Total
10511 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-43052 | 1 Qualcomm | 182 205 Mobile Platform, 205 Mobile Platform Firmware, 215 Mobile Platform and 179 more | 2024-12-12 | N/A | 7.8 HIGH |
| Memory corruption while processing API calls to NPU with invalid input. | |||||
| CVE-2024-12401 | 2024-12-12 | N/A | 4.4 MEDIUM | ||
| A flaw was found in the cert-manager package. This flaw allows an attacker who can modify PEM data that the cert-manager reads, for example, in a Secret resource, to use large amounts of CPU in the cert-manager controller pod to effectively create a denial-of-service (DoS) vector for the cert-manager in the cluster. | |||||
| CVE-2023-31366 | 1 Amd | 1 Uprof | 2024-12-12 | N/A | 3.3 LOW |
| Improper input validation in AMD μProf could allow an attacker to perform a write to an invalid address, potentially resulting in denial of service. | |||||
| CVE-2024-32989 | 1 Huawei | 2 Emui, Harmonyos | 2024-12-11 | N/A | 3.3 LOW |
| Insufficient verification vulnerability in the system sharing pop-up module Impact: Successful exploitation of this vulnerability will affect availability. | |||||
| CVE-2024-32990 | 1 Huawei | 2 Emui, Harmonyos | 2024-12-11 | N/A | 6.1 MEDIUM |
| Permission verification vulnerability in the system sharing pop-up module Impact: Successful exploitation of this vulnerability will affect availability. | |||||
| CVE-2024-32992 | 1 Huawei | 2 Emui, Harmonyos | 2024-12-11 | N/A | 7.5 HIGH |
| Insufficient verification vulnerability in the baseband module Impact: Successful exploitation of this vulnerability will affect availability. | |||||
| CVE-2024-11737 | 2024-12-11 | N/A | 9.8 CRITICAL | ||
| CWE-20: Improper Input Validation vulnerability exists that could lead to a denial of service and a loss of confidentiality, integrity of the controller when an unauthenticated crafted Modbus packet is sent to the device. | |||||
| CVE-2024-12353 | 1 Razormist | 1 Phone Contact Manager System | 2024-12-10 | 1.7 LOW | 3.3 LOW |
| A vulnerability, which was classified as problematic, has been found in SourceCodester Phone Contact Manager System 1.0. This issue affects the function UserInterface::MenuDisplayStart of the component User Menu. The manipulation of the argument name leads to improper input validation. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-12355 | 1 Razormist | 1 Phone Contact Manager System | 2024-12-10 | 1.7 LOW | 3.3 LOW |
| A vulnerability has been found in SourceCodester Phone Contact Manager System 1.0 and classified as problematic. Affected by this vulnerability is the function ContactBook::adding of the file ContactBook.cpp. The manipulation leads to improper input validation. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2024-55655 | 2024-12-10 | N/A | N/A | ||
| sigstore-python is a Python tool for generating and verifying Sigstore signatures. Versions of sigstore-python newer than 2.0.0 but prior to 3.6.0 perform insufficient validation of the "integration time" present in "v2" and "v3" bundles during the verification flow: the "integration time" is verified *if* a source of signed time (such as an inclusion promise) is present, but is otherwise trusted if no source of signed time is present. This does not affect "v1" bundles, as the "v1" bundle format always requires an inclusion promise. Sigstore uses signed time to support verification of signatures made against short-lived signing keys. The impact and severity of this weakness is *low*, as Sigstore contains multiple other enforcing components that prevent an attacker who modifies the integration timestamp within a bundle from impersonating a valid signature. In particular, an attacker who modifies the integration timestamp can induce a Denial of Service, but in no different manner than already possible with bundle access (e.g. modifying the signature itself such that it fails to verify). Separately, an attacker could upload a *new* entry to the transparency service, and substitute their new entry's time. However, this would still be rejected at validation time, as the new entry's (valid) signed time would be outside the validity window of the original signing certificate and would nonetheless render the attacker auditable. | |||||
| CVE-2023-28649 | 1 Snapone | 2 Orvc, Ovrc-300-pro | 2024-12-09 | N/A | 8.6 HIGH |
| The Hub in the Snap One OvrC cloud platform is a device used to centralize and manage nested devices connected to it. A vulnerability exists in which an attacker could impersonate a hub and send device requests to claim already claimed devices. The OvrC cloud platform receives the requests but does not validate if the found devices are already managed by another user. | |||||
| CVE-2024-23263 | 4 Apple, Fedoraproject, Webkitgtk and 1 more | 10 Ipados, Iphone Os, Macos and 7 more | 2024-12-09 | N/A | 6.5 MEDIUM |
| A logic issue was addressed with improved validation. This issue is fixed in tvOS 17.4, macOS Sonoma 14.4, visionOS 1.1, iOS 17.4 and iPadOS 17.4, watchOS 10.4, iOS 16.7.6 and iPadOS 16.7.6, Safari 17.4. Processing maliciously crafted web content may prevent Content Security Policy from being enforced. | |||||
| CVE-2024-26164 | 1 Microsoft | 1 Django Backend | 2024-12-06 | N/A | 8.8 HIGH |
| Microsoft Django Backend for SQL Server Remote Code Execution Vulnerability | |||||
| CVE-2024-28103 | 1 Rubyonrails | 1 Rails | 2024-12-06 | N/A | 5.4 MEDIUM |
| Action Pack is a framework for handling and responding to web requests. Since 6.1.0, the application configurable Permissions-Policy is only served on responses with an HTML related Content-Type. This vulnerability is fixed in 6.1.7.8, 7.0.8.2, and 7.1.3.3. | |||||
| CVE-2024-54140 | 2024-12-05 | N/A | N/A | ||
| sigstore-java is a sigstore java client for interacting with sigstore infrastructure. sigstore-java has insufficient verification for a situation where a bundle provides a invalid signature for a checkpoint. This bug impacts clients using any variation of KeylessVerifier.verify(). Currently checkpoints are only used to ensure the root hash of an inclusion proof was provided by the log in question. Failing to validate that means a bundle may provide an inclusion proof that doesn't actually correspond to the log in question. This may eventually lead a monitor/witness being unable to detect when a compromised logs are providing different views of themselves to different clients. There are other mechanisms right now that mitigate this, such as the signed entry timestamp. Sigstore-java currently requires a valid signed entry timestamp. By correctly verifying the signed entry timestamp we can make certain assertions about the log signing the log entry (like the log was aware of the artifact signing event and signed it). Therefore the impact on clients that are not monitors/witnesses is very low. This vulnerability is fixed in 1.2.0. | |||||
| CVE-2024-7488 | 2024-12-05 | N/A | 5.3 MEDIUM | ||
| Improper Input Validation vulnerability in RestApp Inc. Online Ordering System allows Integer Attacks.This issue affects Online Ordering System: 8.2.1. NOTE: Vulnerability fixed in version 8.2.2 and does not exist before 8.2.1. | |||||
| CVE-2024-21448 | 1 Microsoft | 1 Teams | 2024-12-05 | N/A | 5.0 MEDIUM |
| Microsoft Teams for Android Information Disclosure Vulnerability | |||||
| CVE-2024-12138 | 2024-12-04 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability classified as critical was found in horilla up to 1.2.1. This vulnerability affects the function request_new/get_employee_shift/create_reimbursement/key_result_current_value_update/create_meetings/create_skills. The manipulation leads to deserialization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-11985 | 2024-12-04 | N/A | 4.4 MEDIUM | ||
| An improper input validation vulnerability leads to device crashes in certain ASUS router models. Refer to the '12/03/2024 ASUS Router Improper Input Validation' section on the ASUS Security Advisory for more information. | |||||
| CVE-2024-52815 | 2024-12-03 | N/A | N/A | ||
| Synapse is an open-source Matrix homeserver. Synapse versions before 1.120.1 fail to properly validate invites received over federation. This vulnerability allows a malicious server to send a specially crafted invite that disrupts the invited user's /sync functionality. Synapse 1.120.1 rejects such invalid invites received over federation and restores the ability to sync for affected users. | |||||