Total
8067 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-5230 | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | ||
| A vulnerability has been found in EnvaySoft FleetCart up to 4.1.1 and classified as problematic. Affected by this vulnerability is an unknown functionality. The manipulation of the argument razorpayKeyId leads to information disclosure. The attack can be launched remotely. It is recommended to upgrade the affected component. The identifier VDB-265981 was assigned to this vulnerability. | |||||
| CVE-2024-5202 | 2024-11-21 | N/A | 7.7 HIGH | ||
| Arbitrary File Read in OpenText Dimensions RM allows authenticated users to read files stored on the server via webservices | |||||
| CVE-2024-5133 | 1 Lunary | 1 Lunary | 2024-11-21 | N/A | 8.1 HIGH |
| In lunary-ai/lunary version 1.2.4, an account takeover vulnerability exists due to the exposure of password recovery tokens in API responses. Specifically, when a user initiates the password reset process, the recovery token is included in the response of the `GET /v1/users/me/org` endpoint, which lists all users in a team. This allows any authenticated user to capture the recovery token of another user and subsequently change that user's password without consent, effectively taking over the account. The issue lies in the inclusion of the `recovery_token` attribute in the users object returned by the API. | |||||
| CVE-2024-5096 | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | ||
| A vulnerability classified as problematic was found in Hipcam Device up to 20240511. This vulnerability affects unknown code of the file /log/wifi.mac of the component MAC Address Handler. The manipulation leads to information disclosure. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-265078 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-5067 | 1 Gitlab | 1 Gitlab | 2024-11-21 | N/A | 4.4 MEDIUM |
| An issue was discovered in GitLab EE affecting all versions starting from 16.11 prior to 17.0.5, starting from 17.1 prior to 17.1.3, and starting from 17.2 prior to 17.2.1 where certain project-level analytics settings could be leaked in DOM to group members with Developer or higher roles. | |||||
| CVE-2024-5059 | 1 Awplife | 1 Event Monster | 2024-11-21 | N/A | 5.3 MEDIUM |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in A WP Life Event Management Tickets Booking.This issue affects Event Management Tickets Booking: from n/a through 1.4.0. | |||||
| CVE-2024-5010 | 1 Progress | 1 Whatsup Gold | 2024-11-21 | N/A | 7.5 HIGH |
| In WhatsUp Gold versions released before 2023.1.3, a vulnerability exists in the TestController functionality. A specially crafted unauthenticated HTTP request can lead to a disclosure of sensitive information. | |||||
| CVE-2024-4596 | 2024-11-21 | 2.6 LOW | 3.7 LOW | ||
| A vulnerability was found in Kimai up to 2.15.0 and classified as problematic. Affected by this issue is some unknown functionality of the component Session Handler. The manipulation of the argument PHPSESSIONID leads to information disclosure. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. Upgrading to version 2.16.0 is able to address this issue. It is recommended to upgrade the affected component. VDB-263318 is the identifier assigned to this vulnerability. | |||||
| CVE-2024-4584 | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | ||
| A vulnerability, which was classified as problematic, has been found in Faraday GM8181 and GM828x up to 20240429. Affected by this issue is some unknown functionality of the file /command_port.ini. The manipulation leads to information disclosure. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-263306 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-4583 | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | ||
| A vulnerability classified as problematic was found in Faraday GM8181 and GM828x up to 20240429. Affected by this vulnerability is an unknown functionality of the component Request Handler. The manipulation leads to information disclosure. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. The identifier VDB-263305 was assigned to this vulnerability. | |||||
| CVE-2024-4540 | 2024-11-21 | N/A | 7.5 HIGH | ||
| A flaw was found in Keycloak in OAuth 2.0 Pushed Authorization Requests (PAR). Client-provided parameters were found to be included in plain text in the KC_RESTART cookie returned by the authorization server's HTTP response to a `request_uri` authorization request, possibly leading to an information disclosure vulnerability. | |||||
| CVE-2024-4300 | 2024-11-21 | N/A | 9.8 CRITICAL | ||
| E-WEBInformationCo. FS-EZViewer(Web) exposes sensitive information in the service. A remote attacker can obtain the database configuration file path through the webpage source code without login. Accessing this path allows attacker to obtain the database credential with the highest privilege and database host IP address. With this information, attackers can connect to the database and perform actions such as adding, modifying, or deleting database contents. | |||||
| CVE-2024-4220 | 1 Beyondtrust | 1 Beyondinsight | 2024-11-21 | N/A | 4.3 MEDIUM |
| Prior to 23.1, an information disclosure vulnerability exists within BeyondInsight which can allow an attacker to enumerate usernames. | |||||
| CVE-2024-4022 | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | ||
| A vulnerability was found in Keenetic KN-1010, KN-1410, KN-1711, KN-1810 and KN-1910 up to 4.1.2.15. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /version.js of the component Version Data Handler. The manipulation leads to information disclosure. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-261674 is the identifier assigned to this vulnerability. NOTE: The vendor is aware of this issue and plans to fix it by the end of 2024. | |||||
| CVE-2024-4021 | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM | ||
| A vulnerability was found in Keenetic KN-1010, KN-1410, KN-1711, KN-1810 and KN-1910 up to 4.1.2.15. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /ndmComponents.js of the component Configuration Setting Handler. The manipulation leads to information disclosure. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-261673 was assigned to this vulnerability. NOTE: The vendor is aware of this issue and plans to fix it by the end of 2024. | |||||
| CVE-2024-4008 | 1 Abb | 10 2tma310010b0001, 2tma310010b0001 Firmware, 2tma310010b0003 and 7 more | 2024-11-21 | N/A | 9.6 CRITICAL |
| FDSK Leak in ABB, Busch-Jaeger, FTS Display (version 1.00) and BCU (version 1.3.0.33) allows attacker to take control via access to local KNX Bus-System | |||||
| CVE-2024-43801 | 1 Jellyfin | 1 Jellyfin | 2024-11-21 | N/A | 4.6 MEDIUM |
| Jellyfin is an open source self hosted media server. The Jellyfin user profile image upload accepts SVG files, allowing for a stored XSS attack against an admin user via a specially crafted malicious SVG file. When viewed by an admin outside of the Jellyfin Web UI (e.g. via "view image" in a browser), this malicious SVG file could interact with the browser's LocalStorage and retrieve an AccessToken, which in turn can be used in an API call to elevate the target user to a Jellyfin administrator. The actual attack vector is unlikely to be exploited, as it requires specific actions by the administrator to view the SVG image outside of Jellyfin's WebUI, i.e. it is not a passive attack. The underlying exploit mechanism is solved by PR #12490, which forces attached images (including the potential malicious SVG) to be treated as attachments and thus downloaded by browsers, rather than viewed. This prevents exploitation of the LocalStorage of the browser. This PR has been merged and the relevant code changes are included in release version 10.9.10. All users are advised to upgrade. | |||||
| CVE-2024-42049 | 2024-11-21 | N/A | 9.1 CRITICAL | ||
| TightVNC (Server for Windows) before 2.8.84 allows attackers to connect to the control pipe via a network connection. | |||||
| CVE-2024-41701 | 2024-11-21 | N/A | 5.3 MEDIUM | ||
| AccuPOS - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor | |||||
| CVE-2024-41696 | 2024-11-21 | N/A | 7.5 HIGH | ||
| Priority PRI WEB Portal Add-On for Priority ERP on prem - CWE-200: Exposure of Sensitive Information to an Unauthorized Actor | |||||