Total
3019 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-21828 | 2024-11-21 | N/A | 6.7 MEDIUM | ||
| Improper access control in some Intel(R) Ethernet Controller Administrative Tools software before version 28.3 may allow an authenticated user to potentially enable escalation of privilege via local access. | |||||
| CVE-2024-21767 | 2024-11-21 | N/A | 9.4 CRITICAL | ||
| A remote attacker may be able to bypass access control of Commend WS203VICM by creating a malicious request. | |||||
| CVE-2024-21740 | 2024-11-21 | N/A | 7.4 HIGH | ||
| Artery AT32F415CBT7 and AT32F421C8T7 devices have Incorrect Access Control. | |||||
| CVE-2024-21667 | 1 Pimcore | 1 Customer Management Framework | 2024-11-21 | N/A | 6.5 MEDIUM |
| pimcore/customer-data-framework is the Customer Management Framework for management of customer data within Pimcore. An authenticated and unauthorized user can access the GDPR data extraction feature and query over the information returned, leading to customer data exposure. Permissions are not enforced when reaching the `/admin/customermanagementframework/gdpr-data/search-data-objects` endpoint allowing an authenticated user without the permissions to access the endpoint and query the data available there. An unauthorized user can access PII data from customers. This vulnerability has been patched in version 4.0.6. | |||||
| CVE-2024-21666 | 1 Pimcore | 1 Customer Management Framework | 2024-11-21 | N/A | 6.5 MEDIUM |
| The Customer Management Framework (CMF) for Pimcore adds functionality for customer data management, segmentation, personalization and marketing automation. An authenticated and unauthorized user can access the list of potential duplicate users and see their data. Permissions are enforced when reaching the `/admin/customermanagementframework/duplicates/list` endpoint allowing an authenticated user without the permissions to access the endpoint and query the data available there. Unauthorized user(s) can access PII data from customers. This vulnerability has been patched in version 4.0.6. | |||||
| CVE-2024-21665 | 1 Pimcore | 1 E-commerce Framework | 2024-11-21 | N/A | 4.3 MEDIUM |
| ecommerce-framework-bundle is the Pimcore Ecommerce Framework Bundle. An authenticated and unauthorized user can access the back-office orders list and be able to query over the information returned. Access control and permissions are not being enforced. This vulnerability has been patched in version 1.0.10. | |||||
| CVE-2024-21653 | 1 Vantage6 | 1 Vantage6 | 2024-11-21 | N/A | 6.5 MEDIUM |
| The vantage6 technology enables to manage and deploy privacy enhancing technologies like Federated Learning (FL) and Multi-Party Computation (MPC). Nodes and servers get a ssh config by default that permits root login with password authentication. In a proper deployment, the SSH service is not exposed so there is no risk, but not all deployments are ideal. The default should therefore be less permissive. The vulnerability can be mitigated by removing the ssh part from the docker file and rebuilding the docker image. Version 4.2.0 patches the vulnerability. | |||||
| CVE-2024-21644 | 1 Pyload | 1 Pyload | 2024-11-21 | N/A | 7.5 HIGH |
| pyLoad is the free and open-source Download Manager written in pure Python. Any unauthenticated user can browse to a specific URL to expose the Flask config, including the `SECRET_KEY` variable. This issue has been patched in version 0.5.0b3.dev77. | |||||
| CVE-2024-21589 | 1 Juniper | 1 Paragon Active Assurance Control Center | 2024-11-21 | N/A | 7.4 HIGH |
| An Improper Access Control vulnerability in the Juniper Networks Paragon Active Assurance Control Center allows an unauthenticated network-based attacker to access reports without authenticating, potentially containing sensitive configuration information. A feature was introduced in version 3.1.0 of the Paragon Active Assurance Control Center which allows users to selectively share account data. By exploiting this vulnerability, it is possible to access reports without being logged in, resulting in the opportunity for malicious exfiltration of user data. Note that the Paragon Active Assurance Control Center SaaS offering is not affected by this issue. This issue affects Juniper Networks Paragon Active Assurance versions 3.1.0, 3.2.0, 3.2.2, 3.3.0, 3.3.1, 3.4.0. This issue does not affect Juniper Networks Paragon Active Assurance versions earlier than 3.1.0. | |||||
| CVE-2024-21483 | 2024-11-21 | N/A | 4.6 MEDIUM | ||
| A vulnerability has been identified in SENTRON 7KM PAC3120 AC/DC (7KM3120-0BA01-1DA0) (All versions >= V3.2.3 < V3.2.4 only when manufactured between LQN231003... and LQN231215... ( with LQNYYMMDD...)), SENTRON 7KM PAC3120 DC (7KM3120-1BA01-1EA0) (All versions >= V3.2.3 < V3.2.4 only when manufactured between LQN231003... and LQN231215... ( with LQNYYMMDD...)), SENTRON 7KM PAC3220 AC/DC (7KM3220-0BA01-1DA0) (All versions >= V3.2.3 < V3.2.4 only when manufactured between LQN231003... and LQN231215... ( with LQNYYMMDD...)), SENTRON 7KM PAC3220 DC (7KM3220-1BA01-1EA0) (All versions >= V3.2.3 < V3.2.4 only when manufactured between LQN231003... and LQN231215... ( with LQNYYMMDD...)). The read out protection of the internal flash of affected devices was not properly set at the end of the manufacturing process. An attacker with physical access to the device could read out the data. | |||||
| CVE-2024-21401 | 1 Microsoft | 1 Entra Jira Sso Plugin | 2024-11-21 | N/A | 9.8 CRITICAL |
| Microsoft Entra Jira Single-Sign-On Plugin Elevation of Privilege Vulnerability | |||||
| CVE-2024-21376 | 1 Microsoft | 1 Azure Kubernetes Service | 2024-11-21 | N/A | 9.0 CRITICAL |
| Microsoft Azure Kubernetes Service Confidential Container Remote Code Execution Vulnerability | |||||
| CVE-2024-21364 | 1 Microsoft | 1 Azure Site Recovery | 2024-11-21 | N/A | 9.3 CRITICAL |
| Microsoft Azure Site Recovery Elevation of Privilege Vulnerability | |||||
| CVE-2024-20932 | 2 Netapp, Oracle | 7 Cloud Insights Acquisition Unit, Cloud Insights Storage Workload Security Agent, Oncommand Insight and 4 more | 2024-11-21 | N/A | 7.5 HIGH |
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 17.0.9; Oracle GraalVM for JDK: 17.0.9; Oracle GraalVM Enterprise Edition: 21.3.8 and 22.3.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). | |||||
| CVE-2024-20695 | 1 Microsoft | 1 Skype For Business Server | 2024-11-21 | N/A | 5.7 MEDIUM |
| Skype for Business Information Disclosure Vulnerability | |||||
| CVE-2024-20675 | 1 Microsoft | 1 Edge Chromium | 2024-11-21 | N/A | 6.3 MEDIUM |
| Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability | |||||
| CVE-2024-20657 | 1 Microsoft | 13 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 10 more | 2024-11-21 | N/A | 7.0 HIGH |
| Windows Group Policy Elevation of Privilege Vulnerability | |||||
| CVE-2024-20315 | 2024-11-21 | N/A | 5.8 MEDIUM | ||
| A vulnerability in the access control list (ACL) processing on MPLS interfaces in the ingress direction of Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass a configured ACL. This vulnerability is due to improper assignment of lookup keys to internal interface contexts. An attacker could exploit this vulnerability by attempting to send traffic through an affected device. A successful exploit could allow the attacker to access resources behind the affected device that were supposed to be protected by a configured ACL. | |||||
| CVE-2024-20263 | 1 Cisco | 170 Cbs250-16p-2g, Cbs250-16p-2g Firmware, Cbs250-16t-2g and 167 more | 2024-11-21 | N/A | 5.8 MEDIUM |
| A vulnerability with the access control list (ACL) management within a stacked switch configuration of Cisco Business 250 Series Smart Switches and Business 350 Series Managed Switches could allow an unauthenticated, remote attacker to bypass protection offered by a configured ACL on an affected device. This vulnerability is due to incorrect processing of ACLs on a stacked configuration when either the primary or backup switches experience a full stack reload or power cycle. An attacker could exploit this vulnerability by sending crafted traffic through an affected device. A successful exploit could allow the attacker to bypass configured ACLs, causing traffic to be dropped or forwarded in an unexpected manner. The attacker does not have control over the conditions that result in the device being in the vulnerable state. Note: In the vulnerable state, the ACL would be correctly applied on the primary devices but could be incorrectly applied to the backup devices. | |||||
| CVE-2024-1439 | 1 Moodle | 1 Moodle | 2024-11-21 | N/A | 6.5 MEDIUM |
| Inadequate access control in Moodle LMS. This vulnerability could allow a local user with a student role to create arbitrary events intended for users with higher roles. It could also allow the attacker to add events to the calendar of all users without their prior consent. | |||||