Total
4205 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-24830 | 1 Openobserve | 1 Openobserve | 2026-06-17 | N/A | 9.9 CRITICAL |
| OpenObserve is a observability platform built specifically for logs, metrics, traces, analytics, designed to work at petabyte scale. A vulnerability has been identified in the "/api/{org_id}/users" endpoint. This vulnerability allows any authenticated regular user ('member') to add new users with elevated privileges, including the 'root' role, to an organization. This issue circumvents the intended security controls for role assignments. The vulnerability resides in the user creation process, where the payload does not validate the user roles. A regular user can manipulate the payload to assign root-level privileges. This vulnerability leads to Unauthorized Privilege Escalation and significantly compromises the application's role-based access control system. It allows unauthorized control over application resources and poses a risk to data security. All users, particularly those in administrative roles, are impacted. This issue has been addressed in release version 0.8.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2024-24771 | 1 Maykinmedia | 1 Open Forms | 2026-06-17 | N/A | 7.7 HIGH |
| Open Forms allows users create and publish smart forms. Versions prior to 2.2.9, 2.3.7, 2.4.5, and 2.5.2 contain a non-exploitable multi-factor authentication weakness. Superusers who have their credentials (username + password) compromised could potentially have the second-factor authentication bypassed if an attacker somehow managed to authenticate to Open Forms. The maintainers of Open Forms do not believe it is or has been possible to perform this login. However, if this were possible, the victim's account may be abused to view (potentially sensitive) submission data or have been used to impersonate other staff accounts to view and/or modify data. Three mitigating factors to help prevent exploitation include: the usual login page (at `/admin/login/`) does not fully log in the user until the second factor was succesfully provided; the additional non-MFA protected login page at `/api/v2/api-authlogin/` was misconfigured and could not be used to log in; and there are no additional ways to log in. This also requires credentials of a superuser to be compromised to be exploitable. Versions 2.2.9, 2.3.7, 2.4.5, and 2.5.2 contain the following patches to address these weaknesses: Move and only enable the API auth endpoints (`/api/v2/api-auth/login/`) with `settings.DEBUG = True`. `settings.DEBUG = True` is insecure and should never be applied in production settings. Additionally, apply a custom permission check to the hijack flow to only allow second-factor-verified superusers to perform user hijacking. | |||||
| CVE-2024-24592 | 1 Clear | 1 Clearml | 2026-06-17 | N/A | 9.8 CRITICAL |
| Lack of authentication in all versions of the fileserver component of Allegro AI’s ClearML platform allows a remote attacker to arbitrarily access, create, modify and delete files. | |||||
| CVE-2024-24554 | 1 Bludit | 1 Bludit | 2026-06-17 | N/A | 8.2 HIGH |
| Bludit uses predictable methods in combination with the MD5 hashing algorithm to generate sensitive tokens such as the API token and the user token. This allows attackers to authenticate against the Bludit API. | |||||
| CVE-2024-24496 | 1 Remyandrade | 1 Daily Habit Tracker | 2026-06-17 | N/A | 9.8 CRITICAL |
| An issue in Daily Habit Tracker v.1.0 allows a remote attacker to manipulate trackers via the home.php, add-tracker.php, delete-tracker.php, update-tracker.php components. | |||||
| CVE-2024-24279 | 1 Secdiskapp | 1 Secdiskapp | 2026-06-17 | N/A | 8.8 HIGH |
| An issue in secdiskapp 1.5.1 (management program for NewQ Fingerprint Encryption Super Speed Flash Disk) allows attackers to gain escalated privileges via vsVerifyPassword and vsSetFingerPrintPower functions. | |||||
| CVE-2024-23813 | 1 Siemens | 1 Polarion Alm | 2026-06-17 | N/A | 7.3 HIGH |
| A vulnerability has been identified in Polarion ALM (All versions < V2404.0). The REST API endpoints of doorsconnector of the affected product lacks proper authentication. An unauthenticated attacker could access the endpoints, and potentially execute code. | |||||
| CVE-2024-23806 | 1 Hidglobal | 4 Iclass Se Reader Configuration Cards, Iclass Se Reader Configuration Cards Firmware, Omnikey Secure Elements Reader Configuration Cards and 1 more | 2026-06-17 | N/A | 5.3 MEDIUM |
| Sensitive data can be extracted from HID iCLASS SE reader configuration cards. This could include credential and device administrator keys. | |||||
| CVE-2024-23792 | 1 Otrs | 1 Otrs | 2026-06-17 | N/A | 5.3 MEDIUM |
| When adding attachments to ticket comments, another user can add attachments as well impersonating the orginal user. The attack requires a logged-in other user to know the UUID. While the legitimate user completes the comment, the malicious user can add more files to the comment. This issue affects OTRS: from 7.0.X through 7.0.48, from 8.0.X through 8.0.37, from 2023.X through 2023.1.1. | |||||
| CVE-2024-23767 | 2026-06-17 | N/A | 8.8 HIGH | ||
| An issue was discovered on HMS Anybus X-Gateway AB7832-F firmware version 3. The HICP protocol allows unauthenticated changes to a device's network configurations. | |||||
| CVE-2024-23647 | 1 Goauthentik | 1 Authentik | 2026-06-17 | N/A | 6.5 MEDIUM |
| Authentik is an open-source Identity Provider. There is a bug in our implementation of PKCE that allows an attacker to circumvent the protection that PKCE offers. PKCE adds the code_challenge parameter to the authorization request and adds the code_verifier parameter to the token request. Prior to 2023.8.7 and 2023.10.7, a downgrade scenario is possible: if the attacker removes the code_challenge parameter from the authorization request, authentik will not do the PKCE check. Because of this bug, an attacker can circumvent the protection PKCE offers, such as CSRF attacks and code injection attacks. Versions 2023.8.7 and 2023.10.7 fix the issue. | |||||
| CVE-2024-23637 | 1 Octoprint | 1 Octoprint | 2026-06-17 | N/A | 4.2 MEDIUM |
| OctoPrint is a web interface for 3D printer.s OctoPrint versions up until and including 1.9.3 contain a vulnerability that allows malicious admins to change the password of other admin accounts, including their own, without having to repeat their password. An attacker who managed to hijack an admin account might use this to lock out actual admins from their OctoPrint instance. The vulnerability will be patched in version 1.10.0. | |||||
| CVE-2024-23629 | 1 Motorola | 2 Mr2600, Mr2600 Firmware | 2026-06-17 | 7.8 HIGH | 9.6 CRITICAL |
| An authentication bypass vulnerability exists in the web component of the Motorola MR2600. An attacker can exploit this vulnerability to access protected URLs and retrieve sensitive information. | |||||
| CVE-2024-23471 | 1 Solarwinds | 1 Access Rights Manager | 2026-06-17 | N/A | 9.6 CRITICAL |
| The SolarWinds Access Rights Manager was found to be susceptible to a Remote Code Execution Vulnerability. If exploited, this vulnerability allows an authenticated user to abuse a SolarWinds service resulting in remote code execution. | |||||
| CVE-2024-23470 | 1 Solarwinds | 1 Access Rights Manager | 2026-06-17 | N/A | 9.6 CRITICAL |
| The SolarWinds Access Rights Manager was found to be susceptible to a pre-authentication remote code execution vulnerability. If exploited, this vulnerability allows an unauthenticated user to run commands and executables. | |||||
| CVE-2024-23465 | 1 Solarwinds | 1 Access Rights Manager | 2026-06-17 | N/A | 8.3 HIGH |
| The SolarWinds Access Rights Manager was found to be susceptible to an authentication bypass vulnerability. This vulnerability allows an unauthenticated user to gain domain admin access within the Active Directory environment. | |||||
| CVE-2024-23255 | 1 Apple | 3 Ipad Os, Iphone Os, Macos | 2026-06-17 | N/A | 2.4 LOW |
| An authentication issue was addressed with improved state management. This issue is fixed in iOS 17.4 and iPadOS 17.4, macOS Sonoma 14.4. Photos in the Hidden Photos Album may be viewed without authentication. | |||||
| CVE-2024-23251 | 1 Apple | 4 Ipados, Iphone Os, Macos and 1 more | 2026-06-17 | N/A | 4.6 MEDIUM |
| An authentication issue was addressed with improved state management. This issue is fixed in iOS 16.7.8 and iPadOS 16.7.8, iOS 17.5 and iPadOS 17.5, macOS Sonoma 14.5, watchOS 10.5. An attacker with physical access may be able to leak Mail account credentials. | |||||
| CVE-2024-23219 | 1 Apple | 2 Ipados, Iphone Os | 2026-06-17 | N/A | 6.2 MEDIUM |
| The issue was addressed with improved authentication. This issue is fixed in iOS 17.3 and iPadOS 17.3. Stolen Device Protection may be unexpectedly disabled. | |||||
| CVE-2024-22442 | 1 Hp | 2 3par Service Processor, 3par Service Processor Firmware | 2026-06-17 | N/A | 9.8 CRITICAL |
| The vulnerability could be remotely exploited to bypass authentication. | |||||
