attacker with administrative privileges within the router’s Wi-Fi range could exploit this vulnerability by uploading and executing malicious firmware which could lead to complete compromise of the targeted device. | ||||
| CVE-2024-33660 | 2024-11-21 | 4.3 Medium | ||
| An exploit is possible where an actor with physical access can manipulate SPI flash without being detected. | ||||