
CVSS: 5.8 | EPSS: 0% | CPEs: 9 | EXPL: 1

03 Apr 2025 — A vulnerability was found in Tencent Music Entertainment SuperSonic up to 0.9.8. It has been rated as critical. Affected by this issue is some unknown functionality of the file /api/semantic/database/testConnect of the component H2 Database Connection Handler. The manipulation leads to code injection. The attack may be launched remotely. • https://vuldb.com/?id.303110 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

26 Jul 2024 — Insecure Permissions vulnerability in Tencent wechat v.8.0.37 allows an attacker to escalate privileges via the web-view component. • https://github.com/yikaikkk/CookieShareInWebView/blob/master/README.md • CWE-266: Incorrect Privilege Assignment

CVSS: 7.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

09 Jul 2024 — Tencent RapidJSON is vulnerable to privilege escalation due to an integer overflow in the `GenericReader::ParseNumber()` function of `include/rapidjson/reader.h` when parsing JSON text from a stream. An attacker needs to send the victim a crafted file which needs to be opened; this triggers the integer overflow vulnerability (when the file is parsed), leading to elevation of privilege. • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-39684 • CWE-190: Integer Overflow or Wraparound

CVSS: 7.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

09 Jul 2024 — Tencent RapidJSON is vulnerable to privilege escalation due to an integer underflow in the `GenericReader::ParseNumber()` function of `include/rapidjson/reader.h` when parsing JSON text from a stream. An attacker needs to send the victim a crafted file which needs to be opened; this triggers the integer underflow vulnerability (when the file is parsed), leading to elevation of privilege. • https://github.com/Tencent/rapidjson/pull/1261/commits/8269bc2bc289e9d343bae51cdf6d23ef0950e001 • CWE-191: Integer Underflow (Wrap or Wraparound)

CVSS: 6.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

03 May 2024 — Tencent libpag through 4.3.51 has an integer overflow in DecodeStream::checkEndOfFile() in codec/utils/DecodeStream.cpp via a crafted PAG (Portable Animated Graphics) file. • https://github.com/Tencent/libpag/issues/2230 • CWE-122: Heap-based Buffer Overflow

CVSS: 9.8 | EPSS: 1% | CPEs: 1 | EXPL: 1

01 May 2024 — Tencent Libpag v4.3 is vulnerable to Buffer Overflow. A user can send a crafted image to trigger an overflow leading to remote code execution. • https://github.com/HBLocker/CVE-2024-33078 • CWE-680: Integer Overflow to Buffer Overflow

CVSS: 8.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

26 Feb 2024 — Tencent Blueking CMDB v3.2.x to v3.9.x was discovered to contain a Server-Side Request Forgery (SSRF) via the event subscription function (/service/subscription.go). This vulnerability allows attackers to access internal requests via a crafted POST request. • http://blueking.com • CWE-918: Server-Side Request Forgery (SSRF)

CVSS: 7.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

31 Dec 2023 — Tencent tdsqlpcloud through 1.8.5 allows unauthenticated remote attackers to discover database credentials via an index.php/api/install/get_db_info request, a related issue to CVE-2023-42387. • https://github.com/Narrator21/tdsql/blob/main/20230927.md • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 7.8 | EPSS: 0% | CPEs: 2 | EXPL: 0

12 Oct 2023 — There is an interface unauthorized access vulnerability in the background of Tencent Enterprise Wechat Privatization 2.5.x and 2.6.930000. • https://gist.github.com/wwwziziyu/85bdf8d56b415974c4827a5668f493e9 • CWE-863: Incorrect Authorization

CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

09 Aug 2023 — Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in 标准云(std.Cloud) WxSync plugin <= 2.7.23 versions. The WxSync plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.8.0 due to insufficient input sanitization and output escaping. This makes i... • https://patchstack.com/database/vulnerability/wxsync/wordpress-wxsync-plugin-2-7-23-cross-site-scripting-xss?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')