Total
1790 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2024-55579 | 2024-12-10 | N/A | 8.8 HIGH | ||
An issue was discovered in Qlik Sense Enterprise for Windows before November 2024 IR. An unprivileged user with network access may be able to create connection objects that trigger execution of arbitrary EXE files. This is fixed in November 2024 IR, May 2024 Patch 10, February 2024 Patch 14, November 2023 Patch 16, August 2023 Patch 16, May 2023 Patch 18, and February 2023 Patch 15. | |||||
CVE-2024-27798 | 1 Apple | 1 Macos | 2024-12-09 | N/A | 7.8 HIGH |
An authorization issue was addressed with improved state management. This issue is fixed in macOS Sonoma 14.5. An attacker may be able to elevate privileges. | |||||
CVE-2023-52361 | 1 Huawei | 1 Harmonyos | 2024-12-09 | N/A | 7.5 HIGH |
The VerifiedBoot module has a vulnerability that may cause authentication errors.Successful exploitation of this vulnerability may affect integrity. | |||||
CVE-2024-23262 | 1 Apple | 3 Ipados, Iphone Os, Visionos | 2024-12-09 | N/A | 3.3 LOW |
This issue was addressed with additional entitlement checks. This issue is fixed in visionOS 1.1, iOS 17.4 and iPadOS 17.4, iOS 16.7.6 and iPadOS 16.7.6. An app may be able to spoof system notifications and UI. | |||||
CVE-2024-45204 | 2024-12-06 | N/A | 7.7 HIGH | ||
A vulnerability exists where a low-privileged user can exploit insufficient permissions in credential handling to leak NTLM hashes of saved credentials. The exploitation involves using retrieved credentials to expose sensitive NTLM hashes, impacting systems beyond the initial target and potentially leading to broader security vulnerabilities. | |||||
CVE-2023-29708 | 1 Wavlink | 1 Wavrouter App | 2024-12-06 | N/A | 7.5 HIGH |
An issue was discovered in /cgi-bin/adm.cgi in WavLink WavRouter version RPT70HA1.x, allows attackers to force a factory reset via crafted payload. | |||||
CVE-2024-11680 | 1 Projectsend | 1 Projectsend | 2024-12-06 | N/A | 9.8 CRITICAL |
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Remote, unauthenticated attackers can exploit this flaw by sending crafted HTTP requests to options.php, enabling unauthorized modification of the application's configuration. Successful exploitation allows attackers to create accounts, upload webshells, and embed malicious JavaScript. | |||||
CVE-2024-23255 | 1 Apple | 3 Ipad Os, Iphone Os, Macos | 2024-12-06 | N/A | 2.4 LOW |
An authentication issue was addressed with improved state management. This issue is fixed in macOS Sonoma 14.4, iOS 17.4 and iPadOS 17.4. Photos in the Hidden Photos Album may be viewed without authentication. | |||||
CVE-2024-12148 | 2024-12-05 | N/A | 4.3 MEDIUM | ||
Incorrect authorization in permission validation component in Devolutions Server 2024.3.6.0 and earlier allows an authenticated user to access some reporting endpoints. | |||||
CVE-2024-12247 | 2024-12-05 | N/A | 4.6 MEDIUM | ||
Mattermost versions 9.7.x <= 9.7.5, 9.8.x <= 9.8.2 and 9.9.x <= 9.9.2 fail to properly propagate permission scheme updates across cluster nodes which allows a user to keep old permissions, even if the permission scheme has been updated. | |||||
CVE-2023-32353 | 1 Apple | 1 Itunes | 2024-12-05 | N/A | 7.8 HIGH |
A logic issue was addressed with improved checks. This issue is fixed in iTunes 12.12.9 for Windows. An app may be able to elevate privileges. | |||||
CVE-2021-30205 | 1 Dzzoffice | 1 Dzzoffice | 2024-12-05 | N/A | 5.3 MEDIUM |
Incorrect access control in the component /index.php?mod=system&op=orgtree of dzzoffice 2.02.1_SC_UTF8 allows unauthenticated attackers to browse departments and usernames. | |||||
CVE-2024-12196 | 2024-12-04 | N/A | 6.5 MEDIUM | ||
Incorrect authorization in the permission component in Devolutions Server 2024.3.7.0 and earlier allows an authenticated user to view the password history of an entry without the view password permission. | |||||
CVE-2024-50671 | 2024-12-04 | N/A | 4.3 MEDIUM | ||
Incorrect access control in Adapt Learning Adapt Authoring Tool <= 0.11.3 allows attackers with Authenticated User roles to obtain email addresses via the "Get users" feature. The vulnerability occurs due to a flaw in permission verification logic, where the wildcard character in permitted URLs grants unintended access to endpoints restricted to users with Super Admin roles. This makes it possible for attackers to disclose the email addresses of all users. | |||||
CVE-2023-34148 | 2 Microsoft, Trendmicro | 2 Windows, Apex One | 2024-12-04 | N/A | 7.8 HIGH |
An exposed dangerous function vulnerability in the Trend Micro Apex One and Apex One as a Service security agent could allow a local attacker to escalate privileges and write an arbitrary value to specific Trend Micro agent subkeys on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This is a similar, but not identical vulnerability as CVE-2023-34146 and CVE-2023-34147. | |||||
CVE-2023-34147 | 2 Microsoft, Trendmicro | 2 Windows, Apex One | 2024-12-04 | N/A | 7.8 HIGH |
An exposed dangerous function vulnerability in the Trend Micro Apex One and Apex One as a Service security agent could allow a local attacker to escalate privileges and write an arbitrary value to specific Trend Micro agent subkeys on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This is a similar, but not identical vulnerability as CVE-2023-34146 and CVE-2023-34148. | |||||
CVE-2023-34146 | 2 Microsoft, Trendmicro | 2 Windows, Apex One | 2024-12-04 | N/A | 7.8 HIGH |
An exposed dangerous function vulnerability in the Trend Micro Apex One and Apex One as a Service security agent could allow a local attacker to escalate privileges and write an arbitrary value to specific Trend Micro agent subkeys on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. This is a similar, but not identical vulnerability as CVE-2023-34147 and CVE-2023-34148. | |||||
CVE-2024-42452 | 2024-12-04 | N/A | 8.8 HIGH | ||
A vulnerability in Veeam Backup & Replication allows a low-privileged user to start an agent remotely in server mode and obtain credentials, effectively escalating privileges to system-level access. This allows the attacker to upload files to the server with elevated privileges. The vulnerability exists because remote calls bypass permission checks, leading to full system compromise. | |||||
CVE-2024-42451 | 2024-12-04 | N/A | 7.7 HIGH | ||
A vulnerability in Veeam Backup & Replication allows low-privileged users to leak all saved credentials in plaintext. This is achieved by calling a series of methods over an external protocol, ultimately retrieving the credentials using a malicious setup on the attacker's side. This exposes sensitive data, which could be used for further attacks, including unauthorized access to systems managed by the platform. | |||||
CVE-2023-52944 | 2024-12-04 | N/A | 4.3 MEDIUM | ||
Incorrect authorization vulnerability in ActionRule webapi component in Synology Surveillance Station before 9.2.0-11289 and 9.2.0-9289 allows remote authenticated users to perform limited actions on the set action rules function via unspecified vectors. |