| Country | Number |
|---|---|
| United States | 3344 |
| France | 3248 |
| China | 2147 |
| UK | 1827 |
| India | 1699 |
| Ukraine | 1366 |
| Taiwan | 1321 |
| Germany | 1156 |
| Russia | 988 |
| Pakistan | 532 |
| Port | Number |
|---|---|
| 80 | 28795 |
| 23 | 21105 |
| 25 | 2879 |
| 8080 | 2844 |
| 2323 | 2270 |
| 21 | 2091 |
| 110 | 1319 |
| Exploit | Exploit Information | CVE |
|---|---|---|
| TP-Link Archer AX21 (AX1800) firmware versions before 1 | TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219 contained a command injection vulnerability in the country form of the /cgi-bin/luci;stok=/locale endpoint on the web management interface. Specifically, the country parameter of the write operation was not sanitized before being used in a call to popen(), allowing an unauthenticated attacker to inject commands, which would be run as root, with a simple POST request. | CVE-2023-1389 |
| msgraph-sdk-php is the Microsoft Graph Library for PHP | msgraph-sdk-php is the Microsoft Graph Library for PHP. The Microsoft Graph PHP SDK published packages which contained test code that enabled the use of the phpInfo() function from any application that could access and execute the file at vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php. The phpInfo function exposes system information. The vulnerability affects the GetPhpInfo.php script of the PHP SDK which contains a call to the phpinfo() function. This vulnerability requires a misconfiguration of the server to be present so it can be exploited. For example, making the PHP application’s /vendor directory web accessible. The combination of the vulnerability and the server misconfiguration would allow an attacker to craft an HTTP request that executes the phpinfo() method. The attacker would then be able to get access to system information like configuration, modules, and environment variables and later on use the compromised secrets to access additional data. This problem has been patched in versions 1.109.1 and 2.0.0-RC5. If an immediate deployment with the updated vendor package is not available, you can perform the following temporary workarounds: delete the `vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php` file, remove access to the `/vendor` directory, or disable the phpinfo function. | CVE-2023-49282 |
| Possible path traversal in Apache OFBiz allowing authentication bypass | Possible path traversal in Apache OFBiz allowing authentication bypass. Users are recommended to upgrade to version 18.12.12, that fixes the issue. | CVE-2024-25065 |
| GeoServer is an open source server that allows users to share and edit geospatial data | GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to **ALL** GeoServer instances. No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. This vulnerability can lead to executing arbitrary code. Versions 2.23.6, 2.24.4, and 2.25.2 contain a patch for the issue. A workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed. | CVE-2024-36401 |
| senddoc in OpenOffice | senddoc in OpenOffice.org (OOo) 2.4.1 allows local users to overwrite arbitrary files via a symlink attack on a /tmp/log.obr.##### temporary file. | CVE-2008-4937 |
| SQL Injection exists in the OS Property Real Estate 3 | SQL Injection exists in the OS Property Real Estate 3.12.7 component for Joomla! via the cooling_system1, heating_system1, or laundry parameter. | CVE-2018-7319 |
Last updated: November 1, 2024 | ||
If it's a great idea but you need help to make it a demonstrable reality Web Loft can help.
Webloft has experience in rapid prototyping using modern
industry standard components.
Web Loft has a wealth of experience working with a variety of technologies, languages and frameworks. Looking for something specific? Please check out the list below. If you don't see what you're looking for please get in touch and we can discuss how we can help.