Total
1749 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-21076 | 2024-07-08 | N/A | 7.5 HIGH | ||
| Vulnerability in the Oracle Trade Management product of Oracle E-Business Suite (component: Offer LOV). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Trade Management. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Trade Management accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). | |||||
| CVE-2024-21074 | 2024-07-08 | N/A | 7.5 HIGH | ||
| Vulnerability in the Oracle Trade Management product of Oracle E-Business Suite (component: Finance LOV). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Trade Management. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Trade Management accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). | |||||
| CVE-2024-6428 | 1 Mattermost | 1 Mattermost | 2024-07-05 | N/A | 6.5 MEDIUM |
| Mattermost versions 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2, 9.5.x <= 9.5.5 fail to prevent specifying a RemoteId when creating a new user which allows an attacker to specify both a remoteId and the user ID, resulting in creating a user with a user-defined user ID. This can cause some broken functionality in User Management such administrative actions against the user not working. | |||||
| CVE-2024-39361 | 1 Mattermost | 1 Mattermost | 2024-07-05 | N/A | 5.4 MEDIUM |
| Mattermost versions 9.8.0, 9.7.x <= 9.7.4, 9.6.x <= 9.6.2 and 9.5.x <= 9.5.5 fail to prevent users from specifying a RemoteId for their posts which allows an attacker to specify both a remoteId and the post ID, resulting in creating a post with a user-defined post ID. This can cause some broken functionality in the channel or thread with user-defined posts | |||||
| CVE-2024-36257 | 1 Mattermost | 1 Mattermost | 2024-07-05 | N/A | 5.3 MEDIUM |
| Mattermost versions 9.5.x <= 9.5.5 and 9.8.0, when using shared channels with multiple remote servers connected, fail to check that the remote server A requesting the server B to update the profile picture of a user is the remote that actually has the user as a local one . This allows a malicious remote A to change the profile images of users that belong to another remote server C that is connected to the server A. | |||||
| CVE-2024-5687 | 2024-07-03 | N/A | 5.3 MEDIUM | ||
| If a specific sequence of actions is performed when opening a new tab, the triggering principal associated with the new tab may have been incorrect. The triggering principal is used to calculate many values, including the `Referer` and `Sec-*` headers, meaning there is the potential for incorrect security checks within the browser in addition to incorrect or misleading information sent to remote websites. *This bug only affects Firefox for Android. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 127. | |||||
| CVE-2024-3746 | 2024-07-03 | N/A | 5.5 MEDIUM | ||
| The entire parent directory - C:\ScadaPro and its sub-directories and files are configured by default to allow user, including unprivileged users, to write or overwrite files. | |||||
| CVE-2024-37677 | 1 Access Management Specialist Project | 1 Access Management Specialist | 2024-07-03 | N/A | 7.5 HIGH |
| An issue in Shenzhen Weitillage Industrial Co., Ltd the access management specialist V6.62.51215 allows a remote attacker to obtain sensitive information. | |||||
| CVE-2024-35396 | 2024-07-03 | N/A | 9.8 CRITICAL | ||
| TOTOLINK CP900L v4.1.5cu.798_B20221228 was discovered to contain a hardcoded password for telnet in /web_cste/cgi-bin/product.ini, which allows attackers to log in as root. | |||||
| CVE-2024-33666 | 2024-07-03 | N/A | 8.6 HIGH | ||
| An issue was discovered in Zammad before 6.3.0. Users with customer access to a ticket could have accessed time accounting details of this ticket via the API. This data should be available only to agents. | |||||
| CVE-2024-33396 | 2024-07-03 | N/A | 8.4 HIGH | ||
| An issue in karmada-io karmada v1.9.0 and before allows a local attacker to execute arbitrary code via a crafted command to get the token component. | |||||
| CVE-2024-33393 | 2024-07-03 | N/A | 6.2 MEDIUM | ||
| An issue in spidernet-io spiderpool v.0.9.3 and before allows a local attacker to execute arbitrary code via a crafted command to get the token component. | |||||
| CVE-2024-33260 | 2024-07-03 | N/A | 5.1 MEDIUM | ||
| Jerryscript commit cefd391 was discovered to contain a segmentation violation via the component parser_parse_class at jerry-core/parser/js/js-parser-expr.c | |||||
| CVE-2024-32418 | 2024-07-03 | N/A | 9.8 CRITICAL | ||
| An issue in flusity CMS v2.33 allows a remote attacker to execute arbitrary code via the add_addon.php component. | |||||
| CVE-2024-31967 | 2024-07-03 | N/A | 9.1 CRITICAL | ||
| A vulnerability on Mitel 6800 Series and 6900 Series SIP Phones through 6.3 SP3 HF4, 6900w Series SIP Phone through 6.3.3, and 6970 Conference Unit through 5.1.1 SP8 allows an unauthenticated attacker to conduct an unauthorized access attack due to improper access control. A successful exploit could allow an attacker to gain unauthorized access to user information or the system configuration. | |||||
| CVE-2024-31964 | 2024-07-03 | N/A | 7.5 HIGH | ||
| A vulnerability on Mitel 6800 Series and 6900 Series SIP Phones through 6.3 SP3 HF4, 6900w Series SIP Phone through 6.3.3, and 6970 Conference Unit through 5.1.1 SP8 allows an unauthenticated attacker to conduct an authentication bypass attack due to improper authentication control. A successful exploit could allow an attacker to modify system configuration settings and potentially cause a denial of service. | |||||
| CVE-2024-31846 | 2024-07-03 | N/A | 7.5 HIGH | ||
| An issue was discovered in Italtel Embrace 1.6.4. The web application does not restrict or incorrectly restricts access to a resource from an unauthorized actor. | |||||
| CVE-2024-30107 | 2024-07-03 | N/A | 3.5 LOW | ||
| HCL Connections contains a broken access control vulnerability that may expose sensitive information to unauthorized users in certain scenarios. | |||||
| CVE-2024-2749 | 2024-07-03 | N/A | 5.9 MEDIUM | ||
| The VikBooking Hotel Booking Engine & PMS WordPress plugin before 1.6.8's access control mechanism fails to properly restrict access to its settings, permitting any users that can access a menu to manipulate requests and perform unauthorized actions such as editing, renaming or deleting (categories for example) despite initial settings prohibiting such access. This vulnerability resembles broken access control, enabling unauthorized users to modify critical VikBooking Hotel Booking Engine & PMS WordPress plugin before 1.6.8 configurations. | |||||
| CVE-2024-29207 | 2024-07-03 | N/A | 7.5 HIGH | ||
| An Improper Certificate Validation could allow a malicious actor with access to an adjacent network to take control of the system. Affected Products: UniFi Connect Application (Version 3.7.9 and earlier) UniFi Connect EV Station (Version 1.1.18 and earlier) UniFi Connect EV Station Pro (Version 1.1.18 and earlier) UniFi Connect Display (Version 1.9.324 and earlier) UniFi Connect Display Cast (Version 1.6.225 and earlier) Mitigation: Update UniFi Connect Application to Version 3.10.7 or later. Update UniFi Connect EV Station to Version 1.2.15 or later. Update UniFi Connect EV Station Pro to Version 1.2.15 or later. Update UniFi Connect Display to Version 1.11.348 or later. Update UniFi Connect Display Cast to Version 1.8.255 or later. | |||||