Total
13284 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-32903 | 1 Google | 1 Android | 2024-11-21 | 7.8 High |
| In prepare_response_locked of lwis_transaction.c, there is a possible out of bounds write due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2024-32860 | 1 Dell | 45 Alienware Area 51m R2, Alienware Area 51m R2 Firmware, Alienware Aurora R11 and 42 more | 2024-11-21 | 7.5 High |
| Dell Client Platform BIOS contains an Improper Input Validation vulnerability in an externally developed component. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Code execution. | ||||
| CVE-2024-32859 | 1 Dell | 48 Alienware Area 51m R2, Alienware Area 51m R2 Firmware, Alienware Aurora R10 and 45 more | 2024-11-21 | 7.5 High |
| Dell Client Platform BIOS contains an Improper Input Validation vulnerability in an externally developed component. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Code execution. | ||||
| CVE-2024-32858 | 1 Dell | 48 Alienware Area 51m R2, Alienware Area 51m R2 Firmware, Alienware Aurora R10 and 45 more | 2024-11-21 | 7.5 High |
| Dell Client Platform BIOS contains an Improper Input Validation vulnerability in an externally developed component. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Code execution. | ||||
| CVE-2024-32856 | 1 Dell | 46 Alienware Area 51m R2, Alienware Area 51m R2 Firmware, Alienware Aurora R10 and 43 more | 2024-11-21 | 5.1 Medium |
| Dell Client Platform BIOS contains an Improper Input Validation vulnerability in an externally developed component. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Information disclosure. | ||||
| CVE-2024-32007 | 2 Apache, Redhat | 4 Cxf, Apache-camel-spring-boot, Apache Camel Spring Boot and 1 more | 2024-11-21 | 7.5 High |
| An improper input validation of the p2c parameter in the Apache CXF JOSE code before 4.0.5, 3.6.4 and 3.5.9 allows an attacker to perform a denial of service attack by specifying a large value for this parameter in a token. | ||||
| CVE-2024-29068 | 1 Canonical | 1 Snapd | 2024-11-21 | 5.8 Medium |
| In snapd versions prior to 2.62, snapd failed to properly check the file type when extracting a snap. The snap format is a squashfs file-system image and so can contain files that are non-regular files (such as pipes or sockets etc). Various file entries within the snap squashfs image (such as icons etc) are directly read by snapd when it is extracted. An attacker who could convince a user to install a malicious snap which contained non-regular files at these paths could then cause snapd to block indefinitely trying to read from such files and cause a denial of service. | ||||
| CVE-2024-26127 | 1 Adobe | 2 Experience Manager, Experience Manager Cloud Service | 2024-11-21 | 3.5 Low |
| Adobe Experience Manager versions 6.5.20 and earlier are affected by an Improper Input Validation vulnerability that could result in a security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and affect the integrity of the page. Exploitation of this issue requires user interaction. | ||||
| CVE-2024-26126 | 1 Adobe | 2 Experience Manager, Experience Manager Cloud Service | 2024-11-21 | 3.5 Low |
| Adobe Experience Manager versions 6.5.20 and earlier are affected by an Improper Input Validation vulnerability that could result in a security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and affect the integrity of the page. Exploitation of this issue requires user interaction. | ||||
| CVE-2024-24941 | 1 Jetbrains | 1 Intellij Idea | 2024-11-21 | 6.1 Medium |
| In JetBrains IntelliJ IDEA before 2023.3.3 a plugin for JetBrains Space was able to send an authentication token to an inappropriate URL | ||||
| CVE-2024-24696 | 1 Zoom | 3 Meeting Software Development Kit, Vdi Windows Meeting Clients, Zoom | 2024-11-21 | 6.8 Medium |
| Improper input validation in Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for Windows may allow an authenticated user to conduct a disclosure of information via network access. | ||||
| CVE-2024-23669 | 1 Fortinet | 2 Fortiweb Manager, Fortiwebmanager | 2024-11-21 | 6.4 Medium |
| An improper authorization in Fortinet FortiWebManager version 7.2.0 and 7.0.0 through 7.0.4 and 6.3.0 and 6.2.3 through 6.2.4 and 6.0.2 allows attacker to execute unauthorized code or commands via HTTP requests or CLI. | ||||
| CVE-2024-23655 | 1 Tuta | 1 Tutanota | 2024-11-21 | 7.5 High |
| Tuta is an encrypted email service. Starting in version 3.118.12 and prior to version 3.119.10, an attacker is able to send a manipulated email so that the user can no longer use the app to get access to received emails. By sending a manipulated email, an attacker could put the app into an unusable state. In this case, a user can no longer access received e-mails. Since the vulnerability affects not only the app, but also the web application, a user in this case has no way to access received emails. This issue was tested with iOS and the web app, but it is possible all clients are affected. Version 3.119.10 fixes this issue. | ||||
| CVE-2024-23641 | 1 Svelte | 2 Adapter-node, Kit | 2024-11-21 | 7.5 High |
| SvelteKit is a web development kit. In SvelteKit 2, sending a GET request with a body eg `{}` to a built and previewed/hosted sveltekit app throws `Request with GET/HEAD method cannot have body.` and crashes the preview/hosting. After this happens, one must manually restart the app. `TRACE` requests will also cause the app to crash. Prerendered pages and SvelteKit 1 apps are not affected. `@sveltejs/adapter-node` versions 2.1.2, 3.0.3, and 4.0.1 and `@sveltejs/kit` version 2.4.3 contain a patch for this issue. | ||||
| CVE-2024-23469 | 1 Solarwinds | 1 Access Rights Manager | 2024-11-21 | 9.6 Critical |
| SolarWinds Access Rights Manager (ARM) is susceptible to a Remote Code Execution vulnerability. If exploited, this vulnerability allows an unauthenticated user to perform the actions with SYSTEM privileges. | ||||
| CVE-2024-23324 | 1 Envoyproxy | 1 Envoy | 2024-11-21 | 8.6 High |
| Envoy is a high-performance edge/middle/service proxy. External authentication can be bypassed by downstream connections. Downstream clients can force invalid gRPC requests to be sent to ext_authz, circumventing ext_authz checks when failure_mode_allow is set to true. This issue has been addressed in released 1.29.1, 1.28.1, 1.27.3, and 1.26.7. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2024-22199 | 1 Gofiber | 1 Django | 2024-11-21 | 9.3 Critical |
| This package provides universal methods to use multiple template engines with the Fiber web framework using the Views interface. This vulnerability specifically impacts web applications that render user-supplied data through this template engine, potentially leading to the execution of malicious scripts in users' browsers when visiting affected web pages. The vulnerability has been addressed, the template engine now defaults to having autoescape set to `true`, effectively mitigating the risk of XSS attacks. | ||||
| CVE-2024-21863 | 1 Openatom | 1 Openharmony | 2024-11-21 | 4.7 Medium |
| in OpenHarmony v4.0.0 and prior versions allow a local attacker cause DOS through improper input. | ||||
| CVE-2024-21663 | 1 Demon1a | 1 Discord-recon | 2024-11-21 | 10 Critical |
| Discord-Recon is a Discord bot created to automate bug bounty recon, automated scans and information gathering via a discord server. Discord-Recon is vulnerable to remote code execution. An attacker is able to execute shell commands in the server without having an admin role. This vulnerability has been fixed in version 0.0.8. | ||||
| CVE-2024-21631 | 1 Vapor | 1 Vapor | 2024-11-21 | 6.5 Medium |
| Vapor is an HTTP web framework for Swift. Prior to version 4.90.0, Vapor's `vapor_urlparser_parse` function uses `uint16_t` indexes when parsing a URI's components, which may cause integer overflows when parsing untrusted inputs. This vulnerability does not affect Vapor directly but could impact applications relying on the URI type for validating user input. The URI type is used in several places in Vapor. A developer may decide to use URI to represent a URL in their application (especially if that URL is then passed to the HTTP Client) and rely on its public properties and methods. However, URI may fail to properly parse a valid (albeit abnormally long) URL, due to string ranges being converted to 16-bit integers. An attacker may use this behavior to trick the application into accepting a URL to an untrusted destination. By padding the port number with zeros, an attacker can cause an integer overflow to occur when the URL authority is parsed and, as a result, spoof the host. Version 4.90.0 contains a patch for this issue. As a workaround, validate user input before parsing as a URI or, if possible, use Foundation's `URL` and `URLComponents` utilities. | ||||