Total
8067 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-23331 | 2 Microsoft, Vitejs | 2 Windows, Vite | 2024-11-21 | N/A | 7.5 HIGH |
| Vite is a frontend tooling framework for javascript. The Vite dev server option `server.fs.deny` can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems. Since `picomatch` defaults to case-sensitive glob matching, but the file server doesn't discriminate; a blacklist bypass is possible. By requesting raw filesystem paths using augmented casing, the matcher derived from `config.server.fs.deny` fails to block access to sensitive files. This issue has been addressed in vite@5.0.12, vite@4.5.2, vite@3.2.8, and vite@2.9.17. Users are advised to upgrade. Users unable to upgrade should restrict access to dev servers. | |||||
| CVE-2024-22421 | 2 Fedoraproject, Jupyter | 3 Fedora, Jupyterlab, Notebook | 2024-11-21 | N/A | 7.6 HIGH |
| JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook and Architecture. Users of JupyterLab who click on a malicious link may get their `Authorization` and `XSRFToken` tokens exposed to a third party when running an older `jupyter-server` version. JupyterLab versions 4.1.0b2, 4.0.11, and 3.6.7 are patched. No workaround has been identified, however users should ensure to upgrade `jupyter-server` to version 2.7.2 or newer which includes a redirect vulnerability fix. | |||||
| CVE-2024-22331 | 1 Ibm | 2 Devops Deploy, Urbancode Deploy | 2024-11-21 | N/A | 6.2 MEDIUM |
| IBM UrbanCode Deploy (UCD) 7.0 through 7.0.5.19, 7.1 through 7.1.2.15, 7.2 through 7.2.3.8, 7.3 through 7.3.2.3, and IBM UrbanCode Deploy (UCD) - IBM DevOps Deploy 8.0.0.0 could disclose sensitive user information when installing the Windows agent. IBM X-Force ID: 279971. | |||||
| CVE-2024-22301 | 1 Eduva | 1 Albo Pretorio Online | 2024-11-21 | N/A | 5.3 MEDIUM |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Ignazio Scimone Albo Pretorio On line.This issue affects Albo Pretorio On line: from n/a through 4.6.6. | |||||
| CVE-2024-22294 | 1 Ip2location | 1 Country Blocker | 2024-11-21 | N/A | 5.3 MEDIUM |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in IP2Location IP2Location Country Blocker.This issue affects IP2Location Country Blocker: from n/a through 2.33.3. | |||||
| CVE-2024-22154 | 1 Snpdigital | 1 Salesking | 2024-11-21 | N/A | 7.5 HIGH |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in SNP Digital SalesKing.This issue affects SalesKing: from n/a through 1.6.15. | |||||
| CVE-2024-22141 | 1 Cozmoslabs | 1 Profile Builder | 2024-11-21 | N/A | 6.5 MEDIUM |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Cozmoslabs Profile Builder Pro.This issue affects Profile Builder Pro: from n/a through 3.10.0. | |||||
| CVE-2024-22002 | 2024-11-21 | N/A | 7.8 HIGH | ||
| CORSAIR iCUE 5.9.105 with iCUE Murals on Windows allows unprivileged users to insert DLL files in the cuepkg-1.2.6 subdirectory of the installation directory. | |||||
| CVE-2024-21902 | 1 Qnap | 2 Qts, Quts Hero | 2024-11-21 | N/A | 6.4 MEDIUM |
| An incorrect permission assignment for critical resource vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to read or modify the resource via a network. We have already fixed the vulnerability in the following version: QTS 5.1.7.2770 build 20240520 and later QuTS hero h5.1.7.2770 build 20240520 and later | |||||
| CVE-2024-21380 | 1 Microsoft | 1 Dynamics 365 Business Central | 2024-11-21 | N/A | 8.0 HIGH |
| Microsoft Dynamics Business Central/NAV Information Disclosure Vulnerability | |||||
| CVE-2024-21320 | 1 Microsoft | 12 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 9 more | 2024-11-21 | N/A | 6.5 MEDIUM |
| Windows Themes Spoofing Vulnerability | |||||
| CVE-2024-20396 | 2024-11-21 | N/A | 5.3 MEDIUM | ||
| A vulnerability in the protocol handlers of Cisco Webex App could allow an unauthenticated, remote attacker to gain access to sensitive information. This vulnerability exists because the affected application does not safely handle file protocol handlers. An attacker could exploit this vulnerability by persuading a user to follow a link that is designed to cause the application to send requests. If the attacker can observe transmitted traffic in a privileged network position, a successful exploit could allow the attacker to capture sensitive information, including credential information, from the requests. | |||||
| CVE-2024-1979 | 2024-11-21 | N/A | 3.5 LOW | ||
| A vulnerability was found in Quarkus. In certain conditions related to the CI process, git credentials could be inadvertently published, which could put the git repository at risk. | |||||
| CVE-2024-1968 | 2024-11-21 | N/A | 7.5 HIGH | ||
| In scrapy/scrapy, an issue was identified where the Authorization header is not removed during redirects that only change the scheme (e.g., HTTPS to HTTP) but remain within the same domain. This behavior contravenes the Fetch standard, which mandates the removal of Authorization headers in cross-origin requests when the scheme, host, or port changes. Consequently, when a redirect downgrades from HTTPS to HTTP, the Authorization header may be inadvertently exposed in plaintext, leading to potential sensitive information disclosure to unauthorized actors. The flaw is located in the _build_redirect_request function of the redirect middleware. | |||||
| CVE-2024-1662 | 1 Porty | 1 Powerbank | 2024-11-21 | N/A | 7.2 HIGH |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in PORTY Smart Tech Technology Joint Stock Company PowerBank Application allows Retrieve Embedded Sensitive Data.This issue affects PowerBank Application: before 2.02. | |||||
| CVE-2024-1643 | 2024-11-21 | N/A | 9.1 CRITICAL | ||
| By knowing an organization's ID, an attacker can join the organization without permission and gain the ability to read and modify all data within that organization. This vulnerability allows unauthorized access and modification of sensitive information, posing a significant security risk. The flaw is due to insufficient verification of user permissions when joining an organization. | |||||
| CVE-2024-1460 | 2024-11-21 | N/A | 5.6 MEDIUM | ||
| MSI Afterburner v4.6.5.16370 is vulnerable to a Kernel Memory Leak vulnerability by triggering the 0x80002040 IOCTL code of the RTCore64.sys driver. The handle to the driver can only be obtained from a high integrity process. | |||||
| CVE-2024-1435 | 2024-11-21 | N/A | 5.3 MEDIUM | ||
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Tainacan.Org Tainacan.This issue affects Tainacan: from n/a through 0.20.6. | |||||
| CVE-2024-1255 | 1 Sepidz | 1 Sepidzdigitalmenu | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| A vulnerability has been found in sepidz SepidzDigitalMenu up to 7.1.0728.1 and classified as problematic. This vulnerability affects unknown code of the file /Waiters. The manipulation leads to information disclosure. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-252994 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-1139 | 2024-11-21 | N/A | 7.7 HIGH | ||
| A credentials leak vulnerability was found in the cluster monitoring operator in OCP. This issue may allow a remote attacker who has basic login credentials to check the pod manifest to discover a repository pull secret. | |||||