Total
29022 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-23681 | 1 Ls1intum | 1 Artemis Java Test Sandbox | 2024-11-21 | N/A | 8.2 HIGH |
| Artemis Java Test Sandbox versions before 1.11.2 are vulnerable to a sandbox escape when an attacker loads untrusted libraries using System.load or System.loadLibrary. An attacker can abuse this issue to execute arbitrary Java when a victim executes the supposedly sandboxed code. | |||||
| CVE-2024-23447 | 1 Elastic | 1 Network Drive Connector | 2024-11-21 | N/A | 5.3 MEDIUM |
| An issue was discovered in the Windows Network Drive Connector when using Document Level Security to assign permissions to a file, with explicit allow write and deny read. Although the document is not accessible to the user in Network Drive it is visible in search applications to the user. | |||||
| CVE-2024-23446 | 1 Elastic | 1 Kibana | 2024-11-21 | N/A | 6.5 MEDIUM |
| An issue was discovered by Elastic, whereby the Detection Engine Search API does not respect Document-level security (DLS) or Field-level security (FLS) when querying the .alerts-security.alerts-{space_id} indices. Users who are authorized to call this API may obtain unauthorized access to documents if their roles are configured with DLS or FLS against the aforementioned index. | |||||
| CVE-2024-22902 | 1 Vinchin | 1 Vinchin Backup And Recovery | 2024-11-21 | N/A | 9.8 CRITICAL |
| Vinchin Backup & Recovery v7.2 was discovered to be configured with default root credentials. | |||||
| CVE-2024-22901 | 1 Vinchin | 1 Vinchin Backup And Recovery | 2024-11-21 | N/A | 9.8 CRITICAL |
| Vinchin Backup & Recovery v7.2 was discovered to use default MYSQL credentials. | |||||
| CVE-2024-22388 | 1 Hidglobal | 16 Iclass Se Cp1000 Encoder, Iclass Se Cp1000 Encoder Firmware, Iclass Se Processors and 13 more | 2024-11-21 | N/A | 5.9 MEDIUM |
| Certain configuration available in the communication channel for encoders could expose sensitive data when reader configuration cards are programmed. This data could include credential and device administration keys. | |||||
| CVE-2024-22362 | 1 Drupal | 1 Drupal | 2024-11-21 | N/A | 7.5 HIGH |
| Drupal contains a vulnerability with improper handling of structural elements. If this vulnerability is exploited, an attacker may be able to cause a denial-of-service (DoS) condition. | |||||
| CVE-2024-22045 | 1 Siemens | 1 Sinema Remote Connect Client | 2024-11-21 | N/A | 7.6 HIGH |
| A vulnerability has been identified in SINEMA Remote Connect Client (All versions < V3.1 SP1). The product places sensitive information into files or directories that are accessible to actors who are allowed to have access to the files, but not to the sensitive information. This information is also available via the web interface of the product. | |||||
| CVE-2024-21665 | 1 Pimcore | 1 E-commerce Framework | 2024-11-21 | N/A | 4.3 MEDIUM |
| ecommerce-framework-bundle is the Pimcore Ecommerce Framework Bundle. An authenticated and unauthorized user can access the back-office orders list and be able to query over the information returned. Access control and permissions are not being enforced. This vulnerability has been patched in version 1.0.10. | |||||
| CVE-2024-21653 | 1 Vantage6 | 1 Vantage6 | 2024-11-21 | N/A | 6.5 MEDIUM |
| The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). Nodes and servers get a ssh config by default that permits root login with password authentication. In a proper deployment, the SSH service is not exposed so there is no risk, but not all deployments are ideal. The default should therefore be less permissive. The vulnerability can be mitigated by removing the ssh part from the docker file and rebuilding the docker image. Version 4.2.0 patches the vulnerability. | |||||
| CVE-2024-21612 | 1 Juniper | 1 Junos Os Evolved | 2024-11-21 | N/A | 7.5 HIGH |
| An Improper Handling of Syntactically Invalid Structure vulnerability in Object Flooding Protocol (OFP) service of Juniper Networks Junos OS Evolved allows an unauthenticated, network-based attacker to cause a Denial of Service (DoS). On all Junos OS Evolved platforms, when specific TCP packets are received on an open OFP port, the OFP crashes leading to a restart of Routine Engine (RE). Continuous receipt of these specific TCP packets will lead to a sustained Denial of Service (DoS) condition. This issue affects: Juniper Networks Junos OS Evolved * All versions earlier than 21.2R3-S7-EVO; * 21.3 versions earlier than 21.3R3-S5-EVO ; * 21.4 versions earlier than 21.4R3-S5-EVO; * 22.1 versions earlier than 22.1R3-S4-EVO; * 22.2 versions earlier than 22.2R3-S3-EVO ; * 22.3 versions earlier than 22.3R3-EVO; * 22.4 versions earlier than 22.4R2-EVO, 22.4R3-EVO. | |||||
| CVE-2024-21607 | 1 Juniper | 23 Ex9200, Ex9204, Ex9208 and 20 more | 2024-11-21 | N/A | 5.3 MEDIUM |
| An Unsupported Feature in the UI vulnerability in Juniper Networks Junos OS on MX Series and EX9200 Series allows an unauthenticated, network-based attacker to cause partial impact to the integrity of the device. If the "tcp-reset" option is added to the "reject" action in an IPv6 filter which matches on "payload-protocol", packets are permitted instead of rejected. This happens because the payload-protocol match criteria is not supported in the kernel filter causing it to accept all packets without taking any other action. As a fix the payload-protocol match will be treated the same as a "next-header" match to avoid this filter bypass. This issue doesn't affect IPv4 firewall filters. This issue affects Juniper Networks Junos OS on MX Series and EX9200 Series: * All versions earlier than 20.4R3-S7; * 21.1 versions earlier than 21.1R3-S5; * 21.2 versions earlier than 21.2R3-S5; * 21.3 versions earlier than 21.3R3-S4; * 21.4 versions earlier than 21.4R3-S4; * 22.1 versions earlier than 22.1R3-S2; * 22.2 versions earlier than 22.2R3-S2; * 22.3 versions earlier than 22.3R2-S2, 22.3R3; * 22.4 versions earlier than 22.4R1-S2, 22.4R2-S2, 22.4R3. | |||||
| CVE-2024-21600 | 1 Juniper | 1 Junos | 2024-11-21 | N/A | 6.5 MEDIUM |
| An Improper Neutralization of Equivalent Special Elements vulnerability in the Packet Forwarding Engine (PFE) of Juniper Networks Junos OS on PTX Series allows a unauthenticated, adjacent attacker to cause a Denial of Service (DoS). When MPLS packets are meant to be sent to a flexible tunnel interface (FTI) and if the FTI tunnel is down, these will hit the reject NH, due to which the packets get sent to the CPU and cause a host path wedge condition. This will cause the FPC to hang and requires a manual restart to recover. Please note that this issue specifically affects PTX1000, PTX3000, PTX5000 with FPC3, PTX10002-60C, and PTX10008/16 with LC110x. Other PTX Series devices and Line Cards (LC) are not affected. The following log message can be seen when the issue occurs: Cmerror Op Set: Host Loopback: HOST LOOPBACK WEDGE DETECTED IN PATH ID <id> (URI: /fpc/<fpc>/pfe/<pfe>/cm/<cm>/Host_Loopback/<cm>/HOST_LOOPBACK_MAKE_CMERROR_ID[<id>]) This issue affects Juniper Networks Junos OS: * All versions earlier than 20.4R3-S8; * 21.1 versions earlier than 21.1R3-S4; * 21.2 versions earlier than 21.2R3-S6; * 21.3 versions earlier than 21.3R3-S3; * 21.4 versions earlier than 21.4R3-S5; * 22.1 versions earlier than 22.1R2-S2, 22.1R3; * 22.2 versions earlier than 22.2R2-S1, 22.2R3. | |||||
| CVE-2024-21589 | 1 Juniper | 1 Paragon Active Assurance Control Center | 2024-11-21 | N/A | 7.4 HIGH |
| An Improper Access Control vulnerability in the Juniper Networks Paragon Active Assurance Control Center allows an unauthenticated network-based attacker to access reports without authenticating, potentially containing sensitive configuration information. A feature was introduced in version 3.1.0 of the Paragon Active Assurance Control Center which allows users to selectively share account data. By exploiting this vulnerability, it is possible to access reports without being logged in, resulting in the opportunity for malicious exfiltration of user data. Note that the Paragon Active Assurance Control Center SaaS offering is not affected by this issue. This issue affects Juniper Networks Paragon Active Assurance versions 3.1.0, 3.2.0, 3.2.2, 3.3.0, 3.3.1, 3.4.0. This issue does not affect Juniper Networks Paragon Active Assurance versions earlier than 3.1.0. | |||||
| CVE-2024-20895 | 1 Samsung | 1 Android | 2024-11-21 | N/A | 7.7 HIGH |
| Improper access control in Dar service prior to SMR Jul-2024 Release 1 allows local attackers to bypass restriction for calling SDP features. | |||||
| CVE-2024-20891 | 1 Samsung | 1 Android | 2024-11-21 | N/A | 7.8 HIGH |
| Improper access control in launchFullscreenIntent of SystemUI prior to SMR Jul-2024 Release 1 allows local attackers to launch privileged activities. | |||||
| CVE-2024-20888 | 1 Samsung | 1 Android | 2024-11-21 | N/A | 7.8 HIGH |
| Improper access control in OneUIHome prior to SMR Jul-2024 Release 1 allows local attackers to launch privileged activities. User interaction is required for triggering this vulnerability. | |||||
| CVE-2024-20827 | 1 Samsung | 1 Gallery | 2024-11-21 | N/A | 4.6 MEDIUM |
| Improper access control vulnerability in Samsung Gallery prior to version 14.5.04.4 allows physical attackers to access the picture using physical keyboard on the lockscreen. | |||||
| CVE-2024-20826 | 1 Samsung | 1 Uphelper Library | 2024-11-21 | N/A | 5.5 MEDIUM |
| Implicit intent hijacking vulnerability in UPHelper library prior to version 4.0.0 allows local attackers to access sensitive information via implicit intent. | |||||
| CVE-2024-1873 | 1 Lollms | 1 Lollms Web Ui | 2024-11-21 | N/A | 9.1 CRITICAL |
| parisneo/lollms-webui is vulnerable to path traversal and denial of service attacks due to an exposed `/select_database` endpoint in version a9d16b0. The endpoint improperly handles file paths, allowing attackers to specify absolute paths when interacting with the `DiscussionsDB` instance. This flaw enables attackers to create directories anywhere on the system where the application has permissions, potentially leading to denial of service by creating directories with names of critical files, such as HTTPS certificate files, causing server startup failures. Additionally, attackers can manipulate the database path, resulting in the loss of client data by constantly changing the file location to an attacker-controlled location, scattering the data across the filesystem and making recovery difficult. | |||||