Total
35574 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-7091 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.1 Medium |
| An issue was discovered in GitLab CE/EE affecting all versions starting from 15.6 prior to 17.0.5, starting from 17.1 prior to 17.1.3, and starting from 17.2 prior to 17.2.1 where it was possible to disclose limited information of an exported group or project to another user. | ||||
| CVE-2024-7060 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 2.6 Low |
| An information disclosure vulnerability in GitLab CE/EE in project/group exports affecting all versions from 15.4 prior to 17.0.5, 17.1 prior to 17.1.3, and 17.2 prior to 17.2.1 allows unauthorized users to view the resultant export. | ||||
| CVE-2024-7057 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.3 Medium |
| An information disclosure vulnerability in GitLab CE/EE affecting all versions starting from 16.7 prior to 17.0.5, starting from 17.1 prior to 17.1.3, and starting from 17.2 prior to 17.2.1 where job artifacts can be inappropriately exposed to users lacking the proper authorization level. | ||||
| CVE-2024-6760 | 1 Freebsd | 1 Freebsd | 2024-11-21 | 7.5 High |
| A logic bug in the code which disables kernel tracing for setuid programs meant that tracing was not disabled when it should have, allowing unprivileged users to trace and inspect the behavior of setuid programs. The bug may be used by an unprivileged user to read the contents of files to which they would not otherwise have access, such as the local password database. | ||||
| CVE-2024-6741 | 1 Openfind | 1 Mail2000 | 2024-11-21 | 5.8 Medium |
| Openfind's Mail2000 has a vulnerability that allows the HttpOnly flag to be bypassed. Unauthenticated remote attackers can exploit this vulnerability using specific JavaScript code to obtain the session cookie with the HttpOnly flag enabled. | ||||
| CVE-2024-6540 | 1 Otrs | 1 Otrs | 2024-11-21 | 5.7 Medium |
| Improper filtering of fields when using the export function in the ticket overview of the external interface in OTRS could allow an authorized user to download a list of tickets containing information about tickets of other customers. The problem only occurs if the TicketSearchLegacyEngine has been disabled by the administrator. This issue affects OTRS: 8.0.X, 2023.X, from 2024.X through 2024.4.x | ||||
| CVE-2024-6446 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 3.5 Low |
| An issue has been discovered in GitLab affecting all versions starting from 17.1 to 17.1.7, 17.2 prior to 17.2.5 and 17.3 prior to 17.3.2. A crafted URL could be used to trick a victim to trust an attacker controlled application. | ||||
| CVE-2024-6426 | 1 Mesbook | 1 Mesbook | 2024-11-21 | 8.1 High |
| Information exposure vulnerability in MESbook 20221021.03 version, the exploitation of which could allow a local attacker, with user privileges, to access different resources by changing the API value of the application. | ||||
| CVE-2024-6407 | 1 Schneider-electric | 2 Whc-5918a, Whc-5918a Firmware | 2024-11-21 | 9.8 Critical |
| CWE-200: Information Exposure vulnerability exists that could cause disclosure of credentials when a specially crafted message is sent to the device. | ||||
| CVE-2024-6398 | 1 Skyhighsecurity | 1 Secure Web Gateway | 2024-11-21 | 4.3 Medium |
| An information disclosure vulnerability in SWG in versions 12.x prior to 12.2.10 and 11.x prior to 11.2.24 allows information stored in a customizable block page to be disclosed to third-party websites due to Same Origin Policy Bypass of browsers in certain scenarios. The risk is low, because other recommended default security policies such as URL categorization and GTI are in place in most policies to block access to uncategorized/high risk websites. Any information disclosed depends on how the customers have customized the block pages. | ||||
| CVE-2024-6395 | 1 Github | 1 Enterprise Server | 2024-11-21 | 5.3 Medium |
| An exposure of sensitive information vulnerability in GitHub Enterprise Server would allow an attacker to enumerate the names of private repositories that utilize deploy keys. This vulnerability did not allow unauthorized access to any repository content besides the name. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.13.1, 3.12.6, 3.11.12, 3.10.14, and 3.9.17. This vulnerability was reported via the GitHub Bug Bounty program. | ||||
| CVE-2024-6389 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.3 Medium |
| An issue was discovered in GitLab-CE/EE affecting all versions starting with 17.0 before 17.1.7, 17.2 before 17.2.5, and 17.3 before 17.3.2. An attacker as a guest user was able to access commit information via the release Atom endpoint, contrary to permissions. | ||||
| CVE-2024-6385 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 9.6 Critical |
| An issue was discovered in GitLab CE/EE affecting all versions starting from 15.8 prior to 16.11.6, starting from 17.0 prior to 17.0.4, and starting from 17.1 prior to 17.1.2, which allows an attacker to trigger a pipeline as another user under certain circumstances. | ||||
| CVE-2024-6384 | 1 Mongodb | 1 Mongodb | 2024-11-21 | 5.3 Medium |
| "Hot" backup files may be downloaded by underprivileged users, if they are capable of acquiring a unique backup identifier. This issue affects MongoDB Enterprise Server v6.0 versions prior to 6.0.16, MongoDB Enterprise Server v7.0 versions prior to 7.0.11 and MongoDB Enterprise Server v7.3 versions prior to 7.3.3 | ||||
| CVE-2024-6336 | 1 Github | 1 Enterprise Server | 2024-11-21 | 5.3 Medium |
| A Security Misconfiguration vulnerability in GitHub Enterprise Server allowed sensitive information disclosure to unauthorized users in GitHub Enterprise Server by exploiting organization ruleset feature. This attack required an organization member to explicitly change the visibility of a dependent repository from private to public. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.14 and was fixed in versions 3.13.1, 3.12.6, 3.11.12, 3.10.14, and 3.9.17. This vulnerability was reported via the GitHub Bug Bounty program. | ||||
| CVE-2024-6222 | 4 Apple, Docker, Linux and 1 more | 4 Macos, Desktop, Linux Kernel and 1 more | 2024-11-21 | 7.0 High |
| In Docker Desktop before v4.29.0, an attacker who has gained access to the Docker Desktop VM through a container breakout can further escape to the host by passing extensions and dashboard related IPC messages. Docker Desktop v4.29.0 https://docs.docker.com/desktop/release-notes/#4290 fixes the issue on MacOS, Linux and Windows with Hyper-V backend. As exploitation requires "Allow only extensions distributed through the Docker Marketplace" to be disabled, Docker Desktop v4.31.0 https://docs.docker.com/desktop/release-notes/#4310 additionally changes the default configuration to enable this setting by default. | ||||
| CVE-2024-6089 | 1 Rockwellautomation | 2 5015-aenftxt, 5015-aenftxt Firmware | 2024-11-21 | 7.5 High |
| An input validation vulnerability exists in the Rockwell Automation 5015 - AENFTXT when a manipulated PTP packet is sent, causing the secondary adapter to result in a major nonrecoverable fault. If exploited, a power cycle is required to recover the product. | ||||
| CVE-2024-5907 | 1 Paloaltonetworks | 1 Cortex Xdr Agent | 2024-11-21 | 7.0 High |
| A privilege escalation (PE) vulnerability in the Palo Alto Networks Cortex XDR agent on Windows devices enables a local user to execute programs with elevated privileges. However, execution does require the local user to successfully exploit a race condition, which makes this vulnerability difficult to exploit. | ||||
| CVE-2024-5905 | 1 Paloaltonetworks | 1 Cortex Xdr Agent | 2024-11-21 | 4.4 Medium |
| A problem with a protection mechanism in the Palo Alto Networks Cortex XDR agent on Windows devices allows a local low privileged Windows user to disrupt some functionality of the agent. However, they are not able to disrupt Cortex XDR agent protection mechanisms using this vulnerability. | ||||
| CVE-2024-5689 | 1 Mozilla | 1 Firefox | 2024-11-21 | 4.3 Medium |
| In addition to detecting when a user was taking a screenshot (XXX), a website was able to overlay the 'My Shots' button that appeared, and direct the user to a replica Firefox Screenshots page that could be used for phishing. This vulnerability affects Firefox < 127. | ||||