Total
34424 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-5470 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 3.8 Low |
| An issue was discovered in GitLab CE/EE affecting all versions starting from 17.0 prior to 17.0.4 and from 17.1 prior to 17.1.2 where a Guest user with `admin_push_rules` permission may have been able to create project-level deploy tokens. | ||||
| CVE-2024-5465 | 1 Huawei | 2 Emui, Harmonyos | 2024-11-21 | 5.9 Medium |
| Function vulnerabilities in the Calendar module Impact: Successful exploitation of this vulnerability will affect availability. | ||||
| CVE-2024-5449 | 1 Wppool | 1 Wp Dark Mode | 2024-11-21 | 4.3 Medium |
| The WP Dark Mode – WordPress Dark Mode Plugin for Improved Accessibility, Dark Theme, Night Mode, and Social Sharing plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpdm_social_share_save_options function in all versions up to, and including, 5.0.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's settings. | ||||
| CVE-2024-5430 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 6.8 Medium |
| An issue was discovered in GitLab CE/EE affecting all versions starting from 16.10 prior to 16.11.5, starting from 17.0 prior to 17.0.3, and starting from 17.1 prior to 17.1.1, which allows a project maintainer can delete the merge request approval policy via graphQL. | ||||
| CVE-2024-5313 | 1 Schneider-electric | 2 Evlink Home, Evlink Home Firmware | 2024-11-21 | 6.5 Medium |
| CWE-668: Exposure of the Resource Wrong Sphere vulnerability exists that exposes a SSH interface over the product network interface. This does not allow to directly exploit the product or make any unintended operation as the SSH interface access is protected by an authentication mechanism. Impacts are limited to port scanning and fingerprinting activities as well as attempts to perform a potential denial of service attack on the exposed SSH interface. | ||||
| CVE-2024-5257 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.9 Medium |
| An issue was discovered in GitLab CE/EE affecting all versions starting from 17.0 prior to 17.0.4 and from 17.1 prior to 17.1.2 where a Developer user with `admin_compliance_framework` custom role may have been able to modify the URL for a group namespace. | ||||
| CVE-2024-5067 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 4.4 Medium |
| An issue was discovered in GitLab EE affecting all versions starting from 16.11 prior to 17.0.5, starting from 17.1 prior to 17.1.3, and starting from 17.2 prior to 17.2.1 where certain project-level analytics settings could be leaked in DOM to group members with Developer or higher roles. | ||||
| CVE-2024-5059 | 1 Awplife | 1 Event Monster | 2024-11-21 | 5.3 Medium |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in A WP Life Event Management Tickets Booking.This issue affects Event Management Tickets Booking: from n/a through 1.4.0. | ||||
| CVE-2024-5013 | 1 Progress | 1 Whatsup Gold | 2024-11-21 | 7.5 High |
| In WhatsUp Gold versions released before 2023.1.3, an unauthenticated Denial of Service vulnerability was identified. An unauthenticated attacker can put the application into the SetAdminPassword installation step, which renders the application non-accessible. | ||||
| CVE-2024-5009 | 1 Progress | 1 Whatsup Gold | 2024-11-21 | 8.4 High |
| In WhatsUp Gold versions released before 2023.1.3, an Improper Access Control vulnerability in Wug.UI.Controllers.InstallController.SetAdminPassword allows local attackers to modify admin's password. | ||||
| CVE-2024-51127 | 1 Redhat | 2 Hornetq, Jboss Enterprise Application Platform | 2024-11-21 | 7.1 High |
| An issue in the createTempFile method of hornetq v2.4.9 allows attackers to arbitrarily overwrite files or access sensitive information. | ||||
| CVE-2024-4883 | 1 Progress | 1 Whatsup Gold | 2024-11-21 | 9.8 Critical |
| In WhatsUp Gold versions released before 2023.1.3, a Remote Code Execution issue exists in Progress WhatsUp Gold. This vulnerability allows an unauthenticated attacker to achieve the RCE as a service account through NmApi.exe. | ||||
| CVE-2024-4660 | 1 Gitlab | 1 Gitlab | 2024-11-21 | 6.5 Medium |
| An issue has been discovered in GitLab EE affecting all versions starting from 11.2 before 17.1.7, all versions starting from 17.2 before 17.2.5, all versions starting from 17.3 before 17.3.2. It was possible for a guest to read the source code of a private project by using group templates. | ||||
| CVE-2024-4220 | 1 Beyondtrust | 1 Beyondinsight | 2024-11-21 | 4.3 Medium |
| Prior to 23.1, an information disclosure vulnerability exists within BeyondInsight which can allow an attacker to enumerate usernames. | ||||
| CVE-2024-4194 | 1 Essentialplugin | 1 Album And Image Gallery Plus Lightbox | 2024-11-21 | 6.5 Medium |
| The The Album and Image Gallery plus Lightbox plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.0. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. | ||||
| CVE-2024-46610 | 1 Thecosy | 1 Icecms | 2024-11-21 | 7.5 High |
| An access control issue in IceCMS v3.4.7 and before allows attackers to arbitrarily modify users' information, including username and password, via a crafted POST request sent to the endpoint /User/ChangeUser/s in the ChangeUser function in UserController.java | ||||
| CVE-2024-43801 | 1 Jellyfin | 1 Jellyfin | 2024-11-21 | 4.6 Medium |
| Jellyfin is an open source self hosted media server. The Jellyfin user profile image upload accepts SVG files, allowing for a stored XSS attack against an admin user via a specially crafted malicious SVG file. When viewed by an admin outside of the Jellyfin Web UI (e.g. via "view image" in a browser), this malicious SVG file could interact with the browser's LocalStorage and retrieve an AccessToken, which in turn can be used in an API call to elevate the target user to a Jellyfin administrator. The actual attack vector is unlikely to be exploited, as it requires specific actions by the administrator to view the SVG image outside of Jellyfin's WebUI, i.e. it is not a passive attack. The underlying exploit mechanism is solved by PR #12490, which forces attached images (including the potential malicious SVG) to be treated as attachments and thus downloaded by browsers, rather than viewed. This prevents exploitation of the LocalStorage of the browser. This PR has been merged and the relevant code changes are included in release version 10.9.10. All users are advised to upgrade. | ||||
| CVE-2024-41916 | 1 Arubanetworks | 1 Clearpass Policy Manager | 2024-11-21 | 6.8 Medium |
| A vulnerability exists in ClearPass Policy Manager that allows for an attacker with administrative privileges to access sensitive information in a cleartext format. A successful exploit allows an attacker to retrieve information which could be used to potentially gain further access to network services supported by ClearPass Policy Manager. | ||||
| CVE-2024-41839 | 1 Adobe | 1 Experience Manager | 2024-11-21 | 3.5 Low |
| Adobe Experience Manager versions 6.5.20 and earlier are affected by an Improper Input Validation vulnerability that could lead to a security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and affect the integrity of the page. Exploitation of this issue requires user interaction. | ||||
| CVE-2024-41686 | 1 Syrotech | 2 Sy-gpon-1110-wdont, Sy-gpon-1110-wdont Firmware | 2024-11-21 | 3.3 Low |
| This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to improper implementation of password policies. A local attacker could exploit this by creating password that do not adhere to the defined security standards/policy on the vulnerable system. Successful exploitation of this vulnerability could allow the attacker to expose the router to potential security threats. | ||||