Total
1750 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-27264 | 2024-11-21 | N/A | 7.4 HIGH | ||
| IBM Performance Tools for i 7.2, 7.3, 7.4, and 7.5 could allow a local user to gain elevated privileges due to an unqualified library call. A malicious actor could cause user-controlled code to run with administrator privilege. IBM X-Force ID: 284563. | |||||
| CVE-2024-26310 | 2024-11-21 | N/A | 4.3 MEDIUM | ||
| Archer Platform 6.8 before 6.14 P2 (6.14.0.2) contains an improper access control vulnerability. A remote authenticated malicious user could potentially exploit this to gain access to API information that should only be accessible with extra privileges. | |||||
| CVE-2024-26234 | 2024-11-21 | N/A | 6.7 MEDIUM | ||
| Proxy Driver Spoofing Vulnerability | |||||
| CVE-2024-26203 | 2024-11-21 | N/A | 7.3 HIGH | ||
| Azure Data Studio Elevation of Privilege Vulnerability | |||||
| CVE-2024-26201 | 2024-11-21 | N/A | 6.6 MEDIUM | ||
| Microsoft Intune Linux Agent Elevation of Privilege Vulnerability | |||||
| CVE-2024-26139 | 2024-11-21 | N/A | 8.3 HIGH | ||
| OpenCTI is an open source platform allowing organizations to manage their cyber threat intelligence knowledge and observables. Due to lack of certain security controls on the profile edit functionality, an authenticated attacker with low privileges can gain administrative privileges on the web application. | |||||
| CVE-2024-26119 | 2024-11-21 | N/A | 5.3 MEDIUM | ||
| Adobe Experience Manager versions 6.5.19 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user interaction. | |||||
| CVE-2024-26029 | 1 Adobe | 1 Experience Manager | 2024-11-21 | N/A | 7.5 HIGH |
| Adobe Experience Manager versions 6.5.20 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain disclose information. Exploitation of this issue does not require user interaction. | |||||
| CVE-2024-25962 | 2024-11-21 | N/A | 8.3 HIGH | ||
| Dell InsightIQ, version 5.0, contains an improper access control vulnerability. A remote low privileged attacker could potentially exploit this vulnerability, leading to unauthorized access to monitoring data. | |||||
| CVE-2024-25852 | 2024-11-21 | N/A | 8.8 HIGH | ||
| Linksys RE7000 v2.0.9, v2.0.11, and v2.0.15 have a command execution vulnerability in the "AccessControlList" parameter of the access control function point. An attacker can use the vulnerability to obtain device administrator rights. | |||||
| CVE-2024-25830 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
| F-logic DataCube3 v1.0 is vulnerable to Incorrect Access Control due to an improper directory access restriction. An unauthenticated, remote attacker can exploit this, by sending a URI that contains the path of the configuration file. A successful exploit could allow the attacker to extract the root and admin password. | |||||
| CVE-2024-25811 | 2024-11-21 | N/A | 6.5 MEDIUM | ||
| An access control issue in Dreamer CMS v4.0.1 allows attackers to download backup files and leak sensitive information. | |||||
| CVE-2024-25736 | 2024-11-21 | N/A | 7.5 HIGH | ||
| An issue was discovered on WyreStorm Apollo VX20 devices before 1.3.58. Remote attackers can restart the device via a /device/reboot GET request. | |||||
| CVE-2024-25723 | 2024-11-21 | N/A | 8.8 HIGH | ||
| ZenML Server in the ZenML machine learning package before 0.46.7 for Python allows remote privilege escalation because the /api/v1/users/{user_name_or_id}/activate REST API endpoint allows access on the basis of a valid username along with a new password in the request body. These are also patched versions: 0.44.4, 0.43.1, and 0.42.2. | |||||
| CVE-2024-25653 | 2024-11-21 | N/A | 4.3 MEDIUM | ||
| Broken Access Control in the Report functionality of Delinea PAM Secret Server 11.4 allows unprivileged users, when Unlimited Admin Mode is enabled, to view system reports and modify custom reports via the Report functionality in the Web UI. | |||||
| CVE-2024-25251 | 2024-11-21 | N/A | 8.8 HIGH | ||
| code-projects Agro-School Management System 1.0 is suffers from Incorrect Access Control. | |||||
| CVE-2024-25121 | 1 Typo3 | 1 Typo3 | 2024-11-21 | N/A | 7.1 HIGH |
| TYPO3 is an open source PHP based web content management system released under the GNU GPL. In affected versions of TYPO3 entities of the File Abstraction Layer (FAL) could be persisted directly via `DataHandler`. This allowed attackers to reference files in the fallback storage directly and retrieve their file names and contents. The fallback storage ("zero-storage") is used as a backward compatibility layer for files located outside properly configured file storages and within the public web root directory. Exploiting this vulnerability requires a valid backend user account. Users are advised to update to TYPO3 version 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, or 13.0.1 which fix the problem described. When persisting entities of the File Abstraction Layer directly via DataHandler, `sys_file` entities are now denied by default, and `sys_file_reference` & `sys_file_metadata` entities are not permitted to reference files in the fallback storage anymore. When importing data from secure origins, this must be explicitly enabled in the corresponding DataHandler instance by using `$dataHandler->isImporting = true;`. | |||||
| CVE-2024-25120 | 1 Typo3 | 1 Typo3 | 2024-11-21 | N/A | 4.3 MEDIUM |
| TYPO3 is an open source PHP based web content management system released under the GNU GPL. The TYPO3-specific `t3://` URI scheme could be used to access resources outside of the users' permission scope. This encompassed files, folders, pages, and records (although only if a valid link-handling configuration was provided). Exploiting this vulnerability requires a valid backend user account. Users are advised to update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described. There are no known workarounds for this issue. | |||||
| CVE-2024-25106 | 1 Openobserve | 1 Openobserve | 2024-11-21 | N/A | 9.1 CRITICAL |
| OpenObserve is a observability platform built specifically for logs, metrics, traces, analytics, designed to work at petabyte scale. A critical vulnerability has been identified in the "/api/{org_id}/users/{email_id}" endpoint. This vulnerability allows any authenticated user within an organization to remove any other user from that same organization, irrespective of their respective roles. This includes the ability to remove users with "Admin" and "Root" roles. By enabling any organizational member to unilaterally alter the user base, it opens the door to unauthorized access and can cause considerable disruptions in operations. The core of the vulnerability lies in the `remove_user_from_org` function in the user management system. This function is designed to allow organizational users to remove members from their organization. The function does not check if the user initiating the request has the appropriate administrative privileges to remove a user. Any user who is part of the organization, irrespective of their role, can remove any other user, including those with higher privileges. This vulnerability is categorized as an Authorization issue leading to Unauthorized User Removal. The impact is severe, as it compromises the integrity of user management within organizations. By exploiting this vulnerability, any user within an organization, without the need for administrative privileges, can remove critical users, including "Admins" and "Root" users. This could result in unauthorized system access, administrative lockout, or operational disruptions. Given that user accounts are typically created by "Admins" or "Root" users, this vulnerability can be exploited by any user who has been granted access to an organization, thereby posing a critical risk to the security and operational stability of the application. This issue has been addressed in release version 0.8.0. Users are advised to upgrade. | |||||
| CVE-2024-24830 | 1 Openobserve | 1 Openobserve | 2024-11-21 | N/A | 9.9 CRITICAL |
| OpenObserve is a observability platform built specifically for logs, metrics, traces, analytics, designed to work at petabyte scale. A vulnerability has been identified in the "/api/{org_id}/users" endpoint. This vulnerability allows any authenticated regular user ('member') to add new users with elevated privileges, including the 'root' role, to an organization. This issue circumvents the intended security controls for role assignments. The vulnerability resides in the user creation process, where the payload does not validate the user roles. A regular user can manipulate the payload to assign root-level privileges. This vulnerability leads to Unauthorized Privilege Escalation and significantly compromises the application's role-based access control system. It allows unauthorized control over application resources and poses a risk to data security. All users, particularly those in administrative roles, are impacted. This issue has been addressed in release version 0.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||