Total
3617 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2024-23767 | | | 2024-11-21 | N/A | 8.8 HIGH |
An issue was discovered on HMS Anybus X-Gateway AB7832-F firmware version 3. The HICP protocol allows unauthenticated changes to a device's network configurations. | |||||
CVE-2024-23647 | 1 Goauthentik | 1 Authentik | 2024-11-21 | N/A | 6.5 MEDIUM |
Authentik is an open-source Identity Provider. There is a bug in our implementation of PKCE that allows an attacker to circumvent the protection that PKCE offers. PKCE adds the code_challenge parameter to the authorization request and adds the code_verifier parameter to the token request. Prior to 2023.8.7 and 2023.10.7, a downgrade scenario is possible: if the attacker removes the code_challenge parameter from the authorization request, authentik will not do the PKCE check. Because of this bug, an attacker can circumvent the protection PKCE offers, such as CSRF attacks and code injection attacks. Versions 2023.8.7 and 2023.10.7 fix the issue. | |||||
CVE-2024-23637 | 1 Octoprint | 1 Octoprint | 2024-11-21 | N/A | 4.2 MEDIUM |
OctoPrint is a web interface for 3D printers. OctoPrint versions up until and including 1.9.3 contain a vulnerability that allows malicious admins to change the password of other admin accounts, including their own, without having to repeat their password. An attacker who managed to hijack an admin account might use this to lock out actual admins from their OctoPrint instance. The vulnerability will be patched in version 1.10.0. | |||||
CVE-2024-23629 | 1 Motorola | 2 Mr2600, Mr2600 Firmware | 2024-11-21 | 7.8 HIGH | 9.6 CRITICAL |
An authentication bypass vulnerability exists in the web component of the Motorola MR2600. An attacker can exploit this vulnerability to access protected URLs and retrieve sensitive information. | |||||
CVE-2024-23471 | 1 Solarwinds | 1 Access Rights Manager | 2024-11-21 | N/A | 9.6 CRITICAL |
The SolarWinds Access Rights Manager was found to be susceptible to a Remote Code Execution Vulnerability. If exploited, this vulnerability allows an authenticated user to abuse a SolarWinds service resulting in remote code execution. | |||||
CVE-2024-23470 | 1 Solarwinds | 1 Access Rights Manager | 2024-11-21 | N/A | 9.6 CRITICAL |
The SolarWinds Access Rights Manager was found to be susceptible to a pre-authentication remote code execution vulnerability. If exploited, this vulnerability allows an unauthenticated user to run commands and executables. | |||||
CVE-2024-23465 | 1 Solarwinds | 1 Access Rights Manager | 2024-11-21 | N/A | 8.3 HIGH |
The SolarWinds Access Rights Manager was found to be susceptible to an authentication bypass vulnerability. This vulnerability allows an unauthenticated user to gain domain admin access within the Active Directory environment. | |||||
CVE-2024-23251 | 1 Apple | 4 Ipados, Iphone Os, Macos and 1 more | 2024-11-21 | N/A | 4.6 MEDIUM |
An authentication issue was addressed with improved state management. This issue is fixed in macOS Sonoma 14.5, watchOS 10.5, iOS 17.5 and iPadOS 17.5, iOS 16.7.8 and iPadOS 16.7.8. An attacker with physical access may be able to leak Mail account credentials. | |||||
CVE-2024-22442 | 1 Hp | 2 3par Service Processor, 3par Service Processor Firmware | 2024-11-21 | N/A | 9.8 CRITICAL |
The vulnerability could be remotely exploited to bypass authentication. | |||||
CVE-2024-22394 | 1 Sonicwall | 22 Nsa 2700, Nsa 3700, Nsa 4700 and 19 more | 2024-11-21 | N/A | 9.8 CRITICAL |
An improper authentication vulnerability has been identified in SonicWall SonicOS SSL-VPN feature, which in specific conditions could allow a remote attacker to bypass authentication. This issue affects only firmware version SonicOS 7.1.1-7040. | |||||
CVE-2024-22247 | | | 2024-11-21 | N/A | 4.8 MEDIUM |
VMware SD-WAN Edge contains a missing authentication and protection mechanism vulnerability. A malicious actor with physical access to the SD-WAN Edge appliance during activation can potentially exploit this vulnerability to access the BIOS configuration. In addition, the malicious actor may be able to exploit the default boot priority configured. | |||||
CVE-2024-22245 | | | 2024-11-21 | N/A | 9.6 CRITICAL |
Arbitrary Authentication Relay and Session Hijack vulnerabilities in the deprecated VMware Enhanced Authentication Plug-in (EAP) could allow a malicious actor that could trick a target domain user with EAP installed in their web browser into requesting and relaying service tickets for arbitrary Active Directory Service Principal Names (SPNs). | |||||
CVE-2024-22206 | 1 Clerk | 1 Javascript | 2024-11-21 | N/A | 9.0 CRITICAL |
Clerk helps developers build user management. Unauthorized access or privilege escalation due to a logic flaw in auth() in the App Router or getAuth() in the Pages Router. This vulnerability was patched in version 4.29.3. | |||||
CVE-2024-21899 | 1 Qnap | 3 Qts, Quts Hero, Qutscloud | 2024-11-21 | N/A | 9.8 CRITICAL |
An improper authentication vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to compromise the security of the system via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.3.2578 build 20231110 and later; QTS 4.5.4.2627 build 20231225 and later; QuTS hero h5.1.3.2578 build 20231110 and later; QuTS hero h4.5.4.2626 build 20231225 and later; QuTScloud c5.1.5.2651 and later. | |||||
CVE-2024-21654 | 1 Rubygems | 1 Rubygems.org | 2024-11-21 | N/A | 4.8 MEDIUM |
Rubygems.org is the Ruby community's gem hosting service. Rubygems.org users with MFA enabled would normally be protected from account takeover in the case of email account takeover. However, a workaround on the forgotten password form allows an attacker to bypass the MFA requirement and take over the account. This vulnerability has been patched in commit 0b3272a. | |||||
CVE-2024-21638 | 1 Microsoft | 1 Azure Ipam | 2024-11-21 | N/A | 9.1 CRITICAL |
Azure IPAM (IP Address Management) is a lightweight solution developed on top of the Azure platform designed to help Azure customers manage their IP Address space easily and effectively. By design there is no write access to customers' Azure environments as the Service Principal used is only assigned the Reader role at the root Management Group level. Until recently, the solution lacked validation of the passed-in authentication token, which may result in an attacker impersonating any privileged user to access data stored within the IPAM instance and subsequently from Azure, causing an elevation of privilege. This vulnerability has been patched in version 3.0.0. | |||||
CVE-2024-21632 | 1 Recognizeapp | 1 Omniauth\ | 2024-11-21 | N/A | 8.6 HIGH |
omniauth-microsoft_graph provides an Omniauth strategy for the Microsoft Graph API. Prior to version 2.0.0, the implementation did not validate the legitimacy of the `email` attribute of the user nor did it give/document an option to do so, making it susceptible to nOAuth misconfiguration in cases when the `email` is used as a trusted user identifier. This could lead to account takeover. Version 2.0.0 contains a fix for this issue. | |||||
CVE-2024-21390 | 1 Microsoft | 1 Authenticator | 2024-11-21 | N/A | 7.1 HIGH |
Microsoft Authenticator Elevation of Privilege Vulnerability | |||||
CVE-2024-20900 | 1 Samsung | 1 Android | 2024-11-21 | N/A | 4.0 MEDIUM |
Improper authentication in MTP application prior to SMR Jul-2024 Release 1 allows local attackers to enter MTP mode without proper authentication. | |||||
CVE-2024-20890 | 1 Samsung | 1 Android | 2024-11-21 | N/A | 5.3 MEDIUM |
Improper input validation in BLE prior to SMR Jul-2024 Release 1 allows adjacent attackers to trigger abnormal behavior. |