Total
331 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-40813 | 1 Apple | 3 Ipados, Iphone Os, Watchos | 2024-11-21 | N/A | 4.6 MEDIUM |
| A lock screen issue was addressed with improved state management. This issue is fixed in watchOS 10.6, iOS 17.6 and iPadOS 17.6. An attacker with physical access may be able to use Siri to access sensitive user data. | |||||
| CVE-2024-39459 | 2024-11-21 | N/A | 4.3 MEDIUM | ||
| In rare cases Jenkins Plain Credentials Plugin 182.v468b_97b_9dcb_8 and earlier stores secret file credentials unencrypted (only Base64 encoded) on the Jenkins controller file system, where they can be viewed by users with access to the Jenkins controller file system (global credentials) or with Item/Extended Read permission (folder-scoped credentials). | |||||
| CVE-2024-38453 | 2024-11-21 | N/A | 7.5 HIGH | ||
| The Avalara for Salesforce CPQ app before 7.0 for Salesforce allows attackers to read an API key. NOTE: the current version is 11 as of mid-2024. | |||||
| CVE-2024-36788 | 1 Netgear | 2 Wnr614, Wnr614 Firmware | 2024-11-21 | N/A | 4.8 MEDIUM |
| Netgear WNR614 JNR1010V2 N300-V1.1.0.54_1.0.1 does not properly set the HTTPOnly flag for cookies. This allows attackers to possibly intercept and access sensitive communications between the router and connected devices. | |||||
| CVE-2024-35526 | 2024-11-21 | N/A | 5.9 MEDIUM | ||
| An issue in Daemon PTY Limited FarCry Core framework before 7.2.14 allows attackers to access sensitive information in the /facade directory. | |||||
| CVE-2024-33004 | 2024-11-21 | N/A | 4.3 MEDIUM | ||
| SAP Business Objects Business Intelligence Platform is vulnerable to Insecure Storage as dynamic web pages are getting cached even after logging out. On successful exploitation, the attacker can see the sensitive information through cache and can open the pages causing limited impact on Confidentiality, Integrity and Availability of the application. | |||||
| CVE-2024-32211 | 2024-11-21 | N/A | 5.5 MEDIUM | ||
| An issue in LOGINT LoMag Inventory Management v1.0.20.120 and before allows a local attacker to obtain sensitive information via the UserClass.cs and Settings.cs components. | |||||
| CVE-2024-31400 | 2024-11-21 | N/A | 6.5 MEDIUM | ||
| Insertion of sensitive information into sent data issue exists in Cybozu Garoon 5.0.0 to 5.15.0. If this vulnerability is exploited, unintended data may be left in forwarded mail. | |||||
| CVE-2024-28132 | 2024-11-21 | N/A | 4.4 MEDIUM | ||
| Exposure of Sensitive Information vulnerability exists in the GSLB container, which may allow an authenticated attacker with local access to view sensitive information. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | |||||
| CVE-2024-25728 | 1 Expressvpn | 1 Expressvpn | 2024-11-21 | N/A | 7.5 HIGH |
| ExpressVPN before 12.73.0 on Windows, when split tunneling is used, sends DNS requests according to the Windows configuration (e.g., sends them to DNS servers operated by the user's ISP instead of to the ExpressVPN DNS servers), which may allow remote attackers to obtain sensitive information about websites visited by VPN users. | |||||
| CVE-2024-25655 | 2024-11-21 | N/A | 6.5 MEDIUM | ||
| Insecure storage of LDAP passwords in the authentication functionality of AVSystem Unified Management Platform (UMP) 23.07.0.16567~LTS allows members (with read access to the application database) to decrypt the LDAP passwords of users who successfully authenticate to web management via LDAP. | |||||
| CVE-2024-25360 | 1 Motorola | 2 Cx2l, Cx2l Firmware | 2024-11-21 | N/A | 5.3 MEDIUM |
| A hidden interface in Motorola CX2L Router firmware v1.0.1 leaks information regarding the SystemWizardStatus component via sending a crafted request to device_web_ip. | |||||
| CVE-2024-23445 | 2024-11-21 | N/A | 6.5 MEDIUM | ||
| It was identified that if a cross-cluster API key https://www.elastic.co/guide/en/elasticsearch/reference/8.14/security-api-create-cross-cluster-api-key.html#security-api-create-cross-cluster-api-key-request-body restricts search for a given index using the query or the field_security parameter, and the same cross-cluster API key also grants replication for the same index, the search restrictions are not enforced during cross cluster search operations and search results may include documents and terms that should not be returned. This issue only affects the API key based security model for remote clusters https://www.elastic.co/guide/en/elasticsearch/reference/8.14/remote-clusters.html#remote-clusters-security-models that was previously a beta feature and is released as GA with 8.14.0 | |||||
| CVE-2024-22808 | 2024-11-21 | N/A | 7.5 HIGH | ||
| An issue in Tormach xsTECH CNC Router, PathPilot Controller v2.9.6 allows attackers to cause a Denial of Service (DoS) by disrupting the communication between the PathPilot controller and the CNC router via overwriting the card's name in the device memory. | |||||
| CVE-2024-22193 | 1 Vantage6 | 1 Vantage6 | 2024-11-21 | N/A | 3.5 LOW |
| The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). There are no checks on whether the input is encrypted if a task is created in an encrypted collaboration. Therefore, a user may accidentally create a task with sensitive input data that will then be stored unencrypted in a database. Users should ensure they set the encryption setting correctly. This vulnerability is patched in 4.2.0. | |||||
| CVE-2023-6460 | 1 Google | 1 Cloud Firestore | 2024-11-21 | N/A | 4.0 MEDIUM |
| A potential logging of the firestore key via logging within nodejs-firestore exists - Developers who were logging objects through this._settings would be logging the firestore key as well potentially exposing it to anyone with logs read access. We recommend upgrading to version 6.1.0 to avoid this issue | |||||
| CVE-2023-49515 | 1 Tp-link | 4 Tapo C200, Tapo C200 Firmware, Tapo Tc70 and 1 more | 2024-11-21 | N/A | 4.6 MEDIUM |
| Insecure Permissiosn vulnerability in TP Link TC70 and C200 WIFI Camera v.3 firmware v.1.3.4 and fixed in v.1.3.11 allows a physically proximate attacker to obtain sensitive information via a connection to the UART pin components. | |||||
| CVE-2023-45184 | 1 Ibm | 1 I Access Client Solutions | 2024-11-21 | N/A | 6.2 MEDIUM |
| IBM i Access Client Solutions 1.1.2 through 1.1.4 and 1.1.4.3 through 1.1.9.3 could allow an attacker to obtain a decryption key due to improper authority checks. IBM X-Force ID: 268270. | |||||
| CVE-2023-45182 | 1 Ibm | 1 I Access Client Solutions | 2024-11-21 | N/A | 7.4 HIGH |
| IBM i Access Client Solutions 1.1.2 through 1.1.4 and 1.1.4.3 through 1.1.9.3 is vulnerable to having its key for an encrypted password decoded. By somehow gaining access to the encrypted password, a local attacker could exploit this vulnerability to obtain the password to other systems. IBM X-Force ID: 268265. | |||||
| CVE-2023-43634 | 1 Lfedge | 1 Eve | 2024-11-21 | N/A | 8.8 HIGH |
| When sealing/unsealing the “vault” key, a list of PCRs is used, which defines which PCRs are used. In a previous project, CYMOTIVE found that the configuration is not protected by the secure boot, and in response Zededa implemented measurements on the config partition that was mapped to PCR 13. In that process, PCR 13 was added to the list of PCRs that seal/unseal the key. In commit “56e589749c6ff58ded862d39535d43253b249acf”, the config partition measurement moved from PCR 13 to PCR 14, but PCR 14 was not added to the list of PCRs that seal/unseal the key. This change makes the measurement of PCR 14 effectively redundant as it would not affect the sealing/unsealing of the key. An attacker could modify the config partition without triggering the measured boot, this could result in the attacker gaining full control over the device with full access to the contents of the encrypted “vault” | |||||