Total
11829 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-36053 | 2024-11-21 | N/A | 9.0 CRITICAL | ||
|
In the mintupload package through 4.2.0 for Linux Mint, service-name mishandling leads to command injection via shell metacharacters in check_connection, drop_data_received_cb, and Service.remove. A user can modify a service name in a ~/.linuxmint/mintUpload/services/service file.
|
|||||
| CVE-2024-34109 | 1 Adobe | 3 Commerce, Commerce Webhooks, Magento | 2024-11-21 | N/A | 7.2 HIGH |
|
Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction, but admin privileges are required.
|
|||||
| CVE-2024-34108 | 1 Adobe | 3 Commerce, Commerce Webhooks, Magento | 2024-11-21 | N/A | 9.1 CRITICAL |
|
Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction, but admin privileges are required and scope is changed.
|
|||||
| CVE-2024-33700 | 1 Level1 | 2 Wbr-6012, Wbr-6012 Firmware | 2024-11-21 | N/A | 7.5 HIGH |
|
The LevelOne WBR-6012 router firmware R0.40e6 suffers from an input validation vulnerability within its FTP functionality, enabling attackers to cause a denial of service through a series of malformed FTP commands. This can lead to device reboots and service disruption.
|
|||||
| CVE-2024-32907 | 1 Google | 1 Android | 2024-11-21 | N/A | 7.8 HIGH |
|
In memcall_add of memlog.c, there is a possible buffer overflow due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
|
|||||
| CVE-2024-32903 | 1 Google | 1 Android | 2024-11-21 | N/A | 7.8 HIGH |
|
In prepare_response_locked of lwis_transaction.c, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
|
|||||
| CVE-2024-32860 | 1 Dell | 44 Alienware Area 51m R2, Alienware Area 51m R2 Firmware, Alienware Aurora R11 and 41 more | 2024-11-21 | N/A | 7.5 HIGH |
|
Dell Client Platform BIOS contains an Improper Input Validation vulnerability in an externally developed component. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Code execution.
|
|||||
| CVE-2024-32859 | 1 Dell | 46 Alienware Area 51m R2, Alienware Area 51m R2 Firmware, Alienware Aurora R10 and 43 more | 2024-11-21 | N/A | 7.5 HIGH |
|
Dell Client Platform BIOS contains an Improper Input Validation vulnerability in an externally developed component. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Code execution.
|
|||||
| CVE-2024-32858 | 1 Dell | 46 Alienware Area 51m R2, Alienware Area 51m R2 Firmware, Alienware Aurora R10 and 43 more | 2024-11-21 | N/A | 7.5 HIGH |
|
Dell Client Platform BIOS contains an Improper Input Validation vulnerability in an externally developed component. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Code execution.
|
|||||
| CVE-2024-32856 | 1 Dell | 46 Alienware Area 51m R2, Alienware Area 51m R2 Firmware, Alienware Aurora R10 and 43 more | 2024-11-21 | N/A | 5.1 MEDIUM |
|
Dell Client Platform BIOS contains an Improper Input Validation vulnerability in an externally developed component. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Information disclosure.
|
|||||
| CVE-2024-32755 | 2024-11-21 | N/A | 9.1 CRITICAL | ||
|
Under certain circumstances the web interface will accept characters unrelated to the expected input.
|
|||||
| CVE-2024-32672 | 2024-11-21 | N/A | 5.3 MEDIUM | ||
|
A Segmentation Fault issue discovered in
Samsung Open Source Escargot JavaScript engine
allows remote attackers to cause a denial of service via crafted input.
This issue affects Escargot: 4.0.0.
|
|||||
| CVE-2024-32669 | 2024-11-21 | N/A | 5.3 MEDIUM | ||
|
Improper Input Validation vulnerability in Samsung Open Source escargot JavaScript engine allows Overflow Buffers.
However, it occurs in the test code and does not include in the release.
This issue affects escargot: 4.0.0.
|
|||||
| CVE-2024-32653 | 2024-11-21 | N/A | 6.1 MEDIUM | ||
|
jadx is a Dex to Java decompiler. Prior to version 1.5.0, the package name is not filtered before concatenation. This can be exploited to inject arbitrary code into the package name. The vulnerability allows an attacker to execute commands with shell privileges. Version 1.5.0 contains a patch for the vulnerability.
|
|||||
| CVE-2024-32007 | 1 Apache | 1 Cxf | 2024-11-21 | N/A | 7.5 HIGH |
|
An improper input validation of the p2c parameter in the Apache CXF JOSE code before 4.0.5, 3.6.4 and 3.5.9 allows an attacker to perform a denial of service attack by specifying a large value for this parameter in a token.
|
|||||
| CVE-2024-31965 | 2024-11-21 | N/A | 4.2 MEDIUM | ||
|
A vulnerability on Mitel 6800 Series and 6900 Series SIP Phones through 6.3 SP3 HF4, 6900w Series SIP Phone through 6.3.3, and 6970 Conference Unit through 5.1.1 SP8 allows an authenticated attacker with administrative privilege to conduct a path traversal attack due to insufficient input validation. A successful exploit could allow an attacker to access sensitive information.
|
|||||
| CVE-2024-30087 | 1 Microsoft | 14 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 11 more | 2024-11-21 | N/A | 7.8 HIGH |
|
Win32k Elevation of Privilege Vulnerability
|
|||||
| CVE-2024-30002 | 1 Microsoft | 9 Windows 10 1809, Windows 10 21h2, Windows 10 22h2 and 6 more | 2024-11-21 | N/A | 6.8 MEDIUM |
|
Windows Mobile Broadband Driver Remote Code Execution Vulnerability
|
|||||
| CVE-2024-2746 | 2024-11-21 | N/A | 8.8 HIGH | ||
|
Incomplete fix for CVE-2024-1929
The problem with CVE-2024-1929 was that the dnf5 D-Bus daemon accepted arbitrary configuration parameters from unprivileged users, which allowed a
local root exploit by tricking the daemon into loading a user controlled "plugin". All of this happened before Polkit authentication was even started.
The dnf5 library code does not check whether non-root users control the directory in question.
On one hand, this poses a Denial-of-Service attack vector by making th ...
Show More |
|||||
| CVE-2024-2257 | 2024-11-21 | N/A | 9.1 CRITICAL | ||
|
This vulnerability exists in Digisol Router (DG-GR1321: Hardware version 3.7L; Firmware version : v3.2.02) due to improper implementation of password policies. An attacker with physical access could exploit this by creating password that do not adhere to the defined security standards/policy on the vulnerable system.
Successful exploitation of this vulnerability could allow the attacker to expose the router to potential security threats.
|
|||||
| CVE-2024-2248 | 2024-11-21 | N/A | 6.4 MEDIUM | ||
|
A Header Injection vulnerability in the JFrog platform in versions below 7.85.0 (SaaS) and 7.84.7 (Self-Hosted) may allow threat actors to take over the end user's account when clicking on a specially crafted URL sent to the victim’s user email.
|
|||||
| CVE-2024-29998 | 1 Microsoft | 9 Windows 10 1809, Windows 10 21h2, Windows 10 22h2 and 6 more | 2024-11-21 | N/A | 6.8 MEDIUM |
|
Windows Mobile Broadband Driver Remote Code Execution Vulnerability
|
|||||
| CVE-2024-29946 | 1 Splunk | 1 Splunk | 2024-11-21 | N/A | 8.1 HIGH |
|
In Splunk Enterprise versions below 9.2.1, 9.1.4, and 9.0.9, the Dashboard Examples Hub lacks protections for risky SPL commands. This could let attackers bypass SPL safeguards for risky commands in the Hub. The vulnerability would require the attacker to phish the victim by tricking them into initiating a request within their browser.
|
|||||
| CVE-2024-29068 | 1 Canonical | 1 Snapd | 2024-11-21 | N/A | 5.8 MEDIUM |
|
In snapd versions prior to 2.62, snapd failed to properly check the file
type when extracting a snap. The snap format is a squashfs file-system
image and so can contain files that are non-regular files (such as pipes
or sockets etc). Various file entries within the snap squashfs image
(such as icons etc) are directly read by snapd when it is extracted. An
attacker who could convince a user to install a malicious snap which
contained non-regular files at these paths could then cause snapd to bl ...
Show More |
|||||
| CVE-2024-27912 | 2024-11-21 | N/A | 7.5 HIGH | ||
|
A denial of service vulnerability was reported in some Lenovo Printers that could allow an attacker to cause the device to crash by sending crafted LPD packets.
|
|||||
| CVE-2024-27909 | 2024-11-21 | N/A | 4.9 MEDIUM | ||
|
A denial of service vulnerability was reported in the HTTPS service of some Lenovo Printers that could result in a system reboot.
|
|||||
| CVE-2024-26127 | 1 Adobe | 1 Experience Manager | 2024-11-21 | N/A | 3.5 LOW |
|
Adobe Experience Manager versions 6.5.20 and earlier are affected by an Improper Input Validation vulnerability that could result in a security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and affect the integrity of the page. Exploitation of this issue requires user interaction.
|
|||||
| CVE-2024-26126 | 1 Adobe | 1 Experience Manager | 2024-11-21 | N/A | 3.5 LOW |
|
Adobe Experience Manager versions 6.5.20 and earlier are affected by an Improper Input Validation vulnerability that could result in a security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and affect the integrity of the page. Exploitation of this issue requires user interaction.
|
|||||
| CVE-2024-25656 | 2024-11-21 | N/A | 5.9 MEDIUM | ||
|
Improper input validation in AVSystem Unified Management Platform (UMP) 23.07.0.16567~LTS can result in unauthenticated CPE (Customer Premises Equipment) devices storing arbitrarily large amounts of data during registration. This can potentially lead to DDoS attacks on the application database and, ultimately, affect the entire product.
|
|||||
| CVE-2024-25590 | 2024-11-21 | N/A | 7.5 HIGH | ||
|
An attacker can publish a zone containing specific Resource Record Sets.
Repeatedly processing and caching results for these sets can lead to a
denial of service.
|
|||||
| CVE-2024-25290 | 2024-11-21 | N/A | 8.0 HIGH | ||
|
An issue in Casa Systems NL1901ACV R6B032 allows a remote attacker to execute arbitrary code via the userName parameter of the add function.
|
|||||
| CVE-2024-25116 | 2024-11-21 | N/A | 5.5 MEDIUM | ||
|
RedisBloom adds a set of probabilistic data structures to Redis. Starting in version 2.0.0 and prior to version 2.4.7 and 2.6.10, authenticated users can use the `CF.RESERVE` command to trigger a runtime assertion and termination of the Redis server process. The problem is fixed in RedisBloom 2.4.7 and 2.6.10.
|
|||||
| CVE-2024-24941 | 1 Jetbrains | 1 Intellij Idea | 2024-11-21 | N/A | 6.1 MEDIUM |
|
In JetBrains IntelliJ IDEA before 2023.3.3 a plugin for JetBrains Space was able to send an authentication token to an inappropriate URL
|
|||||
| CVE-2024-24696 | 1 Zoom | 3 Meeting Software Development Kit, Vdi Windows Meeting Clients, Zoom | 2024-11-21 | N/A | 6.8 MEDIUM |
|
Improper input validation in Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for Windows may allow an authenticated user to conduct a disclosure of information via network access.
|
|||||
| CVE-2024-24695 | 1 Zoom | 3 Meeting Software Development Kit, Vdi Windows Meeting Clients, Zoom | 2024-11-21 | N/A | 6.8 MEDIUM |
|
Improper input validation in Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for Windows may allow an authenticated user to conduct a disclosure of information via network access.
|
|||||
| CVE-2024-23790 | 1 Otrs | 1 Otrs | 2024-11-21 | N/A | 3.5 LOW |
|
Improper Input Validation vulnerability in the upload functionality for user avatars allows functionality misuse due to missing check of filetypes.
This issue affects OTRS: from 7.0.X through 7.0.48, from 8.0.X through 8.0.37, from 2023 through 2023.1.1.
|
|||||
| CVE-2024-23678 | 1 Splunk | 1 Splunk | 2024-11-21 | N/A | 7.5 HIGH |
|
In Splunk Enterprise for Windows versions below 9.0.8 and 9.1.3, Splunk Enterprise does not correctly sanitize path input data. This results in the unsafe deserialization of untrusted data from a separate disk partition on the machine. This vulnerability only affects Splunk Enterprise for Windows.
|
|||||
| CVE-2024-23676 | 1 Splunk | 2 Cloud, Splunk | 2024-11-21 | N/A | 4.6 MEDIUM |
|
In Splunk versions below 9.0.8 and 9.1.3, the “mrollup” SPL command lets a low-privileged user view metrics on an index that they do not have permission to view. This vulnerability requires user interaction from a high-privileged user to exploit.
|
|||||
| CVE-2024-23669 | 1 Fortinet | 1 Fortiwebmanager | 2024-11-21 | N/A | 6.5 MEDIUM |
|
An improper authorization in Fortinet FortiWebManager version 7.2.0 and 7.0.0 through 7.0.4 and 6.3.0 and 6.2.3 through 6.2.4 and 6.0.2 allows attacker to execute unauthorized code or commands via HTTP requests or CLI.
|
|||||
| CVE-2024-23655 | 1 Tuta | 1 Tutanota | 2024-11-21 | N/A | 7.5 HIGH |
|
Tuta is an encrypted email service. Starting in version 3.118.12 and prior to version 3.119.10, an attacker is able to send a manipulated email so that the user can no longer use the app to get access to received emails. By sending a manipulated email, an attacker could put the app into an unusable state. In this case, a user can no longer access received e-mails. Since the vulnerability affects not only the app, but also the web application, a user in this case has no way to access received ema ...
Show More |
|||||