Total: 3944 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2024-37897 | | | 2024-11-21 | N/A | 5.4 MEDIUM | SFTPGo is a full-featured and highly configurable SFTP, HTTP/S, FTP/S and WebDAV server (S3, Google Cloud Storage, Azure Blob). SFTPGo WebAdmin and WebClient support password reset. This feature is disabled in the default configuration. In SFTPGo versions prior to v2.6.1, if the feature is enabled, even users with access restrictions (e.g. expired) can reset their password and log in. Users are advised to upgrade to version 2.6.1. Users unable to upgrade may keep the password reset feature disabled or set a blank email address for users and admins with access restrictions so they cannot receive the email with the reset code and exploit the vulnerability. |
| CVE-2024-37893 | | | 2024-11-21 | N/A | 5.9 MEDIUM | Firefly III is a free and open source personal finance manager. In affected versions an MFA bypass in the Firefly III OAuth flow may allow malicious users to bypass the MFA check. This allows malicious users to use password spraying to gain access to Firefly III data using passwords stolen from other sources. As OAuth applications are easily enumerable using an incrementing id, an attacker could try to sign an OAuth application up to a user's profile quite easily if they have created one. The attacker would also need to know the victim's username and password. This problem has been patched in Firefly III v6.1.17 and up. Users are advised to upgrade. Users unable to upgrade should use a unique password for their Firefly III instance and store their password securely, i.e. in a password manager. |
| CVE-2024-37408 | | | 2024-11-21 | N/A | 7.3 HIGH | fprintd through 1.94.3 lacks a security attention mechanism, and thus unexpected actions might be authorized by "auth sufficient pam_fprintd.so" for Sudo. NOTE: the supplier disputes this because they believe issue resolution would involve modifying the PAM configuration to restrict pam_fprintd.so to front-ends that implement a proper attention mechanism, not modifying pam_fprintd.so or fprintd. |
| CVE-2024-37367 | 1 Rockwellautomation | 1 Factorytalk View | 2024-11-21 | N/A | 7.5 HIGH | A user authentication vulnerability exists in the Rockwell Automation FactoryTalk® View SE v12. The vulnerability allows a user from a remote system with FTView to send a packet to the customer's server to view an HMI project. This action is allowed without proper authentication verification. |
| CVE-2024-37233 | | | 2024-11-21 | N/A | 4.3 MEDIUM | Improper Authentication vulnerability in Play.Ht allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Play.Ht: from n/a through 3.6.4. |
| CVE-2024-37152 | 1 Argoproj | 1 Argo Cd | 2024-11-21 | N/A | 5.3 MEDIUM | Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The vulnerability allows unauthorized access to the sensitive settings exposed by the /api/v1/settings endpoint without authentication. All sensitive settings are hidden except passwordPattern. This vulnerability is fixed in 2.11.3, 2.10.12, and 2.9.17. |
| CVE-2024-37019 | | | 2024-11-21 | N/A | 9.8 CRITICAL | Northern.tech Mender Enterprise before 3.6.4 and 3.7.x before 3.7.4 has Weak Authentication. |
| CVE-2024-36444 | | | 2024-11-21 | N/A | 8.1 HIGH | cgi-bin/fdmcgiwebv2.cgi on Swissphone DiCal-RED 4009 devices allows an unauthenticated attacker to gain access to device logs. |
| CVE-2024-35670 | 1 Softlabbd | 1 Integrate Google Drive | 2024-11-21 | N/A | 5.3 MEDIUM | Broken Authentication vulnerability in SoftLab Integrate Google Drive. This issue affects Integrate Google Drive: from n/a through 1.3.93. |
| CVE-2024-35248 | 1 Microsoft | 1 Dynamics 365 Business Central | 2024-11-21 | N/A | 7.3 HIGH | Microsoft Dynamics 365 Business Central Elevation of Privilege Vulnerability |
| CVE-2024-35184 | | | 2024-11-21 | N/A | 5.5 MEDIUM | Paperless-ngx is a document management system that transforms physical documents into a searchable online archive. Starting in version 2.5.0 and prior to version 2.8.6, remote user authentication allows API access even if API access is explicitly disabled. Version 2.8.6 contains a patch for the issue. |
| CVE-2024-34596 | 1 Samsung | 1 Smartthings | 2024-11-21 | N/A | 5.9 MEDIUM | Improper authentication in SmartThings prior to version 1.8.17 allows remote attackers to bypass the expiration date for members set by the owner. |
| CVE-2024-34103 | 1 Adobe | 3 Commerce, Commerce Webhooks, Magento | 2024-11-21 | N/A | 8.1 HIGH | Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Authentication vulnerability that could result in privilege escalation. An attacker could exploit this vulnerability to gain unauthorized access or elevated privileges within the application. Exploitation of this issue does not require user interaction, but attack complexity is high. |
| CVE-2024-30299 | 1 Adobe | 1 Framemaker Publishing Server | 2024-11-21 | N/A | 10.0 CRITICAL | Adobe Framemaker Publishing Server versions 2020.3, 2022.2 and earlier are affected by an Improper Authentication vulnerability that could result in privilege escalation. An attacker could exploit this vulnerability to gain unauthorized access or elevated privileges within the application. Exploitation of this issue does not require user interaction. |
| CVE-2024-28992 | 1 Solarwinds | 1 Access Rights Manager | 2024-11-21 | N/A | 7.6 HIGH | The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability. This vulnerability allows an unauthenticated user to perform arbitrary file deletion and leak sensitive information. |
| CVE-2024-28200 | 1 N-able | 1 N-central | 2024-11-21 | N/A | 9.1 CRITICAL | The N-central server is vulnerable to an authentication bypass of the user interface. This vulnerability is present in all deployments of N-central prior to 2024.2. This vulnerability was discovered through internal N-central source code review and N-able has not observed any exploitation in the wild. |
| CVE-2024-28188 | | | 2024-11-21 | N/A | 5.3 MEDIUM | Jupyter Scheduler is a collection of extensions for programming jobs to run now or on a schedule. The list of conda environments of `jupyter-scheduler` users may be exposed, potentially revealing information about projects that a specific user may be working on. This vulnerability has been patched in versions 1.1.6, 1.2.1, 1.8.2 and 2.5.2. |
| CVE-2024-26331 | | | 2024-11-21 | N/A | 7.5 HIGH | ReCrystallize Server 5.10.0.0 uses an authorization mechanism that relies on the value of a cookie, but it does not bind the cookie value to a session ID. Attackers can easily modify the cookie value, within a browser or by implementing client-side code outside of a browser. Attackers can bypass the authentication mechanism by modifying the cookie to contain an expected value. |
| CVE-2024-25313 | 1 Code-projects | 1 Simple School Management System | 2024-11-21 | N/A | 8.8 HIGH | Code-projects Simple School Management System 1.0 allows Authentication Bypass via the username and password parameters at School/teacher_login.php. |
| CVE-2024-25106 | 1 Openobserve | 1 Openobserve | 2024-11-21 | N/A | 9.1 CRITICAL | OpenObserve is an observability platform built specifically for logs, metrics, traces and analytics, designed to work at petabyte scale. A critical vulnerability has been identified in the "/api/{org_id}/users/{email_id}" endpoint. This vulnerability allows any authenticated user within an organization to remove any other user from that same organization, irrespective of their respective roles. This includes the ability to remove users with "Admin" and "Root" roles. By enabling any organizational member to unilaterally alter the user base, it opens the door to unauthorized access and can cause considerable disruptions in operations. The core of the vulnerability lies in the `remove_user_from_org` function in the user management system. This function is designed to allow organizational users to remove members from their organization. The function does not check if the user initiating the request has the appropriate administrative privileges to remove a user. Any user who is part of the organization, irrespective of their role, can remove any other user, including those with higher privileges. This vulnerability is categorized as an Authorization issue leading to Unauthorized User Removal. The impact is severe, as it compromises the integrity of user management within organizations. By exploiting this vulnerability, any user within an organization, without the need for administrative privileges, can remove critical users, including "Admin" and "Root" users. This could result in unauthorized system access, administrative lockout, or operational disruptions. Given that user accounts are typically created by "Admin" or "Root" users, this vulnerability can be exploited by any user who has been granted access to an organization, thereby posing a critical risk to the security and operational stability of the application. This issue has been addressed in release version 0.8.0. Users are advised to upgrade. |
