Total: 2287 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2024-45229 | | | 2026-06-17 | N/A | 6.6 MEDIUM | The Versa Director offers REST APIs for orchestration and management. By design, certain APIs, such as the login screen, banner display, and device registration, do not require authentication. However, it was discovered that for Directors directly connected to the Internet, one of these APIs can be exploited by injecting invalid arguments into a GET request, potentially exposing the authentication tokens of other currently logged-in users. These tokens can then be used to invoke additional APIs on port 9183. This exploit does not disclose any username or password information. Currently, there are no workarounds in Versa Director. However, if there is a Web Application Firewall (WAF) or API Gateway fronting the Versa Director, it can be used to block access to the URLs of the vulnerable API: /vnms/devicereg/device/* (on ports 9182 & 9183) and /versa/vnms/devicereg/device/* (on port 443). Versa recommends that Directors be upgraded to one of the remediated software versions. This vulnerability is not exploitable on Versa Directors not exposed to the Internet. We have validated that no Versa-hosted head ends have been affected by this vulnerability. Please contact Versa Technical Support or the Versa account team for any further assistance. |
| CVE-2024-45075 | 1 Ibm | 1 Webmethods Integration | 2026-06-17 | N/A | 8.8 HIGH | IBM webMethods Integration 10.15 could allow an authenticated user to create scheduler tasks that would allow them to escalate their privileges to administrator due to missing authentication. |
| CVE-2024-45049 | 1 Nixos | 1 Hydra | 2026-06-17 | N/A | 7.5 HIGH | Hydra is a Continuous Integration service for Nix-based projects. It is possible to trigger evaluations in Hydra without any authentication. Depending on the size of evaluations, this can impact the availability of systems. The problem can be fixed by applying https://github.com/NixOS/hydra/commit/f73043378907c2c7e44f633ad764c8bdd1c947d5 to any Hydra package. Users are advised to upgrade. Users unable to upgrade should deny the `/api/push` route in a reverse proxy. This also breaks the "Evaluate jobset" button in the frontend. |
| CVE-2024-43798 | | | 2026-06-17 | N/A | 8.6 HIGH | Chisel is a fast TCP/UDP tunnel, transported over HTTP, secured via SSH. The Chisel server never reads the documented `AUTH` environment variable used to set credentials, which allows any unauthenticated user to connect, even if credentials were set. Anyone running the Chisel server that is using the `AUTH` environment variable to specify credentials to authenticate against is affected by this vulnerability. Chisel is often used to provide an entrypoint to a private network, which means services that are gated by Chisel may be affected. Additionally, Chisel is often used for exposing services to the internet. An attacker could MITM requests by connecting to a Chisel server and requesting to forward traffic from a remote port. This issue has been addressed in release version 1.10.0. All users are advised to upgrade. There are no known workarounds for this vulnerability. |
| CVE-2024-43488 | 1 Microsoft | 1 Visual Studio Code | 2026-06-17 | N/A | 8.8 HIGH | Missing authentication for a critical function in the Visual Studio Code extension for Arduino allows an unauthenticated attacker to perform remote code execution through a network attack vector. |
| CVE-2024-43272 | | | 2026-06-17 | N/A | 5.3 MEDIUM | Missing Authentication for Critical Function vulnerability in icegram Icegram allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Icegram: from n/a through 3.1.24. |
| CVE-2024-42462 | 1 Upkeeper | 1 Upkeeper Manager | 2026-06-17 | N/A | 9.8 CRITICAL | Improper Authentication vulnerability in upKeeper Solutions product upKeeper Manager allows Authentication Bypass. This issue affects upKeeper Manager: through 5.1.9. |
| CVE-2024-42456 | 1 Veeam | 1 Veeam Backup & Replication | 2026-06-17 | N/A | 8.8 HIGH | A vulnerability in the Veeam Backup & Replication platform allows a low-privileged user with a specific role to exploit a method that updates critical configuration settings, such as modifying the trusted client certificate used for authentication on a specific port. This can result in unauthorized access, enabling the user to call privileged methods and initiate critical services. The issue arises due to insufficient permission requirements on the method, allowing users with low privileges to perform actions that should require higher-level permissions. |
| CVE-2024-42455 | 1 Veeam | 1 Veeam Backup & Replication | 2026-06-17 | N/A | 8.1 HIGH | A vulnerability in Veeam Backup & Replication allows a low-privileged user to connect to remoting services and exploit insecure deserialization by sending a serialized temporary file collection. This exploit allows the attacker to delete any file on the system with service account privileges. The vulnerability is caused by an insufficient blacklist during the deserialization process. |
| CVE-2024-42178 | 1 Hcltech | 1 Dryice Myxalytics | 2026-06-17 | N/A | 2.5 LOW | HCL MyXalytics is affected by a failure-to-restrict-URL-access vulnerability. Unauthenticated users might gain unauthorized access to potentially confidential information, creating a risk of misuse, manipulation, or unauthorized distribution. |
| CVE-2024-42017 | | | 2026-06-17 | N/A | 10.0 CRITICAL | An issue was discovered in Atos Eviden iCare 2.7.1 through 2.7.11. The application exposes a web interface locally. In the worst-case scenario, if the application is remotely accessible, it allows an attacker to execute arbitrary commands with system privilege on the endpoint hosting the application, without any authentication. |
| CVE-2024-41988 | | | 2026-06-17 | N/A | N/A | TEM Opera Plus FM Family Transmitter allows access to an unprotected endpoint that allows MPFS File System binary image upload without authentication. This file system serves as the basis for the HTTP2 web server module but is also used by the SNMP module and is available to other applications that require basic read-only storage capabilities. This can be exploited to overwrite the flash program memory that holds the web server's main interfaces and execute arbitrary code. |
| CVE-2024-41969 | | | 2026-06-17 | N/A | 8.8 HIGH | A low-privileged remote attacker may modify the configuration of the CODESYS V3 service through a missing authentication vulnerability, which could lead to full system access and/or DoS. |
| CVE-2024-41968 | | | 2026-06-17 | N/A | 5.4 MEDIUM | A low-privileged remote attacker may modify the docker settings setup of the device, leading to a limited DoS. |
| CVE-2024-41967 | | | 2026-06-17 | N/A | 8.1 HIGH | A low-privileged remote attacker may modify the boot mode configuration setup of the device, leading to modification of the firmware upgrade process or a denial-of-service attack. |
| CVE-2024-41793 | 1 Siemens | 2 7kt Pac1260 Data Manager, 7kt Pac1260 Data Manager Firmware | 2026-06-17 | N/A | 8.6 HIGH | A vulnerability has been identified in SENTRON 7KT PAC1260 Data Manager (All versions). The web interface of affected devices provides an endpoint that allows the ssh service to be enabled without authentication. This could allow an unauthenticated remote attacker to enable remote access to the device via ssh. |
| CVE-2024-41791 | 1 Siemens | 2 7kt Pac1260 Data Manager, 7kt Pac1260 Data Manager Firmware | 2026-06-17 | N/A | 7.3 HIGH | A vulnerability has been identified in SENTRON 7KT PAC1260 Data Manager (All versions). The web interface of affected devices does not authenticate report creation requests. This could allow an unauthenticated remote attacker to read or clear the log files on the device, reset the device, or set the date and time. |
| CVE-2024-40717 | 1 Veeam | 1 Veeam Backup & Replication | 2026-06-17 | N/A | 8.8 HIGH | A vulnerability in Veeam Backup & Replication allows a low-privileged user with certain roles to perform remote code execution (RCE) by updating existing jobs. These jobs can be configured to run pre- and post-scripts, which can be located on a network share and are executed with elevated privileges by default. The user can update a job and schedule it to run almost immediately, allowing arbitrary code execution on the server. |
| CVE-2024-40408 | 1 Cybelesoft | 1 Thinfinity Workspace | 2026-06-17 | N/A | 7.3 HIGH | Cybele Software Thinfinity Workspace before v7.0.2.113 was discovered to contain an access control issue in the Create Profile section. This vulnerability allows attackers to create arbitrary user profiles with elevated privileges. |
| CVE-2024-40405 | 1 Cybelesoft | 1 Thinfinity Workspace | 2026-06-17 | N/A | 8.1 HIGH | Incorrect access control in Cybele Software Thinfinity Workspace before v7.0.3.109 allows attackers to gain access to a secondary broker via a crafted request. |
