Total
687 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-47165 | 1 Gradio Project | 1 Gradio | 2024-10-17 | 5.4 Medium |
| Gradio is an open-source Python package designed for quick prototyping. This vulnerability relates to **CORS origin validation accepting a null origin**. When a Gradio server is deployed locally, the `localhost_aliases` variable includes "null" as a valid origin. This allows attackers to make unauthorized requests from sandboxed iframes or other sources with a null origin, potentially leading to data theft, such as user authentication tokens or uploaded files. This impacts users running Gradio locally, especially those using basic authentication. Users are advised to upgrade to `gradio>=5.0` to address this issue. As a workaround, users can manually modify the `localhost_aliases` list in their local Gradio deployment to exclude "null" as a valid origin. By removing this value, the Gradio server will no longer accept requests from sandboxed iframes or sources with a null origin, mitigating the potential for exploitation. | ||||
| CVE-2024-47084 | 1 Gradio Project | 1 Gradio | 2024-10-17 | 8.3 High |
| Gradio is an open-source Python package designed for quick prototyping. This vulnerability is related to **CORS origin validation**, where the Gradio server fails to validate the request origin when a cookie is present. This allows an attacker’s website to make unauthorized requests to a local Gradio server. Potentially, attackers can upload files, steal authentication tokens, and access user data if the victim visits a malicious website while logged into Gradio. This impacts users who have deployed Gradio locally and use basic authentication. Users are advised to upgrade to `gradio>4.44` to address this issue. As a workaround, users can manually enforce stricter CORS origin validation by modifying the `CustomCORSMiddleware` class in their local Gradio server code. Specifically, they can bypass the condition that skips CORS validation for requests containing cookies to prevent potential exploitation. | ||||
| CVE-2024-21166 | 1 Oracle | 1 Mysql | 2024-10-17 | 5.9 Medium |
| Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL Server accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.9 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H). | ||||
| CVE-2023-32482 | 1 Dell | 1 Wyse Management Suite | 2024-10-17 | 4.9 Medium |
| Wyse Management Suite versions prior to 4.0 contain an improper authorization vulnerability. An authenticated malicious user with privileged access can push policies to unauthorized tenant group. | ||||
| CVE-2023-23568 | 1 Gallagher | 1 Command Centre | 2024-10-17 | 4.3 Medium |
| Improper privilege validation in Command Centre Server allows authenticated unprivileged operators to modify and view Personal Data Fields. This issue affects Command Centre: vEL 8.90 prior to vEL8.90.1318 (MR1), vEL8.80 prior to vEL8.80.1192 (MR2), vEL8.70 prior to vEL8.70.2185 (MR4), vEL8.60 prior to vEL8.60.2347 (MR6), vEL8.50 prior to vEL8.50.2831 (MR8), all versions vEL8.40 and prior | ||||
| CVE-2023-25074 | 1 Gallagher | 1 Command Centre | 2024-10-17 | 7.1 High |
| Improper privilege validation in Command Centre Server allows authenticated unprivileged operators to modify and view Competencies. This issue affects Command Centre: vEL8.90 prior to vEL8.90.1318 (MR1), vEL8.80 prior to vEL8.80.1192 (MR2), vEL8.70 prior to vEL8.70.2185 (MR4), vEL8.60 prior to vEL8.60.2347 (MR6), vEL8.50 prior to vEL8.50.2831 (MR8), all versions vEL8.40 and prior. | ||||
| CVE-2023-22428 | 1 Gallagher | 1 Command Centre | 2024-10-17 | 7.6 High |
| Improper privilege validation in Command Centre Server allows authenticated operators to modify Division lineage. This issue affects Command Centre: vEL8.80 prior to vEL8.80.1192 (MR2), vEL8.70 prior to vEL8.70.2185 (MR4), vEL8.60 prior to vEL8.60.2347 (MR6), vEL8.50 prior to vEL8.50.2831(MR8), vEL8.40 and prior. | ||||
| CVE-2024-38425 | 1 Qualcomm | 48 Fastconnect 6900, Fastconnect 6900 Firmware, Fastconnect 7800 and 45 more | 2024-10-16 | 6.1 Medium |
| Information disclosure while sending implicit broadcast containing APP launch information. | ||||
| CVE-2020-36841 | 1 Woocommerce | 1 Woocommerce Smart Coupons | 2024-10-16 | 5.3 Medium |
| The WooCommerce Smart Coupons plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the woocommerce_coupon_admin_init function in versions up to, and including, 4.6.0. This makes it possible for unauthenticated attackers to send themselves gift certificates of any value, which could be redeemed for products sold on the victim’s storefront. | ||||
| CVE-2024-47876 | 1 Sakaiproject | 1 Sakai | 2024-10-16 | 0 Low |
| Sakai is a Collaboration and Learning Environment. Starting in version 23.0 and prior to version 23.2, kernel users created with type roleview can log in as a normal user. This can result in illegal access being granted to the system. Version 23.3 fixes this vulnerability. | ||||
| CVE-2023-50780 | 1 Apache | 1 Activemq Artemis | 2024-10-16 | 8.8 High |
| Apache ActiveMQ Artemis allows access to diagnostic information and controls through MBeans, which are also exposed through the authenticated Jolokia endpoint. Before version 2.29.0, this also included the Log4J2 MBean. This MBean is not meant for exposure to non-administrative users. This could eventually allow an authenticated attacker to write arbitrary files to the filesystem and indirectly achieve RCE. Users are recommended to upgrade to version 2.29.0 or later, which fixes the issue. | ||||
| CVE-2024-39412 | 1 Adobe | 2 Commerce, Magento | 2024-10-16 | 4.3 Medium |
| Adobe Commerce versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and perform a minor integrity change. Exploitation of this issue does not require user interaction. | ||||
| CVE-2024-37154 | 1 Evmos | 1 Evmos | 2024-10-15 | 5.3 Medium |
| Evmos is the Ethereum Virtual Machine (EVM) Hub on the Cosmos Network. Users are able to delegate tokens that have not yet been vested. This affects employees and grantees who have funds managed via `ClawbackVestingAccount`. This affects 18.1.0 and earlier. | ||||
| CVE-2024-25108 | 1 Pixelfed | 1 Pixelfed | 2024-10-11 | 9.9 Critical |
| Pixelfed is an open source photo sharing platform. When processing requests authorization was improperly and insufficiently checked, allowing attackers to access far more functionality than users intended, including to the administrative and moderator functionality of the Pixelfed server. This vulnerability affects every version of Pixelfed between v0.10.4 and v0.11.9, inclusive. A proof of concept of this vulnerability exists. This vulnerability affects every local user of a Pixelfed server, and can potentially affect the servers' ability to federate. Some user interaction is required to setup the conditions to be able to exercise the vulnerability, but the attacker could conduct this attack time-delayed manner, where user interaction is not actively required. This vulnerability has been addressed in version 0.11.11. Users are advised to upgrade. There are no known workarounds for this vulnerability. | ||||
| CVE-2024-23806 | 1 Hidglobal | 4 Iclass Se Reader Configuration Cards, Iclass Se Reader Configuration Cards Firmware, Omnikey Secure Elements Reader Configuration Cards and 1 more | 2024-10-11 | 5.3 Medium |
| Sensitive data can be extracted from HID iCLASS SE reader configuration cards. This could include credential and device administrator keys. | ||||
| CVE-2023-28385 | 2 Intel, Microsoft | 3 Next Unit Of Computing Firmware, Nuc Pro Software Suite, Windows | 2024-10-10 | 8.2 High |
| Improper authorization in the Intel(R) NUC Pro Software Suite for Windows before version 2.0.0.9 may allow a privileged user to potentially enable escalation of privilage via local access. | ||||
| CVE-2023-39403 | 1 Huawei | 2 Emui, Harmonyos | 2024-10-09 | 9.1 Critical |
| Parameter verification vulnerability in the installd module. Successful exploitation of this vulnerability may cause sandbox files to be read and written without authorization. | ||||
| CVE-2023-39402 | 1 Huawei | 2 Emui, Harmonyos | 2024-10-09 | 9.1 Critical |
| Parameter verification vulnerability in the installd module. Successful exploitation of this vulnerability may cause sandbox files to be read and written without authorization. | ||||
| CVE-2023-39401 | 1 Huawei | 2 Emui, Harmonyos | 2024-10-09 | 9.1 Critical |
| Parameter verification vulnerability in the installd module. Successful exploitation of this vulnerability may cause sandbox files to be read and written without authorization. | ||||
| CVE-2023-39400 | 1 Huawei | 2 Emui, Harmonyos | 2024-10-09 | 9.1 Critical |
| Parameter verification vulnerability in the installd module. Successful exploitation of this vulnerability may cause sandbox files to be read and written without authorization. | ||||