Vulnerabilities (CVE)

Filtered by CWE-20
Total 9862 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-31867 2024-12-06 N/A 6.5 MEDIUM
Improper Input Validation vulnerability in Apache Zeppelin. The attackers can execute malicious queries by setting improper configuration properties to LDAP search filter. This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1. Users are recommended to upgrade to version 0.11.1, which fixes the issue.
CVE-2024-26164 1 Microsoft 1 Django Backend 2024-12-06 N/A 8.8 HIGH
Microsoft Django Backend for SQL Server Remote Code Execution Vulnerability
CVE-2024-28103 1 Rubyonrails 1 Rails 2024-12-06 N/A 5.4 MEDIUM
Action Pack is a framework for handling and responding to web requests. Since 6.1.0, the application configurable Permissions-Policy is only served on responses with an HTML related Content-Type. This vulnerability is fixed in 6.1.7.8, 7.0.8.2, and 7.1.3.3.
CVE-2024-23246 1 Apple 6 Ipad Os, Iphone Os, Macos and 3 more 2024-12-06 N/A 8.6 HIGH
This issue was addressed by removing the vulnerable code. This issue is fixed in macOS Sonoma 14.4, visionOS 1.1, iOS 17.4 and iPadOS 17.4, watchOS 10.4, iOS 16.7.6 and iPadOS 16.7.6, tvOS 17.4. An app may be able to break out of its sandbox.
CVE-2024-54140 2024-12-05 N/A N/A
sigstore-java is a sigstore java client for interacting with sigstore infrastructure. sigstore-java has insufficient verification for a situation where a bundle provides a invalid signature for a checkpoint. This bug impacts clients using any variation of KeylessVerifier.verify(). Currently checkpoints are only used to ensure the root hash of an inclusion proof was provided by the log in question. Failing to validate that means a bundle may provide an inclusion proof that doesn't actually correspond to the log in question. This may eventually lead a monitor/witness being unable to detect when a compromised logs are providing different views of themselves to different clients. There are other mechanisms right now that mitigate this, such as the signed entry timestamp. Sigstore-java currently requires a valid signed entry timestamp. By correctly verifying the signed entry timestamp we can make certain assertions about the log signing the log entry (like the log was aware of the artifact signing event and signed it). Therefore the impact on clients that are not monitors/witnesses is very low. This vulnerability is fixed in 1.2.0.
CVE-2024-7488 2024-12-05 N/A 5.3 MEDIUM
Improper Input Validation vulnerability in RestApp Inc. Online Ordering System allows Integer Attacks.This issue affects Online Ordering System: 8.2.1.  NOTE: Vulnerability fixed in version 8.2.2 and does not exist before 8.2.1.
CVE-2024-21448 1 Microsoft 1 Teams 2024-12-05 N/A 5.0 MEDIUM
Microsoft Teams for Android Information Disclosure Vulnerability
CVE-2024-12138 2024-12-04 6.5 MEDIUM 6.3 MEDIUM
A vulnerability classified as critical was found in horilla up to 1.2.1. This vulnerability affects the function request_new/get_employee_shift/create_reimbursement/key_result_current_value_update/create_meetings/create_skills. The manipulation leads to deserialization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2024-11985 2024-12-04 N/A 4.4 MEDIUM
An improper input validation vulnerability leads to device crashes in certain ASUS router models. Refer to the '12/03/2024 ASUS Router Improper Input Validation' section on the ASUS Security Advisory for more information.
CVE-2024-11079 2024-12-04 N/A 5.5 MEDIUM
A flaw was found in Ansible-Core. This vulnerability allows attackers to bypass unsafe content protections using the hostvars object to reference and execute templated content. This issue can lead to arbitrary code execution if remote data or module outputs are improperly templated within playbooks.
CVE-2023-31366 1 Amd 1 Uprof 2024-12-03 N/A 3.3 LOW
Improper input validation in AMD ?Prof could allow an attacker to perform a write to an invalid address, potentially resulting in denial of service.
CVE-2024-52815 2024-12-03 N/A N/A
Synapse is an open-source Matrix homeserver. Synapse versions before 1.120.1 fail to properly validate invites received over federation. This vulnerability allows a malicious server to send a specially crafted invite that disrupts the invited user's /sync functionality. Synapse 1.120.1 rejects such invalid invites received over federation and restores the ability to sync for affected users.
CVE-2023-44345 3 Adobe, Apple, Microsoft 3 Indesign, Macos, Windows 2024-12-02 N/A 5.5 MEDIUM
Adobe InDesign versions ID18.5 (and earlier) and ID17.4.2 (and earlier) are affected by a Improper Input Validation vulnerability. An unauthenticated attacker could leverage this vulnerability to achieve an application denial-of-service in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
CVE-2024-34098 3 Adobe, Apple, Microsoft 6 Acrobat, Acrobat Dc, Acrobat Reader and 3 more 2024-12-02 N/A 7.8 HIGH
Acrobat Reader versions 20.005.30574, 24.002.20736 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
CVE-2024-43052 2024-12-02 N/A 7.8 HIGH
Memory corruption while processing API calls to NPU with invalid input.
CVE-2024-52337 2024-12-02 N/A 5.5 MEDIUM
A log spoofing flaw was found in the Tuned package due to improper sanitization of some API arguments. This flaw allows an attacker to pass a controlled sequence of characters; newlines can be inserted into the log. Instead of the 'evil' the attacker could mimic a valid TuneD log line and trick the administrator. The quotes '' are usually used in TuneD logs citing raw user input, so there will always be the ' character ending the spoofed input, and the administrator can easily overlook this. This logged string is later used in logging and in the output of utilities, for example, `tuned-adm get_instances` or other third-party programs that use Tuned's D-Bus interface for such operations.
CVE-2024-3400 1 Paloaltonetworks 1 Pan-os 2024-11-29 N/A 10.0 CRITICAL
A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.
CVE-2024-30040 1 Microsoft 12 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 9 more 2024-11-29 N/A 8.8 HIGH
Windows MSHTML Platform Security Feature Bypass Vulnerability
CVE-2024-27896 2024-11-29 N/A 7.5 HIGH
Input verification vulnerability in the log module. Impact: Successful exploitation of this vulnerability can affect integrity.
CVE-2023-41061 1 Apple 3 Ipados, Iphone Os, Watchos 2024-11-29 N/A 7.8 HIGH
A validation issue was addressed with improved logic. This issue is fixed in watchOS 9.6.2, iOS 16.6.1 and iPadOS 16.6.1. A maliciously crafted attachment may result in arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.