Total
2621 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-37882 | 1 Nextcloud | 1 Nextcloud Server | 2024-11-21 | N/A | 8.1 HIGH |
| Nextcloud Server is a self hosted personal cloud system. A recipient of a share with read&share permissions could reshare the item with more permissions. It is recommended that the Nextcloud Server is upgraded to 26.0.13 or 27.1.8 or 28.0.4 and that the Nextcloud Enterprise Server is upgraded to 26.0.13 or 27.1.8 or 28.0.4. | |||||
| CVE-2024-37742 | 2024-11-21 | N/A | 8.2 HIGH | ||
| Insecure Access Control in Safe Exam Browser (SEB) = 3.5.0 on Windows. The vulnerability allows an attacker to share clipboard data between the SEB kiosk mode and the underlying system, compromising exam integrity. By exploiting this flaw, an attacker can bypass exam controls and gain an unfair advantage during exams. | |||||
| CVE-2024-37677 | 1 Access Management Specialist Project | 1 Access Management Specialist | 2024-11-21 | N/A | 7.5 HIGH |
| An issue in Shenzhen Weitillage Industrial Co., Ltd the access management specialist V6.62.51215 allows a remote attacker to obtain sensitive information. | |||||
| CVE-2024-37568 | 1 Authlib | 1 Authlib | 2024-11-21 | N/A | 7.5 HIGH |
| lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key. (This is similar to CVE-2022-29217 and CVE-2024-33663.) | |||||
| CVE-2024-37386 | 2024-11-21 | N/A | 4.2 MEDIUM | ||
| An issue was discovered in Stormshield Network Security (SNS) 4.0.0 through 4.3.25, 4.4.0 through 4.7.5, and 4.8.0. Certain manipulations allow restarting in single-user mode despite the activation of secure boot. The following versions fix this: 4.3.27, 4.7.6, and 4.8.2. | |||||
| CVE-2024-37317 | 1 Nextcloud | 1 Notes | 2024-11-21 | N/A | 4.6 MEDIUM |
| The Nextcloud Notes app is a distraction free notes taking app for Nextcloud. If an attacker managed to share a folder called `Notes/` with a newly created user before they logged in, the Notes app would use that folder store the personal notes. It is recommended that the Nextcloud Notes app is upgraded to 4.9.3. | |||||
| CVE-2024-37315 | 1 Nextcloud | 1 Nextcloud Server | 2024-11-21 | N/A | 3.5 LOW |
| Nextcloud Server is a self hosted personal cloud system. An attacker with read-only access to a file is able to restore older versions of a document when the files_versions app is enabled. It is recommended that the Nextcloud Server is upgraded to 26.0.12, 27.1.7 or 28.0.3 and that the Nextcloud Enterprise Server is upgraded to 23.0.12.16, 24.0.12.12, 25.0.13.6, 26.0.12, 27.1.7 or 28.0.3. | |||||
| CVE-2024-37314 | 1 Nextcloud | 1 Nextcloud Server | 2024-11-21 | N/A | 3.5 LOW |
| Nextcloud Photos is a photo management app. Users can remove photos from the album of registered users. It is recommended that the Nextcloud Server is upgraded to 25.0.7 or 26.0.2 and the Nextcloud Enterprise Server is upgraded to 25.0.7 or 26.0.2. | |||||
| CVE-2024-37312 | 2024-11-21 | N/A | 6.3 MEDIUM | ||
| user_oidc app is an OpenID Connect user backend for Nextcloud. Missing access control on the ID4me endpoint allows an attacker to register an account eventually getting access to data that is available to all registered users. It is recommended that the OpenID Connect user backend is upgraded to 3.0.0 (Nextcloud 20-23), 4.0.0 (Nexcloud 24) or 5.0.0 (Nextcloud 25-28). | |||||
| CVE-2024-36989 | 1 Splunk | 2 Cloud, Splunk | 2024-11-21 | N/A | 7.1 HIGH |
| In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.1.2312.200, a low-privileged user that does not hold the admin or power Splunk roles could create notifications in Splunk Web Bulletin Messages that all users on the instance receive. | |||||
| CVE-2024-36537 | 2024-11-21 | N/A | 7.2 HIGH | ||
| Insecure permissions in cert-manager v1.14.4 allows attackers to access sensitive data and escalate privileges by obtaining the service account's token. | |||||
| CVE-2024-36535 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
| Insecure permissions in meshery v0.7.51 allows attackers to access sensitive data and escalate privileges by obtaining the service account's token. | |||||
| CVE-2024-36443 | 2024-11-21 | N/A | 7.6 HIGH | ||
| Swissphone DiCal-RED 4009 devices allow a remote attacker to gain read access to almost the whole file system via anonymous FTP. | |||||
| CVE-2024-36441 | 2024-11-21 | N/A | 5.4 MEDIUM | ||
| Swissphone DiCal-RED 4009 devices allow an unauthenticated attacker use a port-2101 TCP connection to gain access to operation messages that are received by the device. | |||||
| CVE-2024-36438 | 2024-11-21 | N/A | 7.3 HIGH | ||
| eLinkSmart Hidden Smart Cabinet Lock 2024-05-22 has Incorrect Access Control and fails to perform an authorization check which can lead to card duplication and other attacks. | |||||
| CVE-2024-36399 | 1 Kanboard | 1 Kanboard | 2024-11-21 | N/A | 8.2 HIGH |
| Kanboard is project management software that focuses on the Kanban methodology. The vuln is in app/Controller/ProjectPermissionController.php function addUser(). The users permission to add users to a project only get checked on the URL parameter project_id. If the user is authorized to add users to this project the request gets processed. The users permission for the POST BODY parameter project_id does not get checked again while processing. An attacker with the 'Project Manager' on a single project may take over any other project. The vulnerability is fixed in 1.2.37. | |||||
| CVE-2024-36257 | 1 Mattermost | 1 Mattermost | 2024-11-21 | N/A | 2.7 LOW |
| Mattermost versions 9.5.x <= 9.5.5 and 9.8.0, when using shared channels with multiple remote servers connected, fail to check that the remote server A requesting the server B to update the profile picture of a user is the remote that actually has the user as a local one . This allows a malicious remote A to change the profile images of users that belong to another remote server C that is connected to the server A. | |||||
| CVE-2024-36241 | 2024-11-21 | N/A | 3.1 LOW | ||
| Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to enforce proper access controls which allows user to view arbitrary post contents via the /playbook add slash command | |||||
| CVE-2024-36080 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
| Westermo EDW-100 devices through 2024-05-03 have a hidden root user account with a hardcoded password that cannot be changed. NOTE: this is a serial-to-Ethernet converter that should not be placed at the edge of the network. | |||||
| CVE-2024-35433 | 2024-11-21 | N/A | 8.1 HIGH | ||
| ZKTeco ZKBio CVSecurity 6.1.1 is vulnerable to Incorrect Access Control. An authenticated user, without the permissions of managing users, can create a new admin user. | |||||