Total: 35705 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-34708 | 1 Monospace | 1 Directus | 2026-06-17 | N/A | 4.9 MEDIUM |
| Directus is a real-time API and App dashboard for managing SQL database content. A user with permission to view any collection that contains redacted hashed fields can access the raw stored value through the `alias` functionality of the API. Normally these redacted fields return `**********`; however, if the request is changed to `?alias[workaround]=redacted`, the plain-text value of the field is returned instead. This can be avoided by removing permission to view the sensitive fields entirely from users or roles that should not be able to see them. This vulnerability is fixed in 10.11.0. | |||||
| CVE-2024-34696 | 1 Geoserver | 1 Geoserver | 2026-06-17 | N/A | 4.5 MEDIUM |
| GeoServer is an open source server that allows users to share and edit geospatial data. Starting in version 2.10.0 and prior to versions 2.24.4 and 2.25.1, GeoServer's Server Status page and REST API list all environment variables and Java properties to any GeoServer user with administrative rights as part of those modules' status message. These variables/properties can also contain sensitive information, such as database passwords or API keys/tokens. Additionally, many community-developed GeoServer container images `export` other credentials from their start-up scripts as environment variables to the GeoServer (`java`) process. The precise scope of the issue depends on which container image is used and how it is configured. The `about status` API endpoint which powers the Server Status page is only available to administrators. Depending on the operating environment, administrators might have legitimate access to credentials in other ways, but this issue defeats more sophisticated controls (like break-glass access to secrets or role accounts). By default, GeoServer only allows same-origin authenticated API access. This limits the scope for a third-party attacker to use an administrator's credentials to gain access to credentials. The researchers who found the vulnerability were unable to determine any other conditions under which the GeoServer REST API may be available more broadly. Users should update container images to use GeoServer 2.24.4 or 2.25.1 to get the bug fix. As a workaround, leave environment variables and Java system properties hidden by default. Those who provide the option to re-enable them should communicate the impact and risks so that users can make an informed choice. | |||||
| CVE-2024-34693 | 1 Apache | 1 Superset | 2026-06-17 | N/A | 6.8 MEDIUM |
| Improper Input Validation vulnerability in Apache Superset allows an authenticated attacker to create a MariaDB connection with local_infile enabled. If both the MariaDB server (off by default) and the local mysql client on the web server are set to allow local infile, it is possible for the attacker to execute a specific MySQL/MariaDB SQL command that reads files from the server and inserts their content into a MariaDB database table. This issue affects Apache Superset before 3.1.3 and version 4.0.0. Users are recommended to upgrade to version 4.0.1 or 3.1.3, which fixes the issue. | |||||
| CVE-2024-34688 | 1 Sap | 1 Netweaver Application Server Java | 2026-06-17 | N/A | 7.5 HIGH |
| Due to unrestricted access to the Meta Model Repository services in SAP NetWeaver AS Java, attackers can perform DoS attacks on the application, which may prevent legitimate users from accessing it. This can result in no impact on confidentiality and integrity but a high impact on the availability of the application. | |||||
| CVE-2024-34684 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2026-06-17 | N/A | 3.7 LOW |
| On Unix, SAP BusinessObjects Business Intelligence Platform (Scheduling) allows an authenticated attacker with administrator access on the local server to access the password of a local account. As a result, an attacker can obtain non-administrative user credentials, which will allow them to read or modify the remote server files. | |||||
| CVE-2024-34682 | 1 Samsung | 1 Android | 2026-06-17 | N/A | 2.4 LOW |
| Improper authorization in Settings prior to SMR Nov-2024 Release 1 allows physical attackers to access the stored WiFi password in Maintenance Mode. | |||||
| CVE-2024-34675 | 1 Samsung | 1 Android | 2026-06-17 | N/A | 2.4 LOW |
| Improper access control in Dex Mode prior to SMR Nov-2024 Release 1 allows physical attackers to temporarily access the unlocked screen. | |||||
| CVE-2024-34674 | 1 Samsung | 1 Android | 2026-06-17 | N/A | 4.6 MEDIUM |
| Improper access control in Contacts prior to SMR Nov-2024 Release 1 allows physical attackers to access data across multiple user profiles. | |||||
| CVE-2024-34673 | 1 Samsung | 1 Android | 2026-06-17 | N/A | 4.1 MEDIUM |
| Improper Input Validation in IpcProtocol in Modem prior to SMR Nov-2024 Release 1 allows local attackers to cause Denial-of-Service. | |||||
| CVE-2024-34672 | 1 Samsung | 2 Android, Video Player | 2026-06-17 | N/A | 5.5 MEDIUM |
| Improper input validation in SamsungVideoPlayer prior to versions 7.3.29.1 in Android 12, 7.3.36.1 in Android 13, and 7.3.41.230 in Android 14 allows local attackers to access video files of other users. | |||||
| CVE-2024-34662 | 1 Samsung | 1 Android | 2026-06-17 | N/A | 6.2 MEDIUM |
| Improper access control in ActivityManager prior to SMR Oct-2024 Release 1 in select Android 12, 13 and SMR Sep-2024 Release 1 in select Android 14 allows local attackers to execute privileged behaviors. | |||||
| CVE-2024-34659 | 1 Samsung | 1 Group Sharing | 2026-06-17 | N/A | 7.5 HIGH |
| Exposure of sensitive information in GroupSharing prior to version 13.6.13.3 allows remote attackers to force the victim to join a group. | |||||
| CVE-2024-34655 | 1 Samsung | 1 Android | 2026-06-17 | N/A | 6.2 MEDIUM |
| Incorrect use of privileged API in UniversalCredentialManager prior to SMR Sep-2024 Release 1 allows local attackers to access privileged APIs related to UniversalCredentialManager. | |||||
| CVE-2024-34654 | 1 Samsung | 1 Android | 2026-06-17 | N/A | 6.2 MEDIUM |
| Improper Export of android application component in My Files prior to SMR Sep-2024 Release 1 allows local attackers to access files with My Files' privilege. | |||||
| CVE-2024-34647 | 1 Samsung | 1 Android | 2026-06-17 | N/A | 4.0 MEDIUM |
| Incorrect use of privileged API in DualDarManagerProxy prior to SMR Sep-2024 Release 1 allows local attackers to access privileged APIs related to Knox without a proper license. | |||||
| CVE-2024-34645 | 1 Samsung | 1 Android | 2026-06-17 | N/A | 6.1 MEDIUM |
| Improper input validation in ThemeCenter prior to SMR Sep-2024 Release 1 allows physical attackers to install privileged applications. | |||||
| CVE-2024-34641 | 1 Samsung | 1 Android | 2026-06-17 | N/A | 5.1 MEDIUM |
| Improper Export of Android Application Components in FeliCaTest prior to SMR Sep-2024 Release 1 allows local attackers to enable NFC configuration. | |||||
| CVE-2024-34620 | 1 Samsung | 1 Android | 2026-06-17 | N/A | 8.4 HIGH |
| Improper privilege management in SumeNNService prior to SMR Aug-2024 Release 1 allows local attackers to start a privileged service. | |||||
| CVE-2024-34619 | 1 Samsung | 1 Android | 2026-06-17 | N/A | 7.5 HIGH |
| Improper input validation in librtp.so prior to SMR Aug-2024 Release 1 allows remote attackers to execute arbitrary code with system privilege. User interaction is required for triggering this vulnerability. | |||||
| CVE-2024-34602 | 1 Samsung | 1 Android | 2026-06-17 | N/A | 3.3 LOW |
| Use of implicit intent for sensitive communication in Samsung Messages prior to SMR Jul-2024 Release 1 allows local attackers to get sensitive information. User interaction is required for triggering this vulnerability. | |||||
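The Directus entry (CVE-2024-34708) describes a redaction that is keyed on the field name the client asks for, so renaming a redacted column through `alias[...]` slips past it. The following is an added example, not Directus's own code, that models that pattern in miniature: a vulnerable projection that redacts by output name next to a fixed one that redacts by the source column the name resolves to. Row layout, the `alias[...]` parsing, and the `redacted_columns` set are assumptions made for the illustration; the sample users row is constructed.

```python
# Added example, not Directus's own code: models why redacting by the *output*
# field name is bypassable when the caller can alias fields, and the fix of
# redacting by the *source* column instead (the pattern behind CVE-2024-34708).
# Assumptions (not from the advisory): rows are dicts, `alias[...]` query
# parameters are parsed into {output_name: source_column}, and the role's
# hash-redacted columns are passed in as `redacted_columns`.
from typing import Dict, Iterable, List, Mapping, Set

REDACTED = "**********"

# Constructed sample data: a users collection with a hashed password column.
USERS: List[Dict[str, str]] = [
    {"id": "1", "email": "alice@example.com",
     "password": "$argon2id$v=19$m=65536,t=3,p=4$c29tZXNhbHQ$c29tZWhhc2g"},
]


def parse_alias(query: Mapping[str, str]) -> Dict[str, str]:
    """Turn {'alias[workaround]': 'password'} into {'workaround': 'password'}."""
    aliases: Dict[str, str] = {}
    for key, value in query.items():
        if key.startswith("alias[") and key.endswith("]"):
            aliases[key[len("alias["):-1]] = value
    return aliases


def project(row: Mapping[str, str], fields: Iterable[str],
            aliases: Mapping[str, str]) -> Dict[str, str]:
    """Build the response object: each requested output name maps to its source column."""
    out: Dict[str, str] = {}
    for name in fields:
        source = aliases.get(name, name)
        if source in row:
            out[name] = row[source]
    return out


def select_rows_vulnerable(rows, fields, query, redacted_columns: Set[str]):
    """Redaction keyed on the output name: an alias such as `workaround` is not
    in `redacted_columns`, so the raw hash leaks."""
    aliases = parse_alias(query)
    result = []
    for row in rows:
        projected = project(row, fields, aliases)
        for name in list(projected):
            if name in redacted_columns:
                projected[name] = REDACTED
        result.append(projected)
    return result


def select_rows_fixed(rows, fields, query, redacted_columns: Set[str]):
    """Redaction keyed on the source column the output name resolves to,
    so aliasing a redacted column still yields the placeholder."""
    aliases = parse_alias(query)
    result = []
    for row in rows:
        projected = project(row, fields, aliases)
        for name in list(projected):
            if aliases.get(name, name) in redacted_columns:
                projected[name] = REDACTED
        result.append(projected)
    return result


if __name__ == "__main__":
    bypass = {"alias[workaround]": "password"}
    print(select_rows_vulnerable(USERS, ["id", "workaround"], bypass, {"password"}))
    print(select_rows_fixed(USERS, ["id", "workaround"], bypass, {"password"}))
```

The advisory's second mitigation, removing read permission on the sensitive column altogether, is the stronger control: a permission check applied to the resolved source column means the value never reaches the projection step, whether or not it is aliased.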
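The GeoServer entry (CVE-2024-34696) recommends keeping environment variables and Java system properties out of the status output by default, and warns that container start-up scripts often export credentials into that environment. The following is an added example, not GeoServer's own code, of a status builder that follows the workaround: the environment is omitted unless an operator opts in, and even then credential-looking names and credentials embedded in values (such as a password inside a JDBC URL) are masked. The helper names and the regex heuristics are assumptions for the illustration, and the environment and property mappings are constructed so the example runs offline.

```python
# Added example, not GeoServer's own code: a diagnostics/status payload that
# leaves environment variables and system properties out by default and, when
# an operator explicitly opts in, masks credential-looking entries (the
# workaround recommended for CVE-2024-34696). Assumptions: `build_status`,
# `mask_sensitive` and the name/value patterns are illustrative heuristics,
# not a complete catalogue of secret formats; the mappings are passed in so
# the example runs offline on constructed data.
import re
from typing import Dict, Mapping

MASK = "***"
# Names that conventionally hold credentials (heuristic, assumed here).
SENSITIVE_NAME = re.compile(
    r"(pass(word|wd)?|pwd|secret|token|api[_-]?key|private[_-]?key|credential)",
    re.IGNORECASE,
)
# Credentials embedded inside otherwise harmless values, e.g. a JDBC URL query string.
EMBEDDED_CREDENTIAL = re.compile(r"(?i)\b(password|pwd|secret|token)=([^&;\s]+)")


def mask_sensitive(entries: Mapping[str, str]) -> Dict[str, str]:
    """Return a copy with sensitive names fully masked and embedded credentials replaced."""
    masked: Dict[str, str] = {}
    for name, value in entries.items():
        if SENSITIVE_NAME.search(name):
            masked[name] = MASK
        else:
            masked[name] = EMBEDDED_CREDENTIAL.sub(lambda m: f"{m.group(1)}={MASK}", value)
    return masked


def build_status(environment: Mapping[str, str],
                 system_properties: Mapping[str, str],
                 show_environment: bool = False) -> Dict[str, object]:
    """Status payload. Environment and properties are omitted unless explicitly
    enabled, and even then they pass through mask_sensitive()."""
    status: Dict[str, object] = {"status": "ok", "environment_exposed": show_environment}
    if show_environment:
        status["environment"] = mask_sensitive(environment)
        status["system_properties"] = mask_sensitive(system_properties)
    return status


# Constructed sample input resembling what a container start-up script might export.
SAMPLE_ENV = {
    "PATH": "/usr/local/bin:/usr/bin",
    "GEOSERVER_DATA_DIR": "/opt/geoserver/data_dir",
    "POSTGRES_PASSWORD": "hunter2",
    "JDBC_URL": "jdbc:postgresql://db:5432/gis?user=geo&password=hunter2",
}
SAMPLE_PROPS = {
    "java.version": "17.0.2",
    "geoserver.admin.password": "changeme",
}

if __name__ == "__main__":
    print(build_status(SAMPLE_ENV, SAMPLE_PROPS))
    print(build_status(SAMPLE_ENV, SAMPLE_PROPS, show_environment=True))
```

Masking is a second line of defence only; the advisory's point is that the administrator role should not be the boundary that protects secrets an image exported into the process environment, so the default of not rendering the environment at all is what matters.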
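The Superset entry (CVE-2024-34693) is an input validation gap: a user who can define a database connection could turn on client-side local infile for a MariaDB connection. The following is an added example, not Superset's own code, of the kind of check that closes it: the SQLAlchemy URI and the "extra" JSON blob are inspected before the connection is saved, and any local-infile parameter on a MySQL/MariaDB connection is rejected. The parameter names (`local_infile` for PyMySQL/mysqlclient, `allow_local_infile` for mysql-connector), the `engine_params.connect_args` layout of the extra JSON, and the function names are assumptions stated for the illustration; the sample URIs are constructed.

```python
# Added example, not Superset's own code: validating a user-supplied
# MySQL/MariaDB SQLAlchemy URI and "extra" JSON before a connection is saved,
# rejecting parameters that turn on client-side LOCAL INFILE (the input
# validation gap behind CVE-2024-34693). Assumptions: the parameter names
# below are the ones the common Python MySQL drivers accept (`local_infile`
# for PyMySQL/mysqlclient, `allow_local_infile` for mysql-connector), and the
# extra JSON follows the {"engine_params": {"connect_args": {...}}} layout.
# Any appearance of the parameter is rejected regardless of its value, so a
# setting saved as "disabled" cannot later be flipped without re-validation.
import json
from typing import List
from urllib.parse import parse_qs, urlparse

MYSQL_FAMILY = {"mysql", "mariadb"}
LOCAL_INFILE_PARAMS = {"local_infile", "allow_local_infile", "allowloadlocalinfile"}


def find_local_infile(uri: str, extra_json: str = "{}") -> List[str]:
    """Return a list of findings; an empty list means the definition is acceptable."""
    findings: List[str] = []
    parsed = urlparse(uri)
    dialect = parsed.scheme.split("+", 1)[0].lower()   # 'mysql+pymysql' -> 'mysql'
    if dialect not in MYSQL_FAMILY:
        return findings

    # 1. Query string on the URI itself, e.g. ...?local_infile=1
    for key, values in parse_qs(parsed.query, keep_blank_values=True).items():
        if key.lower() in LOCAL_INFILE_PARAMS:
            findings.append(f"uri query parameter {key}={values[0]!r}")

    # 2. Driver connect_args passed through the "extra" JSON blob
    try:
        extra = json.loads(extra_json or "{}")
    except json.JSONDecodeError:
        findings.append("extra is not valid JSON")
        return findings
    connect_args = extra.get("engine_params", {}).get("connect_args", {})
    for key, value in connect_args.items():
        if str(key).lower() in LOCAL_INFILE_PARAMS:
            findings.append(f"extra connect_args {key}={value!r}")
    return findings


def validate_database_uri(uri: str, extra_json: str = "{}") -> None:
    """Raise ValueError listing every finding; call where a connection is created or edited."""
    findings = find_local_infile(uri, extra_json)
    if findings:
        raise ValueError("LOCAL INFILE must not be enabled: " + "; ".join(findings))


if __name__ == "__main__":
    # Constructed inputs: a benign URI, a URI-level bypass, and an extra-JSON bypass.
    print(find_local_infile("mysql+pymysql://app:s3cret@db:3306/warehouse"))
    print(find_local_infile("mariadb+mariadbconnector://app:s3cret@db/warehouse?local_infile=1"))
    print(find_local_infile("mysql://app:s3cret@db/warehouse",
                            '{"engine_params": {"connect_args": {"local_infile": true}}}'))
```

Checking both the URI query string and the extra JSON matters because the two reach the driver by different paths; validating only one leaves the other as a way to re-enable the feature. The advisory also notes the server-side `local_infile` setting is off by default, which is the other half of the control.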
