Total
12849 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-47934 | 2025-01-08 | 5.3 Medium | ||
| Improper Input Validation vulnerability in Management Program in TXOne Networks Portable Inspector and Portable Inspector Pro Edition allows remote attacker to crash management service. The Denial of Service situation can be resolved by restarting the management service. This issue affects Portable Inspector: through 1.0.0; Portable Inspector Pro Edition: through 1.0.0. | ||||
| CVE-2023-2961 | 1 Advancemame | 1 Advancecomp | 2025-01-07 | 3.3 Low |
| A segmentation fault flaw was found in the Advancecomp package. This may lead to decreased availability. | ||||
| CVE-2023-34111 | 1 Tdengine | 1 Grafana | 2025-01-07 | 8.1 High |
| The `Release PR Merged` workflow in the github repo taosdata/grafanaplugin is subject to a command injection vulnerability which allows for arbitrary code execution within the github action context due to the insecure usage of `${{ github.event.pull_request.title }}` in a bash command within the GitHub workflow. Attackers can inject malicious commands which will be executed by the workflow. This happens because `${{ github.event.pull_request.title }}` is directly passed to bash command on like 25 of the workflow. This may allow an attacker to gain access to secrets which the github action has access to or to otherwise make use of the compute resources. | ||||
| CVE-2024-12912 | 2025-01-06 | 7.2 High | ||
| An improper input insertion vulnerability in AiCloud on certain router models may lead to arbitrary command execution. Refer to the '01/02/2025 ASUS Router AiCloud vulnerability' section on the ASUS Security Advisory for more information. | ||||
| CVE-2023-34239 | 1 Gradio Project | 1 Gradio | 2025-01-06 | 7.3 High |
| Gradio is an open-source Python library that is used to build machine learning and data science. Due to a lack of path filtering Gradio does not properly restrict file access to users. Additionally Gradio does not properly restrict the what URLs are proxied. These issues have been addressed in version 3.34.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2023-34610 | 1 Json-io Project | 1 Json-io | 2025-01-06 | 7.5 High |
| An issue was discovered json-io thru 4.14.0 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies. | ||||
| CVE-2023-2455 | 3 Fedoraproject, Postgresql, Redhat | 9 Fedora, Postgresql, Enterprise Linux and 6 more | 2025-01-06 | 5.4 Medium |
| Row security policies disregard user ID changes after inlining; PostgreSQL could permit incorrect policies to be applied in certain cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy. | ||||
| CVE-2024-9257 | 1 Logsign | 1 Unified Secops Platform | 2025-01-03 | 6.5 Medium |
| Logsign Unified SecOps Platform delete_gsuite_key_file Input Validation Arbitrary File Deletion Vulnerability. This vulnerability allows remote attackers to delete arbitrary files within sensitive directories on affected installations of Logsign Unified SecOps Platform. Authentication is required to exploit this vulnerability. The specific flaw exists within the delete_gsuite_key_file endpoint. The issue results from the lack of proper validation of a user-supplied filename prior to using it in file operations. An attacker can leverage this vulnerability to delete critical files on the system. Was ZDI-CAN-25265. | ||||
| CVE-2023-5528 | 4 Fedoraproject, Kubernetes, Microsoft and 1 more | 4 Fedora, Kubernetes, Windows and 1 more | 2025-01-03 | 7.2 High |
| A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they are using an in-tree storage plugin for Windows nodes. | ||||
| CVE-2024-27931 | 1 Deno | 1 Deno | 2025-01-03 | 5.8 Medium |
| Deno is a JavaScript, TypeScript, and WebAssembly runtime with secure defaults. Insufficient validation of parameters in `Deno.makeTemp*` APIs would allow for creation of files outside of the allowed directories. This may allow the user to overwrite important files on the system that may affect other systems. A user may provide a prefix or suffix to a `Deno.makeTemp*` API containing path traversal characters. This is fixed in Deno 1.41.1. | ||||
| CVE-2024-27932 | 1 Deno | 1 Deno | 2025-01-03 | 4.6 Medium |
| Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.8.0 and prior to version 1.40.4, Deno improperly checks that an import specifier's hostname is equal to or a child of a token's hostname, which can cause tokens to be sent to servers they shouldn't be sent to. An auth token intended for `example[.]com` may be sent to `notexample[.]com`. Anyone who uses DENO_AUTH_TOKENS and imports potentially untrusted code is affected. Version 1.40.0 contains a patch for this issue | ||||
| CVE-2024-32645 | 1 Vyperlang | 1 Vyper | 2025-01-02 | 5.3 Medium |
| Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, incorrect values can be logged when `raw_log` builtin is called with memory or storage arguments to be used as topics. A contract search was performed and no vulnerable contracts were found in production. The `build_IR` function of the `RawLog` class fails to properly unwrap the variables provided as topics. Consequently, incorrect values are logged as topics. As of time of publication, no fixed version is available. | ||||
| CVE-2024-32646 | 1 Vyperlang | 1 Vyper | 2025-01-02 | 5.3 Medium |
| Vyper is a pythonic Smart Contract Language for the Ethereum virtual machine. In versions 0.3.10 and prior, using the `slice` builtin can result in a double eval vulnerability when the buffer argument is either `msg.data`, `self.code` or `<address>.code` and either the `start` or `length` arguments have side-effects. It can be easily triggered only with the versions `<0.3.4` as `0.3.4` introduced the unique symbol fence. No vulnerable production contracts were found. Additionally, double evaluation of side-effects should be easily discoverable in client tests. As such, the impact is low. As of time of publication, no fixed versions are available. | ||||
| CVE-2024-7023 | 2 Google, Microsoft | 2 Chrome, Windows | 2025-01-02 | 8 High |
| Insufficient data validation in Updater in Google Chrome prior to 128.0.6537.0 allowed a remote attacker to perform privilege escalation via a malicious file. (Chromium security severity: Medium) | ||||
| CVE-2023-35619 | 1 Microsoft | 1 Office Long Term Servicing Channel | 2025-01-01 | 5.3 Medium |
| Microsoft Outlook for Mac Spoofing Vulnerability | ||||
| CVE-2023-36897 | 1 Microsoft | 6 365 Apps, Office, Visual Studio 2010 Tools For Office Runtime and 3 more | 2025-01-01 | 8.1 High |
| Visual Studio Tools for Office Runtime Spoofing Vulnerability | ||||
| CVE-2023-36899 | 1 Microsoft | 10 .net Framework, Windows 10 1809, Windows 10 21h2 and 7 more | 2025-01-01 | 8.8 High |
| ASP.NET Elevation of Privilege Vulnerability | ||||
| CVE-2023-36873 | 1 Microsoft | 12 .net Framework, Windows 10 1607, Windows 10 1809 and 9 more | 2025-01-01 | 7.4 High |
| .NET Framework Spoofing Vulnerability | ||||
| CVE-2023-35303 | 1 Microsoft | 12 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 9 more | 2025-01-01 | 8.8 High |
| USB Audio Class System Driver Remote Code Execution Vulnerability | ||||
| CVE-2023-36872 | 1 Microsoft | 1 Vp9 Video Extensions | 2025-01-01 | 5.5 Medium |
| VP9 Video Extensions Information Disclosure Vulnerability | ||||