Total
29483 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-37677 | 1 Access Management Specialist Project | 1 Access Management Specialist | 2024-11-21 | N/A | 7.5 HIGH |
| An issue in Shenzhen Weitillage Industrial Co., Ltd the access management specialist V6.62.51215 allows a remote attacker to obtain sensitive information. | |||||
| CVE-2024-37293 | 1 Amazon | 1 Aws Deployment Framework | 2024-11-21 | N/A | 7.5 HIGH |
| The AWS Deployment Framework (ADF) is a framework to manage and deploy resources across multiple AWS accounts and regions within an AWS Organization. ADF allows for staged, parallel, multi-account, cross-region deployments of applications or resources via the structure defined in AWS Organizations while taking advantage of services such as AWS CodePipeline, AWS CodeBuild, and AWS CodeCommit to alleviate the heavy lifting and management compared to a traditional CI/CD setup. ADF contains a bootstrap process that is responsible to deploy ADF's bootstrap stacks to facilitate multi-account cross-region deployments. The ADF bootstrap process relies on elevated privileges to perform this task. Two versions of the bootstrap process exist; a code-change driven pipeline using AWS CodeBuild and an event-driven state machine using AWS Lambda. If an actor has permissions to change the behavior of the CodeBuild project or the Lambda function, they would be able to escalate their privileges. Prior to version 4.0.0, the bootstrap CodeBuild role provides access to the `sts:AssumeRole` operation without further restrictions. Therefore, it is able to assume into any AWS Account in the AWS Organization with the elevated privileges provided by the cross-account access role. By default, this role is not restricted when it is created by AWS Organizations, providing Administrator level access to the AWS resources in the AWS Account. The patches for this issue are included in `aws-deployment-framework` version 4.0.0. As a temporary mitigation, add a permissions boundary to the roles created by ADF in the management account. The permissions boundary should deny all IAM and STS actions. This permissions boundary should be in place until you upgrade ADF or bootstrap a new account. While the permissions boundary is in place, the account management and bootstrapping of accounts are unable to create, update, or assume into roles. This mitigates the privilege escalation risk, but also disables ADF's ability to create, manage, and bootstrap accounts. | |||||
| CVE-2024-37138 | 1 Dell | 1 Data Domain Operating System | 2024-11-21 | N/A | 4.1 MEDIUM |
| Dell PowerProtect DD, versions prior to 8.0, LTS 7.13.1.0, LTS 7.10.1.30, LTS 7.7.5.40 on DDMC contain a relative path traversal vulnerability. A remote high privileged attacker could potentially exploit this vulnerability, leading to the application sending over an unauthorized file to the managed system. | |||||
| CVE-2024-36788 | 1 Netgear | 2 Wnr614, Wnr614 Firmware | 2024-11-21 | N/A | 4.8 MEDIUM |
| Netgear WNR614 JNR1010V2 N300-V1.1.0.54_1.0.1 does not properly set the HTTPOnly flag for cookies. This allows attackers to possibly intercept and access sensitive communications between the router and connected devices. | |||||
| CVE-2024-36416 | 1 Salesagility | 1 Suitecrm | 2024-11-21 | N/A | 8.6 HIGH |
| SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a deprecated v4 API example with no log rotation allows denial of service by logging excessive data. Versions 7.14.4 and 8.6.1 contain a fix for this issue. | |||||
| CVE-2024-36257 | 1 Mattermost | 1 Mattermost | 2024-11-21 | N/A | 2.7 LOW |
| Mattermost versions 9.5.x <= 9.5.5 and 9.8.0, when using shared channels with multiple remote servers connected, fail to check that the remote server A requesting the server B to update the profile picture of a user is the remote that actually has the user as a local one . This allows a malicious remote A to change the profile images of users that belong to another remote server C that is connected to the server A. | |||||
| CVE-2024-35252 | 1 Microsoft | 1 Azure Storage Data Movement Library | 2024-11-21 | N/A | 7.5 HIGH |
| Azure Storage Movement Client Library Denial of Service Vulnerability | |||||
| CVE-2024-35154 | 1 Ibm | 1 Websphere Application Server | 2024-11-21 | N/A | 7.2 HIGH |
| IBM WebSphere Application Server 8.5 and 9.0 could allow a remote authenticated attacker, who has authorized access to the administrative console, to execute arbitrary code. Using specially crafted input, the attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 292641. | |||||
| CVE-2024-34603 | 1 Samsung | 1 Android | 2024-11-21 | N/A | 4.0 MEDIUM |
| Improper access control in Samsung Message prior to SMR Jul-2024 Release 1 allows local attackers to access location data. | |||||
| CVE-2024-34595 | 1 Samsung | 1 Android | 2024-11-21 | N/A | 7.8 HIGH |
| Improper access control in clickAdapterItem of SystemUI prior to SMR Jul-2024 Release 1 allows local attackers to launch privileged activities. | |||||
| CVE-2024-34586 | 1 Samsung | 1 Android | 2024-11-21 | N/A | 5.9 MEDIUM |
| Improper access control in KnoxCustomManagerService prior to SMR Jul-2024 Release 1 allows local attackers to configure Knox privacy policy. | |||||
| CVE-2024-34585 | 1 Samsung | 1 Android | 2024-11-21 | N/A | 7.8 HIGH |
| Improper access control in launchApp of SystemUI prior to SMR Jul-2024 Release 1 allows local attackers to launch privileged activities. | |||||
| CVE-2024-34583 | 1 Samsung | 1 Android | 2024-11-21 | N/A | 4.0 MEDIUM |
| Improper access control in system property prior to SMR Jul-2024 Release 1 allows local attackers to get device identifier. | |||||
| CVE-2024-34363 | 1 Envoyproxy | 1 Envoy | 2024-11-21 | N/A | 7.5 HIGH |
| Envoy is a cloud-native, open source edge and service proxy. Due to how Envoy invoked the nlohmann JSON library, the library could throw an uncaught exception from downstream data if incomplete UTF-8 strings were serialized. The uncaught exception would cause Envoy to crash. | |||||
| CVE-2024-32152 | 3 Ankitects, Linux, Microsoft | 3 Anki, Linux Kernel, Windows | 2024-11-21 | N/A | 3.1 LOW |
| A blocklist bypass vulnerability exists in the LaTeX functionality of Ankitects Anki 24.04. A specially crafted malicious flashcard can lead to an arbitrary file creation at a fixed path. An attacker can share a malicious flashcard to trigger this vulnerability. | |||||
| CVE-2024-31217 | 1 Strapi | 1 Strapi | 2024-11-21 | N/A | 5.3 MEDIUM |
| Strapi is an open-source content management system. Prior to version 4.22.0, a denial-of-service vulnerability is present in the media upload process causing the server to crash without restarting, affecting either development and production environments. Usually, errors in the application cause it to log the error and keep it running for other clients. This behavior, in contrast, stops the server execution, making it unavailable for any clients until it's manually restarted. Any user with access to the file upload functionality is able to exploit this vulnerability, affecting applications running in both development mode and production mode as well. Users should upgrade @strapi/plugin-upload to version 4.22.0 to receive a patch. | |||||
| CVE-2024-30103 | 1 Microsoft | 3 365 Apps, Office, Outlook | 2024-11-21 | N/A | 8.8 HIGH |
| Microsoft Outlook Remote Code Execution Vulnerability | |||||
| CVE-2024-2814 | 1 Tenda | 2 Ac15, Ac15 Firmware | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| A vulnerability was found in Tenda AC15 15.03.20_multi. It has been rated as critical. This issue affects the function fromDhcpListClient of the file /goform/DhcpListClient. The manipulation of the argument page leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-257669 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-2213 | 1 Zenml | 1 Zenml | 2024-11-21 | N/A | 3.3 LOW |
| An issue was discovered in zenml-io/zenml versions up to and including 0.55.4. Due to improper authentication mechanisms, an attacker with access to an active user session can change the account password without needing to know the current password. This vulnerability allows for unauthorized account takeover by bypassing the standard password change verification process. The issue was fixed in version 0.56.3. | |||||
| CVE-2024-2035 | 1 Zenml | 1 Zenml | 2024-11-21 | N/A | 6.5 MEDIUM |
| An improper authorization vulnerability exists in the zenml-io/zenml repository, specifically within the API PUT /api/v1/users/id endpoint. This vulnerability allows any authenticated user to modify the information of other users, including changing the `active` status of user accounts to false, effectively deactivating them. This issue affects version 0.55.3 and was fixed in version 0.56.2. The impact of this vulnerability is significant as it allows for the deactivation of admin accounts, potentially disrupting the functionality and security of the application. | |||||