Total
1750 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-9003 | 1 Jflow Project | 1 Jflow | 2024-09-25 | 4.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability was found in Jinan Chicheng Company JFlow 2.0.0. It has been rated as problematic. This issue affects the function AttachmentUploadController of the file /WF/Ath/EntityMutliFile_Load.do of the component Attachment Handler. The manipulation of the argument oid leads to improper access controls. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-38016 | 1 Microsoft | 4 365 Apps, Office, Office Long Term Servicing Channel and 1 more | 2024-09-24 | N/A | 7.8 HIGH |
| Microsoft Office Visio Remote Code Execution Vulnerability | |||||
| CVE-2024-37341 | 1 Microsoft | 5 Sql 2016 Azure Connect Feature Pack, Sql Server 2016, Sql Server 2017 and 2 more | 2024-09-23 | N/A | 9.8 CRITICAL |
| Microsoft SQL Server Elevation of Privilege Vulnerability | |||||
| CVE-2024-28170 | 1 Intel | 1 Raid Web Console | 2024-09-23 | N/A | 5.5 MEDIUM |
| Improper access control in Intel(R) RAID Web Console all versions may allow an authenticated user to potentially enable information disclosure via local access. | |||||
| CVE-2024-32940 | 1 Intel | 1 Raid Web Console | 2024-09-23 | N/A | 5.7 MEDIUM |
| Improper access control in Intel(R) RAID Web Console software for all versions may allow an authenticated user to potentially enable denial of service via adjacent access. | |||||
| CVE-2024-34543 | 1 Intel | 1 Raid Web Console | 2024-09-23 | N/A | 7.8 HIGH |
| Improper access control in Intel(R) RAID Web Console software for all versions may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
| CVE-2024-36261 | 1 Intel | 1 Raid Web Console | 2024-09-23 | N/A | 5.7 MEDIUM |
| Improper access control in Intel(R) RAID Web Console software all versions may allow an authenticated user to potentially enable denial of service via adjacent access. | |||||
| CVE-2024-36247 | 1 Intel | 1 Raid Web Console | 2024-09-23 | N/A | 5.7 MEDIUM |
| Improper access control in Intel(R) RAID Web Console all versions may allow an authenticated user to potentially enable denial of service via adjacent access. | |||||
| CVE-2024-45323 | 1 Fortinet | 1 Fortiedrmanager | 2024-09-20 | N/A | 2.7 LOW |
| An improper access control vulnerability [CWE-284] in FortiEDR Manager API 6.2.0 through 6.2.2, 6.0 all versions may allow in a shared environment context an authenticated admin with REST API permissions in his profile and restricted to a specific organization to access backend logs that include information related to other organizations. | |||||
| CVE-2024-6796 | 1 Baxter | 1 Connex Health Portal | 2024-09-20 | N/A | 9.1 CRITICAL |
| In Baxter Connex health portal released before 8/30/2024, an improper access control vulnerability has been found that could allow an unauthenticated attacker to gain unauthorized access to Connex portal's database and/or modify content. | |||||
| CVE-2024-42796 | 2024-09-20 | N/A | 5.9 MEDIUM | ||
| An Incorrect Access Control vulnerability was found in /music/ajax.php?action=delete_genre in Kashipara Music Management System v1.0. This vulnerability allows an unauthenticated attacker to delete the valid music genre entries. | |||||
| CVE-2024-42795 | 2024-09-20 | N/A | 4.2 MEDIUM | ||
| An Incorrect Access Control vulnerability was found in /music/view_user.php?id=3 and /music/controller.php?page=edit_user&id=3 in Kashipara Music Management System v1.0. This vulnerability allows an unauthenticated attacker to view valid user details. | |||||
| CVE-2024-40825 | 2024-09-20 | N/A | 6.0 MEDIUM | ||
| The issue was addressed with improved checks. This issue is fixed in visionOS 2, macOS Sequoia 15. A malicious app with root privileges may be able to modify the contents of system files. | |||||
| CVE-2024-42794 | 2024-09-20 | N/A | 4.7 MEDIUM | ||
| Kashipara Music Management System v1.0 is vulnerable to Incorrect Access Control via /music/ajax.php?action=save_user. | |||||
| CVE-2024-45811 | 2024-09-20 | N/A | 4.8 MEDIUM | ||
| Vite a frontend build tooling framework for javascript. In affected versions the contents of arbitrary files can be returned to the browser. `@fs` denies access to files outside of Vite serving allow list. Adding `?import&raw` to the URL bypasses this limitation and returns the file content if it exists. This issue has been patched in versions 5.4.6, 5.3.6, 5.2.14, 4.5.5, and 3.2.11. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2024-46990 | 2024-09-20 | N/A | 5.0 MEDIUM | ||
| Directus is a real-time API and App dashboard for managing SQL database content. When relying on blocking access to localhost using the default `0.0.0.0` filter a user may bypass this block by using other registered loopback devices (like `127.0.0.2` - `127.127.127.127`). This issue has been addressed in release versions 10.13.3 and 11.1.0. Users are advised to upgrade. Users unable to upgrade may block this bypass by manually adding the `127.0.0.0/8` CIDR range which will block access to any `127.X.X.X` ip instead of just `127.0.0.1`. | |||||
| CVE-2024-7553 | 2 Microsoft, Mongodb | 24 Windows 10 1507, Windows 10 1511, Windows 10 1607 and 21 more | 2024-09-19 | N/A | 7.8 HIGH |
| Incorrect validation of files loaded from a local untrusted directory may allow local privilege escalation if the underlying operating systems is Windows. This may result in the application executing arbitrary behaviour determined by the contents of untrusted files. This issue affects MongoDB Server v5.0 versions prior to 5.0.27, MongoDB Server v6.0 versions prior to 6.0.16, MongoDB Server v7.0 versions prior to 7.0.12, MongoDB Server v7.3 versions prior 7.3.3, MongoDB C Driver versions prior to 1.26.2 and MongoDB PHP Driver versions prior to 1.18.1. Required Configuration: Only environments with Windows as the underlying operating system is affected by this issue | |||||
| CVE-2024-6087 | 1 Lunary | 1 Lunary | 2024-09-19 | N/A | 6.5 MEDIUM |
| An improper access control vulnerability exists in lunary-ai/lunary at the latest commit (a761d83) on the main branch. The vulnerability allows an attacker to use the auth tokens issued by the 'invite user' functionality to obtain valid JWT tokens. These tokens can be used to compromise target users upon registration for their own arbitrary organizations. The attacker can invite a target email, obtain a one-time use token, retract the invite, and later use the token to reset the password of the target user, leading to full account takeover. | |||||
| CVE-2023-37234 | 1 Loftware | 1 Spectrum | 2024-09-18 | N/A | 9.8 CRITICAL |
| Loftware Spectrum through 4.6 has unprotected JMX Registry. | |||||
| CVE-2024-37993 | 1 Siemens | 54 Simatic Reader Rf610r Cmiit, Simatic Reader Rf610r Cmiit Firmware, Simatic Reader Rf610r Etsi and 51 more | 2024-09-18 | N/A | 7.5 HIGH |
| A vulnerability has been identified in SIMATIC Reader RF610R CMIIT (6GT2811-6BC10-2AA0) (All versions < V4.2), SIMATIC Reader RF610R ETSI (6GT2811-6BC10-0AA0) (All versions < V4.2), SIMATIC Reader RF610R FCC (6GT2811-6BC10-1AA0) (All versions < V4.2), SIMATIC Reader RF615R CMIIT (6GT2811-6CC10-2AA0) (All versions < V4.2), SIMATIC Reader RF615R ETSI (6GT2811-6CC10-0AA0) (All versions < V4.2), SIMATIC Reader RF615R FCC (6GT2811-6CC10-1AA0) (All versions < V4.2), SIMATIC Reader RF650R ARIB (6GT2811-6AB20-4AA0) (All versions < V4.2), SIMATIC Reader RF650R CMIIT (6GT2811-6AB20-2AA0) (All versions < V4.2), SIMATIC Reader RF650R ETSI (6GT2811-6AB20-0AA0) (All versions < V4.2), SIMATIC Reader RF650R FCC (6GT2811-6AB20-1AA0) (All versions < V4.2), SIMATIC Reader RF680R ARIB (6GT2811-6AA10-4AA0) (All versions < V4.2), SIMATIC Reader RF680R CMIIT (6GT2811-6AA10-2AA0) (All versions < V4.2), SIMATIC Reader RF680R ETSI (6GT2811-6AA10-0AA0) (All versions < V4.2), SIMATIC Reader RF680R FCC (6GT2811-6AA10-1AA0) (All versions < V4.2), SIMATIC Reader RF685R ARIB (6GT2811-6CA10-4AA0) (All versions < V4.2), SIMATIC Reader RF685R CMIIT (6GT2811-6CA10-2AA0) (All versions < V4.2), SIMATIC Reader RF685R ETSI (6GT2811-6CA10-0AA0) (All versions < V4.2), SIMATIC Reader RF685R FCC (6GT2811-6CA10-1AA0) (All versions < V4.2), SIMATIC RF1140R (6GT2831-6CB00) (All versions < V1.1), SIMATIC RF1170R (6GT2831-6BB00) (All versions < V1.1), SIMATIC RF166C (6GT2002-0EE20) (All versions < V2.2), SIMATIC RF185C (6GT2002-0JE10) (All versions < V2.2), SIMATIC RF186C (6GT2002-0JE20) (All versions < V2.2), SIMATIC RF186CI (6GT2002-0JE50) (All versions < V2.2), SIMATIC RF188C (6GT2002-0JE40) (All versions < V2.2), SIMATIC RF188CI (6GT2002-0JE60) (All versions < V2.2), SIMATIC RF360R (6GT2801-5BA30) (All versions < V2.2). The affected applications do not authenticated the creation of Ajax2App instances. This could allow an unauthenticated attacker to cause a denial of service condition. | |||||