Total
2821 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2024-37882 | 1 Nextcloud | 1 Nextcloud Server | 2024-08-02 | 8.1 High |
Nextcloud Server is a self hosted personal cloud system. A recipient of a share with read&share permissions could reshare the item with more permissions. It is recommended that the Nextcloud Server is upgraded to 26.0.13 or 27.1.8 or 28.0.4 and that the Nextcloud Enterprise Server is upgraded to 26.0.13 or 27.1.8 or 28.0.4. | ||||
CVE-2024-37677 | 2 Access Management Specialist Project, Shenzhenweitillage | 2 Access Management Specialist, Access Management Specialist | 2024-08-02 | 7.5 High |
An issue in Shenzhen Weitillage Industrial Co., Ltd the access management specialist V6.62.51215 allows a remote attacker to obtain sensitive information. | ||||
CVE-2024-37386 | 1 Stormshield | 1 Stormshield Network Security | 2024-08-02 | 4.2 Medium |
An issue was discovered in Stormshield Network Security (SNS) 4.0.0 through 4.3.25, 4.4.0 through 4.7.5, and 4.8.0. Certain manipulations allow restarting in single-user mode despite the activation of secure boot. The following versions fix this: 4.3.27, 4.7.6, and 4.8.2. | ||||
CVE-2024-37289 | 1 Trendmicro | 1 Apex One | 2024-08-02 | 7.8 High |
An improper access control vulnerability in Trend Micro Apex One could allow a local attacker to escalate privileges on affected installations. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. | ||||
CVE-2024-37312 | 1 Nextcloud | 1 User Oidc | 2024-08-02 | 6.3 Medium |
user_oidc app is an OpenID Connect user backend for Nextcloud. Missing access control on the ID4me endpoint allows an attacker to register an account, eventually getting access to data that is available to all registered users. It is recommended that the OpenID Connect user backend is upgraded to 3.0.0 (Nextcloud 20-23), 4.0.0 (Nextcloud 24) or 5.0.0 (Nextcloud 25-28). | ||||
CVE-2024-37147 | | | 2024-08-02 | 4.3 Medium |
GLPI is an open-source asset and IT management software package that provides ITIL Service Desk features, licenses tracking and software auditing. An authenticated user can attach a document to any item, even if the user has no write access on it. Upgrade to 10.0.16. | ||||
CVE-2024-36540 | 1 External-secrets | 1 External-secrets | 2024-08-02 | 9.8 Critical |
Insecure permissions in external-secrets v0.9.16 allow attackers to access sensitive data and escalate privileges by obtaining the service account's token. | ||||
CVE-2024-36537 | 1 Cert-manager | 1 Cert-manager | 2024-08-02 | 7.2 High |
Insecure permissions in cert-manager v1.14.4 allow attackers to access sensitive data and escalate privileges by obtaining the service account's token. | ||||
CVE-2024-36542 | 1 Kumahq | 1 Kuma | 2024-08-02 | 8.8 High |
Insecure permissions in kuma v2.7.0 allow attackers to access sensitive data and escalate privileges by obtaining the service account's token. | ||||
CVE-2024-36438 | 1 Elinksmart | 1 Smart Cabinet Lock | 2024-08-02 | 7.3 High |
eLinkSmart Hidden Smart Cabinet Lock 2024-05-22 has Incorrect Access Control and fails to perform an authorization check which can lead to card duplication and other attacks. | ||||
CVE-2024-36257 | 1 Mattermost | 1 Mattermost | 2024-08-02 | 2.7 Low |
Mattermost versions 9.5.x <= 9.5.5 and 9.8.0, when using shared channels with multiple remote servers connected, fail to check that the remote server A requesting the server B to update the profile picture of a user is the remote that actually has the user as a local one. This allows a malicious remote A to change the profile images of users that belong to another remote server C that is connected to the server A. | ||||
CVE-2024-36241 | | | 2024-08-02 | 3.1 Low |
Mattermost versions 9.5.x <= 9.5.3, 9.6.x <= 9.6.1 and 8.1.x <= 8.1.12 fail to enforce proper access controls, which allows a user to view arbitrary post contents via the /playbook add slash command. | ||||
CVE-2024-36037 | | | 2024-08-02 | 5.5 Medium |
Zoho ManageEngine ADAudit Plus versions 7260 and below allows unauthorized local agent machine users to view the session recordings. | ||||
CVE-2024-35396 | | | 2024-08-02 | 9.8 Critical |
TOTOLINK CP900L v4.1.5cu.798_B20221228 was discovered to contain a hardcoded password for telnet in /web_cste/cgi-bin/product.ini, which allows attackers to log in as root. | ||||
CVE-2024-35222 | 1 Tauri | 1 Tauri | 2024-08-02 | 5.9 Medium |
Tauri is a framework for building binaries for all major desktop platforms. Remote origin iFrames in Tauri applications can access the Tauri IPC endpoints without being explicitly allowed in the `dangerousRemoteDomainIpcAccess` in v1 and in the `capabilities` in v2. Valid commands with potentially unwanted consequences ("delete project", "transfer credits", etc.) could be invoked by an attacker that controls the content of an iframe running inside a Tauri app. This vulnerability has been patched in versions 1.6.7 and 2.0.0-beta.19. | ||||
CVE-2024-34725 | | | 2024-08-02 | 7.4 High |
In DevmemIntUnexportCtx of devicemem_server.c, there is a possible arbitrary code execution due to a race condition. This could lead to local escalation of privilege in the kernel with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
CVE-2024-34221 | | | 2024-08-02 | 8.8 High |
Sourcecodester Human Resource Management System 1.0 is vulnerable to Insecure Permissions resulting in privilege escalation. | ||||
CVE-2024-34099 | | | 2024-08-02 | 7.8 High |
Acrobat Reader versions 20.005.30574, 24.002.20736 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | ||||
CVE-2024-34146 | | | 2024-08-02 | 6.5 Medium |
Jenkins Git server Plugin 114.v068a_c7cc2574 and earlier does not perform a permission check for read access to a Git repository over SSH, allowing attackers with a previously configured SSH public key but lacking Overall/Read permission to access these repositories. | ||||
CVE-2024-34068 | | | 2024-08-02 | 6.4 Medium |
Pterodactyl wings is the server control plane for Pterodactyl Panel. An authenticated user who has access to a game server is able to bypass the previously implemented access control (GHSA-6rg3-8h8x-5xfv) that prevents accessing internal endpoints of the node hosting Wings in the pull endpoint. This would allow malicious users to potentially access resources on local networks that would otherwise be inaccessible. This issue has been addressed in version 1.11.2 and users are advised to upgrade. Users unable to upgrade may enable the `api.disable_remote_download` option as a workaround. |