Total
1745 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-27396 | 1 Omron | 542 Cj2h-cpu64, Cj2h-cpu64-eip, Cj2h-cpu64-eip Firmware and 539 more | 2024-12-24 | N/A | 9.8 CRITICAL |
| FINS (Factory Interface Network Service) is a message communication protocol, which is designed to be used in closed FA (Factory Automation) networks, and is used in FA networks composed of OMRON products. Multiple OMRON products that implement FINS protocol contain following security issues -- (1)Plaintext communication, and (2)No authentication required. When FINS messages are intercepted, the contents may be retrieved. When arbitrary FINS messages are injected, any commands may be executed on, or the system information may be retrieved from, the affected device. Affected products and versions are as follows: SYSMAC CS-series CPU Units, all versions, SYSMAC CJ-series CPU Units, all versions, SYSMAC CP-series CPU Units, all versions, SYSMAC NJ-series CPU Units, all versions, SYSMAC NX1P-series CPU Units, all versions, SYSMAC NX102-series CPU Units, all versions, and SYSMAC NX7 Database Connection CPU Units (Ver.1.16 or later) | |||||
| CVE-2024-21855 | 1 Mayuresh82 | 1 Gocast | 2024-12-20 | N/A | 9.8 CRITICAL |
| A lack of authentication vulnerability exists in the HTTP API functionality of GoCast 1.1.3. A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an unauthenticated HTTP request to trigger this vulnerability. | |||||
| CVE-2024-25618 | 1 Joinmastodon | 1 Mastodon | 2024-12-18 | N/A | 4.2 MEDIUM |
| Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows new identities from configured authentication providers (CAS, SAML, OIDC) to attach to existing local users with the same e-mail address. This results in a possible account takeover if the authentication provider allows changing the e-mail address or multiple authentication providers are configured. When a user logs in through an external authentication provider for the first time, Mastodon checks the e-mail address passed by the provider to find an existing account. However, using the e-mail address alone means that if the authentication provider allows changing the e-mail address of an account, the Mastodon account can immediately be hijacked. All users logging in through external authentication providers are affected. The severity is medium, as it also requires the external authentication provider to misbehave. However, some well-known OIDC providers (like Microsoft Azure) make it very easy to accidentally allow unverified e-mail changes. Moreover, OpenID Connect also allows dynamic client registration. This issue has been addressed in versions 4.2.6, 4.1.14, 4.0.14, and 3.5.18. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2024-12371 | 2024-12-18 | N/A | N/A | ||
| A device takeover vulnerability exists in the Rockwell Automation Power Monitor 1000. This vulnerability allows configuration of a new Policyholder user without any authentication via API. Policyholder user is the most privileged user that can perform edit operations, creating admin users and performing factory reset. | |||||
| CVE-2024-51493 | 1 Octoprint | 1 Octoprint | 2024-12-18 | N/A | 5.3 MEDIUM |
| OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.10.2 contain a vulnerability that allows an attacker that has gained temporary control over an authenticated victim's OctoPrint browser session to retrieve/recreate/delete the user's or - if the victim has admin permissions - the global API key without having to reauthenticate by re-entering the user account's password. An attacker could use a stolen API key to access OctoPrint through its API, or disrupt workflows depending on the API key they deleted. This vulnerability will be patched in version 1.10.3 and all users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2022-48496 | 1 Huawei | 1 Emui | 2024-12-17 | N/A | 7.5 HIGH |
| Vulnerability of lax app identity verification in the pre-authorization function.Successful exploitation of this vulnerability will cause malicious apps to become pre-authorized. | |||||
| CVE-2022-48494 | 1 Huawei | 1 Emui | 2024-12-17 | N/A | 7.5 HIGH |
| Vulnerability of lax app identity verification in the pre-authorization function.Successful exploitation of this vulnerability will cause malicious apps to become pre-authorized. | |||||
| CVE-2021-26280 | 2024-12-17 | N/A | 7.9 HIGH | ||
| Locally installed application can bypass the permission check and perform system operations that require permission. | |||||
| CVE-2021-26278 | 2024-12-17 | N/A | 6.3 MEDIUM | ||
| The wifi module exposes the interface and has improper permission control, leaking sensitive information about the device. | |||||
| CVE-2020-12484 | 2024-12-17 | N/A | 6.4 MEDIUM | ||
| When using special mode to connect to enterprise wifi, certain options are not properly configured and attackers can pretend to be enterprise wifi through a carefully constructed wifi with the same name, which can lead to man-in-the-middle attacks. | |||||
| CVE-2024-10205 | 2024-12-17 | N/A | 9.4 CRITICAL | ||
| Authentication Bypass vulnerability in Hitachi Ops Center Analyzer on Linux, 64 bit (Hitachi Ops Center Analyzer detail view component), Hitachi Infrastructure Analytics Advisor on Linux, 64 bit (Hitachi Data Center Analytics component ).This issue affects Hitachi Ops Center Analyzer: from 10.0.0-00 before 11.0.3-00; Hitachi Infrastructure Analytics Advisor: from 2.1.0-00 through 4.4.0-00. | |||||
| CVE-2024-2450 | 1 Mattermost | 1 Mattermost Server | 2024-12-13 | N/A | 8.8 HIGH |
| Mattermost versions 8.1.x before 8.1.10, 9.2.x before 9.2.6, 9.3.x before 9.3.2, and 9.4.x before 9.4.3 fail to correctly verify account ownership when switching from email to SAML authentication, allowing an authenticated attacker to take over other user accounts via a crafted switch request under specific conditions. | |||||
| CVE-2024-9164 | 1 Gitlab | 1 Gitlab | 2024-12-13 | N/A | 9.6 CRITICAL |
| An issue was discovered in GitLab EE affecting all versions starting from 12.5 prior to 17.2.9, starting from 17.3, prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows running pipelines on arbitrary branches. | |||||
| CVE-2024-26011 | 1 Fortinet | 6 Fortimanager, Fortios, Fortipam and 3 more | 2024-12-12 | N/A | 5.3 MEDIUM |
| A missing authentication for critical function in Fortinet FortiManager version 7.4.0 through 7.4.2, 7.2.0 through 7.2.4, 7.0.0 through 7.0.11, 6.4.0 through 6.4.14, FortiPAM version 1.2.0, 1.1.0 through 1.1.2, 1.0.0 through 1.0.3, FortiProxy version 7.4.0 through 7.4.2, 7.2.0 through 7.2.9, 7.0.0 through 7.0.17, 2.0.0 through 2.0.14, 1.2.0 through 1.2.13, 1.1.0 through 1.1.6, 1.0.0 through 1.0.7, FortiSwitchManager version 7.2.0 through 7.2.3, 7.0.0 through 7.0.3, FortiPortal version 6.0.0 through 6.0.14, FortiOS version 7.4.0 through 7.4.3, 7.2.0 through 7.2.7, 7.0.0 through 7.0.14, 6.4.0 through 6.4.15, 6.2.0 through 6.2.16, 6.0.0 through 6.0.18 allows attacker to execute unauthorized code or commands via specially crafted packets. | |||||
| CVE-2022-48621 | 1 Huawei | 2 Emui, Harmonyos | 2024-12-06 | N/A | 7.5 HIGH |
| Vulnerability of missing authentication for critical functions in the Wi-Fi module.Successful exploitation of this vulnerability may affect service confidentiality. | |||||
| CVE-2024-10776 | 2024-12-06 | N/A | 8.2 HIGH | ||
| Lua apps can be deployed, removed, started, reloaded or stopped without authorization via AppManager. This allows an attacker to remove legitimate apps creating a DoS attack, read and write files or load apps that use all features of the product available to a customer. | |||||
| CVE-2024-10774 | 2024-12-06 | N/A | 7.3 HIGH | ||
| Unauthenticated CROWN APIs allow access to critical functions. This leads to the accessibility of large parts of the web application without authentication. | |||||
| CVE-2024-35342 | 2024-12-05 | N/A | 4.6 MEDIUM | ||
| Certain Anpviz products allow unauthenticated users to modify or disable camera related settings such as microphone volume, speaker volume, LED lighting, NTP, motion detection, etc. This affects IPC-D250, IPC-D260, IPC-B850, IPC-D850, IPC-D350, IPC-D3150, IPC-D4250, IPC-D380, IPC-D880, IPC-D280, IPC-D3180, MC800N, YM500L, YM800N_N2, YMF50B, YM800SV2, YM500L8, and YM200E10 firmware v3.2.2.2 and lower and possibly more vendors/models of IP camera. | |||||
| CVE-2024-53623 | 2024-12-02 | N/A | 7.5 HIGH | ||
| Incorrect access control in the component l_0_0.xml of TP-Link ARCHER-C7 v5 allows attackers to access sensitive information. | |||||
| CVE-2024-50381 | 2024-12-02 | N/A | N/A | ||
| A vulnerability exists in Snap One OVRC cloud where an attacker can impersonate a Hub device and send requests to claim and unclaim devices. The attacker only needs to provide the MAC address of the targeted device and can make a request to unclaim it from its original connection and make a request to claim it. | |||||