Total
276814 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-21652 | 2 Argoproj, Redhat | 2 Argo Cd, Openshift Gitops | 2025-01-09 | 9.8 Critical |
| Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Prior to versions 2.8.13, 2.9.9, and 2.10.4, an attacker can exploit a chain of vulnerabilities, including a Denial of Service (DoS) flaw and in-memory data storage weakness, to effectively bypass the application's brute force login protection. This is a critical security vulnerability that allows attackers to bypass the brute force login protection mechanism. Not only can they crash the service affecting all users, but they can also make unlimited login attempts, increasing the risk of account compromise. Versions 2.8.13, 2.9.9, and 2.10.4 contain a patch for this issue. | ||||
| CVE-2024-43499 | 4 Apple, Linux, Microsoft and 1 more | 6 Macos, Linux Kernel, .net and 3 more | 2025-01-09 | 7.5 High |
| .NET and Visual Studio Denial of Service Vulnerability | ||||
| CVE-2024-43623 | 1 Microsoft | 15 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 12 more | 2025-01-09 | 7.8 High |
| Windows NT OS Kernel Elevation of Privilege Vulnerability | ||||
| CVE-2024-2187 | 1 Wpzoom | 1 Beaver Builder Addons | 2025-01-09 | 6.4 Medium |
| The Beaver Builder Addons by WPZOOM plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Testimonials widget in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-43625 | 1 Microsoft | 6 Windows 11 22h2, Windows 11 23h2, Windows 11 24h2 and 3 more | 2025-01-09 | 8.1 High |
| Microsoft Windows VMSwitch Elevation of Privilege Vulnerability | ||||
| CVE-2024-28175 | 2 Argoproj, Redhat | 2 Argo Cd, Openshift Gitops | 2025-01-09 | 9.1 Critical |
| Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Due to the improper URL protocols filtering of links specified in the `link.argocd.argoproj.io` annotations in the application summary component, an attacker can achieve cross-site scripting with elevated permissions. All unpatched versions of Argo CD starting with v1.0.0 are vulnerable to a cross-site scripting (XSS) bug allowing a malicious user to inject a javascript: link in the UI. When clicked by a victim user, the script will execute with the victim's permissions (up to and including admin). This vulnerability allows an attacker to perform arbitrary actions on behalf of the victim via the API, such as creating, modifying, and deleting Kubernetes resources. A patch for this vulnerability has been released in Argo CD versions v2.10.3 v2.9.8, and v2.8.12. There are no completely-safe workarounds besides upgrading. The safest alternative, if upgrading is not possible, would be to create a Kubernetes admission controller to reject any resources with an annotation starting with link.argocd.argoproj.io or reject the resource if the value use an improper URL protocol. This validation will need to be applied in all clusters managed by ArgoCD. | ||||
| CVE-2024-43626 | 1 Microsoft | 15 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 12 more | 2025-01-09 | 7.8 High |
| Windows Telephony Service Elevation of Privilege Vulnerability | ||||
| CVE-2024-43627 | 1 Microsoft | 15 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 12 more | 2025-01-09 | 8.8 High |
| Windows Telephony Service Remote Code Execution Vulnerability | ||||
| CVE-2024-31990 | 3 Argoproj, Kubernetes, Redhat | 3 Argo Cd, Argo-cd, Openshift Gitops | 2025-01-09 | 4.8 Medium |
| Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. The API server does not enforce project sourceNamespaces which allows attackers to use the UI to edit resources which should only be mutable via gitops. This vulenrability is fixed in 2.10.7, 2.9.12, and 2.8.16. | ||||
| CVE-2024-43628 | 1 Microsoft | 15 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 12 more | 2025-01-09 | 8.8 High |
| Windows Telephony Service Remote Code Execution Vulnerability | ||||
| CVE-2024-43630 | 1 Microsoft | 6 Windows 10 21h2, Windows 10 22h2, Windows 11 24h2 and 3 more | 2025-01-09 | 7.8 High |
| Windows Kernel Elevation of Privilege Vulnerability | ||||
| CVE-2024-43631 | 1 Microsoft | 8 Windows 10 21h2, Windows 10 22h2, Windows 11 22h2 and 5 more | 2025-01-09 | 6.7 Medium |
| Windows Secure Kernel Mode Elevation of Privilege Vulnerability | ||||
| CVE-2024-2492 | 1 Ideabox | 1 Powerpack Addons For Elementor | 2025-01-09 | 6.4 Medium |
| The PowerPack Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Twitter Tweet widget in all versions up to, and including, 2.7.18 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2024-28107 | 1 Phpmyfaq | 1 Phpmyfaq | 2025-01-09 | 8.8 High |
| phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. A SQL injection vulnerability has been discovered in the `insertentry` & `saveentry` when modifying records due to improper escaping of the email address. This allows any authenticated user with the rights to add/edit FAQ news to exploit this vulnerability to exfiltrate data, take over accounts and in some cases, even achieve RCE. This vulnerability is fixed in 3.2.6. | ||||
| CVE-2023-22647 | 1 Suse | 1 Rancher | 2025-01-09 | 9.9 Critical |
| An Improper Privilege Management vulnerability in SUSE Rancher allowed standard users to leverage their existing permissions to manipulate Kubernetes secrets in the local cluster, resulting in the secret being deleted, but their read-level permissions to the secret being preserved. When this operation was followed-up by other specially crafted commands, it could result in the user gaining access to tokens belonging to service accounts in the local cluster. This issue affects Rancher: from >= 2.6.0 before < 2.6.13, from >= 2.7.0 before < 2.7.4. | ||||
| CVE-2024-43634 | 1 Microsoft | 15 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 12 more | 2025-01-09 | 6.8 Medium |
| Windows USB Video Class System Driver Elevation of Privilege Vulnerability | ||||
| CVE-2024-28108 | 2 Phpmyfaq, Thorsten | 2 Phpmyfaq, Phpmyfaq | 2025-01-09 | 4.7 Medium |
| phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. Due to insufficient validation on the `contentLink` parameter, it is possible for unauthenticated users to inject HTML code to the page which might affect other users. _Also, requires that adding new FAQs is allowed for guests and that the admin doesn't check the content of a newly added FAQ._ This vulnerability is fixed in 3.2.6. | ||||
| CVE-2024-29179 | 1 Phpmyfaq | 1 Phpmyfaq | 2025-01-09 | 4.8 Medium |
| phpMyFAQ is an open source FAQ web application for PHP 8.1+ and MySQL, PostgreSQL and other databases. An attacker with admin privileges can upload an attachment containing JS code without extension and the application will render it as HTML which allows for XSS attacks. | ||||
| CVE-2024-43637 | 1 Microsoft | 15 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 12 more | 2025-01-09 | 6.8 Medium |
| Windows USB Video Class System Driver Elevation of Privilege Vulnerability | ||||
| CVE-2024-32476 | 1 Argoproj | 1 Argo Cd | 2025-01-09 | 6.5 Medium |
| Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. There is a Denial of Service (DoS) vulnerability via OOM using jq in ignoreDifferences. This vulnerability has been patched in version(s) 2.10.7, 2.9.12 and 2.8.16. | ||||