Total: 34640 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-23670 | 1 Fortinet | 1 Fortiwebmanager | 2024-12-17 | N/A | 7.8 HIGH |
|
An improper authorization in Fortinet FortiWebManager version 7.2.0 and 7.0.0 through 7.0.4 and 6.3.0 and 6.2.3 through 6.2.4 and 6.0.2 allows an attacker to execute unauthorized code or commands via HTTP requests or CLI.
|
|||||
| CVE-2024-23711 | 1 Google | 1 Android | 2024-12-17 | N/A | 7.8 HIGH |
|
In DevmemXIntUnreserveRange of devicemem_server.c, there is a possible arbitrary code execution due to a logic error in the code. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation.
|
|||||
| CVE-2024-23707 | 1 Google | 1 Android | 2024-12-17 | N/A | 7.8 HIGH |
|
In multiple locations, there is a possible permissions bypass due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.
|
|||||
| CVE-2023-34156 | 1 Huawei | 1 Emui | 2024-12-17 | N/A | 5.3 MEDIUM |
|
Vulnerability of services denied by early fingerprint APIs on HarmonyOS products. Successful exploitation of this vulnerability may cause services to be denied.
|
|||||
| CVE-2022-48497 | 1 Huawei | 1 Emui | 2024-12-17 | N/A | 7.5 HIGH |
|
Configuration defects in the secure OS module. Successful exploitation of this vulnerability will affect availability.
|
|||||
| CVE-2022-48493 | 1 Huawei | 1 Emui | 2024-12-17 | N/A | 7.5 HIGH |
|
Configuration defects in the secure OS module. Successful exploitation of this vulnerability will affect availability.
|
|||||
| CVE-2022-48492 | 1 Huawei | 1 Emui | 2024-12-17 | N/A | 7.5 HIGH |
|
Configuration defects in the secure OS module. Successful exploitation of this vulnerability will affect availability.
|
|||||
| CVE-2022-48490 | 1 Huawei | 1 Emui | 2024-12-17 | N/A | 7.5 HIGH |
|
Configuration defects in the secure OS module. Successful exploitation of this vulnerability will affect availability.
|
|||||
| CVE-2022-48489 | 1 Huawei | 1 Emui | 2024-12-17 | N/A | 7.5 HIGH |
|
Configuration defects in the secure OS module. Successful exploitation of this vulnerability will affect availability.
|
|||||
| CVE-2022-48486 | 1 Huawei | 1 Emui | 2024-12-17 | N/A | 7.5 HIGH |
|
Configuration defects in the secure OS module. Successful exploitation of this vulnerability will affect availability.
|
|||||
| CVE-2024-23706 | 1 Google | 1 Android | 2024-12-17 | N/A | 7.8 HIGH |
|
In multiple locations, there is a possible bypass of health data permissions due to an improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
|
|||||
| CVE-2024-23713 | 1 Google | 1 Android | 2024-12-17 | N/A | 7.8 HIGH |
|
In migrateNotificationFilter of NotificationManagerService.java, there is a possible failure to persist notifications settings due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
|
|||||
| CVE-2024-44290 | 1 Apple | 3 Ipados, Iphone Os, Watchos | 2024-12-16 | N/A | 3.3 LOW |
|
This issue was addressed with improved redaction of sensitive information. This issue is fixed in iOS 18.1 and iPadOS 18.1, watchOS 11.1. An app may be able to determine a user’s current location.
|
|||||
| CVE-2024-1632 | 1 Progress | 1 Sitefinity | 2024-12-16 | N/A | 8.8 HIGH |
|
Low-privileged users with access to the Sitefinity backend may obtain sensitive information from the site's administrative area.
|
|||||
| CVE-2024-21144 | 2 Netapp, Oracle | 4 Oncommand Workflow Automation, Graalvm, Jdk and 1 more | 2024-12-16 | N/A | 3.7 LOW |
|
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Concurrency). Supported versions that are affected are Oracle Java SE: 8u411, 8u411-perf, 11.0.23; Oracle GraalVM Enterprise Edition: 20.3.14 and 21.3.10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in una ...
|
|||||
| CVE-2024-0046 | 1 Google | 1 Android | 2024-12-16 | N/A | 7.8 HIGH |
|
In installExistingPackageAsUser of InstallPackageHelper.java, there is a possible carrier restriction bypass due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
|
|||||
| CVE-2024-0048 | 1 Google | 1 Android | 2024-12-16 | N/A | 7.8 HIGH |
|
In Session of AccountManagerService.java, there is a possible method to retain foreground service privileges due to incorrect handling of null responses. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
|
|||||
| CVE-2023-40109 | 1 Google | 1 Android | 2024-12-16 | N/A | 7.8 HIGH |
|
In createFromParcel of UsbConfiguration.java, there is a possible background activity launch (BAL) due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.
|
|||||
| CVE-2024-23717 | 1 Google | 1 Android | 2024-12-16 | N/A | 8.8 HIGH |
|
In access_secure_service_from_temp_bond of btm_sec.cc, there is a possible way to achieve keystroke injection due to improper input validation. This could lead to remote (proximal/adjacent) escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
|
|||||
| CVE-2024-0021 | 1 Google | 1 Android | 2024-12-16 | N/A | 7.8 HIGH |
|
In onCreate of NotificationAccessConfirmationActivity.java, there is a possible way for an app in the work profile to enable notification listener services due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.
|
|||||
| CVE-2024-0036 | 1 Google | 1 Android | 2024-12-16 | N/A | 7.8 HIGH |
|
In startNextMatchingActivity of ActivityTaskManagerService.java, there is a possible way to bypass the restrictions on starting activities from the background due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
|
|||||
| CVE-2023-51440 | 1 Siemens | 8 Simatic Cp 343-1, Simatic Cp 343-1 Firmware, Simatic Cp 343-1 Lean and 5 more | 2024-12-16 | N/A | 7.5 HIGH |
|
A vulnerability has been identified in SIMATIC CP 343-1 (6GK7343-1EX30-0XE0) (All versions), SIMATIC CP 343-1 Lean (6GK7343-1CX10-0XE0) (All versions), SIPLUS NET CP 343-1 (6AG1343-1EX30-7XE0) (All versions), SIPLUS NET CP 343-1 Lean (6AG1343-1CX10-2XE0) (All versions). Affected products incorrectly validate TCP sequence numbers. This could allow an unauthenticated remote attacker to create a denial of service condition by injecting spoofed TCP RST packets.
|
|||||
| CVE-2024-22042 | 1 Siemens | 1 Unicam Fx | 2024-12-16 | N/A | 7.8 HIGH |
|
A vulnerability has been identified in Unicam FX (All versions). The windows installer agent used in affected product contains incorrect use of privileged APIs that trigger the Windows Console Host (conhost.exe) as a child process with SYSTEM privileges. This could be exploited by an attacker to perform a local privilege escalation attack.
|
|||||
| CVE-2024-53073 | 1 Linux | 1 Linux Kernel | 2024-12-14 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
NFSD: Never decrement pending_async_copies on error
The error flow in nfsd4_copy() calls cleanup_async_copy(), which
already decrements nn->pending_async_copies.
|
|||||
| CVE-2023-40106 | 1 Google | 1 Android | 2024-12-13 | N/A | 7.8 HIGH |
|
In sanitizeSbn of NotificationManagerService.java, there is a possible way to launch an activity from the background due to BAL Bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
|
|||||
| CVE-2024-41647 | 1 Openrobotics | 1 Robot Operating System | 2024-12-13 | N/A | 9.8 CRITICAL |
|
Insecure Permissions vulnerability in Open Robotics Robotic Operating System 2 ROS2 navigation2 v.humble allows an attacker to execute arbitrary code via a crafted script to the nav2_mppi_controller.
|
|||||
| CVE-2024-26119 | 1 Adobe | 1 Experience Manager | 2024-12-13 | N/A | 5.3 MEDIUM |
|
Adobe Experience Manager versions 6.5.19 and earlier are affected by an Information Exposure vulnerability that could result in a security feature bypass. An attacker could leverage this vulnerability to achieve a low-confidentiality impact within the application. Exploitation of this issue does not require user interaction.
|
|||||
| CVE-2024-11948 | 1 Gfi | 1 Archiver | 2024-12-13 | N/A | 9.8 CRITICAL |
|
GFI Archiver Telerik Web UI Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GFI Archiver. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the product installer. The issue results from the use of a vulnerable version of Telerik Web UI. An attacker can leverage this vulnerability to execute code in the context of NETWORK SERVICE. Was ZDI-CAN-24041.
|
|||||
| CVE-2024-45104 | 1 Lenovo | 1 Xclarity Administrator | 2024-12-13 | N/A | 6.3 MEDIUM |
|
A valid, authenticated LXCA user without sufficient privileges may be able to use the device identifier to modify an LXCA managed device through a specially crafted web API call.
|
|||||
| CVE-2024-45103 | 1 Lenovo | 1 Xclarity Administrator | 2024-12-13 | N/A | 4.3 MEDIUM |
|
A valid, authenticated LXCA user may be able to unmanage an LXCA managed device through the LXCA web interface without sufficient privileges.
|
|||||
| CVE-2024-44200 | 1 Apple | 2 Ipados, Iphone Os | 2024-12-13 | N/A | 3.3 LOW |
|
This issue was addressed with improved redaction of sensitive information. This issue is fixed in iOS 18.1 and iPadOS 18.1. An app may be able to read sensitive location information.
|
|||||
| CVE-2024-44299 | 1 Apple | 2 Ipados, Iphone Os | 2024-12-13 | N/A | 9.8 CRITICAL |
|
The issue was addressed with improved bounds checks. This issue is fixed in iOS 18.1 and iPadOS 18.1. An attacker may be able to cause unexpected system termination or arbitrary code execution in DCP firmware.
|
|||||
| CVE-2024-1947 | 1 Gitlab | 1 Gitlab | 2024-12-13 | N/A | 4.3 MEDIUM |
|
A denial of service (DoS) condition was discovered in GitLab CE/EE affecting all versions from 13.2.4 before 16.10.6, 16.11 before 16.11.3, and 17.0 before 17.0.1. By leveraging this vulnerability an attacker could create a DoS condition by sending crafted API calls.
|
|||||
| CVE-2024-1952 | 1 Mattermost | 1 Mattermost Server | 2024-12-13 | N/A | 3.1 LOW |
|
Mattermost version 8.1.x before 8.1.9 fails to sanitize data associated with permalinks when a plugin updates an ephemeral post, allowing an authenticated attacker who can control the ephemeral post update to access individual posts' contents in channels they are not a member of.
|
|||||
| CVE-2024-1942 | 1 Mattermost | 1 Mattermost Server | 2024-12-13 | N/A | 4.3 MEDIUM |
|
Mattermost versions 8.1.x before 8.1.9, 9.2.x before 9.2.5, and 9.3.0 fail to sanitize the metadata on posts containing permalinks under specific conditions, which allows an authenticated attacker to access the contents of individual posts in channels they are not a member of.
|
|||||
| CVE-2024-9164 | 1 Gitlab | 1 Gitlab | 2024-12-13 | N/A | 9.6 CRITICAL |
|
An issue was discovered in GitLab EE affecting all versions starting from 12.5 prior to 17.2.9, starting from 17.3, prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows running pipelines on arbitrary branches.
|
|||||
| CVE-2024-29221 | 1 Mattermost | 1 Mattermost Server | 2024-12-13 | N/A | 4.7 MEDIUM |
|
Improper Access Control in Mattermost Server versions 9.5.x before 9.5.2, 9.4.x before 9.4.4, 9.3.x before 9.3.3, 8.1.x before 8.1.11 lacked proper access control in the `/api/v4/users/me/teams` endpoint allowing a team admin to get the invite ID of their team, thus allowing them to invite users, even if the "Add Members" permission was explicitly removed from team admins.
|
|||||
| CVE-2018-7738 | 1 Kernel | 1 Util-linux | 2024-12-13 | 7.2 HIGH | 7.8 HIGH |
|
In util-linux before 2.32-rc1, bash-completion/umount allows local users to gain privileges by embedding shell commands in a mountpoint name, which is mishandled during a umount command (within Bash) by a different user, as demonstrated by logging in as root and entering umount followed by a tab character for autocompletion.
|
|||||
| CVE-2024-10240 | 1 Gitlab | 1 Gitlab | 2024-12-13 | N/A | 5.3 MEDIUM |
|
An issue has been discovered in GitLab EE affecting all versions starting from 17.3 before 17.3.7, all versions starting from 17.4 before 17.4.4, all versions starting from 17.5 before 17.5.2 in which an unauthenticated user may be able to read some information about an MR in a private project, under certain circumstances.
|
|||||
| CVE-2024-8237 | 1 Gitlab | 1 Gitlab | 2024-12-13 | N/A | 6.5 MEDIUM |
|
A Denial of Service (DoS) issue has been discovered in GitLab CE/EE affecting all versions prior to 12.6 prior to 17.4.5, 17.5 prior to 17.5.3, and 17.6 prior to 17.6.1. An attacker could cause a denial of service with a crafted cargo.toml file.
|
|||||