Total
29308 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2024-39303 | 1 Weblate | 1 Weblate | 2024-11-21 | N/A | 4.4 MEDIUM |
Weblate is a web based localization tool. Prior to version 5.6.2, Weblate didn't correctly validate filenames when restoring project backup. It may be possible to gain unauthorized access to files on the server using a crafted ZIP file. This issue has been addressed in Weblate 5.6.2. As a workaround, do not allow untrusted users to create projects. | |||||
CVE-2024-39210 | 1 Mayurik | 1 Best House Rental Management System | 2024-11-21 | N/A | 7.5 HIGH |
Best House Rental Management System v1.0 was discovered to contain an arbitrary file read vulnerability via the Page parameter at index.php. This vulnerability allows attackers to read arbitrary PHP files and access other sensitive information within the application. | |||||
CVE-2024-38602 | 1 Linux | 1 Linux Kernel | 2024-11-21 | N/A | 5.5 MEDIUM |
In the Linux kernel, the following vulnerability has been resolved: ax25: Fix reference count leak issues of ax25_dev The ax25_addr_ax25dev() and ax25_dev_device_down() exist a reference count leak issue of the object "ax25_dev". Memory leak issue in ax25_addr_ax25dev(): The reference count of the object "ax25_dev" can be increased multiple times in ax25_addr_ax25dev(). This will cause a memory leak. Memory leak issues in ax25_dev_device_down(): The reference count of ax25_dev is set to 1 in ax25_dev_device_up() and then increase the reference count when ax25_dev is added to ax25_dev_list. As a result, the reference count of ax25_dev is 2. But when the device is shutting down. The ax25_dev_device_down() drops the reference count once or twice depending on if we goto unlock_put or not, which will cause memory leak. As for the issue of ax25_addr_ax25dev(), it is impossible for one pointer to be on a list twice. So add a break in ax25_addr_ax25dev(). As for the issue of ax25_dev_device_down(), increase the reference count of ax25_dev once in ax25_dev_device_up() and decrease the reference count of ax25_dev after it is removed from the ax25_dev_list. | |||||
CVE-2024-38554 | 1 Linux | 1 Linux Kernel | 2024-11-21 | N/A | 5.5 MEDIUM |
In the Linux kernel, the following vulnerability has been resolved: ax25: Fix reference count leak issue of net_device There is a reference count leak issue of the object "net_device" in ax25_dev_device_down(). When the ax25 device is shutting down, the ax25_dev_device_down() drops the reference count of net_device one or zero times depending on if we goto unlock_put or not, which will cause memory leak. In order to solve the above issue, decrease the reference count of net_device after dev->ax25_ptr is set to null. | |||||
CVE-2024-38367 | 1 Cocoapods | 1 Trunk.cocoapods.org | 2024-11-21 | N/A | 8.2 HIGH |
trunk.cocoapods.org is the authentication server for the CoacoaPods dependency manager. Prior to commit d4fa66f49cedab449af9a56a21ab40697b9f7b97, the trunk sessions verification step could be manipulated for owner session hijacking Compromising a victim’s session will result in a full takeover of the CocoaPods trunk account. The threat actor could manipulate their pod specifications, disrupt the distribution of legitimate libraries, or cause widespread disruption within the CocoaPods ecosystem. This was patched server-side with commit d4fa66f49cedab449af9a56a21ab40697b9f7b97 in October 2023. | |||||
CVE-2024-38100 | 1 Microsoft | 4 Windows Server 2016, Windows Server 2019, Windows Server 2022 and 1 more | 2024-11-21 | N/A | 7.8 HIGH |
Windows File Explorer Elevation of Privilege Vulnerability | |||||
CVE-2024-38070 | 1 Microsoft | 12 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 9 more | 2024-11-21 | N/A | 7.8 HIGH |
Windows LockDown Policy (WLDP) Security Feature Bypass Vulnerability | |||||
CVE-2024-38061 | 1 Microsoft | 14 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 11 more | 2024-11-21 | N/A | 7.5 HIGH |
DCOM Remote Cross-Session Activation Elevation of Privilege Vulnerability | |||||
CVE-2024-38058 | 1 Microsoft | 13 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 10 more | 2024-11-21 | N/A | 6.8 MEDIUM |
BitLocker Security Feature Bypass Vulnerability | |||||
CVE-2024-37677 | 1 Access Management Specialist Project | 1 Access Management Specialist | 2024-11-21 | N/A | 7.5 HIGH |
An issue in Shenzhen Weitillage Industrial Co., Ltd the access management specialist V6.62.51215 allows a remote attacker to obtain sensitive information. | |||||
CVE-2024-37293 | 1 Amazon | 1 Aws Deployment Framework | 2024-11-21 | N/A | 7.5 HIGH |
The AWS Deployment Framework (ADF) is a framework to manage and deploy resources across multiple AWS accounts and regions within an AWS Organization. ADF allows for staged, parallel, multi-account, cross-region deployments of applications or resources via the structure defined in AWS Organizations while taking advantage of services such as AWS CodePipeline, AWS CodeBuild, and AWS CodeCommit to alleviate the heavy lifting and management compared to a traditional CI/CD setup. ADF contains a bootstrap process that is responsible to deploy ADF's bootstrap stacks to facilitate multi-account cross-region deployments. The ADF bootstrap process relies on elevated privileges to perform this task. Two versions of the bootstrap process exist; a code-change driven pipeline using AWS CodeBuild and an event-driven state machine using AWS Lambda. If an actor has permissions to change the behavior of the CodeBuild project or the Lambda function, they would be able to escalate their privileges. Prior to version 4.0.0, the bootstrap CodeBuild role provides access to the `sts:AssumeRole` operation without further restrictions. Therefore, it is able to assume into any AWS Account in the AWS Organization with the elevated privileges provided by the cross-account access role. By default, this role is not restricted when it is created by AWS Organizations, providing Administrator level access to the AWS resources in the AWS Account. The patches for this issue are included in `aws-deployment-framework` version 4.0.0. As a temporary mitigation, add a permissions boundary to the roles created by ADF in the management account. The permissions boundary should deny all IAM and STS actions. This permissions boundary should be in place until you upgrade ADF or bootstrap a new account. While the permissions boundary is in place, the account management and bootstrapping of accounts are unable to create, update, or assume into roles. This mitigates the privilege escalation risk, but also disables ADF's ability to create, manage, and bootstrap accounts. | |||||
CVE-2024-37138 | 1 Dell | 1 Data Domain Operating System | 2024-11-21 | N/A | 4.1 MEDIUM |
Dell PowerProtect DD, versions prior to 8.0, LTS 7.13.1.0, LTS 7.10.1.30, LTS 7.7.5.40 on DDMC contain a relative path traversal vulnerability. A remote high privileged attacker could potentially exploit this vulnerability, leading to the application sending over an unauthorized file to the managed system. | |||||
CVE-2024-36788 | 1 Netgear | 2 Wnr614, Wnr614 Firmware | 2024-11-21 | N/A | 4.8 MEDIUM |
Netgear WNR614 JNR1010V2 N300-V1.1.0.54_1.0.1 does not properly set the HTTPOnly flag for cookies. This allows attackers to possibly intercept and access sensitive communications between the router and connected devices. | |||||
CVE-2024-36416 | 1 Salesagility | 1 Suitecrm | 2024-11-21 | N/A | 8.6 HIGH |
SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Prior to versions 7.14.4 and 8.6.1, a deprecated v4 API example with no log rotation allows denial of service by logging excessive data. Versions 7.14.4 and 8.6.1 contain a fix for this issue. | |||||
CVE-2024-36257 | 1 Mattermost | 1 Mattermost | 2024-11-21 | N/A | 2.7 LOW |
Mattermost versions 9.5.x <= 9.5.5 and 9.8.0, when using shared channels with multiple remote servers connected, fail to check that the remote server A requesting the server B to update the profile picture of a user is the remote that actually has the user as a local one . This allows a malicious remote A to change the profile images of users that belong to another remote server C that is connected to the server A. | |||||
CVE-2024-35252 | 1 Microsoft | 1 Azure Storage Data Movement Library | 2024-11-21 | N/A | 7.5 HIGH |
Azure Storage Movement Client Library Denial of Service Vulnerability | |||||
CVE-2024-35154 | 1 Ibm | 1 Websphere Application Server | 2024-11-21 | N/A | 7.2 HIGH |
IBM WebSphere Application Server 8.5 and 9.0 could allow a remote authenticated attacker, who has authorized access to the administrative console, to execute arbitrary code. Using specially crafted input, the attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 292641. | |||||
CVE-2024-34603 | 1 Samsung | 1 Android | 2024-11-21 | N/A | 4.0 MEDIUM |
Improper access control in Samsung Message prior to SMR Jul-2024 Release 1 allows local attackers to access location data. | |||||
CVE-2024-34595 | 1 Samsung | 1 Android | 2024-11-21 | N/A | 7.8 HIGH |
Improper access control in clickAdapterItem of SystemUI prior to SMR Jul-2024 Release 1 allows local attackers to launch privileged activities. | |||||
CVE-2024-34586 | 1 Samsung | 1 Android | 2024-11-21 | N/A | 5.9 MEDIUM |
Improper access control in KnoxCustomManagerService prior to SMR Jul-2024 Release 1 allows local attackers to configure Knox privacy policy. |