Total
32201 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-41612 | 1 Openrisc | 2 Mor1kx, Mor1kx Firmware | 2025-02-06 | N/A | 8.8 HIGH |
| An issue was discovered in the ALU unit of the OpenRISC mor1kx processor. The carry flag is not being updated correctly for the subtract instruction, which results in an incorrect value of the carry flag. Any software that relies on this flag may experience corruption in execution. | |||||
| CVE-2024-26136 | 1 Openjsf | 1 Electroncord | 2025-02-05 | N/A | 7.5 HIGH |
| kedi ElectronCord is a bot management tool for Discord. Commit aaaeaf4e6c99893827b2eea4dd02f755e1e24041 exposes an account access token in the `config.json` file. Malicious actors could potentially exploit this vulnerability to gain unauthorized access to sensitive information or perform malicious actions on behalf of the repository owner. As of time of publication, it is unknown whether the owner of the repository has rotated the token or taken other mitigation steps aside from informing users of the situation. | |||||
| CVE-2023-46241 | 1 Discourse | 1 Microsoft Authentication | 2025-02-05 | N/A | 9.0 CRITICAL |
| `discourse-microsoft-auth` is a plugin that enables authentication via Microsoft. On sites with the `discourse-microsoft-auth` plugin enabled, an attack can potentially take control of a victim's Discourse account. Sites that have configured their application's account type to any options other than `Accounts in this organizational directory only (O365 only - Single tenant)` are vulnerable. This vulnerability has been patched in commit c40665f44509724b64938c85def9fb2e79f62ec8 of `discourse-microsoft-auth`. A `microsoft_auth:revoke` rake task has also been added which will deactivate and log out all users that have connected their accounts to Microsoft. User API keys as well as API keys created by those users will also be revoked. The rake task will also remove the connection records to Microsoft for those users. This will allow affected users to re-verify their account emails as well as reconnect their Discourse account to Microsoft for authentication. As a workaround, disable the `discourse-microsoft-auth` plugin by setting the `microsoft_auth_enabled` site setting to `false`. Run the `microsoft_auth:log_out_users` rake task to log out all users with associated Microsoft accounts. | |||||
| CVE-2024-26138 | 1 Xwiki | 1 Application Licensing | 2025-02-05 | N/A | 5.3 MEDIUM |
| The XWiki licensor application, which manages and enforce application licenses for paid extensions, includes the document `Licenses.Code.LicenseJSON` that provides information for admins regarding active licenses. This document is public and thus exposes this information publicly. The information includes the instance's id as well as first and last name and email of the license owner. This is a leak of information that isn't supposed to be public. The instance id allows associating data on the active installs data with the concrete XWiki instance. Active installs assures that "there's no way to find who's having a given UUID" (referring to the instance id). Further, the information who the license owner is and information about the obtained licenses can be used for targeted phishing attacks. Also, while user information is normally public, email addresses might only be displayed obfuscated, depending on the configuration. This has been fixed in Application Licensing 1.24.2. There are no known workarounds besides upgrading. | |||||
| CVE-2024-26145 | 1 Discourse | 1 Calendar | 2025-02-05 | N/A | 6.5 MEDIUM |
| Discourse Calendar adds the ability to create a dynamic calendar in the first post of a topic on Discourse. Uninvited users are able to gain access to private events by crafting a request to update their attendance. This problem is resolved in commit dfc4fa15f340189f177a1d1ab2cc94ffed3c1190. As a workaround, one may use post visibility to limit access. | |||||
| CVE-2024-24817 | 1 Discourse | 1 Calendar | 2025-02-05 | N/A | 4.3 MEDIUM |
| Discourse Calendar adds the ability to create a dynamic calendar in the first post of a topic on the open-source discussion platform Discourse. Prior to version 0.4, event invitees created in topics in private categories or PMs (private messages) can be retrieved by anyone, even if they're not logged in. This problem is resolved in version 0.4 of the discourse-calendar plugin. While no known workaround is available, putting the site behind `login_required` will disallow this endpoint to be used by anonymous users, but logged in users can still get the list of invitees in the private topics. | |||||
| CVE-2024-25130 | 1 Enalean | 1 Tuleap | 2025-02-05 | N/A | 5.4 MEDIUM |
| Tuleap is an open source suite to improve management of software developments and collaboration. Prior to version 15.5.99.76 of Tuleap Community Edition and prior to versions 15.5-4 and 15.4-7 of Tuleap Enterprise Edition, users with a read access to a tracker where the mass update feature is used might get access to restricted information. Tuleap Community Edition 15.5.99.76, Tuleap Enterprise Edition 15.5-4, and Tuleap Enterprise Edition 15.4-7 contain a patch for this issue. | |||||
| CVE-2024-1400 | 1 Wobbie | 1 Mollie Forms | 2025-02-05 | N/A | 4.3 MEDIUM |
| The Mollie Forms plugin for WordPress is vulnerable to unauthorized post or page duplication due to a missing capability check on the duplicateForm function in all versions up to, and including, 2.6.3. This makes it possible for authenticated attackers, with subscriber access or higher, to duplicate arbitrary posts and pages. | |||||
| CVE-2023-21086 | 1 Google | 1 Android | 2025-02-05 | N/A | 7.8 HIGH |
| In isToggleable of SecureNfcEnabler.java and SecureNfcPreferenceController.java, there is a possible way to enable NFC from a secondary account due to a permissions bypass. This could lead to local escalation of privilege from the Guest account with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12L Android-13Android ID: A-238298970 | |||||
| CVE-2023-21084 | 1 Google | 1 Android | 2025-02-05 | N/A | 6.7 MEDIUM |
| In buildPropFile of filesystem.go, there is a possible insecure hash due to an improperly used crypto. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-13Android ID: A-262892300 | |||||
| CVE-2023-21083 | 1 Google | 1 Android | 2025-02-05 | N/A | 7.8 HIGH |
| In onNullBinding of CallScreeningServiceHelper.java, there is a possible way to record audio without showing a privacy indicator due to a permissions bypass. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12L Android-13Android ID: A-252762941 | |||||
| CVE-2025-21313 | 1 Microsoft | 3 Windows 11 24h2, Windows Server 2022 23h2, Windows Server 2025 | 2025-02-05 | N/A | 6.5 MEDIUM |
| Windows Security Account Manager (SAM) Denial of Service Vulnerability | |||||
| CVE-2023-21092 | 1 Google | 1 Android | 2025-02-05 | N/A | 7.8 HIGH |
| In retrieveServiceLocked of ActiveServices.java, there is a possible way to dynamically register a BroadcastReceiver using permissions of System App due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12L Android-13Android ID: A-242040055 | |||||
| CVE-2023-21089 | 1 Google | 1 Android | 2025-02-05 | N/A | 7.8 HIGH |
| In startInstrumentation of ActivityManagerService.java, there is a possible way to keep the foreground service alive while the app is in the background. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12L Android-13Android ID: A-237766679 | |||||
| CVE-2023-21088 | 1 Google | 1 Android | 2025-02-05 | N/A | 7.8 HIGH |
| In deliverOnFlushComplete of LocationProviderManager.java, there is a possible way to bypass background activity launch restrictions due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-12 Android-12L Android-13Android ID: A-235823542 | |||||
| CVE-2023-21082 | 1 Google | 1 Android | 2025-02-05 | N/A | 5.5 MEDIUM |
| In getNumberFromCallIntent of NewOutgoingCallIntentBroadcaster.java, there is a possible way to enumerate other user's contact phone number due to a confused deputy. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12L Android-13Android ID: A-257030107 | |||||
| CVE-2023-21081 | 1 Google | 1 Android | 2025-02-05 | N/A | 7.8 HIGH |
| In multiple functions of PackageInstallerService.java and related files, there is a possible way to bypass background activity launch restrictions due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12L Android-13Android ID: A-230492955 | |||||
| CVE-2023-20909 | 1 Google | 1 Android | 2025-02-05 | N/A | 5.5 MEDIUM |
| In multiple functions of RunningTasks.java, there is a possible privilege escalation due to a missing privilege check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-11 Android-12 Android-12L Android-13Android ID: A-243130512 | |||||
| CVE-2025-21187 | 1 Microsoft | 1 Power Automate For Desktop | 2025-02-05 | N/A | 7.8 HIGH |
| Microsoft Power Automate Remote Code Execution Vulnerability | |||||
| CVE-2018-1457 | 3 Ibm, Linux, Microsoft | 3 Engineering Requirements Management Doors, Linux Kernel, Windows | 2025-02-05 | 7.5 HIGH | 9.8 CRITICAL |
| An undisclosed vulnerability in IBM Rational DOORS 9.5.1 through 9.6.1.10 application allows an attacker to gain DOORS administrator privileges. IBM X-Force ID: 140208. | |||||