Export limit exceeded: 10818 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (10818 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-37233 | 2024-11-21 | 4.3 Medium | ||
| Improper Authentication vulnerability in Play.Ht allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Play.Ht: from n/a through 3.6.4. | ||||
| CVE-2024-37154 | 1 Evmos | 1 Evmos | 2024-11-21 | 5.3 Medium |
| Evmos is the Ethereum Virtual Machine (EVM) Hub on the Cosmos Network. Users are able to delegate tokens that have not yet been vested. This affects employees and grantees who have funds managed via `ClawbackVestingAccount`. This affects 18.1.0 and earlier. | ||||
| CVE-2024-37152 | 1 Argoproj | 1 Argo Cd | 2024-11-21 | 5.3 Medium |
| Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The vulnerability allows unauthorized access to the sensitive settings exposed by /api/v1/settings endpoint without authentication. All sensitive settings are hidden except passwordPattern. This vulnerability is fixed in 2.11.3, 2.10.12, and 2.9.17. | ||||
| CVE-2024-36532 | 1 Openkruise | 1 Kruise | 2024-11-21 | 10 Critical |
| Insecure permissions in kruise v1.6.2 allows attackers to access sensitive data and escalate privileges by obtaining the service account's token. | ||||
| CVE-2024-36444 | 1 Swissphone | 1 Dical-red 4009 | 2024-11-21 | 8.1 High |
| cgi-bin/fdmcgiwebv2.cgi on Swissphone DiCal-RED 4009 devices allows an unauthenticated attacker to gain access to device logs. | ||||
| CVE-2024-36443 | 2024-11-21 | 7.6 High | ||
| Swissphone DiCal-RED 4009 devices allow a remote attacker to gain read access to almost the whole file system via anonymous FTP. | ||||
| CVE-2024-36441 | 1 Swissphone | 1 Dical-red 4009 | 2024-11-21 | 5.4 Medium |
| Swissphone DiCal-RED 4009 devices allow an unauthenticated attacker use a port-2101 TCP connection to gain access to operation messages that are received by the device. | ||||
| CVE-2024-36438 | 1 Elinksmart | 1 Smart Cabinet Lock | 2024-11-21 | 7.3 High |
| eLinkSmart Hidden Smart Cabinet Lock 2024-05-22 has Incorrect Access Control and fails to perform an authorization check which can lead to card duplication and other attacks. | ||||
| CVE-2024-36399 | 1 Kanboard | 1 Kanboard | 2024-11-21 | 8.2 High |
| Kanboard is project management software that focuses on the Kanban methodology. The vuln is in app/Controller/ProjectPermissionController.php function addUser(). The users permission to add users to a project only get checked on the URL parameter project_id. If the user is authorized to add users to this project the request gets processed. The users permission for the POST BODY parameter project_id does not get checked again while processing. An attacker with the 'Project Manager' on a single project may take over any other project. The vulnerability is fixed in 1.2.37. | ||||
| CVE-2024-36257 | 1 Mattermost | 1 Mattermost | 2024-11-21 | 2.7 Low |
| Mattermost versions 9.5.x <= 9.5.5 and 9.8.0, when using shared channels with multiple remote servers connected, fail to check that the remote server A requesting the server B to update the profile picture of a user is the remote that actually has the user as a local one . This allows a malicious remote A to change the profile images of users that belong to another remote server C that is connected to the server A. | ||||
| CVE-2024-36108 | 2024-11-21 | 9.8 Critical | ||
| casgate is an Open Source Identity and Access Management system. In affected versions `casgate` allows remote unauthenticated attacker to obtain sensitive information via GET request to an API endpoint. This issue has been addressed in PR #201 which is pending merge. An attacker could use `id` parameter of GET requests with value `anonymous/ anonymous` to bypass authorization on certain API endpoints. Successful exploitation of the vulnerability could lead to account takeover, privilege escalation or provide attacker with credential to other services. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2024-35670 | 1 Softlabbd | 1 Integrate Google Drive | 2024-11-21 | 5.3 Medium |
| Broken Authentication vulnerability in SoftLab Integrate Google Drive.This issue affects Integrate Google Drive: from n/a through 1.3.93. | ||||
| CVE-2024-35222 | 1 Tauri | 1 Tauri | 2024-11-21 | 5.9 Medium |
| Tauri is a framework for building binaries for all major desktop platforms. Remote origin iFrames in Tauri applications can access the Tauri IPC endpoints without being explicitly allowed in the `dangerousRemoteDomainIpcAccess` in v1 and in the `capabilities` in v2. Valid commands with potentially unwanted consequences ("delete project", "transfer credits", etc.) could be invoked by an attacker that controls the content of an iframe running inside a Tauri app. This vulnerability has been patched in versions 1.6.7 and 2.0.0-beta.19. | ||||
| CVE-2024-35214 | 1 Blackberry | 1 Cylanceoptics | 2024-11-21 | N/A |
| A tampering vulnerability in the CylanceOPTICS Windows Installer Package of CylanceOPTICS for Windows version 3.2 and 3.3 could allow an attacker to potentially uninstall CylanceOPTICS from a system thereby leaving it with only the protection of CylancePROTECT. | ||||
| CVE-2024-35184 | 2024-11-21 | 5.5 Medium | ||
| Paperless-ngx is a document management system that transforms physical documents into a searchable online archive. Starting in version 2.5.0 and prior to version 2.8.6, remote user authentication allows API access even if API access is explicitly disabled. Version 2.8.6 contains a patchc for the issue. | ||||
| CVE-2024-34596 | 1 Samsung | 1 Smartthings | 2024-11-21 | 5.9 Medium |
| Improper authentication in SmartThings prior to version 1.8.17 allows remote attackers to bypass the expiration date for members set by the owner. | ||||
| CVE-2024-34524 | 1 Xlang | 1 Open Agents | 2024-11-21 | 9.1 Critical |
| In XLANG OpenAgents through fe73ac4, the allowed_file protection mechanism can be bypassed by using an incorrect file extension for the nature of the file content. | ||||
| CVE-2024-34519 | 2024-11-21 | 6.8 Medium | ||
| Avantra Server 24.x before 24.0.7 and 24.1.x before 24.1.1 mishandles the security of dashboards, aka XAN-5367. If a user can create a dashboard with an auto-login user, data disclosure may occur. Access control can be bypassed when there is a shared dashboard, and its auto-login user has privileges that a dashboard visitor should not have. | ||||
| CVE-2024-34107 | 1 Adobe | 3 Commerce, Commerce Webhooks, Magento | 2024-11-21 | 5.3 Medium |
| Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and view minor unauthorised information. Exploitation of this issue does not require user interaction. | ||||
| CVE-2024-34104 | 1 Adobe | 3 Commerce, Commerce Webhooks, Magento | 2024-11-21 | 8.2 High |
| Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access, leading to both confidentiality and integrity impact. Exploitation of this issue does not require user interaction. | ||||