Export limit exceeded: 341171 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (2078 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-6780 | 2024-11-21 | 3.3 Low | ||
| Improper permission control in the mobile application (com.android.server.telecom) may lead to user information security risks. | ||||
| CVE-2024-6739 | 1 Openfind | 2 Mailaudit, Mailgates | 2024-11-21 | 5.3 Medium |
| The session cookie in MailGates and MailAudit from Openfind does not have the HttpOnly flag enabled, allowing remote attackers to potentially steal the session cookie via XSS. | ||||
| CVE-2024-5618 | 2024-11-21 | 9.9 Critical | ||
| Incorrect Permission Assignment for Critical Resource vulnerability in PruvaSoft Informatics Apinizer Management Console allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Apinizer Management Console: before 2024.05.1. | ||||
| CVE-2024-43199 | 1 Nagios | 1 Ndoutils | 2024-11-21 | 8.8 High |
| Nagios NDOUtils before 2.1.4 allows privilege escalation from nagios to root because certain executable files are owned by the nagios user. | ||||
| CVE-2024-41685 | 1 Syrotech | 2 Sy-gpon-1110-wdont, Sy-gpon-1110-wdont Firmware | 2024-11-21 | 7.5 High |
| This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to missing HTTPOnly flag for the session cookies associated with the router's web management interface. An attacker with remote access could exploit this by intercepting transmission within an HTTP session on the vulnerable system. Successful exploitation of this vulnerability could allow the attacker to capture cookies and obtain sensitive information on the targeted system. | ||||
| CVE-2024-3375 | 1 Havelsan | 1 Dialogue | 2024-11-21 | 9.4 Critical |
| Incorrect Permission Assignment for Critical Resource vulnerability in Havelsan Inc. Dialogue allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Dialogue: from v1.83 before v1.83.1 or v1.84. | ||||
| CVE-2024-39904 | 2024-11-21 | 8.8 High | ||
| VNote is a note-taking platform. Prior to 3.18.1, a code execution vulnerability existed in VNote, which allowed an attacker to execute arbitrary programs on the victim's system. A crafted URI can be used in a note to perform this attack using file:/// as a link. For example, file:///C:/WINDOWS/system32/cmd.exe. This allows attackers to execute arbitrary programs by embedding a reference to a local executable file such as file:///C:/WINDOWS/system32/cmd.exe and file:///C:/WINDOWS/system32/calc.exe. This vulnerability can be exploited by creating and sharing specially crafted notes. An attacker could send a crafted note file and perform further attacks. This vulnerability is fixed in 3.18.1. | ||||
| CVE-2024-39303 | 1 Weblate | 1 Weblate | 2024-11-21 | 4.4 Medium |
| Weblate is a web based localization tool. Prior to version 5.6.2, Weblate didn't correctly validate filenames when restoring project backup. It may be possible to gain unauthorized access to files on the server using a crafted ZIP file. This issue has been addressed in Weblate 5.6.2. As a workaround, do not allow untrusted users to create projects. | ||||
| CVE-2024-38456 | 1 Vivavis | 1 High-leit | 2024-11-21 | 7.8 High |
| HIGH-LEIT V05.08.01.03 and HIGH-LEIT V04.25.00.00 to 4.25.01.01 for Windows from Vivavis contain an insecure file and folder permissions vulnerability in prunsrv.exe. A regular user (non-admin) can exploit the weak folder and file permissions to escalate privileges and execute arbitrary code in the context of NT AUTHORITY\SYSTEM. | ||||
| CVE-2024-37295 | 1 Aimeos | 1 Aimeos-core | 2024-11-21 | 7.2 High |
| Aimeos is an Open Source e-commerce framework for online shops. Starting in version 2024.01.1 and prior to version 2024.04.5, a user with administrative privileges can upload files that look like images but contain PHP code which can then be executed in the context of the web server. Version 2024.04.5 fixes the issue. | ||||
| CVE-2024-36821 | 1 Linksys | 2 Velop Whw0101, Velop Whw0101 Firmware | 2024-11-21 | 6.8 Medium |
| Insecure permissions in Linksys Velop WiFi 5 (WHW01v1) 1.1.13.202617 allows attackers to escalate privileges from Guest to root. | ||||
| CVE-2024-33435 | 1 Guangzhou Yingshi Electronic Technology | 1 Ncast Yingshi | 2024-11-21 | 9.8 Critical |
| Insecure Permissions vulnerability in Guangzhou Yingshi Electronic Technology Co. Ncast Yingshi high-definition intelligent recording and playback system 2007-2017 allows a remote attacker to execute arbitrary code via the /manage/IPSetup.php backend function | ||||
| CVE-2024-32478 | 2024-11-21 | 6.9 Medium | ||
| Git Credential Manager (GCM) is a secure Git credential helper. Prior to 2.5.0, the Debian package does not set root ownership on installed files. This allows user 1001 on a multi-user system can replace binary and gain other users' privileges. This vulnerability is fixed in 2.5.0. | ||||
| CVE-2024-30369 | 1 A10networks | 2 Advanced Core Operating System, Thunder Adc | 2024-11-21 | 7.8 High |
| A10 Thunder ADC Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of A10 Thunder ADC. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the installer. The issue results from incorrect permissions on a file. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of root. Was ZDI-CAN-22754. | ||||
| CVE-2024-30265 | 2024-11-21 | 7.5 High | ||
| Collabora Online is a collaborative online office suite based on LibreOffice technology. Any deployment of voilà dashboard allow local file inclusion. Any file on a filesystem that is readable by the user that runs the voilà dashboard server can be downloaded by someone with network access to the server. Whether this still requires authentication depends on how voilà is deployed. This issue has been patched in 0.2.17, 0.3.8, 0.4.4 and 0.5.6. | ||||
| CVE-2024-29187 | 2024-11-21 | 7.3 High | ||
| WiX toolset lets developers create installers for Windows Installer, the Windows installation engine. When a bundle runs as SYSTEM user, Burn uses GetTempPathW which points to an insecure directory C:\Windows\Temp to drop and load multiple binaries. Standard users can hijack the binary before it's loaded in the application resulting in elevation of privileges. This vulnerability is fixed in 3.14.1 and 4.0.5. | ||||
| CVE-2024-28745 | 2024-11-21 | 3.3 Low | ||
| Improper export of Android application components issue exists in 'ABEMA' App for Android prior to 10.65.0 allowing another app installed on the user's device to access an arbitrary URL on 'ABEMA' App for Android via Intent. If this vulnerability is exploited, an arbitrary website may be displayed on the app, and as a result, the user may become a victim of a phishing attack. | ||||
| CVE-2024-27108 | 2024-11-21 | 6.8 Medium | ||
| Non privileged access to critical file vulnerability in GE HealthCare EchoPAC products | ||||
| CVE-2024-22016 | 1 Rapidscada | 1 Rapid Scada | 2024-11-21 | 7.8 High |
| In Rapid Software LLC's Rapid SCADA versions prior to Version 5.8.4, an authorized user can write directly to the Scada directory. This may allow privilege escalation. | ||||
| CVE-2024-21902 | 1 Qnap | 2 Qts, Quts Hero | 2024-11-21 | 6.4 Medium |
| An incorrect permission assignment for critical resource vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to read or modify the resource via a network. We have already fixed the vulnerability in the following version: QTS 5.1.7.2770 build 20240520 and later QuTS hero h5.1.7.2770 build 20240520 and later | ||||