Total
688 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-39400 | 1 Huawei | 2 Emui, Harmonyos | 2024-10-09 | 9.1 Critical |
| Parameter verification vulnerability in the installd module. Successful exploitation of this vulnerability may cause sandbox files to be read and written without authorization. | ||||
| CVE-2023-39399 | 1 Huawei | 2 Emui, Harmonyos | 2024-10-09 | 9.1 Critical |
| Parameter verification vulnerability in the installd module. Successful exploitation of this vulnerability may cause sandbox files to be read and written without authorization. | ||||
| CVE-2023-39398 | 1 Huawei | 2 Emui, Harmonyos | 2024-10-09 | 9.1 Critical |
| Parameter verification vulnerability in the installd module. Successful exploitation of this vulnerability may cause sandbox files to be read and written without authorization. | ||||
| CVE-2021-41308 | 1 Atlassian | 4 Jira, Jira Data Center, Jira Server and 1 more | 2024-10-09 | 6.5 Medium |
| Affected versions of Atlassian Jira Server and Data Center allow authenticated yet non-administrator remote attackers to edit the File Replication settings via a Broken Access Control vulnerability in the `ReplicationSettings!default.jspa` endpoint. The affected versions are before version 8.6.0, from version 8.7.0 before 8.13.12, and from version 8.14.0 before 8.20.1. | ||||
| CVE-2024-21402 | 1 Microsoft | 1 365 Apps | 2024-10-09 | 7.1 High |
| Microsoft Outlook Elevation of Privilege Vulnerability | ||||
| CVE-2024-26193 | 1 Microsoft | 1 Azure Migrate | 2024-10-09 | 6.4 Medium |
| Azure Migrate Remote Code Execution Vulnerability | ||||
| CVE-2024-43460 | 1 Microsoft | 2 .dynamics 365 Business Central Online, Dynamics 365 Business Central | 2024-10-09 | 8.1 High |
| Improper authorization in Dynamics 365 Business Central resulted in a vulnerability that allows an authenticated attacker to elevate privileges over a network. | ||||
| CVE-2024-38231 | 1 Microsoft | 10 Windows Server 2008, Windows Server 2008 R2, Windows Server 2008 Sp2 and 7 more | 2024-10-09 | 6.5 Medium |
| Windows Remote Desktop Licensing Service Denial of Service Vulnerability | ||||
| CVE-2024-43482 | 1 Microsoft | 1 Outlook | 2024-10-09 | 6.5 Medium |
| Microsoft Outlook for iOS Information Disclosure Vulnerability | ||||
| CVE-2024-20381 | 1 Cisco | 3 Ios Xr, Network Services Orchestrator, Small Business Rv Series Router Firmware | 2024-10-08 | 8.8 High |
| A vulnerability in the JSON-RPC API feature in Cisco Crosswork Network Services Orchestrator (NSO) and ConfD that is used by the web-based management interfaces of Cisco Optical Site Manager and Cisco RV340 Dual WAN Gigabit VPN Routers could allow an authenticated, remote attacker to modify the configuration of an affected application or device. This vulnerability is due to improper authorization checks on the API. An attacker with privileges sufficient to access the affected application or device could exploit this vulnerability by sending malicious requests to the JSON-RPC API. A successful exploit could allow the attacker to make unauthorized modifications to the configuration of the affected application or device, including creating new user accounts or elevating their own privileges on an affected system. | ||||
| CVE-2024-30061 | 1 Microsoft | 1 Dynamics 365 | 2024-10-08 | 7.3 High |
| Microsoft Dynamics 365 (On-Premises) Information Disclosure Vulnerability | ||||
| CVE-2024-20393 | 1 Cisco | 9 Rv340 Dual Wan Gigabit Vpn Router, Rv340 Dual Wan Gigabit Vpn Router Firmware, Rv340w Dual Wan Gigabit Wireless-ac Vpn Router and 6 more | 2024-10-08 | 8.8 High |
| A vulnerability in the web-based management interface of Cisco Small Business RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an authenticated, remote attacker to elevate privileges on an affected device. This vulnerability exists because the web-based management interface discloses sensitive information. An attacker could exploit this vulnerability by sending crafted HTTP input to an affected device. A successful exploit could allow an attacker to elevate privileges from guest to admin. | ||||
| CVE-2021-41313 | 1 Atlassian | 2 Jira Data Center, Jira Server | 2024-10-08 | 4.3 Medium |
| Affected versions of Atlassian Jira Server and Data Center allow authenticated but non-admin remote attackers to edit email batch configurations via an Improper Authorization vulnerability in the /secure/admin/ConfigureBatching!default.jspa endpoint. The affected versions are before version 8.20.7. | ||||
| CVE-2024-20441 | 1 Cisco | 2 Nexus Dashboard, Nexus Dashboard Fabric Controller | 2024-10-08 | 5.7 Medium |
| A vulnerability in a specific REST API endpoint of Cisco NDFC could allow an authenticated, low-privileged, remote attacker to learn sensitive information on an affected device. This vulnerability is due to insufficient authorization controls on the affected REST API endpoint. An attacker could exploit this vulnerability by sending crafted API requests to the affected endpoint. A successful exploit could allow the attacker to download config only or full backup files and learn sensitive configuration information. This vulnerability only affects a specific REST API endpoint and does not affect the web-based management interface. | ||||
| CVE-2024-5053 | 1 Fluentforms | 1 Contact Form | 2024-10-04 | 4.2 Medium |
| The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to unauthorized Malichimp API key update due to an insufficient capability check on the verifyRequest function in all versions up to, and including, 5.1.18. This makes it possible for Form Managers with a Subscriber-level access and above to modify the Mailchimp API key used for integration. At the same time, missing Mailchimp API key validation allows the redirect of the integration requests to the attacker-controlled server. | ||||
| CVE-2023-36826 | 1 Sentry | 1 Sentry | 2024-10-03 | 7.7 High |
| Sentry is an error tracking and performance monitoring platform. Starting in version 8.21.0 and prior to version 23.5.2, an authenticated user can download a debug or artifact bundle from arbitrary organizations and projects with a known bundle ID. The user does not need to be a member of the organization or have permissions on the project. A patch was issued in version 23.5.2 to ensure authorization checks are properly scoped on requests to retrieve debug or artifact bundles. Authenticated users who do not have the necessary permissions on the particular project are no longer able to download them. Sentry SaaS users do not need to take any action. Self-Hosted Sentry users should upgrade to version 23.5.2 or higher. | ||||
| CVE-2024-20414 | 1 Cisco | 2 Ios, Ios Xe | 2024-10-02 | 6.5 Medium |
| A vulnerability in the web UI feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system through the web UI. This vulnerability is due to incorrectly accepting configuration changes through the HTTP GET method. An attacker could exploit this vulnerability by persuading a currently authenticated administrator to follow a crafted link. A successful exploit could allow the attacker to change the configuration of the affected device. | ||||
| CVE-2023-38508 | 1 Enalean | 1 Tuleap | 2024-10-02 | 6.5 Medium |
| Tuleap is an open source suite to improve management of software developments and collaboration. In Tuleap Community Edition prior to version 14.11.99.28 and Tuleap Enterprise Edition prior to versions 14.10-6 and 14.11-3, the preview of an artifact link with a type does not respect the project, tracker and artifact level permissions. The issue occurs on the artifact view (not reproducible on the artifact modal). Users might get access to information they should not have access to. Only the title, status, assigned to and last update date fields as defined by the semantics are impacted. If those fields have strict permissions (e.g. the title is only visible to a specific user group) those permissions are still enforced. Tuleap Community Edition 14.11.99.28, Tuleap Enterprise Edition 14.10-6, and Tuleap Enterprise Edition 14.11-3 contain a fix for this issue. | ||||
| CVE-2024-9297 | 1 Oretnom23 | 1 Railway Reservation System | 2024-10-01 | 6.3 Medium |
| A vulnerability was found in SourceCodester Online Railway Reservation System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin/. The manipulation of the argument page with the input trains/schedules/system_info leads to improper authorization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2023-32678 | 1 Zulip | 1 Zulip Server | 2024-09-30 | 6.5 Medium |
| Zulip is an open-source team collaboration tool with topic-based threading that combines email and chat. Users who used to be subscribed to a private stream and have been removed from it since retain the ability to edit messages/topics, move messages to other streams, and delete messages that they used to have access to, if other relevant organization permissions allow these actions. For example, a user may be able to edit or delete their old messages they posted in such a private stream. An administrator will be able to delete old messages (that they had access to) from the private stream. This issue was fixed in Zulip Server version 7.3. | ||||