Total
31934 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-44231 | 1 Apple | 1 Macos | 2025-01-06 | N/A | 4.6 MEDIUM |
| This issue was addressed through improved state management. This issue is fixed in macOS Sequoia 15.1. A person with physical access to a Mac may be able to bypass Login Window during a software update. | |||||
| CVE-2023-32221 | 1 Easeus | 1 Todo Backup | 2025-01-04 | N/A | 7.8 HIGH |
| EaseUS Todo Backup version 20220111.390 - An omission during installation may allow a local attacker to perform privilege escalation. | |||||
| CVE-2024-9257 | 1 Logsign | 1 Unified Secops Platform | 2025-01-03 | N/A | 6.5 MEDIUM |
| Logsign Unified SecOps Platform delete_gsuite_key_file Input Validation Arbitrary File Deletion Vulnerability. This vulnerability allows remote attackers to delete arbitrary files within sensitive directories on affected installations of Logsign Unified SecOps Platform. Authentication is required to exploit this vulnerability. The specific flaw exists within the delete_gsuite_key_file endpoint. The issue results from the lack of proper validation of a user-supplied filename prior to using it in file operations. An attacker can leverage this vulnerability to delete critical files on the system. Was ZDI-CAN-25265. | |||||
| CVE-2023-51644 | 1 Alltena | 1 Allegra | 2025-01-03 | N/A | 7.3 HIGH |
| Allegra SiteConfigAction Improper Access Control Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Allegra. Authentication is not required to exploit this vulnerability. The specific flaw exists within the configuration of Struts. The issue results from improper access control. An attacker can leverage this vulnerability to execute code in the context of LOCAL SERVICE. Was ZDI-CAN-22512. | |||||
| CVE-2023-5528 | 3 Fedoraproject, Kubernetes, Microsoft | 3 Fedora, Kubernetes, Windows | 2025-01-03 | N/A | 8.8 HIGH |
| A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they are using an in-tree storage plugin for Windows nodes. | |||||
| CVE-2024-27931 | 1 Deno | 1 Deno | 2025-01-03 | N/A | 6.5 MEDIUM |
| Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. Insufficient validation of parameters in `Deno.makeTemp*` APIs would allow for creation of files outside of the allowed directories. This may allow the user to overwrite important files on the system that may affect other systems. A user may provide a prefix or suffix to a `Deno.makeTemp*` API containing path traversal characters. This is fixed in Deno 1.41.1. | |||||
| CVE-2024-27932 | 1 Deno | 1 Deno | 2025-01-03 | N/A | 4.6 MEDIUM |
| Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.8.0 and prior to version 1.40.4, Deno improperly checks that an import specifier's hostname is equal to or a child of a token's hostname, which can cause tokens to be sent to servers they shouldn't be sent to. An auth token intended for `example[.]com` may be sent to `notexample[.]com`. Anyone who uses DENO_AUTH_TOKENS and imports potentially untrusted code is affected. Version 1.40.0 contains a patch for this issue | |||||
| CVE-2023-32673 | 1 Hp | 4 Image Assistant, Pc Hardware Diagnostics, Thunderbolt Dock G2 and 1 more | 2025-01-03 | N/A | 9.8 CRITICAL |
| Certain versions of HP PC Hardware Diagnostics Windows, HP Image Assistant, and HP Thunderbolt Dock G2 Firmware are potentially vulnerable to elevation of privilege. | |||||
| CVE-2023-25368 | 1 Siglent | 6 Sds1074x-e, Sds1074x-e Firmware, Sds1104x-e and 3 more | 2025-01-03 | N/A | 7.5 HIGH |
| Siglent SDS 1104X-E SDS1xx4X-E_V6.1.37R9.ADS is vulnerable to Incorrect Access Control. An unauthenticated attacker can overwrite firmnware. | |||||
| CVE-2023-1707 | 1 Hp | 317 Color Laserjet Enterprise 5700 49k98a, Color Laserjet Enterprise 5700 6qn28a, Color Laserjet Enterprise 6700 49l00a and 314 more | 2025-01-03 | N/A | 7.5 HIGH |
| Certain HP Enterprise LaserJet and HP LaserJet Managed Printers are potentially vulnerable to information disclosure when IPsec is enabled with FutureSmart version 5.6. | |||||
| CVE-2023-25369 | 1 Siglent | 6 Sds1074x-e, Sds1074x-e Firmware, Sds1104x-e and 3 more | 2025-01-03 | N/A | 7.5 HIGH |
| Siglent SDS 1104X-E SDS1xx4X-E_V6.1.37R9.ADS is vulnerable to Denial of Service on the user interface triggered by malformed SCPI command. | |||||
| CVE-2023-25367 | 1 Siglent | 6 Sds1074x-e, Sds1074x-e Firmware, Sds1104x-e and 3 more | 2025-01-03 | N/A | 9.8 CRITICAL |
| Siglent SDS 1104X-E SDS1xx4X-E_V6.1.37R9.ADS allows unfiltered user input resulting in Remote Code Execution (RCE) with SCPI interface or web server. | |||||
| CVE-2024-39896 | 1 Monospace | 1 Directus | 2025-01-03 | N/A | 5.3 MEDIUM |
| Directus is a real-time API and App dashboard for managing SQL database content. When relying on SSO providers in combination with local authentication it can be possible to enumerate existing SSO users in the instance. This is possible because if an email address exists in Directus and belongs to a known SSO provider then it will throw a "helpful" error that the user belongs to another provider. This vulnerability is fixed in 10.13.0. | |||||
| CVE-2024-34708 | 1 Monospace | 1 Directus | 2025-01-03 | N/A | 4.9 MEDIUM |
| Directus is a real-time API and App dashboard for managing SQL database content. A user with permission to view any collection using redacted hashed fields can get access the raw stored version using the `alias` functionality on the API. Normally, these redacted fields will return `**********` however if we change the request to `?alias[workaround]=redacted` we can instead retrieve the plain text value for the field. This can be avoided by removing permission to view the sensitive fields entirely from users or roles that should not be able to see them. This vulnerability is fixed in 10.11.0. | |||||
| CVE-2024-27296 | 1 Monospace | 1 Directus | 2025-01-03 | N/A | 5.3 MEDIUM |
| Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 10.8.3, the exact Directus version number was being shipped in compiled JS bundles which are accessible without authentication. With this information a malicious attacker can trivially look for known vulnerabilities in Directus core or any of its shipped dependencies in that specific running version. The problem has been resolved in versions 10.8.3 and newer. | |||||
| CVE-2024-45802 | 1 Squid-cache | 1 Squid | 2025-01-03 | N/A | 7.5 HIGH |
| Squid is an open source caching proxy for the Web supporting HTTP, HTTPS, FTP, and more. Due to Input Validation, Premature Release of Resource During Expected Lifetime, and Missing Release of Resource after Effective Lifetime bugs, Squid is vulnerable to Denial of Service attacks by a trusted server against all clients using the proxy. This bug is fixed in the default build configuration of Squid version 6.10. | |||||
| CVE-2024-34082 | 1 Getgrav | 1 Grav | 2025-01-02 | N/A | 9.9 CRITICAL |
| Grav is a file-based Web platform. Prior to version 1.7.46, a low privilege user account with page edit privilege can read any server files using Twig Syntax. This includes Grav user account files - `/grav/user/accounts/*.yaml`. This file stores hashed user password, 2FA secret, and the password reset token. This can allow an adversary to compromise any registered account and read any file in the web server by resetting a password for a user to get access to the password reset token from the file or by cracking the hashed password. A low privileged user may also perform a full account takeover of other registered users including Administrators. Version 1.7.46 contains a patch. | |||||
| CVE-2024-32645 | 1 Vyperlang | 1 Vyper | 2025-01-02 | N/A | 5.3 MEDIUM |
| Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, incorrect values can be logged when `raw_log` builtin is called with memory or storage arguments to be used as topics. A contract search was performed and no vulnerable contracts were found in production. The `build_IR` function of the `RawLog` class fails to properly unwrap the variables provided as topics. Consequently, incorrect values are logged as topics. As of time of publication, no fixed version is available. | |||||
| CVE-2022-37967 | 4 Fedoraproject, Microsoft, Netapp and 1 more | 9 Fedora, Windows Server 2008, Windows Server 2012 and 6 more | 2025-01-02 | N/A | N/A |
| Windows Kerberos Elevation of Privilege Vulnerability | |||||
| CVE-2022-37983 | 1 Microsoft | 4 Windows 10, Windows 11, Windows Server 2019 and 1 more | 2025-01-02 | N/A | N/A |
| Microsoft DWM Core Library Elevation of Privilege Vulnerability | |||||