Total
242 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-34510 | 2024-11-19 | N/A | 7.5 HIGH | ||
| Gradio before 4.20 allows credential leakage on Windows. | |||||
| CVE-2024-47531 | 1 Clinical-genomics | 1 Scout | 2024-11-15 | N/A | 3.5 LOW |
| Scout is a web-based visualizer for VCF-files. Due to the lack of sanitization in the filename, it is possible bypass intended file extension and make users download malicious files with any extension. With malicious content injected inside the file data and users unknowingly downloading it and opening may lead to the compromise of users' devices or data. This vulnerability is fixed in 4.89. | |||||
| CVE-2024-10006 | 1 Hashicorp | 1 Consul | 2024-11-08 | N/A | 5.8 MEDIUM |
| A vulnerability was identified in Consul and Consul Enterprise (“Consul”) such that using Headers in L7 traffic intentions could bypass HTTP header based access rules. | |||||
| CVE-2024-47224 | 2024-11-05 | N/A | 6.5 MEDIUM | ||
| A vulnerability in the AWV (Audio, Web and Video Conferencing) component of Mitel MiCollab through 9.8 SP1 FP2 (9.8.1.201) could allow an unauthenticated attacker to conduct a CRLF injection attack due to inadequate encoding of user input in URLs. A successful exploit could allow an attacker to perform a phishing attack. | |||||
| CVE-2024-47549 | 2 Sharp, Toshibatec | 640 Bp-30c25, Bp-30c25 Firmware, Bp-30c25t and 637 more | 2024-11-05 | N/A | 6.1 MEDIUM |
| Sharp and Toshiba Tec MFPs improperly process query parameters in HTTP requests, which may allow contamination of unintended data to HTTP response headers. Accessing a crafted URL which points to an affected product may cause malicious script executed on the web browser. | |||||
| CVE-2024-45498 | 2024-11-04 | N/A | 8.8 HIGH | ||
| Example DAG: example_inlet_event_extra.py shipped with Apache Airflow version 2.10.0 has a vulnerability that allows an authenticated attacker with only DAG trigger permission to execute arbitrary commands. If you used that example as the base of your DAGs - please review if you have not copied the dangerous example; see https://github.com/apache/airflow/pull/41873 for more information. We recommend against exposing the example DAGs in your deployment. If you must expose the example DAGs, upgrade Airflow to version 2.10.1 or later. | |||||
| CVE-2023-52102 | 1 Huawei | 2 Emui, Harmonyos | 2024-10-23 | N/A | 7.5 HIGH |
| Vulnerability of parameters being not verified in the WMS module. Successful exploitation of this vulnerability may affect service confidentiality. | |||||
| CVE-2023-52098 | 1 Huawei | 2 Emui, Harmonyos | 2024-10-23 | N/A | 7.5 HIGH |
| Denial of Service (DoS) vulnerability in the DMS module. Successful exploitation of this vulnerability will affect availability. | |||||
| CVE-2022-43713 | 1 Gxsoftware | 1 Xperiencentral | 2024-10-23 | N/A | 7.5 HIGH |
| Interactive Forms (IAF) in GX Software XperienCentral versions 10.33.1 until 10.35.0 was vulnerable to invalid data input because form validation could be bypassed. | |||||
| CVE-2024-40088 | 2024-10-23 | N/A | 5.3 MEDIUM | ||
| A Directory Traversal vulnerability in the Boa webserver of Vilo 5 Mesh WiFi System <= 5.16.1.33 allows remote, unauthenticated attackers to enumerate the existence and length of any file in the filesystem by placing malicious payloads in the path of any HTTP request. | |||||
| CVE-2024-47845 | 1 Wikimedia | 1 Wikimedia-extensions-css | 2024-10-23 | N/A | 8.2 HIGH |
| Improper Encoding or Escaping of Output vulnerability in The Wikimedia Foundation Mediawiki - CSS Extension allows Code Injection.This issue affects Mediawiki - CSS Extension: from 1.39.X before 1.39.9, from 1.41.X before 1.41.3, from 1.42.X before 1.42.2. | |||||
| CVE-2024-45271 | 2 Helmholz, Mbconnectline | 4 Rex 100, Rex 100 Firmware, Mbnet.mini and 1 more | 2024-10-21 | N/A | 7.8 HIGH |
| An unauthenticated local attacker can gain admin privileges by deploying a config file due to improper input validation. | |||||
| CVE-2023-28738 | 1 Intel | 12 Nuc 7 Essential Nuc7cjysamn, Nuc 7 Essential Nuc7cjysamn Firmware, Nuc Kit Nuc7cjyh and 9 more | 2024-10-21 | N/A | 7.8 HIGH |
| Improper input validation for some Intel NUC BIOS firmware before version JY0070 may allow a privileged user to potentially enable escalation of privilege via local access. | |||||
| CVE-2022-36392 | 1 Intel | 134 B150, B250, B360 and 131 more | 2024-10-17 | N/A | 7.5 HIGH |
| Improper input validation in some firmware for Intel(R) AMT and Intel(R) Standard Manageability before versions 11.8.94, 11.12.94, 11.22.94, 12.0.93, 14.1.70, 15.0.45, and 16.1.27 in Intel (R) CSME may allow an unauthenticated user to potentially enable denial of service via network access. | |||||
| CVE-2024-9348 | 2024-10-16 | N/A | N/A | ||
| Docker Desktop before v4.34.3 allows RCE via unsanitized GitHub source link in Build view. | |||||
| CVE-2024-45219 | 2024-10-16 | N/A | 8.5 HIGH | ||
| Account users in Apache CloudStack by default are allowed to upload and register templates for deploying instances and volumes for attaching them as data disks to their existing instances. Due to missing validation checks for KVM-compatible templates or volumes in CloudStack 4.0.0 through 4.18.2.3 and 4.19.0.0 through 4.19.1.1, an attacker that can upload or register templates and volumes, can use them to deploy malicious instances or attach uploaded volumes to their existing instances on KVM-based environments and exploit this to gain access to the host filesystems that could result in the compromise of resource integrity and confidentiality, data loss, denial of service, and availability of KVM-based infrastructure managed by CloudStack. Users are recommended to upgrade to Apache CloudStack 4.18.2.4 or 4.19.1.2, or later, which addresses this issue. Additionally, all user-uploaded or registered KVM-compatible templates and volumes can be scanned and checked that they are flat files that should not be using any additional or unnecessary features. For example, operators can run this on their secondary storage(s) and inspect output. An empty output for the disk being validated means it has no references to the host filesystems; on the other hand, if the output for the disk being validated is not empty, it might indicate a compromised disk. for file in $(find /path/to/storage/ -type f -regex [a-f0-9\-]*.*); do echo "Retrieving file [$file] info. If the output is not empty, that might indicate a compromised disk; check it carefully."; qemu-img info -U $file | grep file: ; printf "\n\n"; done The command can also be run for the file-based primary storages; however, bear in mind that (i) volumes created from templates will have references for the templates at first and (ii) volumes can be consolidated while migrating, losing their references to the templates. Therefore, the command execution for the primary storages can show both false positives and false negatives. For checking the whole template/volume features of each disk, operators can run the following command: for file in $(find /path/to/storage/ -type f -regex [a-f0-9\-]*.*); do echo "Retrieving file [$file] info."; qemu-img info -U $file; printf "\n\n"; done | |||||
| CVE-2023-4571 | 1 Splunk | 1 It Service Intelligence | 2024-10-15 | N/A | 8.6 HIGH |
| In Splunk IT Service Intelligence (ITSI) versions below 4.13.3 or 4.15.3, a malicious actor can inject American National Standards Institute (ANSI) escape codes into Splunk ITSI log files that, when a vulnerable terminal application reads them, can run malicious code in the vulnerable application. This attack requires a user to use a terminal application that translates ANSI escape codes to read the malicious log file locally in the vulnerable terminal. The vulnerability also requires additional user interaction to succeed. The vulnerability does not directly affect Splunk ITSI. The indirect impact on Splunk ITSI can vary significantly depending on the permissions in the vulnerable terminal application, as well as where and how the user reads the malicious log file. For example, users can copy the malicious file from Splunk ITSI and read it on their local machine. | |||||
| CVE-2023-3997 | 1 Splunk | 1 Soar | 2024-10-15 | N/A | 7.8 HIGH |
| Splunk SOAR versions 6.0.2 and earlier are indirectly affected by a potential vulnerability accessed through the user’s terminal. A third party can send Splunk SOAR a maliciously crafted web request containing special ANSI characters to cause log file poisoning. When a terminal user attempts to view the poisoned logs, this can tamper with the terminal and cause possible malicious code execution from the terminal user’s action. | |||||
| CVE-2023-48655 | 1 Misp-project | 1 Malware Information Sharing Platform | 2024-10-15 | N/A | 9.8 CRITICAL |
| An issue was discovered in MISP before 2.4.176. app/Controller/Component/IndexFilterComponent.php does not properly filter out query parameters. | |||||
| CVE-2023-45539 | 1 Haproxy | 1 Haproxy | 2024-10-15 | N/A | 8.2 HIGH |
| HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server. | |||||